Admin Guide: Custom configurations for the Azure Information Protection unified labeling client

*Applies to: Azure Information Protection, Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012*

If you have Windows 7 or Office 2010, see AIP and legacy Windows and Office versions.

*Relevant for: Azure Information Protection unified labeling client for Windows. For the classic client, see the classic client admin guide.*

Use the following information for advanced configurations needed for specific scenarios or users when managing the AIP unified labeling client.

Note

These settings require editing the registry or specifying advanced settings. The advanced settings use Office 365 Security & Compliance Center PowerShell.

Configuring advanced settings for the client via PowerShell

Use the Microsoft 365 Security & Compliance Center PowerShell to configure advanced settings for customizing label policies and labels.

In both cases, after you connect to Office 365 Security & Compliance Center PowerShell, specify the AdvancedSettings parameter with the identity (name or GUID) of the policy or label, with key/value pairs in a hash table.

To remove an advanced setting, use the same AdvancedSettings parameter syntax, but specify a null string value.

Important

Do not use white spaces in your string values. White spaces in these string values will prevent your labels from being applied.

For more information, see:

Label policy advanced settings syntax

An example of a label policy advanced setting is the setting to display the Information Protection bar in Office apps.

For a single string value, use the following syntax:

Set-LabelPolicy -Identity <PolicyName> -AdvancedSettings @{Key="value1,value2"}

For multiple string values for the same key, use the following syntax:

Set-LabelPolicy -Identity <PolicyName> -AdvancedSettings @{Key=ConvertTo-Json("value1", "value2")}

Label advanced settings syntax

An example of a label advanced setting is the setting to specify a label color.

For a single string value, use the following syntax:

Set-Label -Identity <LabelGUIDorName> -AdvancedSettings @{Key="value1,value2"}

For multiple string values for the same key, use the following syntax:

Set-Label -Identity <LabelGUIDorName> -AdvancedSettings @{Key=ConvertTo-Json("value1", "value2")}

Checking your current advanced settings

To check the current advanced settings in effect, run the following commands:

To check your label policy advanced settings, use the following syntax:

For a label policy named Global:

(Get-LabelPolicy -Identity Global).settings

To check your label advanced settings, use the following syntax:

For a label named Public:

(Get-Label -Identity Public).settings

Examples for setting advanced settings

Example 1: Set a label policy advanced setting for a single string value:

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableCustomPermissions="False"}

Example 2: Set a label advanced setting for a single string value:

Set-Label -Identity Internal -AdvancedSettings @{smimesign="true"}

Example 3: Set a label advanced setting for multiple string values:

Set-Label -Identity Confidential -AdvancedSettings @{labelByCustomProperties=ConvertTo-Json("Migrate Confidential label,Classification,Confidential", "Migrate Secret label,Classification,Secret")}

Example 4: Remove a label policy advanced setting by specifying a null string value:

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableCustomPermissions=""}
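
As an added example (not part of the original guide and not Microsoft's code), the function below wraps the Set-LabelPolicy and Get-LabelPolicy calls shown above so that a change is checked against the key names documented on this page and leaves a before/after record. The function names, the snapshot file layout, and the assumption that each entry of .Settings converts to a string containing its key name are assumptions of this example.

```powershell
# Added example. Run inside a connected Security & Compliance Center PowerShell session.

# Label policy keys copied from the reference table and sections on this page.
$KnownLabelPolicyKeys = @(
    'AdditionalPPrefixExtensions', 'AttachmentAction', 'AttachmentActionTip',
    'DisableMandatoryInOutlook', 'EnableAudit', 'EnableContainerSupport',
    'EnableCustomPermissions', 'EnableCustomPermissionsForCustomProtectedFiles',
    'EnableLabelByMailHeader', 'EnableLabelBySharePointProperties',
    'EnableOutlookDistributionListExpansion', 'EnableTrackAndRevoke', 'HideBarByDefault',
    'JustificationTextForUserText', 'LogMatchedContent', 'OfficeContentExtractionTimeout',
    'OutlookBlockTrustedDomains', 'OutlookBlockUntrustedCollaborationLabel',
    'OutlookCollaborationRule', 'OutlookDefaultLabel', 'OutlookGetEmailAddressesTimeOutMSProperty',
    'OutlookJustifyTrustedDomains', 'OutlookJustifyUntrustedCollaborationLabel',
    'OutlookRecommendationEnabled', 'OutlookOverrideUnlabeledCollaborationExtensions',
    'OutlookSkipSmimeOnReadingPaneEnabled',
    'OutlookUnlabeledCollaborationActionOverrideMailBodyBehavior',
    'OutlookWarnTrustedDomains', 'OutlookWarnUntrustedCollaborationLabel',
    'PFileSupportedExtensions', 'PostponeMandatoryBeforeSave',
    'PowerPointRemoveAllShapesByShapeName', 'PowerPointShapeNameToRemove',
    'RemoveExternalContentMarkingInApp', 'RemoveExternalMarkingFromCustomLayouts',
    'ExternalContentMarkingToRemove', 'WordShapeNameToRemove', 'ReportAnIssueLink',
    'RunPolicyInBackground', 'ScannerMaxCPU', 'ScannerMinCPU', 'ScannerConcurrencyLevel',
    'ScannerFSAttributesToSkip', 'SharepointWebRequestTimeout',
    'SharepointFileWebRequestTimeout', 'UseCopyAndPreserveNTFSOwner'
)

function Get-LabelPolicySettingStrings {
    # Returns the policy's current settings as plain strings (nothing if there are none).
    param([Parameter(Mandatory)][string]$Identity)
    $settings = (Get-LabelPolicy -Identity $Identity).Settings
    if ($null -eq $settings) { return }
    $settings | ForEach-Object { [string]$_ }
}

function Set-LabelPolicyAdvancedSettingWithSnapshot {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][hashtable]$AdvancedSettings,
        [string]$SnapshotDirectory = '.'
    )

    # 1. Reject keys that are not documented on this page, which catches typos.
    $unknown = @($AdvancedSettings.Keys | Where-Object { $KnownLabelPolicyKeys -notcontains $_ })
    if ($unknown.Count -gt 0) {
        throw "Unknown label policy advanced setting key(s): $($unknown -join ', ')"
    }

    # 2. Record what is in effect before the change.
    $before = @(Get-LabelPolicySettingStrings -Identity $Identity)

    # 3. Apply the change (honours -WhatIf and -Confirm).
    $applied = $false
    if ($PSCmdlet.ShouldProcess($Identity, "Set advanced settings: $($AdvancedSettings.Keys -join ', ')")) {
        Set-LabelPolicy -Identity $Identity -AdvancedSettings $AdvancedSettings -ErrorAction Stop
        $applied = $true
    }

    # 4. Re-read the policy and write a before/after record for change control.
    $after = @(Get-LabelPolicySettingStrings -Identity $Identity)
    $safeName = $Identity -replace '[^\w\-]', '_'
    $file = Join-Path $SnapshotDirectory ("{0}-{1}.json" -f $safeName, (Get-Date -Format 'yyyyMMdd-HHmmss'))
    [pscustomobject]@{
        Policy = $Identity; Applied = $applied; Requested = $AdvancedSettings
        Before = $before; After = $after
    } | ConvertTo-Json -Depth 4 | Set-Content -Path $file -Encoding UTF8

    # 5. A key set to "" should be gone; any other key should now be listed.
    if ($applied) {
        $joined = $after -join "`n"
        foreach ($key in $AdvancedSettings.Keys) {
            $present  = $joined -match ('\b' + [regex]::Escape($key) + '\b')
            $expected = ([string]$AdvancedSettings[$key]) -ne ''
            if ($present -ne $expected) {
                Write-Warning "Key '$key' present=$present, expected=$expected. Review $file."
            }
        }
    }
    $file   # path of the snapshot that was written
}

# Usage, with the policy name and key from Example 1 above:
# Set-LabelPolicyAdvancedSettingWithSnapshot -Identity Global -AdvancedSettings @{EnableCustomPermissions="False"} -WhatIf
```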

Specifying the label policy or label identity

Finding the label policy name for the PowerShell Identity parameter is simple because there is only one policy name in the labeling admin center.

However, for labels, the labeling admin centers show both a Name and Display name value. In some cases, these values will be the same, but they may be different. To configure advanced settings for labels, use the Name value.

For example, to identify the label in the following picture, use the following syntax in your PowerShell command: -Identity "All Company"

[Image: Use the Name value rather than the Display name value to identify a sensitivity label]

If you prefer to specify the label GUID, this value is not shown in the labeling admin center. Use the Get-Label command to find this value, as follows:

Get-Label | Format-Table -Property DisplayName, Name, Guid

For more information about label names and display names:

  • Name is the original name of the label and it is unique across all your labels.

    This value remains the same even if you've changed your label name later on. For sensitivity labels that were migrated from Azure Information Protection, you might see the original label ID from the Azure portal.

  • Display name is the name currently displayed to users for the label, and does not need to be unique across all your labels.

    For example, you might have a display name of All Employees for a sublabel under the Confidential label, and another display name of All Employees for a sublabel under the Highly Confidential label. These sublabels both display the same name, but are not the same label and have different settings.

Order of precedence - how conflicting settings are resolved

You can use the admin centers to configure the following label policy settings:

  • Apply this label by default to documents and emails

  • Users must provide justification to remove a label or lower classification label

  • Require users to apply a label to their email or document

  • Provide users with a link to a custom help page

When more than one label policy is configured for a user, each with potentially different policy settings, the last policy setting is applied according to the order of the policies in the admin center. For more information, see Label policy priority (order matters).

Label policy advanced settings are applied using the same logic, using the last policy setting.
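
The "last policy setting wins" rule described above, as an added example that is not part of the original guide. It assumes precedence is resolved per key, takes the policies that apply to one user in admin center order, and uses constructed policy names (Finance, Pilot) and constructed values; the function name is hypothetical.

```powershell
function Resolve-EffectiveAdvancedSettings {
    # $OrderedPolicies: the label policies that apply to ONE user, in the same
    # order as the admin center lists them. Each item needs .Name and .Settings
    # (a hash table of advanced setting key/value pairs).
    param(
        [Parameter(Mandatory)][object[]]$OrderedPolicies,
        [switch]$ConflictsOnly
    )

    $effective = [ordered]@{}
    foreach ($policy in $OrderedPolicies) {
        foreach ($key in $policy.Settings.Keys) {
            # Remember every earlier value that this policy replaces.
            $overridden = @()
            if ($effective.Contains($key)) {
                $previous   = $effective[$key]
                $overridden = @($previous.Overridden) + "$($previous.Policy)=$($previous.Value)"
            }
            # A later policy always replaces the entry for the same key.
            $effective[$key] = [pscustomobject]@{
                Key = $key; Value = $policy.Settings[$key]
                Policy = $policy.Name; Overridden = $overridden
            }
        }
    }

    $result = $effective.Values
    if ($ConflictsOnly) {
        $result = $result | Where-Object { $_.Overridden.Count -gt 0 }
    }
    $result
}

# Constructed sample: three policies that all apply to the same user.
$policies = @(
    [pscustomobject]@{ Name = 'Global';  Settings = @{ HideBarByDefault = 'False'; DisableMandatoryInOutlook = 'False' } }
    [pscustomobject]@{ Name = 'Finance'; Settings = @{ EnableCustomPermissions = 'False' } }
    [pscustomobject]@{ Name = 'Pilot';   Settings = @{ DisableMandatoryInOutlook = 'True' } }
)

# Shows that Pilot, listed last, exempts Outlook from mandatory labeling
# even though Global set the opposite value.
Resolve-EffectiveAdvancedSettings -OrderedPolicies $policies -ConflictsOnly |
    Format-Table Key, Value, Policy, @{ Name = 'Overridden'; Expression = { $_.Overridden -join '; ' } } -AutoSize
```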

Advanced setting references

The following sections list the available advanced settings for label policies and labels:

Advanced setting reference by feature

The following sections list the advanced settings described on this page by product and feature integration:

Outlook and email settings
- Configure a label to apply S/MIME protection in Outlook
- Customize Outlook popup messages
- Enable recommended classification in Outlook
- Exempt Outlook messages from mandatory labeling
- For emails with attachments, apply a label that matches the highest classification of those attachments
- Expand Outlook distribution lists when searching for email recipients
- Implement pop-up messages in Outlook that warn, justify, or block emails being sent
- Prevent Outlook performance issues with S/MIME emails
- Set a different default label for Outlook

PowerPoint settings
- Avoid removing shapes from PowerPoint that contain specified text, and are not headers / footers
- Explicitly remove external content markings from inside your PowerPoint custom layouts
- Remove all shapes of a specific shape name from your headers and footers, instead of removing shapes by text inside the shape

File Explorer settings
- Always display custom permissions to users in File Explorer
- Disable custom permissions in File Explorer

Performance improvements settings
- Limit CPU consumption
- Limit the number of threads used by the scanner
- Prevent Outlook performance issues with S/MIME emails

Settings for integrations with other labeling solutions
- Migrate labels from Secure Islands and other labeling solutions
- Remove headers and footers from other labeling solutions

AIP analytics settings
- Disable sending audit data to Azure Information Protection analytics
- Send information type matches to Azure Information Protection analytics

General settings
- Add "Report an Issue" for users
- Apply a custom property when a label is applied
- Change the local logging level
- Change which file types to protect
- Configure the autolabeling timeout on Office files
- Configure SharePoint timeouts
- Customize justification prompt texts for modified labels
- Display the Information Protection bar in Office apps
- Enable removal of protection from compressed files
- Preserve NTFS owners during labeling (public preview)
- Remove "Not now" for documents when you use mandatory labeling
- Skip or ignore files during scans depending on file attributes
- Specify a color for the label
- Specify a default sublabel for a parent label
- Support for changing <EXT>.PFILE to P<EXT>
- Support for disconnected computers
- Turn on classification to run continuously in the background
- Turn off document tracking features (public preview)

Label policy advanced setting reference

Use the AdvancedSettings parameter with New-LabelPolicy and Set-LabelPolicy to define the following settings:

| Setting | Scenario and instructions |
| --- | --- |
| AdditionalPPrefixExtensions | Support for changing <EXT>.PFILE to P<EXT> by using this advanced property |
| AttachmentAction | For email messages with attachments, apply a label that matches the highest classification of those attachments |
| AttachmentActionTip | For email messages with attachments, apply a label that matches the highest classification of those attachments |
| DisableMandatoryInOutlook | Exempt Outlook messages from mandatory labeling |
| EnableAudit | Disable sending audit data to Azure Information Protection analytics |
| EnableContainerSupport | Enable removal of protection from PST, rar, 7zip, and MSG files |
| EnableCustomPermissions | Disable custom permissions in File Explorer |
| EnableCustomPermissionsForCustomProtectedFiles | For files protected with custom permissions, always display custom permissions to users in File Explorer |
| EnableLabelByMailHeader | Migrate labels from Secure Islands and other labeling solutions |
| EnableLabelBySharePointProperties | Migrate labels from Secure Islands and other labeling solutions |
| EnableOutlookDistributionListExpansion | Expand Outlook distribution lists when searching for email recipients |
| EnableTrackAndRevoke | Turn off document tracking features (public preview) |
| HideBarByDefault | Display the Information Protection bar in Office apps |
| JustificationTextForUserText | Customize justification prompt texts for modified labels |
| LogMatchedContent | Send information type matches to Azure Information Protection analytics |
| OfficeContentExtractionTimeout | Configure the autolabeling timeout on Office files |
| OutlookBlockTrustedDomains | Implement pop-up messages in Outlook that warn, justify, or block emails being sent |
| OutlookBlockUntrustedCollaborationLabel | Implement pop-up messages in Outlook that warn, justify, or block emails being sent |
| OutlookCollaborationRule | Customize Outlook popup messages |
| OutlookDefaultLabel | Set a different default label for Outlook |
| OutlookGetEmailAddressesTimeOutMSProperty | Modify the timeout for expanding a distribution list in Outlook when implementing block messages for recipients in distribution lists |
| OutlookJustifyTrustedDomains | Implement pop-up messages in Outlook that warn, justify, or block emails being sent |
| OutlookJustifyUntrustedCollaborationLabel | Implement pop-up messages in Outlook that warn, justify, or block emails being sent |
| OutlookRecommendationEnabled | Enable recommended classification in Outlook |
| OutlookOverrideUnlabeledCollaborationExtensions | Implement pop-up messages in Outlook that warn, justify, or block emails being sent |
| OutlookSkipSmimeOnReadingPaneEnabled | Prevent Outlook performance issues with S/MIME emails |
| OutlookUnlabeledCollaborationActionOverrideMailBodyBehavior | Implement pop-up messages in Outlook that warn, justify, or block emails being sent |
| OutlookWarnTrustedDomains | Implement pop-up messages in Outlook that warn, justify, or block emails being sent |
| OutlookWarnUntrustedCollaborationLabel | Implement pop-up messages in Outlook that warn, justify, or block emails being sent |
| PFileSupportedExtensions | Change which file types to protect |
| PostponeMandatoryBeforeSave | Remove "Not now" for documents when you use mandatory labeling |
| PowerPointRemoveAllShapesByShapeName | Remove all shapes of a specific shape name from your headers and footers, instead of removing shapes by text inside the shape |
| PowerPointShapeNameToRemove | Avoid removing shapes from PowerPoint that contain specified text, and are not headers / footers |
| RemoveExternalContentMarkingInApp | Remove headers and footers from other labeling solutions |
| RemoveExternalMarkingFromCustomLayouts | Explicitly remove external content markings from inside your PowerPoint custom layouts |
| ReportAnIssueLink | Add "Report an Issue" for users |
| RunPolicyInBackground | Turn on classification to run continuously in the background |
| ScannerMaxCPU | Limit CPU consumption |
| ScannerMinCPU | Limit CPU consumption |
| ScannerConcurrencyLevel | Limit the number of threads used by the scanner |
| ScannerFSAttributesToSkip | Skip or ignore files during scans depending on file attributes |
| SharepointWebRequestTimeout | Configure SharePoint timeouts |
| SharepointFileWebRequestTimeout | Configure SharePoint timeouts |
| UseCopyAndPreserveNTFSOwner | Preserve NTFS owners during labeling |

Label advanced setting reference

Use the AdvancedSettings parameter with New-Label and Set-Label.

| Setting | Scenario and instructions |
| --- | --- |
| color | Specify a color for the label |
| customPropertiesByLabel | Apply a custom property when a label is applied |
| DefaultSubLabelId | Specify a default sublabel for a parent label |
| labelByCustomProperties | Migrate labels from Secure Islands and other labeling solutions |
| SMimeEncrypt | Configure a label to apply S/MIME protection in Outlook |
| SMimeSign | Configure a label to apply S/MIME protection in Outlook |

Display the Information Protection bar in Office apps

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

By default, users must select the Show Bar option from the Sensitivity button to display the Information Protection bar in Office apps. Use the HideBarByDefault key and set the value to False to automatically display this bar for users so that they can select labels from either the bar or the button.

For the selected label policy, specify the following strings:

  • Key: HideBarByDefault

  • Value: False

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{HideBarByDefault="False"}

Exempt Outlook messages from mandatory labeling

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

By default, when you enable the label policy setting of All documents and emails must have a label, all saved documents and sent emails must have a label applied. When you configure the following advanced setting, the policy setting applies only to Office documents and not to Outlook messages.

For the selected label policy, specify the following strings:

  • Key: DisableMandatoryInOutlook

  • Value: True

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{DisableMandatoryInOutlook="True"}

Enable recommended classification in Outlook

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

When you configure a label for recommended classification, users are prompted to accept or dismiss the recommended label in Word, Excel, and PowerPoint. This setting extends this label recommendation to also display in Outlook.

For the selected label policy, specify the following strings:

  • Key: OutlookRecommendationEnabled

  • Value: True

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookRecommendationEnabled="True"}

Enable removal of protection from compressed files

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

When you configure this setting, the PowerShell cmdlet Set-AIPFileLabel is enabled to allow removal of protection from PST, rar, 7zip, and MSG files.

  • Key: EnableContainerSupport

  • Value: True

Example PowerShell command where your policy is enabled:

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableContainerSupport="True"}

Set a different default label for Outlook

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

When you configure this setting, Outlook doesn't apply the default label that is configured as a policy setting for the option Apply this label by default to documents and emails. Instead, Outlook can apply a different default label, or no label.

For the selected label policy, specify the following strings:

  • Key: OutlookDefaultLabel

  • Value: <label GUID> or None

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookDefaultLabel="None"}

Change which file types to protect

These configurations use a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

By default, the Azure Information Protection unified labeling client protects all file types, and the scanner from the client protects only Office file types and PDF files.

You can change this default behavior for a selected label policy by specifying one of the following:

PFileSupportedExtensions

  • Key: PFileSupportedExtensions

  • Value: <string value>

Use the following table to identify the string value to specify:

| String value | Client | Scanner |
| --- | --- | --- |
| * | Default value: Apply protection to all file types | Apply protection to all file types |
| ConvertTo-Json(".jpg", ".png") | In addition to Office file types and PDF files, apply protection to the specified file name extensions | In addition to Office file types and PDF files, apply protection to the specified file name extensions |

Example 1: PowerShell command for the scanner to protect all file types, where your label policy is named "Scanner":

Set-LabelPolicy -Identity Scanner -AdvancedSettings @{PFileSupportedExtensions="*"}

Example 2: PowerShell command for the scanner to protect .txt files and .csv files in addition to Office files and PDF files, where your label policy is named "Scanner":

Set-LabelPolicy -Identity Scanner -AdvancedSettings @{PFileSupportedExtensions=ConvertTo-Json(".txt", ".csv")}

With this setting, you can change which file types are protected but you cannot change the default protection level from native to generic. For example, for users running the unified labeling client, you can change the default setting so that only Office files and PDF files are protected instead of all file types. But you cannot change these file types to be generically protected with a .pfile file name extension.

AdditionalPPrefixExtensions

The unified labeling client supports changing <EXT>.PFILE to P<EXT> by using the advanced property, AdditionalPPrefixExtensions. This advanced property is supported from the File Explorer, PowerShell, and by the scanner. All apps have similar behavior.

  • Key: AdditionalPPrefixExtensions

  • Value: <string value>

Use the following table to identify the string value to specify:

| String value | Client and Scanner |
| --- | --- |
| * | All PFile extensions become P<EXT> |
| <null value> | Default value behaves like the default protection value. |
| ConvertTo-Json(".dwg", ".zip") | In addition to the previous list, ".dwg" and ".zip" become P<EXT> |

With this setting, the following extensions always become P<EXT>: ".txt", ".xml", ".bmp", ".jt", ".jpg", ".jpeg", ".jpe", ".jif", ".jfif", ".jfi", ".png", ".tif", ".tiff", ".gif". Notable exclusion is that "ptxt" does not become "txt.pfile".

AdditionalPPrefixExtensions only works if protection of PFiles with the advanced property PFileSupportedExtensions is enabled.

Example 1: PowerShell command to behave like the default behavior, where protecting ".dwg" produces ".dwg.pfile":

Set-LabelPolicy -Identity <PolicyName> -AdvancedSettings @{AdditionalPPrefixExtensions=""}

Example 2: PowerShell command to change all PFile extensions from generic protection (dwg.pfile) to native protection (.pdwg) when the files are protected:

Set-LabelPolicy -Identity <PolicyName> -AdvancedSettings @{AdditionalPPrefixExtensions="*"}

Example 3: PowerShell command to change ".dwg" to ".pdwg" when using this service to protect this file:

Set-LabelPolicy -Identity <PolicyName> -AdvancedSettings @{AdditionalPPrefixExtensions=ConvertTo-Json(".dwg")}

Remove "Not now" for documents when you use mandatory labeling

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

When you use the label policy setting of All documents and emails must have a label, users are prompted to select a label when they first save an Office document and when they send an email from Outlook.

For documents, users can select Not now to temporarily dismiss the prompt to select a label and return to the document. However, they cannot close the saved document without labeling it.

When you configure the PostponeMandatoryBeforeSave setting, the Not now option is removed, so that users must select a label when the document is first saved.

Tip

The PostponeMandatoryBeforeSave setting also ensures that shared documents are labeled before they're sent by email.

By default, even if you have All documents and emails must have a label enabled in your policy, users are only prompted to label files attached to emails from within Outlook.

For the selected label policy, specify the following strings:

  • Key: PostponeMandatoryBeforeSave

  • Value: False

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{PostponeMandatoryBeforeSave="False"}

Remove headers and footers from other labeling solutions

This configuration uses policy advanced settings that you must configure by using Office 365 Security & Compliance Center PowerShell.

There are two methods to remove classifications from other labeling solutions:

| Setting | Description |
| --- | --- |
| WordShapeNameToRemove | Removes any shape from Word documents where the shape name matches the name as defined in the WordShapeNameToRemove advanced property. For more information, see Use the WordShapeNameToRemove advanced property. |
| RemoveExternalContentMarkingInApp, ExternalContentMarkingToRemove | Lets you remove or replace text-based headers or footers from Word, Excel, and PowerPoint documents. For more information, see Use the RemoveExternalContentMarkingInApp advanced property and How to configure ExternalContentMarkingToRemove. |

Use the WordShapeNameToRemove advanced property

The WordShapeNameToRemove advanced property is supported from version 2.6.101.0 and above.

This setting lets you remove or replace shape-based labels from Word documents when those visual markings have been applied by another labeling solution. For example, the shape contains the name of an old label that you have now migrated to sensitivity labels to use a new label name and its own shape.

To use this advanced property, you'll need to find the shape name in the Word document and then define it in the list of shapes for the WordShapeNameToRemove advanced property. The service will remove any shape in Word whose name starts with a name defined in the list of shapes in this advanced property.

By defining the names of all shapes to remove, you avoid removing shapes that contain text that you wish to ignore, and you avoid checking the text in all shapes, which is a resource-intensive process.

Note

If you do not specify Word shapes in this additional advanced property setting, and Word is included in the RemoveExternalContentMarkingInApp key value, all shapes will be checked for the text that you specify in the ExternalContentMarkingToRemove value.

To find the name of the shape that you're using and wish to exclude:

  1. In Word, display the Selection pane: Home tab > Editing group > Select option > Selection Pane.

  2. Select the shape on the page that you wish to mark for removal. The name of the shape you mark is now highlighted in the Selection pane.

Use the name of the shape to specify a string value for the WordShapeNameToRemove key.

Example: The shape name is dc. To remove the shape with this name, you specify the value: dc.

  • Key: WordShapeNameToRemove

  • Value: <Word shape name>

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{WordShapeNameToRemove="dc"}

When you have more than one Word shape to remove, specify as many values as you have shapes to remove.

Use the RemoveExternalContentMarkingInApp advanced property

This setting lets you remove or replace text-based headers or footers from documents when those visual markings have been applied by another labeling solution. For example, the old footer contains the name of an old label that you have now migrated to sensitivity labels to use a new label name and its own footer.

When the unified labeling client gets this configuration in its policy, the old headers and footers are removed or replaced when the document is opened in the Office app and any sensitivity label is applied to the document.

This configuration is not supported for Outlook. Be aware that when you use it with Word, Excel, and PowerPoint, it can negatively affect the performance of these apps for users. The configuration lets you define settings per application, for example, search for text in the headers and footers of Word documents but not Excel spreadsheets or PowerPoint presentations.

Because the pattern matching affects the performance for users, we recommend that you limit the Office application types (W for Word, X for Excel, P for PowerPoint) to just those that need to be searched. For the selected label policy, specify the following strings:

  • Key: RemoveExternalContentMarkingInApp

  • Value: <Office application types WXP>

Examples:

  • To search Word documents only, specify W.

  • To search Word documents and PowerPoint presentations, specify WP.

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{RemoveExternalContentMarkingInApp="WX"}

You then need at least one more advanced client setting, ExternalContentMarkingToRemove, to specify the contents of the header or footer, and how to remove or replace them.

How to configure ExternalContentMarkingToRemove

When you specify the string value for the ExternalContentMarkingToRemove key, you have three options that use regular expressions. For each of these scenarios, use the syntax shown in the Example value column in the following table:

| Option | Example description | Example value |
| --- | --- | --- |
| Partial match to remove everything in the header or footer | Your headers or footers contain the string TEXT TO REMOVE, and you want to completely remove these headers or footers. | *TEXT* |
| Complete match to remove just specific words in the header or footer | Your headers or footers contain the string TEXT TO REMOVE, and you want to remove the word TEXT only, leaving the header or footer string as TO REMOVE. | TEXT |
| Complete match to remove everything in the header or footer | Your headers or footers have the string TEXT TO REMOVE. You want to remove headers or footers that have exactly this string. | ^TEXT TO REMOVE$ |

The pattern matching for the string that you specify is case-insensitive. The maximum string length is 255 characters, and cannot include white spaces.

Because some documents might include invisible characters or different kinds of spaces or tabs, the string that you specify for a phrase or sentence might not be detected. Whenever possible, specify a single distinguishing word for the value and be sure to test the results before you deploy in production.

For the same label policy, specify the following strings:

  • Key: ExternalContentMarkingToRemove

  • Value: <string to match, defined as regular expression>

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{ExternalContentMarkingToRemove="*TEXT*"}

For more information, see:

Multiline headers or footers

If your header or footer text is more than a single line, your command will depend on what parts you want to remove from the header. In this section, we'll use the following sample, multi-line footer:

The file is classified as Confidential

Label applied manually

Share with caution

Use one of the following methods, depending on which part of the footer you want to remove:

  • If you want to remove the entire footer, you only need one key value, with asterisks before and after any single word from your footer.

    For example, create the following entry in the label policy:

    • Key: ExternalContentMarkingToRemove

    • Key Value 1: *Confidential*

    Example PowerShell command, where your label policy is named "Global":

    Set-LabelPolicy -Identity Global -AdvancedSettings @{ExternalContentMarkingToRemove="*Confidential*"}
    
  • If you want to remove only a specific line, you need a key value for each specific line you want to remove. Each key value must contain the exact text you want to remove.

    For example, create the following entry in the label policy:

    • Key: ExternalContentMarkingToRemove

    • Key Value 1: Label applied manually

    • Key Value 2: Share with caution

    Example PowerShell command, where your label policy is named "Global":

    Set-LabelPolicy -Identity Global -AdvancedSettings @{ExternalContentMarkingToRemove="Label applied manually,Share with caution"}
    

Optimization for PowerPoint

Headers and footers in PowerPoint are implemented as shapes. For the msoTextBox, msoTextEffect, msoPlaceholder, and msoAutoShape shape types, the following advanced settings provide additional optimizations:

Additionally, the PowerPointRemoveAllShapesByShapeName setting can remove any shape type, based on the shape name.

For more information, see Find the name of the shape that you're using as a header or footer.

Avoid removing shapes from PowerPoint that contain specified text, and are not headers / footers

To avoid removing shapes that contain the text that you have specified, but are not headers or footers, use an additional advanced client setting named PowerPointShapeNameToRemove.

We also recommend using this setting to avoid checking the text in all shapes, which is a resource-intensive process.

  • If you do not specify this additional advanced client setting, and PowerPoint is included in the RemoveExternalContentMarkingInApp key value, all shapes will be checked for the text that you specify in the ExternalContentMarkingToRemove value.

  • If this value is specified, only shapes that meet the shape name criteria and also have text that matches the string provided with ExternalContentMarkingToRemove will be removed.

For example:

Set-LabelPolicy -Identity Global -AdvancedSettings @{PowerPointShapeNameToRemove="fc"}

Extend external marking removal to custom layouts

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

By default, the logic used to remove external content markings ignores custom layouts configured in PowerPoint. To extend this logic to custom layouts, set the RemoveExternalMarkingFromCustomLayouts advanced property to True.

  • Key: RemoveExternalMarkingFromCustomLayouts

  • Value: True

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{RemoveExternalMarkingFromCustomLayouts="True"}

Remove all shapes of a specific shape name

If you are using PowerPoint custom layouts, and want to remove all shapes of a specific shape name from your headers and footers, use the PowerPointRemoveAllShapesByShapeName advanced setting, with the name of the shape you want to remove.

Using the PowerPointRemoveAllShapesByShapeName setting ignores the text inside your shapes, and instead uses the shape name to identify the shapes you want to remove.

For example:

Set-LabelPolicy -Identity Global -AdvancedSettings @{PowerPointRemoveAllShapesByShapeName="Arrow: Right"}

Note

To define the PowerPointRemoveAllShapesByShapeName setting, you must currently also define the ExternalContentMarkingToRemove setting, even if you do not need the functionality provided by ExternalContentMarkingToRemove.

If you want to define PowerPointRemoveAllShapesByShapeName, we recommend that you define both ExternalContentMarkingToRemove and PowerPointShapeNameToRemove to avoid removing more shapes than you intend.

For more information, see:

  1. In PowerPoint, display the Selection pane: Format tab > Arrange group > Selection Pane.

  2. Select the shape on the slide that contains your header or footer. The name of the selected shape is now highlighted in the Selection pane.

Use the name of the shape to specify a string value for the PowerPointShapeNameToRemove key.

Example: The shape name is fc. To remove the shape with this name, you specify the value: fc.

  • Key: PowerPointShapeNameToRemove

  • Value: <PowerPoint shape name>

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{PowerPointShapeNameToRemove="fc"}

When you have more than one PowerPoint shape to remove, specify as many values as you have shapes to remove.

By default, only the Master slides are checked for headers and footers. To extend this search to all slides, which is a much more resource-intensive process, use an additional advanced client setting named RemoveExternalContentMarkingInAllSlides:

  • Key: RemoveExternalContentMarkingInAllSlides

  • Value: True

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{RemoveExternalContentMarkingInAllSlides="True"}
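
The external content marking settings above depend on one another, so the following added example (not part of the original guide or of any Microsoft module) checks a planned settings hash table against the rules stated in this section before it is passed to Set-LabelPolicy. The function names Test-ExternalMarkingSettings and New-Finding, the severity labels, and the sample values are assumptions made for illustration.

```powershell
# Added example: pre-flight checks for the external content marking settings.
# Test-ExternalMarkingSettings and New-Finding are hypothetical helper names,
# not cmdlets from any Microsoft module.

function New-Finding {
    param([string]$Severity, [string]$Key, [string]$Message)
    [pscustomobject]@{ Severity = $Severity; Key = $Key; Message = $Message }
}

function Test-ExternalMarkingSettings {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [hashtable]$AdvancedSettings
    )

    # Missing keys become empty strings, so every check below is a plain string test.
    $apps       = [string]$AdvancedSettings['RemoveExternalContentMarkingInApp']
    $patterns   = [string]$AdvancedSettings['ExternalContentMarkingToRemove']
    $wordShapes = [string]$AdvancedSettings['WordShapeNameToRemove']
    $pptShapes  = [string]$AdvancedSettings['PowerPointShapeNameToRemove']
    $pptByName  = [string]$AdvancedSettings['PowerPointRemoveAllShapesByShapeName']
    $allSlides  = [string]$AdvancedSettings['RemoveExternalContentMarkingInAllSlides']

    # Application scope may only name Word (W), Excel (X) and PowerPoint (P).
    if ($apps -and $apps -notmatch '^[WXP]+$') {
        New-Finding 'Error' 'RemoveExternalContentMarkingInApp' "Value '$apps' must use only the letters W, X and P."
    }

    # Both of these settings require ExternalContentMarkingToRemove to be defined too.
    foreach ($dependent in 'RemoveExternalContentMarkingInApp', 'PowerPointRemoveAllShapesByShapeName') {
        if ($AdvancedSettings[$dependent] -and -not $patterns) {
            New-Finding 'Error' $dependent 'ExternalContentMarkingToRemove must also be defined.'
        }
    }

    # Limits and advice the guide gives for the match string itself.
    if ($patterns.Length -gt 255) {
        New-Finding 'Error' 'ExternalContentMarkingToRemove' "Value is $($patterns.Length) characters; the maximum is 255."
    }
    if ($patterns -match '\s') {
        New-Finding 'Warning' 'ExternalContentMarkingToRemove' 'Phrases can be missed when documents hold invisible characters or other kinds of spaces; prefer a single distinguishing word.'
    }

    # Without a shape-name filter, the text of every shape is checked (resource-intensive).
    if ($apps -match 'W' -and -not $wordShapes) {
        New-Finding 'Warning' 'WordShapeNameToRemove' 'Word is in scope but no shape names are set; all shapes will be checked for the text.'
    }
    if ($apps -match 'P' -and -not $pptShapes) {
        New-Finding 'Warning' 'PowerPointShapeNameToRemove' 'PowerPoint is in scope but no shape names are set; all shapes will be checked for the text.'
    }
    if ($pptByName -and -not $pptShapes) {
        New-Finding 'Warning' 'PowerPointRemoveAllShapesByShapeName' 'Define PowerPointShapeNameToRemove as well to avoid removing more shapes than intended.'
    }
    if ($allSlides -eq 'True') {
        New-Finding 'Warning' 'RemoveExternalContentMarkingInAllSlides' 'All slides are searched, not only the Master slides; expect a higher performance cost.'
    }
}

# Constructed sample: planned settings that omit ExternalContentMarkingToRemove.
$planned = @{
    RemoveExternalContentMarkingInApp    = 'WP'
    WordShapeNameToRemove                = 'dc'
    PowerPointRemoveAllShapesByShapeName = 'Arrow: Right'
}

Test-ExternalMarkingSettings -AdvancedSettings $planned | Format-Table -AutoSize -Wrap
```

An empty result means none of the rules above were tripped; it does not replace testing the policy against real documents before production deployment.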

Remove external content marking from custom layouts in PowerPoint

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

By default, the logic used to remove external content markings ignores custom layouts configured in PowerPoint. To extend this logic to custom layouts, set the RemoveExternalMarkingFromCustomLayouts advanced property to True.

  • Key: RemoveExternalMarkingFromCustomLayouts

  • Value: True

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{RemoveExternalMarkingFromCustomLayouts="True"}

Disable custom permissions in File Explorer

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

By default, users see an option named Protect with custom permissions when they right-click in File Explorer and choose Classify and protect. This option lets them set their own protection settings that can override any protection settings that you might have included with a label configuration. Users can also see an option to remove protection. When you configure this setting, users do not see these options.

To configure this advanced setting, enter the following strings for the selected label policy:

  • Key: EnableCustomPermissions

  • Value: False

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableCustomPermissions="False"}

For files protected with custom permissions, always display custom permissions to users in File Explorer

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

When you configure the advanced client setting to disable custom permissions in File Explorer, by default, users are not able to see or change custom permissions that are already set in a protected document.

However, there's another advanced client setting that you can specify so that in this scenario, users can see and change custom permissions for a protected document when they use File Explorer and right-click the file.

To configure this advanced setting, enter the following strings for the selected label policy:

  • Key: EnableCustomPermissionsForCustomProtectedFiles

  • Value: True

Example PowerShell command:

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableCustomPermissionsForCustomProtectedFiles="True"}

For email messages with attachments, apply a label that matches the highest classification of those attachments

This configuration uses policy advanced settings that you must configure by using Office 365 Security & Compliance Center PowerShell.

This setting is for when users attach labeled documents to an email, and do not label the email message itself. In this scenario, a label is automatically selected for them, based on the classification labels that are applied to the attachments. The highest classification label is selected.

The attachment must be a physical file, and cannot be a link to a file (for example, a link to a file on Microsoft SharePoint or OneDrive).

You can configure this setting to Recommended, so that users are prompted to apply the selected label to their email message, with a customizable tooltip. Users can accept the recommendation or dismiss it. Or, you can configure this setting to Automatic, where the selected label is automatically applied but users can remove the label or select a different label before sending the email.

Note

When the attachment with the highest classification label is configured for protection with the setting of user-defined permissions:

  • When the label's user-defined permissions include Outlook (Do Not Forward), that label is selected and Do Not Forward protection is applied to the email.
  • When the label's user-defined permissions are just for Word, Excel, PowerPoint, and File Explorer, that label is not applied to the email message, and neither is protection.

To configure this advanced setting, enter the following strings for the selected label policy:

  • Key 1: AttachmentAction

  • Key Value 1: Recommended or Automatic

  • Key 2: AttachmentActionTip

  • Key Value 2: "<customized tooltip>"

The customized tooltip supports a single language only.

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{AttachmentAction="Automatic"}

Add "Report an Issue" for users

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

When you specify the following advanced client setting, users see a Report an Issue option that they can select from the Help and Feedback client dialog box. Specify an HTTP string for the link. For example, a customized web page that you have for users to report issues, or an email address that goes to your help desk.

To configure this advanced setting, enter the following strings for the selected label policy:

  • Key: ReportAnIssueLink

  • Value: <HTTP string>

Example value for a website: https://support.contoso.com

Example value for an email address: mailto:helpdesk@contoso.com

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{ReportAnIssueLink="mailto:helpdesk@contoso.com"}

Implement pop-up messages in Outlook that warn, justify, or block emails being sent

This configuration uses policy advanced settings that you must configure by using Office 365 Security & Compliance Center PowerShell.

When you create and configure the following advanced client settings, users see pop-up messages in Outlook that can warn them before sending an email, or ask them to provide justification why they are sending an email, or prevent them from sending an email for either of the following scenarios:

  • Their email or attachment for the email has a specific label:

    • The attachment can be any file type
  • Their email or attachment for the email doesn't have a label:

    • The attachment can be an Office document or PDF document

When these conditions are met, the user sees a pop-up message with one of the following actions:

| Type | Description |
| --- | --- |
| Warn | The user can confirm and send, or cancel. |
| Justify | The user is prompted for justification (predefined options or free-form), and the user can then send or cancel the email. The justification text is written to the email x-header, so that it can be read by other systems, such as data loss prevention (DLP) services. |
| Block | The user is prevented from sending the email while the condition remains. The message includes the reason for blocking the email, so the user can address the problem. For example, remove specific recipients, or label the email. |

When the pop-up messages are for a specific label, you can configure exceptions for recipients by domain name.

See the video Azure Information Protection Outlook Popup Configuration for a walkthrough example of how to configure these settings.

Tip

To ensure that pop-ups are displayed even when documents are shared from outside Outlook (File > Share > Attach a copy), also configure the PostponeMandatoryBeforeSave advanced setting.

For more information, see:

To implement the warn, justify, or block pop-up messages for specific labels

For the selected policy, create one or more of the following advanced settings with the following keys. For the values, specify one or more labels by their GUIDs, each one separated by a comma.

Example value for multiple label GUIDs as a comma-separated string:

dcf781ba-727f-4860-b3c1-73479e31912b,1ace2cc3-14bc-4142-9125-bf946a70542c,3e9df74d-3168-48af-8b11-037e3021813f

| Message type | Key/Value |
| --- | --- |
| Warn | Key: OutlookWarnUntrustedCollaborationLabel; Value: <label GUIDs, comma-separated> |
| Justify | Key: OutlookJustifyUntrustedCollaborationLabel; Value: <label GUIDs, comma-separated> |
| Block | Key: OutlookBlockUntrustedCollaborationLabel; Value: <label GUIDs, comma-separated> |

Example PowerShell commands, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookWarnUntrustedCollaborationLabel="8faca7b8-8d20-48a3-8ea2-0f96310a848e,b6d21387-5d34-4dc8-90ae-049453cec5cf,bb48a6cb-44a8-49c3-9102-2d2b017dcead,74591a94-1e0e-4b5d-b947-62b70fc0f53a,6c375a97-2b9b-4ccd-9c5b-e24e4fd67f73"}

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookJustifyUntrustedCollaborationLabel="dc284177-b2ac-4c96-8d78-e3e1e960318f,d8bb73c3-399d-41c2-a08a-6f0642766e31,750e87d4-0e91-4367-be44-c9c24c9103b4,32133e19-ccbd-4ff1-9254-3a6464bf89fd,74348570-5f32-4df9-8a6b-e6259b74085b,3e8d34df-e004-45b5-ae3d-efdc4731df24"}

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookBlockUntrustedCollaborationLabel="0eb351a6-0c2d-4c1d-a5f6-caa80c9bdeec,40e82af6-5dad-45ea-9c6a-6fe6d4f1626b"}

For further customization, you can also exempt domain names for pop-up messages configured for specific labels.

Note

The advanced settings in this section (OutlookWarnUntrustedCollaborationLabel, OutlookJustifyUntrustedCollaborationLabel, and OutlookBlockUntrustedCollaborationLabel) are for when a specific label is in use.

To implement default pop-up messages for unlabeled content, use the OutlookUnlabeledCollaborationAction advanced setting. To customize your pop-up messages for unlabeled content, use a .json file to define your advanced settings.

For more information, see Customize Outlook popup messages.

Tip

To ensure that your block messages are displayed as needed, even for a recipient located inside an Outlook distribution list, make sure to add the EnableOutlookDistributionListExpansion advanced setting.

To exempt domain names for pop-up messages configured for specific labels

For the labels that you've specified with these pop-up messages, you can exempt specific domain names so that users do not see the messages for recipients who have that domain name included in their email address. In this case, the emails are sent without interruption. To specify multiple domains, add them as a single string, separated by commas.

A typical configuration is to display the pop-up messages only for recipients who are external to your organization or who aren't authorized partners for your organization. In this case, you specify all the email domains that are used by your organization and by your partners.

For the same label policy, create the following advanced client settings and for the value, specify one or more domains, each one separated by a comma.

Example value for multiple domains as a comma-separated string: contoso.com,fabrikam.com,litware.com

| Message type | Key/Value |
| --- | --- |
| Warn | Key: OutlookWarnTrustedDomains; Value: <domain names, comma separated> |
| Justify | Key: OutlookJustifyTrustedDomains; Value: <domain names, comma separated> |
| Block | Key: OutlookBlockTrustedDomains; Value: <domain names, comma separated> |

For example, let's say you have specified the OutlookBlockUntrustedCollaborationLabel advanced client setting for the Confidential \ All Employees label.

You now specify the additional advanced client setting of OutlookBlockTrustedDomains with contoso.com. As a result, a user can send an email to john@sales.contoso.com when it is labeled Confidential \ All Employees, but will be blocked from sending an email with the same label to a Gmail account.

Example PowerShell commands, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookBlockTrustedDomains="contoso.com"}

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookJustifyTrustedDomains="contoso.com,fabrikam.com,litware.com"}

Note

To ensure that your block messages are displayed as needed, even for a recipient located inside an Outlook distribution list, make sure to add the EnableOutlookDistributionListExpansion advanced setting.
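
To review a planned trusted-domain value before deploying it, the following added example (not from the original guide) lists which recipients in a sample would still fall outside the exemption. Get-UntrustedRecipient is a hypothetical helper name and the recipient list is constructed; the matching rule is an assumption based on the john@sales.contoso.com case above, because this page does not specify how the client compares domains, so confirm the result with a test policy.

```powershell
# Added example: model of the trusted-domain exemption, for reviewing a planned list.
# Get-UntrustedRecipient is a hypothetical helper name. Assumption: a recipient is
# exempt when its domain equals a listed domain or is a subdomain of one, as in the
# guide's john@sales.contoso.com case.
function Get-UntrustedRecipient {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$TrustedDomains,   # planned Outlook*TrustedDomains value
        [Parameter(Mandatory)][string[]]$Recipient       # addresses to evaluate
    )

    # Normalise the comma-separated value: trim, lower-case, drop empty entries.
    $domains = @($TrustedDomains.Split(',') |
        ForEach-Object { $_.Trim().TrimStart('.').ToLowerInvariant() } |
        Where-Object { $_ })

    foreach ($address in $Recipient) {
        $at = $address.LastIndexOf('@')
        if ($at -lt 1 -or $at -eq ($address.Length - 1)) {
            # No local part or no domain part: report it instead of guessing.
            [pscustomobject]@{ Recipient = $address; Domain = ''; Reason = 'Not an SMTP address' }
            continue
        }
        $domain = $address.Substring($at + 1).Trim().TrimEnd('.').ToLowerInvariant()

        $trusted = $false
        foreach ($d in $domains) {
            # Compare whole DNS labels so a name that merely ends in the same
            # characters (notcontoso.com) is not treated as contoso.com.
            if ($domain -eq $d -or $domain.EndsWith(".$d", [System.StringComparison]::Ordinal)) {
                $trusted = $true
                break
            }
        }

        if (-not $trusted) {
            [pscustomobject]@{ Recipient = $address; Domain = $domain; Reason = 'Domain not in trusted list' }
        }
    }
}

# Constructed sample values.
$plannedValue = 'contoso.com,fabrikam.com,litware.com'
$recipients   = 'john@sales.contoso.com', 'ana@fabrikam.com', 'someone@gmail.com', 'pat@notcontoso.com'

Get-UntrustedRecipient -TrustedDomains $plannedValue -Recipient $recipients | Format-Table -AutoSize
```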

To implement the warn, justify, or block pop-up messages for emails or attachments that don't have a label

For the same label policy, create the following advanced client setting with one of the following values:

| Message type | Key/Value |
| --- | --- |
| Warn | Key: OutlookUnlabeledCollaborationAction; Value: Warn |
| Justify | Key: OutlookUnlabeledCollaborationAction; Value: Justify |
| Block | Key: OutlookUnlabeledCollaborationAction; Value: Block |
| Turn off these messages | Key: OutlookUnlabeledCollaborationAction; Value: Off |

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookUnlabeledCollaborationAction="Warn"}

For further customization, see:

To define specific file name extensions for the warn, justify, or block pop-up messages for email attachments that don't have a label

By default, the warn, justify, or block pop-up messages apply to all Office documents and PDF documents. You can refine this list by specifying which file name extensions should display the warn, justify, or block messages with an additional advanced setting and a comma-separated list of file name extensions.

Example value for multiple file name extensions to define as a comma-separated string: .XLSX,.XLSM,.XLS,.XLTX,.XLTM,.DOCX,.DOCM,.DOC,.DOCX,.DOCM,.PPTX,.PPTM,.PPT,.PPTX,.PPTM

In this example, an unlabeled PDF document will not result in warn, justify, or block pop-up messages.

For the same label policy, enter the following strings:

  • Key: OutlookOverrideUnlabeledCollaborationExtensions

  • Value: <file name extensions to display messages, comma separated>

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookOverrideUnlabeledCollaborationExtensions=".PPTX,.PPTM,.PPT,.PPTX,.PPTM"}

To specify a different action for email messages without attachments

By default, the value that you specify for OutlookUnlabeledCollaborationAction to warn, justify, or block pop-up messages applies to emails or attachments that don't have a label.

You can refine this configuration by specifying another advanced setting for email messages that don't have attachments.

Create the following advanced client setting with one of the following values:

| Message type | Key/Value |
|---|---|
| Warn | Key: OutlookUnlabeledCollaborationActionOverrideMailBodyBehavior, Value: Warn |
| Justify | Key: OutlookUnlabeledCollaborationActionOverrideMailBodyBehavior, Value: Justify |
| Block | Key: OutlookUnlabeledCollaborationActionOverrideMailBodyBehavior, Value: Block |
| Turn off these messages | Key: OutlookUnlabeledCollaborationActionOverrideMailBodyBehavior, Value: Off |

If you don't specify this client setting, the value that you specify for OutlookUnlabeledCollaborationAction is used for unlabeled email messages without attachments as well as unlabeled email messages with attachments.

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookUnlabeledCollaborationActionOverrideMailBodyBehavior="Warn"}

Expand Outlook distribution lists when searching for email recipients

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

To extend support from other advanced settings to recipients inside Outlook distribution lists, set the EnableOutlookDistributionListExpansion advanced setting to true.

  • Key: EnableOutlookDistributionListExpansion
  • Value: true

For example, if you've configured the OutlookBlockTrustedDomains and OutlookBlockUntrustedCollaborationLabel advanced settings, also configure the EnableOutlookDistributionListExpansion setting. Outlook can then expand the distribution list, which ensures that a block message appears as needed.

The default timeout for expanding the distribution list is 2000 milliseconds.

To modify this timeout, create the following advanced setting for the selected policy:

  • Key: OutlookGetEmailAddressesTimeOutMSProperty
  • Value: Integer, in milliseconds

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableOutlookDistributionListExpansion="true"; OutlookGetEmailAddressesTimeOutMSProperty="3000"}

Disable sending audit data to Azure Information Protection analytics

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

The Azure Information Protection unified labeling client supports central reporting and, by default, sends its audit data to Azure Information Protection analytics. For more information about what information is sent and stored, see the Information collected and sent to Microsoft section from the central reporting documentation.

To change this behavior so that this information is not sent by the unified labeling client, enter the following strings for the selected label policy:

  • Key: EnableAudit

  • Value: False

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableAudit="False"}

Send information type matches to Azure Information Protection analytics

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

By default, the unified labeling client does not send content matches for sensitive info types to Azure Information Protection analytics. For more information about this additional information that can be sent, see the Content matches for deeper analysis section from the central reporting documentation.

To send content matches when sensitive information types are sent, create the following advanced client setting in a label policy:

  • Key: LogMatchedContent

  • Value: True

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{LogMatchedContent="True"}

Limit CPU consumption

The AIP unified labeling scanner limits resource consumption to ensure that the overall machine CPU is never higher than 85 percent.

Starting from scanner version 2.7.x.x, we recommend limiting CPU consumption by using the following ScannerMaxCPU and ScannerMinCPU advanced settings.

Important

When the following thread limiting policy is in use, the ScannerMaxCPU and ScannerMinCPU advanced settings are ignored. To limit CPU consumption using the ScannerMaxCPU and ScannerMinCPU advanced settings, cancel the use of policies that limit the number of threads.

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

To limit CPU consumption on the scanner machine, create two advanced settings:

  • ScannerMaxCPU:

    Set to 100 by default, which means there is no limit on maximum CPU consumption. In this case, the scanner process will try to use all available CPU time to maximize your scan rates.

    If you set ScannerMaxCPU to less than 100, the scanner will monitor the CPU consumption over the past 30 minutes, and if the maximum CPU crossed the limit you set, it will start to reduce the number of threads allocated for new files.

    The limit on the number of threads will continue as long as CPU consumption is higher than the limit set for ScannerMaxCPU.

  • ScannerMinCPU:

    Only checked if ScannerMaxCPU is not equal to 100, and cannot be set to a number that is higher than the ScannerMaxCPU value. We recommend keeping ScannerMinCPU set at least 15 points lower than the value of ScannerMaxCPU.

    Set to 50 by default, which means that if CPU consumption in the last 30 minutes was lower than this value, the scanner will start adding new threads to scan more files in parallel, until the CPU consumption reaches the level you have set for ScannerMaxCPU, minus 15.

Limit the number of threads used by the scanner

Important

When the following thread limiting policy is in use, the ScannerMaxCPU and ScannerMinCPU advanced settings are ignored. To limit CPU consumption using the ScannerMaxCPU and ScannerMinCPU advanced settings, cancel the use of policies that limit the number of threads.

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

By default, the scanner uses all available processor resources on the computer running the scanner service. If you need to limit the CPU consumption while this service is scanning, create the following advanced setting in a label policy.

For the value, specify the number of concurrent threads that the scanner can run in parallel. The scanner uses a separate thread for each file that it scans, so this throttling configuration also defines the number of files that can be scanned in parallel.

When you first configure the value for testing, we recommend you specify 2 per core, and then monitor the results. For example, if you run the scanner on a computer that has 4 cores, first set the value to 8. If necessary, increase or decrease that number, according to the resulting performance you require for the scanner computer and your scanning rates.

  • Key: ScannerConcurrencyLevel

  • Value: <number of concurrent threads>

Example PowerShell command, where your label policy is named "Scanner":

Set-LabelPolicy -Identity Scanner -AdvancedSettings @{ScannerConcurrencyLevel="8"}
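The two throttling methods above exclude each other, and the CPU band has its own constraints. The following added example (not Microsoft's code) builds the -AdvancedSettings hash table for either method and rejects or flags the combinations this page describes as invalid or ignored. The function names, the 1 to 100 range check and the $Existing input are assumptions made for illustration.

```powershell
# Added example, not part of the original page. Function names are hypothetical.

# Starting value recommended on this page: 2 threads per core.
function Get-InitialConcurrencyLevel {
    param([Parameter(Mandatory = $true)][ValidateRange(1, [int]::MaxValue)][int]$Cores)
    return 2 * $Cores
}

function New-ScannerThrottleSettings {
    # Separate parameter sets make it impossible to request a CPU band and a
    # thread limit in the same call.
    [CmdletBinding(DefaultParameterSetName = 'Cpu')]
    [OutputType([hashtable])]
    param(
        # Percent values; the 1-100 range is an assumption of this sketch.
        [Parameter(ParameterSetName = 'Cpu')]
        [ValidateRange(1, 100)]
        [int]$MaxCpu = 100,

        [Parameter(ParameterSetName = 'Cpu')]
        [ValidateRange(1, 100)]
        [int]$MinCpu = 50,

        [Parameter(ParameterSetName = 'Threads', Mandatory = $true)]
        [ValidateRange(1, [int]::MaxValue)]
        [int]$ConcurrencyLevel,

        # Advanced settings already present on the policy (key/value hash table).
        [hashtable]$Existing = @{}
    )

    $settings = @{}

    if ($PSCmdlet.ParameterSetName -eq 'Threads') {
        foreach ($key in 'ScannerMaxCPU', 'ScannerMinCPU') {
            if ($Existing[$key]) {
                Write-Warning "$key=$($Existing[$key]) is ignored while ScannerConcurrencyLevel is set."
            }
        }
        $settings['ScannerConcurrencyLevel'] = "$ConcurrencyLevel"
        return $settings
    }

    if ($MaxCpu -eq 100) {
        Write-Warning 'ScannerMaxCPU=100 means no CPU limit; ScannerMinCPU is not checked.'
    }
    elseif ($MinCpu -gt $MaxCpu) {
        throw "ScannerMinCPU ($MinCpu) cannot be higher than ScannerMaxCPU ($MaxCpu)."
    }
    elseif (($MaxCpu - $MinCpu) -lt 15) {
        Write-Warning "ScannerMinCPU should be at least 15 points below ScannerMaxCPU (gap is $($MaxCpu - $MinCpu))."
    }

    if ($Existing['ScannerConcurrencyLevel']) {
        # A thread limit on the policy would make the CPU band ineffective.
        # A null string value removes an advanced setting.
        $settings['ScannerConcurrencyLevel'] = ''
    }
    $settings['ScannerMaxCPU'] = "$MaxCpu"
    $settings['ScannerMinCPU'] = "$MinCpu"
    return $settings
}

# Constructed sample: the policy still carries an earlier thread limit of 8.
$existing = @{ ScannerConcurrencyLevel = '8' }
$settings = New-ScannerThrottleSettings -MaxCpu 70 -MinCpu 50 -Existing $existing
$settings

# In a connected Security & Compliance Center PowerShell session:
# Set-LabelPolicy -Identity Scanner -AdvancedSettings $settings

# Thread-limit alternative for a 4-core scanner machine (value 8):
# New-ScannerThrottleSettings -ConcurrencyLevel (Get-InitialConcurrencyLevel -Cores 4)
```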

Migrate labels from Secure Islands and other labeling solutions

This configuration uses a label advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

This configuration is not compatible with protected PDF files that have a .ppdf file name extension. These files cannot be opened by the client using File Explorer or PowerShell.

For Office documents that are labeled by Secure Islands, you can relabel these documents with a sensitivity label by using a mapping that you define. You can also use this method to reuse labels from other solutions when their labels are on Office documents.

As a result of this configuration option, the new sensitivity label is applied by the Azure Information Protection unified labeling client as follows:

  • For Office documents: When the document is opened in the desktop app, the new sensitivity label is shown as set and is applied when the document is saved.

  • For PowerShell: Set-AIPFileLabel and Set-AIPFileClassification can apply the new sensitivity label.

  • For File Explorer: In the Azure Information Protection dialog box, the new sensitivity label is shown but isn't set.

This configuration requires you to specify an advanced setting named labelByCustomProperties for each sensitivity label that you want to map to the old label. Then for each entry, set the value by using the following syntax:

[migration rule name],[Secure Islands custom property name],[Secure Islands metadata Regex value]

Specify your choice of a migration rule name. Use a descriptive name that helps you to identify how one or more labels from your previous labeling solution should be mapped to a sensitivity label.

Note that this setting does not remove the original label from the document or any visual markings in the document that the original label might have applied. To remove headers and footers, see Remove headers and footers from other labeling solutions.

Examples:

For additional customization, see:

Note

If you are migrating your labels across tenants, such as after a company merger, we recommend that you read our blog post on mergers and spinoffs for more information.

Example 1: One-to-one mapping of the same label name

Requirement: Documents that have a Secure Islands label of "Confidential" should be relabeled as "Confidential" by Azure Information Protection.

In this example:

  • The Secure Islands label is named Confidential and stored in the custom property named Classification.

The advanced setting:

  • Key: labelByCustomProperties

  • Value: Secure Islands label is Confidential,Classification,Confidential

Example PowerShell command, where your label is named "Confidential":

Set-Label -Identity Confidential -AdvancedSettings @{labelByCustomProperties="Secure Islands label is Confidential,Classification,Confidential"}

Example 2: One-to-one mapping for a different label name

Requirement: Documents labeled as "Sensitive" by Secure Islands should be relabeled as "Highly Confidential" by Azure Information Protection.

In this example:

  • The Secure Islands label is named Sensitive and stored in the custom property named Classification.

The advanced setting:

  • Key: labelByCustomProperties

  • Value: Secure Islands label is Sensitive,Classification,Sensitive

Example PowerShell command, where your label is named "Highly Confidential":

Set-Label -Identity "Highly Confidential" -AdvancedSettings @{labelByCustomProperties="Secure Islands label is Sensitive,Classification,Sensitive"}

Example 3: Many-to-one mapping of label names

Requirement: You have two Secure Islands labels that include the word "Internal" and you want documents that have either of these Secure Islands labels to be relabeled as "General" by the Azure Information Protection unified labeling client.

In this example:

  • The Secure Islands labels include the word Internal and are stored in the custom property named Classification.

The advanced client setting:

  • Key: labelByCustomProperties

  • Value: Secure Islands label contains Internal,Classification,.*Internal.*

Example PowerShell command, where your label is named "General":

Set-Label -Identity General -AdvancedSettings @{labelByCustomProperties="Secure Islands label contains Internal,Classification,.*Internal.*"}

Example 4: Multiple rules for the same label

When you need multiple rules for the same label, define multiple string values for the same key.

In this example, the Secure Islands labels named "Confidential" and "Secret" are stored in the custom property named Classification, and you want the Azure Information Protection unified labeling client to apply the sensitivity label named "Confidential":

Set-Label -Identity Confidential -AdvancedSettings @{labelByCustomProperties=ConvertTo-Json("Migrate Confidential label,Classification,Confidential", "Migrate Secret label,Classification,Secret")}
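Before deploying migration rules like those in Examples 1 to 4, it helps to check which legacy property values each regular expression would catch. The following added example (not Microsoft's code) builds rule strings in the syntax above and evaluates them against constructed sample values. The page does not state whether the client matches the whole property value or any substring, so the sketch reports both; the function names and sample files are hypothetical.

```powershell
# Added example, not part of the original page. Function names are hypothetical.

# Builds one "[rule name],[property name],[regex]" entry and rejects input that
# would break the comma-separated syntax or is not a valid .NET regex.
function New-MigrationRule {
    param(
        [Parameter(Mandatory = $true)][string]$RuleName,
        [Parameter(Mandatory = $true)][string]$PropertyName,
        [Parameter(Mandatory = $true)][string]$Pattern
    )
    foreach ($field in $RuleName, $PropertyName) {
        if ($field -match ',') { throw "Field '$field' must not contain a comma." }
    }
    try { [void][regex]::new($Pattern) }
    catch { throw "Pattern '$Pattern' is not a valid regular expression: $($_.Exception.Message)" }
    return '{0},{1},{2}' -f $RuleName, $PropertyName, $Pattern
}

# Evaluates rule strings against documents' custom properties.
# Unanchored = pattern found anywhere in the value; WholeValue = pattern must
# cover the entire value. Rows where the two differ deserve a closer look.
function Test-MigrationRule {
    param(
        [Parameter(Mandatory = $true)][string[]]$Rule,
        [Parameter(Mandatory = $true)][hashtable[]]$Document
    )
    foreach ($doc in $Document) {
        foreach ($entry in $Rule) {
            # Limit the split to 3 parts so commas inside the regex survive.
            $ruleName, $property, $pattern = $entry -split ',', 3
            $value = $doc.Properties[$property]
            if ($null -eq $value) { continue }
            $unanchored = [regex]::IsMatch($value, $pattern)
            $whole = [regex]::IsMatch($value, '^(?:' + $pattern + ')$')
            if ($unanchored -or $whole) {
                [pscustomobject]@{
                    File       = $doc.File
                    Value      = $value
                    Rule       = $ruleName
                    Unanchored = $unanchored
                    WholeValue = $whole
                    Review     = ($unanchored -ne $whole)
                }
            }
        }
    }
}

# Rules from Example 4 on this page, built through the validator.
$rules = @(
    New-MigrationRule -RuleName 'Migrate Confidential label' -PropertyName 'Classification' -Pattern 'Confidential'
    New-MigrationRule -RuleName 'Migrate Secret label' -PropertyName 'Classification' -Pattern 'Secret'
)

# Constructed sample documents with their legacy custom property values.
$documents = @(
    @{ File = 'plan.docx';   Properties = @{ Classification = 'Confidential' } }
    @{ File = 'merger.docx'; Properties = @{ Classification = 'Highly Confidential' } }
    @{ File = 'keys.xlsx';   Properties = @{ Classification = 'Secret' } }
    @{ File = 'menu.docx';   Properties = @{ Classification = 'Public' } }
)

Test-MigrationRule -Rule $rules -Document $documents | Format-Table -AutoSize

# One rule is passed as a plain string, several rules as JSON (as in Example 4).
$value = if ($rules.Count -gt 1) { ConvertTo-Json $rules } else { $rules[0] }

# In a connected Security & Compliance Center PowerShell session:
# Set-Label -Identity Confidential -AdvancedSettings @{labelByCustomProperties = $value}
```

In the sample, merger.docx ("Highly Confidential") is flagged for review: the pattern Confidential matches it as a substring but not as a whole value, which matters if a different sensitivity label is meant for that legacy value.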

Extend your label migration rules to emails

You can use the configuration you've defined with the labelByCustomProperties advanced setting for Outlook emails, in addition to Office documents, by specifying an additional label policy advanced setting.

However, this setting has a known negative impact on the performance of Outlook, so configure this additional setting only when you have a strong business requirement for it, and remember to set it to a null string value when you have completed the migration from the other labeling solution.

To configure this advanced setting, enter the following strings for the selected label policy:

  • Key: EnableLabelByMailHeader

  • Value: True

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableLabelByMailHeader="True"}

Extend your label migration rules to SharePoint properties

You can use the configuration you've defined with the labelByCustomProperties advanced setting for SharePoint properties that you might expose as columns to users by specifying an additional label policy advanced setting.

This setting is supported when you use Word, Excel, and PowerPoint.

To configure this advanced setting, enter the following strings for the selected label policy:

  • Key: EnableLabelBySharePointProperties

  • Value: True

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableLabelBySharePointProperties="True"}

Apply a custom property when a label is applied

This configuration uses a label advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

There might be some scenarios when you want to apply one or more custom properties to a document or email message in addition to the metadata that's applied by a sensitivity label.

For example:

  • You are in the process of migrating from another labeling solution, such as Secure Islands. For interoperability during the migration, you want sensitivity labels to also apply a custom property that is used by the other labeling solution.

  • For your content management system (such as SharePoint or a document management solution from another vendor) you want to use a consistent custom property name with different values for the labels, and with user-friendly names instead of the label GUID.

For Office documents and Outlook emails that users label by using the Azure Information Protection unified labeling client, you can add one or more custom properties that you define. You can also use this method for the unified labeling client to display a custom property as a label from other solutions for content that isn't yet labeled by the unified labeling client.

As a result of this configuration option, any additional custom properties are applied by the Azure Information Protection unified labeling client as follows:

| Environment | Description |
|---|---|
| Office documents | When the document is labeled in the desktop app, the additional custom properties are applied when the document is saved. |
| Outlook emails | When the email message is labeled in Outlook, the additional properties are applied to the x-header when the email is sent. |
| PowerShell | Set-AIPFileLabel and Set-AIPFileClassification apply the additional custom properties when the document is labeled and saved. Get-AIPFileStatus displays custom properties as the mapped label if a sensitivity label isn't applied. |
| File Explorer | When the user right-clicks the file and applies the label, the custom properties are applied. |

This configuration requires you to specify an advanced setting named customPropertiesByLabel for each sensitivity label to which you want to apply the additional custom properties. Then for each entry, set the value by using the following syntax:

[custom property name],[custom property value]

Important

Use of white spaces in the string will prevent application of the labels.

For example:

Example 1: Add a single custom property for a label

Requirement: Documents that are labeled as "Confidential" by the Azure Information Protection unified labeling client should have the additional custom property named "Classification" with the value of "Secret".

In this example:

  • The sensitivity label is named Confidential and creates a custom property named Classification with the value of Secret.

The advanced setting:

  • Key: customPropertiesByLabel

  • Value: Classification,Secret

Example PowerShell command, where your label is named "Confidential":

    Set-Label -Identity Confidential -AdvancedSettings @{customPropertiesByLabel="Classification,Secret"}

Example 2: Add multiple custom properties for a label

To add more than one custom property for the same label, you need to define multiple string values for the same key.

Example PowerShell command, where your label is named "General" and you want to add one custom property named Classification with the value of General and a second custom property named Sensitivity with the value of Internal:

Set-Label -Identity General -AdvancedSettings @{customPropertiesByLabel=ConvertTo-Json("Classification,General", "Sensitivity,Internal")}

Configure a label to apply S/MIME protection in Outlook

This configuration uses label advanced settings that you must configure by using Office 365 Security & Compliance Center PowerShell.

Use these settings only when you have a working S/MIME deployment and want a label to automatically apply this protection method for emails rather than Rights Management protection from Azure Information Protection. The resulting protection is the same as when a user manually selects S/MIME options from Outlook.

| Configuration | Key/Value |
|---|---|
| S/MIME digital signature | To configure an advanced setting for an S/MIME digital signature, enter the following strings for the selected label: Key: SMimeSign, Value: True |
| S/MIME encryption | To configure an advanced setting for S/MIME encryption, enter the following strings for the selected label: Key: SMimeEncrypt, Value: True |

If the label you specify is configured for encryption, for the Azure Information Protection unified labeling client, S/MIME protection replaces the Rights Management protection only in Outlook. The client continues to use the encryption settings specified for the label in the admin center.

For Office apps with built-in labeling, these settings do not apply S/MIME protection but instead apply Do Not Forward protection.

If you want the label to be visible in Outlook only, configure the label to apply encryption to Only email messages in Outlook.

Example PowerShell commands, where your label is named "Recipients Only":

Set-Label -Identity "Recipients Only" -AdvancedSettings @{SMimeSign="True"}

Set-Label -Identity "Recipients Only" -AdvancedSettings @{SMimeEncrypt="True"}

Specify a default sublabel for a parent label

This configuration uses a label advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

When you add a sublabel to a label, users can no longer apply the parent label to a document or email. By default, users select the parent label to see the sublabels that they can apply, and then select one of those sublabels. If you configure this advanced setting, when users select the parent label, a sublabel is automatically selected and applied for them:

  • Key: DefaultSubLabelId

  • Value: <sublabel GUID>

Example PowerShell command, where your parent label is named "Confidential" and the "All Employees" sublabel has a GUID of 8faca7b8-8d20-48a3-8ea2-0f96310a848e:

Set-Label -Identity "Confidential" -AdvancedSettings @{DefaultSubLabelId="8faca7b8-8d20-48a3-8ea2-0f96310a848e"}

Turn on classification to run continuously in the background

This configuration uses a label advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

When you configure this setting, it changes the default behavior of how the Azure Information Protection unified labeling client applies automatic and recommended labels to documents:

For Word, Excel, and PowerPoint, automatic classification runs continuously in the background.

The behavior does not change for Outlook.

When the Azure Information Protection unified labeling client periodically checks documents for the condition rules that you specify, this behavior enables automatic and recommended classification and protection for Office documents that are stored in SharePoint or OneDrive, as long as auto-save is turned on. Large files are also saved more quickly because the condition rules have already run.

The condition rules do not run in real time as a user types. Instead, they run periodically as a background task if the document is modified.

To configure this advanced setting, enter the following strings:

  • Key: RunPolicyInBackground
  • Value: True

Example PowerShell command:

Set-LabelPolicy -Identity PolicyName -AdvancedSettings @{RunPolicyInBackground = "true"}

Note

This feature is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Specify a color for the label

This configuration uses label advanced settings that you must configure by using Office 365 Security & Compliance Center PowerShell.

Use this advanced setting to set a color for a label. To specify the color, enter a hex triplet code for the red, green, and blue (RGB) components of the color. For example, #40e0d0 is the RGB hex value for turquoise.

If you need a reference for these codes, you'll find a helpful table on the <color> page from the MSDN web docs. You can also find these codes in many applications that let you edit pictures. For example, Microsoft Paint lets you choose a custom color from a palette and the RGB values are automatically displayed, which you can then copy.

To configure the advanced setting for a label's color, enter the following strings for the selected label:

  • Key: color

  • Value: <RGB hex value>

Example PowerShell command, where your label is named "Public":

Set-Label -Identity Public -AdvancedSettings @{color="#40e0d0"}

Sign in as a different user

Signing in with multiple users is not supported by AIP in production. This procedure describes how to sign in as a different user for testing purposes only.

You can verify which account you're currently signed in as by using the Microsoft Azure Information Protection dialog box: Open an Office application and on the Home tab, select the Sensitivity button, and then select Help and feedback. Your account name is displayed in the Client status section.

Be sure to also check the domain name of the signed-in account that's displayed. It can be easy to miss that you're signed in with the right account name but the wrong domain. Symptoms of using the wrong account include failing to download the labels, or not seeing the labels or behavior that you expect.

To sign in as a different user:

  1. Navigate to %localappdata%\Microsoft\MSIP and delete the TokenCache file.

  2. Restart any open Office applications and sign in with your different user account. If you do not see a prompt in your Office application to sign in to the Azure Information Protection service, return to the Microsoft Azure Information Protection dialog box and select Sign in from the updated Client status section.

Additionally:

| Scenario | Description |
|---|---|
| Still signed in to the old account | If the Azure Information Protection unified labeling client is still signed in with the old account after completing these steps, delete all cookies from Internet Explorer, and then repeat steps 1 and 2. |
| Using single sign-on | If you are using single sign-on, you must sign out from Windows and sign in with your different user account after deleting the token file. The Azure Information Protection unified labeling client then automatically authenticates by using your currently signed in user account. |
| Different tenants | This solution is supported for signing in as another user from the same tenant. It is not supported for signing in as another user from a different tenant. To test Azure Information Protection with multiple tenants, use different computers. |
| Reset settings | You can use the Reset settings option from Help and Feedback to sign out and delete the labels and policy settings that are currently downloaded from the Office 365 Security & Compliance Center, the Microsoft 365 Security center, or the Microsoft 365 Compliance center. |

Support for disconnected computers

Important

Disconnected computers are supported for the following labeling scenarios: File Explorer, PowerShell, your Office apps and the scanner.

By default, the Azure Information Protection unified labeling client automatically tries to connect to the internet to download the labels and label policy settings from your labeling management center (the Office 365 Security & Compliance Center, the Microsoft 365 security center, or the Microsoft 365 compliance center).

If you have computers that cannot connect to the internet for a period of time, you can export and copy files that let you manually manage the policy for the unified labeling client.

To support disconnected computers from the unified labeling client:

  1. Choose or create a user account in Azure AD that you will use to download labels and policy settings that you want to use on your disconnected computer.

  2. As an additional label policy setting for this account, disable sending audit data to Azure Information Protection analytics by using the EnableAudit advanced setting.

    We recommend this step because if the disconnected computer does have periodic internet connectivity, it will send logging information to Azure Information Protection analytics that includes the user name from step 1. That user account might be different from the local account you're using on the disconnected computer.

  3. From a computer with internet connectivity that has the unified labeling client installed and signed in with the user account from step 1, download the labels and policy settings.

  4. From this computer, export the log files.

    For example, run the Export-AIPLogs cmdlet, or use the Export Logs option from the client's Help and Feedback dialog box.

    The log files are exported as a single compressed file.

  5. Open the compressed file, and from the MSIP folder, copy any files that have an .xml file name extension.

  6. Paste these files into the %localappdata%\Microsoft\MSIP folder on the disconnected computer.

  7. If your chosen user account is one that usually connects to the internet, enable sending audit data again, by setting the EnableAudit value to True.

Be aware that if a user on this computer selects the Reset Settings option from Help and feedback, this action deletes the policy files and renders the client inoperable until you manually replace the files or the client connects to the internet and downloads the files.

If your disconnected computer is running the Azure Information Protection scanner, there are additional configuration steps you must take. For more information, see Restriction: The scanner server cannot have internet connectivity in the scanner deployment instructions.

Change the local logging level

By default, the Azure Information Protection unified labeling client writes client log files to the %localappdata%\Microsoft\MSIP folder. These files are intended for troubleshooting by Microsoft Support.

To change the logging level for these files, locate the following value name in the registry and set the value data to the required logging level:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSIP\LogLevel

Set the logging level to one of the following values:

  • Off: No local logging.

  • Error: Errors only.

  • Warn: Errors and warnings.

  • Info: Minimum logging, which includes no event IDs (the default setting for the scanner).

  • Debug: Full information.

  • Trace: Detailed logging (the default setting for clients).

This registry setting does not change the information that's sent to Azure Information Protection for central reporting.

Skip or ignore files during scans depending on file attributes

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

By default, the Azure Information Protection unified labeling scanner scans all relevant files. However, you may want to define specific files to be skipped, such as archived files or files that have been moved.

Enable the scanner to skip specific files based on their file attributes by using the ScannerFSAttributesToSkip advanced setting. In the setting value, list the file attributes that will enable the file to be skipped when they are all set to true. This list of file attributes uses the AND logic.

The following sample PowerShell commands illustrate how to use this advanced setting with a label policy named "Global".

Skip files that are both read-only and archived

Set-LabelPolicy -Identity Global -AdvancedSettings @{ScannerFSAttributesToSkip="FILE_ATTRIBUTE_READONLY,FILE_ATTRIBUTE_ARCHIVE"}

Skip files that are either read-only or archived

To use an OR logic, run the same property multiple times. For example:

Set-LabelPolicy -Identity Global -AdvancedSettings @{ScannerFSAttributesToSkip="FILE_ATTRIBUTE_READONLY"}
Set-LabelPolicy -Identity Global -AdvancedSettings @{ScannerFSAttributesToSkip="FILE_ATTRIBUTE_ARCHIVE"}

Tip

We recommend that you consider enabling the scanner to skip files with the following attributes:

  • FILE_ATTRIBUTE_SYSTEM
  • FILE_ATTRIBUTE_HIDDEN
  • FILE_ATTRIBUTE_DEVICE
  • FILE_ATTRIBUTE_OFFLINE
  • FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS
  • FILE_ATTRIBUTE_RECALL_ON_OPEN
  • FILE_ATTRIBUTE_TEMPORARY

For a list of all file attributes that can be defined in the ScannerFSAttributesToSkip advanced setting, see the Win32 File Attribute Constants.
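A dry run of the AND logic described above, as an added example that is not part of the original documentation: it lists the files under a folder whose attributes include every name in a candidate ScannerFSAttributesToSkip value, so you can see what a scan would leave unlabeled before you set the policy. Get-ScannerSkipPreview and ConvertTo-AttributeMask are hypothetical helper names, and the script assumes the scanner evaluates the same attribute bits that the file system reports to Get-ChildItem.

```powershell
# Added example: preview which files match a ScannerFSAttributesToSkip value (AND logic).
# The helpers below are hypothetical; they only read attributes and change no policy.
# The numbers are the Win32 file attribute constants for the names used on this page.
$Win32FileAttribute = @{
    FILE_ATTRIBUTE_READONLY              = 0x00000001
    FILE_ATTRIBUTE_HIDDEN                = 0x00000002
    FILE_ATTRIBUTE_SYSTEM                = 0x00000004
    FILE_ATTRIBUTE_ARCHIVE               = 0x00000020
    FILE_ATTRIBUTE_DEVICE                = 0x00000040
    FILE_ATTRIBUTE_TEMPORARY             = 0x00000100
    FILE_ATTRIBUTE_OFFLINE               = 0x00001000
    FILE_ATTRIBUTE_RECALL_ON_OPEN        = 0x00040000
    FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS = 0x00400000
}

function ConvertTo-AttributeMask {
    # Turns "NAME1,NAME2" into one bit mask; rejects names this table does not know.
    param([Parameter(Mandatory = $true)][string]$SettingValue)
    $mask = 0
    foreach ($name in $SettingValue.Split(',')) {
        $key = $name.Trim()
        if (-not $Win32FileAttribute.ContainsKey($key)) { throw "Unknown attribute name '$key'" }
        $mask = $mask -bor $Win32FileAttribute[$key]
    }
    return $mask
}

function Get-ScannerSkipPreview {
    # Returns the files that carry ALL attributes in the mask (the AND logic of the setting).
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$SettingValue
    )
    $mask = ConvertTo-AttributeMask -SettingValue $SettingValue
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force |
        Where-Object { ([int]$_.Attributes -band $mask) -eq $mask } |
        Select-Object FullName, Attributes
}

# Constructed sample data: three files in a temporary folder with different attribute sets.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) ('aip-skip-preview-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
$samples = [ordered]@{
    'both.docx'          = 'ReadOnly, Archive'
    'archive-only.docx'  = 'Archive'
    'readonly-only.docx' = 'ReadOnly'
}
foreach ($file in $samples.Keys) {
    $full = Join-Path $dir $file
    Set-Content -LiteralPath $full -Value 'sample'
    [System.IO.File]::SetAttributes($full, [System.IO.FileAttributes]($samples[$file]))
}

# Only the file that is both read-only and archived is listed.
Get-ScannerSkipPreview -Path $dir -SettingValue 'FILE_ATTRIBUTE_READONLY,FILE_ATTRIBUTE_ARCHIVE'

Remove-Item -LiteralPath $dir -Recurse -Force
```

Point -Path at a copy of the real repository to review the list before applying the setting; any file in the output would be skipped by the scan and stay unlabeled.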

Preserve NTFS owners during labeling (public preview)

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

By default, scanner, PowerShell, and File Explorer extension labeling do not preserve the NTFS owner that was defined before the labeling.

To ensure that the NTFS owner value is preserved, set the UseCopyAndPreserveNTFSOwner advanced setting to true for the selected label policy.

Caution

Define this advanced setting only when you can ensure a low-latency, reliable network connection between the scanner and the scanned repository. A network failure during the automatic labeling process can cause the file to be lost.

Sample PowerShell command, when your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{ UseCopyAndPreserveNTFSOwner ="true"}

Note

This feature is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Customize justification prompt texts for modified labels

Customize the justification prompts that are displayed in both Office and the AIP client, when end users change classification labels on documents and emails.

For example, as an administrator, you may want to remind your users not to add any customer identifying information into this field:

[Image: customized justification prompt text]

To modify the default Other text that's displayed, use the JustificationTextForUserText advanced property with the Set-LabelPolicy cmdlet. Set the value to the text you want to use instead.

Sample PowerShell command, when your label policy is named "Global":


Set-LabelPolicy -Identity Global -AdvancedSettings @{JustificationTextForUserText="Other (please explain) - Do not enter sensitive info"}

Customize Outlook popup messages

AIP administrators can customize the popup messages that appear to end users in Outlook, such as:

  • Messages for blocked emails
  • Warning messages that prompt users to verify the content that they're sending
  • Justification messages that request users to justify the content that they're sending

Important

This procedure will override any settings you've already defined using the OutlookUnlabeledCollaborationAction advanced property.

In production, we recommend that you avoid complications by either using the OutlookUnlabeledCollaborationAction advanced property to define your rules, or defining complex rules with a json file as defined below, but not both.

To customize your Outlook popup messages:

  1. Create .json files, each with a rule that configures how Outlook displays popup messages to your users. For more information, see Rule value .json syntax and Sample popup customization .json code.

  2. Use PowerShell to define advanced settings that control the popup messages you're configuring. Run a separate set of commands for each rule you want to configure.

    Each set of PowerShell commands must include the name of the policy you're configuring, as well as the key and value that defines your rule.

    Use the following syntax:

    $filedata = Get-Content "<Path to json file>"
    Set-LabelPolicy -Identity <Policy name> -AdvancedSettings @{<Key> ="$filedata"}
    

    Where:

    • <Path to json file> is the path to the json file you created. For example: C:\Users\msanchez\Desktop\dlp\OutlookCollaborationRule_1.json.

    • <Policy name> is the name of the policy you want to configure.

    • <Key> is a name for your rule. Use the following syntax, where <x> is the serial number for your rule:

      OutlookCollaborationRule_<x>

    For more information, see Ordering your Outlook customization rules and Rule value json syntax.

Tip

For additional organization, name your file with the same string as the key used in your PowerShell command. For example, name your file OutlookCollaborationRule_1.json, and then also use OutlookCollaborationRule_1 as your key.

To ensure that popups are displayed even when documents are shared from outside Outlook (File > Share > Attach a copy), also configure the PostponeMandatoryBeforeSave advanced setting.

Ordering your Outlook customization rules

AIP uses the serial number in the key you enter to determine the order in which the rules are processed. When defining the keys used for each rule, define your more restrictive rules with lower numbers, followed by less restrictive rules with higher numbers.

Once a specific rule match is found, AIP stops processing the rules, and performs the action associated with the matching rule. (First match -> Exit logic)

Example:

Say you want to configure all Internal emails with a specific Warning message, but you don't generally want to block them. However, you do want to block users from sending attachments classified as Secret, even as Internal emails.

In this scenario, order your Block Secret rule key, which is the more specific rule, before your more generic Warn on Internal rule key:

  • For the Block message: OutlookCollaborationRule_1
  • For the Warn message: OutlookCollaborationRule_2

Rule value .json syntax

Define your rule's json syntax as follows:

{
    "type" : "And",
    "nodes" : []
}

You must have at least two nodes, the first representing your rule's condition, and the last representing the rule's action. For more information, see Rule condition syntax and Rule action syntax.

Rule condition syntax

Rule condition nodes must include the node type, and then the conditions themselves.

Supported node types include:

| Node type | Description |
|---|---|
| And | Performs and on all child nodes |
| Or | Performs or on all child nodes |
| Not | Performs not for its own child |
| Except | Returns not for its own child, causing it to behave as All |
| SentTo, followed by Domains: listOfDomains | Checks one of the following:<br>- If the Parent is Except, checks whether All of the recipients are in one of the domains<br>- If the Parent is anything else but Except, checks whether Any of the recipients are in one of the domains. |
| EMailLabel, followed by label | One of the following:<br>- The label ID<br>- null, if not labeled |
| AttachmentLabel, followed by Label and supported Extensions | One of the following:<br><br>true:<br>- If the Parent is Except, checks whether All of the attachments with one supported extension exists within the label<br>- If the Parent is anything else but Except, checks whether Any of the attachments with one supported extension exists within the label<br>- If not labeled, and label = null<br><br>false: For all other cases |

Note: If the Extensions property is empty or missing, all supported file types (extensions) are included in the rule.

Rule action syntax

Rule actions can be one of the following:

| Action | Syntax | Sample message |
|---|---|---|
| Block | Block (List<language, [title, body]>) | Email Blocked<br><br>You are about to send content classified as Secret to one or more untrusted recipients:<br>rsinclair@contoso.com<br><br>Your organization policy does not allow this action. Consider removing these recipients or replace the content. |
| Warn | Warn (List<language,[title,body]>) | Confirmation Required<br><br>You are about to send content classified as General to one or more untrusted recipients:<br>rsinclair@contoso.com<br><br>Your organization policy requires confirmation for you to send this content. |
| Justify | Justify (numOfOptions, hasFreeTextOption, List<language, [Title, body, options1,options2….]> )<br><br>Including up to three options. | Justification Required<br><br>Your organization policy requires justification for you to send content classified as General to untrusted recipients.<br><br>- I confirm the recipients are approved for sharing this content<br>- My manager approved sharing of this content<br>- Other, as explained |

Action parameters

If no parameters are provided for an action, the pop-ups will have the default text.

All texts support the following dynamic parameters:

| Parameter | Description |
|---|---|
| ${MatchedRecipientsList} | The last match for the SentTo conditions |
| ${MatchedLabelName} | The mail/attachment Label, with the localized name from the policy |
| ${MatchedAttachmentName} | The name of the attachment from the last match for the AttachmentLabel condition |

Note

All messages include the Tell Me More option, as well as the Help and Feedback dialogs.

The Language is the CultureName for the locale name, such as: English = en-us; Spanish = es-es

Parent-only language names are also supported, such as en only.
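One way to check a rule file against the syntax described above before it is pushed with Set-LabelPolicy, as an added example that is not part of the original documentation or the AIP module. Test-OutlookCollaborationRule and Get-RuleNodeProblem are hypothetical helper names, the sample rules are constructed, and the checks cover only the node types, actions and limits listed on this page.

```powershell
# Added example: offline pre-flight check for one OutlookCollaborationRule_<x> rule.
# Test-OutlookCollaborationRule and Get-RuleNodeProblem are hypothetical helpers, not AIP cmdlets.
$ConditionTypes = 'And', 'Or', 'Not', 'Except', 'SentTo', 'EmailLabel', 'AttachmentLabel'
$ActionTypes    = 'Block', 'Warn', 'Justify'

function Get-RuleNodeProblem {
    # Walks one condition node recursively and returns one string per problem found.
    param($Node, [string]$Path)
    $type = [string]$Node.type
    if ($ConditionTypes -notcontains $type) { return "${Path}: unknown condition type '$type'" }
    $found = @()
    if ($type -in 'And', 'Or') {
        if ($null -eq $Node.nodes) { return "${Path}: '$type' needs a 'nodes' array" }
        $i = 0
        foreach ($child in @($Node.nodes)) {
            $found += @(Get-RuleNodeProblem -Node $child -Path ('{0}.nodes[{1}]' -f $Path, $i))
            $i++
        }
    }
    elseif ($type -in 'Not', 'Except') {
        # Assumption: 'Not' holds its single child in 'node', as 'Except' does in the page's samples.
        if ($null -eq $Node.node) { return "${Path}: '$type' needs one child in 'node'" }
        $found += @(Get-RuleNodeProblem -Node $Node.node -Path ('{0}.node' -f $Path))
    }
    elseif ($type -eq 'SentTo') {
        if (-not $Node.Domains) { $found += "${Path}: SentTo needs a non-empty Domains list" }
    }
    else {
        # EmailLabel / AttachmentLabel: LabelId is a label GUID, or null for "not labeled".
        $guid = [guid]::Empty
        if ($Node.PSObject.Properties.Name -notcontains 'LabelId') {
            $found += "${Path}: $type needs a LabelId (null means not labeled)"
        }
        elseif ($null -ne $Node.LabelId -and -not [guid]::TryParse([string]$Node.LabelId, [ref]$guid)) {
            $found += "${Path}: LabelId '$($Node.LabelId)' is not a GUID"
        }
    }
    return $found
}

function Test-OutlookCollaborationRule {
    # Returns the problems found in one rule; an empty result means it passed these checks.
    param([Parameter(Mandatory = $true)][string]$Json)
    try { $rule = ConvertFrom-Json -InputObject $Json -ErrorAction Stop }
    catch { return "not valid JSON: $($_.Exception.Message)" }
    $found = @()
    if ([string]$rule.type -ne 'And') { $found += "root: type must be 'And'" }
    if ($null -eq $rule.nodes -or @($rule.nodes).Count -lt 2) {
        return $found + "root: need at least two nodes, condition first and action last"
    }
    $nodes = @($rule.nodes)
    for ($i = 0; $i -lt $nodes.Count - 1; $i++) {
        $found += @(Get-RuleNodeProblem -Node $nodes[$i] -Path "nodes[$i]")
    }
    $action = $nodes[-1]
    if ($ActionTypes -notcontains [string]$action.type) {
        $found += "action: last node type '$($action.type)' is not Block, Warn or Justify"
    }
    if ($null -ne $action.LocalizationData) {
        # The action syntax on this page lists a title and a body per language.
        foreach ($lang in $action.LocalizationData.PSObject.Properties) {
            if (-not $lang.Value.Title -or -not $lang.Value.Body) {
                $found += "action: language '$($lang.Name)' needs both Title and Body"
            }
            if ($lang.Value.Options -and @($lang.Value.Options).Count -gt 3) {
                $found += "action: language '$($lang.Name)' has more than three options"
            }
        }
    }
    return $found
}

# Constructed sample rules (not from a real tenant); the label ID is the one used in Example 1.
$good = @'
{ "type": "And", "nodes": [
    { "type": "Except", "node": { "type": "SentTo", "Domains": [ "contoso.com" ] } },
    { "type": "EmailLabel", "LabelId": "89a453df-5df4-4976-8191-259d0cf9560a" },
    { "type": "Block",
      "LocalizationData": { "en-us": { "Title": "Email Blocked", "Body": "Not sent." } },
      "DefaultLanguage": "en-us" } ] }
'@
$badAction = $good -replace '"type": "Block"', '"type": "Email Block"'
$badEscape = $good -replace 'Not sent\.', 'Select <Bold>I accept<\Bold>.'

foreach ($name in 'good', 'badAction', 'badEscape') {
    $result = @(Test-OutlookCollaborationRule -Json (Get-Variable -Name $name -ValueOnly))
    if ($result.Count -eq 0) { "${name}: OK" } else { $result | ForEach-Object { "${name}: $_" } }
}
```

For a file on disk, pass its whole text with `Test-OutlookCollaborationRule -Json (Get-Content -Raw <Path to json file>)`; a rule that fails these checks is worth fixing before it becomes the only control on outbound mail.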

Sample popup customization .json code

The following sets of .json code show how you can define a variety of rules that control how Outlook displays popup messages for your users.

Example 1: Block Internal emails or attachments

The following .json code will block emails or attachments that are classified as Internal from being sent to external recipients.

In this example, 89a453df-5df4-4976-8191-259d0cf9560a is the ID of the Internal label, and internal domains include contoso.com and microsoft.com.

Since no specific extensions are specified, all supported file types are included.

{   
    "type" : "And",     
    "nodes" : [         
        {           
            "type" : "Except" ,             
            "node" :{               
                "type" : "SentTo",                  
                "Domains" : [                   
                    "contoso.com",                  
                    "microsoft.com"
                ]               
            }       
        },
        {           
            "type" : "Or",          
            "nodes" : [                 
                {           
                    "type" : "AttachmentLabel",             
                    "LabelId" : "89a453df-5df4-4976-8191-259d0cf9560a"      
                },{                     
                    "type" : "EmailLabel",                  
                    "LabelId" : "89a453df-5df4-4976-8191-259d0cf9560a"              
                }
            ]
        },      
        {           
            "type" : "Block",           
            "LocalizationData": {               
                "en-us": {                
                    "Title": "Email Blocked",                 
                    "Body": "The email or at least one of the attachments is classified as <Bold>${MatchedLabelName}</Bold>. Documents classified as <Bold> ${MatchedLabelName}</Bold> cannot be sent to external recipients (${MatchedRecipientsList}).<br><br>List of attachments classified as <Bold>${MatchedLabelName}</Bold>:<br><br>${MatchedAttachmentName}<br><br><br>This message will not be sent.<br>You are responsible for ensuring compliance with classification requirements as per Contoso’s policies."               
                },              
                "es-es": {                
                    "Title": "Correo electrónico bloqueado",                  
                    "Body": "El correo electrónico o al menos uno de los archivos adjuntos se clasifica como <Bold> ${MatchedLabelName}</Bold>."                
                }           
            },          
            "DefaultLanguage": "en-us"      
        }   
    ] 
}

Example 2: Block unclassified Office attachments

The following .json code blocks unclassified Office attachments or emails from being sent to external recipients.

In the following example, the attachment list that requires labeling is: .doc,.docm,.docx,.dot,.dotm,.dotx,.potm,.potx,.pps,.ppsm,.ppsx,.ppt,.pptm,.pptx,.vdw,.vsd,.vsdm,.vsdx,.vss,.vssm,.vst,.vstm,.vssx,.vstx,.xls,.xlsb,.xlt,.xlsm,.xlsx,.xltm,.xltx

{   
    "type" : "And",     
    "nodes" : [         
        {           
            "type" : "Except" ,             
            "node" :{               
                "type" : "SentTo",                  
                "Domains" : [                   
                    "contoso.com",                  
                    "microsoft.com"
                ]               
            }       
        },
        {           
            "type" : "Or",          
            "nodes" : [                 
                {           
                    "type" : "AttachmentLabel",
                    "LabelId" : null,
                    "Extensions": [
                                    ".doc",
                                    ".docm",
                                    ".docx",
                                    ".dot",
                                    ".dotm",
                                    ".dotx",
                                    ".potm",
                                    ".potx",
                                    ".pps",
                                    ".ppsm",
                                    ".ppsx",
                                    ".ppt",
                                    ".pptm",
                                    ".pptx",
                                    ".vdw",
                                    ".vsd",
                                    ".vsdm",
                                    ".vsdx",
                                    ".vss",
                                    ".vssm",
                                    ".vst",
                                    ".vstm",
                                    ".vssx",
                                    ".vstx",
                                    ".xls",
                                    ".xlsb",
                                    ".xlt",
                                    ".xlsm",
                                    ".xlsx",
                                    ".xltm",
                                    ".xltx"
                                 ]
                    
                },{                     
                    "type" : "EmailLabel",
                    "LabelId" : null
                }
            ]
        },      
        {           
            "type" : "Block",
            "LocalizationData": {
                "en-us": {
                    "Title": "Email Blocked",
                    "Body": "Classification is necessary for attachments to be sent to external recipients.<br><br>List of attachments that are not classified:<br><br>${MatchedAttachmentName}<br><br><br>This message will not be sent.<br>You are responsible for ensuring compliance to classification requirement as per Contoso’s policies.<br><br>For MS Office documents, classify and send again.<br><br>For PDF files, classify the document or classify the email (using the most restrictive classification level of any single attachment or the email content) and send again."               
                },              
                "es-es": {                
                    "Title": "Correo electrónico bloqueado",                  
                    "Body": "La clasificación es necesaria para que los archivos adjuntos se envíen a destinatarios externos."              
                }           
            },          
            "DefaultLanguage": "en-us"      
        }   
    ] 
}

Example 3: Require the user to accept sending a Confidential email or attachment

The following example causes Outlook to display a message that warns the user that they are sending a Confidential email or attachment to external recipients, and also requires that the user selects I accept.

This sort of warning message is technically considered to be a justification, as the user must select I accept.

Since no specific extensions are specified, all supported file types are included.

{   
    "type" : "And",     
    "nodes" : [         
        {           
            "type" : "Except" ,             
            "node" :{               
                "type" : "SentTo",                  
                "Domains" : [                   
                    "contoso.com",                  
                    "microsoft.com"
                ]               
            }       
        },
        {           
            "type" : "Or",          
            "nodes" : [                 
                {           
                    "type" : "AttachmentLabel",             
                    "LabelId" : "3acd2acc-2072-48b1-80c8-4da23e245613"      
                },{                     
                    "type" : "EmailLabel",                  
                    "LabelId" : "3acd2acc-2072-48b1-80c8-4da23e245613"              
                }
            ]
        },      
        {           
            "type" : "Justify",             
            "LocalizationData": {               
                "en-us": {                
                    "Title": "Warning",                   
                    "Body": "You are sending a document that is classified as <Bold>${MatchedLabelName}</Bold> to at least one external recipient. Please make sure that the content is correctly classified and that the recipients are entitled to receive this document.<br><br>List of attachments classified as <Bold>${MatchedLabelName}</Bold>:<br><br>${MatchedAttachmentName}<br><br><Bold>List of external email addresses:</Bold><br>${MatchedRecipientsList}<br><br>You are responsible for ensuring compliance to classification requirement as per Contoso’s policies.<br><br><Bold>Acknowledgement</Bold><br>By clicking <Bold>I accept</Bold> below, you confirm that the recipient is entitled to receive the content and the communication complies with CS Policies and Standards",
                    "Options": [                        
                        "I accept"              
                    ] 
                },              
                "es-es": {                
                    "Title": "Advertencia",                   
                    "Body": "Está enviando un documento clasificado como <Bold>${MatchedLabelName}</Bold> a al menos un destinatario externo. Asegúrese de que el contenido esté correctamente clasificado y que los destinatarios tengan derecho a recibir este documento.",
                    "Options": [                        
                        "Acepto"                    
                    ]                   
                }           
            },          
            "HasFreeTextOption":"false",            
            "DefaultLanguage": "en-us"      
        }   
    ] 
}

Example 4: Warn on mail with no label, and an attachment with a specific label

The following .json code causes Outlook to warn the user when they are sending an internal email that has no label, with an attachment that has a specific label.

In this example, bcbef25a-c4db-446b-9496-1b558d9edd0e is the ID of the attachment's label, and the rule applies to .docx, .xlsx, and .pptx files.

By default, emails that have labeled attachments do not automatically receive the same label.

{
    "type" : "And",
    "nodes" : [
        {
            "type" : "EmailLabel",
            "LabelId" : null
        },
        {
            "type" : "AttachmentLabel",
            "LabelId" : "bcbef25a-c4db-446b-9496-1b558d9edd0e",
            "Extensions" : [
                ".docx",
                ".xlsx",
                ".pptx"
            ]
        },
        {
            "type" : "SentTo",
            "Domains" : [
                "contoso.com"
            ]
        },
        {
            "type" : "Warn"
        }
    ]
}

Example 5: Prompt for a justification, with two predefined options, and an extra free-text option

The following .json code causes Outlook to prompt the user for a justification for their action. The justification text includes two predefined options, as well as a third, free-text option.

Since no specific extensions are specified, all supported file types are included.

{   
    "type" : "And",     
    "nodes" : [         
        {           
            "type" : "Except" ,             
            "node" :{               
                "type" : "SentTo",                  
                "Domains" : [                   
                    "contoso.com"
                ]               
            }       
        },      
        {           
            "type" : "EmailLabel",          
            "LabelId" : "34b8beec-40df-4219-9dd4-553e1c8904c1"      
        },      
        {           
            "type" : "Justify",             
            "LocalizationData": {               
                "en-us": {                  
                    "Title": "Justification Required",                  
                    "Body": "Your organization policy requires justification for you to send content classified as <Bold> ${MatchedLabelName}</Bold>,to untrusted recipients:<br>Recipients are: ${MatchedRecipientsList}",                     
                    "Options": [                        
                        "I confirm the recipients are approved for sharing this content",                   
                        "My manager approved sharing of this content",                      
                        "Other, as explained"                   
                    ]               
                },              
                "es-es": {                  
                    "Title": "Justificación necesaria",                     
                    "Body": "La política de su organización requiere una justificación para que envíe contenido clasificado como <Bold> ${MatchedLabelName}</Bold> a destinatarios que no sean de confianza.",                  
                    "Options": [                        
                        "Confirmo que los destinatarios están aprobados para compartir este contenido.",
                        "Mi gerente aprobó compartir este contenido",
                        "Otro, como se explicó"                     
                    ]               
                }           
            },          
            "HasFreeTextOption":"true",             
            "DefaultLanguage": "en-us"      
        }   
    ] 
}
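A pre-deployment lint for rule files shaped like Examples 3 to 5, as an added example that is not part of the original guide or of Microsoft's tooling. Python's strict JSON parser rejects trailing commas and invalid backslash escapes, and the walker then checks each node. Assumptions: `lint_rule` and the sample constants are hypothetical names, only the node types used in these examples are recognized, and a rule without a Warn or Justify node is reported as a problem.

```python
import json
import re

GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
ACTIONS = {"Warn", "Justify"}  # only the action types used in the examples above

def lint_rule(text):
    """Return a list of problems in one rule; an empty list means none found."""
    try:
        root = json.loads(text)  # strict: rejects trailing commas and bad escapes
    except json.JSONDecodeError as e:
        return [f"invalid JSON at line {e.lineno}, column {e.colno}: {e.msg}"]
    problems, actions = [], []

    def walk(node, path):
        kind = node.get("type") if isinstance(node, dict) else None
        if kind in ("And", "Or"):
            kids = node.get("nodes")
            if not isinstance(kids, list) or not kids:
                problems.append(f"{path}: {kind} needs a non-empty 'nodes' list")
                return
            for i, kid in enumerate(kids):
                walk(kid, f"{path}.nodes[{i}]")
        elif kind == "Except":
            walk(node.get("node"), f"{path}.node")
        elif kind == "SentTo":
            doms = node.get("Domains")
            if not (isinstance(doms, list) and doms and all(isinstance(d, str) for d in doms)):
                problems.append(f"{path}: Domains must be a non-empty list of names")
        elif kind in ("EmailLabel", "AttachmentLabel"):
            label = node.get("LabelId", "")  # null is valid: it matches "no label"
            if label is not None and not (isinstance(label, str) and GUID.match(label)):
                problems.append(f"{path}: LabelId must be a GUID or null")
        elif kind in ACTIONS:
            actions.append(path)
            texts = node.get("LocalizationData")
            has_default = isinstance(texts, dict) and node.get("DefaultLanguage") in texts
            if kind == "Justify" and not has_default:
                problems.append(f"{path}: DefaultLanguage has no LocalizationData entry")
        else:
            problems.append(f"{path}: unexpected node type {kind!r}")
    walk(root, "$")
    if not actions and not problems:
        problems.append("$: rule has no Warn or Justify node")
    return problems

# Constructed samples in the shape of the examples above (not taken from a real tenant).
GOOD = '{"type":"And","nodes":[{"type":"SentTo","Domains":["contoso.com"]},{"type":"Warn"}]}'
TRAILING_COMMA = GOOD.replace('"contoso.com"]', '"contoso.com",]')
```

Run the check on each rule file before passing its content to Set-LabelPolicy, so that a malformed rule is caught before it reaches the client.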

Configure SharePoint timeouts

By default, the timeout for SharePoint interactions is two minutes, after which the attempted AIP operation fails.

Starting in version 2.8.85.0, AIP administrators can control this timeout using the following advanced properties, using an hh:mm:ss syntax to define the timeouts:

  • SharepointWebRequestTimeout. Determines the timeout for all AIP web requests to SharePoint. Default = 2 minutes.

    For example, if your policy is named Global, the following sample PowerShell command updates the web request timeout to 5 minutes.

    Set-LabelPolicy -Identity Global -AdvancedSettings @{SharepointWebRequestTimeout="00:05:00"}
    
  • SharepointFileWebRequestTimeout. Determines the timeout specifically for SharePoint files via AIP web requests. Default = 15 minutes.

    For example, if your policy is named Global, the following sample PowerShell command updates the file web request timeout to 10 minutes.

    Set-LabelPolicy -Identity Global -AdvancedSettings @{SharepointFileWebRequestTimeout="00:10:00"}
    

Avoid scanner timeouts in SharePoint

If you have long file paths in SharePoint version 2013 or higher, ensure that your SharePoint server's httpRuntime.maxUrlLength value is larger than the default 260 characters.

This value is defined in the HttpRuntimeSection class of the ASP.NET configuration.

To update the HttpRuntimeSection class:

  1. Back up your web.config configuration.

  2. Update the maxUrlLength value as needed. For example:

    <httpRuntime maxRequestLength="51200" requestValidationMode="2.0" maxUrlLength="5000"  />
    
  3. Restart your SharePoint web server and verify that it loads correctly.

    For example, in Windows Internet Information Services (IIS) Manager, select your site, and then under Manage Website, select Restart.

Prevent Outlook performance issues with S/MIME emails

Performance issues may occur in Outlook when S/MIME emails are opened in the Reading Pane. To prevent these issues, enable the OutlookSkipSmimeOnReadingPaneEnabled advanced property.

Enabling this property prevents the AIP bar and the email classifications from being shown in the Reading Pane.

For example, if your policy is named Global, the following sample PowerShell command enables the OutlookSkipSmimeOnReadingPaneEnabled property:

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookSkipSmimeOnReadingPaneEnabled="true"}

Turn off document tracking features (public preview)

By default, document tracking features are turned on for your tenant. To turn them off, such as for privacy requirements in your organization or region, set the EnableTrackAndRevoke value to False.

Once turned off, document tracking data will no longer be available in your organization, and users will no longer see the Revoke menu option in their Office apps.

For the selected label policy, specify the following strings:

  • Key: EnableTrackAndRevoke

  • Value: False

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableTrackAndRevoke="False"}

After setting this value to False, track and revoke is turned off as follows:

  • Opening protected documents with the AIP unified labeling client no longer registers the documents for track and revoke.
  • End users will no longer see the Revoke menu option in their Office apps.

However, protected documents that are already registered for tracking will continue to be tracked, and administrators can still revoke access from PowerShell. To fully turn off track and revoke features, also run the Disable-AipServiceDocumentTrackingFeature cmdlet.

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

Note

To turn track and revoke back on, set EnableTrackAndRevoke to true, and also run the Enable-AipServiceDocumentTrackingFeature cmdlet.

Configure the autolabeling timeout on Office files

By default, the scanner's autolabeling timeout on Office files is 3 seconds.

If you have a complex Excel file with many sheets or rows, 3 seconds may not be enough to automatically apply labels. To increase this timeout for the selected label policy, specify the following strings:

  • Key: OfficeContentExtractionTimeout

  • Value: Seconds, in the following format: hh:mm:ss.

Important

We recommend that you do not raise this timeout to higher than 15 seconds.

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{OfficeContentExtractionTimeout="00:00:15"}

The updated timeout applies to autolabeling on all Office files.

Next steps

Now that you've customized the Azure Information Protection unified labeling client, see the following resources for additional information that you might need to support this client: