Admin Guide: Using PowerShell with the Azure Information Protection unified client

*Applies to: Azure Information Protection, Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012*

If you have Windows 7 or Office 2010, see AIP and legacy Windows and Office versions.

Relevant for: Azure Information Protection unified labeling client for Windows. For the classic client, see the classic client admin guide.

When you install the Azure Information Protection unified labeling client, PowerShell commands are automatically installed as part of the AzureInformationProtection module, with cmdlets for labeling.

The AzureInformationProtection module enables you to manage the client by running commands for automation scripts.

For example:

  • Get-AIPFileStatus: Gets the Azure Information Protection label and protection information for a specified file or files.
  • Set-AIPFileClassification: Scans a file to automatically set an Azure Information Protection label for the file, according to conditions that are configured in the policy.
  • Set-AIPFileLabel: Sets or removes an Azure Information Protection label for a file, and sets or removes the protection according to the label configuration or custom permissions.
  • Set-AIPAuthentication: Sets the authentication credentials for the Azure Information Protection client.

The AzureInformationProtection module is installed in the \ProgramFiles (x86)\Microsoft Azure Information Protection folder, and the installer then adds this folder to the PSModulePath system variable. The .dll for this module is named AIP.dll.

Important

The AzureInformationProtection module doesn't support configuring advanced settings for labels or label policies.

For these settings, you need the Office 365 Security & Compliance Center PowerShell. For more information, see Custom configurations for the Azure Information Protection unified labeling client.

Tip

To use cmdlets with path lengths greater than 260 characters, use the following group policy setting, which is available starting with Windows 10, version 1607:
Local Computer Policy > Computer Configuration > Administrative Templates > All Settings > Enable Win32 long paths

For Windows Server 2016, you can use the same group policy setting when you install the latest Administrative Templates (.admx) for Windows 10.

For more information, see the Maximum Path Length Limitation section of the Windows 10 developer documentation.

Prerequisites for using the AzureInformationProtection module

In addition to the prerequisites for installing the AzureInformationProtection module, there are extra prerequisites for when you use the labeling cmdlets for Azure Information Protection:

  • The Azure Rights Management service must be activated.

    If your Azure Information Protection tenant is not activated, see the instructions for Activating the protection service from Azure Information Protection.

  • To remove protection from files for others using your own account:

    • The super user feature must be enabled for your organization.
    • Your account must be configured to be a super user for Azure Rights Management.

    For example, you may want to remove protection for others for the sake of data discovery or recovery. If you are using labels to apply protection, you can remove that protection by setting a new label that doesn't apply protection, or you can remove the label.

    To remove protection, use the Set-AIPFileLabel cmdlet with the RemoveProtection parameter. The remove protection capability is disabled by default and must first be enabled using the Set-LabelPolicy cmdlet.
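The recovery scenario above, as an added example that is not part of the original article: it checks each file's protection status before touching it and writes an audit record for every file, whether or not protection was removed. It assumes a session authenticated as a super user, that the capability was enabled with Set-LabelPolicy, and that the PreserveFileDetails and JustificationMessage parameters of Set-AIPFileLabel are available (they are not shown on this page); the file paths are constructed.

```powershell
# Remove protection from a reviewed list of files for data recovery, with an audit log.
$ErrorActionPreference = 'Stop'
Import-Module AzureInformationProtection

$listPath = "C:\AIP\recovery-list.txt"          # one full path per line, reviewed beforehand
$logPath  = "C:\AIP\remove-protection-log.csv"  # appended on every run for audit

$results = foreach ($file in Get-Content -Path $listPath) {
    # Inspect first: only protected files are candidates, and the owner is worth recording.
    $status = Get-AIPFileStatus -Path $file

    if (-not $status.IsRMSProtected) {
        # Nothing to remove; still record it so the run is auditable.
        [pscustomobject]@{
            FileName = $file; Action = 'skipped'; Owner = $null; Detail = 'not protected'
        }
        continue
    }

    # Keep the original modified date and owner, and record why protection is removed.
    $r = Set-AIPFileLabel -Path $file -RemoveProtection -PreserveFileDetails `
        -JustificationMessage "Recovery request <ticket id placeholder>"

    [pscustomobject]@{
        FileName = $file
        Action   = 'remove-protection'
        Owner    = $status.RMSOwner              # who protected it, for the audit trail
        Detail   = "$($r.Status): $($r.Comment)" # cmdlet result per file
    }
}

$results | Export-Csv -Path $logPath -NoTypeInformation -Append
$results | Format-Table -AutoSize
```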

RMS to unified labeling cmdlet mapping

If you've migrated from Azure RMS, note that RMS-related cmdlets have been deprecated for use in unified labeling.

Some of the legacy cmdlets have been replaced with new cmdlets for unified labeling. For example, if you used New-RMSProtectionLicense with RMS protection and have migrated to unified labeling, use New-AIPCustomPermissions instead.

The following table maps RMS-related cmdlets to the updated cmdlets used for unified labeling:

    RMS cmdlet                     Unified labeling cmdlet
    Get-RMSFileStatus              Get-AIPFileStatus
    Get-RMSServer                  Not relevant for unified labeling
    Get-RMSServerAuthentication    Set-AIPAuthentication
    Clear-RMSAuthentication        Set-AIPAuthentication
    Set-RMSServerAuthentication    Set-AIPAuthentication
    Get-RMSTemplate                Not relevant for unified labeling
    New-RMSProtectionLicense       New-AIPCustomPermissions, and Set-AIPFileLabel with the CustomPermissions parameter
    Protect-RMSFile                Set-AIPFileLabel with the RemoveProtection parameter

How to label files non-interactively for Azure Information Protection

By default, when you run the cmdlets for labeling, the commands run in your own user context in an interactive PowerShell session.

For more information, see:

Note

If the computer has no internet access, there's no need to create the app in Azure AD and run the Set-AIPAuthentication cmdlet. Instead, follow the instructions for disconnected computers.

Prerequisites for running AIP labeling cmdlets unattended

To run Azure Information Protection labeling cmdlets unattended, use the following access details:

  • A Windows account that can sign in interactively.

  • An Azure AD account, for delegated access. For ease of administration, use a single account that's synchronized from Active Directory to Azure AD.

    For the delegated user account:

    Requirement: Label policy
      Make sure that you have a label policy assigned to this account and that the policy contains the published labels you want to use.
      If you use label policies for different users, you might need to create a new label policy that publishes all your labels, and publish the policy to just this delegated user account.
    Requirement: Decrypting content
      If this account needs to decrypt content, for example, to reprotect files and inspect files that others have protected, make it a super user for Azure Information Protection and make sure the super user feature is enabled.
    Requirement: Onboarding controls
      If you have implemented onboarding controls for a phased deployment, make sure that this account is included in the onboarding controls you've configured.
  • An Azure AD access token, which sets and stores credentials for the delegated user to authenticate to Azure Information Protection. When the token in Azure AD expires, you must run the cmdlet again to acquire a new token.

    The parameters for Set-AIPAuthentication use values from an app registration process in Azure AD. For more information, see Create and configure Azure AD applications for Set-AIPAuthentication.

Run the labeling cmdlets non-interactively by first running the Set-AIPAuthentication cmdlet.

The computer running the Set-AIPAuthentication cmdlet downloads the labeling policy that's assigned to your delegated user account in your labeling management center, such as the Microsoft 365 Security & Compliance Center.

Create and configure Azure AD applications for Set-AIPAuthentication

Note

Azure Information Protection is not currently supported on the Azure China portal. You can achieve the same functionality using the Azure Information Protection PowerShell commands.

The Set-AIPAuthentication cmdlet requires an app registration for the AppId and AppSecret parameters.

If you recently migrated from the classic client and had created an app registration for the previous WebAppID and NativeAppId parameters, you'll need to create a new app registration for the unified labeling client.

To create a new app registration for the unified labeling client Set-AIPAuthentication cmdlet:

  1. In a new browser window, sign in to the Azure portal, to the Azure AD tenant that you use with Azure Information Protection.

  2. Navigate to Azure Active Directory > Manage > App registrations, and select New registration.

  3. On the Register an application pane, specify the following values, and then click Register:

    Option: Name
      Value: AIP-DelegatedUser. Specify a different name as needed. The name must be unique per tenant.
    Option: Supported account types
      Value: Select Accounts in this organizational directory only.
    Option: Redirect URI (optional)
      Value: Select Web, and then enter https://localhost.
  4. On the AIP-DelegatedUser pane, copy the value for the Application (client) ID.

    The value looks similar to the following example: 77c3c1c3-abf9-404e-8b2b-4652836c8c66.

    This value is used for the AppId parameter when you run the Set-AIPAuthentication cmdlet. Paste and save the value for later reference.

  5. From the sidebar, select Manage > Certificates & secrets.

    Then, on the AIP-DelegatedUser - Certificates & secrets pane, in the Client secrets section, select New client secret.

  6. For Add a client secret, specify the following, and then select Add:

    Field: Description
      Value: Azure Information Protection unified labeling client
    Field: Expires
      Value: Specify your choice of duration (1 year, 2 years, or never expires)
  7. Back on the AIP-DelegatedUser - Certificates & secrets pane, in the Client secrets section, copy the string for the VALUE.

    This string looks similar to the following example: OAkk+rnuYc/u+]ah2kNxVbtrDGbS47L4.

    To make sure you copy all the characters, select the icon to Copy to clipboard.

    Important

    It's important that you save this string because it is not displayed again and it cannot be retrieved. As with any sensitive information that you use, store the saved value securely and restrict access to it.

  8. From the sidebar, select Manage > API permissions.

    On the AIP-DelegatedUser - API permissions pane, select Add a permission.

  9. On the Request API permissions pane, make sure that you're on the Microsoft APIs tab, and select Azure Rights Management Services.

    When you're prompted for the type of permissions that your application requires, select Application permissions.

  10. For Select permissions, expand Content and select the following, and then select Add permissions.

    • Content.DelegatedReader
    • Content.DelegatedWriter
  11. Back on the AIP-DelegatedUser - API permissions pane, select Add a permission again.

    On the Request API permissions pane, select APIs my organization uses, and search for Microsoft Information Protection Sync Service.

  12. On the Request API permissions pane, select Application permissions.

    For Select permissions, expand UnifiedPolicy, select UnifiedPolicy.Tenant.Read, and then select Add permissions.

  13. Back on the AIP-DelegatedUser - API permissions pane, select Grant admin consent for <your tenant name> and select Yes for the confirmation prompt.

    Your API permissions should look like the following image:

    [Image: API permissions of the registered app in Azure AD]

Now that you've completed the registration of this app with a secret, you're ready to run Set-AIPAuthentication with the AppId and AppSecret parameters. Additionally, you'll need your tenant ID.

Tip

You can quickly copy your tenant ID by using the Azure portal: Azure Active Directory > Manage > Properties > Directory ID.

Running the Set-AIPAuthentication cmdlet

  1. Open Windows PowerShell with the Run as administrator option.

  2. In your PowerShell session, create a variable to store the credentials of the Windows user account that will run non-interactively. For example, if you created a service account for the scanner:

    $pscreds = Get-Credential "CONTOSO\srv-scanner"

    You're prompted for this account's password.

  3. Run the Set-AIPAuthentication cmdlet with the OnBehalfOf parameter, specifying as its value the variable that you created.

    Also specify your app registration values, your tenant ID, and the name of the delegated user account in Azure AD. For example:

    Set-AIPAuthentication -AppId "77c3c1c3-abf9-404e-8b2b-4652836c8c66" -AppSecret "OAkk+rnuYc/u+]ah2kNxVbtrDGbS47L4" -TenantId "9c11c87a-ac8b-46a3-8d5c-f4d0b72ee29a" -DelegatedUser scanner@contoso.com -OnBehalfOf $pscreds
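The unattended flow from the steps above, put together as an added example that is not code from the original article: the app secret and the service-account password stay out of the script in DPAPI-protected files created once by the service account, the module's presence is checked before use, and Get-AIPFileStatus then inventories a share without prompts. The file paths, share name, CSV output and the one-time setup commands are assumptions.

```powershell
# One-time setup, run interactively AS the service account (CONTOSO\srv-scanner) on the
# computer that will run the scheduled task. Export-Clixml protects the password and the
# SecureString with DPAPI, so the files are readable only by that user on that computer:
#   Get-Credential "CONTOSO\srv-scanner" | Export-Clixml -Path "C:\AIP\srv-scanner-cred.xml"
#   Read-Host -AsSecureString "App secret" | Export-Clixml -Path "C:\AIP\aip-app-secret.xml"

$ErrorActionPreference = 'Stop'

# The module ships with the unified labeling client; fail early if it is not on PSModulePath.
if (-not (Get-Module -ListAvailable -Name AzureInformationProtection)) {
    throw "AzureInformationProtection module not found; check the client install and PSModulePath."
}
Import-Module AzureInformationProtection

# App registration values from the Azure AD steps above (constructed placeholders).
$appId     = "77c3c1c3-abf9-404e-8b2b-4652836c8c66"
$tenantId  = "9c11c87a-ac8b-46a3-8d5c-f4d0b72ee29a"
$delegated = "scanner@contoso.com"

# Recover the protected values. The secret is in clear text only for the duration of the call.
$pscreds   = Import-Clixml -Path "C:\AIP\srv-scanner-cred.xml"   # PSCredential
$secure    = Import-Clixml -Path "C:\AIP\aip-app-secret.xml"     # SecureString
$appSecret = [System.Net.NetworkCredential]::new('', $secure).Password

Set-AIPAuthentication -AppId $appId -AppSecret $appSecret -TenantId $tenantId `
    -DelegatedUser $delegated -OnBehalfOf $pscreds
Remove-Variable appSecret

# With the token acquired, the labeling cmdlets run without prompts. Inventory a share
# and flag files that carry a label but no protection, for follow-up.
$report = Get-ChildItem -Path "\\fileserver\finance" -Recurse -File |
    Get-AIPFileStatus |
    Select-Object FileName, IsLabeled, MainLabelName, IsRMSProtected

$report | Export-Csv -Path "C:\AIP\label-inventory.csv" -NoTypeInformation
$report | Where-Object { $_.IsLabeled -and -not $_.IsRMSProtected } |
    Select-Object FileName, MainLabelName | Format-Table -AutoSize
```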

Next steps

For cmdlet help when you are in a PowerShell session, type Get-Help <cmdlet name> -online. For example:

Get-Help Set-AIPFileLabel -online

For more information, see: