Tutorial: Installing the Azure Information Protection (AIP) unified labeling scanner

Applies to: Azure Information Protection

Relevant for: Azure Information Protection unified labeling client for Windows

This tutorial describes how to install the Azure Information Protection (AIP) on-premises scanner. The scanner enables AIP administrators to scan their networks and content shares for sensitive data, and to apply the classification and protection labels configured in their organization's policy.

Time required: You can complete this tutorial in 30 minutes.

Tutorial prerequisites

Note

Azure Information Protection is not currently supported on the Azure China portal. You can achieve the same functionality using the Azure Information Protection PowerShell commands.

To install the unified labeling scanner and complete this tutorial, you'll need:

- A supporting subscription: You'll need an Azure subscription that includes Azure Information Protection. If you don't have one of these subscriptions, create a trial account for your organization.

- Admin access to the Azure portal: Make sure that you can sign in to the Azure portal with one of the following administrator accounts:

  - Compliance administrator
  - Compliance data administrator
  - Security administrator
  - Global administrator

- Client installed: Install the AIP unified labeling client on your computer to access the scanner installation. Download and run AzInfoProtection_UL.exe from the Microsoft Download Center. When the installation is complete, you may be prompted to restart your computer or Office software; restart as needed to continue. For more information, see Quickstart: Deploying the Azure Information Protection (AIP) unified labeling client.

- SQL Server: To run the scanner, you'll need SQL Server installed on the scanner machine. To install it, go to the SQL Server download page and select Download now under the installation option you want. In the installer, select the Basic installation type. Note: We recommend SQL Server Enterprise for production environments, and Express only for testing environments.

- Azure Active Directory account: When working with a standard, cloud-connected environment, the domain service account you want to use for the scanner must be synchronized to Azure Active Directory. This isn't necessary if you're working offline. If you're not sure about your account, contact one of your system administrators to verify the sync status.

- Sensitivity labels and a published policy: You must have created sensitivity labels, and published a policy containing at least one label, for the scanner service account. Configure sensitivity labels in your labeling admin center (the Microsoft 365 compliance center, the Microsoft 365 security center, or the Microsoft 365 Security & Compliance Center). For more information, see the Microsoft 365 documentation.

Once you've confirmed your prerequisites, Configure Azure Information Protection in the Azure portal.

Configure Azure Information Protection in the Azure portal

Azure Information Protection may not be available for you in the Azure portal, or protection may not be currently activated.

Perform one or both of the following steps, as needed:

- Add Azure Information Protection to the Azure portal
- Confirm that protection is activated

Then, continue with Configure initial scanner settings in the Azure portal.

Add Azure Information Protection to the Azure portal

  1. Sign in to the Azure portal using a supporting admin account.

  2. Select + Create a resource. In the search box, search for and then select Azure Information Protection. On the Azure Information Protection page, select Create, and then Create again.

    (Screenshot: Adding Azure Information Protection to the Azure portal)

    Tip

    If this is the first time you're performing this step, you'll see a Pin to dashboard icon next to the pane name. Select the pin icon to create a tile on your dashboard so that you can navigate directly here next time.

Continue with Confirm that protection is activated.

Confirm that protection is activated

If you already have Azure Information Protection available, make sure that protection is activated:

  1. In the Azure Information Protection area, under Manage on the left, select Protection Activation.

  2. Confirm whether protection is activated for your tenant. For example:

    (Screenshot: Confirming AIP activation)

If protection isn't activated, select Activate. When activation is complete, the information bar displays Activation finished successfully.

Continue with Configure initial scanner settings in the Azure portal.

Configure initial scanner settings in the Azure portal

Prepare your initial scanner settings in the Azure portal before you install the scanner on your machine.

  1. In the Azure Information Protection area, under Scanner on the left, select Clusters.

  2. On the Clusters page, select Add to create a new cluster that manages your scanners.

  3. In the Add a new cluster pane that opens on the right, enter a meaningful cluster name and an optional description.

    Important

    You'll need the name of this cluster when installing your scanner.

    For example:

    (Screenshot: Adding a new cluster for the tutorial)

  4. Create an initial content scan job. In the Scanner menu on the left, select Content scan jobs, and then select Add.

  5. In the Add a new content scan job pane, enter a meaningful name for your content scan job, and an optional description.

    Then, scroll down the page to Policy enforcement, and select Off.

    Save your changes when you're done.

    This default scan job will scan for all known sensitive information types. With enforcement off, the scanner only reports what it finds and does not apply labels, which is the appropriate setting for a first discovery pass.

  6. Close the content scan job details pane and return to the Content scan jobs grid.

    In the new row that appears for your content scan job, in the Cluster Name column, select + Assign to cluster. Then, in the Assign to cluster pane that appears on the right, select your cluster.

    (Screenshot: Assigning the content scan job to the cluster)

Now you're ready to Install the AIP unified labeling scanner.

Install the AIP unified labeling scanner

Once you've configured the basic scanner settings in the Azure portal, install the unified labeling scanner on your AIP client machine.

  1. On your client machine, open a PowerShell session with the Run as administrator option.

  2. Use the following command to install the scanner. In your command, specify the SQL Server instance the scanner should use (server name and instance name), as well as the name of the cluster you created in the Azure portal.

    Install-AIPScanner -SqlServerInstance <SQL Server name>\SQLEXPRESS -Cluster <cluster name>


    For example:

    Install-AIPScanner -SqlServerInstance localhost\SQLEXPRESS -Cluster Quickstart


    If you installed an edition other than Express, or a differently named instance, substitute that instance name for SQLEXPRESS.

    When PowerShell prompts you for credentials, enter the username and password of the scanner service account.

    For the User name field, use the following syntax: <domain\user name>. For example: emea\contososcanner.

  3. Go back to the Azure portal. In the Scanner menu on the left, select Nodes.

    You should now see your scanner added to the grid. For example:

    (Screenshot: The newly installed scanner shown on the Nodes grid)
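The steps above, assembled into one unattended pre-flight and install script. This is an added example, not code from the original tutorial or from Microsoft; the SQL instance name SQLSERVER1\SQLEXPRESS, the cluster name Quickstart and the service account CONTOSO\scanner are assumptions you replace with your own values. It checks that the scanner cmdlets are present and the SQL instance is reachable before installing, passes the service account credential to Install-AIPScanner instead of typing it at the interactive prompt, and then confirms that the AIPScanner Windows service was created and runs as that account.

```powershell
# Added example (not from the original tutorial): pre-flight checks, unattended
# install of the AIP scanner node, and verification of the resulting service.
# Assumed values (not from the original page): replace with your own.
#Requires -RunAsAdministrator

$SqlInstance = 'SQLSERVER1\SQLEXPRESS'   # assumed server\instance hosting the scanner database
$Cluster     = 'Quickstart'              # must match the cluster created in the Azure portal
$ServiceUser = 'CONTOSO\scanner'         # assumed domain service account, synced to Azure AD

# 1. The scanner cmdlets ship with the unified labeling client; fail early if it is missing.
if (-not (Get-Command Install-AIPScanner -ErrorAction SilentlyContinue)) {
    throw 'Install-AIPScanner not found: install AzInfoProtection_UL.exe first.'
}

# 2. Confirm the SQL instance accepts connections from the installing administrator.
#    Windows authentication is used, so no password is embedded in the connection string.
$connString = "Server=$SqlInstance;Integrated Security=True;Connect Timeout=10"
$conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $connString
try {
    $conn.Open()
    Write-Host "SQL instance reachable, server version $($conn.ServerVersion)"
}
catch {
    throw "Cannot reach SQL instance '$SqlInstance': $($_.Exception.Message)"
}
finally {
    $conn.Dispose()
}

# 3. Prompt once for the service account password. Passing a PSCredential to the installer
#    avoids typing the password at the later interactive prompt, so it never appears in a
#    transcript or in the command history as plain text.
$svcCred = Get-Credential -UserName $ServiceUser -Message 'Scanner service account password'

# 4. Install the scanner node and register it with the cluster.
Install-AIPScanner -SqlServerInstance $SqlInstance -Cluster $Cluster -ServiceUserCredentials $svcCred

# 5. Verify: the Windows service exists and is configured to run as the service account.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='AIPScanner'"
if (-not $svc) {
    throw 'The AIPScanner service was not created; check the Install-AIPScanner output above.'
}
'AIPScanner service state: {0}, logon account: {1}' -f $svc.State, $svc.StartName
if ($svc.StartName -ne $ServiceUser) {
    Write-Warning "Service runs as '$($svc.StartName)', expected '$ServiceUser'."
}

# 6. Show the node's local configuration; confirm the cluster name matches the portal.
Get-AIPScannerConfiguration
```

Run it from an elevated PowerShell session on the machine where the unified labeling client is installed. The SQL connection test uses the installing administrator's Windows identity, which must already have enough rights on the instance to create the scanner database, since Install-AIPScanner creates that database under the same identity.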

Continue with Get an Azure Active Directory token for the scanner, so that your scanner service account can run non-interactively.

Get an Azure Active Directory token for the scanner

Perform this procedure when you're working with a standard, cloud-connected environment, to allow the scanner to authenticate to the AIP service so that it can run non-interactively.

This procedure is not required if you're working offline only.

For more information, see How to label files non-interactively for Azure Information Protection.

To get an Azure AD token for the scanner:

  1. In the Azure portal, create an Azure AD application registration; the scanner uses its application ID and client secret to acquire an access token for authentication.

  2. On your scanner machine, sign in with the scanner service account, which must have been granted the Log on locally right, and open a PowerShell session.

  3. Run the following command, using the values copied from your Azure AD application.

    Set-AIPAuthentication -AppId <ID of the registered app> -AppSecret <client secret string> -TenantId <your tenant ID> -DelegatedUser <Azure AD account>


    For example:

    $pscreds = Get-Credential CONTOSO\scanner
    Set-AIPAuthentication -AppId "77c3c1c3-abf9-404e-8b2b-4652836c8c66" -AppSecret "OAkk+rnuYc/u+]ah2kNxVbtrDGbS47L4" -DelegatedUser scanner@contoso.com -TenantId "9c11c87a-ac8b-46a3-8d5c-f4d0b72ee29a" -OnBehalfOf $pscreds


    The command reports:

    Acquired application access token on behalf of CONTOSO\scanner.


    Tip

    If your scanner service account cannot be granted the Log on locally right, run Set-AIPAuthentication from an account that can sign in to the machine, and pass the service account's Windows credentials with the OnBehalfOf parameter, as the example above does.

The scanner now has a token to authenticate to Azure AD. It remains valid for the lifetime you configured in Azure Active Directory, that is, until the application's client secret expires. You must repeat this procedure when it expires.
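The example above passes the client secret as a literal on the command line, where it is saved to the PowerShell history file and to any transcript. The following added example (not from the original tutorial or from Microsoft) performs the same Set-AIPAuthentication call but reads the secret as a SecureString, decodes it only in memory for the call, and discards the plaintext afterwards. The application ID, tenant ID and the account scanner@contoso.com are placeholders you replace with your own.

```powershell
# Added example (not from the original tutorial): acquire the scanner's Azure AD token
# without placing the client secret on the command line.
# Placeholder values (not real identifiers): replace with those of your app registration.
$AppId     = '00000000-0000-0000-0000-000000000000'   # application (client) ID of the registration
$TenantId  = '00000000-0000-0000-0000-000000000000'   # directory (tenant) ID
$Delegated = 'scanner@contoso.com'                    # Azure AD UPN of the scanner service account

# Read the secret masked. Unlike a literal -AppSecret "..." argument, it is not written to
# %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt or to a transcript.
$secureSecret = Read-Host -Prompt 'Client secret for the app registration' -AsSecureString

# Set-AIPAuthentication takes the secret as a plain string, so decode it only for this call.
$plainSecret = [System.Net.NetworkCredential]::new('', $secureSecret).Password

try {
    # Signed in as the service account itself (Log on locally granted): DelegatedUser is enough.
    # Signed in as an administrator instead: uncomment the next line and append
    # -OnBehalfOf $svcCred so the token is cached for the service account rather than for you.
    # $svcCred = Get-Credential -UserName 'CONTOSO\scanner' -Message 'Scanner service account'
    Set-AIPAuthentication -AppId $AppId -AppSecret $plainSecret -TenantId $TenantId -DelegatedUser $Delegated
}
finally {
    # Drop the plaintext copy as soon as the call returns, whether or not it succeeded.
    Remove-Variable -Name plainSecret -ErrorAction SilentlyContinue
    $secureSecret.Dispose()
}
```

Record the client secret's expiry date from the app registration when you run this; the scanner stops authenticating silently once the secret expires, so schedule the re-run before that date rather than waiting for failed scans.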

Continue with installing the optional Network Discovery service, which lets you scan your network repositories for content that may be at risk, and then add those repositories to a content scan job.

Install the Network Discovery service (public preview)

Starting in version 2.8.85.0 of the AIP unified labeling client, administrators can use the AIP scanner to scan network repositories, and then add any repositories that look risky to a content scan job.

Network scan jobs help you understand where your content may be at risk by attempting to access the configured repositories both as an administrator and as a public user.

For example, if a repository is found to have both read and write public access, you may want to scan it further and confirm that no sensitive data is stored there.

Note

This feature is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

To install the Network Discovery service:

  1. On the scanner machine, open a PowerShell session as an administrator.

  2. Define the credentials you want AIP to use when running the Network Discovery service, as well as when simulating admin and public user access.

    Enter the credentials for each command when prompted, using the syntax domain\user. For example: emea\msanchez

    Use an ordinary, unprivileged domain account for the public-access simulation: if that account can read or write a share, so can any authenticated user in the domain.

    Run the following:

    Credentials to run the Network Discovery service:

    $serviceacct = Get-Credential


    Credentials to simulate admin access:

    $shareadminacct = Get-Credential


    Credentials to simulate public user access:

    $publicaccount = Get-Credential


  3. To install the Network Discovery service, run:

    Install-MIPNetworkDiscovery [-ServiceUserCredentials] <PSCredential> [[-StandardDomainsUserAccount] <PSCredential>] [[-ShareAdminUserAccount] <PSCredential>] [-SqlServerInstance] <String> -Cluster <String> [-WhatIf] [-Confirm] [<CommonParameters>]


    For example:

    Install-MIPNetworkDiscovery -SqlServerInstance SQLSERVER1\SQLEXPRESS -Cluster Quickstart -ServiceUserCredentials $serviceacct -ShareAdminUserAccount $shareadminacct -StandardDomainsUserAccount $publicaccount


The system shows a confirmation message when the installation is complete.

Next steps

Once you have the scanner and the Network Discovery service installed, you're ready to start scanning.

For more information, see Tutorial: Discovering your sensitive content with the Azure Information Protection (AIP) scanner.

Tip

If you've installed version 2.8.85.0 or later, we recommend that you scan your network to discover repositories that may have content at risk.

To scan your risky repositories for sensitive data, and then classify and protect that data from outside users, update your content scan job with the details of the repositories you've found.

See also: