Tutorial: Migrating from the Azure Information Protection (AIP) classic client to the unified labeling solution

Applies to: Azure Information Protection

Relevant for: Azure Information Protection classic client for Windows

Note

To provide a unified and streamlined customer experience, Azure Information Protection's classic client and Label Management in the Azure portal are being deprecated as of March 31, 2021.

This time frame enables all current Azure Information Protection classic client customers to transition to AIP unified labeling, which uses Microsoft Information Protection's Unified Labeling solution. Learn more in the official deprecation notice.

This tutorial describes how to migrate your organization's Azure Information Protection deployment from the classic client, and label/label policy management in the Azure portal, to the unified labeling solution and Microsoft 365 sensitivity labels.

Time required: The time required to complete a migration depends on how complex your policies are and the AIP features you use. You can continue to work with the classic client while you migrate in the background.

This tutorial provides a high-level description of each step, and then refers to the relevant section elsewhere in Microsoft documentation for more details.

In this tutorial, you'll:

  • Learn about planning your migration
  • Migrate your labels to the unified labeling platform
  • Learn how to configure advanced settings in your new labeling admin center
  • Copy your policies to the unified labeling platform
  • Deploy the unified labeling client

Why migrate to the unified labeling solution?

In addition to the planned classic client deprecation, migrating to the unified labeling solution enables you to effectively protect sensitive data across your digital estate. Once you've migrated, use Microsoft Information Protection (MIP) in Microsoft 365 cloud services, on-premises, in third-party SaaS applications, and more.

MIP supports built-in labeling services for many basic information protection features, enabling you to reserve client usage only for extra features not supported by built-in labeling.

  • Lower your maintenance costs, by deploying and maintaining less additional software

  • Increase Office performance, without the need for additional add-ins

  • Streamline your labeling and protection policy management across AIP, Office 365, and Windows, using your labeling admin center.

    Supported admin centers include the Microsoft 365 compliance center, the Microsoft 365 security center, or the Microsoft 365 Security & Compliance Center.

For more information, see the Understanding unified labeling migration blog.

Planning your migration

While most functionality available for the AIP classic client is also available for the unified labeling client, some features are not yet fully available, and some are configured differently for unified labeling.

Review the following articles to understand how the Information Protection features you use may differ when using the unified labeling client:

Tip

If there are documented differences between the clients that impact your end users' behavior, we recommend communicating these changes effectively to your users before deploying the unified labeling client and publishing your new policy.

Once you've planned your migration and understood the changes that will occur, continue with Migrating labels to the unified labeling platform.

Migrating labels to the unified labeling platform

Note

Azure Information Protection is not currently supported on the Azure China portal. You can achieve the same functionality using the Azure Information Protection PowerShell commands.

Once you've planned your migration and considered how you will manage the differences in the clients, you're ready to activate unified labeling and migrate your labels.

While you migrate, you can continue to use the AIP classic client and the policies in the Azure Information Protection area in the Azure portal. The two clients can work side by side without any additional configuration.

  1. Sign in to the Azure portal as an administrator with one of the following roles:

    • Compliance administrator
    • Compliance data administrator
    • Security administrator
    • Global administrator
  2. On the Azure Information Protection area, under Manage on the left, select Unified labeling.

    At the top of the page, select Activate to activate unified labeling.

    Your labels are copied from Azure Information Protection to the unified labeling platform, and are now stored in both systems.

    Open your labeling admin center to compare the labels displayed there and in the Azure Information Protection area. The two lists should be identical. For example, when comparing to the Microsoft 365 Security & Compliance Center:

    [Image: Comparing migrated labels between the Azure portal and the Security & Compliance Center]

    Note

    If needed, continue using the labels in both systems until you finish migrating. For more information, see Synchronizing labeling edits.

Continue with Copy policies to the unified labeling platform.

Synchronizing labeling edits

Once you've migrated your labels to your labeling admin center, including the Microsoft 365 security center, Microsoft 365 compliance center, or the Microsoft 365 Security & Compliance Center, any edits you continue to make to the migrated labels in the Azure portal are automatically synchronized to the same label in the admin center for unified labeling.

However, edits made to migrated labels in your admin center are not synchronized back to the Azure portal. If you make edits in the admin center and need them updated in the Azure portal, return to the portal to publish the update.

To publish an updated label in the Azure portal:

  1. On the Azure Information Protection area, under Manage on the left, select Unified labeling.

  2. Select Publish.

Note

This step is only required if you've made edits to your migrated labels in the unified labeling platform, and need those edits synchronized back with the Azure portal.

Migrating labels via PowerShell

You can also use PowerShell to migrate your existing labels, such as for a GCC High environment.

Use the New-Label cmdlet to migrate your existing sensitivity labels.

For example, if your sensitivity label has encryption, you might use the New-Label cmdlet as follows:

New-Label -Name 'aipscopetest' -Tooltip 'aipscopetest' -Comment 'admin notes' -DisplayName 'aipscopetest' -Identity 'b342447b-eab9-ea11-8360-001a7dda7113' -EncryptionEnabled $true -EncryptionProtectionType 'template' -EncryptionTemplateId 'a32027d7-ea77-4ba8-b2a9-7101a4e44d89' -EncryptionAipTemplateScopes "['allcompany@labelaction.onmicrosoft.com','admin@labelaction.onmicrosoft.com']"

For more information about working in GCC, GCC-High, and DoD environments, see the Azure Information Protection Premium Government Service Description.

Copy policies to the unified labeling platform

Copy any policies you have stored in the Azure portal that you want to have available as they are in the unified labeling platform.

This feature is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Note

Copying policies has certain limitations. You can also start from scratch and create your policies manually in your labeling admin center. For more information, see the Microsoft 365 documentation.

To copy your policies:

  1. Consider the following items and confirm that you want to copy your policies at this time:

    • Consideration: Copying policies copies all your policies
      Description: Copying policies does not support copying specific policies only - it's all of your policies, or none of them now.

    • Consideration: Copying automatically publishes your policies
      Description: Copying your policies to the unified labeling client automatically publishes them to all unified labeling-supported clients.
      Important: Do not copy your policies if you don't want to publish them.

    • Consideration: Copying overwrites existing policies of the same name
      Description: If you have a policy with the same name already existing in your admin center, copying your policies will overwrite any settings defined in that policy.
      All policies copied from the Azure portal are named with the following syntax: AIP_<policy name>.

    • Consideration: Some client settings are not copied
      Description: Some client settings are not copied to the unified labeling platform, and must be configured manually after migrating.
      For more information, see Configuring advanced labeling settings.
  2. Sign in to the Azure portal as an administrator with one of the following roles:

    • Compliance administrator
    • Compliance data administrator
    • Security administrator
    • Global administrator
  3. On the Azure Information Protection area, under Manage on the left, select Unified labeling.

  4. Select Copy policies (Preview). All of the policies you have stored in the Azure portal are copied to your admin center.

    If there are any policies already in the admin center with the same name, the policies are overwritten with the settings from the Azure portal.

    Important

    If you currently use Microsoft Cloud App Security and Azure Information Protection labels, verify that you have published at least one policy with a minimal set of labels to your labeling admin center, even if the policy is scoped to a single user.

    This policy is required for Microsoft Cloud App Security to identify all the labels in the labeling admin center, and show them in the Microsoft Cloud App Security portal.
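
Because copying is all-or-nothing, publishes automatically and overwrites same-named policies, it is worth listing the collisions before selecting Copy policies. The following PowerShell check is an added example, not part of the original tutorial: the function name Get-AipCopyCollision, the sample policy names and the case-insensitive name comparison are assumptions, and Get-LabelPolicy is the Security & Compliance PowerShell cmdlet that lists existing label policies.

```powershell
# Added example: pre-flight check to run before "Copy policies (Preview)".
# Copied policies are named AIP_<policy name> and overwrite an admin-center
# policy of the same name, so report which existing policies are at risk.

function Get-AipCopyCollision {
    [CmdletBinding()]
    param(
        # Policy names as shown in the Azure portal (typed in by the admin).
        [Parameter(Mandatory)]
        [string[]] $AzurePortalPolicyName,

        # Policy names that already exist in the labeling admin center.
        [AllowEmptyCollection()]
        [string[]] $AdminCenterPolicyName = @()
    )

    foreach ($name in $AzurePortalPolicyName) {
        $target = "AIP_$name"
        [pscustomobject]@{
            AzurePortalPolicy = $name
            CopiedAs          = $target
            # -contains is case-insensitive; treating policy names that way
            # is an assumption that errs on the side of flagging a collision.
            WillOverwrite     = $AdminCenterPolicyName -contains $target
        }
    }
}

# Constructed sample data so the check runs offline.
$portalPolicies = 'Global', 'Finance', 'Legal - External'
$adminCenter    = 'AIP_Global', 'Default sensitivity policy', 'aip_finance'

# In a live Security & Compliance PowerShell session, use the real list instead:
#   $adminCenter = (Get-LabelPolicy).Name

$report = Get-AipCopyCollision -AzurePortalPolicyName $portalPolicies `
                               -AdminCenterPolicyName $adminCenter
$report | Format-Table -AutoSize

# Every portal policy is copied and published, so any collision is a real overwrite.
$hits = @($report | Where-Object { $_.WillOverwrite })
if ($hits.Count -gt 0) {
    Write-Warning ("{0} admin-center policies would be overwritten: {1}. Record their settings before copying." -f `
        $hits.Count, ($hits.CopiedAs -join ', '))
}
```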

Now that you've migrated both your labels and policies, continue with Configuring advanced labeling settings to cover any advanced configurations that were not migrated.

Configuring advanced labeling settings

As explained during the planning phase, some advanced labeling settings are not migrated automatically, and must be reconfigured for the unified labeling platform.

For more information, see:

Configure advanced labeling settings in PowerShell

  1. Connect to the Office 365 Security & Compliance Center PowerShell module. For more information, see Security & Compliance Center PowerShell documentation.

  2. To define an advanced label setting, use the Set-Label cmdlet, specifying the AdvancedSettings parameter, the label you want to apply the setting to, as well as key/value pairs to define your setting.

    Use the following syntax:

    Set-Label -Identity <LabelGUIDorName> -AdvancedSettings @{<Key>="<value1>,<value2>"}

    Where:

    • <LabelGUIDorName> identifies your label, using the label name or GUID
    • <Key> is the key, or name, of the advanced setting you want to define
    • <Value> is the setting value you want to define. Surround your value in quotes, and separate multiple values by commas. White spaces are not supported.
  3. Get started by configuring the following advanced settings:

    For more information about advanced configurations available, see Admin Guide: Custom configurations for the Azure Information Protection unified labeling client.

Note

To leverage the settings you've defined for the unified labeling platform, end-users must have the unified labeling client installed on their machines.

These advanced settings are not available for users who have only built-in labeling provided by Office 365.

Define label conditions in the labeling admin center

Unified labeling conditions provide more flexibility and better accuracy than their counterparts that had been created in the Azure portal.

To leverage unified labeling condition features, create your labeling conditions manually in your labeling admin center, including:

  • The Microsoft 365 compliance center
  • The Microsoft 365 security center
  • The Microsoft 365 Security & Compliance Center

For more information, see What sensitivity labels can do in the Microsoft 365 documentation.

Tip

If you have any custom sensitive information types created for use with Office 365 DLP or Microsoft Cloud App Security, apply them as-is to unified labeling. For more information, see the Microsoft 365 documentation.

Deploy a unified labeling client

Deploy a client that supports unified labeling across your users' machines to ensure that they will be able to use your unified labeling policies and labels.

Users must have a supported client that can connect to your labeling admin center and pull the unified labeling policy.

For more information, see:

Non-Windows platforms

For users on non-Windows platforms, unified labeling capabilities are integrated directly in the Office clients, and can use any labels you've published immediately.

Office clients with integrated unified labeling capabilities include:

  • Office clients for macOS
  • Office for the web (preview)
  • The Outlook Web App
  • Outlook for mobile

For more information about unified labeling in these platforms, see Apply sensitivity labels to your files and email in Office on the Microsoft Support site.

Windows platforms

For Windows machines with Microsoft 365 Apps for Enterprise, use the built-in labeling support provided in Office versions 1910 and higher, or install the Azure Information Protection unified labeling client to extend AIP functionality to the File Explorer or PowerShell.

For more information, see:

The Azure Information Protection unified labeling client can be downloaded from the Microsoft Download Center.

Make sure that you use the AzInfoProtection_UL file to deploy the client. If you currently have the classic client installed on the machine, installing the unified labeling client performs an in-place upgrade.

Note

Consider the AIP functionality currently required by your organization when determining when to use built-in labeling and when to use the unified labeling client.

What changes for classic client end users?

The main, most visible difference for end users who have been using the Azure Information Protection classic client is that the Protect button in Office apps is replaced by the Sensitivity button.

Once you leverage the additional capabilities supported by sensitivity labels and unified labeling, end users will also see those changes in their Office apps.

For example:

  • Windows AIP classic client

    [Image: The Protect button in the classic client]

  • Windows AIP unified labeling client

    [Image: Sample button for the unified labeling client in Microsoft Office]

Tip

If you have published your labels and the clients that have built-in support do not show the Sensitivity button, review the relevant troubleshooting guide as needed.

Next steps

Once you've migrated your labels, policies, and deployed clients as needed, continue by managing labels and labeling policies only in your labeling admin center, including the Microsoft 365 compliance center, the Microsoft 365 security center, or the Microsoft 365 Security & Compliance Center.

With the unified labeling platform, you'll only need to return to the Azure Information Protection area in the Azure portal to:

We recommend that end-users leverage built-in labeling capabilities in the latest Office apps for web, Mac, iOS, and Android, as well as Microsoft 365 Apps for Enterprise.

To use additional AIP features not yet supported by built-in labeling, we recommend using the latest unified labeling client for Windows.