Tutorial: Preventing oversharing in Outlook using Azure Information Protection (AIP)

*Applies to: Azure Information Protection*

*Relevant for: Azure Information Protection unified labeling client for Windows*

As a system admin, you need to ensure that your organization's content remains secure, and is shared only with trusted users. One of the most common ways that users share content inappropriately is by email. Configure your policy to prevent oversharing via Outlook, such as limiting access to specific users only, or allowing users to share content only with trusted external users.

Time required: You can complete this tutorial in 30 minutes.

In this tutorial, you learn how to:

  • Configure warning, justification, and blocking behaviors for specific labeling conditions
  • See your settings in action
  • Review the logged user messages and actions in the Event Log

Tutorial prerequisites

Make sure you have the following system requirements before starting this tutorial.

Prerequisite: Machine requirements
Make sure that you:

- Have a Windows computer, with the Azure Information Protection unified labeling client installed. For more information, see Quickstart: Deploying the Azure Information Protection (AIP) unified labeling client.

- Have PowerShell installed, and that you can run PowerShell as an administrator.

- Can sign into Outlook. Be prepared to restart Outlook multiple times during this tutorial.

Prerequisite: Azure Information Protection subscription
You'll need an Azure subscription that includes Azure Information Protection.

If you don't have one of these subscriptions, create a trial account for your organization.

Prerequisite: Sensitivity labels and a testing policy
A General sensitivity label configured in your policy.

Configure sensitivity labels in your labeling admin center, including the Microsoft 365 compliance center, the Microsoft 365 security center, or the Microsoft 365 Security & Compliance Center. For more information, see the Microsoft 365 documentation.

We recommend using a testing policy for this tutorial so that you don't affect your live policy.

Make sure that you have the name of your policy handy, as well as the GUID for your General label.

Let's get started.

Implement a warning message for emails labeled as General

This procedure describes how to configure your policy to warn Outlook users before they send an email labeled General.

The users can choose to heed the warning, and either change the label or the content, or they can choose to send the email anyway.

  1. On the client machine, run PowerShell as an administrator.

  2. Run the following command to define a warning message for the General label. When you copy this command, replace Global with the name of your policy, and the long string of characters with your own label ID.

    Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookWarnUntrustedCollaborationLabel="8faca7b8-8d20-48a3-8ea2-0f96310a848e"}
    

    In this example, the policy is named Global, and the GUID for the General label is 8faca7b8-8d20-48a3-8ea2-0f96310a848e.

    Tip

    If you want to apply this setting to multiple labels, list their GUIDs in the value, separated by commas.

  3. Test your setting in Outlook:

    1. On your client computer, open or restart Outlook to pull the updated settings.

    2. Create a new email message, and apply the General label. In the message toolbar, select the Sensitivity button, and then select General.

    3. Define the To field with your own email address, the Subject field as: Testing a warning message for the General label, and then send the email.

      You should see the following warning, asking you to confirm before sending the email. For example:

      (Screenshot: warning message for the General label)

    4. Pretend that you're a user who has mistakenly tried to email something that was labeled General. In this case, you want to heed the warning, so select Cancel.

      Your email is not sent, but remains open so that you can either change the content or the label.

    5. There's no need to make any changes, and you can decide that the content is appropriate to send. Select Send again. This time, when the warning appears, select Confirm and Send.

      The email is sent.

Continue with Show a warning message for General emails only when they're sent externally.

Show a warning message for General emails only when they're sent externally

This procedure describes how to add an exception to the warning message you configured earlier, so that the warning message is only displayed for external recipients.

When sending a General email internally, the warning message is not displayed.

  1. On the client machine, run PowerShell as an administrator.

  2. Run the following command to define your domain as a trusted domain for warning messages. When you copy this command, replace Global with the name of your policy, and contoso.com with your own domain.

    Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookWarnTrustedDomains="contoso.com"}


    Tip

    If you want to apply this setting to multiple domains, for example to add trusted partners, list the domains in the value, separated by commas.

  3. Test your setting in Outlook:

    1. On your client computer, open or restart Outlook to pull the updated settings.

    2. Create a new email message, and apply the General label. In the message toolbar, select the Sensitivity button, and then select General.

    3. Define the To field with your own email address, the Subject field as: Testing a warning message for the General label, and then send the email.

      The email is sent, and no warning is displayed.
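The two procedures above each set one advanced property by hand. The following script, added here as an example and not part of the tutorial, sets the warn-label list and the trusted-domain list together, validates the values before they are pushed to every client, and reads the policy back to confirm what Outlook will pull. It assumes an open Security & Compliance PowerShell session (Connect-IPPSSession), and the second GUID and the partner domain are constructed placeholders to replace with your own.

```powershell
# Added example, not part of the tutorial: set OutlookWarnUntrustedCollaborationLabel
# and OutlookWarnTrustedDomains in one call, with a sanity check on the values first.
# Assumes Connect-IPPSSession has already been run in this session.

$PolicyName = 'Global'                      # replace with your policy name

$WarnLabelIds = @(
    '8faca7b8-8d20-48a3-8ea2-0f96310a848e'  # General label GUID used in the tutorial
    '00000000-0000-0000-0000-000000000000'  # constructed placeholder for a second label GUID
)

$TrustedDomains = @(
    'contoso.com'                           # your own domain, as in the tutorial
    'partner.example'                       # constructed placeholder for a trusted partner
)

# Fail early on a mistyped GUID or domain: a bad value is distributed to every client.
foreach ($id in $WarnLabelIds) {
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($id, [ref]$parsed)) { throw "Not a valid label GUID: $id" }
}
foreach ($d in $TrustedDomains) {
    if ($d -notmatch '^[A-Za-z0-9.-]+\.[A-Za-z]{2,}$') { throw "Not a valid domain: $d" }
}

# Both settings take one comma-separated string (see the Tips in the procedures above).
$advanced = @{
    OutlookWarnUntrustedCollaborationLabel = ($WarnLabelIds -join ',')
    OutlookWarnTrustedDomains              = ($TrustedDomains -join ',')
}

Set-LabelPolicy -Identity $PolicyName -AdvancedSettings $advanced

# Read the stored advanced settings back and show only the two keys just set.
(Get-LabelPolicy -Identity $PolicyName).Settings |
    Where-Object { $_ -match 'OutlookWarnUntrustedCollaborationLabel|OutlookWarnTrustedDomains' }
```

Clients only see the change after Outlook is restarted, as the test steps above describe.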

Request users to justify sending unlabeled content

This procedure describes how to configure advanced settings so that users must justify their reasoning for sending unlabeled content.

  1. On the client machine, run PowerShell as an administrator.

  2. To have Outlook display a justification message for your users if they try to send an unlabeled email, replace Global with the name of your policy, and run:

    Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookUnlabeledCollaborationAction="Justify"}

  3. Test your setting in Outlook:

    1. On your client computer, open or restart Outlook to pull the updated settings.

    2. Create a new email message, and make sure that there is no label applied.

      For example, if your policy applies a default label, use the delete button to remove it.

    3. Define the To field with your own email address, the Subject field as: Testing the justification message for unlabeled content, and then send the email.

      A popup is displayed, similar to the following example:

      (Screenshot: example justification message for unlabeled content)

    4. Select one of the options. If you select the third option, Other, as explained, enter some sample text in the text box.

    5. Select Confirm and Send.

      The email is sent.

Continue with Customize the free text justification prompt.

Customize the free text justification prompt

This procedure describes how to customize the third option in the default justification message.

For example, you may want to add text there to prompt the user to add specific details, or to remind users not to enter any sensitive data.

  1. On the client machine, run PowerShell as an administrator.

  2. To customize the free text prompt in the justification message displayed, replace Global with your policy name, and run:

    Set-LabelPolicy -Identity Global -AdvancedSettings @{JustificationTextForUserText="Other (please explain) - Do not enter sensitive info"}


    Tip

    Feel free to replace the value in quotes with any other text you want to display there instead.

  3. Test your setting in Outlook:

    1. On your client computer, open or restart Outlook to pull the updated settings.

    2. Create a new email message, and make sure there is no label applied.

      For example, if your policy applies a default label, use the delete button to remove it.

    3. Define the To field with your own email address, the Subject field as: Testing a customized free text justification prompt, and then send the email.

      The justification popup is displayed, this time with your customized text. For example:

      (Screenshot: example justification prompt with a customized free text option)

Block users from sending unlabeled PowerPoint messages

This procedure describes how to block your users from sending unlabeled PowerPoint files from Outlook.

  1. On the client machine, run PowerShell as an administrator.

  2. To block unlabeled content from being sent from Outlook, replace Global with your policy name, and run:

    Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookUnlabeledCollaborationAction="Block"}

  3. To limit the blocking behavior to specific PowerPoint file types only, replace Global with your policy name, and run:

    Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookOverrideUnlabeledCollaborationExtensions=".PPTX,.PPTM,.POTX,.POTM,.POT"}

  4. Test your setting in Outlook:

    1. On your client computer, open PowerPoint and create a new .pptx file, making sure to leave the file unlabeled.

    2. Open or restart Outlook to pull the updated settings.

    3. Attach your unlabeled PowerPoint file to a new Outlook message.

    4. Define the To field with your own email address, the Subject field as: Testing sending unlabeled PowerPoint files, and then send the email.

      Outlook blocks the email from being sent, and displays the following message:

      (Screenshot: example block message for an unlabeled PowerPoint attachment)

Continue with Customize the block message for unlabeled PowerPoint messages.

Customize the block message for unlabeled PowerPoint messages

This procedure describes how to customize the message that appears when a user tries to send an unlabeled PowerPoint file to external users.

Important

This procedure overrides any settings you've already defined using the OutlookUnlabeledCollaborationAction advanced property, and is shown for tutorial purposes only.

In production, we recommend that you avoid complications by either using the OutlookUnlabeledCollaborationAction advanced property to define your rules, or defining complex rules with a JSON file as shown below, but not both.

To define your rule using a JSON file:

  1. Create a .json file, named OutlookCollaborationRule_1.json, with the following code:

    {
        "type": "And",
        "nodes": [
            {
                "type": "Except",
                "node": {
                    "type": "SentTo",
                    "Domains": [
                        "contoso.com"
                    ]
                }
            },
            {
                "type": "Or",
                "nodes": [
                    {
                        "type": "AttachmentLabel",
                        "LabelId": null,
                        "Extensions": [
                            ".PPTX",
                            ".PPTM",
                            ".POTX",
                            ".POTM",
                            ".POT"
                        ]
                    },
                    {
                        "type": "EmailLabel",
                        "LabelId": null
                    }
                ]
            },
            {
                "type": "Email Block",
                "LocalizationData": {
                    "en-us": {
                        "Title": "Email Blocked",
                        "Body": "Sending PowerPoint files to external recipients requires that you label your files so that we can classify and protect Contoso content.<br><br>List of attachments that are not labeled:<br><br>${MatchedAttachmentName}<br><br><br>This message will not be sent.<br>You are responsible for ensuring compliance to classification requirement as per Contoso’s policies.<br><br>Label your document and send it again."
                    }
                },
                "DefaultLanguage": "en-us"
            }
        ]
    }
    
  2. Save your OutlookCollaborationRule_1.json file in a location that's accessible by your client machine.

  3. On the client machine, run PowerShell as an administrator.

  4. To customize your blocking message, copy the following code, replacing C:\OutlookCollaborationRule_1.json with the path to your .json file, and General with the name of your policy.

    $filedata = Get-Content "C:\OutlookCollaborationRule_1.json"
    Set-LabelPolicy -Identity General -AdvancedSettings @{OutlookCollaborationRule_1="$filedata"}


    Run the code to implement the settings defined in your .json file.

  5. Test your setting in Outlook:

    1. On your client computer, open PowerPoint and create a new .pptx file, making sure to leave the file unlabeled.

    2. Open or restart Outlook to pull the updated settings.

    3. Attach your unlabeled PowerPoint file to a new Outlook message.

    4. Define the To field with your own email address, the Subject field as: Testing customized blocking message for unlabeled PowerPoint files, and then send the email.

      Outlook blocks the email from being sent, and displays the following message:

      (Screenshot: customized block message for an unlabeled PowerPoint file)
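A rule file that is not valid JSON, or that names a language with no matching text, only fails once it reaches the clients. The script below, added here as an example and not part of the tutorial, checks OutlookCollaborationRule_1.json on the admin's machine for the node types the rule above uses, and applies it only when no problems are found. It assumes the file path and the policy name General from step 4; `-Raw` is used so the file is read as one string rather than as an array of lines.

```powershell
# Added example, not part of the tutorial: validate the Outlook collaboration rule
# file before pushing it into the label policy. Assumes the path and policy name below.

function Test-OutlookCollaborationRule {
    param([Parameter(Mandatory)][string]$Path)

    # -Raw keeps the file as a single string; without it Get-Content returns lines.
    $raw = Get-Content -Path $Path -Raw -ErrorAction Stop
    try {
        $rule = $raw | ConvertFrom-Json
    } catch {
        throw "$Path is not valid JSON: $($_.Exception.Message)"
    }

    $problems = [System.Collections.Generic.List[string]]::new()

    function Walk($node, $depth) {
        if (-not $node.type) { $problems.Add("node at depth $depth has no 'type'"); return }
        switch ($node.type) {
            'Except'          { Walk $node.node ($depth + 1) }
            'SentTo'          {
                if (-not $node.Domains) { $problems.Add("SentTo node lists no Domains") }
            }
            'AttachmentLabel' {
                # Duplicate or malformed extensions usually mean a copy/paste slip.
                $node.Extensions | Group-Object | Where-Object Count -gt 1 |
                    ForEach-Object { $problems.Add("duplicate extension $($_.Name)") }
                $node.Extensions | Where-Object { $_ -notmatch '^\.[A-Za-z0-9]+$' } |
                    ForEach-Object { $problems.Add("extension '$_' should look like .PPTX") }
            }
            'Email Block'     {
                $lang = $node.DefaultLanguage
                if (-not $lang) { $problems.Add("Email Block node has no DefaultLanguage") }
                elseif (-not $node.LocalizationData.$lang) {
                    $problems.Add("no LocalizationData entry for DefaultLanguage '$lang'")
                }
            }
        }
        foreach ($child in $node.nodes) { Walk $child ($depth + 1) }
    }
    Walk $rule 0

    [pscustomobject]@{
        Path     = $Path
        Valid    = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
        Raw      = $raw
    }
}

$result = Test-OutlookCollaborationRule -Path 'C:\OutlookCollaborationRule_1.json'
if (-not $result.Valid) {
    $result.Problems | ForEach-Object { Write-Warning $_ }
    throw "Rule file rejected; fix the problems above before applying it."
}

# Same call as step 4 of the tutorial, fed the validated file contents.
Set-LabelPolicy -Identity 'General' -AdvancedSettings @{ OutlookCollaborationRule_1 = $result.Raw }
```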

Continue with Use Event Log to identify the messages and user actions for the General label.

Use Event Log to identify the messages and user actions for the General label

In this tutorial, you learned how to customize AIP's behavior in Outlook to prevent a few types of oversharing, including warning, justification, and block messages. You've also checked the behavior from Outlook on your local client computer.

Now you can start the Windows Event Viewer to check the logs for the actions that occurred.

To check the Event Viewer for AIP logging events:

On your client machine, open the Windows Event Viewer application, and navigate to Applications and Services Logs > Azure Information Protection.

You'll see an information event logged for each test you performed, including details about both the message and the user response:

  • Warn messages: Information ID 301
  • Justify messages: Information ID 302
  • Block messages: Information ID 303

For example:

Check the Event log for your warning message tests

The first test was to warn the user, and you selected Cancel. In this case, the User Response displays Dismissed in the first Event 301:

Client Version: 2.8.85.0
Client Policy ID: e5287fe6-f82c-447e-bf44-6fa8ff146ef4
Item Full Path: Testing a warning message for the General label.msg
Item Name: Testing a warning message for the General label
Process Name: OUTLOOK
Action: Warn
Label After Action: General
Label ID After Action: 0e421e6d-ea17-4fdb-8f01-93a3e71333b8
Action Source: 
User Response: Dismissed

However, you then selected Confirm and Send, which is reflected in the next Event 301, where the User Response displays Confirmed:

Client Version: 2.8.85.0
Client Policy ID: e5287fe6-f82c-447e-bf44-6fa8ff146ef4
Item Full Path: Testing a warning message for the General label.msg
Item Name: Testing a warning message for the General label
Process Name: OUTLOOK
Action: Warn
Label After Action: General
Label ID After Action: 0e421e6d-ea17-4fdb-8f01-93a3e71333b8
Action Source: 
User Response: Confirmed

Check the Event log for your justify message tests

The same pattern is repeated for the justify message, which has an Event 302. The first event has a User Response of Dismissed, and the second shows the justification that was selected. For example:

Client Version: 2.8.85.0
Client Policy ID: e5287fe6-f82c-447e-bf44-6fa8ff146ef4
Item Full Path: Testing the justification message for unlabeled content.msg
Item Name: Testing the justification message for unlabeled content
Process Name: OUTLOOK
Action: Justify
Label After Action: General
Label ID After Action: 0e421e6d-ea17-4fdb-8f01-93a3e71333b8
User Justification: I confirm the recipients are approved for sharing this content
Action Source: 
User Response: Confirmed

Check the Event log for your block message tests

At the top of the event log, you see the block message logged, which has an Event 303. For example:

Client Version: 2.8.85.0
Client Policy ID: e5287fe6-f82c-447e-bf44-6fa8ff146ef4
Item Full Path: Testing sending unlabeled PowerPoint files.msg
Item Name: Testing sending unlabeled PowerPoint files
Process Name: OUTLOOK
Action: Block
Label After Action: General
Label ID After Action: 0e421e6d-ea17-4fdb-8f01-93a3e71333b8
Action Source: 
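Reading these entries one at a time in Event Viewer does not scale past a test machine. The script below, added here as an example and not part of the tutorial, pulls events 301, 302 and 303 from the Azure Information Protection log with Get-WinEvent, parses the "Key: Value" lines shown above into objects, and summarizes how users responded, so that repeated Confirmed overrides of a warning stand out. It assumes the log name matches the Event Viewer path above and that event messages keep the field layout of the samples; the sample messages at the end are constructed so the parser runs without a client machine.

```powershell
# Added example, not part of the tutorial: summarize AIP Outlook pop-up events.
# Assumptions: log name 'Azure Information Protection' (Event Viewer path above);
# each event message is made of "Key: Value" lines as in the tutorial's samples.

function ConvertFrom-AipPopupEvent {
    param(
        [Parameter(Mandatory)][string]$Message,
        [int]$EventId,
        [datetime]$TimeCreated
    )
    $fields = @{}
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^\s*(?<key>[^:]+?)\s*:\s*(?<value>.*)$') {
            $fields[$Matches['key']] = $Matches['value'].Trim()
        }
    }
    [pscustomobject]@{
        TimeCreated   = $TimeCreated
        EventId       = $EventId
        Action        = $fields['Action']                # Warn / Justify / Block
        Item          = $fields['Item Name']
        LabelAfter    = $fields['Label After Action']
        UserResponse  = $fields['User Response']         # Dismissed / Confirmed; absent for Block
        Justification = $fields['User Justification']    # only present for Justify events
    }
}

function Get-AipPopupEvents {
    param([string]$LogName = 'Azure Information Protection', [int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 301, 302, 303 } `
                 -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            ConvertFrom-AipPopupEvent -Message $_.Message -EventId $_.Id -TimeCreated $_.TimeCreated
        }
}

function Get-AipPopupSummary {
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Group-Object Action, UserResponse |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Action / Response'; e = { $_.Name } }, Count
}

# Constructed sample messages (same field layout as the entries shown above); on a
# client machine replace this with: $events = Get-AipPopupEvents
$sampleMessages = @(
    @{ Id = 301; Message = "Process Name: OUTLOOK`r`nAction: Warn`r`nItem Name: Test 1`r`nLabel After Action: General`r`nUser Response: Dismissed" }
    @{ Id = 301; Message = "Process Name: OUTLOOK`r`nAction: Warn`r`nItem Name: Test 1`r`nLabel After Action: General`r`nUser Response: Confirmed" }
    @{ Id = 302; Message = "Process Name: OUTLOOK`r`nAction: Justify`r`nItem Name: Test 2`r`nUser Justification: I confirm the recipients are approved for sharing this content`r`nUser Response: Confirmed" }
    @{ Id = 303; Message = "Process Name: OUTLOOK`r`nAction: Block`r`nItem Name: Test 3`r`nLabel After Action: General" }
)
$events = $sampleMessages | ForEach-Object {
    ConvertFrom-AipPopupEvent -Message $_.Message -EventId $_.Id -TimeCreated (Get-Date)
}
Get-AipPopupSummary -Events $events | Format-Table -AutoSize
```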

Clean up resources

Once you're finished with this tutorial, you can keep the testing policy for further reference, or delete it to clean up your resources.

If you want to delete your policy, do so in the admin center where it was created: the Microsoft 365 compliance center, the Microsoft 365 security center, or the Microsoft 365 Security & Compliance Center.

For more information, see the Microsoft 365 documentation.

Once deleted, restart Outlook on the client machine so that it's no longer configured with the settings defined in this tutorial.

Next steps

For quicker testing, this tutorial used an email message to a single recipient, without attachments.

Apply the same methods with multiple recipients and labels, or to attachments, where labeling status is sometimes less obvious to users.

For example, you may want to have a popup message appear on email messages labeled Public that have a PowerPoint presentation attached that's labeled General.

For more information about advanced properties and Outlook customizations, see Admin Guide: Custom configurations for the Azure Information Protection unified labeling client.