Microsoft 365: Konfigurasi untuk layanan online menggunakan layanan Azure Rights Management
Gunakan bagian berikut untuk membantu Anda mengonfigurasi Exchange Online, Microsoft SharePoint, dan Microsoft OneDrive untuk menggunakan layanan Azure Rights Management dari Perlindungan Informasi Azure.
Exchange Online: Konfigurasi IRM
Untuk informasi tentang cara kerja Exchange Online dengan layanan Azure Rights Management, lihat bagian Exchange Online dan Server Exchange dari Cara aplikasi Office likasi dan layanan mendukung Azure Rights Management.
Exchange Online mungkin sudah diaktifkan untuk menggunakan layanan Azure Rights Management. Untuk memeriksanya, jalankan perintah berikut:
Jika ini pertama kalinya Anda menggunakan Windows PowerShell untuk Exchange Online di komputer, Anda harus mengonfigurasi Windows PowerShell untuk menjalankan skrip yang ditandatangani. Mulai sesi Windows PowerShell Anda dengan menggunakan opsi Jalankan sebagai administrator , lalu ketik:
Set-ExecutionPolicy RemoteSigned
Tekan Y untuk mengonfirmasi.
Di sesi Windows PowerShell Anda, masuk ke Exchange Online dengan menggunakan akun yang diaktifkan untuk akses Shell jarak jauh. Secara default, semua akun yang dibuat di Exchange Online diaktifkan untuk akses Shell jarak jauh tetapi ini dapat dinonaktifkan (dan diaktifkan) dengan menggunakan perintah Set-UserIdentity <> -RemotePowerShellEnabled.
Untuk masuk, ketik pertama:
Connect-ExchangeOnline
Kemudian, dalam kotak dialog permintaan kredensial Windows PowerShell, berikan nama pengguna dan kata sandi Microsoft 365 Anda.
Jalankan perintah Get-IRMConfiguration untuk menampilkan konfigurasi Exchange Online Anda untuk layanan perlindungan:
Get-IRMConfiguration
Dari output, temukan nilai AzureRMSLicensingEnabled :
Jika AzureRMSLicensingEnabled diatur ke True, Exchange Online sudah diaktifkan untuk layanan Azure Rights Management.
Jika AzureRMSLicensingEnabled diatur False, jalankan perintah berikut untuk mengaktifkan Exchange Online untuk layanan Azure Rights Management:
Set-IRMConfiguration -AzureRMSLicensingEnabled $true
Untuk menguji bahwa Exchange Online berhasil dikonfigurasi, jalankan perintah berikut:
Test-IRMConfiguration -Sender <user email address>
Misalnya: Test-IRMConfiguration -Sender adams@contoso.com
Perintah ini menjalankan serangkaian pemeriksaan yang mencakup verifikasi konektivitas ke layanan, mengambil konfigurasi, mengambil URI, lisensi, dan templat apa pun. Dalam sesi Windows PowerShell, Anda akan melihat hasil masing-masing dan di akhir, jika semuanya melewati pemeriksaan ini: HASIL KESELURUHAN: LULUS
Saat Exchange Online diaktifkan untuk menggunakan layanan Azure Rights Management, Anda bisa mengonfigurasi fitur berikut:
Enkripsi Pesan Purview menggunakan aturan alur email.
Enkripsi menggunakan kebijakan pencegahan kehilangan data (DLP).
Label sensitivitas dengan enkripsi menggunakan Outlook di Web, Mac, iOS, dan Android.
Kebijakan pelabelan otomatis di Exchange untuk menerapkan label sensitivitas dengan enkripsi ke email dan pesan pesan suara yang dilindungi.
SharePoint di Microsoft 365 dan OneDrive: Konfigurasi IRM
Untuk informasi tentang cara kerja SharePoint IRM dengan layanan Azure Rights Management, lihat SharePoint di Microsoft 365 dan SharePoint Server dari bagian perlindungan Manajemen Hak dari dokumentasi ini.
Untuk mengonfigurasi SharePoint di Microsoft 365 dan OneDrive untuk mendukung layanan Azure Rights Management, Anda harus terlebih dahulu mengaktifkan layanan manajemen hak informasi (IRM) untuk SharePoint dengan menggunakan pusat admin SharePoint. Kemudian, pemilik situs dapat memproteksi daftar SharePoint dan pustaka dokumen mereka, dan pengguna dapat melindungi pustaka OneDrive mereka secara IRM sehingga dokumen yang disimpan di sana, dan dibagikan dengan orang lain, secara otomatis dilindungi oleh layanan Manajemen Hak Azure.
Catatan
Pustaka yang dilindungi IRM untuk SharePoint di Microsoft 365 dan OneDrive memerlukan versi terbaru klien sinkronisasi OneDrive baru (OneDrive.exe), dan versi klien RMS dari Pusat Unduhan Microsoft. Instal versi klien RMS ini meskipun Anda telah menginstal klien Perlindungan Informasi Azure. Untuk informasi selengkapnya tentang skenario penyebaran ini, lihat Menyebarkan klien sinkronisasi OneDrive baru di lingkungan perusahaan.
Untuk mengaktifkan layanan manajemen hak informasi (IRM) untuk SharePoint, lihat instruksi berikut dari dokumentasi Office:
Konfigurasi ini dilakukan oleh administrator Microsoft 365.
Mengonfigurasi IRM untuk pustaka dan daftar
Setelah Anda mengaktifkan layanan IRM untuk SharePoint, pemilik situs bisa memproteksi pustaka dan daftar dokumen SharePoint mereka. Untuk petunjuknya, lihat hal berikut ini dari situs web Office:
Konfigurasi ini dilakukan oleh administrator situs SharePoint.
Mengonfigurasi IRM untuk OneDrive
Setelah Anda mengaktifkan layanan IRM untuk SharePoint, pustaka dokumen OneDrive pengguna atau folder individual kemudian dapat dikonfigurasi untuk perlindungan Manajemen Hak. Pengguna dapat mengonfigurasi ini sendiri dengan menggunakan situs web OneDrive mereka. Meskipun administrator tidak dapat mengonfigurasi perlindungan ini untuk mereka dengan menggunakan pusat admin SharePoint, Anda bisa melakukannya dengan menggunakan Windows PowerShell.
Catatan
Untuk informasi selengkapnya tentang mengonfigurasi OneDrive, lihat dokumentasi OneDrive .
Konfigurasi untuk pengguna
Beri pengguna instruksi berikut sehingga mereka bisa mengonfigurasi OneDrive mereka untuk melindungi file bisnis mereka.
Masuk ke Microsoft 365 dengan akun kerja atau sekolah Anda dan buka situs web OneDrive.
Di panel navigasi, di bagian bawah, pilih Kembali ke OneDrive klasik.
Pilih ikon Pengaturan. Di panel Pengaturan, jika Pita diatur ke Nonaktif, pilih pengaturan ini untuk mengaktifkan pita.
Untuk mengonfigurasi semua file OneDrive yang akan diproteksi, pilih tab PUSTAKA dari pita, lalu pilih Pustaka Pengaturan.
Pada halaman Pengaturan Dokumen > , di bagian Izin dan Manajemen, pilih Manajemen Hak Informasi.
Pada halaman Pengaturan Manajemen Hak Informasi, pilih kotak centang Batasi izin pada pustaka ini pada unduhan. Tentukan nama pilihan Anda dan deskripsi untuk izin, dan secara opsional, klik TAMPILKAN OPSI untuk mengonfigurasi konfigurasi opsional, lalu klik OK.
Karena konfigurasi ini bergantung pada pengguna daripada administrator untuk melindungi file OneDrive mereka IRM, mendidik pengguna tentang manfaat melindungi file mereka dan cara melakukan ini. Misalnya, jelaskan bahwa ketika mereka berbagi dokumen dari OneDrive, hanya orang yang mereka otorisasi yang dapat mengaksesnya dengan batasan apa pun yang mereka konfigurasi, bahkan jika file diganti namanya dan disalin di tempat lain.
Konfigurasi untuk administrator
Meskipun Anda tidak dapat mengonfigurasi IRM untuk OneDrive pengguna dengan menggunakan pusat admin SharePoint, Anda bisa melakukannya dengan menggunakan Windows PowerShell. Untuk mengaktifkan IRM untuk pustaka ini, ikuti langkah-langkah berikut:
Unduh dan instal SDK Komponen Klien SharePoint.
Unduh dan instal SharePoint Management Shell.
Salin konten skrip berikut dan beri nama file Set-IRMOnOneDriveForBusiness.ps1 di komputer Anda.
**Penafian**: Contoh skrip ini tidak didukung di bawah program atau layanan dukungan standar Microsoft apa pun. Contoh skrip ini disediakan AS IS tanpa jaminan apa pun.
# Requires Windows PowerShell version 3 <# Description: Configures IRM policy settings for OneDrive and can also be used for SharePoint libraries and lists Script Installation Requirements: SharePoint Client Components SDK https://www.microsoft.com/download/details.aspx?id=42038 SharePoint Management Shell https://www.microsoft.com/download/details.aspx?id=35588 ====== #> # URL will be in the format https://<tenant-name>-admin.sharepoint.com $sharepointAdminCenterUrl = "https://contoso-admin.sharepoint.com" $tenantAdmin = "admin@contoso.com" $webUrls = @("https://contoso-my.sharepoint.com/personal/user1_contoso_com", "https://contoso-my.sharepoint.com/personal/user2_contoso_com", "https://contoso-my.sharepoint.com/personal/user3_contoso_com") <# As an alternative to specifying the URLs as an array, you can import them from a CSV file (no header, single value per row). Then, use: $webUrls = Get-Content -Path "File_path_and_name.csv" #> $listTitle = "Documents" function Load-SharePointOnlineClientComponentAssemblies { [cmdletbinding()] param() process { # assembly location: C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\ISAPI try { Write-Verbose "Loading Assembly: Microsoft.Office.Client.Policy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" [System.Reflection.Assembly]::Load("Microsoft.Office.Client.Policy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null Write-Verbose "Loading Assembly: Microsoft.Office.Client.TranslationServices, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" [System.Reflection.Assembly]::Load("Microsoft.Office.Client.TranslationServices, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.DocumentManagement, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.DocumentManagement, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Publishing, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Publishing, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Runtime, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Runtime, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Search.Applications, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Search.Applications, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Search, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Search, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Taxonomy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Taxonomy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.UserProfiles, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.UserProfiles, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null return $true } catch { if($_.Exception.Message -match "Could not load file or assembly") { Write-Error -Message "Unable to load the SharePoint Server 2013 Client Components.`nDownload Location: https://www.microsoft.com/download/details.aspx?id=42038" } else { Write-Error -Exception $_.Exception } return $false } } } function Load-SharePointOnlineModule { [cmdletbinding()] param() process { do { # Installation location: C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell $spoModule = Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ErrorAction SilentlyContinue if(-not $spoModule) { try { Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking return $true } catch { if($_.Exception.Message -match "Could not load file or assembly") { Write-Error -Message "Unable to load the SharePoint Online Management Shell.`nDownload Location: https://www.microsoft.com/download/details.aspx?id=35588" } else { Write-Error -Exception $_.Exception } return $false } } else { return $true } } while(-not $spoModule) } } function Set-IrmConfiguration { [cmdletbinding()] param( [parameter(Mandatory=$true)][Microsoft.SharePoint.Client.List]$List, [parameter(Mandatory=$true)][string]$PolicyTitle, [parameter(Mandatory=$true)][string]$PolicyDescription, [parameter(Mandatory=$false)][switch]$IrmReject, [parameter(Mandatory=$false)][DateTime]$ProtectionExpirationDate, [parameter(Mandatory=$false)][switch]$DisableDocumentBrowserView, [parameter(Mandatory=$false)][switch]$AllowPrint, [parameter(Mandatory=$false)][switch]$AllowScript, [parameter(Mandatory=$false)][switch]$AllowWriteCopy, [parameter(Mandatory=$false)][int]$DocumentAccessExpireDays, [parameter(Mandatory=$false)][int]$LicenseCacheExpireDays, [parameter(Mandatory=$false)][string]$GroupName ) process { Write-Verbose "Applying IRM Configuration on '$($List.Title)'" # reset the value to the default settings $list.InformationRightsManagementSettings.Reset() $list.IrmEnabled = $true # IRM Policy title and description $list.InformationRightsManagementSettings.PolicyTitle = $PolicyTitle $list.InformationRightsManagementSettings.PolicyDescription = $PolicyDescription # Set additional IRM library settings # Do not allow users to upload documents that do not support IRM $list.IrmReject = $IrmReject.IsPresent $parsedDate = Get-Date if([DateTime]::TryParse($ProtectionExpirationDate, [ref]$parsedDate)) { # Stop restricting access to the library at <date> $list.IrmExpire = $true $list.InformationRightsManagementSettings.DocumentLibraryProtectionExpireDate = $ProtectionExpirationDate } # Prevent opening documents in the browser for this Document Library $list.InformationRightsManagementSettings.DisableDocumentBrowserView = $DisableDocumentBrowserView.IsPresent # Configure document access rights # Allow viewers to print $list.InformationRightsManagementSettings.AllowPrint = $AllowPrint.IsPresent # Allow viewers to run script and screen reader to function on downloaded documents $list.InformationRightsManagementSettings.AllowScript = $AllowScript.IsPresent # Allow viewers to write on a copy of the downloaded document $list.InformationRightsManagementSettings.AllowWriteCopy = $AllowWriteCopy.IsPresent if($DocumentAccessExpireDays) { # After download, document access rights will expire after these number of days (1-365) $list.InformationRightsManagementSettings.EnableDocumentAccessExpire = $true $list.InformationRightsManagementSettings.DocumentAccessExpireDays = $DocumentAccessExpireDays } # Set group protection and credentials interval if($LicenseCacheExpireDays) { # Users must verify their credentials using this interval (days) $list.InformationRightsManagementSettings.EnableLicenseCacheExpire = $true $list.InformationRightsManagementSettings.LicenseCacheExpireDays = $LicenseCacheExpireDays } if($GroupName) { # Allow group protection. Default group: $list.InformationRightsManagementSettings.EnableGroupProtection = $true $list.InformationRightsManagementSettings.GroupName = $GroupName } } end { if($list) { Write-Verbose "Committing IRM configuration settings on '$($list.Title)'" $list.InformationRightsManagementSettings.Update() $list.Update() $script:clientContext.Load($list) $script:clientContext.ExecuteQuery() } } } function Get-CredentialFromCredentialCache { [cmdletbinding()] param([string]$CredentialName) #if( Test-Path variable:\global:CredentialCache ) if( Get-Variable O365TenantAdminCredentialCache -Scope Global -ErrorAction SilentlyContinue ) { if($global:O365TenantAdminCredentialCache.ContainsKey($CredentialName)) { Write-Verbose "Credential Cache Hit: $CredentialName" return $global:O365TenantAdminCredentialCache[$CredentialName] } } Write-Verbose "Credential Cache Miss: $CredentialName" return $null } function Add-CredentialToCredentialCache { [cmdletbinding()] param([System.Management.Automation.PSCredential]$Credential) if(-not (Get-Variable CredentialCache -Scope Global -ErrorAction SilentlyContinue)) { Write-Verbose "Initializing the Credential Cache" $global:O365TenantAdminCredentialCache = @{} } Write-Verbose "Adding Credential to the Credential Cache" $global:O365TenantAdminCredentialCache[$Credential.UserName] = $Credential } # load the required assemblies and Windows PowerShell modules if(-not ((Load-SharePointOnlineClientComponentAssemblies) -and (Load-SharePointOnlineModule)) ) { return } # Add the credentials to the client context and SharePoint service connection # check for cached credentials to use $o365TenantAdminCredential = Get-CredentialFromCredentialCache -CredentialName $tenantAdmin if(-not $o365TenantAdminCredential) { # when credentials are not cached, prompt for the tenant admin credentials $o365TenantAdminCredential = Get-Credential -UserName $tenantAdmin -Message "Enter the password for the Microsoft 365 admin" if(-not $o365TenantAdminCredential -or -not $o365TenantAdminCredential.UserName -or $o365TenantAdminCredential.Password.Length -eq 0 ) { Write-Error -Message "Could not validate the supplied tenant admin credentials" return } # add the credentials to the cache Add-CredentialToCredentialCache -Credential $o365TenantAdminCredential } # connect to Office365 first, required for SharePoint cmdlets to run Connect-SPOService -Url $sharepointAdminCenterUrl -Credential $o365TenantAdminCredential # enumerate each of the specified site URLs foreach($webUrl in $webUrls) { $grantedSiteCollectionAdmin = $false try { # establish the client context and set the credentials to connect to the site $script:clientContext = New-Object Microsoft.SharePoint.Client.ClientContext($webUrl) $script:clientContext.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($o365TenantAdminCredential.UserName, $o365TenantAdminCredential.Password) # initialize the site and web context $script:clientContext.Load($script:clientContext.Site) $script:clientContext.Load($script:clientContext.Web) $script:clientContext.ExecuteQuery() # load and ensure the tenant admin user account if present on the target SharePoint site $tenantAdminUser = $script:clientContext.Web.EnsureUser($o365TenantAdminCredential.UserName) $script:clientContext.Load($tenantAdminUser) $script:clientContext.ExecuteQuery() # check if the tenant admin is a site admin if( -not $tenantAdminUser.IsSiteAdmin ) { try { # grant the tenant admin temporary admin rights to the site collection Set-SPOUser -Site $script:clientContext.Site.Url -LoginName $o365TenantAdminCredential.UserName -IsSiteCollectionAdmin $true | Out-Null $grantedSiteCollectionAdmin = $true } catch { Write-Error $_.Exception return } } try { # load the list orlibrary using CSOM $list = $null $list = $script:clientContext.Web.Lists.GetByTitle($listTitle) $script:clientContext.Load($list) $script:clientContext.ExecuteQuery() # ************** ADMIN INSTRUCTIONS ************** # If necessary, modify the following Set-IrmConfiguration parameters to match your required values # The supplied options and values are for example only # Example that shows the Set-IrmConfiguration command with all parameters: Set-IrmConfiguration -List $list -PolicyTitle "Protected Files" -PolicyDescription "This policy restricts access to authorized users" -IrmReject -ProtectionExpirationDate $(Get-Date).AddDays(180) -DisableDocumentBrowserView -AllowPrint -AllowScript -AllowWriteCopy -LicenseCacheExpireDays 25 -DocumentAccessExpireDays 90 Set-IrmConfiguration -List $list -PolicyTitle "Protected Files" -PolicyDescription "This policy restricts access to authorized users" } catch { Write-Error -Message "Error setting IRM configuration on site: $webUrl.`nError Details: $($_.Exception.ToString())" } } finally { if($grantedSiteCollectionAdmin) { # remove the temporary admin rights to the site collection Set-SPOUser -Site $script:clientContext.Site.Url -LoginName $o365TenantAdminCredential.UserName -IsSiteCollectionAdmin $false | Out-Null } } } Disconnect-SPOService -ErrorAction SilentlyContinue
Tinjau skrip dan buat perubahan berikut:
Cari
$sharepointAdminCenterUrl
dan ganti nilai contoh dengan URL pusat admin SharePoint Anda sendiri.Anda akan menemukan nilai ini sebagai URL dasar saat masuk ke pusat admin SharePoint, dan memiliki format berikut: https://< tenant_name-admin.sharepoint.com>
Misalnya, jika nama penyewa adalah "contoso", maka Anda akan menentukan: https://contoso-admin.sharepoint.com
Cari
$tenantAdmin
dan ganti nilai contoh dengan akun administrator global Anda sendiri yang sepenuhnya memenuhi syarat untuk Microsoft 365.Nilai ini sama dengan yang Anda gunakan untuk masuk ke pusat admin Microsoft 365 sebagai administrator global dan memiliki format berikut: nama> domain user_name@<tenant.com
Misalnya, jika nama pengguna administrator global Microsoft 365 adalah "admin" untuk domain penyewa "contoso.com", Anda akan menentukan: admin@contoso.com
Cari
$webUrls
dan ganti nilai contoh dengan URL web OneDrive pengguna Anda, menambahkan atau menghapus entri sebanyak yang Anda butuhkan.Atau, lihat komentar dalam skrip tentang cara mengganti array ini dengan mengimpor . File CSV yang berisi semua URL yang perlu Anda konfigurasi. Kami telah menyediakan contoh skrip lain untuk mencari dan mengekstrak URL secara otomatis untuk mengisi ini. File CSV. Saat Anda siap untuk melakukan ini, gunakan Skrip tambahan untuk menghasilkan semua URL OneDrive ke . Bagian file CSV segera setelah langkah-langkah ini.
URL web untuk OneDrive pengguna dalam format berikut: https://< nama-my.sharepoint.com/personal/<> user_name>_<tenant_com>
Misalnya, jika pengguna di penyewa contoso memiliki nama pengguna "rsimone", Anda akan menentukan: https://contoso-my.sharepoint.com/personal/rsimone_contoso_com
Karena kita menggunakan skrip untuk mengonfigurasi OneDrive, jangan ubah nilai Dokumen untuk variabel tersebut
$listTitle
.Cari
ADMIN INSTRUCTIONS
. Jika Anda tidak membuat perubahan pada bagian ini, OneDrive pengguna akan dikonfigurasi untuk IRM dengan judul kebijakan "File Terproteksi" dan deskripsi "Kebijakan ini membatasi akses ke pengguna yang berwenang". Tidak ada opsi IRM lain yang akan diatur, yang mungkin sesuai untuk sebagian besar lingkungan. Namun, Anda dapat mengubah judul dan deskripsi kebijakan yang disarankan, dan juga menambahkan opsi IRM lain yang sesuai untuk lingkungan Anda. Lihat contoh yang dikomentari dalam skrip untuk membantu Anda membuat sekumpulan parameter Anda sendiri untuk perintah Set-IrmConfiguration.
Simpan skrip dan tanda tangani. Jika Anda tidak menandatangani skrip (lebih aman), Windows PowerShell harus dikonfigurasi di komputer Anda untuk menjalankan skrip yang tidak ditandatangani. Untuk melakukan ini, jalankan sesi Windows PowerShell dengan opsi Jalankan sebagai Administrator , dan ketik: Set-ExecutionPolicy Unrestricted. Namun, konfigurasi ini memungkinkan semua skrip yang tidak ditandatangani berjalan (kurang aman).
Untuk informasi selengkapnya tentang menandatangani skrip Windows PowerShell, lihat about_Signing di pustaka dokumentasi PowerShell.
Jalankan skrip dan jika diminta, berikan kata sandi untuk akun admin Microsoft 365. Jika Anda mengubah skrip dan menjalankannya di sesi Windows PowerShell yang sama, Anda tidak akan dimintai kredensial.
Tip
Anda juga bisa menggunakan skrip ini untuk mengonfigurasi IRM untuk pustaka SharePoint. Untuk konfigurasi ini, Anda mungkin ingin mengaktifkan opsi tambahan Jangan izinkan pengguna mengunggah dokumen yang tidak mendukung IRM, untuk memastikan bahwa pustaka hanya berisi dokumen yang dilindungi. Untuk melakukannya, tambahkan -IrmReject
parameter ke perintah Set-IrmConfiguration dalam skrip.
Anda juga perlu memodifikasi $webUrls
variabel (misalnya, https://contoso.sharepoint.com) dan $listTitle
variabel (misalnya, $Reports).
Jika Anda perlu menonaktifkan IRM untuk pustaka OneDrive pengguna, lihat bagian Skrip untuk menonaktifkan IRM untuk OneDrive .
Skrip tambahan untuk menghasilkan semua URL OneDrive ke . File CSV
Untuk langkah 4c di atas, Anda dapat menggunakan skrip Windows PowerShell berikut untuk mengekstrak URL untuk pustaka OneDrive semua pengguna, yang kemudian dapat Anda periksa, edit jika perlu, lalu impor ke skrip utama.
Skrip ini juga memerlukan SDK Komponen Klien SharePoint dan SharePoint Management Shell. Ikuti instruksi yang sama untuk menyalin dan menempelkannya, simpan file secara lokal (misalnya, "Report-OneDriveForBusinessSiteInfo.ps1"), ubah $sharepointAdminCenterUrl
nilai dan $tenantAdmin
seperti sebelumnya, lalu jalankan skrip.
**Penafian**: Contoh skrip ini tidak didukung di bawah program atau layanan dukungan standar Microsoft apa pun. Contoh skrip ini disediakan AS IS tanpa jaminan apa pun.
# Requires Windows PowerShell version 3
<#
Description:
Queries the search service of a Microsoft 365 tenant to retrieve all OneDrive sites.
Details of the discovered sites are written to a .CSV file (by default,"OneDriveForBusinessSiteInfo_<date>.csv").
Script Installation Requirements:
SharePoint Client Components SDK
https://www.microsoft.com/download/details.aspx?id=42038
SharePoint Management Shell
https://www.microsoft.com/download/details.aspx?id=35588
======
#>
# URL will be in the format https://<tenant-name>-admin.sharepoint.com
$sharepointAdminCenterUrl = "https://contoso-admin.sharepoint.com"
$tenantAdmin = "admin@contoso.onmicrosoft.com"
$reportName = "OneDriveForBusinessSiteInfo_$((Get-Date).ToString("yyyy-MM-dd_hh.mm.ss")).csv"
$oneDriveForBusinessSiteUrls= @()
$resultsProcessed = 0
function Load-SharePointOnlineClientComponentAssemblies
{
[cmdletbinding()]
param()
process
{
# assembly location: C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\ISAPI
try
{
Write-Verbose "Loading Assembly: Microsoft.Office.Client.Policy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
[System.Reflection.Assembly]::Load("Microsoft.Office.Client.Policy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
Write-Verbose "Loading Assembly: Microsoft.Office.Client.TranslationServices, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
[System.Reflection.Assembly]::Load("Microsoft.Office.Client.TranslationServices, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
[System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.DocumentManagement, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
[System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.DocumentManagement, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Publishing, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
[System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Publishing, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Runtime, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
[System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Runtime, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Search.Applications, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
[System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Search.Applications, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Search, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
[System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Search, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Taxonomy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
[System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Taxonomy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.UserProfiles, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
[System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.UserProfiles, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
return $true
}
catch
{
if($_.Exception.Message -match "Could not load file or assembly")
{
Write-Error -Message "Unable to load the SharePoint Server 2013 Client Components.`nDownload Location: https://www.microsoft.com/download/details.aspx?id=42038"
}
else
{
Write-Error -Exception $_.Exception
}
return $false
}
}
}
function Load-SharePointOnlineModule
{
[cmdletbinding()]
param()
process
{
do
{
# Installation location: C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell
$spoModule = Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ErrorAction SilentlyContinue
if(-not $spoModule)
{
try
{
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
return $true
}
catch
{
if($_.Exception.Message -match "Could not load file or assembly")
{
Write-Error -Message "Unable to load the SharePoint Online Management Shell.`nDownload Location: https://www.microsoft.com/download/details.aspx?id=35588"
}
else
{
Write-Error -Exception $_.Exception
}
return $false
}
}
else
{
return $true
}
}
while(-not $spoModule)
}
}
function Get-CredentialFromCredentialCache
{
[cmdletbinding()]
param([string]$CredentialName)
#if( Test-Path variable:\global:CredentialCache )
if( Get-Variable O365TenantAdminCredentialCache -Scope Global -ErrorAction SilentlyContinue )
{
if($global:O365TenantAdminCredentialCache.ContainsKey($CredentialName))
{
Write-Verbose "Credential Cache Hit: $CredentialName"
return $global:O365TenantAdminCredentialCache[$CredentialName]
}
}
Write-Verbose "Credential Cache Miss: $CredentialName"
return $null
}
function Add-CredentialToCredentialCache
{
[cmdletbinding()]
param([System.Management.Automation.PSCredential]$Credential)
if(-not (Get-Variable CredentialCache -Scope Global -ErrorAction SilentlyContinue))
{
Write-Verbose "Initializing the Credential Cache"
$global:O365TenantAdminCredentialCache = @{}
}
Write-Verbose "Adding Credential to the Credential Cache"
$global:O365TenantAdminCredentialCache[$Credential.UserName] = $Credential
}
# load the required assemblies and Windows PowerShell modules
if(-not ((Load-SharePointOnlineClientComponentAssemblies) -and (Load-SharePointOnlineModule)) ) { return }
# Add the credentials to the client context and SharePoint service connection
# check for cached credentials to use
$o365TenantAdminCredential = Get-CredentialFromCredentialCache -CredentialName $tenantAdmin
if(-not $o365TenantAdminCredential)
{
# when credentials are not cached, prompt for the tenant admin credentials
$o365TenantAdminCredential = Get-Credential -UserName $tenantAdmin -Message "Enter the password for the Office 365 admin"
if(-not $o365TenantAdminCredential -or -not $o365TenantAdminCredential.UserName -or $o365TenantAdminCredential.Password.Length -eq 0 )
{
Write-Error -Message "Could not validate the supplied tenant admin credentials"
return
}
# add the credentials to the cache
Add-CredentialToCredentialCache -Credential $o365TenantAdminCredential
}
# establish the client context and set the credentials to connect to the site
$clientContext = New-Object Microsoft.SharePoint.Client.ClientContext($sharepointAdminCenterUrl)
$clientContext.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($o365TenantAdminCredential.UserName, $o365TenantAdminCredential.Password)
# run a query against the Microsoft 365 tenant search service to retrieve all OneDrive URLs
do
{
# build the query object
$query = New-Object Microsoft.SharePoint.Client.Search.Query.KeywordQuery($clientContext)
$query.TrimDuplicates = $false
$query.RowLimit = 500
$query.QueryText = "SPSiteUrl:'/personal/' AND contentclass:STS_Site"
$query.StartRow = $resultsProcessed
$query.TotalRowsExactMinimum = 500000
# run the query
$searchExecutor = New-Object Microsoft.SharePoint.Client.Search.Query.SearchExecutor($clientContext)
$queryResults = $searchExecutor.ExecuteQuery($query)
$clientContext.ExecuteQuery()
# enumerate the search results and store the site URLs
$queryResults.Value[0].ResultRows | % {
$oneDriveForBusinessSiteUrls += $_.Path
$resultsProcessed++
}
}
while($resultsProcessed -lt $queryResults.Value.TotalRows)
$oneDriveForBusinessSiteUrls | Out-File -FilePath $reportName
Skrip untuk menonaktifkan IRM untuk OneDrive
Gunakan contoh skrip berikut jika Anda perlu menonaktifkan IRM untuk OneDrive pengguna.
Skrip ini juga memerlukan SDK Komponen Klien SharePoint dan SharePoint Management Shell. Salin dan tempel konten, simpan file secara lokal (misalnya, "Disable-IRMOnOneDriveForBusiness.ps1"), dan ubah $sharepointAdminCenterUrl
nilai dan $tenantAdmin
. Tentukan URL OneDrive secara manual atau gunakan skrip di bagian sebelumnya sehingga Anda dapat mengimpornya, lalu menjalankan skrip.
**Penafian**: Contoh skrip ini tidak didukung di bawah program atau layanan dukungan standar Microsoft apa pun. Contoh skrip ini disediakan AS IS tanpa jaminan apa pun.
# Requires Windows PowerShell version 3
<#
Description:
Disables IRM for OneDrive and can also be used for SharePoint libraries and lists
Script Installation Requirements:
SharePoint Client Components SDK
https://www.microsoft.com/download/details.aspx?id=42038
SharePoint Management Shell
https://www.microsoft.com/download/details.aspx?id=35588
======
#>
$sharepointAdminCenterUrl = "https://contoso-admin.sharepoint.com"
$tenantAdmin = "admin@contoso.com"
$webUrls = @("https://contoso-my.sharepoint.com/personal/user1_contoso_com",
"https://contoso-my.sharepoint.com/personal/user2_contoso_com",
"https://contoso-my.sharepoint.com/personal/person3_contoso_com")
<# As an alternative to specifying the URLs as an array, you can import them from a CSV file (no header, single value per row).
Then, use: $webUrls = Get-Content -Path "File_path_and_name.csv"
#>
$listTitle = "Documents"
function Load-SharePointOnlineClientComponentAssemblies
{
[cmdletbinding()]
param()
process
{
# assembly location: C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\ISAPI
try
{
Write-Verbose "Loading Assembly: Microsoft.Office.Client.Policy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
[System.Reflection.Assembly]::Load("Microsoft.Office.Client.Policy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
Write-Verbose "Loading Assembly: Microsoft.Office.Client.TranslationServices, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
[System.Reflection.Assembly]::Load("Microsoft.Office.Client.TranslationServices, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
[System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.DocumentManagement, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
[System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.DocumentManagement, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Publishing, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
[System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Publishing, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Runtime, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
[System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Runtime, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Search.Applications, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
[System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Search.Applications, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Search, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
[System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Search, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Taxonomy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
[System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Taxonomy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.UserProfiles, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
[System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.UserProfiles, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
return $true
}
catch
{
if($_.Exception.Message -match "Could not load file or assembly")
{
Write-Error -Message "Unable to load the SharePoint Server 2013 Client Components.`nDownload Location: https://www.microsoft.com/download/details.aspx?id=42038"
}
else
{
Write-Error -Exception $_.Exception
}
return $false
}
}
}
function Load-SharePointOnlineModule
{
[cmdletbinding()]
param()
process
{
do
{
# Installation location: C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell
$spoModule = Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ErrorAction SilentlyContinue
if(-not $spoModule)
{
try
{
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
return $true
}
catch
{
if($_.Exception.Message -match "Could not load file or assembly")
{
Write-Error -Message "Unable to load the SharePoint Online Management Shell.`nDownload Location: https://www.microsoft.com/download/details.aspx?id=35588"
}
else
{
Write-Error -Exception $_.Exception
}
return $false
}
}
else
{
return $true
}
}
while(-not $spoModule)
}
}
function Remove-IrmConfiguration
{
[cmdletbinding()]
param(
[parameter(Mandatory=$true)][Microsoft.SharePoint.Client.List]$List
)
process
{
Write-Verbose "Disabling IRM Configuration on '$($List.Title)'"
$List.IrmEnabled = $false
$List.IrmExpire = $false
$List.IrmReject = $false
$List.InformationRightsManagementSettings.Reset()
}
end
{
if($List)
{
Write-Verbose "Committing IRM configuration settings on '$($list.Title)'"
$list.InformationRightsManagementSettings.Update()
$list.Update()
$script:clientContext.Load($list)
$script:clientContext.ExecuteQuery()
}
}
}
function Get-CredentialFromCredentialCache
{
[cmdletbinding()]
param([string]$CredentialName)
#if( Test-Path variable:\global:CredentialCache )
if( Get-Variable O365TenantAdminCredentialCache -Scope Global -ErrorAction SilentlyContinue )
{
if($global:O365TenantAdminCredentialCache.ContainsKey($CredentialName))
{
Write-Verbose "Credential Cache Hit: $CredentialName"
return $global:O365TenantAdminCredentialCache[$CredentialName]
}
}
Write-Verbose "Credential Cache Miss: $CredentialName"
return $null
}
function Add-CredentialToCredentialCache
{
[cmdletbinding()]
param([System.Management.Automation.PSCredential]$Credential)
if(-not (Get-Variable CredentialCache -Scope Global -ErrorAction SilentlyContinue))
{
Write-Verbose "Initializing the Credential Cache"
$global:O365TenantAdminCredentialCache = @{}
}
Write-Verbose "Adding Credential to the Credential Cache"
$global:O365TenantAdminCredentialCache[$Credential.UserName] = $Credential
}
# load the required assemblies and Windows PowerShell modules
if(-not ((Load-SharePointOnlineClientComponentAssemblies) -and (Load-SharePointOnlineModule)) ) { return }
# Add the credentials to the client context and SharePoint service connection
# check for cached credentials to use
$o365TenantAdminCredential = Get-CredentialFromCredentialCache -CredentialName $tenantAdmin
if(-not $o365TenantAdminCredential)
{
# when credentials are not cached, prompt for the tenant admin credentials
$o365TenantAdminCredential = Get-Credential -UserName $tenantAdmin -Message "Enter the password for the Office 365 admin"
if(-not $o365TenantAdminCredential -or -not $o365TenantAdminCredential.UserName -or $o365TenantAdminCredential.Password.Length -eq 0 )
{
Write-Error -Message "Could not validate the supplied tenant admin credentials"
return
}
# add the credentials to the cache
Add-CredentialToCredentialCache -Credential $o365TenantAdminCredential
}
# connect to Office365 first, required for SharePoint cmdlets to run
Connect-SPOService -Url $sharepointAdminCenterUrl -Credential $o365TenantAdminCredential
# enumerate each of the specified site URLs
foreach($webUrl in $webUrls)
{
$grantedSiteCollectionAdmin = $false
try
{
# establish the client context and set the credentials to connect to the site
$script:clientContext = New-Object Microsoft.SharePoint.Client.ClientContext($webUrl)
$script:clientContext.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($o365TenantAdminCredential.UserName, $o365TenantAdminCredential.Password)
# initialize the site and web context
$script:clientContext.Load($script:clientContext.Site)
$script:clientContext.Load($script:clientContext.Web)
$script:clientContext.ExecuteQuery()
# load and ensure the tenant admin user account if present on the target SharePoint site
$tenantAdminUser = $script:clientContext.Web.EnsureUser($o365TenantAdminCredential.UserName)
$script:clientContext.Load($tenantAdminUser)
$script:clientContext.ExecuteQuery()
# check if the tenant admin is a site admin
if( -not $tenantAdminUser.IsSiteAdmin )
{
try
{
# grant the tenant admin temporary admin rights to the site collection
Set-SPOUser -Site $script:clientContext.Site.Url -LoginName $o365TenantAdminCredential.UserName -IsSiteCollectionAdmin $true | Out-Null
$grantedSiteCollectionAdmin = $true
}
catch
{
Write-Error $_.Exception
return
}
}
try
{
# load the list orlibrary using CSOM
$list = $null
$list = $script:clientContext.Web.Lists.GetByTitle($listTitle)
$script:clientContext.Load($list)
$script:clientContext.ExecuteQuery()
Remove-IrmConfiguration -List $list
}
catch
{
Write-Error -Message "Error setting IRM configuration on site: $webUrl.`nError Details: $($_.Exception.ToString())"
}
}
finally
{
if($grantedSiteCollectionAdmin)
{
# remove the temporary admin rights to the site collection
Set-SPOUser -Site $script:clientContext.Site.Url -LoginName $o365TenantAdminCredential.UserName -IsSiteCollectionAdmin $false | Out-Null
}
}
}
Disconnect-SPOService -ErrorAction SilentlyContinue
Saran dan Komentar
https://aka.ms/ContentUserFeedback.
Segera hadir: Sepanjang tahun 2024 kami akan menghentikan penggunaan GitHub Issues sebagai mekanisme umpan balik untuk konten dan menggantinya dengan sistem umpan balik baru. Untuk mengetahui informasi selengkapnya, lihat:Kirim dan lihat umpan balik untuk