Microsoft 365：線上服務 使用 Azure Rights Management 服務的設定

使用下列各節可協助您設定 Exchange Online、Microsoft SharePoint 和 Microsoft OneDrive，以使用 Azure 資訊保護 的 Azure Rights Management 服務。

Exchange Online：IRM 組態

如需 Exchange Online 如何與 Azure Rights Management 服務搭配運作的資訊，請參閱如何支援 Azure Rights Management Office 應用程式 lications 和服務中的 Exchange Online 和 Exchange Server 一節。

Exchange Online 可能已經啟用以使用 Azure Rights Management 服務。 若要檢查，請執行下列命令：

1. 如果這是您第一次在計算機上使用 Windows PowerShell for Exchange Online，您必須將 Windows PowerShell 設定為執行已簽署的腳本。 使用 [ 以系統管理員 身分執行] 選項啟動您的 Windows PowerShell 會話，然後輸入：

   Set-ExecutionPolicy RemoteSigned
   

   按 Y 確認。

2. 在您的 Windows PowerShell 工作階段中，使用已啟用遠端 Shell 存取的帳戶登入 Exchange Online。 根據預設，在 Exchange Online 中建立的所有帳戶都會啟用遠端殼層存取，但可以使用 Set-User UserIdentity> -RemotePowerShellEnabled 命令來停用（並啟用）。<

   若要登入，請先輸入：

   Connect-ExchangeOnline
   

   然後，在 [ Windows PowerShell 認證要求 ] 對話框中，提供您的 Microsoft 365 使用者名稱和密碼。

3. 執行 Get-IRMConfiguration 命令，以檢視保護服務的 Exchange Online 組態：

   Get-IRMConfiguration
   

   從輸出中 ，找出 AzureRMSLicensingEnabled 值：

   • 如果 AzureRMSLicensingEnabled 設定為 True，則 Azure Rights Management 服務已經啟用 Exchange Online。

   • 如果 AzureRMSLicensingEnabled 設定 為 False，請執行下列命令以啟用 Azure Rights Management 服務的 Exchange Online： Set-IRMConfiguration -AzureRMSLicensingEnabled $true

4. 若要測試 Exchange Online 設定成功，請執行下列命令：

   Test-IRMConfiguration -Sender <user email address>
   

   例如： Test-IRMConfiguration -Sender adams@contoso.com

   此命令會執行一系列檢查，包括驗證服務的連線、擷取組態、擷取 URI、授權，以及任何範本。 在 Windows PowerShell 工作階段中，如果一切都通過下列檢查，您將會看到每個的結果，並在結尾看到：整體結果： PASS

啟用 Exchange Online 以使用 Azure Rights Management 服務時，您可以設定下列功能：

• 使用 郵件流程規則進行 Purview 郵件加密。

• 使用 數據外洩防護 （DLP） 原則進行加密。

• 使用 Outlook 網頁版、Mac、iOS 和 Android 加密的敏感度標籤。

• Exchange 中的自動套用標籤 原則，以將具有加密的敏感度標籤套用至郵件和 受保護的語音信箱 訊息。

Microsoft 365 和 OneDrive 中的 SharePoint：IRM 組態

如需 SharePoint IRM 如何與 Azure Rights Management 服務搭配運作的詳細資訊，請參閱本檔的 Rights Management 保護一節中的 SharePoint in Microsoft 365 和 SharePoint Server。

若要在 Microsoft 365 和 OneDrive 中設定 SharePoint 以支援 Azure Rights Management 服務，您必須先使用 SharePoint 系統管理中心啟用 SharePoint 的信息版權管理 （IRM） 服務。 然後，網站擁有者可以 IRM 保護其 SharePoint 清單和文檔庫，而且使用者可以保護其 OneDrive 文件庫，讓儲存在那裡並與其他人共用的檔，會自動受到 Azure Rights Management 服務的保護。

注意

Microsoft 365 和 OneDrive 中 SharePoint 受 IRM 保護的連結庫需要最新版的新 OneDrive 同步處理 用戶端 （OneDrive.exe），以及 Microsoft 下載中心的 RMS 用戶端版本。 即使您已安裝 Azure 資訊保護 用戶端，也請安裝此版本的 RMS 用戶端。 如需此部署案例的詳細資訊，請參閱在企業環境中部署新的 OneDrive 同步處理 用戶端。

若要啟用 SharePoint 的信息版權管理 （IRM） 服務，請參閱 Office 檔中的下列指示：

• 在 SharePoint 系統管理中心設定資訊版權管理 （IRM）

此設定是由 Microsoft 365 系統管理員完成。

設定連結庫和清單的 IRM

啟用 SharePoint 的 IRM 服務之後，網站擁有者可以保護其 SharePoint 文件庫和清單。 如需指示，請參閱 Office 網站的下列內容：

• 將資訊版權管理套用至清單或連結庫

此設定是由 SharePoint 網站管理員完成。

設定 OneDrive 的 IRM

啟用 SharePoint 的 IRM 服務之後，就可以為 Rights Management 保護設定使用者的 OneDrive 文檔庫或個別資料夾。 用戶可以使用其 OneDrive 網站自行設定此設定。 雖然系統管理員無法使用 SharePoint 系統管理中心為其設定此保護，但您可以使用 Windows PowerShell 來執行此動作。

注意

如需設定 OneDrive 的詳細資訊，請參閱 OneDrive 檔。

用戶的設定

提供下列指示，讓使用者可以設定 OneDrive 來保護其商務檔案。

1. 使用您的公司或學校帳戶登入 Microsoft 365，並移至 OneDrive 網站。

2. 在瀏覽窗格中，選取底部的 [返回傳統 OneDrive]。

3. 選取 設定 圖示。 在 [設定] 窗格中，如果功能區設定為 [關閉]，請選取此設定以開啟功能區。

4. 若要設定要保護的所有 OneDrive 檔案，請從功能區選取 [連結庫] 索引卷標，然後選取 [連結庫 設定]。

5. 在 [文件 > 設定] 頁面上的 [許可權和管理] 區段中，選取 [信息版權管理]。

6. 在 [信息版權管理 設定] 頁面上，選取 [下載時限制此連結庫的許可權] 複選框。 指定您選擇的名稱和許可權描述，並選擇性地按兩下 [顯示選項 ] 來設定選擇性組態，然後按兩下 [ 確定]。

由於此設定依賴使用者而非系統管理員來保護其 OneDrive 檔案，請教育使用者保護其檔案的優點，以及如何執行這項操作。 例如，說明當他們從 OneDrive 共用檔時，只有他們授權的人員可以使用他們設定的任何限制來存取它，即使檔案重新命名並複製到別處也一樣。

系統管理員的設定

雖然您無法使用 SharePoint 系統管理中心來設定使用者的 OneDrive IRM，但您可以使用 Windows PowerShell 來執行此動作。 若要啟用這些連結庫的 IRM，請遵循下列步驟：

1. 下載並安裝 SharePoint 用戶端元件 SDK。

2. 下載並安裝 SharePoint 管理命令介面。

3. 複製下列文稿的內容，並將電腦上的 Set-IRMOnOneDriveForBusiness.ps1 檔案命名為 。

   **免責聲明**：任何 Microsoft 標準支援計劃或服務都不支援此範例腳本。 此範例腳本提供 AS IS，不保證任何種類。

   # Requires Windows PowerShell version 3
   
   <#
     Description:
   
       Configures IRM policy settings for OneDrive and can also be used for SharePoint libraries and lists
   
    Script Installation Requirements:
   
      SharePoint Client Components SDK
      https://www.microsoft.com/download/details.aspx?id=42038
   
      SharePoint Management Shell
      https://www.microsoft.com/download/details.aspx?id=35588
   
   ======
   #>
   
   # URL will be in the format https://<tenant-name>-admin.sharepoint.com
   $sharepointAdminCenterUrl = "https://contoso-admin.sharepoint.com"
   
   $tenantAdmin = "admin@contoso.com"
   
   $webUrls = @("https://contoso-my.sharepoint.com/personal/user1_contoso_com",
                "https://contoso-my.sharepoint.com/personal/user2_contoso_com",
                "https://contoso-my.sharepoint.com/personal/user3_contoso_com")
   
   <# As an alternative to specifying the URLs as an array, you can import them from a CSV file (no header, single value per row).
      Then, use: $webUrls = Get-Content -Path "File_path_and_name.csv"
   
   #>
   
   $listTitle = "Documents"
   
   function Load-SharePointOnlineClientComponentAssemblies
   {
       [cmdletbinding()]
       param()
   
       process
       {
           # assembly location: C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\ISAPI
           try
           {
               Write-Verbose "Loading Assembly: Microsoft.Office.Client.Policy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
               [System.Reflection.Assembly]::Load("Microsoft.Office.Client.Policy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
   
               Write-Verbose "Loading Assembly: Microsoft.Office.Client.TranslationServices, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
               [System.Reflection.Assembly]::Load("Microsoft.Office.Client.TranslationServices, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
   
               Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
               [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
   
               Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.DocumentManagement, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
               [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.DocumentManagement, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
   
               Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Publishing, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
               [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Publishing, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
   
               Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Runtime, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
               [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Runtime, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
   
               Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Search.Applications, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
               [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Search.Applications, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
   
               Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Search, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
               [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Search, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
   
               Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Taxonomy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
               [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Taxonomy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
   
               Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.UserProfiles, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
               [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.UserProfiles, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
   
               return $true
           }
           catch
           {
               if($_.Exception.Message -match "Could not load file or assembly")
               {
                   Write-Error -Message "Unable to load the SharePoint Server 2013 Client Components.`nDownload Location: https://www.microsoft.com/download/details.aspx?id=42038"
               }
               else
               {
                   Write-Error -Exception $_.Exception
               }
               return $false
           }
       }
   }
   
   function Load-SharePointOnlineModule
   {
       [cmdletbinding()]
       param()
   
       process
       {
           do
           {
               # Installation location: C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell
               $spoModule = Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ErrorAction SilentlyContinue
   
               if(-not $spoModule)
               {
                   try
                   {
                       Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
                       return $true
                   }
                   catch
                   {
                       if($_.Exception.Message -match "Could not load file or assembly")
                       {
                           Write-Error -Message "Unable to load the SharePoint Online Management Shell.`nDownload Location: https://www.microsoft.com/download/details.aspx?id=35588"
                       }
                       else
                       {
                           Write-Error -Exception $_.Exception
                       }
                       return $false
                   }
               }
               else
               {
                   return $true
               }
           }
           while(-not $spoModule)
       }
   }
   
   function Set-IrmConfiguration
   {
       [cmdletbinding()]
       param(
           [parameter(Mandatory=$true)][Microsoft.SharePoint.Client.List]$List,
           [parameter(Mandatory=$true)][string]$PolicyTitle,
           [parameter(Mandatory=$true)][string]$PolicyDescription,
           [parameter(Mandatory=$false)][switch]$IrmReject,
           [parameter(Mandatory=$false)][DateTime]$ProtectionExpirationDate,
           [parameter(Mandatory=$false)][switch]$DisableDocumentBrowserView,
           [parameter(Mandatory=$false)][switch]$AllowPrint,
           [parameter(Mandatory=$false)][switch]$AllowScript,
           [parameter(Mandatory=$false)][switch]$AllowWriteCopy,
           [parameter(Mandatory=$false)][int]$DocumentAccessExpireDays,
           [parameter(Mandatory=$false)][int]$LicenseCacheExpireDays,
           [parameter(Mandatory=$false)][string]$GroupName
       )
   
       process
       {
           Write-Verbose "Applying IRM Configuration on '$($List.Title)'"
   
           # reset the value to the default settings
           $list.InformationRightsManagementSettings.Reset()
   
           $list.IrmEnabled = $true
   
           # IRM Policy title and description
   
               $list.InformationRightsManagementSettings.PolicyTitle       = $PolicyTitle
               $list.InformationRightsManagementSettings.PolicyDescription = $PolicyDescription
   
           # Set additional IRM library settings
   
               # Do not allow users to upload documents that do not support IRM
               $list.IrmReject = $IrmReject.IsPresent
   
               $parsedDate = Get-Date
               if([DateTime]::TryParse($ProtectionExpirationDate, [ref]$parsedDate))
               {
                   # Stop restricting access to the library at <date>
                   $list.IrmExpire = $true
                   $list.InformationRightsManagementSettings.DocumentLibraryProtectionExpireDate = $ProtectionExpirationDate
               }
   
               # Prevent opening documents in the browser for this Document Library
               $list.InformationRightsManagementSettings.DisableDocumentBrowserView = $DisableDocumentBrowserView.IsPresent
   
           # Configure document access rights
   
               # Allow viewers to print
               $list.InformationRightsManagementSettings.AllowPrint = $AllowPrint.IsPresent
   
               # Allow viewers to run script and screen reader to function on downloaded documents
               $list.InformationRightsManagementSettings.AllowScript = $AllowScript.IsPresent
   
               # Allow viewers to write on a copy of the downloaded document
               $list.InformationRightsManagementSettings.AllowWriteCopy = $AllowWriteCopy.IsPresent
   
               if($DocumentAccessExpireDays)
               {
                   # After download, document access rights will expire after these number of days (1-365)
                   $list.InformationRightsManagementSettings.EnableDocumentAccessExpire = $true
                   $list.InformationRightsManagementSettings.DocumentAccessExpireDays   = $DocumentAccessExpireDays
               }
   
           # Set group protection and credentials interval
   
               if($LicenseCacheExpireDays)
               {
                   # Users must verify their credentials using this interval (days)
                   $list.InformationRightsManagementSettings.EnableLicenseCacheExpire = $true
                   $list.InformationRightsManagementSettings.LicenseCacheExpireDays   = $LicenseCacheExpireDays
               }
   
               if($GroupName)
               {
                   # Allow group protection. Default group:
                   $list.InformationRightsManagementSettings.EnableGroupProtection = $true
                   $list.InformationRightsManagementSettings.GroupName             = $GroupName
               }
       }
       end
       {
           if($list)
           {
               Write-Verbose "Committing IRM configuration settings on '$($list.Title)'"
               $list.InformationRightsManagementSettings.Update()
               $list.Update()
               $script:clientContext.Load($list)
               $script:clientContext.ExecuteQuery()
           }
       }
   }
   
   function Get-CredentialFromCredentialCache
   {
       [cmdletbinding()]
       param([string]$CredentialName)
   
       #if( Test-Path variable:\global:CredentialCache )
       if( Get-Variable O365TenantAdminCredentialCache -Scope Global -ErrorAction SilentlyContinue )
       {
           if($global:O365TenantAdminCredentialCache.ContainsKey($CredentialName))
           {
               Write-Verbose "Credential Cache Hit: $CredentialName"
               return $global:O365TenantAdminCredentialCache[$CredentialName]
           }
       }
       Write-Verbose "Credential Cache Miss: $CredentialName"
       return $null
   }
   
   function Add-CredentialToCredentialCache
   {
       [cmdletbinding()]
       param([System.Management.Automation.PSCredential]$Credential)
   
       if(-not (Get-Variable CredentialCache -Scope Global -ErrorAction SilentlyContinue))
       {
           Write-Verbose "Initializing the Credential Cache"
           $global:O365TenantAdminCredentialCache = @{}
       }
   
       Write-Verbose "Adding Credential to the Credential Cache"
       $global:O365TenantAdminCredentialCache[$Credential.UserName] = $Credential
   }
   
   # load the required assemblies and Windows PowerShell modules
   
       if(-not ((Load-SharePointOnlineClientComponentAssemblies) -and (Load-SharePointOnlineModule)) ) { return }
   
   # Add the credentials to the client context and SharePoint service connection
   
       # check for cached credentials to use
       $o365TenantAdminCredential = Get-CredentialFromCredentialCache -CredentialName $tenantAdmin
   
       if(-not $o365TenantAdminCredential)
       {
           # when credentials are not cached, prompt for the tenant admin credentials
           $o365TenantAdminCredential = Get-Credential -UserName $tenantAdmin -Message "Enter the password for the Microsoft 365 admin"
   
           if(-not $o365TenantAdminCredential -or -not $o365TenantAdminCredential.UserName -or $o365TenantAdminCredential.Password.Length -eq 0 )
           {
               Write-Error -Message "Could not validate the supplied tenant admin credentials"
               return
           }
   
           # add the credentials to the cache
           Add-CredentialToCredentialCache -Credential $o365TenantAdminCredential
       }
   
   # connect to Office365 first, required for SharePoint cmdlets to run
   
       Connect-SPOService -Url $sharepointAdminCenterUrl -Credential $o365TenantAdminCredential
   
   # enumerate each of the specified site URLs
   
       foreach($webUrl in $webUrls)
       {
           $grantedSiteCollectionAdmin = $false
   
           try
           {
               # establish the client context and set the credentials to connect to the site
               $script:clientContext = New-Object Microsoft.SharePoint.Client.ClientContext($webUrl)
               $script:clientContext.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($o365TenantAdminCredential.UserName, $o365TenantAdminCredential.Password)
   
               # initialize the site and web context
               $script:clientContext.Load($script:clientContext.Site)
               $script:clientContext.Load($script:clientContext.Web)
               $script:clientContext.ExecuteQuery()
   
               # load and ensure the tenant admin user account if present on the target SharePoint site
               $tenantAdminUser = $script:clientContext.Web.EnsureUser($o365TenantAdminCredential.UserName)
               $script:clientContext.Load($tenantAdminUser)
               $script:clientContext.ExecuteQuery()
   
               # check if the tenant admin is a site admin
               if( -not $tenantAdminUser.IsSiteAdmin )
               {
                   try
                   {
                       # grant the tenant admin temporary admin rights to the site collection
                       Set-SPOUser -Site $script:clientContext.Site.Url -LoginName $o365TenantAdminCredential.UserName -IsSiteCollectionAdmin $true | Out-Null
                       $grantedSiteCollectionAdmin = $true
                   }
                   catch
                   {
                       Write-Error $_.Exception
                       return
                   }
               }
   
               try
               {
                   # load the list orlibrary using CSOM
   
                   $list = $null
                   $list = $script:clientContext.Web.Lists.GetByTitle($listTitle)
                   $script:clientContext.Load($list)
                   $script:clientContext.ExecuteQuery()
   
                   # **************  ADMIN INSTRUCTIONS  **************
                   # If necessary, modify the following Set-IrmConfiguration parameters to match your required values
                   # The supplied options and values are for example only
                   # Example that shows the Set-IrmConfiguration command with all parameters: Set-IrmConfiguration -List $list -PolicyTitle "Protected Files" -PolicyDescription "This policy restricts access to authorized users" -IrmReject -ProtectionExpirationDate $(Get-Date).AddDays(180) -DisableDocumentBrowserView -AllowPrint -AllowScript -AllowWriteCopy -LicenseCacheExpireDays 25 -DocumentAccessExpireDays 90
   
                   Set-IrmConfiguration -List $list -PolicyTitle "Protected Files" -PolicyDescription "This policy restricts access to authorized users"  
               }
               catch
               {
                   Write-Error -Message "Error setting IRM configuration on site: $webUrl.`nError Details: $($_.Exception.ToString())"
               }
          }
          finally
          {
               if($grantedSiteCollectionAdmin)
               {
                   # remove the temporary admin rights to the site collection
                   Set-SPOUser -Site $script:clientContext.Site.Url -LoginName $o365TenantAdminCredential.UserName -IsSiteCollectionAdmin $false | Out-Null
               }
          }
       }
   
   Disconnect-SPOService -ErrorAction SilentlyContinue
   

4. 檢閱文本並進行下列變更：

   1. $sharepointAdminCenterUrl搜尋並將範例值取代為您自己的 SharePoint 系統管理中心 URL。

      當您進入 SharePoint 系統管理中心時，您會發現此值為基底 URL，且其格式如下：https://< tenant_name-admin.sharepoint.com>

      例如，如果租用戶名稱是 「contoso」，則您會指定： https://contoso-admin.sharepoint.com

   2. $tenantAdmin搜尋並將範例值取代為您自己的 Microsoft 365 完整全域管理員帳戶。

      這個值與您用來以全域管理員身分登入 Microsoft 365 系統管理中心 相同，且格式如下：user_name@<租用戶功能變數名稱>.com

      例如，如果 「contoso.com」 租使用者網域的 Microsoft 365 全域管理員使用者名稱是 “admin”，您會指定： admin@contoso.com

   3. $webUrls搜尋並取代範例值與使用者的 OneDrive Web URL，視需要新增或刪除多個專案。

      或者，請參閱腳本中的批注，瞭解如何匯入 來取代這個陣列。CSV 檔案，其中包含您需要設定的所有 URL。 我們已提供另一個範例腳本，以自動搜尋並擷取 URL 以填入此 。CSV 檔案。 當您準備好執行此動作時，請使用 [其他腳本] 將所有 OneDrive URL 輸出至 。CSV 檔案 區段緊接在這些步驟之後。

      使用者的 OneDrive Web URL 的格式如下：https:// 租使用者名稱>-my.sharepoint.com/personal/<< user_name>_<tenant 名稱_com>

      例如，如果 contoso 租使用者中的使用者具有 「rsimone」 的使用者名稱，您會指定： https://contoso-my.sharepoint.com/personal/rsimone_contoso_com

   4. 因為我們使用腳本來設定 OneDrive，因此請勿變更變數的 Documents$listTitle 值。

   5. 搜尋 ADMIN INSTRUCTIONS。 如果您未對本節進行任何變更，則會針對 IRM 設定使用者的 OneDrive，其原則標題為「受保護的檔案」，以及「此原則會限制授權使用者的存取」的描述。 不會設定其他 IRM 選項，這可能適用於大多數環境。 不過，您可以變更建議的原則標題和描述，並新增適合您環境的任何其他 IRM 選項。 請參閱腳本中的批註範例，以協助您為 Set-IrmConfiguration 命令建構自己的參數集。

5. 儲存腳本並簽署。 如果您未簽署文本（更安全），則必須在計算機上設定Windows PowerShell 以執行未簽署的腳本。 若要這樣做，請使用 [以 管理員 istrator 執行] 選項執行 Windows PowerShell 會話，然後輸入：Set-ExecutionPolicy Unrestricted。 不過，此設定可讓所有未簽署的腳本執行 （較不安全）。

   如需簽署 Windows PowerShell 腳本的詳細資訊，請參閱 PowerShell 文檔庫中的about_Signing 。

6. 執行腳本，如果出現提示，請提供 Microsoft 365 系統管理員帳戶的密碼。 如果您修改文本並在相同的 Windows PowerShell 工作階段中執行，則不會提示您輸入認證。

提示

您也可以使用此腳本來設定 SharePoint 文件庫的 IRM。 針對此設定，您可能會想要啟用其他選項 [不允許使用者上傳不支援 IRM 的檔]，以確保文檔庫只包含受保護的檔。 若要這樣做，請將 -IrmReject 參數新增至腳本中的 Set-IrmConfiguration 命令。

您也需要修改 $webUrls 變數 （例如 https://contoso.sharepoint.com， ） 和 $listTitle 變數 （例如， $Reports）。

如果您需要停用使用者的 OneDrive 連結庫 IRM，請參閱 停用 OneDrive 的 IRM 腳本一節。

將所有 OneDrive URL 輸出至 的其他腳本。CSV 檔案

針對上述步驟 4c，您可以使用下列 Windows PowerShell 腳本來擷取所有使用者 OneDrive 連結庫的 URL，然後視需要檢查、編輯，然後匯入主要腳本。

此腳本也需要 SharePoint 用戶端元件 SDK 和 SharePoint 管理命令介面。 請遵循相同的指示來複製並貼上它、將檔案儲存在本機（例如“Report-OneDriveForBusinessSiteInfo.ps1”），修改 $sharepointAdminCenterUrl 和 $tenantAdmin 值，然後執行腳本。

**免責聲明**：任何 Microsoft 標準支援計劃或服務都不支援此範例腳本。 此範例腳本提供 AS IS，不保證任何種類。

# Requires Windows PowerShell version 3

<#
  Description:

    Queries the search service of a Microsoft 365 tenant to retrieve all OneDrive sites.  
    Details of the discovered sites are written to a .CSV file (by default,"OneDriveForBusinessSiteInfo_<date>.csv").

 Script Installation Requirements:

   SharePoint Client Components SDK
   https://www.microsoft.com/download/details.aspx?id=42038

   SharePoint Management Shell
   https://www.microsoft.com/download/details.aspx?id=35588

======
#>

# URL will be in the format https://<tenant-name>-admin.sharepoint.com
$sharepointAdminCenterUrl = "https://contoso-admin.sharepoint.com"

$tenantAdmin = "admin@contoso.onmicrosoft.com"                           

$reportName = "OneDriveForBusinessSiteInfo_$((Get-Date).ToString("yyyy-MM-dd_hh.mm.ss")).csv"

$oneDriveForBusinessSiteUrls= @()
$resultsProcessed = 0

function Load-SharePointOnlineClientComponentAssemblies
{
    [cmdletbinding()]
    param()

    process
    {
        # assembly location: C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\ISAPI
        try
        {
            Write-Verbose "Loading Assembly: Microsoft.Office.Client.Policy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.Office.Client.Policy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.Office.Client.TranslationServices, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.Office.Client.TranslationServices, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.DocumentManagement, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.DocumentManagement, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Publishing, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Publishing, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Runtime, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Runtime, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Search.Applications, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Search.Applications, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Search, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Search, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Taxonomy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Taxonomy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.UserProfiles, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.UserProfiles, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            return $true
        }
        catch
        {
            if($_.Exception.Message -match "Could not load file or assembly")
            {
                Write-Error -Message "Unable to load the SharePoint Server 2013 Client Components.`nDownload Location: https://www.microsoft.com/download/details.aspx?id=42038"
            }
            else
            {
                Write-Error -Exception $_.Exception
            }
            return $false
        }
    }
}

function Load-SharePointOnlineModule
{
    [cmdletbinding()]
    param()

    process
    {
        do
        {
            # Installation location: C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell
            $spoModule = Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ErrorAction SilentlyContinue

            if(-not $spoModule)
            {
                try
                {
                    Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
                    return $true
                }
                catch
                {
                    if($_.Exception.Message -match "Could not load file or assembly")
                    {
                        Write-Error -Message "Unable to load the SharePoint Online Management Shell.`nDownload Location: https://www.microsoft.com/download/details.aspx?id=35588"
                    }
                    else
                    {
                        Write-Error -Exception $_.Exception
                    }
                    return $false
                }
            }
            else
            {
                return $true
            }
        }
        while(-not $spoModule)
    }
}

function Get-CredentialFromCredentialCache
{
    [cmdletbinding()]
    param([string]$CredentialName)

    #if( Test-Path variable:\global:CredentialCache )
    if( Get-Variable O365TenantAdminCredentialCache -Scope Global -ErrorAction SilentlyContinue )
    {
        if($global:O365TenantAdminCredentialCache.ContainsKey($CredentialName))
        {
            Write-Verbose "Credential Cache Hit: $CredentialName"
            return $global:O365TenantAdminCredentialCache[$CredentialName]
        }
    }
    Write-Verbose "Credential Cache Miss: $CredentialName"
    return $null
}

function Add-CredentialToCredentialCache
{
    [cmdletbinding()]
    param([System.Management.Automation.PSCredential]$Credential)

    if(-not (Get-Variable CredentialCache -Scope Global -ErrorAction SilentlyContinue))
    {
        Write-Verbose "Initializing the Credential Cache"
        $global:O365TenantAdminCredentialCache = @{}
    }

    Write-Verbose "Adding Credential to the Credential Cache"
    $global:O365TenantAdminCredentialCache[$Credential.UserName] = $Credential
}

# load the required assemblies and Windows PowerShell modules

    if(-not ((Load-SharePointOnlineClientComponentAssemblies) -and (Load-SharePointOnlineModule)) ) { return }

# Add the credentials to the client context and SharePoint service connection

    # check for cached credentials to use
    $o365TenantAdminCredential = Get-CredentialFromCredentialCache -CredentialName $tenantAdmin

    if(-not $o365TenantAdminCredential)
    {
        # when credentials are not cached, prompt for the tenant admin credentials
        $o365TenantAdminCredential = Get-Credential -UserName $tenantAdmin -Message "Enter the password for the Office 365 admin"

        if(-not $o365TenantAdminCredential -or -not $o365TenantAdminCredential.UserName -or $o365TenantAdminCredential.Password.Length -eq 0 )
        {
            Write-Error -Message "Could not validate the supplied tenant admin credentials"
            return
        }

        # add the credentials to the cache
        Add-CredentialToCredentialCache -Credential $o365TenantAdminCredential
    }

# establish the client context and set the credentials to connect to the site

    $clientContext = New-Object Microsoft.SharePoint.Client.ClientContext($sharepointAdminCenterUrl)
    $clientContext.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($o365TenantAdminCredential.UserName, $o365TenantAdminCredential.Password)

# run a query against the Microsoft 365 tenant search service to retrieve all OneDrive URLs

    do
    {
        # build the query object
	    $query = New-Object Microsoft.SharePoint.Client.Search.Query.KeywordQuery($clientContext)
	    $query.TrimDuplicates        = $false
	    $query.RowLimit              = 500
	    $query.QueryText             = "SPSiteUrl:'/personal/' AND contentclass:STS_Site"
	    $query.StartRow              = $resultsProcessed
	    $query.TotalRowsExactMinimum = 500000

        # run the query
	    $searchExecutor = New-Object Microsoft.SharePoint.Client.Search.Query.SearchExecutor($clientContext)
	    $queryResults = $searchExecutor.ExecuteQuery($query)
	    $clientContext.ExecuteQuery()

        # enumerate the search results and store the site URLs
        $queryResults.Value[0].ResultRows | % {
            $oneDriveForBusinessSiteUrls += $_.Path
            $resultsProcessed++
        }
    }
    while($resultsProcessed -lt $queryResults.Value.TotalRows)

$oneDriveForBusinessSiteUrls | Out-File -FilePath $reportName

停用 OneDrive IRM 的腳本

如果您需要停用使用者的 OneDrive IRM，請使用下列範例腳本。

此腳本也需要 SharePoint 用戶端元件 SDK 和 SharePoint 管理命令介面。 複製並貼上內容、將檔案儲存在本機（例如“Disable-IRMOnOneDriveForBusiness.ps1”），並修改 $sharepointAdminCenterUrl 和 $tenantAdmin 值。 手動指定 OneDrive URL 或使用上一節中的腳本，以便匯入這些 URL，然後執行腳本。

**免責聲明**：任何 Microsoft 標準支援計劃或服務都不支援此範例腳本。 此範例腳本提供 AS IS，不保證任何種類。

# Requires Windows PowerShell version 3

<#
  Description:

    Disables IRM for OneDrive and can also be used for SharePoint libraries and lists

 Script Installation Requirements:

   SharePoint Client Components SDK
   https://www.microsoft.com/download/details.aspx?id=42038

   SharePoint Management Shell
   https://www.microsoft.com/download/details.aspx?id=35588

======
#>

$sharepointAdminCenterUrl = "https://contoso-admin.sharepoint.com"

$tenantAdmin = "admin@contoso.com"

$webUrls = @("https://contoso-my.sharepoint.com/personal/user1_contoso_com",
             "https://contoso-my.sharepoint.com/personal/user2_contoso_com",
             "https://contoso-my.sharepoint.com/personal/person3_contoso_com")

<# As an alternative to specifying the URLs as an array, you can import them from a CSV file (no header, single value per row).
   Then, use: $webUrls = Get-Content -Path "File_path_and_name.csv"

#>

$listTitle = "Documents"

function Load-SharePointOnlineClientComponentAssemblies
{
    [cmdletbinding()]
    param()

    process
    {
        # assembly location: C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\ISAPI
        try
        {
            Write-Verbose "Loading Assembly: Microsoft.Office.Client.Policy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.Office.Client.Policy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.Office.Client.TranslationServices, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.Office.Client.TranslationServices, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.DocumentManagement, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.DocumentManagement, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Publishing, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Publishing, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Runtime, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Runtime, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Search.Applications, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Search.Applications, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Search, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Search, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Taxonomy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Taxonomy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.UserProfiles, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.UserProfiles, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            return $true
        }
        catch
        {
            if($_.Exception.Message -match "Could not load file or assembly")
            {
                Write-Error -Message "Unable to load the SharePoint Server 2013 Client Components.`nDownload Location: https://www.microsoft.com/download/details.aspx?id=42038"
            }
            else
            {
                Write-Error -Exception $_.Exception
            }
            return $false
        }
    }
}

function Load-SharePointOnlineModule
{
    [cmdletbinding()]
    param()

    process
    {
        do
        {
            # Installation location: C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell
            $spoModule = Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ErrorAction SilentlyContinue

            if(-not $spoModule)
            {
                try
                {
                    Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
                    return $true
                }
                catch
                {
                    if($_.Exception.Message -match "Could not load file or assembly")
                    {
                        Write-Error -Message "Unable to load the SharePoint Online Management Shell.`nDownload Location: https://www.microsoft.com/download/details.aspx?id=35588"
                    }
                    else
                    {
                        Write-Error -Exception $_.Exception
                    }
                    return $false
                }
            }
            else
            {
                return $true
            }
        }
        while(-not $spoModule)
    }
}

function Remove-IrmConfiguration
{
    [cmdletbinding()]
    param(
        [parameter(Mandatory=$true)][Microsoft.SharePoint.Client.List]$List
    )

    process
    {
        Write-Verbose "Disabling IRM Configuration on '$($List.Title)'"

        $List.IrmEnabled = $false
        $List.IrmExpire  = $false
        $List.IrmReject  = $false
        $List.InformationRightsManagementSettings.Reset()
    }
    end
    {
        if($List)
        {
            Write-Verbose "Committing IRM configuration settings on '$($list.Title)'"
            $list.InformationRightsManagementSettings.Update()
            $list.Update()
            $script:clientContext.Load($list)
            $script:clientContext.ExecuteQuery()
        }
    }
}

function Get-CredentialFromCredentialCache
{
    [cmdletbinding()]
    param([string]$CredentialName)

    #if( Test-Path variable:\global:CredentialCache )
    if( Get-Variable O365TenantAdminCredentialCache -Scope Global -ErrorAction SilentlyContinue )
    {
        if($global:O365TenantAdminCredentialCache.ContainsKey($CredentialName))
        {
            Write-Verbose "Credential Cache Hit: $CredentialName"
            return $global:O365TenantAdminCredentialCache[$CredentialName]
        }
    }
    Write-Verbose "Credential Cache Miss: $CredentialName"
    return $null
}

function Add-CredentialToCredentialCache
{
    [cmdletbinding()]
    param([System.Management.Automation.PSCredential]$Credential)

    if(-not (Get-Variable CredentialCache -Scope Global -ErrorAction SilentlyContinue))
    {
        Write-Verbose "Initializing the Credential Cache"
        $global:O365TenantAdminCredentialCache = @{}
    }

    Write-Verbose "Adding Credential to the Credential Cache"
    $global:O365TenantAdminCredentialCache[$Credential.UserName] = $Credential
}

# load the required assemblies and Windows PowerShell modules

    if(-not ((Load-SharePointOnlineClientComponentAssemblies) -and (Load-SharePointOnlineModule)) ) { return }

# Add the credentials to the client context and SharePoint service connection

    # check for cached credentials to use
    $o365TenantAdminCredential = Get-CredentialFromCredentialCache -CredentialName $tenantAdmin

    if(-not $o365TenantAdminCredential)
    {
        # when credentials are not cached, prompt for the tenant admin credentials
        $o365TenantAdminCredential = Get-Credential -UserName $tenantAdmin -Message "Enter the password for the Office 365 admin"

        if(-not $o365TenantAdminCredential -or -not $o365TenantAdminCredential.UserName -or $o365TenantAdminCredential.Password.Length -eq 0 )
        {
            Write-Error -Message "Could not validate the supplied tenant admin credentials"
            return
        }

        # add the credentials to the cache
        Add-CredentialToCredentialCache -Credential $o365TenantAdminCredential
    }

# connect to Office365 first, required for SharePoint cmdlets to run

    Connect-SPOService -Url $sharepointAdminCenterUrl -Credential $o365TenantAdminCredential

# enumerate each of the specified site URLs

    foreach($webUrl in $webUrls)
    {
        $grantedSiteCollectionAdmin = $false

        try
        {
            # establish the client context and set the credentials to connect to the site
            $script:clientContext = New-Object Microsoft.SharePoint.Client.ClientContext($webUrl)
            $script:clientContext.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($o365TenantAdminCredential.UserName, $o365TenantAdminCredential.Password)

            # initialize the site and web context
            $script:clientContext.Load($script:clientContext.Site)
            $script:clientContext.Load($script:clientContext.Web)
            $script:clientContext.ExecuteQuery()

            # load and ensure the tenant admin user account if present on the target SharePoint site
            $tenantAdminUser = $script:clientContext.Web.EnsureUser($o365TenantAdminCredential.UserName)
            $script:clientContext.Load($tenantAdminUser)
            $script:clientContext.ExecuteQuery()

            # check if the tenant admin is a site admin
            if( -not $tenantAdminUser.IsSiteAdmin )
            {
                try
                {
                    # grant the tenant admin temporary admin rights to the site collection
                    Set-SPOUser -Site $script:clientContext.Site.Url -LoginName $o365TenantAdminCredential.UserName -IsSiteCollectionAdmin $true | Out-Null
                    $grantedSiteCollectionAdmin = $true
                }
                catch
                {
                    Write-Error $_.Exception
                    return
                }
            }

            try
            {
                # load the list orlibrary using CSOM

                $list = $null
                $list = $script:clientContext.Web.Lists.GetByTitle($listTitle)
                $script:clientContext.Load($list)
                $script:clientContext.ExecuteQuery()

               Remove-IrmConfiguration -List $list
            }
            catch
            {
                Write-Error -Message "Error setting IRM configuration on site: $webUrl.`nError Details: $($_.Exception.ToString())"
            }
       }
       finally
       {
            if($grantedSiteCollectionAdmin)
            {
                # remove the temporary admin rights to the site collection
                Set-SPOUser -Site $script:clientContext.Site.Url -LoginName $o365TenantAdminCredential.UserName -IsSiteCollectionAdmin $false | Out-Null
            }
       }
    }

Disconnect-SPOService -ErrorAction SilentlyContinue