Policy recommendations for securing Teams chats, groups, and files

This article describes how to implement the recommended identity and device-access policies to protect Microsoft Teams chats, groups, and content such as files and calendars. This guidance builds on the common identity and device access policies, with additional information that is Teams-specific. Because Teams integrates with our other products, also see Policy recommendations for securing SharePoint sites and files and Policy recommendations for securing email.

These recommendations are based on three different tiers of security and protection for Teams that can be applied based on the granularity of your needs: baseline, sensitive, and highly regulated. You can learn more about these security tiers and the recommended policies referenced by these recommendations in the Identity and device access configurations.

More recommendations specific to Teams deployment are included in this article to cover specific authentication circumstances, including for users outside your organization. You will need to follow this guidance for a complete security experience.

Getting started with Teams before other dependent services

You don't need to enable dependent services to get started with Microsoft Teams. These services will all "just work." However, you do need to be prepared to manage the following service-related elements:

  • Microsoft 365 groups
  • SharePoint team sites
  • OneDrive for Business
  • Exchange mailboxes
  • Stream videos and Planner plans (if these services are enabled)

Updating common policies to include Teams

To protect chat, groups, and content in Teams, the following diagram illustrates which policies to update from the common identity and device access policies. For each policy to update, make sure that Teams and dependent services are included in the assignment of cloud apps.

Summary of policy updates for protecting access to Teams and its dependent services

These services are the dependent services to include in the assignment of cloud apps for Teams:

  • Microsoft Teams
  • SharePoint and OneDrive for Business
  • Exchange Online
  • Skype for Business Online
  • Microsoft Stream (meeting recordings)
  • Microsoft Planner (Planner tasks and plan data)

This table lists the policies that need to be revisited and links to each policy in the common identity and device access policies, which has the wider policy set for all Office applications.

| Protection level | Policies | Further information for Teams implementation |
| --- | --- | --- |
| Baseline | Require MFA when sign-in risk is medium or high | Be sure Teams and dependent services are included in the list of apps. Teams also has Guest Access and External Access rules to consider; you'll learn more about these rules later in this article. |
| | Block clients that don't support modern authentication | Include Teams and dependent services in the assignment of cloud apps. |
| | High risk users must change password | Forces Teams users to change their password when signing in if high-risk activity is detected for their account. Be sure Teams and dependent services are included in the list of apps. |
| | Apply APP data protection policies | Be sure Teams and dependent services are included in the list of apps. Update the policy for each platform (iOS, Android, Windows). |
| | Define device compliance policies | Include Teams and dependent services in this policy. |
| | Require compliant PCs | Include Teams and dependent services in this policy. |
| Sensitive | Require MFA when sign-in risk is low, medium or high | Teams also has Guest Access and External Access rules to consider; you'll learn more about these rules later in this article. Include Teams and dependent services in this policy. |
| | Require compliant PCs and mobile devices | Include Teams and dependent services in this policy. |
| Highly regulated | Always require MFA | Regardless of user identity, MFA will be used by your organization. Include Teams and dependent services in this policy. |
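Every row in the table repeats the same check: the policy's cloud-app assignment must cover Teams and its dependent services. The script below is an added example, not part of this article or of any Microsoft tool; it audits the policy objects that Microsoft Graph returns for `GET /identity/conditionalAccess/policies` and reports which required apps each enabled policy misses. It assumes the well-known first-party application IDs listed in `REQUIRED_APPS` (verify them against the service principals in your own tenant); the Microsoft Stream and Microsoft Planner IDs are left as placeholders, and the sample policies are constructed for offline use.

```python
"""Audit Conditional Access policies for Teams and dependent-service coverage.

Input: the "value" list returned by Microsoft Graph for
GET /identity/conditionalAccess/policies. The sample below is constructed
so the script runs offline; it is not real tenant data.
"""

# Well-known first-party cloud-app IDs (assumption: verify against the service
# principals in your tenant). Stream and Planner are placeholders to fill in.
REQUIRED_APPS = {
    "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe": "Microsoft Teams",
    "00000003-0000-0ff1-ce00-000000000000": "Office 365 SharePoint Online (SharePoint and OneDrive for Business)",
    "00000002-0000-0ff1-ce00-000000000000": "Office 365 Exchange Online",
    "00000004-0000-0ff1-ce00-000000000000": "Skype for Business Online",
    "<STREAM-APP-ID>": "Microsoft Stream",      # placeholder, look up in your tenant
    "<PLANNER-APP-ID>": "Microsoft Planner",    # placeholder, look up in your tenant
}

# Selector values accepted in includeApplications that cover every required
# app at once ("Office365" is the Office 365 app group, "All" is all cloud apps).
BROAD_SELECTORS = {"All", "Office365"}

# Constructed sample policies: one uses the Office 365 group, one lists only
# Teams and forgets the dependent services, one excludes Exchange from "All",
# and one is disabled and therefore ignored.
SAMPLE_POLICIES = [
    {
        "displayName": "Require MFA when sign-in risk is medium or high",
        "state": "enabled",
        "conditions": {"applications": {"includeApplications": ["Office365"],
                                        "excludeApplications": []}},
    },
    {
        "displayName": "Block clients that don't support modern authentication",
        "state": "enabled",
        "conditions": {"applications": {
            "includeApplications": ["cc15fd57-2c6c-4117-a88c-83b1d56b4bbe"],
            "excludeApplications": []}},
    },
    {
        "displayName": "Require compliant PCs",
        "state": "enabled",
        "conditions": {"applications": {
            "includeApplications": ["All"],
            "excludeApplications": ["00000002-0000-0ff1-ce00-000000000000"]}},
    },
    {
        "displayName": "Old pilot policy",
        "state": "disabled",
        "conditions": {"applications": {"includeApplications": [],
                                        "excludeApplications": []}},
    },
]


def missing_apps(policy):
    """Return the names of required apps that this policy's cloud-app assignment does not cover."""
    apps = policy.get("conditions", {}).get("applications", {})
    included = set(apps.get("includeApplications", []))
    excluded = set(apps.get("excludeApplications", []))
    if included & BROAD_SELECTORS:
        # A broad selector covers everything except explicit exclusions.
        covered = set(REQUIRED_APPS) - excluded
    else:
        covered = included - excluded
    return sorted(name for app_id, name in REQUIRED_APPS.items() if app_id not in covered)


def audit(policies):
    """Map each enabled policy's display name to its missing apps ([] means fully covered)."""
    return {p["displayName"]: missing_apps(p)
            for p in policies if p.get("state") == "enabled"}


if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_POLICIES).items():
        print(f"{name}: {'OK' if not gaps else 'MISSING ' + ', '.join(gaps)}")
```

The filter on `state == "enabled"` deliberately skips report-only policies; include `enabledForReportingButNotEnforced` if you also want to audit policies that are still being piloted. An exclusion on a broad selector is the case most easily missed in the portal, which is why the third sample policy exists.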

Teams dependent services architecture

For reference, the following diagram illustrates the services Teams relies on. For more information and illustrations, see Microsoft Teams and related productivity services in Microsoft 365 for IT architects.

Diagram showing Teams dependencies on SharePoint, OneDrive for Business, and Exchange


Guest and external access for Teams

Microsoft Teams defines the following access types:

  • Guest access uses an Azure AD B2B account for a guest or external user who can be added as a member of a team and has all permissioned access to the communication and resources of the team.

  • External access is for an external user who does not have an Azure AD B2B account. External access can include invitations to and participation in calls, chats, and meetings, but does not include team membership or access to the resources of the team.

Conditional Access policies only apply to guest access in Teams, because only guest access has a corresponding Azure AD B2B account.

For recommended policies to allow access for guest and external users with an Azure AD B2B account, see Policies for allowing guest and external B2B account access.

Guest access in Teams

In addition to the policies for users who are internal to your business or organization, administrators may enable guest access to allow, on a user-by-user basis, people who are external to your business or organization to access Teams resources and interact with internal people for things like group conversations, chat, and meetings.

For more information about guest access and how to implement it, see Teams guest access.

External access in Teams

External access is sometimes confused with guest access, so it's important to be clear that these two non-internal access mechanisms are different types of access.

External access is a way for Teams users from an entire external domain to find, call, chat, and set up meetings with your users in Teams. Teams administrators configure external access at the organization level. For more information, see Manage external access in Microsoft Teams.

External access users have less access and functionality than an individual who has been added via guest access. For example, external access users can chat with your internal users in Teams but cannot access team channels, files, or other resources.

External access does not use Azure AD B2B user accounts and therefore is not governed by Conditional Access policies.

Teams policies

Outside of the common policies listed above, there are Teams-specific policies that can and should be configured to manage various Teams functionalities.

Teams and channels policies

Teams and channels are two commonly used elements in Microsoft Teams, and there are policies you can put in place to control what users can and cannot do when using teams and channels. While you can create a global team if your organization has 5000 users or fewer, you are likely to find it helpful to have smaller teams and channels for specific purposes, in line with your organizational needs.

Changing the default policy or creating custom policies is recommended; you can learn more about managing your policies at Manage teams policies in Microsoft Teams.

Messaging policies

Messaging, or chat, can also be managed through the default global policy or through custom policies, which helps your users communicate with one another in a way that's appropriate for your organization. This information can be reviewed at Managing messaging policies in Teams.

Meeting policies

No discussion of Teams would be complete without planning and implementing policies around Teams meetings. Meetings are an essential component of Teams, allowing people to formally meet and present to many users at once, and to share content relevant to the meeting. Setting the right policies for your organization around meetings is essential.

For more information, review Manage meeting policies in Teams.

App permission policies

Teams also allows you to use apps in various places, such as channels or personal chats. Having policies around which apps can be added and used, and where, is essential to maintaining a content-rich environment that is also secure.

For more reading about app permission policies, see Manage app permission policies in Microsoft Teams.

Next steps

Step 4: Microsoft 365 cloud policies

Configure Conditional Access policies for: