Configure Teams with three tiers of protection

The articles in this series provide recommendations for configuring teams in Microsoft Teams and their associated SharePoint sites for file protection that balances security with ease of collaboration.

This article defines four different configurations, starting with a public team with the most open sharing policies. Each additional configuration represents a meaningful step up in protection, while the ability to access and collaborate on files stored within teams is narrowed to the relevant set of team members.

The configurations in this article align with Microsoft's recommendations for three tiers of protection for data, identities, and devices:

  • Baseline protection

  • Sensitive protection

  • Highly sensitive protection

For more information about these tiers and the capabilities recommended for each tier, see Microsoft cloud for enterprise architects illustrations.

Three tiers at a glance

The following table summarizes the configurations for each tier. Use these configurations as starting point recommendations and adjust them to meet the needs of your organization. You may not need every tier.

| | Baseline (Public) | Baseline (Private) | Sensitive | Highly sensitive |
|---|---|---|---|---|
| Private or public team | Public | Private | Private | Private |
| Who has access? | Everybody in the organization, including B2B users. | Only members of the team. Others can request access to the associated site. | Only members of the team. | Only members of the team. |
| Private channels | Owners and members can create private channels. | Owners and members can create private channels. | Only owners can create private channels. | Only owners can create private channels. |
| Site-level guest access | New and existing guests (default). | New and existing guests (default). | New and existing guests, or Only people in your organization, depending on team needs. | New and existing guests, or Only people in your organization, depending on team needs. |
| Site sharing settings | Site owners and members, and people with Edit permissions, can share files and folders, but only site owners can share the site. | Site owners and members, and people with Edit permissions, can share files and folders, but only site owners can share the site. | Site owners and members, and people with Edit permissions, can share files and folders, but only site owners can share the site. | Only site owners can share files, folders, and the site. |
| Access requests | Not applicable; everybody in the organization already has access. | On; others can request access to the site. | Off. | Off. |
| Site-level unmanaged device access | Full access from desktop apps, mobile apps, and the web (default). | Full access from desktop apps, mobile apps, and the web (default). | Allow limited, web-only access. | Block access. |
| Default sharing link type | Only people in your organization | Only people in your organization | Specific people | People with existing access |
| Sensitivity labels | None | None | Sensitivity label used to classify the team and control guest sharing and unmanaged device access. | Sensitivity label used to classify the team and control guest sharing and unmanaged device access. The label can also be used on files to encrypt them. |

Teams with security isolation is a variation of the Highly sensitive option that uses a unique sensitivity label for one team, which provides additional security. You can use this label to encrypt files so that only members of that team can read them.

Baseline protection includes public and private teams. Public teams can be discovered and accessed by anybody in the organization. Private teams can only be discovered and accessed by members of the team. Both of these configurations restrict sharing of the associated SharePoint site to team owners to assist in permissions management.

Teams for sensitive and highly sensitive protection are private teams in which sharing of, and access requests for, the associated site are limited, and sensitivity labels are used to set policies for guest sharing, device access, and content encryption.
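The site-level rows of the table (guest sharing, default link type, unmanaged device access, owner-only sharing) can be applied and verified per site with the SharePoint Online Management Shell. The script below is an added example and is not part of the original article or of Microsoft's own tooling; the tenant name, site URLs and the function names are placeholders, and the team's visibility (public or private), private-channel permissions and access-request setting are not covered here because they are set on the team and in the site's permissions page rather than through Set-SPOSite.

```powershell
# Added example, not part of the original article: apply the per-tier SharePoint
# site settings from the "Three tiers at a glance" table with the SharePoint Online
# Management Shell (module Microsoft.Online.SharePoint.PowerShell). Tenant and site
# URLs are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell

function Set-TeamSiteProtectionTier {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SiteUrl,
        [Parameter(Mandatory)] [ValidateSet('Baseline', 'Sensitive', 'HighlySensitive')] [string] $Tier,
        # For Sensitive and Highly sensitive the table leaves guest access to team needs;
        # keep this aligned with the guest setting of the sensitivity label on the team.
        [bool] $AllowGuests = $true
    )

    # "New and existing guests" vs "Only people in your organization". A site can never be
    # more permissive than the tenant-level sharing setting, so check Get-SPOTenant first.
    $guestSharing = if ($AllowGuests) { 'ExternalUserSharingOnly' } else { 'Disabled' }

    $settings = switch ($Tier) {
        'Baseline' {
            @{
                SharingCapability           = 'ExternalUserSharingOnly'  # new and existing guests (default)
                DefaultSharingLinkType      = 'Internal'                 # "Only people in your organization"
                DefaultLinkToExistingAccess = $false
                ConditionalAccessPolicy     = 'AllowFullAccess'          # unmanaged devices: full access (default)
            }
        }
        'Sensitive' {
            @{
                SharingCapability           = $guestSharing
                DefaultSharingLinkType      = 'Direct'                   # "Specific people"
                DefaultLinkToExistingAccess = $false
                ConditionalAccessPolicy     = 'AllowLimitedAccess'       # unmanaged devices: web-only
            }
        }
        'HighlySensitive' {
            @{
                SharingCapability           = $guestSharing
                DefaultLinkToExistingAccess = $true                      # "People with existing access"
                ConditionalAccessPolicy     = 'BlockAccess'              # unmanaged devices: blocked
            }
        }
    }

    if ($PSCmdlet.ShouldProcess($SiteUrl, "apply '$Tier' site settings")) {
        Set-SPOSite -Identity $SiteUrl @settings
        if ($Tier -eq 'HighlySensitive') {
            # "Only site owners can share files, folders, and the site." This switch only
            # disables; Set-SPOSite has no parameter to re-enable member sharing, which is
            # done from the site's sharing settings page instead.
            Set-SPOSite -Identity $SiteUrl -DisableSharingForNonOwners
        }
    }
}

# Read back the effective settings so the change can be verified now and re-checked
# later for drift, since site owners can change some of these values themselves.
function Get-TeamSiteProtectionReport {
    param([Parameter(Mandatory)] [string[]] $SiteUrl)
    foreach ($url in $SiteUrl) {
        Get-SPOSite -Identity $url |
            Select-Object Url, SharingCapability, DefaultSharingLinkType,
                          DefaultLinkToExistingAccess, ConditionalAccessPolicy, SensitivityLabel
    }
}

# Usage (placeholder tenant and site). Run with -WhatIf first to see what would change.
# Connect-SPOService -Url https://contoso-admin.sharepoint.com
# Set-TeamSiteProtectionTier -SiteUrl https://contoso.sharepoint.com/sites/ProjectFalcon -Tier HighlySensitive -AllowGuests $false -WhatIf
# Get-TeamSiteProtectionReport -SiteUrl https://contoso.sharepoint.com/sites/ProjectFalcon | Format-List
```

Running the report function over all team sites on a schedule is a cheap way to catch a site that has drifted away from its tier, for example a highly sensitive site whose conditional access setting was relaxed.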

Sensitivity labels

The sensitive and highly sensitive tiers use sensitivity labels to help secure the team and its files. To implement these tiers, you must enable sensitivity labels to protect content in Microsoft Teams, Office 365 groups, and SharePoint sites.

While the baseline tier does not require sensitivity labels, consider creating a "General" label and then requiring that all teams be labeled. This helps ensure that users make a conscious choice about sensitivity when they create a team. If you plan to deploy the sensitive or highly sensitive tiers, we recommend creating a "General" label that you can use for baseline teams and for files that are not sensitive.

If you're new to sensitivity labels, we recommend reading Get started with sensitivity labels.

If you have already rolled out sensitivity labels in your organization, consider how the labels used in the sensitive and highly sensitive tiers fit with your overall label strategy.

Sharing the SharePoint site

Each team has an associated SharePoint site where documents are stored. (This is the Files tab in a team's channel.) The SharePoint site retains its own permission management, but it is linked to team permissions: team owners are included as site owners and team members are included as site members in the associated site.

The resulting permissions allow:

  • Team owners to administer the site and have full control over the site contents.
  • Team members to create and edit files on the site.

By default, team owners and members can share the site itself with people outside the team without actually adding them to the team. We recommend against this because it complicates user management and can lead to people who are not team members having access to team files without team owners realizing it. To help prevent this, starting at the baseline level of protection, we recommend that only owners be allowed to share the site directly.

While teams do not have a read-only permission option, the SharePoint site does. If you have stakeholders in partner groups who need to view team files but not edit them, consider adding them directly to the SharePoint site with Read permissions.

Sharing files and folders

By default, both owners and members of the team can share files and folders with people outside the team. This may include people outside your organization, if you have allowed guest sharing. In all three tiers, we change the default sharing link type to help avoid accidental oversharing. In the highly sensitive tier, we restrict such sharing to team owners only.

Guest sharing

If you need to collaborate with people outside your organization, we recommend configuring SharePoint and OneDrive integration with Azure AD B2B for the best sharing and administration experience.

Teams guest sharing is off by default, though sharing for Office 365 groups (where team membership is stored) and SharePoint is on. We turn Teams guest sharing on in the baseline tier, and you can turn it off if needed in the sensitive and highly sensitive tiers by using a sensitivity label.

The sensitivity label only affects guest sharing for the team. Guest sharing settings for the associated SharePoint site are controlled separately, and we have you align the two settings for both the sensitive and highly sensitive tiers.

In the highly sensitive tier, we configure the sensitivity label to encrypt files to which it is applied. If you need guests to have access to these files, you must give them permissions when you create the label.
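The labels described in the Sensitivity labels section and the guest and encryption behaviour described in this section can be created together with Security & Compliance PowerShell. The script below is an added example, not code from the original article or from Microsoft; it assumes that sensitivity labels for groups and sites have already been enabled in the tenant (the prerequisite named above), and the label names, the group addresses in the rights definitions and the policy name are placeholders to replace with your own.

```powershell
# Added example, not part of the original article: create the "General", "Sensitive"
# and "Highly sensitive" labels used by the tiers with Security & Compliance PowerShell
# (ExchangeOnlineManagement module). Assumes labels for groups and sites are already
# enabled in the tenant. Names and addresses below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Labels apply to teams/groups and sites (containers) as well as to files and mail.
$labelScope = 'Site, UnifiedGroup, File, Email'

# "General": classifies only. Team creators still choose public or private, and the
# label carries no guest, device or encryption settings. Used for baseline teams and
# for files that are not sensitive.
New-Label -Name 'General' -DisplayName 'General' `
    -Tooltip 'Business data not meant for public consumption.' `
    -ContentType $labelScope `
    -SiteAndGroupProtectionEnabled $true `
    -SiteAndGroupProtectionPrivacy 'Unspecified'

# "Sensitive": labeled teams are private, guests are allowed (set to $false for a
# team that must stay internal), and unmanaged devices get limited, web-only access.
New-Label -Name 'Sensitive' -DisplayName 'Sensitive' `
    -Tooltip 'Private team; web-only access from unmanaged devices.' `
    -ContentType $labelScope `
    -SiteAndGroupProtectionEnabled $true `
    -SiteAndGroupProtectionPrivacy 'Private' `
    -SiteAndGroupProtectionAllowAccessToGuestUsers $true `
    -SiteAndGroupProtectionAllowEmailFromGuestUsers $false `
    -SiteAndGroupProtectionAllowLimitedAccess $true

# "Highly sensitive": private, no guests on the team, unmanaged devices blocked, and
# files carrying the label are encrypted. Only the identities named in the rights
# definitions can open the files, so a guest who must read them (here a partner
# group with VIEW only) has to be listed when the label is created.
New-Label -Name 'Highly sensitive' -DisplayName 'Highly sensitive' `
    -Tooltip 'Private team; encrypted files; no unmanaged device access.' `
    -ContentType $labelScope `
    -SiteAndGroupProtectionEnabled $true `
    -SiteAndGroupProtectionPrivacy 'Private' `
    -SiteAndGroupProtectionAllowAccessToGuestUsers $false `
    -SiteAndGroupProtectionAllowEmailFromGuestUsers $false `
    -SiteAndGroupProtectionBlockAccess $true `
    -EncryptionEnabled $true `
    -EncryptionProtectionType 'Template' `
    -EncryptionRightsDefinitions 'all-staff@contoso.com:VIEW,EDIT,DOCEDIT,PRINT,EXTRACT;partner-reviewers@fabrikam.com:VIEW' `
    -EncryptionOfflineAccessDays 30 `
    -EncryptionContentExpiredOnDateInDaysOrNever 'Never'

# Publish all three labels to everyone, then make a label mandatory for new teams
# and sites so that creating a team forces a conscious choice of tier.
New-LabelPolicy -Name 'Teams tiered protection' `
    -Labels 'General', 'Sensitive', 'Highly sensitive' `
    -ExchangeLocation All
Set-LabelPolicy -Identity 'Teams tiered protection' -AdvancedSettings @{ siteandgroupmandatory = 'true' }

# Check what was created before relying on it.
Get-Label | Where-Object { $_.Name -in 'General', 'Sensitive', 'Highly sensitive' } |
    Format-Table Name, DisplayName, ContentType, Priority
```

Two things to verify after running it: the guest setting on each label must match the site-level guest sharing you configure for that team (the label does not change the SharePoint site setting), and a label policy change can take some time to reach clients, so test on a new team rather than assuming the mandatory-label prompt appears immediately.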

We highly recommend that you leave guest sharing on for the baseline tier, and for the sensitive or highly sensitive tiers if you need to collaborate with people outside your organization. The guest sharing features in Microsoft 365 provide a much more secure and governable sharing experience than sending files as attachments in email messages. They also reduce the risk of shadow IT, where users turn to ungoverned consumer products to share with legitimate external collaborators.

See the following references to create a secure and productive guest sharing environment for your organization:

Access from unmanaged devices

For the sensitive and highly sensitive tiers, we restrict access to SharePoint content from unmanaged devices with sensitivity labels. Azure AD Conditional Access offers many more options for determining how people access Microsoft 365, including limitations based on location, risk, device compliance, and other factors. We recommend you read What is Conditional Access? and consider which additional policies might be appropriate for your organization.

Note that guests often don't have devices that are managed by your organization. If you allow guests in any of the tiers, consider what kinds of devices they'll be using to access teams and sites and set your unmanaged device policies accordingly.

Next step

Start by configuring the baseline level of protection. If needed, you can add sensitive protection and highly sensitive protection on top of the baseline.

See also

Security and compliance in Microsoft Teams

Alert policies in the security and compliance center