Manage app permission policies in Microsoft Teams

As an admin, you can use app permission policies to control what apps are available to Microsoft Teams users in your organization. You can allow or block all apps or specific apps published by Microsoft, third parties, and your organization. When you block an app, users who have the policy are unable to install it from the Teams app store. You must be a global admin or Teams service admin to manage these policies.

You manage app permission policies in the Microsoft Teams admin center. You can use the global (Org-wide default) policy or create and assign custom policies. Users in your organization will automatically get the global policy unless you create and assign a custom policy. After you edit or assign a policy, it can take a few hours for changes to take effect.

Screenshot of app permission policies

Note

Org-wide app settings override the global policy and any custom policies that you create and assign to users.

If your organization is already on Teams, the app settings you configured in Tenant-wide settings in the Microsoft 365 admin center are reflected in org-wide app settings on the Manage apps page. If you're new to Teams and just getting started, by default, all apps are allowed in the global policy. This includes apps published by Microsoft, third parties, and your organization.

Say, for example, you want to block all third-party apps and allow specific apps from Microsoft for the HR team in your organization. First, you would go to the Manage apps page and make sure that the apps that you want to allow for the HR team are allowed at the org level. Then, create a custom policy named HR App Permission Policy, set it to block and allow the apps that you want, and assign it to users on the HR team.

Note

If you deployed Teams in a Microsoft 365 Government Community Cloud (GCC) environment, see Manage org-wide app settings for Microsoft 365 Government to learn more about third-party app settings that are unique to GCC.

Create a custom app permission policy

If you want to control the apps that are available for different groups of users in your organization, create and assign one or more custom app permission policies. You can create and assign separate custom policies based on whether apps are published by Microsoft, third parties, or your organization. It's important to know that after you create a custom policy, you can't change it if third-party apps are disabled in org-wide app settings.

  1. In the left navigation of the Microsoft Teams admin center, go to Teams apps > Permission policies.

  2. Click Add.
    Screenshot of new app permission policy

  3. Enter a name and description for the policy.

  4. Under Microsoft apps, Third-party apps, and Custom apps, select one of the following:

    • Allow all apps
    • Allow specific apps and block all others
    • Block specific apps and allow all others
    • Block all apps
  5. If you selected Allow specific apps and block others, add the apps that you want to allow:

    1. Select Allow apps.
    2. Search for the apps that you want to allow, and then click Add. The search results are filtered to the app publisher (Microsoft apps, Third-party apps, or Custom apps).
    3. When you've chosen the list of apps, click Allow.
  6. Similarly, if you selected Block specific apps and allow all others, search for and add the apps that you want to block, and then click Block.

  7. Click Save.

Edit an app permission policy

You can use the Microsoft Teams admin center to edit a policy, including the global policy and custom policies that you create.

  1. In the left navigation of the Microsoft Teams admin center, go to Teams apps > Permission policies.
  2. Select the policy by clicking to the left of the policy name, and then click Edit.
  3. From here, make the changes that you want. You can manage settings based on the app publisher and add and remove apps based on the allow/block setting.
  4. Click Save.

Assign a custom app permission policy to users

You can assign a policy directly to users, either individually or at scale through a batch assignment (if supported for the policy type), or to a group that the users are members of (if supported for the policy type).

To learn about the different ways that you can assign policies to users, see Assign policies to your users in Teams.

Manage org-wide app settings for Microsoft 365 Government

In a Microsoft 365 Government - GCC deployment of Teams, it's important to know the following about third-party app settings, which are unique to GCC.

In GCC, all third-party apps are blocked by default. Additionally, you'll see the following note about managing third-party apps on the app permission policies page in the Microsoft Teams admin center.

Screenshot of app permission policies in GCC

Use org-wide app settings to control whether users can install third-party apps. Org-wide app settings govern the behavior for all users and override any other app permission policies assigned to users. You can use them to control malicious or problematic apps.

  1. On the Permission policies page, select Org-wide app settings. You can then configure the settings you want in the panel.

    Screenshot of org-wide app settings

  2. Under Third-party apps, turn off or turn on these settings to control access to third-party apps:

    • Allow third-party apps: This controls whether users can use third-party apps. If you turn off this setting, your users won't be able to install or use any third-party apps. In a Microsoft 365 Government - GCC deployment of Teams, this setting is off by default.
    • Allow any new third-party apps published to the store by default: This controls whether new third-party apps that are published to the Teams app store become automatically available in Teams. You can only set this option if you allow third-party apps.
  3. Under Blocked apps, add the apps you want to block across your organization. In a Microsoft 365 Government - GCC deployment of Teams, all third-party apps are added to this list by default. For any third-party app you want to allow in your organization, remove the app from this blocked apps list. When you block an app org-wide, the app is automatically blocked for all your users, regardless of whether it's allowed in any app permission policies.

  4. Click Save for org-wide app settings to take effect.

As mentioned earlier, to allow third-party apps, you can either edit and use the global (Org-wide default) policy or create and assign custom policies.
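
The precedence described on this page (org-wide app settings first, then the user's assigned or global policy, then the per-publisher choice) can be modeled as a small decision function for reviewing a planned configuration. This is an added example, not Microsoft's code or API; the class names, app names and user address are constructed, and the fail-closed default for a missing publisher rule is an assumption of the model.

```python
from dataclasses import dataclass, field

# Publisher categories and the four per-publisher choices a policy offers.
PUBLISHERS = ("microsoft", "third_party", "custom")
ALLOW_ALL, ALLOW_SPECIFIC, BLOCK_SPECIFIC, BLOCK_ALL = (
    "allow_all", "allow_specific", "block_specific", "block_all")

@dataclass
class OrgWideSettings:              # hypothetical model of the org-wide panel
    allow_third_party: bool = True
    blocked_apps: set = field(default_factory=set)

@dataclass
class PermissionPolicy:             # hypothetical model of one policy
    name: str
    rules: dict                     # publisher -> (mode, set of app names)

def effective_policy(user, assignments, global_policy):
    """Users get the global policy unless a custom policy is assigned."""
    return assignments.get(user, global_policy)

def is_app_available(app, publisher, user, org, assignments, global_policy):
    """Return (allowed, reason). Org-wide settings override every policy."""
    if publisher not in PUBLISHERS:
        raise ValueError(f"unknown publisher: {publisher}")
    if app in org.blocked_apps:
        return False, "blocked org-wide"
    if publisher == "third_party" and not org.allow_third_party:
        return False, "third-party apps turned off org-wide"
    policy = effective_policy(user, assignments, global_policy)
    # Assumption of this model: a publisher with no rule is treated as blocked.
    mode, apps = policy.rules.get(publisher, (BLOCK_ALL, set()))
    if mode == ALLOW_ALL:
        allowed = True
    elif mode == ALLOW_SPECIFIC:
        allowed = app in apps
    elif mode == BLOCK_SPECIFIC:
        allowed = app not in apps
    else:
        allowed = False
    return allowed, f"{policy.name}: {mode}"

# Constructed sample data mirroring the HR example on this page.
GLOBAL = PermissionPolicy("Global", {p: (ALLOW_ALL, set()) for p in PUBLISHERS})
HR = PermissionPolicy("HR App Permission Policy", {
    "microsoft": (ALLOW_SPECIFIC, {"ms-app-a"}),
    "third_party": (BLOCK_ALL, set()),
    "custom": (ALLOW_ALL, set()),
})
ORG = OrgWideSettings(allow_third_party=True, blocked_apps={"blocked-app"})
ASSIGNMENTS = {"hr.user@example.com": HR}
```
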

FAQ

Working with app permission policies

What app interactions do permission policies affect?

Permission policies govern app usage by controlling installation, discovery, and interaction for end users. Admins can still manage apps in the Microsoft Teams admin center regardless of the permission policies assigned to them.

Can I control line of business (LOB) apps?

Yes, you can use app permission policies to control the rollout and distribution of custom (LOB) apps. You can create a custom policy or edit the global policy to allow or block custom apps based on the needs of your organization.

How do app permission policies relate to pinned apps and app setup policies?

You can use app setup policies together with app permission policies. Pre-pinned apps are selected from the set of enabled apps for a user. Additionally, if a user has an app permission policy that blocks an app in their app setup policy, that app won't appear in Teams.

Can I use app permission policies to restrict uploading custom apps?

You can use org-wide settings on the Manage apps page, or app setup policies to restrict uploading custom apps for your organization.

To restrict specific users from uploading custom apps, use custom app policies. To learn more, see Manage custom app policies and settings in Teams.

Does blocking an app apply to Teams mobile clients?

Yes, when you block an app, that app is blocked across all Teams clients.

User experience

What does a user experience when an app is blocked?

Users can't interact with a blocked app or its capabilities, such as bots, tabs, and messaging extensions. In a shared context, such as a team or group chat, bots can still send messages to all participants of that context. Teams indicates to the user when an app is blocked.

For example, when an app is blocked, users can't do any of the following:

  • Add the app personally or to a chat or team
  • Send messages to the app's bot
  • Perform button actions that send information back to the app, such as actionable messages
  • View the app's tab
  • Set up connectors to receive notifications
  • Use the app's messaging extension

The legacy portal allowed controlling apps at the organization level, which means when an app is blocked, it's blocked for all users in the organization. Blocking an app on the Manage apps page works exactly the same way.

For app permission policies assigned to specific users, if an app with bot or connector capability was allowed and then blocked, and if the app is then allowed only for some users in a shared context, members of a group chat or channel that don't have permission to that app can see the message history and messages that were posted by the bot or connector, but can't interact with it.

Admin settings for apps in Teams

Assign policies to your users in Teams