Overview of the Office cloud policy service for Microsoft 365 Apps for enterprise

The Office cloud policy service lets you enforce policy settings for Microsoft 365 Apps for enterprise (previously named Office 365 ProPlus) on a user's device, even if the device isn't domain joined or otherwise managed. When a user signs into Microsoft 365 Apps for enterprise on a device, the policy settings roam to that device. You can also enforce some policy settings for Office for the web, both for users who are signed in and for users who access documents anonymously.

The Office cloud policy service is part of a portal for managing Microsoft 365 Apps for enterprise. The service includes many of the same user-based policy settings that are available in Group Policy. You can also use the Office cloud policy service directly in the Microsoft Endpoint Manager admin center.

When you create policy configurations, you can review and apply policies that are recommended by Microsoft as security baseline policies. These recommendations are marked as "Security Baseline" when selecting policies. You can also use Security Policy Advisor to receive and implement security policy recommendations. These recommendations are based on Microsoft best practices and information about your existing environment. For more information, see Overview of Security Policy Advisor.

Requirements for using the Office cloud policy service

The following are the requirements for using the Office cloud policy service with Microsoft 365 Apps for enterprise:

  • At least Version 1808 of Microsoft 365 Apps for enterprise.
  • User accounts created in or synchronized to Azure Active Directory (AAD). The user must be signed into Microsoft 365 Apps for enterprise with an AAD-based account.
  • Office cloud policy service supports security groups and mail-enabled security groups created in Azure AD. The membership type can be either Dynamic or Assigned.
  • To create a policy configuration, you must be assigned one of the following roles in Azure Active Directory (AAD): Global Administrator, Security Administrator, or Office Apps Admin.

Important

  • The Office cloud policy service isn't available to customers who have the following plans: Office 365 operated by 21Vianet, Office 365 Germany, Office 365 GCC, or Office 365 GCC High and DoD.
  • A policy configuration can't be applied to other commercial versions of Office that use Click-to-Run, such as Office Professional Plus 2019 or Office Standard 2019.
  • You can create a policy configuration for Microsoft 365 Apps for business, but only policy settings related to privacy controls are supported. For more information, see Use policy settings to manage privacy controls for Microsoft 365 Apps for enterprise.

Steps for creating a policy configuration

The following are the basic steps for creating a policy configuration.

  1. Sign into the portal, review the terms, and then choose Accept.
  2. Under Customization, choose Policy Management.
  3. On the Policy configurations page, choose Create.
  4. On the Create policy configuration page, do the following:
    • Enter a name.
    • Provide a description (optional).
    • In assignments, choose whether this policy applies to all users of Microsoft 365 Apps for enterprise, or just to users who anonymously access documents using Office for the web.
    • Select the AAD-based security group that is assigned to the policy configuration. Each policy configuration can only be assigned to one group, and each group can only be assigned one policy configuration.
    • Configure the policy settings to be included in the policy configuration. You can search on the policy setting name to find the policy setting that you want to configure. You can also filter on the application, on whether the policy is a recommended security baseline, and on whether the policy has been configured. The platform column indicates whether the policy is applied to Microsoft 365 Apps for enterprise for Windows devices, Office for the web, or all.
  5. After you've made your selections, choose Create.

To change a policy configuration, select the policy configuration on the Policy configurations page, and then choose Edit. Make the appropriate changes and then choose Save. You can find the configured policies by filtering on status.

If you want to create a new policy configuration that is similar to an existing policy configuration, select the existing policy configuration on the Policy configurations page, and then choose Copy from. Make the appropriate changes and then choose Save.

Managing policy configurations

The health of each policy configuration, including whether the policy has been applied to the client devices in the group, is shown on the Policy configurations page. To see more details about any errors, you can click the health status for a policy configuration.

To see which policies are configured when you are editing a policy configuration, choose Status, and then choose Configured. You can also filter by application.

To change the priority order for the policy configurations, click Reorder priority on the Policy configurations page.

How the policy configuration is applied

The Click-to-Run service used by Microsoft 365 Apps for enterprise checks with the Office cloud policy service on a regular basis to see if there are any policy configurations that pertain to the user. If there are, then the appropriate policy settings are applied and take effect the next time the user opens the Office app, such as Word or Excel.

For example, when a user signs into Office on a device for the first time, a check is immediately made to see if there is a policy configuration that pertains to the user. If the user isn't a member of an AAD group that is assigned a policy configuration, then another check is made in 24 hours. If the user is a member of an AAD group that is assigned a policy configuration, then the appropriate policy settings are applied and a check is made again in 90 minutes. In the event of an error, a check is made when the user opens an Office app, such as Word or Excel. If no Office apps are running when the next check is scheduled, then the check will be made the next time the user opens an Office app.

Note

Policies from the Office cloud policy service are applied only when the Office app is restarted. The behavior is the same as with Group Policy. For Windows devices, policies are enforced based on the primary user that is signed into Microsoft 365 Apps for enterprise. If there are multiple accounts signed in, only policies for the primary account are applied. If the primary account is switched, most of the policies assigned to that account will not apply until the Office apps are restarted. Some policies related to privacy controls will apply without restarting any Office apps.

If the user is a member of multiple AAD groups with conflicting policy settings, priority is used to determine which policy setting is applied. The highest priority is applied, with "0" being the highest priority that you can assign. You can set the priority by choosing Reorder priority on the Policy configurations page.

Also, policy settings implemented by using Office cloud policy service take precedence over policy settings implemented by using Group Policy on Windows Server, as well as taking precedence over preference settings or locally applied policy settings.
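
The precedence rules above can be modeled offline to predict which value a user ends up with before you reorder priorities. The following is an added example, not Microsoft's code and not a call into the service: the configuration names, group names and setting names are constructed, and it assumes that settings which don't conflict are still taken from lower-priority configurations.

```powershell
# Constructed sample data: configuration, group and setting names are hypothetical.
$configurations = @(
    [pscustomobject]@{ Name = 'Finance lockdown'; Group = 'SG-Finance'; Priority = 0
        Settings = @{ 'Macro notification' = 'Disable all without notification' } }
    [pscustomobject]@{ Name = 'Org baseline'; Group = 'SG-AllStaff'; Priority = 1
        Settings = @{ 'Macro notification' = 'Disable all with notification'
                      'Block internet macros' = 'Enabled' } }
    [pscustomobject]@{ Name = 'Contractors'; Group = 'SG-Contractors'; Priority = 2
        Settings = @{ 'Block internet macros' = 'Disabled' } }
)
# Constructed values standing in for what on-premises Group Policy delivers.
$groupPolicy = @{ 'Macro notification'   = 'Enable all macros'
                  'Trust VBA project access' = 'Disabled' }

function Resolve-EffectivePolicy {
    param(
        [string[]]  $UserGroups,
        [object[]]  $Configurations,
        [hashtable] $GroupPolicy = @{}
    )
    $effective = [ordered]@{}
    # Walk the user's cloud configurations from priority 0 upward;
    # the first configuration to set a value wins the conflict.
    $applicable = $Configurations | Where-Object { $_.Group -in $UserGroups } | Sort-Object Priority
    foreach ($config in $applicable) {
        foreach ($name in $config.Settings.Keys) {
            if (-not $effective.Contains($name)) {
                $effective[$name] = [pscustomobject]@{
                    Setting = $name; Value = $config.Settings[$name]
                    Source  = "Cloud: $($config.Name) (priority $($config.Priority))" }
            }
        }
    }
    # Group Policy only supplies settings that no cloud configuration has set.
    foreach ($name in $GroupPolicy.Keys) {
        if (-not $effective.Contains($name)) {
            $effective[$name] = [pscustomobject]@{
                Setting = $name; Value = $GroupPolicy[$name]; Source = 'Group Policy' }
        }
    }
    $effective.Values
}

Resolve-EffectivePolicy -UserGroups 'SG-Finance', 'SG-AllStaff' `
    -Configurations $configurations -GroupPolicy $groupPolicy | Format-Table -AutoSize
```

For a user in both SG-Finance and SG-AllStaff, the macro notification value comes from the priority 0 configuration, the internet macro block comes from the priority 1 configuration, and only the setting that no cloud configuration touches falls through to Group Policy.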

Additional information about the Office cloud policy service

  • Only user-based policy settings are available. Computer-based policy settings aren't available.
  • Not all user-based policy settings are available. Only user-based policy settings that configure a single value are available currently. Work is being done to make more user-based policy settings available.
  • As new user-based policy settings are made available for Office, the Office cloud policy service will automatically add them. There is no need to download updated Administrative Templates files (ADMX/ADML).
  • You can also create policy configurations to apply policy settings for Version 1808 or later of the subscription versions of the Project and Visio desktop apps.
  • Version 1808 of Microsoft 365 Apps for enterprise (and for the subscription versions of the Project and Visio desktop apps) is available in Current Channel, Monthly Enterprise Channel, Semi-Annual Enterprise Channel (Preview), and Semi-Annual Enterprise Channel. For Microsoft 365 Apps for enterprise release information, see Update history for Microsoft 365 Apps.
  • If users are located in nested groups and the parent group is targeted for policies in OCPS, the users in the nested groups will receive the policies.

Troubleshooting tips

If the expected policies haven't been correctly applied to a user's device, try the following:

  • Make sure the user is signed into Microsoft 365 Apps for enterprise, has activated it, and has a valid license.
  • Make sure the user is part of the appropriate security group.
  • Check the priority of the policy configurations in OCPS. If the user is in multiple security groups that have policy configurations assigned to them, then the priority of the policy configurations determines which policies take effect.
  • In some cases, policies might not be applied correctly if two users with different policies sign into Office 365 on the same device and during the same Windows session.
  • Policy settings retrieved from the Office cloud policy service are stored in the registry under HKEY_CURRENT_USER\Software\Policies\Microsoft\Cloud\Office\16.0. This key is overwritten each time a new set of policies is retrieved from the policy service during the check-in process.
  • Policy service check-in activity is stored in the registry under HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\CloudPolicy. Deleting this key and restarting the Office apps will trigger the policy service to check in the next time an Office app is launched.
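
The last two checks can be scripted so a help desk can confirm what the device actually received. The following PowerShell is an added example, not part of the original documentation: the two registry paths are the ones named above, while the function names and the list of Office process names are choices made for this example. Run it in the affected user's session, since both keys live under HKEY_CURRENT_USER.

```powershell
# The two registry paths are the keys named in the troubleshooting list above.
$cloudPolicyKey = 'HKCU:\Software\Policies\Microsoft\Cloud\Office\16.0'
$checkInKey     = 'HKCU:\Software\Microsoft\Office\16.0\Common\CloudPolicy'

function Get-OfficeCloudPolicyValue {
    # Lists every registry value under the given key and all of its subkeys.
    param([string] $Root = $cloudPolicyKey)
    if (-not (Test-Path -Path $Root)) {
        Write-Warning "Key not found: $Root"
        return
    }
    $keys = @(Get-Item -Path $Root) +
            @(Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($valueName in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key.Name
                Name  = $valueName
                Kind  = $key.GetValueKind($valueName)
                Value = $key.GetValue($valueName)
            }
        }
    }
}

function Reset-OfficeCloudPolicyCheckIn {
    # Deletes the check-in key so the next Office app launch triggers a new check-in.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([string] $Path = $checkInKey)
    # Process names are an assumption covering the common desktop apps.
    if (Get-Process -Name WINWORD, EXCEL, POWERPNT, OUTLOOK -ErrorAction SilentlyContinue) {
        Write-Warning 'Office apps are running; close them so the next launch performs the check-in.'
    }
    if ((Test-Path -Path $Path) -and $PSCmdlet.ShouldProcess($Path, 'Remove check-in state')) {
        Remove-Item -Path $Path -Recurse -Force
    }
}

# Policies the service delivered to this user, then the recorded check-in activity.
Get-OfficeCloudPolicyValue | Sort-Object Key, Name | Format-Table -AutoSize -Wrap
Get-OfficeCloudPolicyValue -Root $checkInKey | Format-Table -AutoSize -Wrap

# Preview the forced check-in; remove -WhatIf to delete the key.
Reset-OfficeCloudPolicyCheckIn -WhatIf
```

An empty result from the first call, with the user signed in and in the right group, points at the check-in rather than at priority ordering.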