Governing access in Microsoft 365 groups, Teams, and SharePoint

There are many controls that let you govern how people access resources in groups, teams, and SharePoint. Review these options and consider how they map to your business needs, the sensitivity of your data, and the scope of people your users need to collaborate with.

The following table provides a quick reference for the access controls available in Microsoft 365. Further information is provided in the sections that follow.

Category / Description: Reference

Membership
    Discovery of private teams: Manage discovery of private teams in Microsoft Teams
    Dynamic group membership based on rules: Create or update a dynamic group in Azure Active Directory
    Control who can share files, folders, and sites: Set up and manage access requests

Conditional access
    Multi-factor authentication: Azure AD Multi-Factor Authentication
    Control device access based on group, team, or site sensitivity: Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites
    Limit site access from unmanaged devices: Control SharePoint access from unmanaged devices
    Control site access based on location: Control access to SharePoint and OneDrive data based on network location

Guest access
    Allow or block SharePoint sharing from specified domains: Restrict sharing of SharePoint and OneDrive content by domain
    Allow or block team or group membership from specified domains: Allow or block invitations to B2B users from specific organizations
    Prevent anonymous sharing: Turn off Anyone links
    Control the permissions for anonymous access links: Set link permissions for Anyone links
    Control the expiration of anonymous sharing links: Set an expiration date for Anyone links
    Control the type of sharing link shown to users by default: Change the default link type for a site
    Limit external sharing to specific people: Limit external sharing to specified security groups
    Control guest access to a group, team, or site based on information sensitivity: Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites
    Turn off sharing options: Limit sharing in Microsoft 365

User management
    Review team and group membership on a regular basis: What are Azure AD access reviews?
    Automate access management to groups and teams: What is Azure AD entitlement management?
    Allow or block people from creating private channels in Teams: Manage the life cycle of private channels in Microsoft Teams

Membership

Membership of teams and groups is controlled by their owners. Members can invite others, but the invitations are sent to the owners for approval. While public teams and groups are discoverable by anyone in the organization, you can control whether private teams and groups are discoverable:

You can manage membership of a group or team dynamically based on criteria such as department. In this case, members and owners cannot invite people to the team; membership is determined entirely by the rule.

SharePoint sites let you add owners, members, and visitors independently of group or team membership. Depending on your requirements, you may want to restrict who can invite people to the site. Also, depending on the sensitivity of the information in a given site, you may want to restrict who can share files and folders. These restrictions are configured by the team, group, or site owner:

Conditional access

With Microsoft 365, you can require multi-factor authentication for people both inside and outside your organization. There are many options for the circumstances under which people are prompted for a second factor of authentication. We highly recommend that you deploy multi-factor authentication for your organization:

If some of your groups and teams hold sensitive information, you can enforce device management policies based on the group's or team's sensitivity label. You can block access from unmanaged devices entirely, or allow limited, web-only access:

In SharePoint, you can restrict access to sites to specified network locations.

Additional resources:

Guest access

You can restrict guests based on the domain of their email address. SharePoint offers organization-wide and site-specific domain restriction settings. Groups and Teams use the domain allow and deny lists in Azure AD. Be sure to configure both settings to avoid unwanted sharing and to ensure a consistent user experience:

Microsoft 365 allows anonymous sharing of files and folders by using Anyone sharing links. Anyone links can be forwarded, and anyone who holds the link can access the shared item. Depending on the sensitivity of your data, consider governing how Anyone links are used, including turning them off entirely, restricting link permissions to read-only, or setting an expiration time for them:

When sharing files or folders, users have several link types to choose from. To reduce the risk of accidental inappropriate sharing, you can change the default link type presented to users when they share. For example, changing the default from Anyone links (which allow anonymous access) to People in your organization links can reduce the risk of unwanted external sharing of sensitive information:
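The domain restriction, Anyone-link, and default-link-type controls described above can all be audited and set from the SharePoint Online Management Shell. The following is an added example, not from the original article; it assumes the module is installed, that `<tenant>` is a placeholder for your tenant name, and that the partner domains and the site URL are constructed sample values.

```powershell
# Added example: audit, then harden, tenant-wide sharing settings.
# Assumes SharePoint Online Management Shell; <tenant> is a placeholder.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# 1. Record the current state so the change can be reviewed and reverted.
$before = Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    FileAnonymousLinkType, FolderAnonymousLinkType, RequireAnonymousLinksExpireInDays,
    SharingDomainRestrictionMode, SharingAllowedDomainList
$before | Format-List

# Weak posture the article warns about: Anyone links are the default, grant edit,
# and never expire (0 = no expiration requirement). Shown for comparison only.
# Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing `
#               -DefaultSharingLinkType AnonymousAccess `
#               -FileAnonymousLinkType Edit -FolderAnonymousLinkType Edit `
#               -RequireAnonymousLinksExpireInDays 0

# 2. Hardened posture: keep guest sharing, but default new links to
#    "People in your organization", make any Anyone link that is still created
#    read-only and expire it after 30 days, and restrict external sharing to
#    an allow list of partner domains (sample domains, space separated).
Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing `
              -DefaultSharingLinkType Internal `
              -FileAnonymousLinkType View `
              -FolderAnonymousLinkType View `
              -RequireAnonymousLinksExpireInDays 30 `
              -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "partner-a.example partner-b.example"

# To remove Anyone links entirely (the "Turn off Anyone links" option), lower
# the capability instead. Site-level settings can be stricter than the tenant
# setting but never more permissive, so a tenant-wide change is the safest baseline.
# Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# 3. A site holding sensitive data can be tightened further than the tenant,
#    here to authenticated external users only (sample site URL).
Set-SPOSite -Identity "https://<tenant>.sharepoint.com/sites/finance" `
            -SharingCapability ExternalUserSharingOnly

# 4. Verify the tenant change took effect before closing the change ticket.
$after = Get-SPOTenant
if ($after.DefaultSharingLinkType -ne 'Internal' -or
    $after.FileAnonymousLinkType -ne 'View' -or
    $after.RequireAnonymousLinksExpireInDays -gt 30) {
    Write-Warning "Sharing settings do not match the intended baseline; review before proceeding."
}
```

The `$before` snapshot is worth keeping with the change record, since the same cmdlets can be re-run with those values to roll back.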

If your organization has sensitive data that you need to share with guests, but you're concerned about inappropriate sharing, you can limit external sharing of files and folders to the members of specified security groups. In this way, you can restrict external sharing to a specific group of people, or require your users to complete training on appropriate external sharing before adding them to the security group:

Groups and Teams have organization-level settings that allow or deny guest access. While you can restrict guest access to specific teams or groups by using Microsoft PowerShell, we recommend doing so by means of a sensitivity label. With sensitivity labels, guest access is automatically allowed or denied based on the label applied:

Microsoft 365 offers many different methods of sharing information. If you have sensitive information and want to restrict how it's shared, review the options for limiting sharing:

Additional resources:

User management

As groups and teams evolve in your organization, it is good practice to review team and group membership on a regular basis. This is particularly useful for teams and groups with changing membership, those that contain sensitive information, and those that include guests. Consider setting up access reviews for these teams and groups:

Many organizations have business partnerships with other organizations or key vendors with whom they collaborate in depth. User management and access to resources can be challenging to administer in these scenarios. Consider automating some of the user management tasks, and even transitioning some of them to your partner organization:

Private channels in Teams allow scoped conversations and file sharing among a subset of team members. Depending on your specific business needs, you may want to allow or block this capability.

Additional resources:

Collaboration governance planning step-by-step

Create your collaboration governance plan

Security and compliance in Microsoft Teams

Manage sharing settings in SharePoint

Create and manage an external network in Yammer

Configure Teams with three tiers of protection