Configure a team with security isolation

This article provides recommendations and steps to configure a private team in Microsoft Teams and use a unique sensitivity label to encrypt files so that only team members can decrypt them.

Beyond the private access, this article describes how to configure the associated SharePoint site, which you can access from the Files section of a team channel, for the additional security needed to store highly regulated data.

The elements of configuration for a team with security isolation are:

  • A private team
  • Additional security on the associated SharePoint site for the team that:
    • Prevents members of the site from sharing the site with others.
    • Prevents non-members of the site from requesting access to the site.
  • A sensitivity label specifically for this team that:
    • Prevents access to SharePoint content from unmanaged devices
    • Allows or denies guest access to the team, depending on your requirements
    • Encrypts documents to which the label is applied


Be sure you have enabled sensitivity labels to protect content in Microsoft Teams, Office 365 groups, and SharePoint sites before you proceed with the steps in this article.

Watch this video for an overview of the deployment process.

For a 1-page summary of this scenario, see the Microsoft Teams with security isolation poster.

Microsoft Teams with security isolation poster

You can also download this poster in PDF or PowerPoint format and print it on letter, legal, or tabloid (11 x 17) size paper.

Try this configuration in your own test lab environment with these instructions.

See how the Contoso Corporation used an isolated team for a top-secret project in this case study.

Initial protections

To help protect access to the team and its underlying SharePoint site, review the following best practices:

Guest sharing

Depending on the nature of your business, you may or may not want to enable guest sharing for this team. If you do plan to collaborate with people outside your organization in the team, enable guest sharing.

For details about sharing with guests securely, see the following resources:

To allow or block guest sharing, we use a combination of a sensitivity label for the team and site-level sharing controls for the associated SharePoint site, both discussed later.

Create a private team

Since we are creating a sensitivity label specifically for this team, the next step is to create the team. If you have an existing team, you can use that.

To create a team for sensitive information

  1. In Teams, click Teams on the left side of the app, then click Join or create a team at the bottom of the teams list.
  2. Click Create team (first card, top left corner).
  3. Choose Build a team from scratch.
  4. In the Sensitivity list, keep the default.
  5. Under Privacy, click Private.
  6. Type a name for the team that is related to your sensitive project. For example, Project Saturn.
  7. Click Create.
  8. Add users to the team, and then click Close.

Private channel settings

We recommend restricting the creation of private channels to team owners.

To restrict private channel creation

  1. In the team, click More options, and then click Manage team.
  2. On the Settings tab, expand Member permissions.
  3. Clear the Allow members to create private channels check box.

You can also use Teams policies to control who can create private channels.

Create a sensitivity label

To configure a team for security isolation, we'll be using a sensitivity label created specifically for this team. This label is used at the team level to control guest sharing and to block access from unmanaged devices. It can also be used to classify and encrypt individual files in the team so that only team owners and members can open them.

If you have an internal partner or stakeholder group who should be able to view encrypted documents but not edit them, you can add them to the label with view-only permissions. You can then add these people to the team's SharePoint site with Reader permissions, and they will have read-only access to the site where the documents are kept, but not to the team itself.

To create a sensitivity label

  1. Open the Microsoft 365 compliance center.
  2. Under Solutions, click Information protection.
  3. Click Create a label.
  4. Give the label a name. We suggest naming it after the team that you'll be using it with.
  5. Add a display name and description, and then click Next.
  6. On the Define the scope for this label page, select Files & emails and Groups & sites, and then click Next.
  7. On the Choose protection settings for files and emails page, select Encrypt files and emails, and then click Next.
  8. On the Encryption page, choose Configure encryption settings.
  9. Click Add users or groups, select the team that you created, and then click Add.
  10. Click Choose permissions.
  11. Choose Co-Author from the dropdown list, and then click Save.
  12. If you want to include users or groups with read-only access to files with the label:
    1. Click Assign permissions.
    2. Click Add users or groups, select the users or groups that you want to add, and then click Add.
    3. Click Choose permissions.
    4. Choose Viewer from the dropdown list, and then click Save.
  13. Click Save, and then click Next.
  14. On the Auto-labeling for files and emails page, click Next.
  15. On the Define protection settings for groups and sites page, select Privacy and external user access settings and Device access and external sharing settings, and then click Next.
  16. On the Define privacy and external user access settings page, under Privacy, select the Private option.
  17. If you want to allow guest access, under External user access, select Let Microsoft 365 Group owners add people outside your organization to the group as guests.
  18. Click Next.
  19. On the Define external sharing and device access settings page, select Control external sharing from labeled SharePoint sites.
  20. Under Content can be shared with, choose New and existing guests if you're allowing guest access, or Only people in your organization if not.
  21. Under Access from unmanaged devices, choose Block access.
  22. Click Next.
  23. On the Auto-labeling for database columns page, click Next.
  24. Click Create label, and then click Done.

Once you've created the label, you need to publish it to the users who will use it. In this case, we'll make the label available only to people in the team.

To publish a sensitivity label

  1. In the Microsoft 365 compliance center, on the Information protection page, choose the Label policies tab.
  2. Click Publish labels.
  3. On the Choose sensitivity labels to publish page, click Choose sensitivity labels to publish.
  4. Select the label that you created, and then click Add.
  5. Click Next.
  6. On the Publish to users and groups page, click Choose users and groups.
  7. Click Add, and then select the team that you created.
  8. Click Add, and then click Done.
  9. Click Next.
  10. On the Policy settings page, select the Users must provide justification to remove a label or lower classification label check box, and then click Next.
  11. Type a name for the policy, and then click Next.
  12. Click Submit, and then click Done.

Apply the label to the team

Once the label has been published, you must apply it to the team in order for the guest sharing and managed devices settings to take effect. This is done in the SharePoint admin center. Note that it may take some time for the label to become available after it's been published.

To apply the sensitivity label

  1. Open the SharePoint admin center.
  2. Under Sites, click Active sites.
  3. Click the site that is associated with the team.
  4. On the Policies tab, under Sensitivity, click Edit.
  5. Select the label that you created, and then click Save.

SharePoint settings

There are three steps to do in SharePoint:

  • Update the guest sharing settings for the site in the SharePoint admin center to match what you chose when you created the label, and update the default sharing link to People with existing access.
  • Update the site sharing settings in the site itself to prevent members from sharing files, folders, or the site, and turn off access requests.
  • If you added people or groups to the label with Viewer permissions, you can add them to the SharePoint site with Read permissions.

SharePoint guest settings

The guest sharing setting that you chose when you created the label (which only affects team membership) should match the guest sharing settings for the associated SharePoint site as follows:

  • Label setting: Let Office 365 group owners add people outside the organization to the group selected. SharePoint site setting: New and existing guests (default for new teams).
  • Label setting: Let Office 365 group owners add people outside the organization to the group not selected. SharePoint site setting: Only people in your organization.

We'll also update the default sharing link type to reduce the risk of accidentally sharing files and folders with a wider audience than intended.

To update site settings

  1. Open the SharePoint admin center.
  2. Under Sites, click Active sites.
  3. Click the site that is associated with the team.
  4. On the Policies tab, under External sharing, click Edit.
  5. If you allowed guest sharing when you created the sensitivity label, ensure that New and existing guests is selected. If you didn't allow sharing when you created the label, choose Only people in your organization.
  6. Under Default sharing link type, clear the Same as organization-level setting check box, and select People with existing access.
  7. Click Save.

Private channels

If you add private channels to the team, each private channel creates a new SharePoint site with the default sharing settings. These sites are not visible in the SharePoint admin center, so you must use the Set-SPOSite PowerShell cmdlet with the following parameters to update the guest sharing settings:

  • -SharingCapability Disabled to turn off guest sharing (it's on by default)
  • -DefaultSharingLinkType Internal to change the default sharing link to Specific people

If you don't plan to use private channels with your team, consider turning off the ability for team members to create them under Member permissions in team settings.
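The following PowerShell is an example added here, not code from the article: it applies the two Set-SPOSite parameters above to every private-channel site behind one team and then reads the settings back to confirm them. It assumes the SharePoint Online Management Shell module is installed, that the admin and team site URLs are placeholders for your tenant, and that private-channel sites can be listed with Get-SPOSite by the TEAMCHANNEL#0 and TEAMCHANNEL#1 site templates and matched by the parent team site's URL prefix.

```powershell
# Added example (not from the article). Placeholder URLs: replace with your tenant's
# SharePoint admin URL and the URL of the team's own SharePoint site.
$AdminUrl    = 'https://contoso-admin.sharepoint.com'
$TeamSiteUrl = 'https://contoso.sharepoint.com/sites/ProjectSaturn'

# Match the choice you made in the sensitivity label: $false = no guest sharing
# (SharingCapability Disabled), $true = new and existing guests
# (SharingCapability ExternalUserSharingOnly).
$AllowGuests = $false
$Sharing = if ($AllowGuests) { 'ExternalUserSharingOnly' } else { 'Disabled' }

Connect-SPOService -Url $AdminUrl

# Private-channel sites do not appear in the admin center. Assumption: they can be
# enumerated by template id and carry the parent team site URL plus a "-<channel>"
# suffix, so filter on that prefix to stay within this one team.
$ChannelSites = foreach ($Template in 'TEAMCHANNEL#0', 'TEAMCHANNEL#1') {
    Get-SPOSite -Template $Template -Limit All |
        Where-Object { $_.Url -like "$TeamSiteUrl-*" }
}

if (-not $ChannelSites) {
    Write-Host "No private-channel sites found under $TeamSiteUrl"
    return
}

# Apply the article's two parameters to each private-channel site.
foreach ($Site in $ChannelSites) {
    Set-SPOSite -Identity $Site.Url `
        -SharingCapability $Sharing `
        -DefaultSharingLinkType Internal
}

# Verify by reading the properties back instead of trusting a silent cmdlet run;
# a private-channel site left at tenant defaults would show up here as Compliant = False.
$Report = foreach ($Site in $ChannelSites) {
    $Current = Get-SPOSite -Identity $Site.Url
    [pscustomobject]@{
        Url                    = $Current.Url
        SharingCapability      = $Current.SharingCapability
        DefaultSharingLinkType = $Current.DefaultSharingLinkType
        Compliant              = ($Current.SharingCapability -eq $Sharing -and
                                  $Current.DefaultSharingLinkType -eq 'Internal')
    }
}
$Report | Format-Table -AutoSize
```

Re-run the script after new private channels are created, since each one provisions a fresh site with the default sharing settings.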

Site sharing settings

To help ensure that the SharePoint site does not get shared with people who are not members of the team, we limit such sharing to owners. We also limit sharing of files and folders to team owners. This helps ensure that owners are aware whenever a file is shared with someone outside the team.

To configure owners-only site sharing

  1. In Teams, navigate to the General tab of the team you want to update.
  2. In the tool bar for the team, click Files.
  3. Click the ellipsis, and then click Open in SharePoint.
  4. In the tool bar of the underlying SharePoint site, click the settings icon, and then click Site permissions.
  5. In the Site permissions pane, under Sharing Settings, click Change sharing settings.
  6. Under Sharing permissions, choose Only site owners can share files, folders, and the site, and then click Save.

Custom site permissions

If you added people with Viewer permissions to the sensitivity label, you can add them to the SharePoint site with Read access so they have easy access to the files.

To add users to the site

  1. In the site, click the settings icon, and then click Site permissions.
  2. Click Invite people, and then click Share site only.
  3. Type the names of the users and groups that you want to invite.
  4. For each person or group that you add, change their permissions from Edit to Read.
  5. Choose whether you want to send them an email with a link to the site.
  6. Click Add.

Additional protections

Microsoft 365 offers additional methods for securing your content. Consider whether the following options would help improve security for your organization.

Drive user adoption for team members

With the team in place, it's time to drive the adoption of this team and its additional security to team members.

Train your users

Members of the team can access the team and all of its resources, including chats, meetings, and other apps. When working with files from the Files section of a channel, members of the team should assign the sensitivity label to the files they create.

When the label gets applied to the file, it is encrypted. Members of the team can open it and collaborate in real time. If the file leaves the site and gets forwarded to a malicious user, they will have to supply the credentials of a user account that is a member of the team to open the file and view its contents.

Train your team members:

  • On the importance of using the new team for chats, meetings, files, and the other resources of the SharePoint site, and on the consequences of a highly regulated data leak, such as legal ramifications, regulatory fines, ransomware, or loss of competitive advantage.
  • How to access the team.
  • How to create new files on the site and upload new files stored locally.
  • How to label files with the correct sensitivity label for the team.
  • How the label protects files even when they are leaked off the site.

This training should include hands-on exercises so that your team members can experience these capabilities and their results.

Conduct periodic reviews of usage and address team member feedback

In the weeks after training:

  • Quickly address team member feedback and fine-tune policies and configurations.
  • Analyze usage for the team and compare it with usage expectations.
  • Verify that highly regulated files have been properly labeled with the sensitivity label. (You can see which files have a label assigned by viewing a folder in SharePoint and adding the Sensitivity column through the Show/hide columns option of Add column.)

Retrain your users as needed.

See also

Azure AD Privileged Identity Management