將原則指派給學校中的大型使用者Assign policies to large sets of users in your school

重要

您可以執行Microsoft Teams 教育版原則精靈以輕鬆將原則套用到您的學生、授課者和教職員身上。You can run the Teams for Education Policy Wizard to easily apply policies for your students, educators and staff. 該工具使用我們為學生安全建議的設置來調整一組核心原則的全域(全組織預設值)原則定義,並將其套用到學生身上。The tool adjusts the Global (Org-wide default) policy definition of a core set of policies with settings that we recommend for student safety and applies it to students. 該工具還會創建一套自定義原則,並將其分配給授課者和教職員。The tool also creates and assigns a set of custom policies to educators and staff. 如果您已使用精靈來套用原則到您的學生、授課者和教職員身上,則 在您想手動為學生、授課者和教職員建立和管理原則時,才參照這篇文章。If you already used the wizard to apply policies for your students, educators and staff, use this article as a reference or only if you want to manually create and manage policies for your students, educators and staff.

注意

如需在 Microsoft 團隊中指派原則的較大故事,請參閱 在小組中指派原則給您的使用者For the larger story on assigning policies in Microsoft Teams, see Assign policies to your users in Teams.

概觀Overview

您是否需要給予學生與教育版 Microsoft 團隊中不同功能的存取權?Do you need to give your students and educators access to different features in Microsoft Teams? 您可以透過授權類型快速識別貴組織中的使用者,然後指派適當的原則。You can quickly identify the users in your organization by license type and then assign them the appropriate policy. 本教學課程會示範如何將會議原則指派給學校中的大型使用者。This tutorial shows you how to assign a meeting policy to large sets of users in your school. 您可以使用 Microsoft 團隊系統管理中心和 PowerShell 來指派策略,我們會為您顯示這兩種方法。You can assign policies using the Microsoft Teams admin center and PowerShell and we'll show you both ways.

您可以將會議原則指派給安全性群組,這些使用者是透過批次原則分派來縮放的使用者,或直接傳送給使用者。You can assign a meeting policy to a security group that the users are members of or directly to users at scale through a batch policy assignment. 您將瞭解如何:You'll learn how to:

  • 使用 原則指派給群組 ,將會議原則指派給安全性群組 (建議的)Use policy assignment to groups to assign a meeting policy to a security group (recommended). 這個方法可讓您根據群組成員資格指派原則。This method lets you assign a policy based on group membership. 您可以將原則指派給安全性群組或通訊群組清單。You can assign a policy to a security group or distribution list. 在群組中新增或移除成員時,系統會據此更新其繼承的原則分派。As members are added to or removed from the group, their inherited policy assignments are updated accordingly. 我們建議您使用這個方法,因為它會減少管理新使用者的原則或使用者角色變更的時間。We recommend you use this method because it reduces the time to manage policies for new users or when users' roles change. 這個方法最適合用於50000使用者的群組,但也適用于較大的群組。This method works best for groups of up to 50,000 users but will also work with larger groups.

  • 使用 批次原則 分派將會議原則直接指派給使用者Use batch policy assignment to assign a meeting policy directly to users in bulk. 您一次最多可以為5000使用者指派原則。You can assign a policy for up to 5,000 users at a time. 如果您的使用者超過5000個,您可以提交多個批次。If you have more than 5,000 users, you can submit multiple batches. 使用這個方法,當您有新的使用者時,您必須重新執行批次指派,才能將原則指派給新的使用者。With this method, when you have new users, you'll need to re-run the batch assignment to assign the policy to those new users.

請記住,在團隊中,使用者會自動取得團隊原則類型的全域 (組織範圍預設) 原則,除非您建立並指派自訂原則。Remember that in Teams, users automatically get the Global (Org-wide default) policy for a Teams policy type unless you create and assign a custom policy. 因為學生人數通常是最大的一組使用者,且通常會收到最嚴格的設定,所以建議您執行下列動作:Because the student population is often the largest set of users and they often receive the most restrictive settings, we recommend that you do the following:

  • 建立可讓核心功能(例如私人聊天和會議排程)的自訂原則,並將原則指派給您的員工和教育者。Create a custom policy that allows core capabilities such as private chat and meeting scheduling and assign the policy to your staff and educators.
  • 將自訂原則指派給您的員工和教育版。Assign the custom policy to your staff and educators.
  • 編輯並套用全域 (組織範圍的預設) 原則,以限制學生的功能。Edit and apply the Global (Org-wide default) policy to restrict capabilities for students.

請記住,全域原則會套用至您學校中的所有使用者,直到您建立自訂原則並將它指派給您的員工和教育版。Keep in mind that the Global policy will apply to all users in your school until you create a custom policy and assign it to your staff and educators.

在本教學課程中,學生將會取得全域會議原則,我們會將名為 EducatorMeetingPolicy 的自訂會議原則指派給教職員工和教育版。In this tutorial, students will get the Global meeting policy and we'll assign a custom meeting policy named EducatorMeetingPolicy to staff and educators. 我們假設您已編輯 [全域原則],為學生調整會議設定,並 建立自訂的原則 ,以定義員工和教育版的會議體驗。We assume that you've edited the Global policy to tailor meeting settings for students and created a custom policy that defines the meeting experience for staff and educators.

[團隊管理中心] 的 [會議原則] 頁面的螢幕擷取畫面

指派原則給群組Assign a policy to a group

請依照下列步驟,為您的員工和教育版建立安全性群組,然後將名為 EducatorMeetingPolicy 的自訂會議原則指派給該安全性群組。Follow these steps to create a security group for your staff and educators, and then assign a custom meeting policy named EducatorMeetingPolicy to that security group.

開始之前Before you get started

重要

當您將原則指派給群組時,原則指派會根據優先順序規則傳播到群組的成員。When you assign a policy to a group, the policy assignment is propagated to members of the group according to precedence rules. 例如,如果使用者直接指派原則 (或透過批次指派) ,該原則會優先于從群組繼承的原則。For example, if a user is directly assigned a policy (either individually or through a batch assignment), that policy takes precedence over a policy that's inherited from a group. 這也表示如果使用者有直接指派給他們的會議原則,您必須先移除該使用者的會議原則,才能從安全性群組繼承會議原則。This also means that if a user has a meeting policy that was directly assigned to them, you'll have to remove that meeting policy from the user before they can inherit a meeting policy from a security group.

在您開始之前,請務必瞭解 優先規則群組指派排名Before you get started, it's important to understand precedence rules and group assignment ranking. 請務必閱讀並瞭解 關於群組原則指派所需瞭解的概念Make sure that you read and understand the concepts in What you need to know about policy assignment to groups.

您需要為員工完成所有這些步驟,並準備好從安全性群組繼承會議原則。You'll need to complete all these steps for your staff and educators to inherit a meeting policy from a security group.

  1. 建立安全性群組Create security groups.
  2. 指派原則給安全性群組Assign a policy to a security group.
  3. 移除直接指派給使用者的原則Remove a policy that was directly assigned to users.

建立安全性群組Create security groups

首先,為您的員工和教育版建立一個安全性群組。First, create a security group for your staff and educators.

使用 學校資料同步 處理 (SDS) ,您就可以輕鬆地在學校中 建立教育版和學生的安全性群組With School Data Sync (SDS), you can easily create security groups educators and students in your school. 建議您使用 SDS 來建立管理學校的原則所需的安全性群組。We recommend that you use SDS to create the security groups you need to manage policies for your school.

如果您無法在您的環境中部署 SDS,請使用 此 PowerShell 腳本 來建立兩個安全性群組,一個適用于已指派教職員授權的所有員工,以及另一個指派了「學生授權」的學生。If you're unable to deploy SDS within your environment, use this PowerShell script to create two security groups, one for all staff and educators who have a Faculty license assigned and another for all students who have a Student license assigned. 您必須定期執行此腳本,以保持群組的新鮮及最新狀態。You'll need to run this script routinely to keep the groups fresh and up to date.

指派原則給安全性群組Assign a policy to a security group

使用 Microsoft Teams 系統管理中心Using the Microsoft Teams admin center

注意

目前,使用 Microsoft 團隊系統管理中心群組的原則指派只適用于小組呼叫原則、小組通話寄存原則、團隊原則、團隊即時事件原則、團隊會議原則和團隊訊息原則。Currently, policy assignment to groups using the Microsoft Teams admin center is only available for Teams calling policy, Teams call park policy, Teams policy, Teams live events policy, Teams meeting policy, and Teams messaging policy. 針對其他原則類型,請使用 PowerShell。For other policy types, use PowerShell.

  1. 在 Microsoft 團隊系統管理中心的左導覽中,前往 [會議 > 會議原則]。In the left navigation of the Microsoft Teams admin center, go to Meetings > Meeting policies.

  2. 選取 [ 群組原則指派 ] 索引標籤。Select the Group policy assignment tab.

  3. 選取 [ 新增群組],然後在 [ 將原則指派給群組 ] 窗格中,執行下列動作:Select Add group, and then in the Assign policy to group pane, do the following:

    顯示會議原則之 [編輯設定] 窗格的螢幕擷取畫面

    1. 在 [ 選取群組 ] 方塊中,搜尋並新增包含您的員工與教育者的安全性群組。In the Select a group box, search for and add the security group that contains your staff and educators.
    2. 在 [ 選取排名 ] 方塊中,輸入 1In the Select rank box, enter 1.
    3. 在 [ 選取原則 ] 方塊中,選取 [ EducatorMeetingPolicy]。In the Select a policy box, select EducatorMeetingPolicy.
    4. 選取 [ 套用]。Select Apply.

若要移除群組原則指派,請在 [原則] 頁面的 [ 群組原則指派 ] 索引標籤上,選取 [群組指派],然後選取 [ 移除]。To remove a group policy assignment, on the Group policy assignment tab of the policy page, select the group assignment, and then select Remove.

若要變更群組指派的排名,您必須先移除 [群組原則指派]。To change the ranking of a group assignment, you have to first remove the group policy assignment. 然後,按照上述步驟,將原則指派給群組。Then, follow the steps above to assign the policy to a group.

使用 PowerShellUsing PowerShell

注意

目前,對於所有團隊原則類型,使用 PowerShell 的群組的原則指派都無法使用。Currently, policy assignment to groups using PowerShell isn't available for all Teams policy types. 如需支援的原則類型清單,請參閱 新-CsGroupPolicyAssignmentSee New-CsGroupPolicyAssignment for the list of supported policy types.

安裝並連接至 Microsoft 團隊 PowerShell 模組Install and connect to the Microsoft Teams PowerShell module

執行下列動作,以安裝 團隊 PowerShell 模組 ((如果尚未安裝)) 。Run the following to install the Teams PowerShell module (if it's not already installed). 請確定您已安裝版本1.0.5 或更新版本。Make sure you install version 1.0.5 or later.

Install-Module -Name MicrosoftTeams

執行下列動作以連線至團隊並啟動會話。Run the following to connect to Teams and start a session.

Connect-MicrosoftTeams

出現提示時,請使用您的系統管理員認證登入。When you're prompted, sign in using your admin credentials.

指派原則給群組Assign a policy to a group

執行下列動作,將名為 EducatorMeetingPolicy 的會議原則指派給包含您的員工和教育者的安全性群組,並將作業排名設定為1。Run the following to assign the meeting policy named EducatorMeetingPolicy to the security group that contains your staff and educators and set the assignment ranking to 1. 您可以使用物件識別碼、會話初始通訊協定 (SIP) 位址或電子郵件地址來指定安全性群組。You can specify a security group by using the object Id, Session Initiation Protocol (SIP) address, or email address. 在這個範例中,我們使用 (staff-faculty@contoso.com) 的電子郵件地址。In this example, we use an email address (staff-faculty@contoso.com).

New-CsGroupPolicyAssignment -GroupId staff-faculty@contoso.com -PolicyType TeamsMeetingPolicy -PolicyName "EducatorMeetingPolicy" -Rank 1

移除直接指派給使用者的原則Remove a policy that was directly assigned to users

請記住,如果使用者是在個別或透過批次作業) 直接指派原則 (,該原則會優先取得優先順序。Remember that if a user was directly assigned a policy (either individually or through a batch assignment), that policy takes precedence. 這表示如果使用者有直接指派給他們的會議原則,您必須先移除該使用者的會議原則,才能從安全性群組繼承會議原則。This means that if a user has a meeting policy that was directly assigned to them, you'll have to remove that meeting policy from the user before they can inherit a meeting policy from a security group.

若要深入瞭解,請參閱將 原則指派給群組所需注意的事項To learn more, see What you need to know about policy assignment to groups.

請依照下列步驟移除直接指派給您的員工和教育版的會議原則。Follow these steps to remove the meeting policy that was directly assigned to your staff and educators.

安裝並連接至 Microsoft 團隊 PowerShell 模組Install and connect to the Microsoft Teams PowerShell module

執行下列動作,以安裝 團隊 PowerShell 模組 ((如果尚未安裝)) 。Run the following to install the Teams PowerShell module (if it's not already installed). 請確定您已安裝版本1.0.5 或更新版本。Make sure you install version 1.0.5 or later.

Install-Module -Name MicrosoftTeams

執行下列動作以連線至團隊並啟動會話。Run the following to connect to Teams and start a session.

Connect-MicrosoftTeams

出現提示時,請使用您用來連線至 Azure AD 的相同管理員認證登入。When you're prompted, sign in using the same admin credentials you used to connect to Azure AD.

取消指派直接指派給使用者的原則Unassign a policy that was directly assigned to users

執行下列動作,從直接指派該原則的使用者中移除會議原則。Run the following to remove a meeting policy from users who were directly assigned that policy. 您可以透過電子郵件地址或物件識別碼來指定使用者。You can specify users by email address or object ID.

在這個範例中,已從使用者的電子郵件地址所指定的使用者移除會議原則。In this example, the meeting policy is removed from users specified by their email address.

$users_ids = @("reda@contoso.com", "nikica@contoso.com", "jamie@contoso.com")
New-CsBatchPolicyAssignmentOperation -PolicyType TeamsMeetingPolicy -PolicyName $null -Identity $users_ids -OperationName "Unassign meeting policy"

在這個範例中,會從名為 user_ids.txt 之文字檔的使用者清單中移除會議原則。In this example, the meeting policy is removed from the list of users in a text file named user_ids.txt.

$user_ids = Get-Content .\users_ids.txt
New-CsBatchPolicyAssignmentOperation -PolicyType TeamsMeetingPolicy -PolicyName $null -Identity $users_ids -OperationName "Unassign meeting policy"
取得群組的原則指派Get policy assignments for a group

執行下列動作,查看指派給特定安全性群組的所有原則。Run the following to see all the policies assigned to a specific security group. 請注意,即使其 SIP 位址或電子郵件地址是用來指派原則,群組也永遠會依其群組識別碼列出。Note that groups are always listed by their group ID even if its SIP address or email address was used to assign the policy.

Get-CsGroupPolicyAssignment -GroupId staff-faculty@contoso.com

取得指派給使用者的原則Get the policies assigned to a user

執行下列動作,查看指派給特定使用者的所有原則。Run the following to see all the policies that are assigned to a specific user. 下列範例顯示如何取得指派給 reda@contoso.com 的原則。The following example shows you how to get the policies that are assigned to reda@contoso.com.

Get-CsUserPolicyAssignment -Identity reda@contoso.com

指派原則給一批使用者Assign a policy to a batch of users

請依照下列步驟,將名為 EducatorMeetingPolicy 的自訂會議原則直接指派給您的員工,然後大量地進行教育。Follow these steps to assign a custom meeting policy named EducatorMeetingPolicy directly to your staff and educators in bulk.

使用 PowerShellUsing PowerShell

連線到適用于圖形模組與團隊 PowerShell 模組的 Azure AD PowerShellConnect to the Azure AD PowerShell for Graph module and the Teams PowerShell module

在您執行本文中的步驟前,您必須安裝並聯機至 Azure AD PowerShell for Graph 模組 (,以透過其指派的授權) 來識別使用者,以及將原則指派給) 使用者的 Microsoft 團隊 PowerShell 模組 (。Before you perform the steps in this article, you'll need to install and connect to the Azure AD PowerShell for Graph module (to identify users by their assigned licenses) and the Microsoft Teams PowerShell module (to assign the policies to those users).

安裝並連接至 Azure AD PowerShell for Graph 模組Install and connect to the Azure AD PowerShell for Graph module

開啟提升許可權的 Windows PowerShell 命令提示字元 (以系統管理員身分執行 Windows PowerShell) ,然後執行下列動作來安裝適用于 Graph 模組的 Azure Active Directory PowerShell。Open an elevated Windows PowerShell command prompt (run Windows PowerShell as an administrator), and then run the following to install the Azure Active Directory PowerShell for Graph module.

Install-Module -Name AzureAD

執行下列動作以連線至 Azure AD。Run the following to connect to Azure AD.

Connect-AzureAD

出現提示時,請使用您的系統管理員認證登入。When you're prompted, sign in using your admin credentials.

若要深入瞭解,請參閱 使用 Azure Active Directory PowerShell For Graph 模組進行連線。To learn more, see Connect with the Azure Active Directory PowerShell for Graph module.

安裝並連接至 Microsoft 團隊 PowerShell 模組Install and connect to the Microsoft Teams PowerShell module

執行下列動作,以安裝 團隊 PowerShell 模組 ((如果尚未安裝)) 。Run the following to install the Teams PowerShell module (if it's not already installed). 請確定您已安裝版本1.0.5 或更新版本。Make sure you install version 1.0.5 or later.

Install-Module -Name MicrosoftTeams

執行下列動作以連線至團隊並啟動會話。Run the following to connect to Teams and start a session.

Connect-MicrosoftTeams

出現提示時,請使用您用來連線至 Azure AD 的相同管理員認證登入。When you're prompted, sign in using the same admin credentials you used to connect to Azure AD.

識別您的使用者Identify your users

首先,請執行下列動作來識別您的員工,並依授權類型進行教育。First, run the following to identify your staff and educators by license type. 這會告訴您組織中使用的 Sku。This tells you what SKUs are in use in your organization. 然後,您就可以找出已指派教職員 SKU 的員工和教育版。You can then identify staff and educators that have a Faculty SKU assigned.

Get-AzureAdSubscribedSku | Select-Object -Property SkuPartNumber,SkuId

返回:Which returns:

SkuPartNumber      SkuId
-------------      -----
M365EDU_A5_FACULTY e97c048c-37a4-45fb-ab50-922fbf07a370
M365EDU_A5_STUDENT 46c119d4-0379-4a9d-85e4-97c66d3f909e

在這個範例中,輸出顯示教職員授權 SkuId 是「e97c048c-37a4-45fb-ab50-922fbf07a370」。In this example, the output shows that the Faculty license SkuId is "e97c048c-37a4-45fb-ab50-922fbf07a370".

注意

若要查看教育版 Sku 和 SKU 識別碼的清單,請參閱 教育 sku 參考To see a list of Education SKUs and SKU IDs, see Education SKU reference.

接著,我們會執行下列動作來找出擁有此授權的使用者,並將它們一起收集。Next, we run the following to identify the users that have this license and collect them all together.

$faculty = Get-AzureADUser -All $true | Where-Object {($_.assignedLicenses).SkuId -contains "e97c048c-37a4-45fb-ab50-922fbf07a370"}

大量指派原則Assign a policy in bulk

現在,我們會大量將適當的原則指派給使用者。Now, we assign the appropriate policies to users in bulk. 您可以指派或更新原則的使用者數目上限為5000一次。The maximum number of users for which you can assign or update policies is 5,000 at a time. 例如,如果您有超過5000名員工和教育版,您將需要提交多個批次。For example, if you have more than 5,000 staff and educators, you'll need to submit multiple batches.

執行下列動作,將名為 EducatorMeetingPolicy 的自訂會議原則指派給您的員工和教育者。Run the following to assign a custom meeting policy named EducatorMeetingPolicy to your staff and educators.

New-CsBatchPolicyAssignmentOperation -PolicyType TeamsMeetingPolicy -PolicyName EducatorMeetingPolicy -Identity $faculty.ObjectId

注意

若要大量指派不同的原則類型(例如 TeamsMessagingPolicy),您必須變更 PolicyType 為您要指派的原則,以及 PolicyName 策略名稱。To assign a different policy type in bulk, like TeamsMessagingPolicy, you'll need to change PolicyType to the policy that you're assigning and PolicyName to the policy name.

取得大量作業的狀態Get the status of a bulk assignment

每個大量指派都會傳回作業識別碼,您可以用來追蹤原則指派的進度,或找出任何可能發生的失敗。Each bulk assignment returns an operation ID, which you can use to track the progress of the policy assignments or identify any failures that might occur. 例如,執行下列動作:For example, run the following:

Get-CsBatchPolicyAssignmentOperation -OperationId 3964004e-caa8-4eb4-b0d2-7dd2c8173c8c | fl

若要在批次作業中查看每位使用者的作業狀態,請執行下列操作。To view the assignment status of each user in the batch operation, run the following. 每個使用者的詳細資料都在 UserState 屬性中。Details of each user are in the UserState property.

Get-CsBatchPolicyAssignmentOperation -OperationId 3964004e-caa8-4eb4-b0d2-7dd2c8173c8c | Select -ExpandProperty UserState

如果您有超過5000個使用者,則會大量指派原則Assign a policy in bulk if you have more than 5,000 users

首先,請執行下列動作,查看您擁有多少名員工和教育人數:First, run the following to see how many staff and educators you have:

$faculty.count

請不要提供完整的使用者識別碼清單,而是執行下列動作,以指定第一個5000,以及下一個5000等。Instead of providing the whole list of user IDs, run the following to specify the first 5,000, and then the next 5,000, and so on.

New-CsBatchPolicyAssignmentOperation -PolicyType TeamsMeetingPolicy -PolicyName EducatorMeetingPolicy -Identity $faculty[0..19999].ObjectId

您可以變更使用者識別碼的範圍,直到您到達完整的使用者清單為止。You can change the range of user IDs until you reach the full list of users. 例如,輸入 $faculty[0..4999 第一個批次,使用第二批次, $faculty[5000..9999 輸入第 $faculty[10000..14999 三批次,依此類推。For example, enter $faculty[0..4999 for the first batch, use $faculty[5000..9999 for the second batch, enter $faculty[10000..14999 for the third batch, and so on.

取得指派給使用者的原則Get the policies assigned to a user

執行下列動作,查看指派給特定使用者的所有原則。Run the following to see all the policies that are assigned to a specific user. 下列範例顯示如何取得指派給 hannah@contoso.com 的原則。The following example shows you how to get the policies that are assigned to hannah@contoso.com.

Get-CsUserPolicyAssignment -Identity hannah@contoso.com

常見問題集FAQ

我不熟悉 PowerShell for 團隊。何處可以深入瞭解?I'm not familiar with PowerShell for Teams. Where can I learn more?

如需使用 PowerShell 來管理團隊的概覽,請參閱 團隊 PowerShell 概覽For an overview of using PowerShell to manage Teams, see Teams PowerShell overview. 如需本文中使用的 Cmdlet 的詳細資訊,請參閱:For more information about the cmdlets used in this article, see: