How to provision Teams at scale for Frontline Workers

Do you need to rapidly onboard a large number of users to Microsoft Teams and configure a streamlined experience for them? By walking through the following instructions, you can quickly provision identities, provision teams, and assign all relevant policies that control the end-user experience.

In this walkthrough, you'll learn how to:

  • Create a large number of users.
  • Create a large number of teams and set up the appropriate channels.
  • Assign licensing at scale.
  • Create appropriate Teams messaging policies, app setup policies, and app permission policies.
  • Apply those policies to users at scale.
  • Assign a large number of users to a designated team.

Note

If you've reviewed this information and feel like you need some help or have some questions, you can click here to reach out for White Glove Support.

Prerequisites

Download the assets from this location.

Important

The scripts in the link provided above are provided as-is by Microsoft and must be modified for your individual needs.

Technical requirements

  • Your tenant must have the appropriate number of licenses available that include Microsoft Teams. If you do not already have these licenses, check out Teams Exploratory for a free trial subscription.
  • The user taking these steps must have these roles assigned in Azure AD: Global Admin, User Admin, and Teams Service Admin.
  • The user must have the rights to install and configure software on their local machine.

Step-by-step process overview

  1. Set up your environment
    1. Download from the GitHub repository containing the sample PowerShell scripts and documentation
    2. Configure the local environment
    3. Set up credentials
    4. Configure PowerShell modules and environment variables
  2. Create and set up Teams
    1. Create teams
    2. Steps to create teams
    3. Create channels for teams
  3. Create Teams policies
    1. Create Teams message policies
    2. Create Teams app setup policies
    3. Create Teams app permission policies
  4. Users and security groups
    1. Create users and security groups
    2. Assign licensing to users via group-based licensing
  5. Assign users and policies
    1. Assign users to Teams
    2. Assign Teams policies to users
    3. OPTIONAL: Convert group membership type
  6. Test and validate
    1. Log in to Teams with a test user
    2. Check for errors
    3. Error handling
  7. Further reading

Set up your environment

The following steps will allow you to set up your environment:

Download from the GitHub repository containing sample PowerShell scripts and documentation

Before you can proceed, you'll need to download the scripts at this location.

Configure the local environment

Setting the local environment variables allows the scripts referenced here to be run using relative paths. The rootPath is the root of where you cloned this repository, and the tenantName is in the form yourTenant.onmicrosoft.com (https should not be included).

  1. Open a PowerShell session and navigate to the scripts folder inside the cloned git repo.
  2. Run the script .\SetConfig.ps1 -tenantName [your tenant name] -rootPath "full path to the root of the git repo".

For example: .\SetConfig.ps1 -tenantName contoso.onmicrosoft.com -rootPath "C:\data\source\FLWTeamsScale"

Set up credentials

Important

How credentials are managed in these scripts may not be appropriate for your use, and they're easily changed to meet your requirements. Always follow your company's standards and practices for securing service accounts and managed identities.

The scripts use credentials that are stored as XML files in $ENV:LOCALAPPDATA\keys, that is, the AppData\Local folder. The helper function Set-Creds in the module BulkAddFunctions.psm1 needs to be called to set the credentials used to run these scripts. This technique removes the need for you to authenticate interactively to each of the various service endpoints while keeping the credentials in a local store. From within each script, the appropriate credentials are read with the helper function Get-Creds, and those credentials are used to connect to the various services.

When you call Set-Creds, you're prompted to provide an XML file name that will be written to $ENV:LOCALAPPDATA\keys. You might have different credentials for different services. For example, you might have different credentials for MicrosoftTeams, AzureAD, and MSOnline, in which case you can run Set-Creds more than once, saving each credential file with its own meaningful name.

Examples:
Set-Creds msol-cred.xml
Set-Creds azuread-cred.xml
Set-Creds teams-cred.xml

Run the script SetCreds.ps1 to save your credentials. You will be prompted with "Performing the operation "Export-Clixml"..."; enter 'Y' to approve.

Note

The account used for the credentials cannot require Multi-Factor Authentication (MFA).

Here's an example of how the various scripts use the saved credentials to authenticate:

# Connect to MicrosoftTeams
$teams_cred = Get-Creds teams-cred.xml
Connect-MicrosoftTeams -Credential $teams_cred
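As an added illustration of the pattern just described, here is one way Set-Creds and Get-Creds can be implemented around Export-Clixml and Import-Clixml. This is not the code in BulkAddFunctions.psm1: the function names and the $ENV:LOCALAPPDATA\keys location come from this page, while the bodies and the Get-KeyStorePath helper are assumptions.

```powershell
# Added example: an illustrative reimplementation of the Set-Creds / Get-Creds pattern,
# NOT the code in BulkAddFunctions.psm1. Function names and the $ENV:LOCALAPPDATA\keys
# location come from the page; the bodies and Get-KeyStorePath are assumptions.

function Get-KeyStorePath {
    # Per-user profile folder; other accounts on the machine do not share it.
    $dir = Join-Path $ENV:LOCALAPPDATA 'keys'
    if (-not (Test-Path -Path $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
    return $dir
}

function Set-Creds {
    param([Parameter(Mandatory)][string]$FileName)   # e.g. teams-cred.xml
    $path = Join-Path (Get-KeyStorePath) $FileName
    # Prompt interactively so the password never lands in a script, a CSV or the history.
    $cred = Get-Credential -Message "Credential to store as $FileName"
    # Export-Clixml serialises the PSCredential; on Windows the password is a DPAPI-protected
    # SecureString, so the file decrypts only for this user account on this machine.
    $cred | Export-Clixml -Path $path
}

function Get-Creds {
    param([Parameter(Mandatory)][string]$FileName)
    $path = Join-Path (Get-KeyStorePath) $FileName
    if (-not (Test-Path -Path $path)) {
        throw "Credential file '$path' not found. Run 'Set-Creds $FileName' first."
    }
    # Fails with a decryption error if the file was copied from another user or machine.
    return Import-Clixml -Path $path
}

# Usage, matching the page's snippet:
# Set-Creds teams-cred.xml
# $teams_cred = Get-Creds teams-cred.xml
# Connect-MicrosoftTeams -Credential $teams_cred
```

The DPAPI binding is both the protection and the limitation: the file cannot be moved to a build server or shared with a colleague, and any process running as the same Windows user can read it. Because the account behind it is exempt from MFA (see the note above), treat the workstation as holding an admin credential for as long as the files exist, and delete the keys folder once the rollout is complete.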

Configure PowerShell modules and environment variables

You'll need to install and connect to several PowerShell modules, including Azure AD, MSAL, MSCloudUtils, and MicrosoftTeams.

  1. Find ConfigurePowerShellModules.ps1 in the scripts folder in the repository.
  2. From PowerShell, run the ConfigurePowerShellModules.ps1 script.

Create and set up Teams

In order to communicate and collaborate with your Frontline Workers, you will first need to establish a series of teams and add standard channels to those teams, which we'll walk through next.

Create teams

Teams are a collection of people, content, and tools within your organization. For most Frontline Worker-centric organizations, it is best practice to anchor a team around a physical location. For example, a team for each of the following:

  • Store
  • Distribution Center
  • Manufacturing Plant
  • Hospital
  • Grocery Store

Best Practice Discussion: When designing your teams, it's important to keep in mind Teams limits and specifications. For smaller organizations, an org-wide team can be used to streamline communication and complement a physical location structure. For others, a structured naming convention for physical-location teams helps Corporate Communications cross-post to multiple teams simultaneously with ease. For example, you can search for and cross-post to all teams with "US" in the name to target all US locations. More information on cross-posting can be found here.

Steps to create teams

  1. Find the TeamsInformation.csv file in the data folder in the repository.
  2. Update the information in the TeamsInformation.csv file with your organization's specific information. Keep in mind the best practices above.
  3. Find the CreateTeams.ps1 script.
  4. From PowerShell, run the CreateTeams.ps1 script.

Create channels for teams

Channels are dedicated sections within a team that keep conversations organized by specific topic, project, discipline, and more. Every team automatically gets a General channel, but from there you can customize your structure according to the needs of your business. For example, your additional channel structure could include:

  • Manufacturing - Safety, Line 1, Line 2, Corporate Communications, Training
  • Grocery - Bakery, Produce, Meat, Corporate Communications, Training
  • Healthcare - Nurses, Doctors, Critical Care Unit 1, Critical Care Unit 2
  • Hospitality - Front Desk, Maintenance, Housekeeping, Valet and Baggage, Corporate Communications, Training
  • Retail - Front of Store, Back of Store, Corporate Communications, Training

Note

Channels should not be thought of as a security boundary. They are a means of organizing your workers for the purposes of collaboration.

Best Practice Discussion: When designing your channel structure, it's important to keep things simple, especially when you're looking to onboard a lot of users. Resist the urge to create channels for every situation, role, or topic, in order to minimize the need for training. Pick 3-5 channels at most to get started. Additional channels can easily be created as the need arises. In fact, it's okay to just use the General channel alone for now!

Steps to create channels for teams

  1. Find the TeamsChannels.csv file in the scripts folder in the repository.
  2. Update the TeamsChannels.csv file with your organization's specific information. Keep in mind the best practices above.
  3. Find the CreateTeamsChannels.ps1 script in the scripts folder in the repository.
  4. From PowerShell, run the CreateTeamsChannels.ps1 script.
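The two procedures above (create teams, then create channels for them) can be driven from CSV rows with the MicrosoftTeams module. The following is an added example, not the repository's CreateTeams.ps1 or CreateTeamsChannels.ps1: it skips teams and channels that already exist (the duplicate-team exception mentioned later under "Check for errors"), and writes every failure to a logs\errors.csv file in the style the "Error handling" section describes. The CSV column names, the sample rows, and the log path under the page's example rootPath are assumptions; Get-Creds is the helper from BulkAddFunctions.psm1.

```powershell
# Added example, not the repository's CreateTeams.ps1 / CreateTeamsChannels.ps1.
# CSV column names, sample rows and the log location are assumptions.
Import-Module MicrosoftTeams
$teams_cred = Get-Creds teams-cred.xml          # helper from BulkAddFunctions.psm1
Connect-MicrosoftTeams -Credential $teams_cred

$rootPath = 'C:\data\source\FLWTeamsScale'      # the page's example -rootPath value
$logPath  = Join-Path $rootPath 'logs\errors.csv'
New-Item -ItemType Directory -Force -Path (Split-Path $logPath) | Out-Null

function Write-ErrorLog {
    param([string]$Step, [string]$Item, [System.Management.Automation.ErrorRecord]$ErrorRecord)
    [pscustomobject]@{
        Timestamp = (Get-Date).ToString('o')
        Step      = $Step
        Item      = $Item
        Message   = $ErrorRecord.Exception.Message
    } | Export-Csv -Path $logPath -Append -NoTypeInformation
}

# Constructed sample rows; in the repository use
# Import-Csv (Join-Path $rootPath 'data\TeamsInformation.csv') and the channels CSV instead.
$teams = @'
DisplayName,Description,Owner
Store 0101 - US Seattle,Seattle downtown store,manager01@contoso.onmicrosoft.com
Store 0102 - US Tacoma,Tacoma store,manager02@contoso.onmicrosoft.com
'@ | ConvertFrom-Csv

$channels = @'
TeamName,ChannelName
Store 0101 - US Seattle,Front of Store
Store 0101 - US Seattle,Back of Store
Store 0101 - US Seattle,Corporate Communications
'@ | ConvertFrom-Csv

foreach ($t in $teams) {
    try {
        if (Get-Team -DisplayName $t.DisplayName -ErrorAction SilentlyContinue) {
            Write-Host "Team '$($t.DisplayName)' already exists, skipping"
            continue
        }
        # Private visibility: membership is granted by the assignment script, not by self-join.
        $new = New-Team -DisplayName $t.DisplayName -Description $t.Description `
                        -Visibility Private -Owner $t.Owner -ErrorAction Stop
        Write-Host "Created team '$($new.DisplayName)' ($($new.GroupId))"
    } catch {
        Write-ErrorLog -Step 'CreateTeam' -Item $t.DisplayName -ErrorRecord $_
    }
}

foreach ($c in $channels) {
    try {
        $team = Get-Team -DisplayName $c.TeamName -ErrorAction Stop
        if (-not $team) { throw "Team '$($c.TeamName)' not found" }
        $existing = Get-TeamChannel -GroupId $team.GroupId -ErrorAction Stop |
                    Where-Object { $_.DisplayName -eq $c.ChannelName }
        if (-not $existing) {
            New-TeamChannel -GroupId $team.GroupId -DisplayName $c.ChannelName -ErrorAction Stop | Out-Null
            Write-Host "Created channel '$($c.ChannelName)' in '$($c.TeamName)'"
        }
    } catch {
        Write-ErrorLog -Step 'CreateChannel' -Item "$($c.TeamName)/$($c.ChannelName)" -ErrorRecord $_
    }
}
```

Checking for an existing team or channel before creating it makes the script safe to re-run after fixing a row in the CSV, which matters when a batch of several hundred teams fails halfway through; the -ErrorAction Stop on each cmdlet ensures non-terminating errors also land in the catch block and therefore in the log.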

Create Teams policies

As an admin, you can use Teams policies in Microsoft Teams to control what users in your organization see and can do. For example, you can control which applications are pinned to the left rail in the desktop or web client, or to the bottom bar on mobile devices, in order to simplify the end-user experience when onboarding a large number of users. Some of these policies can be created with PowerShell, and others have to be created manually in the Teams admin center.

Best Practice Discussion: For each of the following policies, we're choosing to create two policies: one for Frontline Workers and one for Frontline Managers. You can choose to create as many or as few as you like. For most customers, two is a good place to start, even if you give the same settings to each group initially. As your experience with Teams grows, you may choose to differentiate their experience further, and having the two separate policies already created makes that simpler.

Create Teams message policies

Messaging policies are used to control which chat and channel messaging features are available to users in Microsoft Teams.

Best Practice Discussion: While you can use the default Global policy that is created automatically, we have opted to create custom policies using the steps below to provide a more locked-down, simple, and differentiated experience for Frontline Managers and Frontline Workers.

Steps to create Teams message policies

  1. Find the TeamsMessagingPolicies.csv file in the scripts folder in the repository.
  2. Update the TeamsMessagingPolicies.csv file with your organization's specific information. Additional information on some of the various options can be found here.
  3. Find the CreateTeamsMessagePolicies.ps1 script in the scripts folder in the repository.
  4. From PowerShell, run the CreateTeamsMessagePolicies.ps1 script.
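The messaging-policy step above is the one policy type the page says can be scripted. Here is an added example of doing it from CSV rows with New-CsTeamsMessagingPolicy, not the repository's CreateTeamsMessagePolicies.ps1: the worker policy removes message editing, deletion, GIFs, memes, stickers and link previews, while the manager policy keeps them. The CSV column names (chosen to match the cmdlet's parameter names), the policy names and the settings are assumptions; Get-Creds is the helper from BulkAddFunctions.psm1.

```powershell
# Added example, not the repository's CreateTeamsMessagePolicies.ps1. Column names,
# policy names, settings and the log path are assumptions.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams -Credential (Get-Creds teams-cred.xml)   # helper from BulkAddFunctions.psm1

# Constructed sample rows; in the repository use Import-Csv on TeamsMessagingPolicies.csv.
$rows = @'
Identity,Description,AllowUserChat,AllowUserEditMessage,AllowUserDeleteMessage,AllowGiphy,AllowMemes,AllowStickers,AllowUrlPreviews,ReadReceiptsEnabledType
Frontline Worker Messaging Policy,Locked-down messaging for Frontline Workers,True,False,False,False,False,False,False,None
Frontline Manager Messaging Policy,Messaging for Frontline Managers,True,True,True,False,True,True,True,Everyone
'@ | ConvertFrom-Csv

# Every CSV value is a string; these settings need real booleans.
$boolColumns = 'AllowUserChat', 'AllowUserEditMessage', 'AllowUserDeleteMessage',
               'AllowGiphy', 'AllowMemes', 'AllowStickers', 'AllowUrlPreviews'

foreach ($row in $rows) {
    $params = @{
        Identity                = $row.Identity
        Description             = $row.Description
        ReadReceiptsEnabledType = $row.ReadReceiptsEnabledType   # UserPreference, Everyone or None
    }
    foreach ($col in $boolColumns) { $params[$col] = [bool]::Parse($row.$col) }

    try {
        $existing = Get-CsTeamsMessagingPolicy -Identity $row.Identity -ErrorAction SilentlyContinue
        if ($existing) {
            # Re-running converges the tenant on the CSV instead of failing on a duplicate.
            Set-CsTeamsMessagingPolicy @params -ErrorAction Stop
            Write-Host "Updated policy '$($row.Identity)'"
        } else {
            New-CsTeamsMessagingPolicy @params -ErrorAction Stop
            Write-Host "Created policy '$($row.Identity)'"
        }
    } catch {
        [pscustomobject]@{ Timestamp = (Get-Date).ToString('o'); Step = 'CreatePolicy'
                           Item = $row.Identity; Message = $_.Exception.Message } |
            Export-Csv -Path 'C:\data\source\FLWTeamsScale\logs\errors.csv' -Append -NoTypeInformation
    }
}

# Read the effective settings back so the CSV can be compared with the tenant.
Get-CsTeamsMessagingPolicy | Where-Object { $_.Identity -like 'Tag:Frontline*' } |
    Select-Object Identity, AllowUserEditMessage, AllowUserDeleteMessage, AllowGiphy, ReadReceiptsEnabledType
```

Custom policies are listed with a Tag: prefix on their Identity, which is why the read-back filters on Tag:Frontline*. The boolean conversion is deliberate: passing the string "False" to a switch-style parameter would be treated as true, silently giving the worker policy the opposite of the intended settings.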

Create Teams app setup policies

As an admin, you can use app setup policies to do the following:

  • Customize Teams to highlight the apps that are most important for your users. You choose the apps to pin and set the order in which they appear. Pinning apps lets you showcase apps that users in your organization need, including those built by third parties or by developers in your organization.
  • Control whether users can pin apps to Teams.

Apps are pinned to the app bar. This is the bar on the side of the Teams desktop client and at the bottom of the Teams mobile clients (iOS and Android).

(Screenshots: Teams desktop client with apps pinned to the app bar; Teams mobile client with apps pinned to the bottom bar.)

Best Practice Discussion: You manage app setup policies in the Microsoft Teams admin center. They can't be created with PowerShell. You can use the global (Org-wide default) policy or create custom policies and assign them to users. Users in your organization are automatically assigned the global policy unless you create and assign a custom policy. For our purposes, we are creating two new policies, for Frontline Workers and Frontline Managers, in order to provide them a simpler and more streamlined experience that eases onboarding a large number of users simultaneously. You can choose to customize the experience as your business requires.

Create the Frontline Manager app setup policy

The following settings can be customized to meet your business needs. We have chosen some recommended options based on best practices and to improve the ease of onboarding new users at scale. For more information, click here.

  1. In the left navigation of the Microsoft Teams admin center, go to Teams apps > Setup policies.

  2. Click Add.

  3. Enter a name and description for the policy. As an example: Frontline Manager App Setup Policy. (Screenshot: Frontline Manager app setup policy.)

  4. Turn off Upload custom apps.

  5. Turn off Allow user pinning. (Screenshot: the Allow user pinning switch.)

  6. If it's not already listed, add the Shifts app. For more information about Shifts, click here. (Screenshot: the Add pinned apps screen, showing the Shifts app listed next to an Add button.)

  7. Remove Calling, if it appears. Note: removing this feature will not disable it for the user, but will prevent it from appearing on the app bar, to simplify the end-user experience.

  8. Arrange the apps in the following order to dictate their order in the Teams app bar, and then click Save.

    1. Activity
    2. Chat
    3. Teams
    4. Calendar
    5. Shifts

  (Screenshot: the manager apps list in order.)

Create the Frontline Worker app setup policy

The following settings can be customized to meet your business needs. We have chosen some recommended options based on best practices and to improve the ease of onboarding new users at scale. For more information, click here.

  1. In the left navigation of the Microsoft Teams admin center, go to Teams apps > Setup policies.

  2. Click Add.

  3. Enter a name and description for the policy. As an example: Frontline Worker App Setup Policy. (Screenshot: Frontline Worker app setup policy.)

  4. Turn off Upload custom apps.

  5. Turn off Allow user pinning. (Screenshot: the Allow user pinning switch.)

  6. If it's not already listed, add the Shifts app. For more information about Shifts, click here. (Screenshot: the Add pinned apps screen, showing the Shifts app listed next to an Add button.)

  7. Remove Meetings and Calling, if they appear. Note: removing these features will not disable them for the user, but will prevent them from appearing on the app bar, to simplify the end-user experience.

  8. Arrange the apps in the following order to dictate their order in the Teams app bar, and then click Save.

    1. Activity
    2. Chat
    3. Teams
    4. Shifts

  (Screenshot: the worker apps list in order.)

Create Teams app permission policies

As an admin, you can use app permission policies to control which apps are available to Microsoft Teams users in your organization. You can allow or block all apps, or specific apps published by Microsoft, third parties, and your organization. When you block an app, users who have the policy are unable to install it from the Teams app store. You must be a Global admin or Teams service admin to manage these policies.

Best Practice Discussion: You manage app permission policies in the Microsoft Teams admin center. They can't be created with PowerShell. You can use the global (Org-wide default) policy or create custom policies and assign them to users. Users in your organization automatically get the global policy unless you create and assign a custom policy. For our purposes, we are creating two new policies, for Frontline Workers and Frontline Managers, in order to provide a secure and more streamlined experience that eases onboarding a large number of users simultaneously. You can of course choose to customize the experience as your business requires.

Create the Frontline Manager app permission policy

The following settings can be customized to meet your business needs. These are some recommended options based on best practices that can improve the ease of onboarding new users at scale. For more information, click here.

  1. In the left navigation of the Microsoft Teams admin center, go to Teams apps > Permission policies.

  2. Click Add. (Screenshot: the Add app permission policy page, with sections for Microsoft, third-party, and tenant apps.)

  3. Enter a name and description for the policy. As an example: Frontline Manager App Permission Policy.

  4. Under Microsoft apps, select Allow all apps.

  5. Under Third-party apps, select Allow all apps.

  6. Under Tenant apps, select Allow all apps.

  7. Click Save.

Create the Frontline Worker app permission policy

The following settings can be customized to meet your business needs. These are some recommended options based on best practices that can improve the ease of onboarding new users at scale. For more information, click here.

  1. In the left navigation of the Microsoft Teams admin center, go to Teams apps > Permission policies.

  2. Click Add. (Screenshot: the Add app permission policy page, with sections for Microsoft, third-party, and tenant apps.)

  3. Enter a name and description for the policy. As an example: Frontline Worker App Permission Policy.

  4. Under Microsoft apps, select Allow all apps.

  5. Under Third-party apps, select Block all apps.

  6. Under Tenant apps, select Allow all apps.

  7. Click Save.

Users and security groups

Create users and security groups

To work with a large number of users in Teams, you first need to have the users created in Azure AD. There are many ways to provision a large number of users, but we're going to highlight the following:

In order to manage these users at scale more effectively, you need to create two security groups, for Frontline Workers and Frontline Managers, and provision those users directly into the security groups, following these steps:

  1. Find the Users.csv file in the scripts folder in the repository.
  2. Update the Users.csv file with your organization's specific information.
    1. By default, the script we've provided creates each user with a temporary password that must be changed on first login. If you don't want to use the default password, edit the CreateUsers.ps1 script to meet your requirements.
    2. Make sure to update the SecurityGroup field to reflect the appropriate name created earlier.
  3. Find the SecurityGroups.csv file in the scripts folder in the repository.
  4. Update the SecurityGroups.csv file with your organization's specific security group information.
    1. Make sure to update the MessagePolicy, AppPermissionPolicy, and AppSetupPolicy fields to map to the appropriate policies you created earlier.
    2. Make sure to update the LicensePlan field to reflect the licensing that you intend to give each of these users. For more information on product names and service plan identifiers, review the documentation here.
  5. From PowerShell, run the CreateUsers.ps1 script from the assets.
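The steps above create users with one default temporary password and place them into security groups. The following added example (not the repository's CreateUsers.ps1) does the same with the AzureAD module, but gives each account its own random temporary password from a CSPRNG so that a leaked default cannot be tried against every new account. The CSV column names, group names, UPNs and the contoso.onmicrosoft.com domain are assumptions constructed here; Get-Creds is the helper from BulkAddFunctions.psm1.

```powershell
# Added example, not the repository's CreateUsers.ps1. Column names, group names, UPNs,
# the domain and the log path are assumptions.
Import-Module AzureAD
Connect-AzureAD -Credential (Get-Creds azuread-cred.xml)   # helper from BulkAddFunctions.psm1

function New-TemporaryPassword {
    # 16 characters from a CSPRNG. The alphabet spans upper, lower, digits and symbols
    # (ambiguous glyphs removed); rejection sampling keeps every position uniform
    # instead of skewed by a plain modulo.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)
    $buf   = New-Object byte[] 1
    $chars = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt 16) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    return -join $chars
}

# Constructed sample rows; in the repository use Import-Csv on SecurityGroups.csv and Users.csv.
$groups = @'
GroupName,Description
Frontline Workers,Frontline Workers security group
Frontline Managers,Frontline Managers security group
'@ | ConvertFrom-Csv

foreach ($g in $groups) {
    if (-not (Get-AzureADGroup -Filter "DisplayName eq '$($g.GroupName)'")) {
        New-AzureADGroup -DisplayName $g.GroupName -Description $g.Description `
            -SecurityEnabled $true -MailEnabled $false `
            -MailNickName ($g.GroupName -replace '\s', '') | Out-Null
    }
}

$users = @'
DisplayName,UserPrincipalName,UsageLocation,SecurityGroup
Alex Worker,alex.worker@contoso.onmicrosoft.com,US,Frontline Workers
Morgan Manager,morgan.manager@contoso.onmicrosoft.com,US,Frontline Managers
'@ | ConvertFrom-Csv

$issued = @()   # temporary passwords for the credential hand-off; kept out of the shared error log
foreach ($u in $users) {
    try {
        $pwdProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
        $pwdProfile.Password = New-TemporaryPassword
        $pwdProfile.ForceChangePasswordNextLogin = $true
        # UsageLocation must be set before any license (including group-based) can apply.
        $newUser = New-AzureADUser -DisplayName $u.DisplayName -UserPrincipalName $u.UserPrincipalName `
            -MailNickName ($u.UserPrincipalName.Split('@')[0]) -PasswordProfile $pwdProfile `
            -AccountEnabled $true -UsageLocation $u.UsageLocation
        $group = Get-AzureADGroup -Filter "DisplayName eq '$($u.SecurityGroup)'"
        if (-not $group) { throw "Security group '$($u.SecurityGroup)' not found" }
        Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $newUser.ObjectId
        $issued += [pscustomobject]@{ User = $u.UserPrincipalName; TempPassword = $pwdProfile.Password }
    } catch {
        [pscustomobject]@{ Timestamp = (Get-Date).ToString('o'); Step = 'CreateUser'
                           Item = $u.UserPrincipalName; Message = $_.Exception.Message } |
            Export-Csv -Path 'C:\data\source\FLWTeamsScale\logs\errors.csv' -Append -NoTypeInformation
    }
}
$issued   # deliver through your credential-distribution process, then discard
```

Adding the user to the security group is what later triggers both the group-based license assignment and the per-group policy assignment, so a failed Add-AzureADGroupMember leaves an account that exists but has no Teams license; the error log is the place to catch that before the test sign-in.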

Assign licensing to users via group-based licensing

Microsoft paid cloud services, such as Microsoft 365, Office 365, Enterprise Mobility + Security, Dynamics 365, and other similar products, require licenses. These licenses are assigned to each user who needs access to these services. To manage licenses, administrators use one of the management portals (Office or Azure) and PowerShell cmdlets. Azure Active Directory (Azure AD) is the underlying infrastructure that supports identity management for all Microsoft cloud services. Azure AD stores information about license assignment states for users.

In order to enable licensing at scale, Azure AD now includes group-based licensing, and for this reason we created the security groups earlier in this article. You can assign one or more product licenses to a group. Azure AD ensures that the licenses are assigned to all members of the group. Any new members who join the group are assigned the appropriate licenses. Licenses are removed from members who leave the group. This licensing management eliminates the need to automate per-user license management via PowerShell to reflect changes in the organization and departmental structure.

Assign users and policies

Assign users to teams

Now that you've created the users and the teams, it's time to put all the users in the appropriate teams.

  1. Find the Users.csv file in the data folder in the repository and make sure you have an accurate mapping of users to teams in this file.
  2. From PowerShell, run the script AssignUserstoTeams.ps1 from the scripts folder in the repository.

Assign Teams policies to users

Now that you've created the users and the policies that modify their experience in Teams, it's time to assign those policies to the correct users.

  1. Find the SecurityGroups.csv file in the data folder in the repository and make sure you have an accurate mapping of the policies to the groups.
  2. From PowerShell, run the script AssignPoliciestoUsers.ps1 from the scripts folder in the repository.
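The assignment step above maps each security group to three policy names. As an added example (not the repository's AssignPoliciestoUsers.ps1), the following grants those policies to every user in each group with the Grant-CsTeams*Policy cmdlets and then reads the assignments back with Get-CsOnlineUser so that mismatches are visible before the test sign-in. The column names and the mapping rows are assumptions; the setup and permission policy names reuse the examples this page gives, and the messaging policy names are constructed. Get-Creds is the helper from BulkAddFunctions.psm1.

```powershell
# Added example, not the repository's AssignPoliciestoUsers.ps1. Column names, mapping rows,
# messaging policy names and the log path are assumptions.
Import-Module AzureAD, MicrosoftTeams
Connect-AzureAD -Credential (Get-Creds azuread-cred.xml)        # helpers from BulkAddFunctions.psm1
Connect-MicrosoftTeams -Credential (Get-Creds teams-cred.xml)

# Constructed sample rows; in the repository use Import-Csv on data\SecurityGroups.csv.
$map = @'
GroupName,MessagePolicy,AppPermissionPolicy,AppSetupPolicy
Frontline Workers,Frontline Worker Messaging Policy,Frontline Worker App Permission Policy,Frontline Worker App Setup Policy
Frontline Managers,Frontline Manager Messaging Policy,Frontline Manager App Permission Policy,Frontline Manager App Setup Policy
'@ | ConvertFrom-Csv

$mismatches = @()
foreach ($row in $map) {
    $group = Get-AzureADGroup -Filter "DisplayName eq '$($row.GroupName)'"
    if (-not $group) { Write-Warning "Group '$($row.GroupName)' not found, skipping"; continue }

    # -All so groups larger than the default page size are fully enumerated.
    $members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
               Where-Object { $_.ObjectType -eq 'User' }
    foreach ($m in $members) {
        $upn = $m.UserPrincipalName
        try {
            Grant-CsTeamsMessagingPolicy     -Identity $upn -PolicyName $row.MessagePolicy       -ErrorAction Stop
            Grant-CsTeamsAppPermissionPolicy -Identity $upn -PolicyName $row.AppPermissionPolicy -ErrorAction Stop
            Grant-CsTeamsAppSetupPolicy      -Identity $upn -PolicyName $row.AppSetupPolicy      -ErrorAction Stop
        } catch {
            [pscustomobject]@{ Timestamp = (Get-Date).ToString('o'); Step = 'AssignPolicy'
                               Item = $upn; Message = $_.Exception.Message } |
                Export-Csv -Path 'C:\data\source\FLWTeamsScale\logs\errors.csv' -Append -NoTypeInformation
            continue
        }

        # Read back the effective per-user policies. Directory replication can lag, so a
        # mismatch right after the grant may clear on a later run of this check.
        $online = Get-CsOnlineUser -Identity $upn
        $checks = @(
            @{ Prop = 'TeamsMessagingPolicy';     Expected = $row.MessagePolicy },
            @{ Prop = 'TeamsAppPermissionPolicy'; Expected = $row.AppPermissionPolicy },
            @{ Prop = 'TeamsAppSetupPolicy';      Expected = $row.AppSetupPolicy }
        )
        foreach ($c in $checks) {
            $actual = "$($online.($c.Prop))" -replace '^Tag:', ''
            if ($actual -ne $c.Expected) {
                $mismatches += [pscustomobject]@{ User = $upn; Policy = $c.Prop; Actual = $actual; Expected = $c.Expected }
            }
        }
    }
}
$mismatches   # empty when every member carries the policies the CSV maps to its group
```

Per-user grants are what the page's CSV mapping implies; they stick to the user even if group membership later changes, so when someone moves from the worker group to the manager group this script has to be re-run for the new group before the experience follows them.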

OPTIONAL: Convert group membership type

Note

This step is for people who have Azure AD P1 or above.

When licensed for Azure AD P1 or above, you have the option of using dynamic group membership instead of assigned membership. The scripts that created the teams also created Office groups with the membership type Assigned, which means their members must be explicitly added.

With dynamic membership, rules are written to determine whether someone is a member of the team or not.

Note

When you run this script, the current membership of the group will be removed (except for its owners), and new members will be added when the membership sync job runs.

  1. Find the migrateGroups.csv file in the data folder in the repository.
  2. Update the CSV file migrateGroups.csv with the groups that will be migrated, along with the rule for dynamic membership.
  3. Find the ConvertGroupMembershipType.ps1 file in the scripts folder in the repository.
  4. From PowerShell, run the script ConvertGroupMembershipType.ps1.
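Because the conversion replaces the group's assigned members, a practitioner wants a snapshot of the membership before running it. The following added example (not the repository's ConvertGroupMembershipType.ps1) follows the approach in Microsoft's Azure AD documentation for switching a group to dynamic membership with Set-AzureADMSGroup, appending DynamicMembership to the group's existing GroupTypes so that a Teams-backed Unified group stays Unified, and exports the current members first for rollback. The group names, membership rules and snapshot location are assumptions; Get-Creds is the helper from BulkAddFunctions.psm1.

```powershell
# Added example, not the repository's ConvertGroupMembershipType.ps1. Group names, rules
# and the snapshot folder are assumptions.
Import-Module AzureAD
Connect-AzureAD -Credential (Get-Creds azuread-cred.xml)   # helper from BulkAddFunctions.psm1

$snapshotDir = 'C:\data\source\FLWTeamsScale\logs'         # under the page's example rootPath
New-Item -ItemType Directory -Force -Path $snapshotDir | Out-Null

# Rows stand in for data\migrateGroups.csv. Hashtables are used here so the double quotes
# that Azure AD membership rules require around strings survive unchanged.
$rows = @(
    @{ GroupName = 'Store 0101 - US Seattle'; MembershipRule = '(user.department -eq "Store 0101")' },
    @{ GroupName = 'Store 0102 - US Tacoma';  MembershipRule = '(user.department -eq "Store 0102")' }
)

foreach ($r in $rows) {
    $group = Get-AzureADMSGroup -Filter "DisplayName eq '$($r.GroupName)'"
    if (-not $group) { Write-Warning "Group '$($r.GroupName)' not found, skipping"; continue }
    if ($group.GroupTypes -contains 'DynamicMembership') {
        Write-Host "'$($r.GroupName)' is already dynamic, skipping"
        continue
    }

    # Snapshot for rollback: the assigned members the sync job will remove (owners are kept).
    Get-AzureADGroupMember -ObjectId $group.Id -All $true |
        Select-Object ObjectId, UserPrincipalName, DisplayName |
        Export-Csv -Path (Join-Path $snapshotDir "$($group.Id)-members-before.csv") -NoTypeInformation

    # Keep existing types (e.g. Unified for a Teams-backed group) and add DynamicMembership.
    [string[]]$types = @($group.GroupTypes | Where-Object { $_ }) + 'DynamicMembership'
    Set-AzureADMSGroup -Id $group.Id -GroupTypes $types `
        -MembershipRule $r.MembershipRule -MembershipRuleProcessingState 'On'
    Write-Host "Converted '$($r.GroupName)' with rule $($r.MembershipRule)"
}
```

The rule decides who lands in the team from now on, so the attribute it keys on (department in this constructed example) becomes the access-control input for that team; whoever can edit that attribute on a user can add them to the team, which is worth factoring into who holds the User Administrator role.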

Test and validate

Log in to Teams with a test user

Now that you've completed all the steps, it's time to verify the work you've completed.

  1. The created users will have the initial password set in CreateUsers.ps1, and they are required to change it at their first login.
  2. Verify that the look and feel of Teams is what you expected. If not, review the Create Teams Policies and Assign Teams Policies to Users sections.
  3. Verify that the user is in the correct team. If not, review the Create and Setup Users and Assign Users to Teams sections.

Note

If Frontline employee provisioning is managed through your Identity and Access Management team, you will need to follow their process for providing employees their credentials.

Check for errors

As you ran the earlier scripts, errors or exceptions were written to a .csv file located in the logs folder in your copy of the repository. This file can be used to investigate any issues that may have occurred.

An example of an exception would be trying to create a team that already exists in your tenant.

  1. Find the logs folder and review any .csv file it may contain. If there were no exceptions, you may not find an exception file here.

Error handling

Minimal error handling has been implemented in these sample scripts. There are try/catch blocks and, if triggered, the error is stored in a variable in the catch block. Any additional error handling must be implemented according to your preferences.

Further reading