Manage app permission policies in Microsoft Teams

As an admin, you can use app permission policies to control what apps are available to Microsoft Teams users in your organization. You can allow or block all apps or specific apps published by Microsoft, third parties, and your organization. When you block an app, users who have the policy are unable to install it from the Teams app store. You must be a global admin or Teams service admin to manage these policies.

You manage app permission policies in the Microsoft Teams admin center. You can use the global (Org-wide default) policy or create and assign custom policies. Users in your organization will automatically get the global policy unless you create and assign a custom policy. After you edit or assign a policy, it can take a few hours for changes to take effect.

Screenshot of app permission policies

Note

Org-wide app settings override the global policy and any custom policies that you create and assign to users.

If your organization is already on Teams, the app settings you configured in Tenant-wide settings in the Microsoft 365 admin center are reflected in org-wide app settings on the Manage apps page. If you're new to Teams and just getting started, by default, all apps are allowed in the global policy. This includes apps published by Microsoft, third parties, and your organization.

Say, for example, you want to block all third-party apps and allow specific apps from Microsoft for the HR team in your organization. First, you would go to the Manage apps page and make sure that the apps that you want to allow for the HR team are allowed at the org level. Then, create a custom policy named HR App Permission Policy, set it to block and allow the apps that you want, and assign it to users on the HR team.

Note

If you deployed Teams in a Microsoft 365 Government Community Cloud (GCC) environment, see Manage org-wide app settings for Microsoft 365 Government to learn more about third-party app settings that are unique to GCC.

Create a custom app permission policy

If you want to control the apps that are available for different groups of users in your organization, create and assign one or more custom app permission policies. You can create and assign separate custom policies based on whether apps are published by Microsoft, third parties, or your organization. It's important to know that after you create a custom policy, you can't change it if third-party apps are disabled in org-wide app settings.

  1. In the left navigation of the Microsoft Teams admin center, go to Teams apps > Permission policies.

  2. Click Add.
    Screenshot of new app permission policy

  3. Enter a name and description for the policy.

  4. Under Microsoft apps, Third-party apps, and Custom apps, select one of the following:

    • Allow all apps
    • Allow specific apps and block all others
    • Block specific apps and allow all others
    • Block all apps
  5. If you selected Allow specific apps and block others, add the apps that you want to allow:

    1. Select Allow apps.
    2. Search for the apps that you want to allow, and then click Add. The search results are filtered to the app publisher (Microsoft apps, Third-party apps, or Custom apps).
    3. When you've chosen the list of apps, click Allow.
  6. Similarly, if you selected Block specific apps and allow all others, search for and add the apps that you want to block, and then click Block.

  7. Click Save.

Edit an app permission policy

You can use the Microsoft Teams admin center to edit a policy, including the global policy and custom policies that you create.

  1. In the left navigation of the Microsoft Teams admin center, go to Teams apps > Permission policies.
  2. Select the policy by clicking to the left of the policy name, and then click Edit.
  3. From here, make the changes that you want. You can manage settings based on the app publisher and add and remove apps based on the allow/block setting.
  4. Click Save.

Assign a custom app permission policy to users

You can assign a policy directly to users, either individually or at scale through a batch assignment (if supported for the policy type), or to a group that the users are members of (if supported for the policy type).

To learn about the different ways that you can assign policies to users, see Assign policies to your users in Teams.

Manage org-wide app settings for Microsoft 365 Government

In a Microsoft 365 Government - GCC deployment of Teams, it's important to know the following about third-party app settings, which are unique to GCC.

In GCC, all third-party apps are blocked by default. Additionally, you'll see the following note about managing third-party apps on the app permission policies page in the Microsoft Teams admin center.

Screenshot of app permission policies in GCC

Use org-wide app settings to control whether users can install third-party apps. Org-wide app settings govern the behavior for all users and override any other app permission policies assigned to users. You can use them to control malicious or problematic apps.

  1. On the Permission policies page, select Org-wide app settings. You can then configure the settings you want in the panel.

    Screenshot of org-wide app settings

  2. Under Third-party apps, turn off or turn on these settings to control access to third-party apps:

    • Allow third-party apps: This controls whether users can use third-party apps. If you turn off this setting, your users won't be able to install or use any third-party apps. In a Microsoft 365 Government - GCC deployment of Teams, this setting is off by default.
    • Allow any new third-party apps published to the store by default: This controls whether new third-party apps that are published to the Teams app store become automatically available in Teams. You can only set this option if you allow third-party apps.
  3. Under Blocked apps, add the apps you want to block across your organization. In a Microsoft 365 Government - GCC deployment of Teams, all third-party apps are added to this list by default. For any third-party app you want to allow in your organization, remove the app from this blocked apps list. When you block an app org-wide, the app is automatically blocked for all your users, regardless of whether it's allowed in any app permission policies.

  4. Click Save for org-wide app settings to take effect.

As mentioned earlier, to allow third-party apps, you can either edit and use the global (Org-wide default) policy or create and assign custom policies.
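
The precedence rules described above (org-wide app settings first, then the per-publisher setting of the assigned policy) can be checked on paper before a rollout. The following is an added example, not Microsoft's code or an admin center API: a simplified model of those rules applied to the HR scenario from earlier on this page. The class names, function names, app IDs, and the custom-app setting of the HR policy are all assumptions made for illustration.

```python
# Added illustration, not Microsoft's implementation: a simplified model of the
# precedence rules this page describes. All names and app IDs are constructed.
from dataclasses import dataclass, field

PUBLISHERS = ("microsoft", "third_party", "custom")

@dataclass
class OrgWideSettings:
    allow_third_party: bool = True                    # off by default in GCC
    blocked_apps: set = field(default_factory=set)    # org-wide blocked apps list

@dataclass
class PermissionPolicy:
    name: str
    mode: dict                                # publisher -> one of the four settings
    apps: dict = field(default_factory=dict)  # publisher -> apps named in the policy

def evaluate(app, publisher, org, policy):
    """Return (allowed, reason). Org-wide settings are checked first because
    they override the global policy and every custom policy."""
    if publisher == "third_party" and not org.allow_third_party:
        return False, "org-wide: third-party apps are turned off"
    if app in org.blocked_apps:
        return False, "org-wide: app is on the blocked apps list"
    mode = policy.mode[publisher]
    listed = app in policy.apps.get(publisher, set())
    allowed = {"allow_all": True, "block_all": False,
               "allow_specific": listed, "block_specific": not listed}[mode]
    return allowed, f"{policy.name}: {mode}"

def ineffective_allows(org, policy):
    """Apps the policy explicitly allows that org-wide settings still block."""
    return [app for pub in PUBLISHERS if policy.mode[pub] == "allow_specific"
            for app in sorted(policy.apps.get(pub, ()))
            if not evaluate(app, pub, org, policy)[0]]

# Constructed sample: the HR scenario, with one allowed app blocked org-wide.
ORG = OrgWideSettings(blocked_apps={"ms-app-b"})
HR = PermissionPolicy(
    name="HR App Permission Policy",
    mode={"microsoft": "allow_specific", "third_party": "block_all",
          "custom": "allow_all"},             # custom-app setting is an assumption
    apps={"microsoft": {"ms-app-a", "ms-app-b"}})

if __name__ == "__main__":
    for app, pub in [("ms-app-a", "microsoft"), ("ms-app-b", "microsoft"),
                     ("vendor-app", "third_party")]:
        print(app, evaluate(app, pub, ORG, HR))
    print("allowed in policy but blocked org-wide:", ineffective_allows(ORG, HR))
```

An app reported by `ineffective_allows` is one the policy author expects users to have but that the org-wide blocked apps list still withholds, which is the mismatch the Manage apps check in the HR example is meant to catch.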

FAQ

Working with app permission policies

What app interactions do permission policies affect?

Permission policies govern app usage by controlling installation, discovery, and interaction for end users. Admins can still manage apps in the Microsoft Teams admin center regardless of the permission policies assigned to them.

Can I control line of business (LOB) apps?

Yes, you can use app permission policies to control the rollout and distribution of custom (LOB) apps. You can create a custom policy or edit the global policy to allow or block custom apps based on the needs of your organization.

How do app permission policies relate to pinned apps and app setup policies?

You can use app setup policies together with app permission policies. Pre-pinned apps are selected from the set of enabled apps for a user. Additionally, if a user has an app permission policy that blocks an app in their app setup policy, that app won't appear in Teams.

Can I use app permission policies to restrict uploading custom apps?

You can use org-wide settings on the Manage apps page, or app setup policies to restrict uploading custom apps for your organization.

To restrict specific users from uploading custom apps, use custom app policies. To learn more, see Manage custom app policies and settings in Teams.

Does blocking an app apply to Teams mobile clients?

Yes, when you block an app, that app is blocked across all Teams clients.

User experience

What does a user experience when an app is blocked?

Users can't interact with a blocked app or its capabilities, such as bots, tabs, and messaging extensions. In a shared context, such as a team or group chat, bots can still send messages to all participants of that context. Teams indicates to the user when an app is blocked.

For example, when an app is blocked, users can't do any of the following:

  • Add the app personally or to a chat or team
  • Send messages to the app's bot
  • Perform button actions that send information back to the app, such as actionable messages
  • View the app's tab
  • Set up connectors to receive notifications
  • Use the app's messaging extension

The legacy portal allowed controlling apps at the organization level, which means when an app is blocked, it's blocked for all users in the organization. Blocking an app on the Manage apps page works exactly the same way.

For app permission policies assigned to specific users, if an app with bot or connector capability was allowed and then blocked, and if the app is then allowed only for some users in a shared context, members of a group chat or channel that don't have permission to that app can see the message history and messages that were posted by the bot or connector, but can't interact with it.

Admin settings for apps in Teams

Assign policies to your users in Teams