Protecting Student Personal Data

School districts can implement access limitations and other protections for student personal data using Microsoft's School Data Sync (SDS) in Office 365 and Azure Active Directory. With SDS, you can import your list of students from your SIS or MIS and automatically mark them as minors so that Microsoft and third-party applications can treat them as such. You can also configure Azure Active Directory to prevent students from using third-party applications.

Option A: Simplified solution with School Data Sync

IT admins for Office 365 for Education can use the simplified solution to apply protections to all students synced by SDS by following the steps below:

Step A1: Student Personal Data Protection

Open School Data Sync and go to Settings -> Student Personal Data Protection.

[Screenshot: Protecting-student-personal-data-1.png]

If you want to mark students as minors, select Mark all students as minors. This setting sets the legal age group classification property on all students synced by SDS to MinorWithParentalConsent, i.e., a minor whose parent or legal guardian has authorized you to use online services from Microsoft on their behalf. For more information on the legal age group classification property, see here.

If you want to prevent students from using third-party applications, select Block students from using third-party apps. This setting creates an All Students security group and an Azure Active Directory Conditional Access policy that prevents All Students from using any apps not created by Microsoft.

You may customize this policy to allow students to use specific third-party applications in the Azure Active Directory Portal Conditional Access Policy Editor.

Option B: Apply protections for a subset of your students

The instructions above apply to every student synced with SDS. If you prefer to apply these protections to a subset of your students, use PowerShell and Azure Active Directory:

Step B1: Create a list of the students you want to mark as minors

You may use any method to create this list. For your convenience, Microsoft has provided a script, SDS age gating for students by license, that creates a list of all users with an Office 365 Education for Students license.

Step B2: Mark these students as minors

You may mark these students as minors so that Microsoft and third-party applications can treat them as such. Use the SDS age gating with parental consent script to mark the list of students you generated in Step B1 as minors.

Step B3: Create a list of the students you want to prevent from signing in to third-party apps

You may use any method to create this list, including the script listed in Step B1.

Step B4: Create a security group of these students

You may use any method to create this group, including using the list of students produced by the script in Step B1.

Step B5: Create a Conditional Access policy to block students from using third-party apps

Go to the Azure Active Directory Portal Conditional Access Policy Editor, create a Conditional Access policy, and do the following:

  • For Assignments->Users and Groups, select the security group you created in Step B4.

    [Screenshot: Protecting-student-personal-data-2.png]

  • For Assignments->Cloud Apps, include "All cloud apps" and exclude "Microsoft applications".

    [Screenshot: Protecting-student-personal-data-3.png]

    [Screenshot: Protecting-student-personal-data-4.png]

  • For Access Controls->Grant, select "Block access".

  • Click Enable Policy.

  • Click Save.

  • You may customize this Conditional Access policy to allow the group of students to also use specific third-party applications. To do so, go to Assignments->Cloud Apps->Exclude, select the third-party applications you want to allow, then save the policy.
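The following is an added example covering Steps B1, B2 and B4 in one script; it is not Microsoft's SDS age-gating script. It assumes the AzureAD PowerShell module, that Office 365 A1 for students is the license identifying students (SKU part number STANDARDWOFFPACK_STUDENT, an assumption to verify in your tenant), and an illustrative group name; the Conditional Access policy of Step B5 is still created in the portal.

```powershell
# Added example: mark license-identified students as minors with parental
# consent and place them in a security group for the Step B5 policy.
# Assumptions: AzureAD module installed; SKU part number and group name are
# illustrative and must be checked against your own tenant.
Connect-AzureAD | Out-Null

$skuPartNumber = 'STANDARDWOFFPACK_STUDENT'   # Office 365 A1 for students (assumed)
$groupName     = 'SDS Minor Students'         # illustrative group name

# Step B1 / B3: build the student list from license assignment.
$sku = Get-AzureADSubscribedSku | Where-Object { $_.SkuPartNumber -eq $skuPartNumber }
if (-not $sku) { throw "License SKU $skuPartNumber not found in this tenant." }
$students = Get-AzureADUser -All $true |
    Where-Object { $_.AssignedLicenses.SkuId -contains $sku.SkuId }
Write-Host "Found $(@($students).Count) licensed students."

# Step B2: AgeGroup = Minor plus ConsentProvidedForMinor = Granted makes the
# computed legalAgeGroupClassification property read MinorWithParentalConsent.
foreach ($s in $students) {
    Set-AzureADUser -ObjectId $s.ObjectId -AgeGroup 'Minor' -ConsentProvidedForMinor 'Granted'
}

# Step B4: create the security group if missing, then add the students.
$group = Get-AzureADGroup -Filter "DisplayName eq '$groupName'"
if (-not $group) {
    $group = New-AzureADGroup -DisplayName $groupName -SecurityEnabled $true `
        -MailEnabled $false -MailNickName 'sdsminorstudents'
}
$existing = (Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true).ObjectId
foreach ($s in $students) {
    if ($existing -notcontains $s.ObjectId) {
        Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $s.ObjectId
    }
}

# Verification: read the computed classification back for each student so a
# missed consent value (which would leave a plain Minor) is visible.
$students | ForEach-Object { Get-AzureADUser -ObjectId $_.ObjectId } |
    Select-Object UserPrincipalName, AgeGroup, ConsentProvidedForMinor, LegalAgeGroupClassification |
    Format-Table -AutoSize
```

Run it under an account holding the User Administrator and Groups Administrator roles, and review the final table before building the Step B5 policy on the group.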