
How To: Require approved client apps for cloud app access with Conditional Access

Your employees use mobile devices for both personal and work tasks. While making sure your employees can be productive, you also want to prevent data loss. With Azure Active Directory (Azure AD) Conditional Access, you can restrict access to your cloud apps to approved client apps that can protect your corporate data.

This topic explains how to configure Conditional Access policies that require approved client apps.

Overview

With Azure AD Conditional Access, you can fine-tune how authorized users can access your resources. For example, you can limit the access to your cloud apps to trusted devices.

You can use Intune app protection policies to help protect your company's data. Intune app protection policies don't require a mobile-device management (MDM) solution, which enables you to protect your company's data with or without enrolling devices in a device management solution.

Azure Active Directory Conditional Access enables you to limit access to your cloud apps to client apps that support Intune app protection policies. For example, you can restrict access to Exchange Online to the Outlook app.

In the Conditional Access terminology, these client apps are known as approved client apps.


For a list of approved client apps, see approved client app requirement.

You can combine app-based Conditional Access policies with other policies such as device-based Conditional Access policies to provide flexibility in how to protect data for both personal and corporate devices.

Before you begin

This topic assumes that you are familiar with:

Prerequisites

To create an app-based Conditional Access policy, you must have an Enterprise Mobility + Security or an Azure Active Directory Premium subscription, and the users must be licensed for EMS or Azure AD.

Exchange Online policy

This scenario consists of an app-based Conditional Access policy for access to Exchange Online.

Scenario playbook

This scenario assumes that a user:

  • Configures email using a native mail application on iOS or Android to connect to Exchange
  • Receives an email that indicates that access is only available using the Outlook app
  • Downloads the application with the link
  • Opens the Outlook application and signs in with the Azure AD credentials
  • Is prompted to install either Authenticator (iOS) or Company Portal (Android) to continue
  • Installs the application and can return to the Outlook app to continue
  • Is prompted to register a device
  • Is able to access email

Any Intune app protection policies are activated at the time corporate data is accessed and may prompt the user to restart the application, use an additional PIN, etc. (if configured for the application and platform).

Configuration

Step 1 - Configure an Azure AD Conditional Access policy for Exchange Online

For the Conditional Access policy in this step, you need to configure the following components:

  1. The Name of your Conditional Access policy.

  2. Users and groups: Each Conditional Access policy must have at least one user or group selected.

  3. Cloud apps: As cloud apps, you need to select Office 365 Exchange Online.

  4. Conditions: As Conditions, you need to configure Device platforms and Client apps:

    1. As Device platforms, select Android and iOS.
    2. As Client apps (preview), select Mobile apps and desktop apps and Modern authentication clients.
  5. As Access controls, you need to have Require approved client app (preview) selected.


Step 2 - Configure an Azure AD Conditional Access policy for Exchange Online with Active Sync (EAS)

For the Conditional Access policy in this step, you need to configure the following components:

  1. The Name of your Conditional Access policy.
  2. Users and groups: Each Conditional Access policy must have at least one user or group selected.
  3. Cloud apps: As cloud apps, you need to select Office 365 Exchange Online.
  4. Conditions: As Conditions, you need to configure Client apps (preview).
    1. As Client apps (preview), select Mobile apps and desktop clients and Exchange ActiveSync clients.
  5. As Access controls, you need to have Require approved client app (preview) selected.


Step 3 - Configure Intune app protection policy for iOS and Android client applications

See Protect apps and data with Microsoft Intune for more information.

Exchange Online and SharePoint Online policy

This scenario consists of a Conditional Access with mobile app management policy for access to Exchange Online and SharePoint Online with approved apps.

Scenario playbook

This scenario assumes that a user:

  • Tries to use the SharePoint app to connect and also to view their corporate sites
  • Attempts to sign in with the same credentials as the Outlook app credentials
  • Does not have to re-register and can get access to the resources

Configuration

Step 1 - Configure an Azure AD Conditional Access policy for Exchange Online and SharePoint Online

For the Conditional Access policy in this step, you need to configure the following components:

  1. The Name of your Conditional Access policy.

  2. Users and groups: Each Conditional Access policy must have at least one user or group selected.

  3. Cloud apps: As cloud apps, you need to select Office 365 Exchange Online and Office 365 SharePoint Online.

  4. Conditions: As Conditions, you need to configure Device platforms and Client apps:

    1. As Device platforms, select Android and iOS.
    2. As Client apps (preview), select Mobile apps and desktop clients and Modern authentication clients.
  5. As Access controls, you need to have Require approved client app (preview) selected.


Step 2 - Configure an Azure AD Conditional Access policy for Exchange Online with Active Sync (EAS)

For the Conditional Access policy in this step, you need to configure the following components:

  1. The Name of your Conditional Access policy.
  2. Users and groups: Each Conditional Access policy must have at least one user or group selected.
  3. Cloud apps: As cloud apps, you need to select Office 365 Exchange Online.
  4. Conditions: As Conditions, you need to configure Client apps:
    1. As Client apps (preview), select Mobile apps and desktop clients and Exchange ActiveSync clients.
  5. As Access controls, you need to have Require approved client app (preview) selected.


Step 3 - Configure Intune app protection policy for iOS and Android client applications


See Protect apps and data with Microsoft Intune for more information.

App-based or compliant device policy for Exchange Online and SharePoint Online

This scenario consists of an app-based or compliant device Conditional Access policy for access to Exchange Online.

Scenario playbook

This scenario assumes that:

  • Some users are already enrolled (with or without corporate devices)
  • Users who are not enrolled and registered with Azure AD using an app-protected application need to register a device to access resources
  • Enrolled users using the app-protected application don't have to re-register the device

Configuration

Step 1 - Configure an Azure AD Conditional Access policy for Exchange Online and SharePoint Online

For the Conditional Access policy in this step, you need to configure the following components:

  1. The Name of your Conditional Access policy.
  2. Users and groups: Each Conditional Access policy must have at least one user or group selected.
  3. Cloud apps: As cloud apps, you need to select Office 365 Exchange Online and Office 365 SharePoint Online.
  4. Conditions: As Conditions, you need to configure Device platforms and Client apps.
    1. As Device platforms, select Android and iOS.
    2. As Client apps (preview), select Mobile apps and desktop clients and Modern authentication clients.
  5. As Access controls, you need to have the following selected:
    • Require device to be marked as compliant

    • Require approved client app (preview)

    • Require one of the selected controls


Step 2 - Configure an Azure AD Conditional Access policy for Exchange Online with Active Sync (EAS)

For the Conditional Access policy in this step, you need to configure the following components:

  1. The Name of your Conditional Access policy.

  2. Users and groups: Each Conditional Access policy must have at least one user or group selected.

  3. Cloud apps: As cloud apps, you need to select Office 365 Exchange Online.

  4. Conditions: As Conditions, you need to configure Client apps.

    1. As Client apps (preview), select Mobile apps and desktop clients and Exchange ActiveSync clients.
  5. As Access controls, you need to have Require approved client app (preview) selected.


Step 3 - Configure Intune app protection policy for iOS and Android client applications


See Protect apps and data with Microsoft Intune for more information.

App-based and compliant device policy for Exchange Online and SharePoint Online

This scenario consists of an app-based and compliant device Conditional Access policy for access to Exchange Online.

Scenario playbook

This scenario assumes that a user:

  • Configures email using a native mail application on iOS or Android to connect to Exchange
  • Receives an email that indicates that access requires your device to be enrolled
  • Downloads the Company Portal and signs in to the Company Portal
  • Checks mail and is asked to use the Outlook app
  • Downloads the Outlook app
  • Opens the Outlook app and enters the credentials used in the enrollment
  • Is able to access email

Any Intune app protection policies are activated at the time of access to the corporate data and may prompt the user to restart the application, use an additional PIN, etc. (if configured for the application and platform).

Configuration

Step 1 - Configure an Azure AD Conditional Access policy for Exchange Online and SharePoint Online

For the Conditional Access policy in this step, you need to configure the following components:

  1. The Name of your Conditional Access policy.
  2. Users and groups: Each Conditional Access policy must have at least one user or group selected.
  3. Cloud apps: As cloud apps, you need to select Office 365 Exchange Online and Office 365 SharePoint Online.
  4. Conditions: As Conditions, you need to configure Device platforms and Client apps.
    1. As Device platforms, select Android and iOS.
    2. As Client apps (preview), select Mobile apps and desktop apps and Modern authentication clients.
  5. As Access controls, you need to have the following selected:
    • Require device to be marked as compliant

    • Require approved client app (preview)

    • Require all the selected controls

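The difference between the "Require one of the selected controls" policy (previous scenario) and the "Require all the selected controls" policy (this scenario) is easiest to see by evaluating the same sign-in against both. The following is an added example, not code from the Azure docs or Microsoft: it models the Step 1 policies in the shape of a Microsoft Graph conditionalAccessPolicy object and applies a simplified grant-control evaluation to constructed sign-ins. The first-party app IDs are assumed well-known values, the group ID is a placeholder, and the evaluator is an approximation of the service, not its code.

```python
# Added example (not the docs page's or Microsoft's code): models the Step 1 policies of the
# "app-based or/and compliant device" scenarios as Graph conditionalAccessPolicy objects and
# evaluates constructed sign-ins. App IDs are assumed well-known values; the group ID is a
# placeholder; the evaluator simplifies the real service.
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"   # Office 365 Exchange Online (assumed)
SHAREPOINT_ONLINE = "00000003-0000-0ff1-ce00-000000000000"  # Office 365 SharePoint Online (assumed)

def make_policy(name, controls, operator="OR"):
    """Graph-style policy scoped to Android/iOS modern-auth mobile clients of EXO and SPO."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "users": {"includeGroups": ["<pilot-group-object-id>"]},  # placeholder group
            "applications": {"includeApplications": [EXCHANGE_ONLINE, SHAREPOINT_ONLINE]},
            "platforms": {"includePlatforms": ["android", "iOS"]},
            "clientAppTypes": ["mobileAppsAndDesktopClients"],
        },
        # "OR" = Require one of the selected controls; "AND" = Require all the selected controls
        "grantControls": {"operator": operator, "builtInControls": list(controls)},
    }

def in_scope(policy, signin):
    """True when the sign-in matches the app, platform and client-app-type conditions."""
    c = policy["conditions"]
    return (signin["app"] in c["applications"]["includeApplications"]
            and signin["platform"] in c["platforms"]["includePlatforms"]
            and signin["clientAppType"] in c["clientAppTypes"])

def evaluate(policy, signin):
    """Return 'grant', 'block', or 'not applicable' for one sign-in against one policy."""
    if not in_scope(policy, signin):
        return "not applicable"
    g = policy["grantControls"]
    satisfied = {"compliantDevice": signin["deviceCompliant"],      # Intune marks device compliant
                 "approvedApplication": signin["approvedClientApp"]}  # e.g. Outlook with app protection
    results = [satisfied[ctrl] for ctrl in g["builtInControls"]]
    return "grant" if (any(results) if g["operator"] == "OR" else all(results)) else "block"

# Constructed sample sign-in: Outlook (an approved client app) on an iPhone that is not enrolled.
OUTLOOK_UNENROLLED_IOS = {"app": EXCHANGE_ONLINE, "platform": "iOS", "clientAppType": "mobileAppsAndDesktopClients",
                          "approvedClientApp": True, "deviceCompliant": False}

ONE_OF = make_policy("EXO+SPO: app-based or compliant device", ["compliantDevice", "approvedApplication"], "OR")
ALL_OF = make_policy("EXO+SPO: app-based and compliant device", ["compliantDevice", "approvedApplication"], "AND")
```

With the OR policy the unenrolled Outlook user is granted access, with the AND policy the same user is blocked until the device is enrolled, which is exactly the playbook difference between the two scenarios.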

Step 2 - Configure an Azure AD Conditional Access policy for Exchange Online with Active Sync (EAS)

For the Conditional Access policy in this step, you need to configure the following components:

  1. The Name of your Conditional Access policy.

  2. Users and groups: Each Conditional Access policy must have at least one user or group selected.

  3. Cloud apps: As cloud apps, you need to select Office 365 Exchange Online.

  4. Conditions: As Conditions, you need to configure Client apps (preview).

    1. As Client apps (preview), select Mobile apps and desktop clients and Exchange ActiveSync clients.


  5. As Access controls, you need to have the following selected:

    • Require device to be marked as compliant
    • Require approved client app (preview)
    • Require all the selected controls

Step 3 - Configure Intune app protection policy for iOS and Android client applications


See Protect apps and data with Microsoft Intune for more information.

Next steps

If you want to know how to configure a Conditional Access policy, see Require MFA for specific apps with Azure Active Directory Conditional Access.

If you are ready to configure Conditional Access policies for your environment, see the best practices for Conditional Access in Azure Active Directory.