
Quickstart: Require MFA for specific apps with Azure Active Directory Conditional Access

To simplify the sign-in experience for your users, you might want to let them sign in to your cloud apps with just a user name and a password. In most environments, however, there are at least a few apps for which a stronger form of account verification, such as multi-factor authentication (MFA), is advisable: access to the organization's email system or its HR apps, for example. In Azure Active Directory (Azure AD), you accomplish this with a Conditional Access policy.

This quickstart shows how to configure an Azure AD Conditional Access policy that requires multi-factor authentication for a selected cloud app in your environment.

[Screenshot: example Conditional Access policy in the Azure portal]

If you don't have an Azure subscription, create a free account before you begin.

Prerequisites

To complete the scenario in this quickstart, you need:

  • Access to an Azure AD Premium edition - Azure AD Conditional Access is an Azure AD Premium capability.
  • A test account called Isabella Simonsen - If you don't know how to create a test account, see Add cloud-based users.

The scenario in this quickstart requires that per-user MFA is not enabled for your test account: per-user MFA prompts for a second factor on every sign-in, so you could not tell whether a prompt came from the Conditional Access policy. For more information, see How to require two-step verification for a user.

Test your experience

The goal of this step is to get an impression of the sign-in experience without a Conditional Access policy in place.

To initialize your environment:

  1. Sign in to the Azure portal as Isabella Simonsen.
  2. Sign out.

Create your Conditional Access policy

This section shows how to create the required Conditional Access policy. The scenario in this quickstart uses:

  • The Azure portal as a placeholder for a cloud app that requires MFA. The Azure portal is covered by the Microsoft Azure Management cloud app, which also covers the Azure Resource Manager API, so a policy on it affects tools such as Azure PowerShell and the Azure CLI as well.
  • Your sample user to test the Conditional Access policy.

In your policy, set:

  Setting           Value
  Users and groups  Isabella Simonsen
  Cloud apps        Microsoft Azure Management
  Grant access      Require multi-factor authentication

[Screenshot: the completed Conditional Access policy]

To configure your Conditional Access policy:

  1. Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.
  2. In the Azure portal, on the left navbar, click Azure Active Directory.
  3. On the Azure Active Directory page, in the Security section, click Conditional Access.
  4. On the Conditional Access page, in the toolbar at the top, click New policy.
  5. On the New page, in the Name textbox, type Require MFA for Azure portal access.
  6. In the Assignments section, click Users and groups.
  7. On the Users and groups page, perform the following steps:
    1. Click Select users and groups, and then select Users and groups.
    2. Click Select.
    3. On the Select page, select Isabella Simonsen, and then click Select.
    4. On the Users and groups page, click Done.
  8. Click Cloud apps.
  9. On the Cloud apps page, perform the following steps:
    1. Click Select apps.
    2. Click Select.
    3. On the Select page, select Microsoft Azure Management, and then click Select.
    4. On the Cloud apps page, click Done.
  10. In the Access controls section, click Grant.
  11. On the Grant page, perform the following steps:
    1. Select Grant access.
    2. Select Require multi-factor authentication.
    3. Click Select.
  12. In the Enable policy section, click On.
  13. Click Create.

Evaluate a simulated sign-in

Now that you have configured your Conditional Access policy, you probably want to know whether it works as expected. As a first step, use the Conditional Access What If policy tool to simulate a sign-in by your test user. The simulation estimates the impact this sign-in has on your policies and generates a simulation report.

To initialize the What If policy evaluation tool, set:

  • Isabella Simonsen as user
  • Microsoft Azure Management as cloud app

Clicking What If creates a simulation report that shows:

  • Require MFA for Azure portal access under Policies that will apply
  • Require multi-factor authentication as Grant Controls

To evaluate your Conditional Access policy:

  1. On the Conditional Access - Policies page, in the menu at the top, click What If.
  2. Click Users, select Isabella Simonsen, and then click Select.
  3. To select a cloud app, perform the following steps:
    1. Click Cloud apps.
    2. On the Cloud apps page, click Select apps.
    3. Click Select.
    4. On the Select page, select Microsoft Azure Management, and then click Select.
    5. On the Cloud apps page, click Done.
  4. Click What If.
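The same policy expressed as a Microsoft Graph conditionalAccessPolicy payload, together with an offline evaluator that applies the What If rule (a policy applies only when it is enabled and both the user and the cloud app are in scope). This is an added example, not code from the quickstart or from Microsoft; the application ID for Microsoft Azure Management is the well-known one and should be confirmed in your tenant, while the user and extra app object IDs are hypothetical placeholders:

```python
"""Build the quickstart's Conditional Access policy as a Microsoft Graph
conditionalAccessPolicy payload and evaluate simulated sign-ins against it,
offline, the way the What If tool does. No tenant is contacted."""
import json

# Well-known application ID of the "Microsoft Azure Management" cloud app.
# Confirm it against the app list in your own tenant before relying on it.
AZURE_MANAGEMENT_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"

# Hypothetical object IDs (assumptions); real ones come from GET /users/{upn}.
ISABELLA_ID = "11111111-1111-1111-1111-111111111111"
OTHER_USER_ID = "22222222-2222-2222-2222-222222222222"
OTHER_APP_ID = "33333333-3333-3333-3333-333333333333"

POLICY_NAME = "Require MFA for Azure portal access"


def build_policy(display_name, user_ids, app_ids, state="enabled", exclude_user_ids=()):
    """Return the body of POST /identity/conditionalAccess/policies that
    matches the settings table: named users, named cloud apps, grant 'mfa'."""
    return {
        "displayName": display_name,
        # "enabled", "disabled" or "enabledForReportingButNotEnforced" (report-only)
        "state": state,
        "conditions": {
            "users": {
                "includeUsers": list(user_ids),
                # Excluding an emergency-access account keeps you from locking
                # yourself out if MFA registration or the MFA service fails.
                "excludeUsers": list(exclude_user_ids),
            },
            "applications": {"includeApplications": list(app_ids)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def _in_scope(candidate, include, exclude=()):
    """Graph uses the literal string "All" to mean every user or every app."""
    if candidate in exclude:
        return False
    return "All" in include or candidate in include


def what_if(policies, user_id, app_id):
    """Simulate a sign-in by user_id to app_id and return, per policy that
    applies, the grant controls the sign-in must satisfy. A policy applies
    only when it is enabled AND the user is in scope AND the app is in scope;
    a disabled policy, or one scoped to another user or app, is silent."""
    applied = {}
    for policy in policies:
        if policy["state"] != "enabled":
            continue
        users = policy["conditions"]["users"]
        apps = policy["conditions"]["applications"]
        if _in_scope(user_id, users["includeUsers"], users.get("excludeUsers", ())) and \
                _in_scope(app_id, apps["includeApplications"]):
            applied[policy["displayName"]] = list(policy["grantControls"]["builtInControls"])
    return applied


if __name__ == "__main__":
    policy = build_policy(POLICY_NAME, [ISABELLA_ID], [AZURE_MANAGEMENT_APP_ID])
    print(json.dumps(policy, indent=2))                               # body you would POST
    print(what_if([policy], ISABELLA_ID, AZURE_MANAGEMENT_APP_ID))    # policy applies, needs mfa
    print(what_if([policy], OTHER_USER_ID, AZURE_MANAGEMENT_APP_ID))  # out of scope: {}
```

Creating the policy through Graph requires the Policy.ReadWrite.ConditionalAccess permission; starting it in the enabledForReportingButNotEnforced state lets you observe the effect in sign-in logs before any user is blocked.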

Test your Conditional Access policy

In the previous section, you learned how to evaluate a simulated sign-in. In addition to the simulation, you should also test your Conditional Access policy with a real sign-in to ensure that it works as expected.

To test your policy, try to sign in to the Azure portal using your Isabella Simonsen test account. You should see a dialog that requires you to set up your account for additional security verification. The setup dialog appears because the test account has no verification method registered yet; an account that has already registered a method is prompted for the second factor instead.
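Watching one sign-in by eye confirms the policy once; the sign-in log confirms it for every sign-in. The added example below (not part of the quickstart) checks records shaped like the Microsoft Graph signIn resource (GET /auditLogs/signIns, which needs the AuditLog.Read.All permission) and lists the sign-ins by the test user to the Azure portal that were not MFA-protected by the policy. The records, the user principal names and the app display names are constructed sample data:

```python
"""Verify the policy from Azure AD sign-in records instead of only by eye.
Records are constructed here in the shape of the Microsoft Graph signIn
resource: the field names are the resource's, the values are sample data."""

POLICY_NAME = "Require MFA for Azure portal access"
# Sign-in records name the concrete app the user opened ("Azure Portal"),
# not the "Microsoft Azure Management" grouping the policy is scoped to.
APP_NAME = "Azure Portal"
TEST_UPN = "isabella.simonsen@contoso.example"  # assumed UPN for the test account

# Constructed sample records, not real log data.
SAMPLE_SIGNINS = [
    {   # after the policy: applied and satisfied, token issued with MFA
        "id": "s1", "userPrincipalName": TEST_UPN, "appDisplayName": APP_NAME,
        "conditionalAccessStatus": "success",
        "authenticationRequirement": "multiFactorAuthentication",
        "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "success"}],
    },
    {   # before the policy was enabled: single factor, nothing applied
        "id": "s2", "userPrincipalName": TEST_UPN, "appDisplayName": APP_NAME,
        "conditionalAccessStatus": "notApplied",
        "authenticationRequirement": "singleFactorAuthentication",
        "appliedConditionalAccessPolicies": [],
    },
    {   # the test user on an app outside the policy's scope: correctly not applied
        "id": "s3", "userPrincipalName": TEST_UPN, "appDisplayName": "Office 365 Exchange Online",
        "conditionalAccessStatus": "notApplied",
        "authenticationRequirement": "singleFactorAuthentication",
        "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "notApplied"}],
    },
    {   # another user, out of scope
        "id": "s4", "userPrincipalName": "alex.wilber@contoso.example", "appDisplayName": APP_NAME,
        "conditionalAccessStatus": "notApplied",
        "authenticationRequirement": "singleFactorAuthentication",
        "appliedConditionalAccessPolicies": [],
    },
]


def policy_result(record, policy_name):
    """Result the named policy recorded for this sign-in, or None if absent."""
    for applied in record.get("appliedConditionalAccessPolicies", []):
        if applied.get("displayName") == policy_name:
            return applied.get("result")
    return None


def find_unprotected(records, upn, app_name, policy_name):
    """IDs of sign-ins by upn to app_name that were NOT MFA-protected by
    policy_name. Both facts are required: the policy reported success AND
    the token was issued with multi-factor authentication. A sign-in that
    is missing either is the one an admin should look at."""
    return [
        r["id"] for r in records
        if r["userPrincipalName"] == upn and r["appDisplayName"] == app_name
        and not (policy_result(r, policy_name) == "success"
                 and r.get("authenticationRequirement") == "multiFactorAuthentication")
    ]


if __name__ == "__main__":
    print(find_unprotected(SAMPLE_SIGNINS, TEST_UPN, APP_NAME, POLICY_NAME))  # ['s2']
```

Against a live tenant you would page through /auditLogs/signIns filtered on the user and app, and any result for the time after the policy was enabled means the policy did not apply as intended.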

Clean up resources

When no longer needed, delete the test user and the Conditional Access policy:

  • If you don't know how to delete an Azure AD user, see Delete users from Azure AD.
  • To delete your policy, select the policy, and then click Delete in the quick access toolbar.

Next steps