您现在访问的是微软AZURE全球版技术文档网站,若需要访问由世纪互联运营的MICROSOFT AZURE中国区技术文档网站,请访问 https://docs.azure.cn.

Azure Active Directory 条件访问中的条件是什么?What are conditions in Azure Active Directory Conditional Access?

您可以控制用户可以访问你的云应用通过使用Azure Active Directory (Azure AD) 条件性访问You can control how users access your cloud apps by using Azure Active Directory (Azure AD) Conditional Access. 在条件性访问策略中,定义的响应 ("然后执行此操作") 到 ("在此情况下") 触发策略的原因。In a Conditional Access policy, you define the response ("Then do this") to the reason for triggering your policy ("When this happens").


条件性访问的上下文中这何时发生称为条件In the context of Conditional Access, When this happens is called a condition. “则执行此操作”称为“访问控制”。 Then do this is called an access control. 你的条件和访问控制的组合表示条件性访问策略。The combination of your conditions and your access controls represents a Conditional Access policy.


不会应用尚未配置条件性访问策略中的条件。Conditions you haven't configured in a Conditional Access policy aren't applied. 某些条件均必需将条件性访问策略应用到环境。Some conditions are mandatory to apply a Conditional Access policy to an environment.

本文是条件和及其使用方式的条件性访问策略中的概述。This article is an overview of the conditions and how they're used in a Conditional Access policy.

用户和组Users and groups

用户和组条件是条件性访问策略中必需的。The users and groups condition is mandatory in a Conditional Access policy. 在策略中,可以选择所有用户或选择特定的用户和组。In your policy, you can either select All users or select specific users and groups.


选择“所有用户”时,策略将应用到目录中的所有用户,包括来宾用户。 When you select All users, your policy is applied to all users in the directory, including guest users.

选择用户和组时,可以设置以下选项:When you Select users and groups, you can set the following options:

  • “所有来宾用户”使策略面向 B2B 来宾用户。 All guest users targets a policy to B2B guest users. 此条件与将 userType 属性设置为“来宾”的所有用户帐户匹配。 This condition matches any user account that has the userType attribute set to guest. 如果在 Azure AD 的邀请流中创建帐户后需要应用策略,请使用此设置。Use this setting when a policy needs to be applied as soon as the account is created in an invite flow in Azure AD.
  • “目录角色”基于用户的角色分配定位策略。 Directory roles targets a policy based on a user’s role assignment. 此条件支持目录角色,如“全局管理员” 或“密码管理员” 。This condition supports directory roles like Global administrator or Password administrator.
  • “用户和组”面向特定的用户集。 Users and groups targets specific sets of users. 例如,将某个人力资源应用选作云应用时,可以选择包含人力资源部所有成员的组。For example, you can select a group that contains all members of the HR department when an HR app is selected as the cloud app. 某个组可以是 Azure AD 中任何类型的组,包括动态组,或分配的安全组和通讯组。A group can be any type of group in Azure AD, including dynamic or assigned security and distribution groups.

此外,你还可以从策略中排除特定的用户或组。You can also exclude specific users or groups from a policy. 例如,在策略强制实施多重身份验证 (MFA) 的情况下,往往会排除服务帐户。One common use case is service accounts if your policy enforces multifactor authentication (MFA).

若要部署新策略,面向特定的用户集十分有用。Targeting specific sets of users is useful for the deployment of a new policy. 在新策略中,应该只将初始用户集用作目标来验证策略行为。In a new policy, you should target only an initial set of users to validate the policy behavior.

云应用程序和操作Cloud apps and actions

云应用是网站、 服务或终结点保护的 Azure AD 应用程序代理。A cloud app is a website, service, or endpoint protected by Azure AD Application Proxy. 有关受支持云应用的详细说明,请参阅云应用分配For a detailed description of supported cloud apps, see cloud apps assignments. 云应用程序或操作条件是条件性访问策略中必需的。The Cloud apps or actions condition is mandatory in a Conditional Access policy. 在策略中,您可以选中所有云应用,或者指定使用应用程序选择应用In your policy, you can either select All cloud apps or specify apps with Select apps.

组织可以选择以下选项:Organizations can choose from the following:

  • 所有云应用时应用基准策略要应用于整个组织。All cloud apps when applying baseline policies to apply to the entire organization. 将此选项用于所有云应用检测到登录风险时都要求多重身份验证的策略。Use this selection for policies that require multi-factor authentication when sign-in risk is detected for any cloud app. 应用于所有云应用的策略适用于访问到所有网站和服务。A policy applied to All cloud apps applies to access to all websites and services. 此设置不限于选择应用程序列表中显示的云应用。This setting isn't limited to the cloud apps that appear on the Select apps list.
  • “选择应用”,以便根据策略将特定服务指定为目标 。Select apps to target specific services by your policy. 例如,可以要求用户具有兼容的设备访问 SharePoint Online。For example, you can require users to have a compliant device to access SharePoint Online. 当其他服务访问 SharePoint 内容时,也会对这些服务应用此策略。This policy is also applied to other services when they access SharePoint content. 例如 Microsoft Teams。An example is Microsoft Teams.


可以从策略中排除特定的应用。You can exclude specific apps from a policy. 但是,这些应用仍受到应用于它们访问的服务的策略的限制。However, these apps are still subject to the policies applied to the services they access.

用户操作是用户可以执行的任务。User actions are tasks that can be performed by a user. 当前支持的唯一操作是注册安全信息 (预览版) ,它允许条件性访问策略强制执行时组合注册为启用的用户尝试注册其安全信息。The only currently supported action is Register security information (preview), which allows Conditional Access policy to enforce when users who are enabled for combined registration attempt to register their security information. 可在本文中,找到更多信息启用结合安全信息注册 (预览版)More information can be found in the article, Enable combined security information registration (preview).

登录风险Sign-in risk

登录风险指不是由用户帐户合法所有者执行的登录的可能性(高、中或低)。A sign-in risk is an indicator of the likelihood (high, medium, or low) that a sign-in wasn't made by the legitimate owner of a user account. Azure AD 在用户登录期间会计算登录风险级别。Azure AD calculates the sign-in risk level during a user's sign-in. 计算登录风险级别可用作条件性访问策略中的条件。You can use the calculated sign-in risk level as condition in a Conditional Access policy.


若要使用此条件,需要启用 Azure Active Directory 标识保护To use this condition, you need to have Azure Active Directory Identity Protection enabled.

此条件的常见用例包括提供以下保护的策略:Common use cases for this condition are policies that have the following protections:

  • 阻止存在高登录风险的用户。Block users with a high sign-in risk. 此项保护可防止潜在的非法用户访问你的云应用。This protection prevents potentially non-legitimate users from accessing your cloud apps.
  • 要求中等登录风险的用户执行多重身份验证。Require multifactor authentication for users with a medium sign-in risk. 通过强制实施多重身份验证,可以更加肯定登录操作是由帐户的合法所有者执行的。By enforcing multifactor authentication, you can provide additional confidence that the sign-in is done by the legitimate owner of an account.

有关详细信息,请参阅检测到会话风险时阻止访问For more information, see block access when a session risk is detected.

设备平台Device platforms

设备平台根据设备上运行的操作系统来定义特征。The device platform is characterized by the operating system that runs on your device. Azure AD 使用设备(例如用户代理)提供的信息来标识平台。Azure AD identifies the platform by using information provided by the device, such as user agent. 此信息未经验证。This information is unverified. 我们建议在所有平台中应用某个策略。We recommend that all platforms have a policy applied to them. 该策略应阻止访问、要求符合 Microsoft Intune 政策,或要求设备加入域。The policy should either block access, require compliance with Microsoft Intune policies, or require the device be domain joined. 默认设置是将策略应用到所有设备平台。The default is to apply a policy to all device platforms.


有关支持的设备平台列表,请参阅设备平台条件For a list of the supported device platforms, see device platform condition.

此条件的一个常见用例是,策略将云应用的访问权限制为托管设备A common use case for this condition is a policy that restricts access to your cloud apps to managed devices. 有关更多方案,包括设备平台条件,请参阅Azure Active Directory 基于应用的条件性访问For more scenarios including the device platform condition, see Azure Active Directory app-based Conditional Access.

设备状态Device state

设备状态条件排除加入的混合 Azure AD 的设备和设备标记为符合条件访问策略中。The device state condition excludes hybrid Azure AD joined devices and devices marked as compliant from a Conditional Access policy.


当策略仅应用到非托管设备以使会话更安全时,此条件非常有用。This condition is useful when a policy should apply only to an unmanaged device to provide additional session security. 例如,当设备处于非托管状态时,仅强制执行 Microsoft Cloud App Security 会话控制。For example, only enforce the Microsoft Cloud App Security session control when a device is unmanaged.


使用位置可以基于尝试连接的位置定义条件。By using locations, you can define conditions based on where a connection was attempted.


此条件的常见用例包括提供以下保护的策略:Common use cases for this condition are policies with the following protections:

  • 用户访问服务,它们在公司网络时要求多重身份验证。Require multi-factor authentication for users accessing a service when they're off the corporate network.
  • 阻止特定国家或地区的用户访问服务。Block access for users accessing a service from specific countries or regions.

有关详细信息,请参阅什么是 Azure Active Directory 条件访问中的位置条件?For more information, see What is the location condition in Azure Active Directory Conditional Access?.

客户端应用Client apps

默认情况下,条件性访问策略应用于以下应用:By default, a Conditional Access policy applies to the following apps:

  • 浏览器应用 - 浏览器应用包括使用 SAML、WS-Federation 或 OpenID Connect Web SSO 协议的网站。Browser apps - Browser apps include websites using the SAML, WS-Federation, or OpenID Connect web SSO protocols. 这也适用于已注册为 OAuth 机密客户端的任何网站或 Web 服务。This also applies to any website or web service that has been registered as an OAuth confidential client. 例如,Office 365 SharePoint 网站。For example, the Office 365 SharePoint website.
  • 使用新式身份验证的移动和桌面应用 - 这些应用包括 Office 桌面应用和手机应用。Mobile and desktop apps using modern authentication - These apps include the Office desktop apps and phone apps.

另外,可以让策略针对不使用新式身份验证的特定客户端应用,例如:Additionally, you can target a policy to specific client apps that are not using modern authentication, for example:


此条件的常见用例包括提供以下要求的策略:Common use cases for this condition are policies with the following requirements:

  • 对于将数据下载到设备的移动和桌面应用程序, 要求使用托管设备Require a managed device for mobile and desktop applications that download data to a device. 同时,允许从任何设备上的浏览器进行访问。At the same time, allow browser access from any device. 此方案阻止将文档保存并同步到非托管设备。This scenario prevents saving and syncing documents to an unmanaged device. 使用此方法,在设备丢失或失窃的情况下就可以降低数据丢失的可能性。With this method, you can reduce the probability for data loss if the device is lost or stolen.
  • 对于使用 ActiveSync 来访问 Exchange Online 的应用, 需要托管设备Require a managed device for apps using ActiveSync to access Exchange Online.
  • 阻止向 Azure AD 进行的旧身份验证 (其他客户端)Block legacy authentication to Azure AD (other clients)
  • 阻止从 Web 应用程序访问,但允许从移动和桌面应用程序访问。Block access from web applications but allow access from mobile and desktop applications.

Exchange ActiveSync 客户端Exchange ActiveSync clients

只有在以下情况下,才可以选在“Exchange ActiveSync 客户端”: You can only select Exchange ActiveSync clients if:

  • Microsoft Office 365 Exchange Online 是所选的唯一云应用。Microsoft Office 365 Exchange Online is the only cloud app you've selected.


  • 未在策略中配置其他条件。You don't have other conditions configured in a policy. 但是,可以缩小此条件的范围,使之仅应用到支持的平台However, you can narrow down the scope of this condition to apply only to supported platforms.


如果系统因为要求使用托管设备而阻止某些用户的访问,则受影响的用户会收到一封引导他们使用 Intune 的邮件。When access is blocked because a managed device is required, the affected users get a single mail that guides them to use Intune.

如果系统要求使用经审核的应用,则受影响的用户会收到 Outlook 移动客户端的安装和使用指南。If an approved app is required, the affected users get guidelines to install and use the Outlook mobile client.

在其他情况下(例如,需要 MFA),则会阻止受影响用户,因为使用基本身份验证的客户端不支持 MFA。In other cases, for example, if MFA is required, the affected users are blocked, because clients using Basic authentication don't support MFA.

只能将此设置用于用户和组。You can only target this setting to users and groups. 它不支持来宾或角色。It doesn’t support guests or roles. 如果配置来宾或角色的条件,因为无法确定条件性访问,或不如果该策略将应用到用户,将阻止所有用户。If a guest or role condition is configured, all users are blocked because Conditional Access can't determine if the policy should apply to the user or not.

有关详细信息,请参阅:For more information, see:

后续步骤Next steps