
What are access controls in Azure Active Directory Conditional Access?

With Azure Active Directory (Azure AD) Conditional Access, you can control how authorized users access your cloud apps. In a Conditional Access policy, you define the response ("do this") to the reason for triggering your policy ("when this happens").

In the context of Conditional Access,

  • "When this happens" is called a condition
  • "Then do this" is called an access control

The combination of a condition statement with your controls represents a Conditional Access policy.

Controls

Each control is either a requirement that must be fulfilled by the person or system signing in, or a restriction on what the user can do after signing in.

There are two types of controls:

  • Grant controls - to gate access
  • Session controls - to restrict what can be done within a session

This article explains the various controls that are available in Azure AD Conditional Access.

Grant controls

With grant controls, you can either block access altogether or allow access only when additional requirements are met, by selecting the desired controls. When you select more than one control, you can require:

  • All selected controls to be fulfilled (AND)
  • One selected control to be fulfilled (OR)
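How these options combine in practice, as an added example that is not part of the original article or Microsoft's code: the Python below builds a Microsoft Graph conditionalAccessPolicy request body carrying the grant controls described above (and, for session controls, the applicationEnforcedRestrictions flag), then models how a sign-in that has satisfied a given set of controls is evaluated against one or more policies. The built-in control names (mfa, compliantDevice, domainJoinedDevice, approvedApplication, compliantApplication, block) are the ones used by the Graph grantControls.builtInControls property; the Exchange Online application ID is the well-known one and is assumed here as the target app; the terms-of-use ID, the sign-in records and the evaluator itself are constructed for illustration and are not Azure AD's implementation.

```python
"""Added example: Conditional Access grant controls as a Microsoft Graph
policy body, plus a small evaluator that models how AND / OR / block
combine.  Not Microsoft's code; the evaluation logic is an illustrative
model of the documented behaviour, not Azure AD's implementation."""
from __future__ import annotations

import json

# Well-known application ID of Office 365 Exchange Online (assumed here
# as the target cloud app).
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"

# The subset of Graph built-in grant control names covered by this article
# (grantControls.builtInControls).
BUILT_IN = {"block", "mfa", "compliantDevice", "domainJoinedDevice",
            "approvedApplication", "compliantApplication"}


def build_policy(display_name: str, operator: str, built_in: list[str],
                 terms_of_use: list[str] | None = None,
                 custom_controls: list[str] | None = None,
                 app_enforced_restrictions: bool = False) -> dict:
    """Return a conditionalAccessPolicy body targeting Exchange Online for
    all users.  Terms-of-use and custom control entries are referenced by
    ID (hypothetical values are fine for the demo)."""
    if operator not in ("AND", "OR"):
        raise ValueError("operator must be 'AND' or 'OR'")
    unknown = set(built_in) - BUILT_IN
    if unknown:
        raise ValueError(f"unknown built-in controls: {sorted(unknown)}")
    policy = {
        "displayName": display_name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": [EXCHANGE_ONLINE_APP_ID]},
        },
        "grantControls": {
            "operator": operator,
            "builtInControls": list(built_in),
            "termsOfUse": list(terms_of_use or []),
            "customAuthenticationFactors": list(custom_controls or []),
        },
    }
    if app_enforced_restrictions:
        # Session control: ask Azure AD to pass device state to the app.
        policy["sessionControls"] = {
            "applicationEnforcedRestrictions": {"isEnabled": True}
        }
    return policy


def required_controls(policy: dict) -> set[str]:
    """All controls a sign-in may need to satisfy: built-in names plus
    terms-of-use and custom control IDs."""
    g = policy["grantControls"]
    return (set(g["builtInControls"]) | set(g["termsOfUse"])
            | set(g["customAuthenticationFactors"]))


def policy_grants(policy: dict, satisfied: set[str]) -> bool:
    """Model of one policy's grant decision.  `satisfied` holds the
    controls the sign-in has already met (constructed input)."""
    required = required_controls(policy)
    if "block" in required:            # block overrides every other control
        return False
    if not required:                   # no grant controls configured
        return True
    if policy["grantControls"]["operator"] == "AND":
        return required <= satisfied   # every selected control met
    return bool(required & satisfied)  # at least one selected control met


def access_granted(policies: list[dict], satisfied: set[str]) -> bool:
    """When several policies apply to the same sign-in, each must grant;
    a single block policy therefore denies access."""
    return all(policy_grants(p, satisfied) for p in policies)


if __name__ == "__main__":
    strict = build_policy("Require MFA and compliant device",
                          "AND", ["mfa", "compliantDevice"],
                          app_enforced_restrictions=True)
    print(json.dumps(strict, indent=2))
    print(access_granted([strict], {"mfa"}))                     # False
    print(access_granted([strict], {"mfa", "compliantDevice"}))  # True
```

The body produced by build_policy is what you would POST to the Graph conditionalAccessPolicies endpoint; the evaluator is only there to make the AND/OR/block semantics concrete, and to show why a block policy cannot be "overridden" by a more permissive one that applies to the same sign-in.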


Multi-factor authentication

You can use this control to require multi-factor authentication to access the specified cloud app. This control supports the following multi-factor providers:

  • Azure Multi-Factor Authentication
  • An on-premises multi-factor authentication provider, combined with Active Directory Federation Services (AD FS)

Requiring multi-factor authentication helps protect resources from an unauthorized user who has obtained the primary credentials (for example, the password) of a valid user.

Compliant device

You can configure Conditional Access policies that are device-based. The objective of a device-based Conditional Access policy is to grant access to the selected cloud apps only from managed devices. Requiring a device to be marked as compliant is one option you have to limit access to managed devices. A device can be marked as compliant by Intune (for any device OS) or by your third-party MDM system for Windows 10 devices. Third-party MDM systems for device OS types other than Windows 10 are not supported.

Your device must be registered with Azure AD before it can be marked as compliant. To register a device, you have three options:

  • Azure AD registered devices
  • Azure AD joined devices
  • Hybrid Azure AD joined devices

These three options are discussed in the article What is a device identity?

For more information, see how to require managed devices for cloud app access with Conditional Access.

Hybrid Azure AD joined device

Requiring a hybrid Azure AD joined device is another option you have for configuring device-based Conditional Access policies. This requirement refers to Windows desktops, laptops, and enterprise tablets that are joined to an on-premises Active Directory. If this option is selected, your Conditional Access policy grants access only to access attempts made from devices that are joined to both your on-premises Active Directory and your Azure Active Directory. Mac devices do not support hybrid Azure AD join.

For more information, see set up Azure Active Directory device-based Conditional Access policies.

Approved client app

Because your employees use mobile devices for both personal and work tasks, you might want the ability to protect company data accessed from devices even when those devices are not managed by you. You can use Intune app protection policies to help protect your company's data independent of any mobile device management (MDM) solution.

With approved client apps, you can require that a client app attempting to access your cloud apps supports Intune app protection policies. For example, you can restrict access to Exchange Online to the Outlook app. A Conditional Access policy that requires approved client apps is also known as an app-based Conditional Access policy. For a list of supported approved client apps, see approved client app requirement.

App protection policy (preview)

As with approved client apps, the motivation here is that employees use mobile devices for both personal and work tasks, and you might want to protect company data accessed from devices that you do not manage. Intune app protection policies help protect your company's data independent of any mobile device management (MDM) solution.

With the app protection policy control, you can limit access to client applications that have reported to Azure AD that they have received an Intune app protection policy. This is stricter than the approved client app control, which only requires that the app be capable of supporting such a policy. For example, you can restrict access to Exchange Online to the Outlook app that has an Intune app protection policy applied. A Conditional Access policy that requires an app protection policy is also known as an app protection-based Conditional Access policy.

Your device must be registered with Azure AD before an application can be marked as policy protected.

For a list of supported policy-protected client apps, see app protection policy requirement.

Terms of use

You can require a user in your tenant to consent to terms of use before being granted access to a resource. As an administrator, you configure and customize the terms of use by uploading a PDF document. If a user falls within the scope of this control, access to an application is granted only after the terms of use have been agreed to.

Custom controls (preview)

Custom controls are a capability of the Azure Active Directory Premium P1 edition. When you use custom controls, your users are redirected to a compatible service to satisfy further requirements outside of Azure Active Directory. To satisfy this control, the user's browser is redirected to the external service, performs any required authentication or validation activities, and is then redirected back to Azure Active Directory. Azure Active Directory verifies the response and, if the user was successfully authenticated or validated, the user continues in the Conditional Access flow.

These controls allow certain external or custom services to be used as Conditional Access controls, and in general extend the capabilities of Conditional Access.

Providers currently offering a compatible service include:

For more information on those services, contact the providers directly.

Creating custom controls

To create a custom control, first contact the provider you wish to use. Each non-Microsoft provider has its own process and requirements to sign up, subscribe, or otherwise become part of the service, and to indicate that you wish to integrate with Conditional Access. At that point, the provider gives you a block of data in JSON format. This data allows the provider and Conditional Access to work together for your tenant, creates the new control, and defines how Conditional Access can tell whether your users have successfully performed verification with the provider.

Custom controls cannot be used with Identity Protection's automation that requires multi-factor authentication, or to elevate roles in Privileged Identity Management (PIM).

Copy the JSON data and paste it into the related text box. Do not make any changes to the JSON unless you explicitly understand the change you are making. Any change could break the connection between the provider and Microsoft and potentially lock you and your users out of your accounts.

The option to create a custom control is in the Manage section of the Conditional Access page.

Clicking New custom control opens a blade with a text box for the JSON data of your control.

Deleting custom controls

To delete a custom control, you must first ensure that it is not being used in any Conditional Access policy. Once that is done:

  1. Go to the Custom controls list
  2. Click …
  3. Select Delete.

Editing custom controls

To edit a custom control, you must delete the current control and create a new control with the updated information.

Session controls

Session controls enable a limited experience within a cloud app. They are enforced by the cloud app itself and rely on additional information that Azure AD provides to the app about the session.

Use app enforced restrictions

You can use this control to require Azure AD to pass device information to the selected cloud apps. The device information lets the cloud app know whether a connection is initiated from a compliant or domain-joined device. This control supports only SharePoint Online and Exchange Online as selected cloud apps. When it is selected, the cloud app uses the device information to give users a limited or full experience, depending on the device state.

To learn more, see:

Next steps