
Azure Active Directory Conditional Access FAQs

Which applications work with Conditional Access policies?

For information about applications that work with Conditional Access policies, see Applications and browsers that use Conditional Access rules in Azure Active Directory.

Are Conditional Access policies enforced for B2B collaboration and guest users?

Policies are enforced for business-to-business (B2B) collaboration users. However, in some cases, a user might not be able to satisfy the policy requirements. For example, a guest user's organization might not support multi-factor authentication.

Does a SharePoint Online policy also apply to OneDrive for Business?

Yes. A SharePoint Online policy also applies to OneDrive for Business.

Why can't I set a policy directly on client apps, like Word or Outlook?

A Conditional Access policy sets requirements for accessing a service. It's enforced when authentication to that service occurs. The policy is not set directly on a client application. Instead, it is applied when a client calls a service. For example, a policy set on SharePoint applies to clients calling SharePoint. A policy set on Exchange applies to Outlook.

Does a Conditional Access policy apply to service accounts?

Conditional Access policies apply to all user accounts. This includes user accounts that are used as service accounts. Often, a service account that runs unattended can't satisfy the requirements of a Conditional Access policy. For example, multi-factor authentication might be required. Service accounts can be excluded from a policy by using Conditional Access policy management settings.

Are Graph APIs available for configuring Conditional Access policies?

Currently, no.

What is the default exclusion policy for unsupported device platforms?

Currently, Conditional Access policies are selectively enforced on users of iOS and Android devices. Applications on other device platforms are, by default, not affected by the Conditional Access policy for iOS and Android devices. A tenant admin can choose to override the global policy to disallow access to users on platforms that are not supported.

How do Conditional Access policies work for Microsoft Teams?

Microsoft Teams relies heavily on Exchange Online and SharePoint Online for core productivity scenarios, like meetings, calendars, and file sharing. Conditional Access policies that are set for these cloud apps apply to Microsoft Teams when a user signs in directly to Microsoft Teams.

Microsoft Teams is also supported separately as a cloud app in Azure Active Directory Conditional Access policies. Conditional Access policies that are set for a cloud app apply to Microsoft Teams when a user signs in. However, without the correct policies on other apps, like Exchange Online and SharePoint Online, users may still be able to access those resources directly.

Microsoft Teams desktop clients for Windows and Mac support modern authentication. Modern authentication brings sign-in based on the Azure Active Directory Authentication Library (ADAL) to Microsoft Office client applications across platforms.
