
What is the location condition in Azure Active Directory Conditional Access?

With Azure Active Directory (Azure AD) Conditional Access, you can control how authorized users can access your cloud apps. The location condition of a Conditional Access policy enables you to tie access control settings to the network locations of your users.

This article provides you with the information you need to configure the location condition.

Locations

Azure AD enables single sign-on to devices, apps, and services from anywhere on the public internet. With the location condition, you can control access to your cloud apps based on the network location of a user. Common use cases for the location condition are:

  • Requiring multi-factor authentication for users accessing a service when they are off the corporate network.
  • Blocking access for users accessing a service from specific countries or regions.

A location is a label for a network location that represents either a named location or multi-factor authentication Trusted IPs.

Named locations

With named locations, you can create logical groupings of IP address ranges or countries and regions.

You can access your named locations in the Manage section of the Conditional Access page.

[Screenshot: Named locations in Conditional Access]

A named location has the following components:

[Screenshot: Create new named location]

  • Name - The display name of a named location.

  • IP ranges - One or more IPv4 address ranges in CIDR format. Specifying an IPv6 address range is not supported.

    Note

    IPv6 address ranges cannot currently be included in a named location. This means IPv6 ranges cannot be excluded from a Conditional Access policy.

  • Mark as trusted location - A flag you can set for a named location to indicate a trusted location. Typically, trusted locations are network areas that are controlled by your IT department. In addition to Conditional Access, trusted named locations are also used by Azure Identity Protection and Azure AD security reports to reduce false positives.

  • Countries/Regions - This option enables you to select one or more countries or regions to define a named location.

  • Include unknown areas - Some IP addresses are not mapped to a specific country or region. This option allows you to choose whether these IP addresses should be included in the named location. Use this setting when the policy using the named location should apply to unknown locations.

The number of named locations you can configure is constrained by the size of the related object in Azure AD. You can configure locations within the following limits:

  • One named location with up to 1200 IP ranges.
  • A maximum of 90 named locations with one IP range assigned to each of them.

Conditional Access policy applies to IPv4 and IPv6 traffic. Currently, named locations do not allow IPv6 ranges to be configured. This limitation causes the following situations:

  • Conditional Access policy cannot be targeted to specific IPv6 ranges
  • Conditional Access policy cannot exclude specific IPv6 ranges

If a policy is configured to apply to "Any location", it will apply to IPv4 and IPv6 traffic. Named locations configured for specified countries and regions only support IPv4 addresses. IPv6 traffic is only included if the option to "Include unknown areas" is selected.

Trusted IPs

You can also configure IP address ranges representing your organization's local intranet in the multi-factor authentication service settings. This feature enables you to configure up to 50 IP address ranges. The IP address ranges are in CIDR format. For more information, see Trusted IPs.

If you have Trusted IPs configured, they show up as MFA Trusted IPs in the list of locations for the location condition.

Skipping multi-factor authentication

On the multi-factor authentication service settings page, you can identify corporate intranet users by selecting Skip multi-factor authentication for requests from federated users on my intranet. This setting indicates that the inside corporate network claim, which is issued by AD FS, should be trusted and used to identify the user as being on the corporate network. For more information, see Enable the Trusted IPs feature by using Conditional Access.

After checking this option, MFA Trusted IPs (including the named location) will apply to any policies with this option selected.

For mobile and desktop applications, which have long-lived session lifetimes, Conditional Access is periodically reevaluated. The default is once an hour. When the inside corporate network claim is only issued at the time of the initial authentication, Azure AD may not have a list of trusted IP ranges. In this case, it is more difficult to determine whether the user is still on the corporate network:

  1. Check if the user's IP address is in one of the trusted IP ranges.
  2. Check whether the first three octets of the user's IP address match the first three octets of the IP address of the initial authentication. The IP address is compared with the initial authentication when the inside corporate network claim was originally issued and the user location was validated.

If both steps fail, a user is considered to be no longer on a trusted IP.
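The two-step re-evaluation above, written out as an added example (not Microsoft's code; the trusted range and initial sign-in IP are constructed). It also shows the consequence of step 2: an address outside the configured trusted range is still accepted when it shares its first three octets with the initial authentication IP.

```python
from ipaddress import ip_address, ip_network

def still_on_corpnet(current_ip: str, trusted_ranges, initial_auth_ip: str):
    """Re-evaluate whether a user with a long-lived session is still on the corporate
    network when the inside corporate network claim was only issued at initial sign-in.
    Returns (on_corpnet, reason)."""
    cur = ip_address(current_ip)
    # Step 1: is the current public IP inside one of the trusted IP ranges?
    for cidr in trusted_ranges:
        if cur in ip_network(cidr, strict=False):
            return True, f"inside trusted range {cidr}"
    # Step 2: do the first three octets match the IP seen at initial authentication
    # (when the inside corporate network claim was issued)? Only meaningful for IPv4.
    init = ip_address(initial_auth_ip)
    if cur.version == 4 and init.version == 4 and cur.packed[:3] == init.packed[:3]:
        return True, f"same first three octets as initial authentication IP {initial_auth_ip}"
    return False, "outside trusted ranges and not in the initial authentication /24"

# Constructed inputs using documentation address space (no real tenant data).
TRUSTED = ["203.0.113.0/26"]   # assumed trusted range configured for the tenant
INITIAL_IP = "203.0.113.5"     # assumed public IP at the initial sign-in

if __name__ == "__main__":
    # 203.0.113.40 passes step 1; 203.0.113.200 is outside the /26 but passes step 2;
    # 198.51.100.9 fails both steps.
    for ip in ("203.0.113.40", "203.0.113.200", "198.51.100.9"):
        print(ip, still_on_corpnet(ip, TRUSTED, INITIAL_IP))
```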

Location condition configuration

When you configure the location condition, you have the option to distinguish between:

  • Any location
  • All trusted locations
  • Selected locations

[Screenshot: Location condition configuration]

Any location

By default, selecting Any location causes a policy to be applied to all IP addresses, which means any address on the Internet. This setting is not limited to IP addresses you have configured as named locations. When you select Any location, you can still exclude specific locations from a policy. For example, you can apply a policy to all locations except trusted locations to set the scope to all locations except the corporate network.

All trusted locations

This option applies to:

  • All locations that have been marked as trusted locations
  • MFA Trusted IPs (if configured)

Selected locations

With this option, you can select one or more named locations. For a policy with this setting to apply, a user needs to connect from any of the selected locations. When you click Select, the named network selection control that shows the list of named networks opens. The list also shows whether a network location has been marked as trusted. The named location called MFA Trusted IPs is used to include the IP settings that can be configured in the multi-factor authentication service settings page.
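An added example (not Microsoft's code) that models the three location condition modes described above, together with the IPv4/IPv6 rules from the Named locations section: a named location holds IPv4 CIDR ranges only, "Any location" covers IPv6 traffic, and IPv6 only matches a named location whose "Include unknown areas" option is selected. Country/region geolocation is not modelled; the location names and ranges are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class NamedLocation:
    """Simplified named location: IPv4 CIDR ranges only, as the page states."""
    name: str
    ip_ranges: list = field(default_factory=list)  # IPv4 CIDR strings
    trusted: bool = False                          # "Mark as trusted location"
    include_unknown: bool = False                  # "Include unknown areas"

def location_matches(loc: NamedLocation, client_ip: str) -> bool:
    """Does the client's public IP fall inside this named location?"""
    addr = ip_address(client_ip)
    if addr.version == 6:
        # Named locations cannot hold IPv6 ranges, so IPv6 traffic only matches a
        # location whose "Include unknown areas" option is selected.
        return loc.include_unknown
    return any(addr in ip_network(r, strict=False) for r in loc.ip_ranges)

def condition_applies(mode: str, client_ip: str, locations, selected=(), excluded=()) -> bool:
    """mode is 'any', 'trusted' or 'selected'; selected/excluded hold location names."""
    if any(location_matches(l, client_ip) for l in locations if l.name in excluded):
        return False   # an exclusion only takes effect if the IP actually matches it
    if mode == "any":
        return True    # every IPv4 and IPv6 address on the internet
    if mode == "trusted":
        return any(location_matches(l, client_ip) for l in locations if l.trusted)
    if mode == "selected":
        return any(location_matches(l, client_ip) for l in locations if l.name in selected)
    raise ValueError(f"unknown mode {mode!r}")

# Constructed sample locations (documentation ranges, not real tenant data).
CORP_HQ = NamedLocation("Corp HQ", ["203.0.113.0/24"], trusted=True)
MFA_TRUSTED = NamedLocation("MFA Trusted IPs", ["198.51.100.0/28"], trusted=True)
UNKNOWN_AREAS = NamedLocation("Region X (constructed)", include_unknown=True)
LOCATIONS = [CORP_HQ, MFA_TRUSTED, UNKNOWN_AREAS]
TRUSTED_NAMES = [l.name for l in LOCATIONS if l.trusted]

if __name__ == "__main__":
    # "Any location" except trusted locations: off-corpnet IPv4 is in scope, corpnet IPv4
    # is excluded, and IPv6 stays in scope because no IPv6 range can be excluded.
    print(condition_applies("any", "192.0.2.9", LOCATIONS, excluded=TRUSTED_NAMES))    # True
    print(condition_applies("any", "203.0.113.7", LOCATIONS, excluded=TRUSTED_NAMES))  # False
    print(condition_applies("any", "2001:db8::1", LOCATIONS, excluded=TRUSTED_NAMES))  # True
```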

What you should know

When is a location evaluated?

Conditional Access policies are evaluated when:

  • A user initially signs in to a web app, mobile app, or desktop application.
  • A mobile or desktop application that uses modern authentication uses a refresh token to acquire a new access token. By default this check is once an hour.

For mobile and desktop applications using modern authentication, this check means that a change in location would be detected within an hour of changing the network location. For mobile and desktop applications that don't use modern authentication, the policy is applied on each token request. The frequency of the request can vary based on the application. Similarly, for web applications, the policy is applied at initial sign-in and is good for the lifetime of the session at the web application. Due to differences in session lifetimes across applications, the time between policy evaluations will also vary. Each time the application requests a new sign-in token, the policy is applied.

By default, Azure AD issues a token on an hourly basis. After moving off the corporate network, the policy is enforced within an hour for applications using modern authentication.

User IP address

The IP address that is used in policy evaluation is the public IP address of the user. For devices on a private network, this IP address is not the client IP of the user's device on the intranet; it is the address used by the network to connect to the public internet.

Warning

If your device has only an IPv6 address, configuring the location condition is not supported.

Bulk uploading and downloading of named locations

When you create or update named locations, for bulk updates, you can upload or download a CSV file with the IP ranges. An upload replaces the IP ranges in the list with those from the file. Each row of the file contains one IP address range in CIDR format.
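Because an upload replaces the whole list, it is worth checking the CSV before uploading it. The following added example (not Microsoft's tooling) validates such a file against the rules on this page: one CIDR range per row, IPv4 only, no more than 1200 ranges per named location. The duplicate check and the rejection of ranges with host bits set are this example's own conservative choices; the sample file is constructed.

```python
import csv
import io
from ipaddress import ip_network, IPv4Network

MAX_RANGES_PER_LOCATION = 1200   # limit stated on the page

def validate_named_location_csv(text: str):
    """Check a CSV of CIDR ranges before uploading it to a named location.
    Returns (valid_ranges, errors)."""
    valid, errors, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or not row[0].strip():
            continue                               # blank line
        cell = row[0].strip()
        try:
            net = ip_network(cell, strict=True)    # strict: reject ranges with host bits set
        except ValueError:
            errors.append(f"line {lineno}: {cell!r} is not a valid CIDR range")
            continue
        if not isinstance(net, IPv4Network):
            errors.append(f"line {lineno}: {cell} is IPv6; named locations support IPv4 only")
            continue
        if net in seen:
            errors.append(f"line {lineno}: {cell} is a duplicate range")
            continue
        seen.add(net)
        valid.append(net)
    if len(valid) > MAX_RANGES_PER_LOCATION:
        errors.append(f"{len(valid)} ranges exceeds the {MAX_RANGES_PER_LOCATION} "
                      "allowed per named location")
    return valid, errors

# Constructed sample file: two good rows, an IPv6 row, a malformed row, a duplicate.
SAMPLE_CSV = "203.0.113.0/24\n198.51.100.0/28\n2001:db8::/32\nnot-an-ip\n203.0.113.0/24\n"

if __name__ == "__main__":
    ranges, errors = validate_named_location_csv(SAMPLE_CSV)
    print([str(n) for n in ranges])
    print("\n".join(errors))
```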

Cloud proxies and VPNs

When you use a cloud-hosted proxy or VPN solution, the IP address Azure AD uses while evaluating a policy is the IP address of the proxy. The X-Forwarded-For (XFF) header that contains the user's public IP address is not used because there is no validation that it comes from a trusted source, so it would present a method for faking an IP address.

When a cloud proxy is in place, a policy that requires a domain-joined device can be used, or the inside corporate network claim from AD FS.

API support and PowerShell

API and PowerShell are not yet supported for named locations or for Conditional Access policies.

Next steps