
What is Conditional Access?

The modern security perimeter now extends beyond an organization's network to include user and device identity. Organizations can use these identity signals as part of their access control decisions.

Conditional Access is the tool Azure Active Directory uses to bring signals together, make decisions, and enforce organizational policies. Conditional Access is at the heart of the new identity-driven control plane.

Figure: Conceptual Conditional Access signals plus decision to get enforcement

Conditional Access policies at their simplest are if-then statements: if a user wants to access a resource, then they must complete an action. Example: a payroll manager wants to access the payroll application and is required to perform multi-factor authentication to access it.

Administrators are faced with two primary goals:

  • Empower users to be productive wherever and whenever
  • Protect the organization's assets

By using Conditional Access policies, you can apply the right access controls when they are needed to keep your organization secure, and stay out of your users' way when they are not.

Figure: Conceptual Conditional Access process flow

Important

Conditional Access policies are enforced after first-factor authentication is completed. Conditional Access isn't intended to be an organization's first line of defense for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events to determine access.

Common signals

Common signals that Conditional Access can take into account when making a policy decision include the following:

  • User or group membership
    • Policies can be targeted to specific users and groups, giving administrators fine-grained control over access.
  • IP location information
    • Organizations can create trusted IP address ranges that can be used when making policy decisions.
    • Administrators can specify entire countries/regions by IP range to block or allow traffic from.
  • Device
    • Devices of specific platforms, or marked with a specific state, can be used when enforcing Conditional Access policies.
  • Application
    • Users attempting to access specific applications can trigger different Conditional Access policies.
  • Real-time and calculated risk detection
    • Signal integration with Azure AD Identity Protection allows Conditional Access policies to identify risky sign-in behavior. Policies can then force users to perform a password change or multi-factor authentication to reduce their risk level, or block them from access until an administrator takes manual action.
  • Microsoft Cloud App Security (MCAS)
    • Enables user application access and sessions to be monitored and controlled in real time, increasing visibility and control over access to, and activities performed within, your cloud environment.

Common decisions

  • Block access
    • Most restrictive decision
  • Grant access
    • Least restrictive decision; can still require one or more of the following options:
      • Require multi-factor authentication
      • Require device to be marked as compliant
      • Require Hybrid Azure AD joined device
      • Require approved client app
      • Require app protection policy (preview)

Commonly applied policies

Many organizations have common access concerns that Conditional Access policies can help with, such as:

  • Requiring multi-factor authentication for users with administrative roles
  • Requiring multi-factor authentication for Azure management tasks
  • Blocking sign-ins for users attempting to use legacy authentication protocols
  • Requiring trusted locations for Azure Multi-Factor Authentication registration
  • Blocking or granting access from specific locations
  • Blocking risky sign-in behaviors
  • Requiring organization-managed devices for specific applications
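The if-then model described above (signals in, block or grant-with-controls out) as an added example, not Microsoft's engine or any Azure AD API: a small Python evaluator over a constructed policy set that mirrors the commonly applied policies listed above. The signal names, group and application names, and the "XX" placeholder country are assumptions made for this illustration; it shows that a block decision is the most restrictive and wins outright, while the grant controls of every matching policy are combined.

```python
from dataclasses import dataclass, field

RISK = {"none": 0, "low": 1, "medium": 2, "high": 3}  # Identity Protection risk levels
@dataclass
class SignIn:  # constructed sign-in context carrying the signal kinds the article lists
    groups: set
    app: str
    country: str
    legacy_auth: bool
    risk: str = "none"

@dataclass
class Policy:  # an if-then rule: when every set condition matches, apply the decision
    name: str
    groups: set = field(default_factory=set)     # empty = any user
    apps: set = field(default_factory=set)       # empty = any application
    countries: set = field(default_factory=set)  # empty = any location
    legacy_auth: bool = False                    # True = only legacy-protocol sign-ins
    min_risk: str = "none"                       # "none" = ignore risk
    decision: str = "grant"                      # "grant" or "block"
    controls: set = field(default_factory=set)   # e.g. {"mfa", "compliantDevice"}

def applies(p: Policy, s: SignIn) -> bool:
    # Conditions that are left unset match anything; the ones that are set must all match.
    return (
        (not p.groups or bool(p.groups & s.groups))
        and (not p.apps or s.app in p.apps)
        and (not p.countries or s.country in p.countries)
        and (not p.legacy_auth or s.legacy_auth)
        and RISK[s.risk] >= RISK[p.min_risk]
    )

def evaluate(policies, s: SignIn):
    # Block is the most restrictive decision and wins; otherwise grant controls are unioned.
    required = set()
    for p in policies:
        if not applies(p, s):
            continue
        if p.decision == "block":
            return ("block", p.name)
        required |= p.controls
    return ("grant", required)

# Constructed policy set (hypothetical names) mirroring the commonly applied policies.
POLICIES = [
    Policy("Block legacy authentication", legacy_auth=True, decision="block"),
    Policy("Block high-risk sign-ins", min_risk="high", decision="block"),
    Policy("MFA for payroll app", groups={"payroll-managers"}, apps={"payroll"}, controls={"mfa"}),
    Policy("Managed device for admin roles", groups={"global-admins"}, controls={"mfa", "compliantDevice"}),
]
```

A user in both the payroll-managers and global-admins groups opening the payroll app is granted access only after satisfying both MFA and the compliant-device requirement; the same user on a legacy protocol is blocked regardless.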

License requirements

Using this feature requires an Azure AD Premium P1 license. To find the right license for your requirements, see Comparing generally available features of the Free, Basic, and Premium editions.

Customers with Microsoft 365 Business Premium licenses also have access to Conditional Access features.

Sign-in risk requires access to Identity Protection.

Next steps