您现在访问的是微软AZURE全球版技术文档网站,若需要访问由世纪互联运营的MICROSOFT AZURE中国区技术文档网站,请访问 https://docs.azure.cn.

如何:要求托管设备使用条件访问访问 cloud appHow To: Require managed devices for cloud app access with Conditional Access

在移动优先、云优先的世界中,使用 Azure Active Directory (Azure AD) 可以实现从任意位置以单一登录方式登录到应用和服务。In a mobile-first, cloud-first world, Azure Active Directory (Azure AD) enables single sign-on to apps, and services from anywhere. 经授权的用户可以从一系列设备(包括移动设备和个人设备)访问云应用。Authorized users can access your cloud apps from a broad range of devices including mobile and also personal devices. 但是,许多环境中至少有几个应用会要求仅通过满足你的安全性和符合性标准的设备进行访问。However, many environments have at least a few apps that should only be accessed by devices that meet your standards for security and compliance. 这些设备也称为受管理设备。These devices are also known as managed devices.

本文介绍如何配置条件访问策略,这些策略需要托管设备才能访问环境中的某些云应用。This article explains how you can configure Conditional Access policies that require managed devices to access certain cloud apps in your environment.


需要将托管设备用于 cloud app access Azure AD 结合使用条件访问Azure AD 设备管理Requiring managed devices for cloud app access ties Azure AD Conditional Access and Azure AD device management together. 如果尚不熟悉其中的某项功能,应该先阅读以下主题:If you are not familiar with one of these areas yet, you should read the following topics, first:

方案描述Scenario description

掌控安全性与工作效率之间的平衡是一个难题。Mastering the balance between security and productivity is a challenge. 扩大用来访问云资源的受支持设备的范围有助于提高用户的工作效率。The proliferation of supported devices to access your cloud resources helps to improve the productivity of your users. 另一方面,你可能不希望具有未知保护级别的设备访问你的环境中的某些资源。On the flip side, you probably don't want certain resources in your environment to be accessed by devices with an unknown protection level. 对于受影响的资源,你应当要求用户只能使用受管理设备访问它们。For the affected resources, you should require that users can only access them using a managed device.

使用 Azure AD 条件性访问,你可以使用授予访问权限的单个策略满足此要求:With Azure AD Conditional Access, you can address this requirement with a single policy that grants access:

  • 授予对所选云应用的访问权限To selected cloud apps
  • 为所选用户和组授予权限For selected users and groups
  • 要求使用受管理设备Requiring a managed device

受管理设备Managed devices

简而言之,受管理设备是指处于某种组织控制之下的设备。In simple terms, managed devices are devices that are under some sort of organizational control. 在 Azure AD 中,受管理设备的先决条件是它已向 Azure AD 注册。In Azure AD, the prerequisite for a managed device is that it has been registered with Azure AD. 注册设备时会以设备对象的形式为设备创建标识。Registering a device creates an identity for the device in form of a device object. Azure 使用此对象来跟踪设备的状态信息。This object is used by Azure to track status information about a device. 作为 Azure AD 管理员,你可以使用此对象切换(启用/禁用)设备状态。As an Azure AD administrator, you can already use this object to toggle (enable/disable) the state of a device.


若要向 Azure AD 注册设备,你有三种选择:To get a device registered with Azure AD, you have three options:

  • Azure AD 注册的设备-获取注册了 Azure AD 的个人设备Azure AD registered devices - to get a personal device registered with Azure AD
  • Azure AD 联接的设备-用于获取未加入到使用 Azure AD 注册的本地 AD 的组织 Windows 10 设备。Azure AD joined devices - to get an organizational Windows 10 device that is not joined to an on-premises AD registered with Azure AD.
  • 混合 Azure AD 联接的设备-获取加入到使用 Azure AD 注册的本地 AD 的 Windows 10 或受支持的下层设备。Hybrid Azure AD joined devices - to get a Windows 10 or supported down-level device that is joined to an on-premises AD registered with Azure AD.

这三个选项在 "什么是设备标识" 一文中进行了讨论。These three options are discussed in the article What is a device identity?

若要成为受管理设备,注册设备必须是加入混合 Azure AD 的设备或者是已标记为合规的设备To become a managed device, a registered device must be either a Hybrid Azure AD joined device or a device that has been marked as compliant.


要求使用加入混合 Azure AD 的设备Require Hybrid Azure AD joined devices

在条件访问策略中,可以选择 "需要混合 Azure AD 联接的设备",以表明仅可使用托管设备访问所选云应用。In your Conditional Access policy, you can select Require Hybrid Azure AD joined device to state that the selected cloud apps can only be accessed using a managed device.


此设置仅适用于已加入本地 AD 的 Windows 10 或低级别设备(例如 Windows 7 或 Windows 8)。This setting only applies to Windows 10 or down-level devices such as Windows 7 or Windows 8 that are joined to an on-premises AD. 你只能使用混合 Azure AD 加入功能向 Azure AD 注册这些设备,这是一种注册 Windows 10 设备的自动化过程You can only register these devices with Azure AD using a Hybrid Azure AD join, which is an automated process to get a Windows 10 device registered.


怎样使加入混合 Azure AD 的设备成为受管理设备?What makes a Hybrid Azure AD joined device a managed device? 对于加入本地 AD 的设备,假定使用管理解决方案(如 System Center Configuration Manager (SCCM) )或组策略 (GP) 对这些设备进行控制来管理它们。For devices that are joined to an on-premises AD, it is assumed that the control over these devices is enforced using management solutions such as System Center Configuration Manager (SCCM) or group policy (GP) to manage them. 由于 Azure AD 无法确定是否已向设备应用这些方法中的任何一种,因此,在要求使用受管理设备的情况下,要求使用加入混合 Azure AD 的设备是一种相对较弱的机制。Because there is no method for Azure AD to determine whether any of these methods has been applied to a device, requiring a hybrid Azure AD joined device is a relatively weak mechanism to require a managed device. 如果加入本地域的设备同时也是加入混合 Azure AD 的设备,则由管理员判断应用于此类设备的方法是否强大到足以使其成为受管理设备。It is up to you as an administrator to judge whether the methods that are applied to your on-premises domain-joined devices are strong enough to constitute a managed device if such a device is also a Hybrid Azure AD joined device.

要求将设备标记为合规Require device to be marked as compliant

“要求将设备标记为合规”选项是一种用于请求受管理设备的最强大的形式。The option to require a device to be marked as compliant is the strongest form to request a managed device.


此选项要求向 Azure AD 注册设备,此外还要求通过以下方式将该设备标记为合规:This option requires a device to be registered with Azure AD, and also to be marked as compliant by:

  • IntuneIntune
  • 第三方移动设备管理 (MDM) 系统,该系统通过 Azure AD 集成管理 Windows 10 设备。A third-party mobile device management (MDM) system that manages Windows 10 devices via Azure AD integration. 不支持除 Windows 10 以外的设备 OS 类型的第三方 MDM 系统。Third-party MDM systems for device OS types other than Windows 10 are not supported.


对于标记为合规的设备,你可以假设:For a device that is marked as compliant, you can assume that:

  • 员工用来访问公司数据的移动设备是受管理设备The mobile devices your workforce uses to access company data are managed
  • 员工使用的移动应用是受管理应用Mobile apps your workforce uses are managed
  • 通过帮助控制员工访问和共享公司信息的方式,为公司信息提供保护Your company information is protected by helping to control the way your workforce accesses and shares it
  • 该设备及其应用符合公司安全要求The device and its apps are compliant with company security requirements

已知行为Known behavior

在 Windows 7、iOS、Android、macOS 和某些第三方 web 浏览器上 Azure AD 使用在 Azure AD 中注册设备时设置的客户端证书来标识设备。On Windows 7, iOS, Android, macOS, and some third-party web browsers Azure AD identifies the device using a client certificate that is provisioned when the device is registered with Azure AD. 当用户通过浏览器首次登录时,系统将提示用户选择证书。When a user first signs in through the browser the user is prompted to select the certificate. 最终用户必须选择此证书,然后才能继续使用浏览器。The end user must select this certificate before they can continue to use the browser.

后续步骤Next steps

在环境中配置基于设备的条件性访问策略之前,应查看Azure Active Directory 中的条件性访问的最佳做法Before configuring a device-based Conditional Access policy in your environment, you should take a look at the best practices for Conditional Access in Azure Active Directory.