
Quickstart: Require terms of use to be accepted before accessing cloud apps

Before accessing certain cloud apps in your environment, you might want to get consent from users in the form of accepting your terms of use (ToU). Azure Active Directory (Azure AD) Conditional Access provides you with:

  • A simple method to configure ToU
  • The option to require accepting your terms of use through a Conditional Access policy

This quickstart shows how to configure an Azure AD Conditional Access policy that requires a ToU to be accepted for a selected cloud app in your environment.

If you don't have an Azure subscription, create a free account before you begin.

Prerequisites

To complete the scenario in this quickstart, you need:

  • Access to an Azure AD Premium edition - Azure AD Conditional Access is an Azure AD Premium capability.
  • A test account called Isabella Simonsen - If you don't know how to create a test account, see Add cloud-based users.

Test your sign-in

The goal of this step is to get an impression of the sign-in experience without a Conditional Access policy.

To test your sign-in:

  1. Sign in to your Azure portal as Isabella Simonsen.
  2. Sign out.

Create your terms of use

This section provides you with the steps to create a sample ToU. When you create a ToU, you select a value for Enforce with Conditional Access policy templates. Selecting Custom policy opens the dialog to create a new Conditional Access policy as soon as your ToU has been created.

To create your terms of use:

  1. In Microsoft Word, create a new document.

  2. Type My terms of use, and then save the document on your computer as mytou.pdf.

  3. Sign in to your Azure portal as a global administrator, security administrator, or Conditional Access administrator.

  4. In the Azure portal, on the left navbar, click Azure Active Directory.

  5. On the Azure Active Directory page, in the Security section, click Conditional Access.

  6. In the Manage section, click Terms of use.

  7. In the menu on the top, click New terms.

  8. On the New terms of use page:

    1. In the Name textbox, type My TOU.
    2. In the Display name textbox, type My TOU.
    3. Upload your terms of use PDF file.
    4. As Language, select English.
    5. As Require users to expand the terms of use, select On.
    6. As Enforce with Conditional Access policy templates, select Custom policy.
    7. Click Create.

Create your Conditional Access policy

This section shows how to create the required Conditional Access policy. The scenario in this quickstart uses:

  • The Azure portal as a placeholder for a cloud app that requires your ToU to be accepted.
  • Your sample user to test the Conditional Access policy.

In your policy, set:

| Setting | Value |
| --- | --- |
| Users and groups | Isabella Simonsen |
| Cloud apps | Microsoft Azure Management |
| Grant access | My TOU |

To configure your Conditional Access policy:

  1. On the New page, in the Name textbox, type Require TOU for Isabella.

  2. In the Assignment section, click Users and groups.

  3. On the Users and groups page:

    1. Click Select users and groups, and then select Users and groups.
    2. Click Select.
    3. On the Select page, select Isabella Simonsen, and then click Select.
    4. On the Users and groups page, click Done.

  4. Click Cloud apps.

  5. On the Cloud apps page:

    1. Click Select apps.
    2. Click Select.
    3. On the Select page, select Microsoft Azure Management, and then click Select.
    4. On the Cloud apps page, click Done.

  6. In the Access controls section, click Grant.

  7. On the Grant page:

    1. Select Grant access.
    2. Select My TOU.
    3. Click Select.

  8. In the Enable policy section, click On.

  9. Click Create.

Evaluate a simulated sign-in

Now that you have configured your Conditional Access policy, you probably want to know whether it works as expected. As a first step, use the Conditional Access What If policy tool to simulate a sign-in of your test user. The simulation estimates the impact this sign-in has on your policies and generates a simulation report.

To initialize the What If policy evaluation tool, set:

  • Isabella Simonsen as user
  • Microsoft Azure Management as cloud app

Clicking What If creates a simulation report that shows:

  • Require TOU for Isabella under Policies that will apply
  • My TOU as Grant Controls

To evaluate your Conditional Access policy:

  1. On the Conditional Access - Policies page, in the menu on the top, click What If.

  2. Click Users, select Isabella Simonsen, and then click Select.

  3. To select a cloud app:

    1. Click Cloud apps.
    2. On the Cloud apps page, click Select apps.
    3. Click Select.
    4. On the Select page, select Microsoft Azure Management, and then click Select.
    5. On the Cloud apps page, click Done.

  4. Click What If.
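
The policy settings and the What If check described above can also be reasoned about offline against exported policy JSON. The following is an added example, not part of the original quickstart and not Microsoft's code: it assumes policies are held in the Microsoft Graph conditionalAccessPolicy JSON shape, the function names are hypothetical, and the three IDs are constructed placeholders. The evaluation is deliberately simplified to direct user and app assignments.

```python
# Added example: simplified offline What If check over Conditional Access policies
# held as dicts in the Microsoft Graph conditionalAccessPolicy shape.
USER_ID = "00000000-0000-0000-0000-0000000000a1"  # placeholder: Isabella Simonsen's object ID
APP_ID = "00000000-0000-0000-0000-0000000000b2"   # placeholder: Microsoft Azure Management app ID
TOU_ID = "00000000-0000-0000-0000-0000000000c3"   # placeholder: agreement ID of My TOU


def build_tou_policy(name, user_id, app_id, tou_id, state="enabled"):
    """Return the quickstart's policy settings as a Graph-style dict."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": [user_id], "excludeUsers": []},
            "applications": {"includeApplications": [app_id], "excludeApplications": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": [], "termsOfUse": [tou_id]},
    }


def _matches(include, exclude, value):
    """'All' in the include list matches everything; an exclusion always wins."""
    if value in exclude:
        return False
    return "All" in include or value in include


def what_if(policies, user_id, app_id):
    """Return (names of policies that will apply, ToU IDs the sign-in must accept).

    Simplified: groups, roles, locations and device platforms are not evaluated.
    """
    applied, required_tou = [], []
    for p in policies:
        if p.get("state") != "enabled":  # disabled and report-only policies do not enforce
            continue
        users = p["conditions"]["users"]
        apps = p["conditions"]["applications"]
        if not _matches(users.get("includeUsers", []), users.get("excludeUsers", []), user_id):
            continue
        if not _matches(apps.get("includeApplications", []), apps.get("excludeApplications", []), app_id):
            continue
        applied.append(p["displayName"])
        required_tou.extend((p.get("grantControls") or {}).get("termsOfUse", []))
    return applied, required_tou


if __name__ == "__main__":
    policy = build_tou_policy("Require TOU for Isabella", USER_ID, APP_ID, TOU_ID)
    print(what_if([policy], USER_ID, APP_ID))
```

A policy that is disabled, or that lists the test user under excludeUsers, returns no applied policies here, which is the same gap the portal's What If report would reveal before you rely on the ToU prompt.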

Test your Conditional Access policy

In the previous section, you learned how to evaluate a simulated sign-in. In addition to a simulation, you should also test your Conditional Access policy to ensure that it works as expected.

To test your policy, try to sign in to your Azure portal using your Isabella Simonsen test account. You should see a dialog that requires you to accept your terms of use.

Clean up resources

When no longer needed, delete the test user and the Conditional Access policy:

  • If you don't know how to delete an Azure AD user, see Delete users from Azure AD.

  • To delete your policy, select your policy, and then click Delete in the quick access toolbar.

  • To delete your terms of use, select it, and then click Delete terms in the toolbar on top.

Next steps