
Azure Active Directory Conditional Access settings reference

You can use Azure Active Directory (Azure AD) Conditional Access to control how authorized users can access your resources.

This article provides support information for the following configuration options in a Conditional Access policy:

  • Cloud applications assignments
  • Device platform condition
  • Client applications condition
  • Approved client application requirement

Cloud apps assignments

With Conditional Access policies, you control how your users access your cloud apps. When you configure a Conditional Access policy, you need to select at least one cloud app.

Microsoft cloud applications

You can assign a Conditional Access policy to the following cloud apps from Microsoft:

  • Office 365 (preview)
  • Azure Analysis Services
  • Azure DevOps
  • Azure SQL Database and Data Warehouse
  • Dynamics CRM Online
  • Microsoft Application Insights Analytics
  • Microsoft Azure Information Protection
  • Microsoft Azure Management
  • Microsoft Azure Subscription Management
  • Microsoft Cloud App Security
  • Microsoft Commerce Tools Access Control Portal
  • Microsoft Commerce Tools Authentication Service
  • Microsoft Flow
  • Microsoft Forms
  • Microsoft Intune
  • Microsoft Intune Enrollment
  • Microsoft Planner
  • Microsoft PowerApps
  • Microsoft Search in Bing
  • Microsoft StaffHub
  • Microsoft Stream
  • Microsoft Teams
  • Office 365 Exchange Online
  • Office 365 SharePoint Online
  • Office 365 Yammer
  • Office Delve
  • Office Sway
  • Outlook Groups
  • Power BI Service
  • Project Online
  • Skype for Business Online
  • Virtual Private Network (VPN)
  • Windows Defender ATP

Office 365 (preview)

Office 365 provides cloud-based productivity and collaboration services like Exchange, SharePoint, and Microsoft Teams. Office 365 cloud services are deeply integrated to ensure smooth and collaborative experiences. The Office 365 (preview) app makes it possible to target all of these services at once. We recommend using the new Office 365 (preview) app instead of targeting individual cloud apps like Office 365 Exchange Online and Office 365 SharePoint Online, to avoid issues that may arise from inconsistent policies and service dependencies.

Key applications included in the Office 365 (preview) app:

  • Office 365 Exchange Online
  • Office 365 SharePoint Online
  • Microsoft Teams
  • Office 365 Yammer
  • Office portal
  • Microsoft Forms
  • Microsoft Power Automate
  • Microsoft Planner
  • Microsoft PowerApps

Other applications

In addition to the Microsoft cloud apps, you can assign a Conditional Access policy to the following types of cloud apps:

  • Azure AD-connected applications
  • Pre-integrated federated software as a service (SaaS) applications
  • Applications that use password single sign-on (SSO)
  • Line-of-business applications
  • Applications that use Azure AD Application Proxy

Device platform condition

In a Conditional Access policy, you can configure the device platform condition to tie the policy to the operating system on a client. Azure AD Conditional Access supports the following device platforms:

  • Android
  • iOS
  • Windows Phone
  • Windows
  • macOS

If you block legacy authentication using the Other clients condition, you can also set the device platform condition.

Client apps condition

In your Conditional Access policy, you can configure the client apps condition to tie the policy to the client app that initiated an access attempt. Set the client apps condition to grant or block access when an access attempt is made from the following types of client apps:

  • Browser
  • Mobile apps and desktop apps

Supported browsers

In your Conditional Access policy, you can select Browsers as the client app.

This setting works with all browsers. However, to satisfy a device policy, like a compliant device requirement, the following operating systems and browsers are supported:

OS                        Browsers
Windows 10                Microsoft Edge, Internet Explorer, Chrome
Windows 8 / 8.1           Internet Explorer, Chrome
Windows 7                 Internet Explorer, Chrome
iOS                       Microsoft Edge, Intune Managed Browser, Safari
Android                   Microsoft Edge, Intune Managed Browser, Chrome
Windows Phone             Microsoft Edge, Internet Explorer
Windows Server 2019       Microsoft Edge, Internet Explorer, Chrome
Windows Server 2016       Internet Explorer
Windows Server 2012 R2    Internet Explorer
Windows Server 2008 R2    Internet Explorer
macOS                     Chrome, Safari

Why do I see a certificate prompt in the browser

On Windows 7, iOS, Android, and macOS, Azure AD identifies the device using a client certificate that is provisioned when the device is registered with Azure AD. When a user first signs in through the browser, the user is prompted to select the certificate. The user must select this certificate before the browser session can satisfy a device-based policy.

Chrome support

For Chrome support in Windows 10 Creators Update (version 1703) or later, install the Windows 10 Accounts extension. This extension is required when a Conditional Access policy requires device-specific details.

To automatically deploy this extension to Chrome browsers, create the following registry value:

  Path: HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallForcelist
  Name: 1
  Type: REG_SZ (String)
  Data: ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx

For Chrome support in Windows 8.1 and 7, create the following registry value:

  Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls
  Name: 1
  Type: REG_SZ (String)
  Data: {"pattern":"https://device.login.microsoftonline.com","filter":{"ISSUER":{"CN":"MS-Organization-Access"}}}

These browsers support device authentication, allowing the device to be identified and validated against a policy. The device check fails if the browser is running in private mode.
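The following script is an added example and is not part of the original article; it applies the two Chrome settings described above from an elevated PowerShell session (or a GPO/Intune remediation script) and verifies them. The extension id, update URL and certificate-selection rule are the values from the article. Two things are assumptions of this example rather than statements of the article: build 15063 is used as the cut-off for Windows 10 version 1703, and new ExtensionInstallForcelist entries are appended at the next free index instead of overwriting value "1", so extensions forced by other policies are kept.

```powershell
# Added example, not from the original article. Run elevated on the client.
$ExtensionId   = 'ppnbnpeolgkicgegkbkbjmhlideopiji'   # Windows 10 Accounts extension
$UpdateUrl     = 'https://clients2.google.com/service/update2/crx'
$ForcelistKey  = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
$AutoSelectKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls'

# Rule that lets Chrome present the device certificate (issuer CN=MS-Organization-Access)
# to the device-registration endpoint without prompting the user.
$AutoSelectRule = [ordered]@{
    pattern = 'https://device.login.microsoftonline.com'
    filter  = [ordered]@{ ISSUER = [ordered]@{ CN = 'MS-Organization-Access' } }
} | ConvertTo-Json -Compress -Depth 5

function Add-ChromeForcedExtension {
    # ExtensionInstallForcelist is a numbered list: append rather than overwrite value "1"
    # (assumption of this example; the article documents a single value named 1).
    param([Parameter(Mandatory)][string]$Id, [Parameter(Mandatory)][string]$Url)
    $null = New-Item -Path $ForcelistKey -Force
    $entries = (Get-ItemProperty -Path $ForcelistKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' }
    if ($entries | Where-Object { $_.Value -like "$Id;*" }) { return }   # already forced
    $next = 1
    if ($entries) { $next = ([int[]]@($entries.Name) | Measure-Object -Maximum).Maximum + 1 }
    $null = New-ItemProperty -Path $ForcelistKey -Name $next -PropertyType String -Value "$Id;$Url" -Force
}

function Set-ChromeAutoSelectCertificate {
    param([Parameter(Mandatory)][string]$Rule)
    $null = New-Item -Path $AutoSelectKey -Force
    $null = New-ItemProperty -Path $AutoSelectKey -Name '1' -PropertyType String -Value $Rule -Force
}

function Set-ChromeConditionalAccessSupport {
    # Win32_OperatingSystem.Version is e.g. 10.0.17763 (Windows 10), 6.3.9600 (8.1), 6.1.7601 (7).
    $os = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    if ($os.Major -ge 10 -and $os.Build -ge 15063) {          # Windows 10 1703 or later (assumed cut-off)
        Add-ChromeForcedExtension -Id $ExtensionId -Url $UpdateUrl
        return 'extension'
    }
    if ($os.Major -eq 6 -and $os.Minor -in 1, 3) {            # Windows 7 (6.1) or Windows 8.1 (6.3)
        Set-ChromeAutoSelectCertificate -Rule $AutoSelectRule
        return 'certificate-rule'
    }
    throw "The article documents no Chrome setting for OS version $os."
}

function Test-ChromeConditionalAccessSupport {
    # $true when either documented setting is present; usable as the detection half of a remediation script.
    $forced = (Get-ItemProperty -Path $ForcelistKey -ErrorAction SilentlyContinue).PSObject.Properties |
        Where-Object { $_.Value -like "$ExtensionId;*" }
    $rule = (Get-ItemProperty -Path $AutoSelectKey -Name '1' -ErrorAction SilentlyContinue).'1'
    return ([bool]$forced) -or
        ($rule -like '*device.login.microsoftonline.com*' -and $rule -like '*MS-Organization-Access*')
}

$applied = Set-ChromeConditionalAccessSupport
if (-not (Test-ChromeConditionalAccessSupport)) { throw "Setting '$applied' was written but could not be read back." }
"Applied: $applied"
```

Chrome reads both keys only from the HKLM policy hive, so the script must run as an administrator; after it runs, restart Chrome and check chrome://policy to confirm the values were picked up. Remember that the device check still fails for any InPrivate or Incognito window, whatever the registry contains.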

Supported mobile applications and desktop clients

In your Conditional Access policy, you can select Mobile apps and desktop clients as the client app.

This setting affects access attempts made from the following mobile apps and desktop clients:

  • Dynamics CRM app
    Target service: Dynamics CRM
    Platforms: Windows 10, Windows 8.1, iOS, and Android
  • Mail/Calendar/People app, Outlook 2016, Outlook 2013 (with modern authentication)
    Target service: Office 365 Exchange Online
    Platforms: Windows 10
  • MFA and location policy for apps (device-based policies are not supported)
    Target service: Any My Apps app service
    Platforms: Android and iOS
  • Microsoft Teams Services: controls all services that support Microsoft Teams and all its client apps (Windows desktop, iOS, Android, Windows Phone, and web client)
    Target service: Microsoft Teams
    Platforms: Windows 10, Windows 8.1, Windows 7, iOS, Android, and macOS
  • Office 2016 apps, Office 2013 (with modern authentication), OneDrive sync client (see notes)
    Target service: Office 365 SharePoint Online
    Platforms: Windows 8.1, Windows 7
  • Office 2016 apps, Universal Office apps, Office 2013 (with modern authentication), OneDrive sync client (see notes); Office Groups support and SharePoint app support are planned for the future
    Target service: Office 365 SharePoint Online
    Platforms: Windows 10
  • Office 2016 (Word, Excel, PowerPoint, OneNote only); OneDrive for Business support is planned for the future
    Target service: Office 365 SharePoint Online
    Platforms: macOS
  • Office 2019
    Target service: Office 365 SharePoint Online
    Platforms: Windows 10, macOS
  • Office mobile apps
    Target service: Office 365 SharePoint Online
    Platforms: Android, iOS
  • Office Yammer app
    Target service: Office 365 Yammer
    Platforms: Windows 10, iOS, Android
  • Outlook 2019
    Target service: Office 365 SharePoint Online
    Platforms: Windows 10, macOS
  • Outlook 2016 (Office for macOS)
    Target service: Office 365 Exchange Online
    Platforms: macOS
  • Outlook 2016, Outlook 2013 (with modern authentication), Skype for Business (with modern authentication)
    Target service: Office 365 Exchange Online
    Platforms: Windows 8.1, Windows 7
  • Outlook mobile app
    Target service: Office 365 Exchange Online
    Platforms: Android, iOS
  • Power BI app
    Target service: Power BI service
    Platforms: Windows 10, Windows 8.1, Windows 7, Android, and iOS
  • Skype for Business
    Target service: Office 365 Exchange Online
    Platforms: Android, iOS
  • Visual Studio Team Services app
    Target service: Visual Studio Team Services
    Platforms: Windows 10, Windows 8.1, Windows 7, iOS, and Android

Support for legacy authentication

By selecting Other clients, you can specify a condition that affects apps that use basic authentication with mail protocols like IMAP, MAPI, POP, and SMTP, and older Office apps that don't use modern authentication. Because these clients cannot perform multi-factor authentication or present device state, the Other clients condition is mostly used with a Block access control.

For more information, see Client apps.
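Before a policy that blocks Other clients is enforced, a practitioner wants to know which accounts still sign in that way. The script below is an added example, not part of the original article: it classifies sign-in records by the clientAppUsed field and summarises legacy-authentication use per user, client and resource, separating successful sign-ins (users or service accounts that will break) from failures (often password spraying against a protocol that cannot do MFA). The records are constructed for this example; in production, pass in records from the Azure AD sign-in log (GET https://graph.microsoft.com/beta/auditLogs/signIns, or Get-AzureADAuditSignInLogs from the AzureADPreview module), which carry the same clientAppUsed and status.errorCode fields. The exact legacy clientAppUsed strings ("Other clients; IMAP" and so on) are assumed here; the classifier only relies on the two modern values named in the article.

```powershell
# Added example, not from the original article. Sample records are constructed.
$SampleSignIns = @(
    [pscustomobject]@{ userPrincipalName = 'alice@contoso.example';   appDisplayName = 'Office 365 Exchange Online';   clientAppUsed = 'Browser';                            createdDateTime = '2019-11-04T08:12:00Z'; status = @{ errorCode = 0 } }
    [pscustomobject]@{ userPrincipalName = 'bob@contoso.example';     appDisplayName = 'Office 365 Exchange Online';   clientAppUsed = 'Other clients; IMAP';                createdDateTime = '2019-11-04T08:20:00Z'; status = @{ errorCode = 0 } }
    [pscustomobject]@{ userPrincipalName = 'bob@contoso.example';     appDisplayName = 'Office 365 Exchange Online';   clientAppUsed = 'Other clients; IMAP';                createdDateTime = '2019-11-05T07:55:00Z'; status = @{ errorCode = 0 } }
    [pscustomobject]@{ userPrincipalName = 'carol@contoso.example';   appDisplayName = 'Office 365 SharePoint Online'; clientAppUsed = 'Mobile Apps and Desktop clients';    createdDateTime = '2019-11-04T09:01:00Z'; status = @{ errorCode = 0 } }
    [pscustomobject]@{ userPrincipalName = 'dave@contoso.example';    appDisplayName = 'Office 365 Exchange Online';   clientAppUsed = 'Other clients; Older Office clients'; createdDateTime = '2019-11-04T10:30:00Z'; status = @{ errorCode = 0 } }
    [pscustomobject]@{ userPrincipalName = 'scanner@contoso.example'; appDisplayName = 'Office 365 Exchange Online';   clientAppUsed = 'Other clients; SMTP';                createdDateTime = '2019-11-04T11:45:00Z'; status = @{ errorCode = 0 } }
    [pscustomobject]@{ userPrincipalName = 'erin@contoso.example';    appDisplayName = 'Office 365 Exchange Online';   clientAppUsed = 'Other clients; POP';                 createdDateTime = '2019-11-04T12:02:00Z'; status = @{ errorCode = 50126 } }  # failed: invalid username or password
)

function Test-ModernAuthClient {
    # The two client-app buckets that can satisfy MFA and device controls. Everything else
    # (Exchange ActiveSync, IMAP, POP, SMTP, MAPI, older Office clients) is legacy and cannot.
    param([Parameter(Mandatory)][string]$ClientAppUsed)
    return $ClientAppUsed -in 'Browser', 'Mobile Apps and Desktop clients'
}

function Get-LegacyAuthUsage {
    param([Parameter(Mandatory)][object[]]$SignIns)
    $SignIns |
        Where-Object { -not (Test-ModernAuthClient -ClientAppUsed $_.clientAppUsed) } |
        Group-Object -Property userPrincipalName, clientAppUsed, appDisplayName |
        ForEach-Object {
            $g = $_.Group
            [pscustomobject]@{
                User      = $g[0].userPrincipalName
                ClientApp = $g[0].clientAppUsed
                Resource  = $g[0].appDisplayName
                Successes = @($g | Where-Object { $_.status.errorCode -eq 0 }).Count   # will break when blocked
                Failures  = @($g | Where-Object { $_.status.errorCode -ne 0 }).Count   # review for spraying
                LastSeen  = ($g.createdDateTime | Sort-Object | Select-Object -Last 1)  # ISO 8601 sorts chronologically
            }
        } | Sort-Object Successes -Descending
}

Get-LegacyAuthUsage -SignIns $SampleSignIns | Format-Table -AutoSize
```

Rows with successes are the migration list (modern-auth clients for the users, an alternative such as authenticated relay for the SMTP scanner account); rows with only failures are candidates for blocking immediately, since nothing legitimate depends on them. Running the policy in report-only mode for a few weeks and repeating this query over that window is the usual check before switching it to enforced.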

Approved client app requirement

In your Conditional Access policy, you can require that an access attempt to the selected cloud apps is made from an approved client app.

This setting applies to the following client apps:

  • Microsoft Azure Information Protection
  • Microsoft Bookings
  • Microsoft Cortana
  • Microsoft Dynamics 365
  • Microsoft Edge
  • Microsoft Excel
  • Microsoft Flow
  • Microsoft Intune Managed Browser
  • Microsoft Invoicing
  • Microsoft Kaizala
  • Microsoft Launcher
  • Microsoft OneDrive
  • Microsoft OneNote
  • Microsoft Outlook
  • Microsoft Planner
  • Microsoft PowerApps
  • Microsoft Power BI
  • Microsoft PowerPoint
  • Microsoft SharePoint
  • Microsoft Skype for Business
  • Microsoft StaffHub
  • Microsoft Stream
  • Microsoft Teams
  • Microsoft To-Do
  • Microsoft Visio
  • Microsoft Word
  • Microsoft Yammer

Remarks

  • The approved client apps support the Intune mobile application management feature.
  • The Require approved client app requirement:
  • Conditional Access cannot consider Microsoft Edge in InPrivate mode an approved client app.

App protection policy requirement

In your Conditional Access policy, you can require that an app protection policy is present on the client app before access to the selected cloud apps is granted.

This setting applies to the following client apps:

  • Microsoft Cortana
  • Microsoft OneDrive
  • Microsoft Outlook
  • Microsoft Planner

Remarks

  • Apps for the app protection policy requirement support the Intune mobile application management feature with policy protection.
  • The Require app protection policy requirement:
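The conditions and controls described in this article (cloud app assignment, device platform, client app types including Other clients for legacy authentication, and the approved client app and app protection policy grant controls) map directly onto the Microsoft Graph Conditional Access API. The script below is an added example, not part of the original article: a small builder that emits policy bodies with safe defaults (report-only state, a break-glass account excluded) and two policies built from it. Property names and enum values follow the Graph beta conditionalAccessPolicy resource as this example assumes them; the break-glass object id and the bearer token are placeholders you must replace.

```powershell
# Added example, not from the original article. Targets the Graph beta Conditional Access API.
function New-CaPolicyBody {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [string[]]$IncludeApplications = @('All'),   # app ids, 'All', or 'Office365' for the Office 365 (preview) app
        [string[]]$IncludeUsers = @('All'),
        [string[]]$ExcludeUsers = @(),               # keep an emergency-access account out of every policy
        [string[]]$Platforms = @('all'),             # android, iOS, windows, windowsPhone, macOS, all
        [string[]]$ClientAppTypes = @('all'),        # browser, mobileAppsAndDesktopClients, exchangeActiveSync, other, all
        [string[]]$GrantControls = @(),              # empty = block; otherwise mfa, compliantDevice, approvedApplication, compliantApplication ...
        [ValidateSet('enabled', 'disabled', 'enabledForReportingButNotEnforced')]
        [string]$State = 'enabledForReportingButNotEnforced'   # report-only first; review sign-in log impact before enforcing
    )
    $controls = if ($GrantControls.Count -eq 0) { @('block') } else { $GrantControls }
    $body = [ordered]@{
        displayName   = $DisplayName
        state         = $State
        conditions    = [ordered]@{
            applications   = @{ includeApplications = $IncludeApplications }
            users          = @{ includeUsers = $IncludeUsers; excludeUsers = $ExcludeUsers }
            platforms      = @{ includePlatforms = $Platforms }
            clientAppTypes = $ClientAppTypes
        }
        grantControls = @{ operator = 'OR'; builtInControls = $controls }
    }
    return ($body | ConvertTo-Json -Depth 10)
}

$BreakGlass = @('00000000-0000-0000-0000-000000000000')   # placeholder: object id of the emergency-access account

# 1. Block legacy authentication on every platform: "Other clients" (IMAP, POP, SMTP, MAPI,
#    older Office clients) plus Exchange ActiveSync, none of which can satisfy MFA or device controls.
$BlockLegacyAuth = New-CaPolicyBody -DisplayName 'Block legacy authentication' `
    -ClientAppTypes @('exchangeActiveSync', 'other') -ExcludeUsers $BreakGlass

# 2. Office 365 from mobile apps on iOS and Android only through an approved client app, or an
#    app with an Intune app protection policy applied; browser access is left to a separate policy.
$MobileOffice365 = New-CaPolicyBody -DisplayName 'Office 365 on mobile: approved apps only' `
    -IncludeApplications @('Office365') -Platforms @('iOS', 'android') `
    -ClientAppTypes @('mobileAppsAndDesktopClients') `
    -GrantControls @('approvedApplication', 'compliantApplication') -ExcludeUsers $BreakGlass

function Publish-CaPolicy {
    # The token must carry the Policy.ReadWrite.ConditionalAccess permission.
    param([Parameter(Mandatory)][string]$Json, [Parameter(Mandatory)][string]$AccessToken)
    Invoke-RestMethod -Method Post -ContentType 'application/json' -Body $Json `
        -Uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/policies' `
        -Headers @{ Authorization = "Bearer $AccessToken" }
}

$BlockLegacyAuth
$MobileOffice365
# Publish-CaPolicy -Json $BlockLegacyAuth -AccessToken $env:GRAPH_TOKEN
```

Both policies are created in report-only state on purpose: the sign-in log then records what each policy would have done, which is the check to run before flipping state to enabled. The second policy deliberately scopes the platform condition to iOS and Android, matching the platforms on which the approved client apps listed above run.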

Next steps