Allow only mobile apps that support Intune app protection policies to access Office 365 services

Applies to: Intune in the classic portal
Looking for documentation about Intune in the Azure portal? Go here.

Intune app protection policies help protect your company data on devices that are enrolled for management in Intune. You can also use app protection policies on employee-owned devices that are not enrolled for management in Intune. In this case, even though you don't manage the device, you still need to make sure that your company data and resources are protected. Using app-based conditional access with MAM, you can create a policy that allows only mobile apps that support Intune app protection policies to access O365 services like Exchange Online.

For example, by only allowing the Microsoft Outlook app to access Exchange Online, you can block the built-in mail apps on iOS and Android, which don't have the data protection provided by Intune MAM policies, from getting email from Exchange Online. Or you can block mobile apps that don't have Intune MAM support from accessing SharePoint Online.

The diagram below illustrates the flow used by app-based conditional access policies to determine when to allow or block access.

[Diagram: shows the various criteria included to determine whether to allow or block access.]

Description of the abbreviations used in the diagram:

  • CP: Company Portal app
  • AA: Azure Authenticator app
  • AAD: Azure Active Directory
  • EAS: Exchange ActiveSync

Prerequisites

Before you create an app-based conditional access policy, you must have an Enterprise Mobility + Security or an Azure Active Directory Premium subscription, and the users must be licensed for EMS or Azure AD. For more details, see the Enterprise Mobility pricing page or the Azure Active Directory pricing page.

Supported apps

Exchange Online:

  • Microsoft Outlook for Android and iOS

SharePoint Online:

  • Microsoft Word for iOS and Android
  • Microsoft Excel for iOS and Android
  • Microsoft PowerPoint for iOS and Android
  • Microsoft OneDrive for Business for iOS and Android
  • Microsoft OneNote for iOS

Important

For Android devices, the initial device registration must be done by logging into either the OneDrive app or the Outlook app. The OneNote app for Android does not yet support MAM without enrollment.

To learn about the user experience with an app that has app-based conditional access policies, see What to expect when using an app with MAM CA.

Next steps

Create an Exchange Online policy for MAM apps

Create a SharePoint Online policy for MAM apps

Block apps that do not have modern authentication

See also

Protect app data with app protection policies