Set up app-based conditional access (CA) policies for SharePoint Online

Applies to: Intune
This topic applies to Intune in both the Azure portal and the classic console.

This topic provides guidance on how to set up an app-based conditional access policy for SharePoint Online. App-based CA helps admins allow only mobile apps that have Intune app protection policies applied.

To create the app-based CA policy for SharePoint Online

  1. Go to the Azure portal and sign in with your credentials.

    Note

    If you're new to the Azure portal experience, read the Azure portal for app protection policies topic.

  2. Choose More services from the left menu, then type Intune in the text box filter.

  3. Choose Intune App Protection > Intune mobile application management > All Settings.

  4. On the Intune mobile application management blade, choose the SharePoint Online tile.

  5. On the Allowed apps blade, choose the Allow apps that support Intune app policies option to allow only apps that are supported by Intune app protection policies.

    Note

    When you select the option to only allow apps that are supported by Intune app protection policies, a list containing only the supported apps is displayed.

    Screenshot of the Allowed apps blade showing the list of apps

To assign app-based CA policies to your users

  1. Open the Restricted user groups blade, then choose Add user group.

  2. Select one or more user groups that should get this policy.

    Screenshot of the Restricted user groups blade with the Add user group option highlighted

    Important

    You may want some users in the user group you selected in the previous step not to be affected by this policy. In such cases, add the group of users to the exempted user groups list.

  3. On the SharePoint Online blade, choose Exempted user groups, then choose Add user group to open the list of user groups.

  4. Select the groups you want to exempt from this policy.

To modify or delete user groups from an existing app-based CA policy

  1. Open the Restricted user groups blade, then highlight the user group you want to delete.
  2. Click the ellipsis to see the delete options.
  3. Choose Delete to remove the user group from the list.

Note

You can follow the same procedure to remove a user group from the Exempted user groups list.

Next steps

Block apps that do not use modern authentication

See also

Protect app data with app protection policies

Configure app-based CA for Exchange Online
