Protect access to Dynamics CRM Online with Intune

Applies to: Intune in the classic portal
Looking for documentation about Intune in the Azure portal? Go here.

You can control access to Microsoft Dynamics CRM Online from iOS and Android devices by using Microsoft Intune conditional access. Intune conditional access has two components:

To learn more about how conditional access works, read the protect access to email, O365, and other services article.

Important

To deploy conditional access, you must have subscriptions for Intune and Azure Active Directory Premium, and users must be licensed for both products. The Enterprise Mobility + Security (EMS) subscription includes both Intune and Azure Active Directory Premium subscriptions. For more details, see the Enterprise Mobility pricing page. If you don't have the EMS subscription, you can get a subscription for Azure Active Directory Premium. See the Azure Active Directory pricing page.

When a targeted user attempts to use the Dynamics CRM app on their device, the following evaluation occurs:

Diagram: decision points used to determine whether a device is allowed or blocked from accessing the service

The device that needs access to Dynamics CRM Online must be:

  • An Android or iOS device.
  • Enrolled with Intune.
  • Compliant with any deployed Intune compliance policies.

The device state is stored in Azure Active Directory, which grants or blocks access based on the conditions that you specify.

If a condition is not met, the user is presented with one of the following messages when they sign in:

  • If the device is not enrolled with Intune or is not registered in Azure Active Directory, a message is displayed with instructions about how to install the Company Portal app and enroll.
  • If the device is not compliant, a message is displayed that directs the user to the Microsoft Intune Company Portal website or Company Portal app, where they can find information about the problem and how to remediate it.

Configure conditional access for Dynamics CRM Online

Step 1: Configure Active Directory security groups

Before you start, configure Azure Active Directory security groups for the conditional access policy. You can configure these groups in the Office 365 admin center. You use these groups to target or exempt users from the policy. When a user is targeted by a policy, each device they use must be compliant in order to access resources.

You can specify two group types to use for the Dynamics CRM policy:

  • Targeted groups. Contains groups of users that the policy applies to.
  • Exempted groups. Contains groups of users that are exempt from the policy.

If a user is in both groups, they are exempt from the policy.

Step 2: Configure and deploy a compliance policy

Create a compliance policy and deploy it to all devices that will be affected by the policy. These are all the devices that are used by the users in the Targeted groups.

Note

While compliance policies are deployed to Intune groups, conditional access policies are targeted to Azure Active Directory security groups.

Important

If you have not deployed a compliance policy, the devices will be treated as compliant.

When you are ready, continue to Step 3.

Step 3: Configure the Dynamics CRM policy

Next, configure the policy to require that only managed and compliant devices can access Dynamics CRM. This policy will be stored in Azure Active Directory.

  1. In the Intune administration console, choose Policy > Conditional Access > Dynamics CRM Online Policy.

    Screenshot of the Dynamics CRM Online conditional access policy page

  2. Choose Enable conditional access policy.

  3. Under Application access, you can choose to apply the conditional access policy to:
    • iOS
    • Android
  4. Under Targeted Groups, choose Modify to select the Azure Active Directory security groups that the policy will apply to. You can choose to target this to all users or just a select group of users.
  5. Under Exempted Groups, optionally, choose Modify to select the Azure Active Directory security groups that are exempt from this policy.
  6. When you are done, choose Save.

You have now configured conditional access for Dynamics CRM. You do not have to deploy the conditional access policy; it takes effect immediately.
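The following is an added worked model of the evaluation this page describes (targeted and exempted groups, enrollment, compliance, and the "no compliance policy deployed" caveat), plus the three monitoring filters; it is example code written for this article, not Intune's own logic, and the group names used in it are constructed.

```python
from dataclasses import dataclass

# Constructed model of the evaluation flow this page describes (targeted and
# exempted groups, enrollment, compliance); it is not Intune's own logic.
ALLOW = "allow"
NOT_TARGETED = "allow: user is not targeted by the policy"
PLATFORM_NOT_SELECTED = "not evaluated: platform not selected under Application access"
BLOCK_NOT_ENROLLED = "block: install the Company Portal app and enroll"
BLOCK_NOT_COMPLIANT = "block: see the Company Portal for the problem and remediation"

@dataclass(frozen=True)
class Policy:
    enabled: bool = True
    platforms: frozenset = frozenset({"ios", "android"})   # Application access
    targeted_groups: frozenset = frozenset()               # Targeted groups (AAD)
    exempted_groups: frozenset = frozenset()               # Exempted groups (AAD)
    compliance_policy_deployed: bool = True                # any Intune compliance policy?

@dataclass(frozen=True)
class Device:
    platform: str
    enrolled: bool      # enrolled with Intune and registered in AAD
    compliant: bool     # meets every deployed compliance policy

def user_is_targeted(policy: Policy, user_groups) -> bool:
    groups = frozenset(user_groups)
    if groups & policy.exempted_groups:      # in both groups: exemption wins
        return False
    return bool(groups & policy.targeted_groups)

def evaluate(policy: Policy, user_groups, device: Device) -> str:
    """Return the outcome a user sees when opening the Dynamics CRM app."""
    if not policy.enabled or not user_is_targeted(policy, user_groups):
        return NOT_TARGETED
    if device.platform.lower() not in policy.platforms:
        return PLATFORM_NOT_SELECTED
    if not device.enrolled:
        return BLOCK_NOT_ENROLLED
    # With no compliance policy deployed, the device is treated as compliant.
    if policy.compliance_policy_deployed and not device.compliant:
        return BLOCK_NOT_COMPLIANT
    return ALLOW

def monitor_filter(device: Device) -> str:
    """Bucket a device the way the Groups workspace Devices filters do."""
    if not device.enrolled:
        return "Devices that are not registered with AAD"
    if not device.compliant:
        return "Devices that are not compliant"
    return "Devices that are registered with AAD and compliant"
```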

Monitor the compliance and conditional access policies

In the Groups workspace, you can view the conditional access status of your devices.

Choose any mobile device group and then, on the Devices tab, choose one of the following Filters:

  • Devices that are not registered with AAD. These devices are blocked from Dynamics CRM.
  • Devices that are not compliant. These devices are blocked from Dynamics CRM.
  • Devices that are registered with AAD and compliant. These devices can access Dynamics CRM.

Next steps