Protect access to email, Office 365, and other services with Microsoft Intune

Applies to: Intune in the classic portal
Looking for documentation about Intune in the Azure portal? Go here.

You can protect access to your company email, Office 365 services like Exchange On-premises, Exchange Online, Exchange Online Dedicated, SharePoint Online, Skype for Business Online, and other services by using Enterprise Mobility + Security (EMS) Conditional Access. This capability allows you to make sure that access to your company email and Office 365 services is restricted to devices that are compliant with the conditional access rules that you set either in the Intune admin console or the Azure classic portal.

How does conditional access work?

You can use compliance policy settings to evaluate the compliance of a device. A conditional access policy uses that evaluation to restrict or allow access to a specific service. When you use a conditional access policy in combination with a device compliance policy, only compliant devices are allowed to access the service. The compliance policy and the conditional access policy are deployed to the user. Any device that the user uses to access the services is checked for compliance with the policies.

Important

Keep in mind that the user who is using the device must have a compliance policy deployed to them in order for the device to be evaluated for compliance. If no compliance policy is deployed to the user, the device is treated as compliant, and no access restrictions are applied.

When devices don't meet the conditions that are set in the policies, the end user is guided through the process of enrolling the device and fixing the issue that prevents the device from being compliant.

A typical flow of conditional access:

[Diagram: the decision points used to determine whether a device is allowed or blocked from accessing a service]

Setup considerations

Licensing

Microsoft Intune and Azure Active Directory (Azure AD) Premium work seamlessly together to provide multiple layers of control through EMS conditional access. If you want to deploy conditional access policies using Intune, you're required to have licenses for both products.

Azure AD Premium licenses can be purchased as a standalone service or can be purchased (along with Intune) as part of the Enterprise Agreement. If you have deployed conditional access policies with Intune, ensure that you have obtained the proper Azure AD Premium or EMS licenses.

Additionally, make sure the users to whom you plan to apply conditional access policies are assigned Azure AD Premium or EMS licenses.

Device compliance settings

To set up conditional access, configure a device compliance policy and a conditional access policy. The compliance policy includes settings like passcode, encryption, and whether or not a device is jailbroken. The device must meet these rules in order to be considered compliant.

Conditional access policy

You can set a conditional access policy to protect access based on:

  • The device compliance status.
  • The platform that is running on the device.
  • The type of apps that are used to access the services.

Unlike other Intune policies, you don't deploy conditional access policies. Instead, after you configure the policy and select the users that should have the policy, the policy is applied to all targeted users. When a user is targeted by a policy, each device they use must be compliant in order for them to access resources.
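The evaluation flow described above, written out as a small model so the decision order and the caveat in the Important note are explicit: a targeted user with no compliance policy deployed passes as compliant with no checks at all. This is an added illustration, not Intune's own code or API; the policy fields, the "modern-auth" app type and the user names are constructed.

```python
from dataclasses import dataclass

@dataclass
class CompliancePolicy:
    """Compliance rules named on the page: passcode, encryption, jailbreak."""
    require_passcode: bool = True
    require_encryption: bool = True
    block_jailbroken: bool = True

@dataclass
class Device:
    user: str
    platform: str        # e.g. "iOS", "Android", "Windows"
    has_passcode: bool
    encrypted: bool
    jailbroken: bool

@dataclass
class ConditionalAccessPolicy:
    targeted_users: frozenset    # CA policies are applied to selected users, not deployed
    allowed_platforms: frozenset
    allowed_app_types: frozenset  # constructed label, e.g. "modern-auth"

def is_compliant(device, compliance_by_user):
    """Evaluate the device against the compliance policy deployed to its user.
    A user with no compliance policy is treated as compliant (page caveat)."""
    policy = compliance_by_user.get(device.user)
    if policy is None:
        return True
    if policy.require_passcode and not device.has_passcode:
        return False
    if policy.require_encryption and not device.encrypted:
        return False
    return not (policy.block_jailbroken and device.jailbroken)

def access_decision(device, app_type, ca_policy, compliance_by_user):
    """Return (decision, reason) for one access attempt by this device."""
    if device.user not in ca_policy.targeted_users:
        return ("allow", "user not targeted by conditional access")
    if device.platform not in ca_policy.allowed_platforms:
        return ("block", "platform not allowed")
    if app_type not in ca_policy.allowed_app_types:
        return ("block", "app type not allowed")
    if not is_compliant(device, compliance_by_user):
        return ("block", "device not compliant: user is guided to enrol and remediate")
    return ("allow", "compliant device")

def compliance_gaps(ca_policy, compliance_by_user):
    """Targeted users with no compliance policy: their devices pass unchecked."""
    return {u for u in ca_policy.targeted_users if u not in compliance_by_user}

# Constructed sample tenant state (not from the page): only alice has a compliance policy.
COMPLIANCE = {"alice": CompliancePolicy()}
CA = ConditionalAccessPolicy(frozenset({"alice", "bob"}), frozenset({"iOS", "Android"}),
                             frozenset({"modern-auth"}))
```

`compliance_gaps(CA, COMPLIANCE)` reports bob, whose jailbroken, unencrypted device would be allowed through; it is the audit an administrator would want to run before relying on the policy.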

Next steps

  1. Create a device compliance policy.

  2. Create a conditional access policy for one of the following Microsoft cloud services/products: