Protect email access to Exchange Online and new Exchange Online Dedicated with Intune

Applies to: Intune in the classic console
Looking for documentation about Intune on Azure? Go here.

You can configure conditional access for Exchange Online or Exchange Online Dedicated by using Microsoft Intune. To learn more about how conditional access works, read the Protect access to email, O365, and other services article.

Note

If you have an Exchange Online Dedicated environment and need to find out whether it's in the new or the legacy configuration, contact your account manager.

Before you begin

To configure conditional access, you must:

  • Have an Office 365 subscription that includes Exchange Online (such as E3), and users must be licensed for Exchange Online.

  • Have an Enterprise Mobility + Security (EMS) subscription or an Azure Active Directory (Azure AD) Premium subscription, and users must be licensed for EMS or Azure AD. For more details, see the Enterprise Mobility pricing page or the Azure Active Directory pricing page.

  • Consider configuring the optional Intune service-to-service connector, which connects Intune to Exchange Online and helps you manage device information through the Intune console. You don't need the connector to use compliance policies or conditional access policies, but it is required to run the reports that help you evaluate the impact of conditional access.

    Note

    Do not configure the Intune service-to-service connector if you intend to use conditional access for both Exchange Online and Exchange on-premises.

Device compliance requirements

When you configure conditional access policies and target them to a user, before that user can connect to their email, the device they use must be:

  • A domain-joined PC, or enrolled with Intune.

  • Registered in Azure Active Directory. This happens automatically when the device is enrolled with Intune. Additionally, the client's Exchange ActiveSync ID must be registered with Azure Active Directory.

    The Azure Active Directory Device Registration service is activated automatically for Intune and Office 365 customers. Customers who have already deployed the ADFS Device Registration service will not see registered devices in on-premises Active Directory.

  • Compliant with any Intune compliance policies that are deployed to that device, or joined to an on-premises domain.

When the device is not compliant

If a conditional access policy isn't met, the device is quarantined immediately, and the user receives an email and sees one of the following quarantine notifications when they sign in:

  • If the device isn't enrolled with Intune or isn't registered in Azure Active Directory, a message is displayed with instructions on how to install the Company Portal app, enroll the device, and activate email. This process also associates the device's Exchange ActiveSync ID with its record in Azure Active Directory.

  • If the device is evaluated as not compliant with the compliance policy rules, the user is directed to the Intune Company Portal website or the Company Portal app, where they can find information about the problem and how to remediate it.

How conditional access works with Exchange Online

The following diagram illustrates the flow used by conditional access policies for Exchange Online.

Diagram showing the decision points that determine whether device access is allowed or blocked

Support for mobile devices

You can protect access to Exchange Online email from Outlook and other apps that use modern authentication. The following are supported:

  • Android 4.0 and later, Samsung Knox Standard 4.0 and later, and Android for Work
  • iOS 8.0 and later

Modern authentication brings sign-in based on the Active Directory Authentication Library (ADAL) to Microsoft Office clients.

  • ADAL-based authentication enables Office clients to engage in browser-based authentication (also known as passive authentication). To authenticate, the user is directed to a sign-in web page.
  • This new sign-in method enables stronger security such as multi-factor authentication and certificate-based authentication. For more detailed information, see How modern authentication works. You can set up ADFS claim rules to block non-modern authentication protocols. Detailed instructions are provided in Scenario 3: Block all access to O365 except browser-based applications.

You can protect access to Outlook Web Access (OWA) on Exchange Online when a user accesses it from a browser on iOS and Android devices. Access is only allowed from supported browsers on compliant devices:

  • Safari (iOS)
  • Chrome (Android)
  • Intune Managed Browser (iOS, Android 5.0 and later)

    Important

    Unsupported browsers are blocked.

The OWA app for iOS and Android can be modified not to use modern authentication, and it isn't supported. Access from the OWA app must be blocked through ADFS claim rules.

You can protect access to Exchange email from the built-in Exchange ActiveSync email client on the following platforms:

  • Android 4.0 and later, Samsung Knox Standard 4.0 and later

  • iOS 8.0 and later

  • Windows Phone 8.1 and later

Support for PCs

You can set up conditional access for PCs that use Office desktop applications to access Exchange Online and SharePoint Online. The PCs must meet the following requirements:

  • The PC must be running Windows 7, Windows 8.1, or Windows 10.

    Note

    To use conditional access with Windows 10 PCs, you must update those PCs with the Windows 10 Anniversary Update.

    The PC must either be domain joined or compliant with the compliance policy rules.

    To be considered compliant, the PC must be enrolled in Intune and comply with the policies.

    For domain-joined PCs, you must set up conditional access to automatically register the device with Azure Active Directory.

    Note

    Conditional access isn't supported on PCs that are running the Intune computer client.

  • Office 365 modern authentication must be enabled, and the PC must have all the latest Office updates.

    Modern authentication brings sign-in based on the Active Directory Authentication Library (ADAL) to Office 2013 Windows clients. It enables stronger security such as multi-factor authentication and certificate-based authentication.

  • ADFS claim rules are set up to block non-modern authentication protocols. Detailed instructions are provided in Scenario 3: Block all access to O365 except browser-based applications.

Configure conditional access

Step 1: Configure and deploy a compliance policy

Make sure you create a compliance policy and deploy it to the user groups that will also get the conditional access policy.

Important

If you haven't deployed a compliance policy, devices are considered compliant and are allowed access to Exchange.

Step 2: Evaluate the effect of the conditional access policy

After you configure the conditional access policy, you can use the Mobile Device Inventory Reports to identify the devices that might be blocked from accessing Exchange.

To do this, configure a connection between Intune and Exchange by using the Microsoft Intune service-to-service connector.

  1. Navigate to Reports > Mobile Device Inventory Reports. Screenshot of the Mobile Device Inventory Reports page

  2. In the report parameters, select the Intune group that you want to evaluate and, if required, the device platforms that the policy will apply to.

  3. After you've selected the criteria that meet your organization's needs, choose View Report. The Report Viewer opens in a new window. Screenshot of a sample mobile device inventory report

After you run the report, examine these four columns to determine whether a user will be blocked:

  • Management Channel: Indicates whether the device is managed by Intune, Exchange ActiveSync, or both.

  • AAD Registered: Indicates whether the device is registered with Azure Active Directory (known as Workplace Join).

  • Compliant: Indicates whether the device is compliant with any compliance policies that you deployed.

  • Exchange ActiveSync ID: iOS and Android devices are required to have their Exchange ActiveSync ID associated with the device registration record in Azure Active Directory. This happens when the user chooses the Activate Email link in the quarantine email.

    Note

    Windows Phone devices always display a value in this column.

Devices that are part of a targeted group are blocked from accessing Exchange unless all four column values match the allow row in the following table; a mismatch in any one column is enough to block the device:

  Management Channel | AAD Registered | Compliant | Exchange ActiveSync ID | Resulting action
  Managed by Microsoft Intune and Exchange ActiveSync | Yes | Yes | A value is displayed | Email access is allowed
  Any other value | No | No | No value is displayed | Email access is blocked

You can export the contents of the report and use the Email Address column to tell your users that they will be blocked.

Step 3: Configure user groups for the conditional access policy

Conditional access policies are targeted to Azure Active Directory security groups of users. You can also exempt certain user groups from a conditional access policy. When a user is targeted by a policy, each device that they use must be compliant in order to access email.

You can configure these groups in the Office 365 admin center or in the Intune account portal.

You can specify two group types in each policy:

  • Targeted groups: User groups that the policy is applied to.

  • Exempted groups: User groups that are exempt from the policy (optional).

If a user is in both groups, they are exempt from the policy.

Only the groups that are targeted by the conditional access policy are evaluated.

Step 4: Configure the conditional access policy

Note

You can also create a conditional access policy in the Azure AD management console. The Azure AD management console lets you create an Intune device conditional access policy (referred to as a device-based conditional access policy in Azure AD), in addition to other conditional access policies such as multi-factor authentication.

You can also set conditional access policies for third-party enterprise apps that Azure AD supports, such as Salesforce and Box. For more details, see How to set Azure Active Directory device-based conditional access policy for access control to Azure Active Directory-connected applications.

  1. In the Microsoft Intune administration console, choose Policy > Conditional Access > Exchange Online Policy.

  2. On the Exchange Online Policy page, choose Enable conditional access policy for Exchange Online.

    Note

    If you haven't deployed a compliance policy, devices are treated as compliant.

    Regardless of the compliance state, all users who are targeted by the policy are required to enroll their devices with Intune.

  3. Under Application access, for apps that use modern authentication, you have two ways of choosing which platforms the policy should apply to. Supported platforms include Android, iOS, Windows, and Windows Phone.

    • All platforms

      This requires that any device used to access Exchange Online is enrolled in Intune and compliant with the policies. Any client application that uses modern authentication is subject to the conditional access policy. If the platform is not currently supported by Intune, access to Exchange Online is blocked.

      Selecting the All platforms option means that Azure Active Directory applies this policy to all authentication requests, regardless of the platform that is reported by the client application. All platforms are required to enroll and become compliant, except for:

      • Windows devices, which are required to be enrolled and compliant, domain joined with on-premises Active Directory, or both.
      • Unsupported platforms such as Mac OS. However, apps that use modern authentication coming from these platforms are still blocked.
    • Specific platforms

      The conditional access policy applies to any client app that uses modern authentication on the device platforms that you specify.

  4. Under Outlook Web Access (OWA), you can choose to allow access to Exchange Online only through the supported browsers: Safari (iOS) and Chrome (Android). Access from other browsers is blocked. The same platform restrictions that you selected for Application access for Outlook also apply here.

    On Android devices, users must enable browser access. To do this, the user must enable the Enable Browser Access option on the enrolled device as follows:

    1. Open the Company Portal app.
    2. Go to the Settings page from the ellipsis (…) or the hardware menu button.
    3. Press the Enable Browser Access button.
    4. In the Chrome browser, sign out of Office 365 and restart Chrome.

    On the iOS and Android platforms, to identify the device that is used to access the service, Azure Active Directory issues a Transport Layer Security (TLS) certificate to the device. The device displays the certificate with a prompt asking the user to select it, as shown in the following screenshots. The user must select this certificate before they can continue to use the browser.

    iOS

    Screenshot of the certificate prompt on an iPad

    Android

    Screenshot of the certificate prompt on an Android device

  5. Under Exchange ActiveSync apps, you can choose to block noncompliant devices from accessing Exchange Online. You can also select whether to allow or block access to email when the device isn't running a supported platform. Supported platforms include Android, iOS, Windows, and Windows Phone.

    Exchange ActiveSync apps on Android for Work devices:

    • Only the Gmail and Nine Work apps in the work profile are supported on Android for Work devices. For conditional access to work on Android for Work devices, you must deploy an email profile for the Gmail or Nine Work app, and also deploy the app as a required installation.
  6. Under Targeted Groups, select the Active Directory security groups of users that the policy applies to. You can either target all users or a selected list of user groups. Screenshot of the Exchange Online conditional access policy page that shows the Targeted and Exempted group options

    Note

    For users in the Targeted groups, the Intune policies replace Exchange rules and policies.

    Exchange only enforces the Exchange allow, block, and quarantine rules, and Exchange policies, if:

    • A user isn't licensed for Intune.
    • A user is licensed for Intune, but doesn't belong to any security groups that are targeted in the conditional access policy.
  7. Under Exempted Groups, select the Active Directory security groups of users that are exempt from this policy. If a user is in both the targeted and exempted groups, they are exempt from the policy.

  8. When you're done, choose Save.

  • You don't have to deploy the conditional access policy; it takes effect immediately.

  • After a user creates an email account, the device is blocked immediately.

  • If a blocked user enrolls the device with Intune and fixes any noncompliance issues, email access is unblocked within two minutes.

  • If the user unenrolls their device, email is blocked after around six hours.

To see some example scenarios of how you would configure a conditional access policy to protect device access, see Protect email access example scenarios.
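The decision rules spread across Steps 2 to 4 (the four report columns that must all match the allow row, targeted versus exempted groups, the All platforms versus Specific platforms scope, the Windows domain-join exception, the OWA browser restriction, and the "no compliance policy deployed means compliant" behavior) are easy to misread when you only see them in the console. The following script is an added example, not Intune or Microsoft code: it models those rules as a small evaluator and applies the Step 2 table to an exported inventory report so you can list the users who will be blocked before you enable the policy. The CSV column names, the decision labels, the sample export rows and the group names are assumptions constructed for the example; check the header of your own export before running it over real data.

```python
"""Model of the Exchange Online conditional access decisions described on this page.

Added example, not Intune code. It folds together the report triage from
Step 2 (the four report columns) and the targeting, platform and device rules
from Steps 3 and 4. The CSV column names and the decision strings are
assumptions chosen to mirror the page's wording; the real report export may
differ, so check the header of your own export before running this over it.
"""
import csv
import io

# Platforms the page lists as supported for conditional access.
SUPPORTED_PLATFORMS = {"Android", "iOS", "Windows", "Windows Phone"}
# Browsers the page lists as allowed for OWA on compliant mobile devices.
SUPPORTED_BROWSERS = {("iOS", "Safari"), ("Android", "Chrome"),
                      ("iOS", "Managed Browser"), ("Android", "Managed Browser")}
# Management Channel value that the Step 2 table requires for access.
ALLOWED_CHANNEL = "Managed by Microsoft Intune and Exchange ActiveSync"


def policy_applies(user_groups, targeted, exempted):
    """Step 3: only targeted groups are evaluated, and an exempted group wins
    if a user is in both. targeted may be the string "all" (target all users)."""
    groups = set(user_groups)
    if groups & set(exempted):
        return False
    return targeted == "all" or bool(groups & set(targeted))


def device_meets_requirements(device):
    """Device compliance requirements: a domain-joined PC registered in Azure AD,
    or a device that is enrolled, registered, compliant and (iOS/Android) has its
    EAS ID linked. compliant=None models "no compliance policy deployed", which
    the page says is treated as compliant."""
    compliant = device["compliant"] is not False
    if device["platform"] == "Windows" and device["domain_joined"]:
        return device["aad_registered"]
    needs_eas_id = device["platform"] in ("iOS", "Android")
    return (device["enrolled"] and device["aad_registered"] and compliant
            and (device["eas_id"] is not None or not needs_eas_id))


def evaluate(user_groups, device, policy):
    """Return (decision, reason) for one sign-in, following the page's flow.
    decision is 'allowed', 'blocked' or 'not-evaluated' (Exchange rules apply)."""
    if not policy_applies(user_groups, policy["targeted"], policy["exempted"]):
        return "not-evaluated", "user not targeted; Exchange allow/block/quarantine rules apply"
    platform, client = device["platform"], device["client"]
    if client == "eas":
        if platform not in SUPPORTED_PLATFORMS:
            allow = policy["eas_allow_unsupported_platform"]
            return ("allowed" if allow else "blocked", "unsupported platform on an EAS client")
    else:  # "modern" (Outlook and other ADAL apps) or "browser" (OWA)
        if policy["platforms"] == "all":
            if platform not in SUPPORTED_PLATFORMS:
                return "blocked", "modern auth from an unsupported platform is blocked"
        elif platform not in policy["platforms"]:
            return "not-evaluated", "platform is outside the policy's Specific platforms scope"
        if client == "browser" and (platform, device["browser"]) not in SUPPORTED_BROWSERS:
            return "blocked", "unsupported browser for OWA"
    if device_meets_requirements(device):
        return "allowed", "device enrolled, registered and compliant (or domain joined)"
    return "blocked", "device quarantined until enrolled, registered and compliant"


def report_row_allowed(row):
    """Step 2 table: all four columns must match the allow row."""
    return (row["Management Channel"] == ALLOWED_CHANNEL
            and row["AAD Registered"] == "Yes"
            and row["Compliant"] == "Yes"
            and row["Exchange ActiveSync ID"].strip() != "")


def users_to_notify(report_csv):
    """Email addresses from an exported inventory report whose device would be
    blocked once the policy is enabled (the export step at the end of Step 2)."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return sorted(r["Email Address"] for r in rows if not report_row_allowed(r))


# Constructed sample export for the example; not real report data.
SAMPLE_REPORT = """Email Address,Management Channel,AAD Registered,Compliant,Exchange ActiveSync ID
alice@contoso.example,Managed by Microsoft Intune and Exchange ActiveSync,Yes,Yes,EAS-0001
bob@contoso.example,Managed by Exchange ActiveSync,No,No,
carol@contoso.example,Managed by Microsoft Intune and Exchange ActiveSync,Yes,No,EAS-0003
dave@contoso.example,Managed by Microsoft Intune and Exchange ActiveSync,Yes,Yes,
"""

# Hypothetical policy: target the Sales group, exempt a pilot group, All platforms.
SAMPLE_POLICY = {"targeted": {"Sales"}, "exempted": {"CA-Pilot-Exempt"},
                 "platforms": "all", "eas_allow_unsupported_platform": False}

if __name__ == "__main__":
    print(users_to_notify(SAMPLE_REPORT))
    mac = {"platform": "Mac OS", "client": "modern", "browser": None, "enrolled": False,
           "aad_registered": False, "compliant": None, "eas_id": None, "domain_joined": False}
    print(evaluate({"Sales"}, mac, SAMPLE_POLICY))
```

Run it against an export saved from the Report Viewer by reading the file into `users_to_notify`; the `evaluate` function is useful for checking a single user and device against the policy before you change the targeted or exempted groups, in particular the two cases that surprise people: a user in both groups is exempt, and a device with no compliance policy deployed counts as compliant.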

Monitor the compliance and conditional access policies

To view devices that are blocked from Exchange

On the Intune dashboard, choose the Blocked Devices from Exchange tile to show the number of blocked devices and links to more information. Screenshot of the Intune dashboard showing the number of devices that are blocked from accessing Exchange

Next steps

To provide product feedback, visit Intune Feedback.