使用 Microsoft Intune 保护对 SharePoint Online 的访问Protect access to SharePoint Online with Microsoft Intune

适用于:经典控制台中的 IntuneApplies to: Intune in the classic console
正在查找有关 Azure 中的 Intune 的文档?Looking for documentation about Intune on Azure? 请转到此处Go here.

使用 Microsoft Intune 条件访问控制对 SharePoint Online 上文件的访问。Use Microsoft Intune conditional access to control access to files that are located on SharePoint Online. 条件性访问有两个组件:Conditional access has two components:

  • 设备合规性策略,设备必须符合才能被视为合规。A device compliance policy that the device must comply with in order to be considered compliant.
  • 条件性访问策略,可指定设备必须满足才能访问服务的条件。A conditional access policy where you specify the conditions that the device must meet in order to access the service. 若要深入了解条件访问的工作原理,请参阅主题保护对电子邮件、O365 服务和其他服务的访问To learn more about how conditional access works, read the Protect access to email, O365, and other services topic.

将合规性和条件性访问策略部署到用户。You deploy the compliance and conditional access policies to users. 检查用户用于访问服务的设备是否符合策略。Any device that a user uses to access the services is checked for compliance with the policies.

如果用户尝试在其设备上使用受支持的应用(如 OneDrive)连接到文件,将进行以下评估:When a user attempts to connect to a file by using a supported app such as OneDrive on their device, the following evaluation occurs:

图示显示了确定允许访问还是阻止设备访问 SharePoint 的决策点

在配置 SharePoint Online 的条件性访问策略之前,必须:Before configuring a conditional access policy for SharePoint Online, you must:

  • 具有 SharePoint Online 订阅,并且用户必须获得 SharePoint Online 许可。Have a SharePoint Online subscription, and users must be licensed for SharePoint Online.
  • 具有企业移动性 + 安全性 (EMS) 订阅Azure Active Directory (Azure AD) Premium 订阅,并且用户必须获得 EMS 或 Azure AD 许可。Have an Enterprise Mobility + Security (EMS) subscription or an Azure Active Directory (Azure AD) Premium subscription, and users must be licensed for EMS or Azure AD. 有关详细信息,请参阅企业移动性定价页Azure Active Directory 定价页For more details, see the Enterprise Mobility pricing page or the Azure Active Directory pricing page.

若要连接到所需文件,设备必须:To connect to the required files, a device must be:

  • 已向 Intune 注册或是已加入域的电脑。Enrolled with Intune or a domain-joined PC.

  • 已在 Azure Active Directory 中注册(向 Intune 注册设备时会自动发生此情况)。Registered in Azure Active Directory (this happens automatically when the device is enrolled with Intune).

  • 符合任何已部署的 Intune 合规性策略。Compliant with any deployed Intune compliance policies.

根据指定的条件,设备状态存储在可授予或阻止对文件的访问权限的 Azure Active Directory 中。The device state is stored in Azure Active Directory, which grants or blocks access to the files, based on the conditions that you specify.

如果不满足条件,用户在登录时将看到以下消息之一:If a condition isn't met, the user sees one of the following messages when they sign in:

  • 如果未向 Intune 注册设备,或未在 Azure Active Directory 中注册,则会显示一条消息,其中包含有关如何安装公司门户应用和进行注册的说明。If the device isn't enrolled with Intune or isn't registered in Azure Active Directory, a message is displayed with instructions about how to install the Company Portal app and enroll.

  • 如果设备不符合策略,则会显示一条消息,将用户定向到 Intune 公司门户网站,用户可从中找到有关问题及其修正方法的信息。If the device isn't compliant, a message is displayed that directs the user to the Intune Company Portal website, where they can find information about the problem and how to remediate it.

条件访问不会应用于外部共享Conditional access doesn't apply to external sharing. 若要了解如何在租户或站点集合中阻止外部共享,请参阅管理您的 SharePoint Online 环境的外部共享To learn how to prevent external sharing in your tenant or site collection, see Manage external sharing for your SharePoint Online environment.


如果启用 SharePoint Online 的条件访问,建议你禁用列表上的域,如 Remove-SPOTenantSyncClientRestriction 主题中所述。If you enable conditional access for SharePoint Online, we recommend that you disable the domain on the list, as described in the Remove-SPOTenantSyncClientRestriction topic.

对移动设备的支持Support for mobile devices

支持以下设备:The following are supported:

  • iOS 8.0 及更高版本iOS 8.0 and later
  • Android 4.0 及更高版本、Samsung Knox 标准版 4.0 或更高版本Android 4.0 and later, Samsung Knox Standard 4.0 or later
  • Windows Phone 8.1 及更高版本Windows Phone 8.1 and later

通过 iOSAndroid 设备上的浏览器进行访问时,可保护对 SharePoint Online 的访问。You can protect access to SharePoint Online when iOS and Android devices access it from a browser. 仅允许从合规设备上受支持的浏览器进行访问:Access is only allowed from supported browsers on compliant devices:

  • Safari (iOS)Safari (iOS)
  • Chrome (Android)Chrome (Android)
  • Intune Managed Browser(iOS 和 Android 5.0 及更高版本)Intune Managed Browser (iOS and Android 5.0 and later)

将阻止不受支持的浏览器Unsupported browsers are blocked.

对 PC 的支持Support for PCs

支持以下设备:The following are supported:

  • Windows 8.1 及更高版本(若电脑已注册到 Intune)Windows 8.1 and later (when PCs are enrolled with Intune)
  • Windows 7.0、Windows 8.1 或 Windows 10(若电脑已加入域),Windows 7.0, Windows 8.1, or Windows 10 (when PCs are domain joined),


    若要使用 Windows 10 电脑的条件访问,必须使用 Windows 10 周年更新更新电脑。To use conditional access with Windows 10 PCs, you must update those PCs with the Windows 10 Anniversary Update.

    • 必须将已加入域的电脑设置为自动注册到 Azure Active Directory。You must set up domain-joined PCs to automatically register with Azure Active Directory. Azure AD 设备注册服务将对 Intune 和 Office 365 客户自动激活。The Azure AD Device Registration service will be activated automatically for Intune and Office 365 customers. 已经部署了 ADFS 设备注册服务的用户不会在本地 Active Directory 上看到已注册的设备。Customers who have already deployed the ADFS Device Registration service will not see registered devices in on-premises Active Directory.

    • 如果策略设置为要求加入域,而电脑未加入域,则会显示一条消息,要求与 IT 管理员联系。If the policy is set to require a domain join and the PC isn't domain joined, a message is displayed to contact the IT admin.

    • 如果策略设置要求加入域或合规,而电脑不符合任一要求,则会显示一条消息,其中包含有关如何安装公司门户应用和进行注册的说明。If the policy is set to require a domain join or compliance, and the PC doesn't meet either requirement, a message is displayed with instructions about how to install the Company Portal app and enroll.


      运行 Intune 计算机客户端的电脑不支持条件访问。Conditional access is not supported on PCs that are running the Intune computer client.

Office 365 新式验证必须已启用,并且具有所有最新的 Office 更新。Office 365 modern authentication must be enabled and have all the latest Office updates.

新式验证将基于 Active Directory 身份验证库 (ADAL) 的登录引入到 Office 2013 Windows 客户端中,并实现诸如“多重身份验证”和“基于证书的身份验证”等更佳的安全性。Modern authentication brings sign-in based on Active Directory Authentication Library (ADAL) to Office 2013 Windows clients and enables better security, like multi-factor authentication and certificate-based authentication.

配置 SharePoint Online 的条件性访问Configure conditional access for SharePoint Online

步骤 1:配置 Active Directory 安全组Step 1: Configure Active Directory security groups

在开始之前,针对条件访问策略配置 Azure Active Directory 安全组。Before you start, configure Azure Active Directory security groups for the conditional access policy. 可在“Office 365 管理中心”,或“Intune 帐户门户”中配置这些组。You can configure these groups in the Office 365 admin center or in the Intune account portal. 这些组将用于以用户为目标或从策略中免除用户。You use these groups to target or exempt users from the policy. 如果将某个用户设定为策略目标,则其使用的每个设备都必须合规才能访问资源。When a user is targeted by a policy, each device that they use must be compliant in order to access resources.

你可以在 SharePoint Online 策略中指定两种组类型:You can specify two group types in a SharePoint Online policy:

  • 目标组:包含将应用策略的用户组。Targeted groups: Contains groups of users that the policy applies to.

  • 免除组:包含从策略中免除的用户组。Exempted groups: Contains groups of users that are exempt from the policy.

如果用户位于两个组中,则会将其从策略中免除。If a user is in both groups, they are exempt from the policy.

步骤 2:配置和部署合规性策略Step 2: Configure and deploy a compliance policy

如果尚未执行此操作,请先创建合规性策略并将其部署到 SharePoint Online 策略将视为目标的用户。If you haven't already done so, create a compliance policy, and deploy it to the users that the SharePoint Online policy targets.


将合规性策略部署到 Intune 组,而条件性访问策略以 Azure Active Directory 安全组为目标。While compliance policies are deployed to Intune groups, conditional access policies are targeted to Azure Active Directory security groups.

若要深入了解如何配置合规性策略,请参阅创建合规性策略For details about how to configure the compliance policy, see Create a compliance policy.


如果尚未部署合规性策略,那么设备将被视为合规。If you haven't deployed a compliance policy, the devices are treated as compliant.

准备就绪后,继续执行步骤 3When you're ready, continue to Step 3.

步骤 3:配置 SharePoint Online 策略Step 3: Configure the SharePoint Online policy

接下来,配置策略以要求只有托管及合规设备才能访问 SharePoint Online。Next, configure the policy to require that only managed and compliant devices can access SharePoint Online. 此策略存储在 Azure Active Directory 中。This policy is stored in Azure Active Directory.


还可在 Azure AD 管理控制台中为 Intune 设备创建条件访问策略,该策略在 Azure AD 中称为“基于设备的条件访问策略”。You can also create a conditional access policy for Intune devices in the Azure AD management console (the policy is referred to as the device-based conditional access policy in Azure AD). 此外,可创建其他条件访问策略,如多重身份验证。In addition, you can create other conditional access policies like multi-factor authentication. 还可为 Azure AD 支持的第三方企业应用(如 Salesforce 和 Box)设置条件访问策略。You can also set conditional access policies for third-party enterprise apps that Azure AD supports, like Salesforce and Box. 有关详细信息,请参阅如何将 Azure Active Directory 针对访问控制的基于设备的条件访问策略设置为 Azure Active Directory 连接的应用程序For more details, see How to set Azure Active Directory device-based conditional access policy for access control to Azure Active Directory connected applications.

  1. Microsoft Intune 管理控制台中,选择“策略” > “条件访问” > “SharePoint Online 策略”。In the Microsoft Intune administration console, choose Policy > Conditional Access > SharePoint Online Policy. SharePoint Online 策略页面的屏幕截图Screenshot of the SharePoint Online Policy page

  2. 选择“启用 SharePoint Online 的条件性访问策略”。Select Enable conditional access policy for SharePoint Online.

  3. 在“应用程序访问”下,可以选择将条件性访问策略应用到:Under Application access, you can choose to apply the conditional access policy to:

    • 所有平台All platforms

      这要求用于访问 SharePoint Online 的设备已在 Intune 中注册且符合相应的策略。This requires that any device used to access SharePoint Online is enrolled in Intune and is compliant with the policies. 任何使用新式验证的客户端应用程序需遵守条件性访问策略。Any client application that uses modern authentication is subject to the conditional access policy. 如果 Intune 当前不支持该平台,则会阻止对 SharePoint Online 的访问。If the platform isn't currently supported by Intune, access to SharePoint Online is blocked.

      选择“所有平台”选项意味着无论客户端应用程序报告的是什么平台,Azure Active Directory 都会将此策略应用于所有身份验证请求。Selecting the All platforms option means that Azure Active Directory applies this policy to all authentication requests, regardless of the platform that is reported by the client application. 所有平台都需为已注册并合规,以下各项除外:All platforms are required to be enrolled and become compliant, except for:

      • Windows 设备需要注册并合规,并且/或者域已加入本地 Active Directory 域。Windows devices, which are required to be enrolled and compliant, domain joined with on-premises Active Directory, or both.
      • 不受支持的平台,如 Mac。Unsupported platforms like Mac. 但是,仍将阻止使用来自这些平台的新式验证的应用。However, apps using modern authentication that come from these platforms are still blocked.
    • 特定平台Specific platforms

      条件性访问策略会应用到在你指定的平台上使用新式验证的任何客户端应用。The conditional access policy applies to any client app that is using modern authentication on the platforms that you specify.

      Windows 电脑必须加入域,或是向 Intune 注册并符合策略。For Windows PCs, a PC must either be domain joined, or enrolled with Intune and compliant. 可以设置以下要求:You can set the following requirements:

      • 设备必须已加入域或必须是合规的。Devices must be domain joined or compliant. 选择此选项要求电脑必须已加入域或符合在 Intune 中设置的策略。Choose this option to require that PCs must either be domain joined or compliant with the policies that are set in Intune. 如果电脑不满足任一要求,系统会提示用户向 Intune 注册设备。If a PC doesn't meet either of these requirements, the user is prompted to enroll the device with Intune.

      • 设备必须是合规的。Devices must be compliant. 选择此选项要求电脑必须在 Intune 中注册并且必须符合策略。Choose this option to require that PCs must be enrolled in Intune and compliant. 如果电脑未注册,则会显示一条消息,其中包含有关如何注册的说明。If a PC isn't enrolled, a message with instructions on how to enroll is displayed.

  4. 浏览器访问 SharePoint Online 和 OneDrive for Business 下,可选择仅允许通过受支持的浏览器(Safari (iOS) 和 Chrome (Android))访问 Exchange Online。Under Browser access to SharePoint Online and OneDrive for Business, you can choose to allow access to Exchange Online only through the supported browsers: Safari (iOS) and Chrome (Android). 将阻止来自其他浏览器的访问。Access from other browsers is blocked. 为 OneDrive 的应用程序访问选择的相同平台限制在此处同样适用。The same platform restrictions that you selected for Application access for OneDrive also apply here.

    Android 设备上,用户必须启用浏览器访问。On Android devices, users must enable browser access. 若要执行此操作,用户必须在已注册的设备上选择“启用浏览器访问”选项,如下所示:To do this, a user must choose the Enable Browser Access option on the enrolled device as follows:

    1. 打开“公司门户”应用。Open the Company Portal app.
    2. 通过省略号 (…) 或硬件菜单按钮,转到“设置”页面。Go to the Settings page from the ellipsis (…) or hardware menu button.
    3. 按“启用浏览器访问”按钮。Press the Enable Browser Access button.
    4. 在 Chrome 浏览器中,从 Office 365 中注销并重启 Chrome。In the Chrome browser, sign out of Office 365 and restart Chrome.

    iOSAndroid 平台上,为了识别用于访问服务的设备,Azure Active Directory 将向设备颁发一个传输层安全性 (TLS) 证书。On iOS and Android platforms, to identify the device that is used to access the service, Azure Active Directory issues a Transport Layer Security (TLS) certificate to the device. 设备会显示证书,并提示用户选择证书,如下面的屏幕截图所示。The device displays the certificate with a prompt to the user to select the certificate, as shown in the following screenshots. 用户必须选择此证书,然后才能使用浏览器。The user must select this certificate before they can use the browser.


    iPad 上证书提示的屏幕截图


    Android 设备上证书提示的屏幕截图

  5. 在“目标组”下,选择“修改”选择将应用策略的 Azure Active Directory 安全组。Under Targeted Groups, choose Modify to select the Azure Active Directory security groups that the policy applies to. 你可以选择将此应用于所有用户或仅针对选择的用户组。You can choose to target this to all users or just a select group of users.

  6. 或者,在“免除组”下,选择“修改”以选择从此策略中免除的 Azure Active Directory 安全组。Under Exempted Groups, optionally, choose Modify to select the Azure Active Directory security groups that are exempt from this policy.

  7. 完成后,选择“保存”。When you're done, choose Save.

不需要部署条件访问策略—它会立即生效。You don't have to deploy the conditional access policy—it takes effect immediately.

步骤 4:监视合规性和条件访问策略Step 4: Monitor the compliance and conditional access policies

在“组”工作区中,可以查看设备的状态。In the Groups workspace, you can view the status of your devices.

选择任一移动设备组。Select any mobile device group. 然后在“设备” 选项卡上,选择以下“筛选器”之一:Then, on the Devices tab, choose one of the following Filters:

  • 未向 AAD 注册的设备Devices that are not registered with AAD. 阻止这些设备访问 SharePoint Online。These devices are blocked from SharePoint Online.

  • 不合规的设备Devices that are not compliant. 阻止这些设备访问 SharePoint Online。These devices are blocked from SharePoint Online.

  • 已向 AAD 注册并合规的设备Devices that are registered with AAD and compliant. 这些设备可访问 SharePoint Online。These devices can access SharePoint Online.

另请参阅See also

使用 Microsoft Intune 保护对电子邮件和 O365 服务的访问Protect access to email and O365 services with Microsoft Intune

要提交产品反馈,请访问 Intune Feedback