Protect access to Skype for Business Online with Microsoft Intune

Applies to: Intune in the classic console

You can use a conditional access policy for Skype for Business Online to control access to Skype for Business Online. Conditional access has two components:

  • A device compliance policy that the device must comply with in order to be considered compliant.
  • A conditional access policy in which you specify the conditions that the device must meet in order for the user to access the service. To learn more about how conditional access works, read the Protect access to email and O365 services article.

When a targeted user attempts to use Skype for Business Online on their device, the following evaluation occurs:

[Diagram: the decision points used to determine whether a device is allowed or blocked from accessing Skype for Business Online]

Before configuring a conditional access policy for Skype for Business Online, you must:

  • Have a Skype for Business Online subscription and assign the Skype for Business Online license to users.
  • Have an Enterprise Mobility + Security (EMS) subscription or an Azure Active Directory (Azure AD) Premium subscription, and have users licensed for EMS or Azure AD. For more details, see Enterprise Mobility pricing or Azure Active Directory pricing.

  • Enable modern authentication for Skype for Business Online.

  • Have all your users using Skype for Business Online. If you have a deployment with both Skype for Business Online and Skype for Business on-premises, the conditional access policy will not be applied to users.

The device that needs access to Skype for Business Online must:

  • Be an Android or iOS device.

  • Be enrolled with Intune.

  • Be compliant with any deployed Intune compliance policies.

The device state is stored in Azure Active Directory, which grants or blocks access based on the conditions that you specify.

If a condition is not met, the user is presented with one of the following messages when they sign in:

  • If the device is not enrolled with Intune or is not registered in Azure Active Directory, a message is displayed with instructions about how to install the Company Portal app and enroll.

  • If the device is not compliant, a message is displayed that directs the user to the Intune Company Portal website or Company Portal app, where they can find information about the problem and how to fix it.
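As an added illustration (not part of this page and not Intune or Microsoft code), the following Python models the evaluation described above, including the targeted/exempted group rule from Step 1 and the note in Step 2 that devices are treated as compliant when no compliance policy has been deployed. The class names, field names and message strings are assumptions chosen for the model.

```python
"""Model of the Skype for Business Online conditional access evaluation.

Added illustration only; names and messages are assumptions, not Intune's.
"""
from dataclasses import dataclass, field

# Paraphrases of the two sign-in messages the page describes.
ENROLL_MSG = "Install the Company Portal app and enroll this device."
NONCOMPLIANT_MSG = "Device is not compliant; see the Company Portal for details."


@dataclass
class Device:
    platform: str          # e.g. "iOS", "Android", "Windows"
    enrolled: bool         # enrolled with Intune
    aad_registered: bool   # registered in Azure Active Directory
    compliant: bool        # result of the deployed compliance policies


@dataclass
class SkypePolicy:
    enabled: bool = True
    # Platforms selected under "Application access" (iOS, Android).
    platforms: set = field(default_factory=lambda: {"iOS", "Android"})
    targeted_groups: set = field(default_factory=set)   # Azure AD group names
    exempted_groups: set = field(default_factory=set)   # Azure AD group names
    compliance_policy_deployed: bool = True


def evaluate(policy, user_groups, device):
    """Return (allowed, message) for one sign-in attempt by a user."""
    if not policy.enabled:
        return True, ""
    # A user in both a targeted and an exempted group is exempt.
    if user_groups & policy.exempted_groups:
        return True, ""
    if not (user_groups & policy.targeted_groups):
        return True, ""        # user is not targeted by this policy
    # Platforms not selected in the policy are outside its scope.
    if device.platform not in policy.platforms:
        return True, ""
    if not device.enrolled or not device.aad_registered:
        return False, ENROLL_MSG
    # No compliance policy deployed: the device is treated as compliant.
    compliant = device.compliant if policy.compliance_policy_deployed else True
    if not compliant:
        return False, NONCOMPLIANT_MSG
    return True, ""
```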

Configure conditional access for Skype for Business Online

Step 1: Configure Azure Active Directory security groups

Before you start, configure Azure Active Directory security groups for the conditional access policy. You can configure these groups in the Office 365 admin center. These groups are used to target users with the policy or to exempt them from it. When a user is targeted by the policy, each device they use must be compliant in order to access resources.

You can specify two group types to use for the Skype for Business policy:

  • Targeted groups: Contains the groups of users that the policy applies to.

  • Exempted groups: Contains the groups of users that are exempt from the policy.

If a user is in both groups, they are exempt from the policy.

Step 2: Configure and deploy a compliance policy

Create a compliance policy and deploy it to all devices that will be affected by the conditional access policy. These are all the devices used by the users in the targeted groups.

Note

While compliance policies are deployed to Intune groups, conditional access policies are targeted to Azure Active Directory security groups.

Important

If you haven't deployed a compliance policy, the devices are treated as compliant.

When you're ready, continue to Step 3.

Step 3: Configure the Skype for Business Online policy

Next, configure the policy to require that only managed and compliant devices can access Skype for Business Online. This policy is stored in Azure Active Directory.

  1. In the Microsoft Intune administration console, choose Policy > Conditional Access > Skype for Business Online Policy.

    [Screenshot: the Skype for Business Online conditional access policy page]

  2. Choose Enable conditional access policy.

  3. Under Application access, you can choose to apply the conditional access policy to:

    • iOS

    • Android

  4. Under Targeted Groups, choose Modify to select the Azure Active Directory security groups that the policy will apply to. You can choose to target all users or just a selected group of users.

  5. Optionally, under Exempted Groups, choose Modify to select the Azure Active Directory security groups that are exempt from this policy.

  6. When you're done, choose Save.

You have now configured conditional access for Skype for Business Online. You don't have to deploy the conditional access policy; it takes effect immediately.

Monitor the compliance and conditional access policies

In the Groups workspace, you can view the conditional access status of your devices.

Select any mobile device group. Then, on the Devices tab, choose one of the following Filters:

  • Devices that are not registered with AAD: These devices are blocked from Skype for Business Online.

  • Devices that are not compliant: These devices are blocked from Skype for Business Online.

  • Devices that are registered with AAD and compliant: These devices can access Skype for Business Online.
