Deploy recommended secure email policies

This section discusses how to deploy the recommended policies in a newly provisioned environment. Setting up these policies in a separate lab environment allows you to understand and evaluate the recommended policies before staging the rollout to your pre-production and production environments. Your newly provisioned environment may be cloud-only or hybrid.

To successfully deploy the recommended policies, you need to take actions in the Azure portal to meet the prerequisites stated earlier. Specifically, you need to:

  • Configure named networks, to ensure Azure Identity Protection can properly generate a risk score
  • Require all users to register for multi-factor authentication (MFA)
  • Configure password sync and self-service password reset so that users can reset their own passwords

You can target both Azure AD and Intune policies towards specific groups of users. We suggest rolling out the policies defined earlier in a staged way. This way you can validate, incrementally, the performance of the policies and of your support teams relative to each policy.

Baseline conditional access policy

To create a new conditional access policy, log in to the Microsoft Azure portal with your administrator credentials. Then navigate to Azure Active Directory > Security > Conditional access.

You can add a new policy (+Add) as shown in the following screenshot:

(Screenshot: Baseline CA policy)

The following tables describe the appropriate settings necessary to express the policies required for each level of protection.

Medium and above risk requires MFA

The following table describes the conditional access policy settings to implement for this policy.

| Categories | Type | Properties | Values | Notes |
|---|---|---|---|---|
| Assignments | Users and groups | Include | Select users and groups – Select specific security group containing targeted users | Start with security group including pilot users. |
| | | Exclude | Exception security group; service accounts (app identities) | Membership modified on an as-needed temporary basis |
| | Cloud apps | Include | Select apps - Select Office 365 Exchange Online | |
| | Conditions | Configured | Yes | Configure specific to your environment and needs |
| | Sign-in risk | Risk level | High, medium | Check both |
| Access controls | Grant | Grant access | True | Selected |
| | | Require MFA | True | Check |
| | | Require compliant devices | False | |
| | | Require domain joined devices | False | |
| | | Require all the selected controls | True | Selected |
| Enable policy | | | On | Deploys conditional access policy |

Require a compliant or domain joined device

To create a new Intune Conditional Access policy for Exchange Online, log in to the Microsoft Management portal (http://manage.microsoft.com) with your administrator credentials and then navigate to Policy > Conditional Access > Exchange Online Policy.

(Screenshot: Exchange Online policy)

You must set a Conditional Access policy specifically for Exchange Online in the Intune Management portal to require a compliant or domain joined device.

| Categories | Type | Properties | Values | Notes |
|---|---|---|---|---|
| Application access | Outlook and other apps that use modern authentication | All platforms | True | Selected |
| | | Windows must meet the following requirement | Device must be domain joined or compliant | Selected (List) |
| | | Selected platform | False | |
| | Outlook Web Access (OWA) | Block non-compliant devices on same platform as Outlook | True | Check |
| | Exchange ActiveSync apps that use basic authentication | Block non-compliant devices on platforms supported by Microsoft Intune | True | Check |
| | | Block all other devices on platforms not supported by Microsoft Intune | True | Check |
| Policy deployment | Target groups | Select the Active Directory groups to target with this policy | | |
| | | All users | False | |
| | | Selected security groups | True | Selected |
| | | Modify | Select specific security group containing targeted users | |
| | Exempt groups | Select the Active Directory groups to exempt from this policy (overrides members of the Targeted Groups list) | | |
| | | No exempt users | True | Selected |
| | | Selected security groups | False | |

Mobile application management conditional access for Exchange Online

You must set a Conditional Access policy specifically for Exchange Online in the Intune Management portal to manage mobile apps.

To manage mobile apps, log in to the Microsoft Azure portal with your administrator credentials, and then navigate to Intune App Protection > Settings > Conditional Access > Exchange Online.

| Categories | Type | Properties | Values | Notes |
|---|---|---|---|---|
| App access | Allowed apps | Enable app access | Allow apps that support Intune app policies | Selected (list) – This results in a list of app/platform combinations supported by Intune app policies |
| User access | Allowed apps | Restricted user groups | Add user groups – Select specific security group containing targeted users | Start with security group including pilot users |
| | | Exempt user groups | Exception security groups | |

Apply to

Once your pilot project has been completed, these policies should be applied to all users in your organization.

Sensitive conditional access policy

Low and above risk requires MFA

The following table describes the conditional access policy settings to implement for the low and above risk policy.

| Categories | Type | Properties | Values | Notes |
|---|---|---|---|---|
| Assignments | Users and groups | Include | Select users and groups – Select specific security group containing targeted users | Start with security group including pilot users |
| | | Exclude | Exception security group; service accounts (app identities) | Membership modified on an as-needed temporary basis |
| | Cloud apps | Include | Select apps - Select Office 365 Exchange Online | |
| | Conditions | Configured | Yes | Configure specific to your environment and needs |
| | Sign-in risk | Configured | Yes | Configure specific to your environment and needs |
| | | Risk level | Low, medium, high | Check all three |
| Access controls | Grant | Grant access | True | Selected |
| | | Require MFA | True | Check |
| | | Require compliant devices | False | |
| | | Require domain joined device | False | |
| | | Require all the selected controls | True | Selected |
| Enable policy | | | On | Deploys conditional access policy |

Require a compliant or domain joined device

(See baseline instructions)

Mobile application management conditional access for Exchange Online

(See baseline instructions)

Apply to

Once the pilot project has been completed, these policies should be applied to users in your organization who require access to email considered sensitive.

Highly regulated conditional access policy

MFA required

The following table describes the conditional access policy settings to implement for the highly regulated policy.

| Categories | Type | Properties | Values | Notes |
|---|---|---|---|---|
| Assignments | Users and groups | Include | Select users and groups – Select specific security group containing targeted users | Start with security group including pilot users |
| | | Exclude | Exception security group; service accounts (app identities) | Membership modified on an as-needed temporary basis |
| | Cloud apps | Include | Select apps - Select Office 365 Exchange Online | |
| Access controls | Grant | Grant access | True | Selected |
| | | Require MFA | True | Check |
| | | Require compliant devices | False | Check |
| | | Require domain joined device | False | |
| | | Require all the selected controls | True | Selected |
| Enable policy | | | On | Deploys conditional access policy |
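The three conditional access tables above (baseline, sensitive, highly regulated) differ only in the sign-in risk condition; everything else is the same. The following audit script is an added example, not part of this Microsoft page: it checks exported policies against those tables. It assumes the Microsoft Graph conditionalAccessPolicy shape (the page itself configures these settings in the Azure portal), and the sample policies and group IDs are constructed placeholders.

```python
"""Audit Conditional Access policies against the email tiers on this page (added example).

Policy dicts follow the shape of the Microsoft Graph conditionalAccessPolicy resource
(an assumption; the page itself configures these settings in the Azure portal).
Sample policies and group IDs are constructed placeholders.
"""

# Well-known Azure AD application ID of Office 365 Exchange Online.
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"

# Sign-in risk levels each tier's policy must trigger on, from the tables above.
# The highly regulated tier requires MFA unconditionally, so it has no risk condition.
TIER_RISK_LEVELS = {
    "baseline": {"medium", "high"},
    "sensitive": {"low", "medium", "high"},
    "highly_regulated": set(),
}


def audit_policy(policy: dict, tier: str) -> list:
    """Return findings for one policy; an empty list means it matches the tier."""
    findings = []
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    apps = cond.get("applications", {})
    grant = policy.get("grantControls") or {}

    if policy.get("state") != "enabled":
        findings.append("policy is not enabled")
    if not users.get("includeGroups"):
        findings.append("no target security group included (start with the pilot group)")
    if not users.get("excludeGroups"):
        findings.append("no exception group excluded (service accounts would be caught)")
    if EXCHANGE_ONLINE_APP_ID not in apps.get("includeApplications", []):
        findings.append("Office 365 Exchange Online is not an included cloud app")

    expected = TIER_RISK_LEVELS[tier]
    actual = set(cond.get("signInRiskLevels", []))
    if actual != expected:
        findings.append(f"sign-in risk levels {sorted(actual)} != {sorted(expected)}")

    controls = set(grant.get("builtInControls", []))
    if "mfa" not in controls:
        findings.append("Require MFA is not set")
    if controls & {"compliantDevice", "domainJoinedDevice"}:
        findings.append("device controls belong to the Intune Exchange Online policy, not here")
    if grant.get("operator") != "AND":
        findings.append("'Require all the selected controls' (operator AND) is not set")
    return findings


def make_policy(name, risk_levels, operator="AND", state="enabled"):
    """Build a constructed policy dict: pilot group included, exception group excluded."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeGroups": ["<pilot-users-group-id>"],      # placeholder
                      "excludeGroups": ["<ca-exceptions-group-id>"]},   # placeholder
            "applications": {"includeApplications": [EXCHANGE_ONLINE_APP_ID]},
            "signInRiskLevels": list(risk_levels),
        },
        "grantControls": {"operator": operator, "builtInControls": ["mfa"]},
    }


if __name__ == "__main__":
    good = make_policy("Baseline: medium and above risk requires MFA", ["medium", "high"])
    # Misconfigured: only high risk, and OR instead of "require all the selected controls".
    bad = make_policy("Baseline (broken)", ["high"], operator="OR")
    print("good:", audit_policy(good, "baseline"))
    for finding in audit_policy(bad, "baseline"):
        print("finding:", finding)
```

Run it against policies pulled from your tenant to confirm each tier is still expressed as the tables specify after a portal change.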

Require a compliant or domain joined device

(See baseline instructions)

Mobile application management conditional access for Exchange Online

(See baseline instructions)

Apply to

Once the pilot project has been completed, these policies should be applied to users in your organization who require access to email considered highly regulated.

User risk policy

High risk users must change password

To ensure that all high-risk, compromised user accounts are forced to perform a password change when signing in, you must apply the following policy.

Log in to the Microsoft Azure portal (http://portal.azure.com) with your administrator credentials, and then navigate to Azure AD Identity Protection > User Risk Policy.

| Categories | Type | Properties | Values | Notes |
|---|---|---|---|---|
| Assignments | Users | Include | All users | Selected |
| | | Exclude | None | |
| | Conditions | User risk | High | Selected |
| Controls | Access | Allow access | True | Selected |
| | Access | Require password change | True | Check |
| Review | N/A | N/A | N/A | N/A |
| Enforce policy | | | On | Starts enforcing policy |

Additional configurations

In addition to the above policies, you must configure the following Mobile Application and Device Management settings discussed in this section.

Intune mobile application management

To ensure email is protected by the policy recommendations stated earlier for each security and data protection tier, you must create Intune app protection policies from within the Azure portal.

To create a new app protection policy, log in to the Microsoft Azure portal with your administrator credentials, and then navigate to Intune App Protection > Settings > App policy.

Add a new policy (+Add) as shown in the following screenshot:

(Screenshot: Intune mobile application management)

Note

There are slight differences in the app protection policy options between iOS and Android. The policy below is specifically for Android.

The following table describes, in detail, the recommended Intune app protection policy settings.

| Categories | Type | Properties | Values | Notes |
|---|---|---|---|---|
| General | Email | Name | Secure email policy for Android | Enter a policy name |
| | | Description | | Enter text that describes the policy |
| | | Platform | Android | There are slight differences in the app protection policy options between iOS and Android; this policy is specifically for Android |
| Apps | Applications | Apps | Outlook | Selected (list) |
| Settings | Data relocation | Prevent Android backup | Yes | On iOS this will specifically call out iTunes and iCloud |
| | | Allow app to transfer data to other apps | Policy managed apps | |
| | | Allow app to receive data from other apps | Policy managed apps | |
| | | Prevent "Save As" | Yes | |
| | | Restrict cut, copy, and paste with other apps | Policy managed apps | |
| | | Restrict web content to display in the managed browser | No | |
| | | Encrypt app data | Yes | On iOS select option: When device is locked |
| | | Disable contacts sync | No | |
| | Access | Require PIN for access | Yes | |
| | | Number of attempts before PIN reset | 3 | |
| | | Allow simple PIN | No | |
| | | PIN length | 6 | |
| | | Allow fingerprint instead of PIN | Yes | |
| | | Require corporate credentials for access | No | |
| | | Block managed apps from running on jailbroken or rooted devices | Yes | |
| | | Recheck the access requirement after (minutes) | 30 | |
| | | Offline grace period | 720 | |
| | | Offline interval (days) before app data is wiped | 90 | |
| | | Block screen capture and Android assistant | No | On iOS this is not an available option |

When complete, remember to click "Create". Repeat the above steps, replacing the selected platform (dropdown) with iOS. This creates two app policies; once you create each policy, assign groups to it and deploy it.

Intune mobile device management

You create the following Configuration and Compliance policies by logging in to the Microsoft Management portal (http://manage.microsoft.com) with your administrator credentials.

iOS email profile

In the Intune management portal (https://manage.microsoft.com), create the following Configuration policy at Policy > Configuration Policies > Add > iOS > Email Profile (iOS 8 and later).

| Categories | Type | Properties | Values | Notes |
|---|---|---|---|---|
| Email profile | Exchange Active Sync | Host (#) | Outlook.office365.com | |
| | | Account Name (#) | SecureEmailAccount | Admin choice |
| | | Username | User principal name | Selected – Drop down |
| | | Email address | Primary SMTP address | Selected – Drop down |
| | | Authentication method | Username and password | Selected – Drop down |
| | | Use S/MIME | False | |
| | Synchronization settings | Number of days of email to synchronize | Two weeks | Selected – Drop down |
| | | Use SSL | True | Check |
| | | Allow messages to be moved to other email accounts | False | |
| | | Allow email to be sent from third party applications | True | |
| | | Synchronize recently used email addresses | True | Check |

iOS app sharing profile

In the Intune management portal (https://manage.microsoft.com), create the following Configuration policy at Policy > Configuration Policies > Add > iOS > General Configuration (iOS 8.0 and later).

| Categories | Type | Properties | Values | Notes |
|---|---|---|---|---|
| Security | All | All | Not configured | |
| Cloud | All | All | Not configured | |
| Applications | Browser | All | Not configured | |
| | Apps | Allow installing apps | Not configured | |
| | | Require a password to access application store | Not configured | |
| | | All in-app purchases | Not configured | |
| | | Allow managed documents in other managed apps (iOS 8.0 and later) | No | Selected – Drop down |
| | | Allow unmanaged documents in other managed apps | Not configured | |
| | | Allow video conferencing | Not configured | |
| | | Allow the user to trust new enterprise app authors | Not configured | |
| | Games | All | Not configured | |
| | Media content | All | Not configured | |

Android email profile

In the Intune management portal (https://manage.microsoft.com), create the following Configuration policy at Policy > Configuration Policies > Add > iOS > Email Profile (Samsung KNOX Standard 4.0 and later).

| Categories | Type | Properties | Values | Notes |
|---|---|---|---|---|
| Email profile | Exchange Active Sync | Host (#) | Outlook.office365.com | |
| | | Account Name (#) | SecureEmailAccount | Admin choice |
| | | Username | User principal name | Selected – Drop down |
| | | Email address | Primary SMTP address | Selected – Drop down |
| | | Authentication method | Username and password | Selected – Drop down |
| | | Use S/MIME | False | |
| | Synchronization settings | Number of days of email to synchronize | Two weeks | Selected – Drop down |
| | | Sync schedule | Not configured | Selected – Drop down |
| | | Use SSL | True | Check |
| | | Content type to synchronize | | |
| | | Email | True | Check (locked) |
| | | Contacts | True | Check |
| | | Calendar | True | Check |
| | | Tasks | True | Check |
| | | Notes | True | Check |

Android for Work email profile

In the Intune management portal (https://manage.microsoft.com), create the following Configuration policy at Policy > Configuration Policies > Add > iOS > Email Profile (Android for Work - Gmail).

| Categories | Type | Properties | Values | Notes |
|---|---|---|---|---|
| Email profile | Exchange Active Sync | Host (#) | Outlook.office365.com | |
| | | Account Name (#) | SecureEmailAccount | Admin choice |
| | | Username | User principal name | Selected – Drop down |
| | | Email address | Primary SMTP address | Selected – Drop down |
| | | Authentication method | Username and password | Selected – Drop down |
| | Synchronization settings | Number of days of email to synchronize | Two weeks | Selected – Drop down |
| | | Use SSL | True | Check |

Android for Work app sharing profile

In the Intune management portal (https://manage.microsoft.com), create the following Configuration policy at Policy > Configuration Policies > Add > iOS > General Configuration (Android for Work).

| Categories | Type | Properties | Values | Notes |
|---|---|---|---|---|
| Security | Password | Minimum password length | Not configured | |
| | | Number of repeated sign-in failures before the work profile is removed | Not configured | |
| | | Minutes of inactivity before device locks | Not configured | |
| | | Password expiration (days) | Not configured | |
| | | Remember password history | Not configured | |
| | | Require a password to unlock mobile device | Not configured | |
| | | Allow fingerprint unlock (Android 6.0+) | Not configured | |
| | | Allow Smart Lock and other trust agents (Android 6.0+) | Not configured | |
| | Work profile settings | Allow data sharing between work and personal profiles | Apps in work profile can handle sharing requests from personal profile | Selected – Drop down |
| | | Hide work profile notifications when the device is locked (Android 6.0+) | Not configured | |
| | | Set default app permission policy (Android 6.0+) | Not configured | |

Device compliance policy

In the Intune management portal (https://manage.microsoft.com), create the following Compliance policy at Policy > Compliance Policy > Add.

| Categories | Type | Properties | Values | Notes |
|---|---|---|---|---|
| System security | Password | Require a password to unlock mobile devices (...) | Yes | Selected – Drop down |
| | | Allow simple passwords (...) | No | Selected – Drop down |
| | | Minimum password length (...) | 6 | Selected – List |
| | Advanced password settings | All | Not configured | |
| | Encryption | Require encryption on mobile device (...) | Yes | Selected – Drop down |
| | Email profiles | Email account must be managed by Intune (iOS 8.0+) | Yes | Selected – Drop down |
| | | Select (#) | Must select Email Configuration Policy for iOS: iOS Email Policy (see configuration policies above) | |
| Device health | Windows device health attestation | Require devices to be reported as healthy (Windows 10 Desktop and Mobile and later) | Yes | |
| | Device security settings | All | Not configured | |
| | Device threat protection | All | Not configured | |
| | Jailbreak | Device must not be jailbroken or rooted (iOS 8.0+, Android 4.0+) | Yes | |
| Device properties | Operating system version | All | Not configured | |

For all of the above policies to be considered deployed, they must be targeted at user groups. You can do this when creating the policy (on Save) or later by selecting Manage Deployment in the Policy section (at the same level as Add).

Remediating events that have resulted in medium or high risk access

If a user reports that they are now expected to perform MFA when this was previously not required, support can review their status from a risk perspective.

Users within the organization with a Global Administrator or Security Administrator role can use Azure AD Identity Protection to review the risky events that contributed to the calculated risk score. If they identify events that were flagged as suspicious but are confirmed to be valid (such as a login from an unfamiliar location while an employee is on vacation), the administrator can resolve the event so that it no longer contributes to the risk score.

Next steps

Learn more about Microsoft 365 services