Enable Conditional Access to better protect users, devices, and data

Applies to:


Conditional Access is a capability that helps you better protect your users and enterprise information by making sure that only secure devices have access to applications.

With Conditional Access, you can control access to enterprise information based on the risk level of a device. This helps keep trusted users on trusted devices using trusted applications.

You can define the security conditions under which devices and applications are allowed to run and access information from your network, and enforce policies that block access until a device returns to a compliant state.

The implementation of Conditional Access in Defender for Endpoint is based on Microsoft Intune (Intune) device compliance policies and Azure Active Directory (Azure AD) Conditional Access policies.

The compliance policy is used together with Conditional Access so that only devices that satisfy the device compliance policy rules are allowed to access applications.

Understand the Conditional Access flow

Conditional Access is put in place so that when a threat is seen on a device, access to sensitive content is blocked until the threat is remediated.

The flow begins with Defender for Endpoint assessing a device as having a low, medium, or high risk. These risk determinations are then sent to Intune.

Depending on how you configure policies in Intune, Conditional Access can be set up so that the policy is applied when certain conditions are met.

For example, you can configure Intune to apply Conditional Access to devices that are at high risk.

In Intune, a device compliance policy is used in conjunction with Azure AD Conditional Access to block access to applications. In parallel, an automated investigation and remediation process is launched.

A user can still use the device while the automated investigation and remediation is taking place, but access to enterprise data is blocked until the threat is fully remediated.

To resolve the risk found on a device, you need to return the device to a compliant state. A device returns to a compliant state when no risk is seen on it.

There are three ways to address a risk:

  1. Use manual or automated remediation.
  2. Resolve the active alerts on the device. This removes the risk from the device.
  3. Remove the device from the active policies; Conditional Access will then no longer be applied to that device.

Manual remediation requires a security operations (secops) admin to investigate an alert and address the risk seen on the device. Automated remediation is configured through the settings described in the following section, Configure Conditional Access.

When the risk is removed, whether through manual or automated remediation, the device returns to a compliant state and access to applications is granted.

The following example sequence of events shows Conditional Access in action:

  1. A user opens a malicious file, and Defender for Endpoint flags the device as high risk.
  2. The high-risk assessment is passed along to Intune. In parallel, an automated investigation is initiated to remediate the identified threat. A manual remediation can also be performed to remediate the identified threat.
  3. Based on the policy created in Intune, the device is marked as not compliant. The assessment is then communicated to Azure AD by the Intune Conditional Access policy. In Azure AD, the corresponding policy is applied to block access to applications.
  4. The manual or automated investigation and remediation completes and the threat is removed. Defender for Endpoint sees that there is no longer any risk on the device, and Intune assesses the device to be in a compliant state. Azure AD applies the policy that allows access to applications.
  5. Users can now access applications.
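The three-stage decision described above (Defender for Endpoint risk, Intune compliance verdict, Azure AD grant control) can be modelled as a small state machine. The following Python is an added illustration, not code from Microsoft or from this page; it assumes that the Intune compliance rule is the "at or under this machine risk score" style threshold, that a device with no active alerts has a clear risk, and that a device removed from the Conditional Access policy's scope is simply not evaluated by that policy. Device IDs and alert IDs are constructed sample data.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Risk(IntEnum):
    # Ordered so that "at or under" comparisons work. CLEAR = no active alerts.
    CLEAR = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Device:
    device_id: str
    # (alert_id, severity expressed as a Risk) pairs; constructed sample data.
    active_alerts: list = field(default_factory=list)

    @property
    def risk(self) -> Risk:
        # Stage 1 (assumption): the machine risk is driven by the most severe
        # active alert; once every alert is resolved the risk returns to CLEAR.
        return max((sev for _, sev in self.active_alerts), default=Risk.CLEAR)


@dataclass
class CompliancePolicy:
    # Hypothetical model of an Intune compliance rule of the form
    # "require the device to be at or under this machine risk score".
    max_allowed_risk: Risk

    def is_compliant(self, device: Device) -> bool:
        # Stage 2: Intune marks the device compliant only if risk <= threshold.
        return device.risk <= self.max_allowed_risk


@dataclass
class ConditionalAccessPolicy:
    # Hypothetical model of an Azure AD Conditional Access policy whose grant
    # control is "require device to be marked as compliant", scoped to a set
    # of device IDs.
    scoped_devices: set
    compliance: CompliancePolicy

    def decide(self, device: Device) -> str:
        # Stage 3: the grant control applies only to in-scope devices. A device
        # removed from the scope is not evaluated by this policy at all, which
        # is the third remediation route listed above.
        if device.device_id not in self.scoped_devices:
            return "not-applicable"
        return "allow" if self.compliance.is_compliant(device) else "block"


def resolve_alert(device: Device, alert_id: str) -> None:
    # Manual or automated remediation: resolving the alert removes its risk.
    device.active_alerts = [a for a in device.active_alerts if a[0] != alert_id]


def walk_through() -> list:
    # Replays the five-step sequence above on constructed data and returns the
    # access decision observed before, during, and after the incident.
    policy = ConditionalAccessPolicy(
        scoped_devices={"laptop-01"},
        compliance=CompliancePolicy(max_allowed_risk=Risk.MEDIUM),
    )
    dev = Device("laptop-01")
    decisions = [policy.decide(dev)]                    # clean device: allow
    dev.active_alerts.append(("alert-1", Risk.HIGH))    # step 1: malicious file
    decisions.append(policy.decide(dev))                # steps 2-3: block
    resolve_alert(dev, "alert-1")                       # step 4: remediated
    decisions.append(policy.decide(dev))                # step 5: allow again
    return decisions


if __name__ == "__main__":
    print(walk_through())
```

Two details are worth checking against a real tenant: a threshold of `MEDIUM` still admits devices with medium-severity alerts, so pick the threshold that matches your risk appetite, and the `not-applicable` outcome only means this policy did not block; any other Conditional Access policy in scope is still evaluated.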