Enable conditional access support in the OneDrive sync app

Conditional access control capabilities in Azure Active Directory offer simple ways for you to secure resources in the cloud. The new OneDrive sync app works with the conditional access control policies to ensure syncing is only done with compliant devices. For example, you might require sync to be available only on domain-joined devices or devices that meet compliance as defined by the Mobile Device Management system (like Intune).

For information about how conditional access works, see:

Recommendations for Windows

We recommend using this feature on Windows together with silent account configuration for the best experience. The OneDrive sync app will automatically use ADAL, and will support both device-based and location-based conditional access policies.

If you don't use silent account configuration, set the EnableADAL registry key:

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive]
    "EnableADAL"=dword:1

Setting this registry key configures the OneDrive sync app to use ADAL directly.

Known issues

The following are known issues with this release:

  • If you create a new access policy after the device has authenticated, it may take up to twenty-four hours for the policy to take effect.

  • In some cases, the user may be prompted for credentials twice. We are working on a fix for this issue.

  • Certain ADFS configurations may require additional setup to work with this release. Run the following command on your ADFS server to ensure FormsAuthentication is added to the list of PrimaryIntranetAuthenticationProvider:

    Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication', 'FormsAuthentication')

  • If you enable location-based conditional access, users will get a prompt about every 90 to 120 minutes by default when they leave the set of approved IP address ranges. The exact timing depends on the access token expiry duration (60 minutes by default), when their computer last obtained a new access token, and any specific conditional access timeouts put in place.
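
The Set-AdfsGlobalAuthenticationPolicy command in the ADFS item above replaces the whole intranet provider list with the two values it names. The following added example (not part of the original article) reads the current list first and appends FormsAuthentication only if it is missing, so any other providers already enabled stay in place. The variable names are illustrative, and it assumes an elevated session on the primary ADFS server.

```powershell
# Added example: idempotent check for the FormsAuthentication setting.
# Assumption: run elevated on the primary AD FS server, where the ADFS module is installed.
Import-Module ADFS -ErrorAction Stop

$required = 'FormsAuthentication'

# Read the providers currently enabled for intranet primary authentication.
$policy  = Get-AdfsGlobalAuthenticationPolicy
$current = @($policy.PrimaryIntranetAuthenticationProvider)

Write-Host "Current intranet providers: $($current -join ', ')"

if ($current -contains $required) {
    # Nothing to do; leave the policy untouched.
    Write-Host "$required is already enabled; no change made."
}
else {
    # Append rather than overwrite, so providers that are already
    # configured (for example certificate authentication) are preserved.
    $updated = $current + $required
    Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider $updated

    # Re-read the policy to confirm the change was stored.
    $after = @((Get-AdfsGlobalAuthenticationPolicy).PrimaryIntranetAuthenticationProvider)
    if ($after -notcontains $required) {
        throw "$required is still missing from PrimaryIntranetAuthenticationProvider."
    }
    Write-Host "Updated intranet providers: $($after -join ', ')"
}
```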

Reporting problems

Please let us know if you run into any problems while using this release.

To report a problem

  1. Right-click the blue OneDrive cloud icon in the Windows taskbar notification area or macOS menu bar.

  2. Click Get help.

  3. Type a brief description of your issue, and then click Submit.