Control access to SharePoint and OneDrive data based on network location

As an IT admin, you can control access to SharePoint and OneDrive resources in Microsoft 365 based on defined network locations that you trust. This is also known as a location-based policy.

To do this, you define a trusted network boundary by specifying one or more authorized IP address ranges. Any user who attempts to access SharePoint and OneDrive from outside this network boundary (using a web browser, desktop app, or mobile app on any device) will be blocked.

Important

This feature relies on Azure AD Conditional Access policies being available. You will need an Azure AD Premium P1 or P2 subscription for this to work. For more info about this, refer to the announcement in the Azure Active Directory Identity Blog.

(Screenshot: the "access restricted" message shown in the browser)

Here are some important considerations for setting a location-based policy:

  • External sharing: If files and folders have been shared with guests who authenticate, they will not be able to access the resources from outside of the defined IP address range.

  • Access from first- and third-party apps: Normally, a SharePoint document can be accessed from apps like Exchange, Yammer, Skype, Teams, Planner, Power Automate, Power BI, Power Apps, OneNote, and so on. When a location-based policy is enabled, apps that do not support location-based policies are blocked. The only apps that currently support location-based policies are Teams, Yammer, and Exchange. This means that all other apps are blocked, even when these apps are hosted within the trusted network boundary. This is because SharePoint cannot determine whether a user of these apps is within the trusted boundary.

    Note

    We recommend that when a location-based policy is enabled for SharePoint, the same policy and IP address ranges should be configured for Exchange and Yammer. SharePoint relies on these services to enforce that the users of these apps are within the trusted IP range.

  • Access from dynamic IP ranges: Several services and providers host apps that have dynamic originating IP addresses. For example, a service that accesses SharePoint while running from one Azure data center may start running from a different data center due to a failover condition or other reason, thus dynamically changing its IP address. The location-based conditional access policy relies on fixed, trusted IP address ranges. If the IP address range cannot be determined up front, a location-based policy may not be an option for your environment.

Set a location-based policy in the new SharePoint admin center

Note

It can take up to 15 minutes for these settings to take effect.

  1. Go to the Access control page of the new SharePoint admin center, and sign in with an account that has admin permissions for your organization.

Note

If you have Office 365 Germany, sign in to the Microsoft 365 admin center, then browse to the SharePoint admin center and open the Access control page.
If you have Office 365 operated by 21Vianet (China), sign in to the Microsoft 365 admin center, then browse to the SharePoint admin center and open the Access control page.

  2. Select Network location, and turn on Allow access only from specific IP address ranges.

    (Screenshot: Network location panel)

  3. Enter IP addresses and address ranges separated by commas.

    Important

    Make sure you include your own IP address so you don't lock yourself out. This setting not only restricts access to OneDrive and SharePoint sites, but also to the OneDrive and SharePoint admin centers, and to running PowerShell cmdlets. If you lock yourself out and can't connect from an IP address within a range you specified, you will need to contact Support for help.
    If you save overlapping IP addresses, your users will see a generic error message with a correlation ID that points to "The input IP allow list has overlaps."

Note

To set a location-based policy by using PowerShell, run Set-SPOTenant with the -IPAddressAllowList parameter. For more info, see Set-SPOTenant.
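Two of the failure modes described above (saving an allow list whose entries overlap, and saving one that does not contain your own address and so locks you out of the admin centers and PowerShell) are easy to catch before the list is pasted into the Network location panel or passed to Set-SPOTenant -IPAddressAllowList. The following pre-flight checker is an added example, not Microsoft's code and not part of this article; it assumes the list is written as comma-separated addresses and CIDR ranges (the article only says "IP addresses and address ranges separated by commas"), the sample values are constructed, and the admin IP you pass in is the public address you actually connect from.

```python
import ipaddress
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample allow list in the comma-separated form the setting expects.
# These are documentation ranges (RFC 5737 / RFC 3849), not real tenant values.
SAMPLE_ALLOW_LIST = "203.0.113.0/24, 198.51.100.10, 2001:db8:10::/48"


def parse_allow_list(text: str) -> List[Network]:
    """Split a comma-separated list of addresses/ranges into network objects.

    A bare address becomes a /32 (or /128) network. strict=False accepts a range
    typed with host bits set (e.g. 203.0.113.5/24) and normalises it to the
    network address, which is how such an entry would be interpreted anyway.
    Raises ValueError for anything that is not an IP address or CIDR range.
    """
    networks: List[Network] = []
    for item in text.split(","):
        item = item.strip()
        if item:
            networks.append(ipaddress.ip_network(item, strict=False))
    return networks


def find_overlaps(networks: List[Network]) -> List[Tuple[str, str]]:
    """Return every pair of entries that overlap (same IP version, shared addresses).

    Saving such a list is what produces the generic error whose correlation ID
    points to "The input IP allow list has overlaps."
    """
    overlaps = []
    for i, a in enumerate(networks):
        for b in networks[i + 1:]:
            if a.version == b.version and a.overlaps(b):
                overlaps.append((str(a), str(b)))
    return overlaps


def covers_address(networks: List[Network], address: str) -> bool:
    """True if the given address (e.g. the admin's own public IP) falls inside some entry."""
    ip = ipaddress.ip_address(address)
    return any(ip.version == n.version and ip in n for n in networks)


def validate_allow_list(text: str, admin_ip: str) -> List[str]:
    """Run the pre-flight checks; returns a list of problems, empty when the list is safe to save."""
    try:
        networks = parse_allow_list(text)
    except ValueError as exc:
        return [f"invalid entry: {exc}"]
    problems = [f"overlap: {a} and {b}" for a, b in find_overlaps(networks)]
    if not covers_address(networks, admin_ip):
        # Lockout risk: the setting also gates the admin centers and PowerShell cmdlets.
        problems.append(f"lockout risk: admin IP {admin_ip} is not in the allow list")
    return problems


if __name__ == "__main__":
    # Clean list, admin connecting from inside the first range: no problems.
    print(validate_allow_list(SAMPLE_ALLOW_LIST, "203.0.113.45"))
    # Overlapping ranges and an admin address outside every range: two problems.
    print(validate_allow_list("203.0.113.0/24, 203.0.113.128/25", "198.51.100.1"))
```

Run the checker against the exact string you intend to save; an empty result means no overlapping entries and your own address is covered. It does not talk to the tenant, so it cannot tell you whether a listed range is actually the one your users egress from; confirm that separately (for example by checking the public address you see from a client on that network) before turning the policy on.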