Quickstart: Require MFA for specific apps with Azure Active Directory Conditional Access

To simplify the sign-in experience of your users, you might want to allow them to sign in to your cloud apps using a user name and a password. However, many environments have at least a few apps for which it is advisable to require a stronger form of account verification, such as multi-factor authentication (MFA). This policy might be true for access to your organization's email system or your HR apps. In Azure Active Directory (Azure AD), you can accomplish this goal with a Conditional Access policy.

This quickstart shows how to configure an Azure AD Conditional Access policy that requires multi-factor authentication for a selected cloud app in your environment.

If you don't have an Azure subscription, create a free account before you begin.

Prerequisites

To complete the scenario in this quickstart, you need:

  • Access to an Azure AD Premium edition - Azure AD Conditional Access is an Azure AD Premium capability.
  • A test account called Isabella Simonsen - If you don't know how to create a test account, see Add cloud-based users.

The scenario in this quickstart requires that per-user MFA is not enabled for your test account. For more information, see How to require two-step verification for a user.

Test your experience

The goal of this step is to get an impression of the experience without a Conditional Access policy.

To initialize your environment:

  1. Sign in to your Azure portal as Isabella Simonsen.
  2. Sign out.

Create your Conditional Access policy

This section shows how to create the required Conditional Access policy. The scenario in this quickstart uses:

  • The Azure portal as a placeholder for a cloud app that requires MFA.
  • Your sample user to test the Conditional Access policy.

In your policy, set:

  Setting           Value
  Users and groups  Isabella Simonsen
  Cloud apps        Microsoft Azure Management
  Grant access      Require multi-factor authentication

To configure your Conditional Access policy:

  1. Sign in to your Azure portal as global administrator, security administrator, or a Conditional Access administrator.
  2. In the Azure portal, on the left navbar, click Azure Active Directory.
  3. On the Azure Active Directory page, in the Security section, click Conditional Access.
  4. On the Conditional Access page, in the toolbar on the top, click New policy.
  5. On the New page, in the Name textbox, type Require MFA for Azure portal access.
  6. In the Assignment section, click Users and groups.
  7. On the Users and groups page, perform the following steps:
    1. Click Select users and groups, and then select Users and groups.
    2. Click Select.
    3. On the Select page, select Isabella Simonsen, and then click Select.
    4. On the Users and groups page, click Done.
  8. Click Cloud apps.
  9. On the Cloud apps page, perform the following steps:
    1. Click Select apps.
    2. Click Select.
    3. On the Select page, select Microsoft Azure Management, and then click Select.
    4. On the Cloud apps page, click Done.
  10. In the Access controls section, click Grant.
  11. On the Grant page, perform the following steps:
    1. Select Grant access.
    2. Select Require multi-factor authentication.
    3. Click Select.
  12. In the Enable policy section, click On.
  13. Click Create.

Evaluate a simulated sign in

Now that you have configured your Conditional Access policy, you probably want to know whether it works as expected. As a first step, use the Conditional Access What If policy tool to simulate a sign in of your test user. The simulation estimates the impact this sign in has on your policies and generates a simulation report.

To initialize the What If policy evaluation tool, set:

  • Isabella Simonsen as user
  • Microsoft Azure Management as cloud app

Clicking What If creates a simulation report that shows:

  • Require MFA for Azure portal access under Policies that will apply
  • Require multi-factor authentication as Grant Controls

To evaluate your Conditional Access policy:

  1. On the Conditional Access - Policies page, in the menu on the top, click What If.
  2. Click Users, select Isabella Simonsen, and then click Select.
  3. To select a cloud app, perform the following steps:
    1. Click Cloud apps.
    2. On the Cloud apps page, click Select apps.
    3. Click Select.
    4. On the Select page, select Microsoft Azure Management, and then click Select.
    5. On the Cloud apps page, click Done.
  4. Click What If.
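To make the policy settings from the table above and the What If result concrete, here is an added example in Python. It is not part of the quickstart and not Microsoft's tooling: it writes the same "Require MFA for Azure portal access" policy in the shape of the Microsoft Graph conditionalAccessPolicy resource (the body you would POST to /identity/conditionalAccess/policies) and runs a small local simulation of the What If check, reporting which enabled policies apply to a user/app pair and which grant controls follow. The user and application IDs are constructed placeholders, not real tenant values, and the evaluation logic is a simplified model that covers only user and application assignments.

```python
"""Local What-If style evaluation of a Conditional Access policy.

Added example, not part of the Microsoft quickstart. The policy dict below
mirrors the settings chosen in the portal (user: Isabella Simonsen, cloud app:
Microsoft Azure Management, grant: require MFA) in the Microsoft Graph
conditionalAccessPolicy shape. what_if() models the What If tool for the
user and application conditions only.
"""
from __future__ import annotations

# Placeholder identifiers constructed for this example; look up the real
# user object ID and application ID in your own tenant.
ISABELLA_ID = "00000000-0000-0000-0000-00000000aaaa"
ANOTHER_USER_ID = "00000000-0000-0000-0000-00000000bbbb"
AZURE_MGMT_APP_ID = "placeholder-microsoft-azure-management-app-id"
OTHER_APP_ID = "placeholder-other-app-id"

# The quickstart's policy, as a Graph conditionalAccessPolicy body.
REQUIRE_MFA_FOR_PORTAL = {
    "displayName": "Require MFA for Azure portal access",
    "state": "enabled",  # "On" in the portal's Enable policy section
    "conditions": {
        "clientAppTypes": ["all"],
        "users": {"includeUsers": [ISABELLA_ID], "excludeUsers": []},
        "applications": {
            "includeApplications": [AZURE_MGMT_APP_ID],
            "excludeApplications": [],
        },
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# A second, constructed policy in report-only mode: it must never enforce.
REPORT_ONLY_POLICY = {
    "displayName": "Report-only block for other app",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "clientAppTypes": ["all"],
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": [OTHER_APP_ID], "excludeApplications": []},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def _assigned(block: dict, include_key: str, exclude_key: str, subject: str) -> bool:
    """True when subject is in the include list (or 'All') and not excluded."""
    included = block.get(include_key, [])
    excluded = block.get(exclude_key, [])
    return ("All" in included or subject in included) and subject not in excluded


def policy_applies(policy: dict, user_id: str, app_id: str) -> bool:
    """Does an *enabled* policy target this user signing in to this app?"""
    if policy.get("state") != "enabled":
        return False  # disabled and report-only policies do not enforce
    cond = policy["conditions"]
    return _assigned(cond["users"], "includeUsers", "excludeUsers", user_id) and _assigned(
        cond["applications"], "includeApplications", "excludeApplications", app_id
    )


def what_if(policies: list[dict], user_id: str, app_id: str) -> dict:
    """Simulate a sign-in: which policies apply and what grant controls result.

    Controls from every applying policy are combined, so a block anywhere wins.
    """
    applying = [p for p in policies if policy_applies(p, user_id, app_id)]
    controls: list[str] = []
    for p in applying:
        for c in (p.get("grantControls") or {}).get("builtInControls", []):
            if c not in controls:
                controls.append(c)
    if "block" in controls:
        result = "Block access"
    elif controls:
        result = "Grant access with controls"
    else:
        result = "Grant access"
    return {
        "policies_that_will_apply": [p["displayName"] for p in applying],
        "grant_controls": controls,
        "result": result,
    }


if __name__ == "__main__":
    tenant_policies = [REQUIRE_MFA_FOR_PORTAL, REPORT_ONLY_POLICY]
    # Isabella signing in to the Azure portal: the MFA policy applies.
    print(what_if(tenant_policies, ISABELLA_ID, AZURE_MGMT_APP_ID))
    # Another user, same app: the policy is scoped to Isabella only.
    print(what_if(tenant_policies, ANOTHER_USER_ID, AZURE_MGMT_APP_ID))
    # Isabella on a different app: the report-only policy is not enforced.
    print(what_if(tenant_policies, ISABELLA_ID, OTHER_APP_ID))
```

The first call reproduces the report described above: the policy name under policies that will apply, and "mfa" as the grant control. The other two calls show the scoping a practitioner should confirm before enabling a policy: users outside the assignment are untouched, and a report-only policy is never enforced even though it matches.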

Test your Conditional Access policy

In the previous section, you learned how to evaluate a simulated sign in. In addition to a simulation, you should also test your Conditional Access policy to ensure that it works as expected.

To test your policy, try to sign in to your Azure portal using your Isabella Simonsen test account. You should see a dialog that requires you to set up your account for additional security verification.

Clean up resources

When no longer needed, delete the test user and the Conditional Access policy:

  • If you don't know how to delete an Azure AD user, see Delete users from Azure AD.
  • To delete your policy, select your policy, and then click Delete in the quick access toolbar.

Next steps