How to: Require app protection policy and an approved client app for cloud app access with Conditional Access

People regularly use their mobile devices for both personal and work tasks. While making sure staff can be productive, organizations also want to prevent data loss from potentially unsecure applications. With Conditional Access, organizations can restrict access to approved (modern authentication capable) client apps with Intune app protection policies applied to them.

This article presents three scenarios to configure Conditional Access policies for resources like Microsoft 365, Exchange Online, and SharePoint.

In Conditional Access, these client apps are known to be protected with an app protection policy. More information about app protection policies can be found in the article App protection policies overview.

Warning

Not all applications are supported as approved applications or support app protection policies. For a list of eligible client apps, see App protection policy requirement.

Note

"Require one of the selected controls" under grant controls works like an OR clause. It is used within a policy to let users use apps that support either the Require app protection policy or the Require approved client app grant control. If an app is supported by both controls, Require app protection policy is enforced. For more information on which apps support the Require app protection policy grant control, see App protection policy requirement.

Scenario 1: Microsoft 365 apps require approved apps with app protection policies

In this scenario, Contoso has decided that all mobile access to Microsoft 365 resources must use approved client apps, like Outlook mobile and OneDrive, protected by an app protection policy prior to receiving access. All of their users already sign in with Azure AD credentials and have licenses assigned to them that include Azure AD Premium P1 or P2 and Microsoft Intune.

Organizations must complete the following steps in order to require the use of an approved client app on mobile devices.

Step 1: Configure an Azure AD Conditional Access policy for Microsoft 365

  1. Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.
  2. Browse to Azure Active Directory > Security > Conditional Access.
  3. Select New policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users and groups.
    1. Under Include, select All users or the specific Users and groups you wish to apply this policy to.
    2. Select Done.
  6. Under Cloud apps or actions > Include, select Office 365.
  7. Under Conditions, select Device platforms.
    1. Set Configure to Yes.
    2. Include Android and iOS.
  8. Under Conditions, select Client apps.
    1. Set Configure to Yes.
    2. Select Mobile apps and desktop clients and deselect everything else.
  9. Under Access controls > Grant, select the following options:
    • Require approved client app
    • Require app protection policy (preview)
    • Require all the selected controls
  10. Confirm your settings and set Enable policy to On.
  11. Select Create to create and enable your policy.

Step 2: Configure an Azure AD Conditional Access policy for Exchange Online with ActiveSync (EAS)

For the Conditional Access policy in this step, configure the following components:

  1. Browse to Azure Active Directory > Security > Conditional Access.
  2. Select New policy.
  3. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  4. Under Assignments, select Users and groups.
    1. Under Include, select All users or the specific Users and groups you wish to apply this policy to.
    2. Select Done.
  5. Under Cloud apps or actions > Include, select Office 365 Exchange Online.
  6. Under Conditions, select Client apps:
    1. Set Configure to Yes.
    2. Select Exchange ActiveSync clients and deselect everything else.
  7. Under Access controls > Grant, select Grant access, Require app protection policy, and select Select.
  8. Confirm your settings and set Enable policy to On.
  9. Select Create to create and enable your policy.

Step 3: Configure Intune app protection policy for iOS and Android client applications

Review the article How to create and assign app protection policies for steps to create app protection policies for Android and iOS.

Scenario 2: Browser apps require approved apps with app protection policies

In this scenario, Contoso has decided that all mobile web browsing access to Microsoft 365 resources must use an approved client app, like Edge for iOS and Android, protected by an app protection policy prior to receiving access. All of their users already sign in with Azure AD credentials and have licenses assigned to them that include Azure AD Premium P1 or P2 and Microsoft Intune.

Organizations must complete the following steps in order to require the use of an approved client app on mobile devices.

Step 1: Configure an Azure AD Conditional Access policy for Microsoft 365

  1. Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.
  2. Browse to Azure Active Directory > Security > Conditional Access.
  3. Select New policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users and groups.
    1. Under Include, select All users or the specific Users and groups you wish to apply this policy to.
    2. Select Done.
  6. Under Cloud apps or actions > Include, select Office 365.
  7. Under Conditions, select Device platforms.
    1. Set Configure to Yes.
    2. Include Android and iOS.
  8. Under Conditions, select Client apps.
    1. Set Configure to Yes.
    2. Select Browser and deselect everything else.
  9. Under Access controls > Grant, select the following options:
    • Require approved client app
    • Require app protection policy (preview)
    • Require all the selected controls
  10. Confirm your settings and set Enable policy to On.
  11. Select Create to create and enable your policy.

Step 2: Configure Intune app protection policy for iOS and Android client applications

Review the article How to create and assign app protection policies for steps to create app protection policies for Android and iOS.

Scenario 3: Exchange Online and SharePoint require an approved client app and app protection policy

In this scenario, Contoso has decided that users may only access email and SharePoint data on mobile devices as long as they use an approved client app, like Outlook mobile, protected by an app protection policy prior to receiving access. All of their users already sign in with Azure AD credentials and have licenses assigned to them that include Azure AD Premium P1 or P2 and Microsoft Intune.

Organizations must complete the following three steps in order to require the use of an approved client app on mobile devices and Exchange ActiveSync clients.

Step 1: Policy for Android and iOS based modern authentication clients requiring the use of an approved client app and app protection policy when accessing Exchange Online and SharePoint

  1. Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.
  2. Browse to Azure Active Directory > Security > Conditional Access.
  3. Select New policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users and groups.
    1. Under Include, select All users or the specific Users and groups you wish to apply this policy to.
    2. Select Done.
  6. Under Cloud apps or actions > Include, select Office 365 Exchange Online and Office 365 SharePoint Online.
  7. Under Conditions, select Device platforms.
    1. Set Configure to Yes.
    2. Include Android and iOS.
  8. Under Conditions, select Client apps.
    1. Set Configure to Yes.
    2. Select Mobile apps and desktop clients and deselect everything else.
  9. Under Access controls > Grant, select the following options:
    • Require approved client app
    • Require app protection policy (preview)
    • Require one of the selected controls
  10. Confirm your settings and set Enable policy to On.
  11. Select Create to create and enable your policy.

Step 2: Policy for Exchange ActiveSync clients requiring the use of an approved client app

  1. Browse to Azure Active Directory > Security > Conditional Access.
  2. Select New policy.
  3. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  4. Under Assignments, select Users and groups.
    1. Under Include, select All users or the specific Users and groups you wish to apply this policy to.
    2. Select Done.
  5. Under Cloud apps or actions > Include, select Office 365 Exchange Online.
  6. Under Conditions, select Client apps:
    1. Set Configure to Yes.
    2. Select Exchange ActiveSync clients and deselect everything else.
  7. Under Access controls > Grant, select Grant access, Require app protection policy, and select Select.
  8. Confirm your settings and set Enable policy to On.
  9. Select Create to create and enable your policy.

Step 3: Configure Intune app protection policy for iOS and Android client applications

Review the article How to create and assign app protection policies for steps to create app protection policies for Android and iOS.
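The portal steps in Scenarios 1 and 3 above, written as Microsoft Graph conditionalAccessPolicy bodies so the resulting configuration can be reviewed or compared as code, together with the grant-control rule from the Note. This is an added example, not code from the article; it assumes the Graph resource's field and enum names (approvedApplication for Require approved client app, compliantApplication for Require app protection policy, operator AND/OR) and the well-known first-party app IDs for Exchange Online and SharePoint Online.

```python
# Added example, not part of the article: the portal steps of Scenarios 1 and 3
# written as Microsoft Graph conditionalAccessPolicy bodies, plus the Note's
# rule for "Require one of the selected controls". Assumed Graph names:
# approvedApplication = Require approved client app,
# compliantApplication = Require app protection policy, operator AND/OR.
APPROVED_APP = "approvedApplication"
APP_PROTECTION = "compliantApplication"
OFFICE_365 = "Office365"                                  # Office 365 app group
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"  # first-party app IDs
SHAREPOINT_ONLINE = "00000003-0000-0ff1-ce00-000000000000"


def build_policy(name, apps, client_app_types, controls, operator, platforms=None):
    """Graph-shaped conditionalAccessPolicy for all users, state enabled."""
    conditions = {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": list(apps)},
        "clientAppTypes": list(client_app_types),
    }
    if platforms:  # step 1 of Scenarios 1 and 3 scopes the policy to Android and iOS
        conditions["platforms"] = {"includePlatforms": list(platforms)}
    return {"displayName": name, "state": "enabled", "conditions": conditions,
            "grantControls": {"operator": operator, "builtInControls": list(controls)}}


def enforced_controls(policy, app_supports):
    """Controls a client app must satisfy under `policy`; [] means blocked.
    AND: every selected control must be supported by the app.
    OR (the Note): app protection policy wins when the app supports both,
    otherwise whichever single control the app does support."""
    grant = policy["grantControls"]
    required = grant["builtInControls"]
    supported = [c for c in required if c in app_supports]
    if grant["operator"] == "AND":
        return list(required) if len(supported) == len(required) else []
    if APP_PROTECTION in supported:
        return [APP_PROTECTION]
    return supported[:1]


# Scenario 1 step 1: Office 365 from mobile apps on Android/iOS, both controls required.
M365_MOBILE = build_policy("S1 M365 mobile apps", [OFFICE_365], ["mobileAppsAndDesktopClients"],
                           [APPROVED_APP, APP_PROTECTION], "AND", ["android", "iOS"])
# Scenario 1 step 2 and Scenario 3 step 2: Exchange ActiveSync clients, app protection only.
EAS = build_policy("EAS app protection", [EXCHANGE_ONLINE], ["exchangeActiveSync"],
                   [APP_PROTECTION], "AND")
# Scenario 3 step 1: Exchange + SharePoint from mobile apps, either control suffices.
EXO_SPO_MOBILE = build_policy("S3 EXO/SPO mobile apps", [EXCHANGE_ONLINE, SHAREPOINT_ONLINE],
                              ["mobileAppsAndDesktopClients"],
                              [APPROVED_APP, APP_PROTECTION], "OR", ["android", "iOS"])
```

Each dict can be posted to the Graph conditionalAccessPolicies collection as-is; `enforced_controls` shows why Scenario 3 uses OR: an app that only supports one of the two controls is still admitted, while Scenario 1's AND blocks it.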

Next steps

What is Conditional Access?

Conditional Access components

Common Conditional Access policies