What is Conditional Access?

The modern security perimeter now extends beyond an organization's network to include user and device identity. Organizations can use these identity signals as part of their access control decisions.

Conditional Access is the tool used by Azure Active Directory to bring signals together, to make decisions, and to enforce organizational policies. Conditional Access is at the heart of the new identity-driven control plane.

Conceptual Conditional Access: signals plus a decision, then enforcement

Conditional Access policies at their simplest are if-then statements: if a user wants to access a resource, then they must complete an action. Example: A payroll manager wants to access the payroll application and is required to perform multi-factor authentication to access it.

Administrators are faced with two primary goals:

  • Empower users to be productive wherever and whenever
  • Protect the organization's assets

By using Conditional Access policies, you can apply the right access controls when needed to keep your organization secure and stay out of your users' way when not needed.

Conceptual Conditional Access process flow

Important

Conditional Access policies are enforced after first-factor authentication is completed. Conditional Access isn't intended to be an organization's first line of defense for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events to determine access.

Common signals

Common signals that Conditional Access can take into account when making a policy decision include the following:

  • User or group membership
    • Policies can be targeted to specific users and groups, giving administrators fine-grained control over access.
  • IP location information
    • Organizations can create trusted IP address ranges that can be used when making policy decisions.
    • Administrators can specify the IP ranges of entire countries/regions to block or allow traffic from.
  • Device
    • Users with devices of specific platforms, or with devices marked with a specific state, can be used when enforcing Conditional Access policies.
  • Application
    • Users attempting to access specific applications can trigger different Conditional Access policies.
  • Real-time and calculated risk detection
    • Signal integration with Azure AD Identity Protection allows Conditional Access policies to identify risky sign-in behavior. Policies can then force users to perform password changes or multi-factor authentication to reduce their risk level, or block access until an administrator takes manual action.
  • Microsoft Cloud App Security (MCAS)
    • Enables user application access and sessions to be monitored and controlled in real time, increasing visibility and control over access to, and activities performed within, your cloud environment.

Common decisions

  • Block access
    • Most restrictive decision
  • Grant access
    • Least restrictive decision; it can still require one or more of the following options:
      • Require multi-factor authentication
      • Require device to be marked as compliant
      • Require Hybrid Azure AD joined device
      • Require approved client app
      • Require app protection policy (preview)

Commonly applied policies

Many organizations have common access concerns that Conditional Access policies can help with, such as:

  • Requiring multi-factor authentication for users with administrative roles
  • Requiring multi-factor authentication for Azure management tasks
  • Blocking sign-ins for users attempting to use legacy authentication protocols
  • Requiring trusted locations for Azure AD Multi-Factor Authentication registration
  • Blocking or granting access from specific locations
  • Blocking risky sign-in behaviors
  • Requiring organization-managed devices for specific applications
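The decision logic described under "Common decisions" and several of the commonly applied policies above, modelled as a small evaluator. This is an added illustration, not Azure AD's own engine or API: the signal fields, policy names and the trusted-country list are constructed, and it assumes the page's rules that a block is the most restrictive decision (it wins over any grant) and that a grant must satisfy the controls of every matching policy.

```python
from dataclasses import dataclass

# Constructed sign-in signals, mirroring the "Common signals" list. These are
# evaluated after first-factor authentication has already succeeded.
@dataclass(frozen=True)
class SignIn:
    user: str
    roles: frozenset          # directory roles held by the user
    app: str                  # application being accessed
    country: str              # resolved from IP location information
    client_app: str           # "browser", "modern", or "legacy"
    device_compliant: bool    # device marked compliant by management
    sign_in_risk: str         # "none", "low", "medium", "high" (Identity Protection)

# A policy is an if-then statement: if condition(sign_in) holds, then either
# block, or grant subject to the listed controls (e.g. "mfa", "compliantDevice").
@dataclass(frozen=True)
class Policy:
    name: str
    condition: object         # callable taking a SignIn and returning bool
    block: bool = False
    controls: frozenset = frozenset()

TRUSTED_COUNTRIES = frozenset({"US", "CA"})   # constructed example list

POLICIES = [
    Policy("MFA for admin roles", lambda s: "Global Administrator" in s.roles,
           controls=frozenset({"mfa"})),
    Policy("Block legacy authentication", lambda s: s.client_app == "legacy", block=True),
    Policy("Block risky sign-ins", lambda s: s.sign_in_risk in {"medium", "high"}, block=True),
    Policy("Block untrusted locations", lambda s: s.country not in TRUSTED_COUNTRIES, block=True),
    Policy("Managed device for Payroll", lambda s: s.app == "Payroll",
           controls=frozenset({"compliantDevice"})),
]

def evaluate(sign_in, policies=POLICIES):
    """Return ("block", {policy name}) or ("grant", {required controls}).

    Block is the most restrictive decision and wins over any grant. When several
    grant policies match, the user must satisfy the union of their controls."""
    required = set()
    for p in policies:
        if not p.condition(sign_in):
            continue
        if p.block:
            return "block", {p.name}
        required |= p.controls
    return "grant", required
```

Whether the user actually satisfies the returned controls (completes MFA, presents a compliant device) is the enforcement step that follows the decision.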

License requirements

Using this feature requires an Azure AD Premium P1 license. To find the right license for your requirements, see Comparing generally available features of the Free, Basic, and Premium editions.

Customers with Microsoft 365 Business Premium licenses also have access to Conditional Access features.

Sign-in risk requires access to Identity Protection.

Next steps