What is conditional access in Azure Active Directory?

Security is a top concern for organizations using the cloud. A key aspect of cloud security is identity and access when it comes to managing your cloud resources. In a mobile-first, cloud-first world, users can access your organization's resources using a variety of devices and apps from anywhere. As a result, focusing only on who can access a resource is no longer sufficient. To master the balance between security and productivity, you also need to factor how a resource is accessed into an access control decision. With Azure Active Directory (Azure AD) conditional access, you can address this requirement. Conditional access is a capability of Azure Active Directory. With conditional access, you can implement automated access control decisions for accessing your cloud apps that are based on conditions.

Conditional access policies are enforced after the first-factor authentication has been completed. Therefore, conditional access is not intended as a first line of defense for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events (for example, the sign-in risk level or the location of the request) to determine access.


This article provides a conceptual overview of conditional access in Azure AD.

Common scenarios

In a mobile-first, cloud-first world, Azure Active Directory enables single sign-on to devices, apps, and services from anywhere. With the proliferation of devices (including BYOD), work off corporate networks, and third-party SaaS apps, you are faced with two opposing goals:

  • Empower users to be productive wherever and whenever
  • Protect the corporate assets at any time

By using conditional access policies, you can apply the right access controls under the required conditions. Azure AD conditional access provides added security when it is needed and stays out of your users' way when it isn't.

The following are some common access concerns that conditional access can help you with:

  • Sign-in risk: Azure AD Identity Protection detects sign-in risks. How do you restrict access if a detected sign-in risk indicates a bad actor? What if you would like stronger evidence that a sign-in was performed by the legitimate user? What if your doubts are strong enough to block specific users from accessing an app altogether?

  • Network location: Azure AD is accessible from anywhere. What if an access attempt is performed from a network location that is not under the control of your IT department? A username and password combination might be good enough as proof of identity for access attempts from your corporate network. What if you demand stronger proof of identity for access attempts that are initiated from other, unexpected countries or regions of the world? What if you even want to block access attempts from certain locations?

  • Device management: In Azure AD, users can access cloud apps from a broad range of devices, including mobile and personal devices. What if you demand that access attempts are only performed from devices that are managed by your IT department? What if you even want to block certain device types from accessing cloud apps in your environment?

  • Client application: Today, you can access many cloud apps using different app types such as web-based apps, mobile apps, or desktop apps. What if an access attempt is performed using a client app type that causes known issues? What if you require a device that is managed by your IT department for certain app types?

These questions and the related answers represent common access scenarios for Azure AD conditional access. Conditional access is a capability of Azure Active Directory that enables you to handle access scenarios using a policy-based approach.

Conditional access policies

A conditional access policy is a definition of an access scenario using the following pattern:

[Figure: the policy pattern, "When this happens" followed by "Then do this"]

Then do this specifies the response of your policy. It is important to note that the objective of a conditional access policy is not to grant access to a cloud app. In Azure AD, granting access to cloud apps is handled by user assignments. With a conditional access policy, you control how authorized users (users that have been granted access to a cloud app) can access cloud apps under specific conditions. In your response, you enforce additional requirements such as multi-factor authentication, a managed device, and others. In the context of Azure AD conditional access, the requirements your policy enforces are called access controls. In its most restrictive form, your policy can block access. For more information, see Access controls in Azure Active Directory conditional access.

When this happens defines the reason for triggering your policy. This reason is characterized by a group of conditions that have been satisfied. In Azure AD conditional access, two assignment conditions play a special role:

  • Users: The users performing an access attempt (Who).

  • Cloud apps: The targets of an access attempt (What).

These two conditions are mandatory in a conditional access policy. In addition to the two mandatory conditions, you can also include additional conditions that describe how the access attempt is performed. Common examples are access from mobile devices or from locations outside your corporate network. For more information, see Conditions in Azure Active Directory conditional access.

The combination of conditions with your access controls represents a conditional access policy.


With Azure AD conditional access, you can control how authorized users access your cloud apps. The objective of a conditional access policy is to enforce additional access controls on an access attempt to a cloud app, based on how the access attempt is performed.

A policy-based approach to protecting access to your cloud apps enables you to start drafting the policy requirements for your environment, using the structure outlined in this article, without worrying about the technical implementation.
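The pattern above, worked through as a toy evaluator added for this article (it is not Azure AD code and does not call any Azure AD API): a constructed sign-in is matched against constructed policies whose only effect is to add controls, or to block, on top of access the user already has through assignment. The user, app, condition and control names are all assumptions made for the illustration.

```powershell
# Added illustration, not Azure AD code: a toy evaluator for the
# "when this happens, then do this" pattern. The sign-in, the policies and
# the control names are all constructed for this example.

# Constructed sign-in attempt by a user who is already assigned to the app.
$signIn = @{
    User        = 'alice@contoso.example'  # Who  (mandatory condition)
    CloudApp    = 'Exchange Online'        # What (mandatory condition)
    Location    = 'Untrusted'              # 'Trusted' = corporate network
    DeviceState = 'Unmanaged'              # or 'Managed'
    ClientApp   = 'Browser'                # 'Browser', 'MobileDesktop', 'LegacyAuth'
    SignInRisk  = 'Medium'                 # 'None', 'Low', 'Medium', 'High'
}

# Constructed policies. User and CloudApp are always present; the other keys
# are optional "how" conditions. Control is the policy's response.
$policies = @(
    @{ Name = 'MFA off network';       User = 'All'; CloudApp = 'All'; Location   = 'Untrusted';     Control = 'RequireMFA' }
    @{ Name = 'Block legacy clients';  User = 'All'; CloudApp = 'All'; ClientApp  = 'LegacyAuth';    Control = 'Block' }
    @{ Name = 'Managed device mobile'; User = 'All'; CloudApp = 'All'; ClientApp  = 'MobileDesktop'; Control = 'RequireManagedDevice' }
    @{ Name = 'Block high risk';       User = 'All'; CloudApp = 'All'; SignInRisk = 'High';          Control = 'Block' }
)

function Test-PolicyMatch([hashtable]$Policy, [hashtable]$SignIn) {
    # A policy applies when every condition it names holds; 'All' matches anything.
    foreach ($key in 'User', 'CloudApp', 'Location', 'DeviceState', 'ClientApp', 'SignInRisk') {
        if (-not $Policy.ContainsKey($key) -or $Policy[$key] -eq 'All') { continue }
        if ($SignIn[$key] -ne $Policy[$key]) { return $false }
    }
    return $true
}

function Get-AccessDecision([hashtable]$SignIn, [array]$Policies) {
    # A policy never grants access; it only adds controls on top of the user's
    # existing assignment. Block wins; otherwise every required control stacks.
    $matched  = @($Policies | Where-Object { Test-PolicyMatch $_ $SignIn })
    $controls = @($matched | ForEach-Object { $_.Control } | Sort-Object -Unique)
    if ($controls -contains 'Block') {
        $blockers = $matched | Where-Object { $_.Control -eq 'Block' } | ForEach-Object { $_.Name }
        return 'Blocked by: ' + ($blockers -join ', ')
    }
    if ($controls.Count -eq 0) { return 'Allowed with no additional controls' }
    return 'Allowed only if: ' + ($controls -join ' AND ')
}

Get-AccessDecision $signIn $policies   # browser session from an untrusted network

# Same user, same network, now on an unmanaged phone: a second control stacks.
$signIn.ClientApp = 'MobileDesktop'
Get-AccessDecision $signIn $policies
```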

Azure AD conditional access and federated authentication

Conditional access policies work seamlessly with federated authentication. This support includes all supported conditions and controls, and visibility into how policy is applied to active user sign-ins through Azure AD reporting.

Federated authentication with Azure AD means that a trusted authentication service handles user authentication to Azure AD. A trusted authentication service is, for example, Active Directory Federation Services (AD FS) or any other federation service. In this configuration, primary user authentication is performed at the federation service, and Azure AD is then used to sign in to individual applications. Azure AD conditional access is applied before access is granted to the application the user is accessing.

When the configured conditional access policy requires multi-factor authentication, Azure AD defaults to using Azure MFA. If you use the federation service for MFA, you can configure Azure AD to redirect to the federation service when MFA is needed by setting -SupportsMFA to $true in PowerShell. This setting works for federated authentication services that support the MFA challenge request issued by Azure AD using wauth=http://schemas.microsoft.com/claims/multipleauthn.
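The -SupportsMFA change described above, as an added example that is not part of the original article: it uses the MSOnline module's Set-MsolDomainFederationSettings and Get-MsolDomainFederationSettings cmdlets, reads the value before and after so the change can be verified, and assumes a placeholder federated domain name and an administrator session.

```powershell
# Added example, not part of the original article. Requires the MSOnline
# module and an administrator sign-in; the domain name is a placeholder.
Connect-MsolService

$domain = 'contoso.example'   # placeholder: your federated domain

# Record the current value before changing anything.
$before = Get-MsolDomainFederationSettings -DomainName $domain
"SupportsMFA before: $($before.SupportsMFA)"

# Redirect to the federation service (for example AD FS) when a conditional
# access policy requires MFA, instead of invoking Azure MFA.
Set-MsolDomainFederationSettings -DomainName $domain -SupportsMFA $true

# Verify the change. The federation service must also honor the
# wauth=http://schemas.microsoft.com/claims/multipleauthn challenge, or users
# are redirected to a service that cannot satisfy the MFA requirement.
$after = Get-MsolDomainFederationSettings -DomainName $domain
if (-not $after.SupportsMFA) { throw "SupportsMFA was not set for $domain" }
"SupportsMFA after: $($after.SupportsMFA)"
```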

After the user has signed in to the federated authentication service, Azure AD handles the other policy requirements, such as device compliance or an approved application.

License requirements

Using this feature requires an Azure AD Premium P1 license. To find the right license for your requirements, see Comparing generally available features of the Free, Basic, and Premium editions.

Next steps

To learn how to implement conditional access in your environment, see Plan your conditional access deployment in Azure Active Directory.