Access policies

Applies to: Microsoft Cloud App Security

Microsoft Cloud App Security access policies enable real-time monitoring and control over access to cloud apps based on user, location, device, and app. You can create access policies for any device, including devices that aren't Hybrid Azure AD Join and aren't managed by Microsoft Intune, by rolling out client certificates to managed devices or by using existing certificates, such as third-party MDM certificates. For example, you can deploy client certificates to managed devices, and then block access from devices without a certificate.

Note

Instead of allowing or blocking access completely, with session policies you can allow access while monitoring the session and/or limiting specific session activities.

Prerequisites to using access policies

Create a Cloud App Security access policy

To create a new access policy, follow this procedure:

  1. In the portal, select Control followed by Policies.

  2. In the Policies page, click Create policy and select Access policy.

  3. In the Access policy window, assign a name for your policy, such as Block access from unmanaged devices.

  4. In the Activities matching all of the following section, under Activity source, select additional activity filters to apply to the policy. Filters include the following options:

    • Device tags: Use this filter to identify unmanaged devices.

    • Location: Use this filter to identify unknown (and therefore risky) locations.

    • IP address: Use this filter to filter per IP address or to use previously assigned IP address tags.

    • User agent tag: Use this filter to enable the heuristic that identifies mobile and desktop apps. This filter can be set to equals or does not equal. The values should be tested against your mobile and desktop apps for each cloud app.

  5. Under Actions, select one of the following options:

    • Test: Set this action to explicitly allow access according to the policy filters you set.

    • Block: Set this action to explicitly block access according to the policy filters you set.

  6. You can select Create an alert for each matching event with the policy's severity, set an alert limit, and choose whether you want the alert as an email, a text message, or both.
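The steps above configure the policy through the portal. To make the evaluation semantics concrete (every filter in "Activities matching all of the following" must match, the equals / does not equal operator on a filter, Test versus Block, and one alert per matching event capped by the alert limit), here is an added Python model written for this page. It is not Cloud App Security code: the event fields, the "Managed" device tag, the user agent tag values and the sample events are all constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed model of how an access policy's filters and action combine.
# Illustration written for this page, not Cloud App Security's implementation;
# every field name, tag name and sample value below is a hypothetical placeholder.


@dataclass
class AccessEvent:
    user: str
    device_tags: Set[str]   # e.g. a tag applied to devices that presented a client certificate
    location: str
    ip: str
    user_agent_tag: str     # "mobile", "desktop" or "browser" in this model


@dataclass
class Filter:
    attribute: str   # name of an AccessEvent field
    operator: str    # "equals" or "does_not_equal"
    value: str

    def matches(self, event: AccessEvent) -> bool:
        actual = getattr(event, self.attribute)
        # Tag attributes are sets: "equals" means the tag is present on the device.
        present = (self.value in actual) if isinstance(actual, set) else (actual == self.value)
        if self.operator == "equals":
            return present
        if self.operator == "does_not_equal":
            return not present
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass
class AccessPolicy:
    name: str
    filters: List[Filter]
    action: str                        # "Test" (allow, but record the match) or "Block"
    alert_limit: Optional[int] = None  # cap on alerts this policy raises
    alerts: List[str] = field(default_factory=list)

    def evaluate(self, event: AccessEvent) -> str:
        """Return "no_match", "test" (matched but allowed) or "block"."""
        # "Activities matching all of the following": every filter must match.
        if not all(f.matches(event) for f in self.filters):
            return "no_match"
        # One alert per matching event, up to the configured alert limit.
        if self.alert_limit is None or len(self.alerts) < self.alert_limit:
            self.alerts.append(f"{self.name}: {event.user} from {event.ip}")
        return "block" if self.action == "Block" else "test"


def run_demo() -> dict:
    """Evaluate the 'Block access from unmanaged devices' policy over constructed events."""
    policy = AccessPolicy(
        name="Block access from unmanaged devices",
        filters=[
            # Hypothetical: devices that received a client certificate carry the tag "Managed".
            Filter("device_tags", "does_not_equal", "Managed"),
            # Restrict to browser sessions; app heuristics would be tested per cloud app.
            Filter("user_agent_tag", "equals", "browser"),
        ],
        action="Block",
        alert_limit=1,
    )
    events = [  # constructed sample traffic
        AccessEvent("alice", {"Managed"}, "Seattle", "10.0.0.5", "browser"),
        AccessEvent("bob", set(), "Unknown", "198.51.100.7", "browser"),
        AccessEvent("carol", set(), "Unknown", "203.0.113.9", "browser"),
        AccessEvent("dave", set(), "Unknown", "203.0.113.10", "mobile"),
    ]
    decisions = {e.user: policy.evaluate(e) for e in events}
    return {"decisions": decisions, "alerts": len(policy.alerts)}


if __name__ == "__main__":
    print(run_demo())
```

Running the model shows the points a practitioner usually has to discover by trial: alice passes because the Managed tag is present, dave passes because the user agent filter does not match, bob and carol are both blocked, but only bob produces an alert because the alert limit of one has been reached.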

Next steps

See also

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.