Protect apps with Microsoft Cloud App Security Conditional Access App Control

Applies to: Microsoft Cloud App Security

In today's workplace, it's often not enough to know what's happening in your cloud environment after the fact. You want to stop breaches and leaks in real time, before employees intentionally or inadvertently put your data and your organization at risk. It's important to enable users in your organization to make the most of the services and tools available to them in cloud apps and to let them bring their own devices to work. At the same time, you need tools that help protect your organization from data leaks and data theft in real time. Microsoft Cloud App Security integrates with any identity provider (IdP) to deliver these capabilities with access and session controls. If you use Azure Active Directory (Azure AD) as your IdP, these controls are integrated and streamlined for a simpler, more tailored deployment built on Azure AD's Conditional Access tool.

Note

  • To use Cloud App Security Conditional Access App Control, you need an Azure Active Directory P1 license, or the license required by your IdP solution, as well as a Cloud App Security license.

How it works

Conditional Access App Control uses a reverse proxy architecture and integrates with your IdP. When integrating with Azure AD Conditional Access, you can configure apps to work with Conditional Access App Control with just a few clicks, allowing you to easily and selectively enforce access and session controls on your organization's apps based on any condition in Conditional Access. The conditions define who (a user or group of users), what (which cloud apps) and where (which locations and networks) a Conditional Access policy applies to. After you've determined the conditions, you can route users to Cloud App Security, where you protect data with Conditional Access App Control by applying access and session controls.

Conditional Access App Control enables user app access and sessions to be monitored and controlled in real time based on access and session policies. Access and session policies are used within the Cloud App Security portal to further refine filters and set actions to be taken on a user. With the access and session policies, you can:

  • Prevent data exfiltration: You can block the download, cut, copy, and print of sensitive documents on, for example, unmanaged devices.

  • Protect on download: Instead of blocking the download of sensitive documents, you can require documents to be labeled and protected with Azure Information Protection. This action ensures the document is protected and user access is restricted in a potentially risky session.

  • Prevent upload of unlabeled files: Before a sensitive file is uploaded, distributed, and used by others, it's important to make sure that the file has the right label and protection. You can ensure that unlabeled files with sensitive content are blocked from being uploaded until the user classifies the content.

  • Block potential malware: You can protect your environment from malware by blocking the upload of potentially malicious files. Any file that is uploaded or downloaded can be scanned against Microsoft threat intelligence and blocked instantaneously.

  • Monitor user sessions for compliance: Risky users are monitored when they sign into apps, and their actions are logged from within the session. You can investigate and analyze user behavior to understand where, and under what conditions, session policies should be applied in the future.

  • Block access: You can granularly block access for specific apps and users depending on several risk factors. For example, you can block them if they are using client certificates as a form of device management.

  • Block custom activities: Some apps have unique scenarios that carry risk, for example, sending messages with sensitive content in apps like Microsoft Teams or Slack. In these kinds of scenarios, you can scan messages for sensitive content and block them in real time.

How session control works

Creating a session policy with Conditional Access App Control enables you to control user sessions by redirecting the user through a reverse proxy instead of directly to the app. From then on, user requests and responses go through Cloud App Security rather than directly to the app.

When a session is protected by proxy, all the relevant URLs and cookies are replaced by Cloud App Security. For example, if the app returns a page with links whose domains end with myapp.com, the link's domain is suffixed with something like *.mcas.ms, as follows:

App URL      Replaced URL
myapp.com    myapp.com.mcas.ms

This method doesn't require you to install anything on the device, making it ideal when monitoring or controlling sessions from unmanaged devices or partner users.
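To make the rewriting step concrete, here is an added Go example; it is not Cloud App Security code, and the real proxy's implementation is not documented on this page. It assumes the constructed domain myapp.com and the suffix .mcas.ms from the table above, and goes a little beyond the table: it rewrites absolute links in static markup and the Domain attribute of Set-Cookie headers, while leaving relative links, third-party hosts, and look-alike names such as notmyapp.com unchanged.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed values for illustration: the proxied app's domain and the suffix the
// proxy appends to it (the page's example is myapp.com -> myapp.com.mcas.ms).
const (
	appDomain   = "myapp.com"
	proxySuffix = ".mcas.ms"
)

// belongsToApp reports whether host is the app's apex domain or a subdomain of it.
// The dot boundary keeps look-alike names such as notmyapp.com out of the rewrite.
func belongsToApp(host string) bool {
	host = strings.ToLower(host)
	return host == appDomain || strings.HasSuffix(host, "."+appDomain)
}

// RewriteURL points an absolute URL for the app at the proxy host instead
// (myapp.com -> myapp.com.mcas.ms, files.myapp.com -> files.myapp.com.mcas.ms).
// Relative URLs already resolve against the proxied origin and third-party hosts
// are not proxied, so both are returned unchanged.
func RewriteURL(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Host == "" || !belongsToApp(u.Hostname()) {
		return raw, nil
	}
	host := u.Hostname() + proxySuffix
	if port := u.Port(); port != "" {
		host += ":" + port
	}
	u.Host = host
	return u.String(), nil
}

// RewriteSetCookie rewrites the Domain attribute of a Set-Cookie header value so the
// browser scopes the cookie to the proxied domain. Cookies without a Domain attribute
// are host-only and already bind to the proxy host, so they pass through unchanged.
func RewriteSetCookie(header string) string {
	parts := strings.Split(header, ";")
	for i, part := range parts {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) != 2 || !strings.EqualFold(kv[0], "Domain") {
			continue
		}
		if d := strings.TrimPrefix(kv[1], "."); belongsToApp(d) {
			parts[i] = " Domain=" + d + proxySuffix
		}
	}
	return strings.Join(parts, ";")
}

// attrRef matches href, src and action attribute values in static markup.
var attrRef = regexp.MustCompile(`(?i)\b(href|src|action)="([^"]*)"`)

// RewriteHTML applies RewriteURL to every matched attribute in a response body.
// Script-generated URLs are out of scope for this example.
func RewriteHTML(body string) string {
	return attrRef.ReplaceAllStringFunc(body, func(m string) string {
		sub := attrRef.FindStringSubmatch(m)
		rewritten, err := RewriteURL(sub[2])
		if err != nil {
			return m // leave an unparsable URL alone rather than corrupt the page
		}
		return sub[1] + `="` + rewritten + `"`
	})
}

func main() {
	// Constructed response fragment from the app, as the proxy would see it.
	page := `<a href="https://myapp.com/docs?id=1">Docs</a> <img src="https://cdn.example.net/logo.png"> <a href="/relative">Home</a>`
	fmt.Println(RewriteHTML(page))
	fmt.Println(RewriteSetCookie("session=abc123; Domain=.myapp.com; Path=/; Secure; HttpOnly"))
}
```

RewriteURL is the core; RewriteHTML and RewriteSetCookie show the two places on the response path where a reverse proxy has to apply it (markup and the cookie Domain attribute), which is why the page says both URLs and cookies are replaced. The hostname test insists on a dot boundary so that unrelated look-alike domains are never routed through the proxy.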

Note

  • Our technology uses best-in-class patented heuristics to identify and control activities performed by the user in the target app. Our heuristics are designed to optimize and balance security with usability. In some rare scenarios, when blocking activities on the server side renders the app unusable, we secure these activities only on the client side, which makes them potentially susceptible to exploitation by malicious insiders.
  • Cloud App Security leverages Azure data centers around the world to provide optimized performance through geolocation. This means that a user's session may be hosted outside of a particular region, depending on traffic patterns and their location. However, to protect your privacy, no session data is stored in these data centers.
  • Our proxy servers do not store data at rest. When caching content, we follow the requirements laid out in RFC 7234 (HTTP caching) and only cache public content.

Managed device identification

Conditional Access App Control enables you to create policies that take into account whether a device is managed or not. To identify the state of a device, you can configure access and session policies to check for:

  • Microsoft Intune compliant devices [only available with Azure AD]
  • Hybrid Azure AD joined devices [only available with Azure AD]
  • Presence of client certificates in a trusted chain

Intune compliant and Hybrid Azure AD joined devices

Azure AD Conditional Access enables Intune compliant and Hybrid Azure AD joined device information to be passed directly to Cloud App Security. From there, an access policy or a session policy can be developed that uses device state as a filter. For more information, see the Introduction to device management in Azure Active Directory.

Note

Some browsers may require additional configuration, such as installing an extension. For more information, see Conditional Access browser support.

Client-certificate authenticated devices

The device identification mechanism can request authentication from relevant devices using client certificates. You can either use existing client certificates already deployed in your organization or roll out new client certificates to managed devices. Make sure that the client certificate is installed in the user store and not the computer store. You then use the presence of those certificates to set access and session policies.

SSL client certificates are verified via a trust chain. You can upload an X.509 root or intermediate certificate authority (CA) certificate in PEM format. These certificates must contain the public key of the CA that signed the client certificates presented during a session.

Once the certificate is uploaded and a relevant policy is configured, when an applicable session traverses Conditional Access App Control, the Cloud App Security endpoint requests the browser to present its SSL client certificate. The browser serves the SSL client certificates that are installed with a private key. This combination of certificate and private key is packaged using the PKCS #12 file format, typically .p12 or .pfx.

When a client certificate check is performed, Cloud App Security checks for the following conditions:

  1. The selected client certificate is valid and is under the correct root or intermediate CA.
  2. The certificate is not revoked (if CRL is enabled).
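The following added Go example (not Cloud App Security code; how the service implements these checks is not documented on this page) performs the two conditions above against a constructed test PKI: a root CA, a device-issuing intermediate CA, two client certificates issued by that intermediate (one of them placed on the intermediate's CRL), and a client certificate from an unrelated CA that must fail the chain check. Names such as Contoso Root CA and laptop-01 are constructed; the PEM upload and user-store installation steps the page describes are outside this snippet.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CheckResult records the two conditions listed above.
type CheckResult struct {
	ChainValid bool // chains to an uploaded root/intermediate CA and is valid for client auth
	Revoked    bool // serial number is listed on the issuing CA's CRL
}

// VerifyClientCert runs both checks. roots and intermediates hold the CA certificates an
// administrator uploaded; crlDER is the issuing CA's CRL, or nil when CRL checking is disabled.
// A CRL that does not parse or is not signed by issuer is returned as an error (fail closed).
func VerifyClientCert(cert *x509.Certificate, roots, intermediates *x509.CertPool,
	issuer *x509.Certificate, crlDER []byte) (CheckResult, error) {
	var res CheckResult
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	res.ChainValid = err == nil
	if crlDER == nil {
		return res, nil
	}
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return res, err
	}
	if err := rl.CheckSignatureFrom(issuer); err != nil {
		return res, err
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			res.Revoked = true
		}
	}
	return res, nil
}

// template builds a CA or client-auth certificate template for the constructed test PKI.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: ca, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if ca { // CAs sign certificates and CRLs and carry no client-auth EKU
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	return t
}

// issue signs tmpl with parentKey (self-signed when parent is nil). Panicking is acceptable
// here because issue only builds the constructed fixture, never checks a real certificate.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// BuildScenario creates the constructed PKI: pools holding the uploaded root and intermediate CA,
// the intermediate itself, two clients it issued (one then revoked), a client from an unrelated CA,
// and the intermediate's signed CRL.
func BuildScenario() (roots, inters *x509.CertPool, inter, good, revoked, rogue *x509.Certificate, crl []byte) {
	root, rootKey := issue(template("Contoso Root CA (constructed)", 1, true), nil, nil)
	inter, interKey := issue(template("Contoso Device CA (constructed)", 2, true), root, rootKey)
	good, _ = issue(template("laptop-01", 100, false), inter, interKey)
	revoked, _ = issue(template("laptop-02", 101, false), inter, interKey)
	otherCA, otherKey := issue(template("Unrelated CA (constructed)", 3, true), nil, nil)
	rogue, _ = issue(template("laptop-03", 102, false), otherCA, otherKey)
	crl, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Hour), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: time.Now()}},
	}, inter, interKey)
	must(err)
	roots, inters = x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	return
}
```

With BuildScenario as the fixture, VerifyClientCert reports ChainValid for both certificates issued under the uploaded intermediate and Revoked only for the one on the CRL; the certificate from the unrelated CA fails the chain check because that CA was never uploaded, which is condition 1 in practice. Passing nil for the CRL reproduces the "CRL disabled" case, and a CRL that is malformed or not signed by the issuing CA is an error rather than a silent pass.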

Note

Most major browsers support performing a client certificate check. However, mobile and desktop apps often use built-in browsers that may not support this check, which therefore affects authentication for these apps.

To configure a policy to use device management via client certificates:

  1. In Cloud App Security, in the menu bar, click the settings cog and select Settings.

  2. Select the Device identification tab.

  3. Upload as many root or intermediate certificates as you require.

    Tip

    To test how this works, you can use our sample root CA and client certificate, as follows:

    1. Download the sample root CA and client certificate.
    2. Upload the root CA to Cloud App Security.
    3. Install the client certificate (password=Microsoft) onto the relevant devices.

After the certificates are uploaded, you can create access and session policies based on Device tag and Valid client certificate.

Supported apps and clients

Session and access controls can be applied to any interactive single sign-on that uses the SAML 2.0 authentication protocol or, if you are using Azure AD, the OpenID Connect authentication protocol as well. Furthermore, if your apps are configured with Azure AD, you can also apply these controls to apps hosted on-premises and configured with the Azure AD App Proxy. In addition, access controls can be applied to native mobile and desktop client apps.

Cloud App Security identifies apps using information available in its Cloud App Catalog. Some organizations and users customize apps by adding plugins. However, in order for session controls to work correctly with these plugins, the associated custom domains must be added to the respective app in the catalog.

Note

The Authenticator app, among other native client app sign-in flows, uses a non-interactive sign-in flow and cannot be used with access controls.

Access controls

Many organizations that choose to use session controls for cloud apps to control in-session activities also apply access controls to block the same set of native mobile and desktop client apps, thereby providing comprehensive security for the apps.

You can block access to native mobile and desktop client apps with access policies by setting the Client app filter to Mobile and desktop. Some native client apps can be individually recognized, whilst others that are part of a suite of apps can only be identified as their top-level app. For example, apps like SharePoint Online can only be recognized by creating an access policy applied to Office 365 apps.

Note

Unless the Client app filter is specifically set to Mobile and desktop, the resulting access policy will only apply to browser sessions. The reason for this is to prevent inadvertently proxying user sessions, which may be a byproduct of using this filter. Whilst most major browsers support performing a client certificate check, some mobile and desktop apps use built-in browsers that may not support this check. Therefore, using this filter can affect authentication for these apps.

Session controls

While session controls are built to work with any browser on any major platform on any operating system, we support Microsoft Edge (latest), Google Chrome (latest), Mozilla Firefox (latest), and Apple Safari (latest). Access to mobile and desktop apps can also be blocked or allowed.

Note

  • Cloud App Security uses Transport Layer Security (TLS) protocol versions 1.2 and later to provide best-in-class encryption. Native client apps and browsers that do not support TLS 1.2+ will not be accessible when configured with session control. However, SaaS apps that use TLS 1.1 or lower will appear in the browser as using TLS 1.2+ when configured with Cloud App Security.
  • To apply session controls to portal.office.com, you must onboard the Microsoft 365 admin center. For more information about onboarding apps, see Onboard and deploy Conditional Access App Control for any app.

Any web app configured using the previously mentioned authentication protocols can be onboarded to work with access and session controls. In addition, the following apps are featured by Cloud App Security and are already onboarded and ready to use in any tenant:

  • AWS
  • Azure DevOps (Visual Studio Team Services)
  • Azure portal
  • Box
  • Concur
  • CornerStone on Demand
  • DocuSign
  • Dropbox
  • Dynamics 365 CRM (preview)
  • Egnyte
  • Exchange Online
  • G Suite
  • GitHub
  • HighQ
  • JIRA/Confluence
  • OneDrive for Business
  • LinkedIn Learning
  • Power BI
  • Salesforce
  • ServiceNow
  • SharePoint Online
  • Slack
  • Tableau
  • Microsoft Teams (preview)
  • Workday
  • Workiva
  • Workplace by Facebook
  • Yammer (preview)

The following is a list of featured apps that are supported in Office 365 Cloud App Security. To use these apps with Cloud App Security, you must have an Office 365 E5 license.

  • Exchange Online
  • OneDrive for Business
  • Power BI
  • SharePoint Online
  • Microsoft Teams (preview)
  • Yammer (preview)

If you're interested in a specific app being featured, send us details about the app. Be sure to send the use case you're interested in for onboarding it.

Next steps

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.