Troubleshooting access and session controls

This article provides admins with guidance on how to investigate and resolve common access and session control issues as experienced by admins and end users.

Before you proceed, make sure your environment meets the following minimum general requirements for access and session controls.

  • Licensing: Make sure you have a valid license.
  • Single Sign-On (SSO): Apps must be configured with one of the supported SSO solutions:
    • Azure Active Directory (Azure AD) using SAML 2.0 or OpenID Connect 2.0
    • Third-party IdP using SAML 2.0
  • Browser support: Session controls are available for browser-based sessions on these supported browsers: Microsoft Edge (latest), Google Chrome (latest), Mozilla Firefox (latest), or Apple Safari (latest).
  • Downtime: Cloud App Security allows you to define the default behavior to apply in the event of a service disruption, such as a component not functioning correctly. You can choose to harden (block) or bypass (allow) user actions on potentially sensitive content when the normal policy controls cannot be enforced. This default behavior during system downtime can be configured in the Cloud App Security portal, as follows: Settings > Conditional Access App Control > Default behavior > Allow or Block access.

Issues experienced by admins

This section is for admins configuring access and session controls with Cloud App Security and helps identify common situations that may arise in the following areas:

  • Network conditions
    • Network errors when navigating to a browser page
    • Slow login
    • Additional considerations
  • Device identification
    • Misidentified Intune Compliant or Hybrid Azure AD joined devices
    • Client certificates are not prompting when expected
    • Client certificates are prompting at every login
    • Additional considerations
  • Onboarding an app
    • App does not appear on the Conditional Access App Control apps page
    • App status: Continue Setup
    • Cannot configure controls for native apps
    • App is not recognized page appears
    • Request session control option appears
    • Additional considerations
  • Creating access and session policies
    • In Conditional Access policies, you cannot see the Conditional Access App Control option
    • Error message when creating a policy: You don't have any apps deployed with Conditional Access App Control
    • Cannot create session policies for an app
    • Cannot choose Inspection Method: Data Classification Service
    • Cannot choose Action: Protect
    • Additional considerations

Network conditions

Common network condition issues you may encounter include:

Network errors when navigating to a browser page

When you are first setting up Cloud App Security access and session controls for an app, common network errors that may arise include "This site is not secure" and "There is no internet connection". These messages can indicate a general network configuration error.

Recommended steps

  1. Configure your firewall to work with Cloud App Security using the Azure IP addresses and DNS names relevant to your environment.

    1. Add outbound port 443 for the following IP addresses and DNS names for your Cloud App Security data center.
    2. Restart your machine and your browser session.
    3. Verify that the login is working as expected.
  2. Enable TLS 1.2 in your browser's internet options.

    Note

    • Cloud App Security uses Transport Layer Security (TLS) protocol version 1.2 and later to provide best-in-class encryption. Native client apps and browsers that do not support TLS 1.2+ will not be accessible when configured with session control. However, SaaS apps that use TLS 1.1 or lower will appear in the browser as using TLS 1.2+ when configured with Cloud App Security.
    • While session controls are built to work with any browser on any major platform on any operating system, we support Microsoft Edge (latest), Google Chrome (latest), Mozilla Firefox (latest), or Apple Safari (latest). Access to mobile and desktop apps can also be blocked or allowed.

    Steps per browser:

    Microsoft Internet Explorer
      1. Open Internet Explorer.
      2. Select Tools > Internet Options > Advanced tab.
      3. Under Security, select TLS 1.2.
      4. Select Apply, and then select OK.
      5. Restart your browser and verify that you can access the app.
    Microsoft Edge / Edge Chromium
      1. Open search from the taskbar and search for "Internet Options".
      2. Select Internet Options.
      3. Under Security, select TLS 1.2.
      4. Select Apply, and then select OK.
      5. Restart your browser and verify that you can access the app.
    Google Chrome
      1. Open Google Chrome.
      2. At the top-right, click More (3 vertical dots) > Settings.
      3. At the bottom, click Advanced.
      4. Under System, click Open proxy settings.
      5. On the Advanced tab, under Security, select TLS 1.2.
      6. Click OK.
      7. Restart your browser and verify that you are able to access the app.
    Mozilla Firefox
      1. Open Mozilla Firefox.
      2. In the address bar, go to "about:config".
      3. In the Search box, search for "TLS".
      4. Double-click the entry for security.tls.version.min.
      5. Set the integer value to 3 to force TLS 1.2 as the minimum required version.
      6. Click Save (the check mark to the right of the value box).
      7. Restart your browser and verify that you are able to access the app.
    Safari
      If you are using Safari version 7 or greater, TLS 1.2 is automatically enabled.

Slow login

Proxy chaining and nonce-handling are some of the common issues that could result in slow login performance.

Recommended steps

  1. Configure your environment to remove firewall and forward proxy chaining (connecting two or more proxy servers to navigate to the intended page) and other external factors that can cause slowness in the login process.

    1. Identify whether proxy chaining is occurring in your environment.
    2. Remove additional forward proxies where possible.
  2. Turn off nonce-handling for your apps that do not use a nonce.

    Note

    Some apps use a nonce hash during authentication to prevent replay attacks. By default, Cloud App Security assumes an app uses a nonce. If the app you are working with does not use a nonce, you can disable nonce-handling for this app in Cloud App Security.

    1. In Cloud App Security, in the menu bar, click the settings cog, and then select Conditional Access App Control.
    2. In the list of apps, on the row in which the app you are configuring appears, choose the three dots at the end of the row, and then choose Edit app.
    3. Click Nonce-handling to expand the section, and then clear Enable nonce handling.
    4. Log out of the app and close all browser sessions.
    5. Restart your browser, log in to the app, and verify that the login is working as expected.

Additional considerations

While troubleshooting network conditions, there are some additional things to consider about the Cloud App Security proxy.

  • Session is being routed to another data center

    Cloud App Security uses Azure data centers around the world to optimize performance through geolocation. This means that a user's session may be hosted outside of their region, depending on traffic patterns and their location. However, to protect your privacy, no session data is stored in these data centers.

  • Proxy performance

    Deriving a performance baseline depends on many factors outside of Cloud App Security's proxy, such as:

    • What other proxies or gateways sit in series with this proxy
    • Where the user is coming from
    • Where the targeted resource resides
    • Specific requests on the page

    In general, any proxy will add latency. The advantages of the Cloud App Security proxy are:

    • Leveraging the global availability of Azure domain controllers to geolocate users to the nearest node and reduce their round-trip distance, on a scale that few services around the world have.
    • Leveraging the integration with Azure AD Conditional Access to only route the sessions you want to proxy to our service, instead of all users in all situations.

Device identification

Cloud App Security provides the following options for identifying a device's management state.

  1. Microsoft Intune compliance
  2. Hybrid Azure AD Domain joined
  3. Client certificates

For more information on device identification, see Managed Device Identification.

Common device identification issues you may encounter include:

Misidentified Intune Compliant or Hybrid Azure AD joined devices

Azure AD Conditional Access enables Intune compliant and Hybrid Azure AD joined device information to be passed directly to Cloud App Security, where the device state can be used as a filter for access or session policies. For more information, see Introduction to device management in Azure Active Directory.

Recommended steps

  1. In Cloud App Security, in the menu bar, click the settings cog, and then select Settings.

  2. Under Conditional Access App Control, select Device identification. This page shows the device identification options available in Cloud App Security.

  3. For Intune compliant device identification and Hybrid Azure AD joined identification respectively, click View configuration and verify that the services are set up.

    Note

    These are automatically synced from Azure AD and Intune respectively.

  4. Create an access or session policy with the Device Tag filter equal to Hybrid Azure AD joined, Intune compliant, or both.

  5. In a browser, log in from a device that is Hybrid Azure AD joined or Intune compliant, matching your policy filter.

  6. Verify that activities from these devices are populating the log. In Cloud App Security, on the Activity log page, filter on Device Tag equal to Hybrid Azure AD joined, Intune compliant, or both, based on your policy filters.

  7. If activities are not populating in the Cloud App Security activity log, go to Azure AD and do the following:

    1. Under Monitoring > Sign-ins, verify that there are sign-in activities in the logs.
    2. Select the relevant log entry for the device you logged in from.
    3. In the Details pane, on the Device info tab, verify that the device is Managed (Hybrid Azure AD joined) or Compliant (Intune compliant). If you cannot verify either state, try another log entry or ensure that your device data is configured correctly in Azure AD.
    4. For Conditional Access, some browsers may require additional configuration such as installing an extension. Use the information in the Conditional Access browser support guide to configure your browser.
    5. If you still do not see the device information in the Sign-ins page, open a support ticket for Azure AD.

Client certificates are not prompting when expected

The device identification mechanism can request authentication from relevant devices using client certificates. You can upload an X.509 root or intermediate certificate authority (CA) in the PEM certificate format. These certificates must contain the public key of the CA whose private key signed the client certificates presented during a session. For more information about client certificates, see Client-certificate authenticated devices.

Recommended steps

  1. In Cloud App Security, in the menu bar, click the settings cog, and then select Settings.
  2. Under Conditional Access App Control, select Device identification. This page shows the device identification options available in Cloud App Security.
  3. Verify that you uploaded an X.509 root or intermediate CA. You must upload the CA that is used to sign your relevant certificate authority.
  4. Create an access or session policy with the Device Tag filter equal to Valid client certificate.
  5. Make sure that your client certificate is:
    • deployed using the PKCS #12 file format, typically with a .p12 or .pfx file extension
    • installed in the user store, not the device store, of the machine you are using for testing
  6. Restart your browser session.
  7. When logging in to the protected app:
    • Verify that you are redirected to the URL <https://*.managed.access-control.cas.ms/aad_login>
    • If you are using iOS, make sure you are using the Safari browser.
    • If you are using Firefox, you must also add the certificate to Firefox's own certificate store. All other browsers use the same default certificate store. Learn how to add a certificate to the Firefox certificate store.
  8. Validate that the client certificate prompt appeared in your browser.
    • If it does not appear, try a different browser. Most major browsers support performing a client certificate check. However, mobile and desktop apps often use built-in browsers that may not support this check and therefore affect authentication for these apps.
  9. Verify that activities from these devices are populating the log. In Cloud App Security, on the Activity log page, filter on Device Tag equal to Valid client certificate.
  10. If you still do not see the prompt, open a support ticket and include the following information:
    • The details of the browser or native app where you experienced the problem
    • The operating system version (for example, iOS, Android, or Windows 10)
    • Whether the prompt is working on Edge Chromium

Client certificates are prompting at every login

If you are experiencing the client certificate prompt popping up after opening a new tab, this might be due to settings hidden within Internet Options.

Microsoft Internet Explorer
  1. Open Internet Explorer.
  2. Select Tools > Internet Options > Advanced tab.
  3. Under Security, select Don't prompt for Client Certificate selection when only one certificate exists.
  4. Select Apply, and then select OK.
  5. Restart your browser and verify that you can access the app without the additional prompts.
Microsoft Edge / Edge Chromium
  1. Open search from the taskbar and search for "Internet Options".
  2. Select Internet Options.
  3. Under Security, select Don't prompt for Client Certificate selection when only one certificate exists.
  4. Select Apply, and then select OK.
  5. Restart your browser and verify that you can access the app without the additional prompts.

Additional considerations

While troubleshooting device identification, there are some additional things to consider.

  • Client Certificate Revocation Protocol

    You can require certificate revocation checking for client certificates. Certificates that have been revoked by the CA will no longer be trusted. Selecting this option will require all certificates to pass the CRL protocol. If your client certificate does not contain a CRL endpoint, you will not be able to connect from the managed device.
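The two properties the client-certificate steps and the revocation note above depend on (the certificate chains to the uploaded PEM CA, and it carries a CRL distribution point) can be checked locally before uploading the CA. The script below is an added example, not code from the Microsoft documentation page or the product: it constructs a throwaway device CA, one client certificate issued by it and one self-signed certificate with openssl, packages them as PKCS #12, and runs the check on both. The CA name, device names, .pfx password and CRL URL are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Microsoft documentation page): constructed CA and
# client certificates, plus a check mirroring what the proxy needs from a client cert.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One openssl request config with the extension sets we need (all values constructed).
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[client_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
crlDistributionPoints = URI:http://crl.example.invalid/device-ca.crl
[self_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF

# Root CA in PEM format (the format Cloud App Security accepts for upload).
openssl req -x509 -config "$WORK/req.cnf" -extensions ca_ext \
  -subj "/CN=Example Device CA" -newkey rsa:2048 -nodes -sha256 -days 30 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# Client certificate issued by the CA, packaged as PKCS #12 (.pfx) for the user store.
openssl req -new -config "$WORK/req.cnf" -subj "/CN=managed-device-01" \
  -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -sha256 -extfile "$WORK/req.cnf" -extensions client_ext \
  -out "$WORK/client.pem" 2>/dev/null
openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.pem" \
  -out "$WORK/client.pfx" -passout pass:changeit 2>/dev/null

# Negative case: self-signed, not issued by the uploaded CA, no CRL distribution point.
openssl req -x509 -config "$WORK/req.cnf" -extensions self_ext \
  -subj "/CN=unmanaged-device" -newkey rsa:2048 -nodes -sha256 -days 30 \
  -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null
openssl pkcs12 -export -inkey "$WORK/self.key" -in "$WORK/self.pem" \
  -out "$WORK/self.pfx" -passout pass:changeit 2>/dev/null

# check_client_cert CA.pem CLIENT.pfx PASSWORD
# Prints "chain:ok|fail crl:present|missing"; returns 0 only when both checks pass.
check_client_cert() {
  ca=$1; pfx=$2; pass=$3
  leaf=$(mktemp)
  # Pull the leaf certificate out of the PKCS #12 bundle, leaving the private key behind.
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys -out "$leaf" 2>/dev/null
  # Trust only the uploaded CA, not the system store, and require the client-auth purpose.
  if openssl verify -no-CAfile -no-CApath -CAfile "$ca" -purpose sslclient "$leaf" >/dev/null 2>&1; then
    chain=ok
  else
    chain=fail
  fi
  # Revocation checking needs a CRL distribution point inside the certificate itself.
  if openssl x509 -in "$leaf" -noout -text | grep -q 'X509v3 CRL Distribution Points'; then
    crl=present
  else
    crl=missing
  fi
  rm -f "$leaf"
  echo "chain:$chain crl:$crl"
  if [ "$chain" = ok ] && [ "$crl" = present ]; then return 0; fi
  return 1
}

check_client_cert "$WORK/ca.pem" "$WORK/client.pfx" changeit
check_client_cert "$WORK/ca.pem" "$WORK/self.pfx" changeit || echo "self.pfx would not be accepted"
```

Run it against your own ca.pem and .pfx by calling check_client_cert with those paths; a "chain:fail" result means the proxy cannot validate the device, and "crl:missing" means the certificate will be rejected once revocation checking is required.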

Onboarding an app

You can onboard the following types of apps for access and session controls:

  • Featured apps: Apps that come with session controls out-of-the-box, as indicated by the Session control label

  • Any (custom) apps: Custom line-of-business (LOB) or on-premises apps that can be onboarded to session controls by an admin

[Image: Proxy list showing featured and any (custom) apps]

When onboarding an app, it is crucial to make sure that you follow each step in the proxy deployment guides:

  1. Deploy featured apps with session controls
  2. Deploy custom LOB apps, non-featured SaaS apps, and on-premises apps hosted via the Azure AD app proxy with session controls

Common scenarios you may encounter while onboarding an app include:

App does not appear on the Conditional Access App Control apps page

When onboarding an app to Conditional Access App Control, the final step in the deployment guides is to have the end user navigate to the app. The recommendations listed below are steps that can be done if the app is not appearing after having gone through the guides.

Recommended steps

  1. Make sure your app meets the Conditional Access app prerequisites for its identity provider:
    Azure AD
      1. Make sure you have a valid license for Azure AD Premium P1 in addition to a Cloud App Security license.
      2. Make sure that the app uses the SAML 2.0 or the OpenID Connect protocol.
      3. Make sure that the app is configured for SSO in Azure AD.
    Third-party
      1. Make sure you have a valid Cloud App Security license.
      2. Create a duplicate app.
      3. Make sure that the app uses the SAML protocol.
      4. Validate that you have fully onboarded the app and that the status of the app is Connected.
  2. In your Azure AD policy, under Session, make sure that the session is forced to route to Cloud App Security, which will in turn allow the app to appear on the Conditional Access App Control apps page, as follows:
    1. Conditional Access App Control is selected.
    2. In the built-in policies drop-down, make sure Monitor only is selected.
  3. Make sure to navigate to the app in a new browser session by using a new incognito mode or by signing in again.

App status: Continue Setup

An app's status can be one of Continue Setup, Connected, or No Activities.

For apps connected via third-party identity providers (IdP), if the setup is not complete, when accessing the app you will see a page with the status of Continue Setup. Use the following steps to complete the setup.

Recommended steps

  1. Click Continue Setup.
  2. Go through the deployment guide and verify that you have completed all the steps. Pay particular attention to the following:
    1. Make sure you create a new custom SAML app. You need this to change the URLs and SAML attributes that might not be available in gallery apps.
    2. If your identity provider does not allow the reuse of the same identifier (also known as Entity ID or Audience), change the identifier of the original app.

Cannot configure controls for native apps

Native apps can be detected heuristically, and you can use access policies to monitor or block them. Use the following steps to configure controls for native apps.

Recommended steps

  1. In an access policy, add a Client app filter, and set it equal to Mobile and desktop.
  2. Under Actions, select Block.
  3. Optionally, customize the blocking message that your users get when they're unable to download files, for example, "You must use a web browser to access this app".
  4. Test and validate that the control is working as expected.

App is not recognized page appears

Cloud App Security can recognize over 16,000 apps through the cloud app catalog (Discover -> Cloud app catalog). If you are using a custom app that is configured through Azure AD SSO and is NOT one of the 16,000 apps, you will come across an App is not recognized page. To resolve the issue, you must configure the app in Conditional Access App Control.

Recommended steps

  1. In Cloud App Security, in the menu bar, click the settings cog, and then select Conditional Access App Control.
  2. In the banner, click View new apps.
  3. In the list of new apps, locate the app that you are onboarding, click the + sign, and then click Add.
    1. Select whether the app is a custom or standard app.
    2. Continue through the wizard, and make sure that the specified User-defined domains are correct for the app you are configuring.
  4. Verify that the app appears in the Conditional Access App Control apps page.

Request session control option appears

After adding an app, you may see the Request session control option. This occurs because only featured apps have out-of-the-box session controls. For any other app, you must go through a self-onboarding process.

Recommended steps

  1. In Cloud App Security, in the menu bar, click the settings cog and select Settings.

  2. Under Conditional Access App Control, select App onboarding/maintenance.

  3. Enter the user principal name or email for the users that will be onboarding the app, and then click Save.

  4. Go to the app that you are deploying. The page you see depends on whether the app is recognized. Do one of the following:

    • App status: Not recognized. You will see an app not recognized page prompting you to configure your app. Steps:
      1. Add the app to Conditional Access App Control.
      2. Add the domains for the app, and then return to the app and refresh the page.
      3. Install the certificates for the app.
    • App status: Recognized. You will see an onboarding page prompting you to continue the app configuration process. Steps:
      - Install the certificates for the app.

    Note: Make sure the app is configured with all domains required for the app to function correctly. To configure additional domains, proceed to Add the domains for the app, and then return to the app page.

Additional considerations

While troubleshooting onboarding apps, there are some additional things to consider.

  • Apps in Conditional Access App Control do not align with Azure AD apps

    The app names in Azure AD and Cloud App Security may differ based on the ways the products identify apps. Cloud App Security identifies apps using the app's domains and adds them to the Cloud app catalog, where we have over 16,000 apps. Within each app, you can view or add to the subset of domains. In contrast, Azure AD identifies apps using service principals. For more information, see App and service principal objects in Azure AD.

    In practice, this means that selecting SharePoint Online in Azure AD is equivalent to selecting apps such as Word Online and Teams in Cloud App Security, because those apps use the sharepoint.com domain.

Creating access and session policies

Cloud App Security provides the following configurable policies:

  1. Access policies: To monitor or block access to browser, mobile, and/or desktop apps
  2. Session policies: To monitor, block, and perform specific actions to prevent data infiltration and exfiltration scenarios in the browser

To use these policies in Cloud App Security, you must first configure a policy in Azure AD Conditional Access to extend session controls, as follows: In the Azure AD policy, under Access controls, click Session, select Use Conditional Access App Control and choose a built-in policy (Monitor only or Block downloads) or Use custom policy to set an advanced policy in Cloud App Security, and then click Select.

Common scenarios you may encounter while configuring these policies include:

In Conditional Access policies, you cannot see the Conditional Access App Control option

To route sessions to Cloud App Security, Azure AD Conditional Access policies must be configured to include Conditional Access App Control session controls.

Recommended steps

  • If you do not see the Conditional Access App Control option in your Conditional Access policy, make sure that you have a valid license for Azure AD Premium P1 as well as a valid Cloud App Security license.

Error message when creating a policy: You don't have any apps deployed with Conditional Access App Control

When creating an access or session policy, you may see the following error message: "You don't have any apps deployed with Conditional Access App Control". This error indicates that the app has not been deployed.

Recommended steps

  1. In Cloud App Security, in the menu bar, click the settings cog, and then select Conditional Access App Control.

  2. If you see the message No apps connected, use the following guide to deploy apps:

  3. If you run into any issues while deploying the app, see Onboarding an app.

Cannot create session policies for an app

After adding a custom app, in the Conditional Access App Control apps page, you may see the option: Request session control.

Note

Featured apps have out-of-the-box session controls. For any other apps, you must go through a self-onboarding process.

Recommended steps

  1. Use the following self-onboarding guide to deploy any app to session control: Deploy custom line-of-business apps, non-featured SaaS apps, and on-premises apps hosted via the Azure Active Directory (Azure AD) Application Proxy with session controls.
  2. Create a session policy, select the App filter, and make sure that your app is now listed in the dropdown list.

Cannot choose Inspection Method: Data Classification Service

In session policies, when using the Control file download (with inspection) session control type, you can use the Data Classification Service inspection method to scan your files in real time and detect sensitive content that matches any of the criteria you have configured. If the Data Classification Service inspection method is not available, use the following steps to investigate the issue.

Recommended steps

  1. Verify that the Session control type is set to Control file download (with inspection).

    Note

    The Data Classification Service inspection method is only available for the Control file download (with inspection) option.

  2. Determine whether the Data Classification Service feature is available in your region.

    1. If the feature is not available in your region, use the Built-in DLP inspection method.
    2. If the feature is available in your region but you still can't see the Data Classification Service inspection method, open a support ticket.

Cannot choose Action: Protect

In session policies, when using the Control file download (with inspection) session control type, in addition to the Monitor and Block actions, you can specify the Protect action. This action enables you to permit file downloads with the option to encrypt or apply permissions to the file based on conditions, content inspection, or both. If the Protect action is not available, use the following steps to investigate the issue.

Recommended steps

  1. If the Protect action is not available or is greyed out, verify that you have the Azure Information Protection (AIP) Premium P1 license. For more information, see Azure Information Protection integration.
  2. If the Protect action is available, but you are not seeing the appropriate labels:
    1. In Cloud App Security, in the menu bar, click the settings cog, select Azure Information Protection, and verify that the AIP integration is enabled.
    2. For Office labels, in the AIP portal, make sure Unified Labeling is selected.

Additional considerations

While troubleshooting onboarding apps, there are some additional things to consider.

  • Understanding the difference between the Azure AD Conditional Access policy settings: "Monitor only", "Block downloads", and "Use custom policy"

    In Azure AD Conditional Access policies, you can configure the following built-in Cloud App Security controls: Monitor only and Block downloads. This applies and enforces the Cloud App Security proxy feature for the cloud apps and conditions configured in Azure AD. For more complex policies, select Use custom policy, which allows you to configure access and session policies in Cloud App Security.

  • Understanding the "Mobile and desktop" client app filter option in access policies

    In Cloud App Security access policies, unless the Client app filter is specifically set to Mobile and desktop, the resulting access policy will only apply to browser sessions. The reason for this is to prevent inadvertently proxying user sessions, which may be a byproduct of using this filter.

Issues experienced by end users

This section is for end users using apps protected by Cloud App Security and helps identify common situations that may arise in the following areas:

User monitoring page is not appearing

When routing a user through Cloud App Security, you can notify the user that their session will be monitored. By default, the user monitoring page is enabled.

Recommended steps

  1. In Cloud App Security, in the menu bar, click the settings cog, and then select Settings.

  2. Under Conditional Access App Control, select User monitoring. This page shows the user monitoring options available in Cloud App Security.

    Screenshot showing the user monitoring options

  3. Verify that the Notify users that their activity is being monitored option is selected.

  4. Choose whether you want to use the default message or provide a custom message.

    Message type   Details
    Default        Header: Access to [App Name Will Appear Here] is monitored
                   Body: For improved security, your organization allows access to [App Name Will Appear Here] in monitor mode. Access is only available from a web browser.
    Custom         Header: Use this box to provide a custom heading to inform users they are being monitored.
                   Body: Use this box to add additional custom information for the user, such as who to contact with questions. It supports the following inputs: plain text, rich text, hyperlinks.

  5. Click Preview to verify the user monitoring page that appears before accessing an app.

  6. Click Save.

Not able to access app from a third-party Identity Provider

If an end user is receiving a general failure after logging into an app from a third-party Identity Provider, validate the third-party IdP configuration.

Recommended steps

  1. In Cloud App Security, in the menu bar, click the settings cog, and then select Conditional Access App Control.
  2. In the list of apps, on the row in which the app you are not able to access appears, choose the three dots at the end of the row, and then choose Edit app.
    1. Validate that the SAML certificate that was uploaded is correct.
    2. Verify that valid SSO URLs have been provided in the app configuration.
    3. Validate that the attributes and values in the custom app are reflected in the identity provider settings.

    Screenshot showing the Gather identity provider's SAML information page

  3. If you still can't access the app, open a support ticket.

Something Went Wrong page appears

Sometimes during a proxied session, the Something Went Wrong page may appear. This can happen when:

  1. A user logs in after being idle for a while
  2. The browser is refreshed and the page load takes longer than expected
  3. The third-party IdP app is not configured correctly

Recommended steps

  1. If the end user is trying to access an app that is configured using a third-party IdP, see Not able to access app from a third-party IdP and App status: Continue Setup.
  2. If the end user unexpectedly reached this page, do the following:
    1. Restart your browser session
    2. Clear history, cookies, and cache from the browser

Clipboard actions or file controls are not being blocked

The ability to block clipboard actions such as cut, copy, and paste, and file controls such as download, upload, and print, is required to prevent data exfiltration and infiltration scenarios. This ability enables companies to balance security and productivity for end users. If you are experiencing problems with these features, use the following steps to investigate the issue.

Recommended steps

If the session is being proxied, use the following steps to verify the policy:

  1. In Cloud App Security, under Investigate, select Activity log.
  2. Use the advanced filter, select Applied action, and set its value equal to Blocked.
  3. Verify that there are blocked file activities.
    1. If there is an activity, expand the activity drawer by clicking on the activity.
    2. On the activity drawer's General tab, click the matched policies link to verify that the policy you enforced is present.
    3. If you do not see your policy, see Creating access and session policies.
    4. If you see Access blocked/allowed due to Default Behavior, this indicates that the system was down and the default behavior was applied.
      1. To change the default behavior, in Cloud App Security, in the menu bar, click the settings cog and select Settings. Then under Conditional Access App Control, select Default Behavior, and set the default behavior to Allow or Block access.
      2. Go to https://status.cloudappsecurity.com/ and monitor notifications about system downtime.
  4. If you are still not able to see blocked activity, open a support ticket.

Downloads are not being protected

As an end user, downloading sensitive data on an unmanaged device might be necessary. In these scenarios, you can protect documents with Azure Information Protection. If the end user was not able to successfully encrypt the document, use the following steps to investigate the issue.

Recommended steps

  1. In Cloud App Security, under Investigate, select Activity log.
  2. Use the advanced filter, select Applied action, and set its value equal to Protected.
  3. Verify that there are blocked file activities.
    1. If there is an activity, expand the activity drawer by clicking on the activity.
    2. On the activity drawer's General tab, click the matched policies link to verify that the policy you enforced is present.
    3. If you do not see your policy, see Creating access and session policies.
    4. If you see Access blocked/allowed due to Default Behavior, this indicates that the system was down and the default behavior was applied.
      1. To change the default behavior, in Cloud App Security, in the menu bar, click the settings cog, and then select Settings. Then under Conditional Access App Control, select Default Behavior, and set the default behavior to Allow or Block access.
      2. Go to https://status.cloudappsecurity.com/ and monitor notifications about system downtime.
    5. If you are protecting the file with an AIP label or custom permissions, in the Activity description, make sure the file extension is one of the following supported file types:
      • Word: docm, docx, dotm, dotx
      • Excel: xlam, xlsm, xlsx, xltx
      • PowerPoint: potm, potx, ppsx, ppsm, pptm, pptx
      • PDF* if Unified Labeling is enabled
    • If the file type is not supported, in the session policy, you can select Block download of any file that is unsupported by native protection or where native protection is unsuccessful.
  4. If you are still not able to see blocked activity, open a support ticket.

All proxies that suffix URLs are susceptible to context loss, an issue where navigating to a link loses the full path of the link and typically lands on the home page of the app. Cloud App Security is uniquely positioned to address this limitation and solve context loss by partnering with Microsoft and non-Microsoft vendors.

Apps on our featured apps page marked as (preview) may suffer from context loss. Similarly, context loss can be caused by global policies that block third-party cookies or cross-site tracking. You can remediate the issue by disabling these options. For non-featured apps experiencing context loss, please submit a support ticket. We are working with each app provider individually to fix these core issues.

As a temporary mitigation, you can work around context loss issues as follows:

  1. Navigate to a URL where context loss occurs.
  2. Make a note of the suffixed URL domain, including the suffix added by Cloud App Security, for example https://www.yammer.com.us2.cas.ms.
  3. Copy the path from the original URL. For example, if the original URL was https://www.yammer.com/organization/threads/threadnumber, copy /organization/threads/threadnumber.
  4. Append the copied path to the suffixed domain, for example https://www.yammer.com.us2.cas.ms/organization/threads/threadnumber.
  5. Navigate to the new suffixed URL.
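The manual workaround above can be scripted so that help desk staff do not have to rebuild deep links by hand. The following Python script is an added example and is not code from the original page or from Microsoft; it goes slightly beyond the steps above by also carrying over the query string and fragment of the original URL, which a plain path copy would drop, and by refusing to combine a suffixed domain that does not belong to the original app. The sample URLs follow the page's own yammer.com example and the ".us2.cas.ms" suffix is taken from it; the helper names (build_suffixed_url, context_was_lost) are this example's own.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample values following the page's example (not from a real tenant).
# The ".us2.cas.ms" suffix is the one the page shows; the real suffix is region-specific.
ORIGINAL_URL = "https://www.yammer.com/organization/threads/threadnumber"
SUFFIXED_DOMAIN = "https://www.yammer.com.us2.cas.ms"


def build_suffixed_url(original_url: str, suffixed_domain: str) -> str:
    """Rebuild the proxied URL so it keeps the original path, query and fragment.

    This is the page's manual workaround (copy the path of the original URL and
    append it to the suffixed domain), generalised to also preserve the query
    string and fragment.
    """
    orig = urlsplit(original_url)
    proxy = urlsplit(suffixed_domain)
    if not (orig.scheme and orig.hostname):
        raise ValueError("original_url must be an absolute URL")
    if not (proxy.scheme and proxy.hostname):
        raise ValueError(
            "suffixed_domain must be an absolute URL such as https://www.yammer.com.us2.cas.ms"
        )
    # Already on the suffixed host: nothing to rebuild.
    if orig.hostname == proxy.hostname:
        return original_url
    # The suffixed host must be the original host plus a trailing suffix;
    # otherwise the two URLs belong to different apps and the workaround
    # does not apply.
    if not proxy.hostname.startswith(orig.hostname + "."):
        raise ValueError(f"{proxy.hostname} is not a suffixed form of {orig.hostname}")
    path = orig.path or "/"
    return urlunsplit((proxy.scheme, proxy.netloc, path, orig.query, orig.fragment))


def context_was_lost(expected_url: str, landed_url: str) -> bool:
    """Return True when the browser landed on the app home page instead of the
    expected deep link, which is the symptom the page describes as context loss."""
    expected = urlsplit(expected_url)
    landed = urlsplit(landed_url)
    if expected.hostname != landed.hostname:
        return True
    expected_path = expected.path.rstrip("/") or "/"
    landed_path = landed.path.rstrip("/") or "/"
    return expected_path != "/" and landed_path == "/"


if __name__ == "__main__":
    fixed = build_suffixed_url(ORIGINAL_URL, SUFFIXED_DOMAIN)
    print(fixed)
    # Simulate landing on the home page after following the link.
    print(context_was_lost(fixed, "https://www.yammer.com.us2.cas.ms/"))
```

Run it with the original link and the suffixed domain noted in step 2; the printed URL is the one to paste into the browser in step 5. The host check is deliberate: a suffixed domain for one app combined with the path of another produces a link that cannot work, and it is better to fail loudly than to send a user to a wrong page.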

Additional considerations

While troubleshooting apps, there are some additional things to consider.

  • Session controls support for modern browsers

    Cloud App Security session controls now include support for the new Microsoft Edge browser based on Chromium. While we'll continue supporting the most recent versions of Internet Explorer and the legacy version of Microsoft Edge, the support will be limited and we recommend using the new Microsoft Edge browser.

  • Double login

    A double login occurs due to the presumed use of a nonce, a cryptographic token used by apps to prevent replay attacks. By default, Cloud App Security assumes an app uses a nonce. If you are confident the app does not use a nonce, you can disable this by editing the app in Cloud App Security, and the issue will be resolved. For steps to disable nonce, see Slow login.

    If the app uses a nonce and this feature cannot be disabled, the second login may be transparent to users, or they may be prompted to log in again.

  • Previewing or printing PDF files may be blocked

    This is normal behavior when you have a policy configured to block downloads. Occasionally when previewing or printing PDF files, apps initiate a download of the file, causing Cloud App Security to intervene to ensure the download is blocked and that data is not leaked from your environment.

    If you would like to allow PDF file downloads, you can exclude PDF files based on their file extension in the relevant session policy.