App-based conditional access with Intune

Applies to: Intune in the Azure portal
Looking for documentation about Intune in the classic portal? Go here.

Intune app protection policies help protect your company data on devices that are enrolled in Intune. You can also use app protection policies on employee-owned devices that are not enrolled for management in Intune. In this case, even though your company doesn't manage the device, you still need to make sure that company data and resources are protected.

App-based conditional access and mobile app management add a security layer by making sure that only mobile apps that support Intune app protection policies can access Exchange Online and other Office 365 services.

Note

A managed app is an app that has app protection policies applied to it and can be managed by Intune.

You can block the built-in mail apps on iOS and Android when you allow only the Microsoft Outlook app to access Exchange Online. Additionally, you can block apps that don't have Intune app protection policies applied from accessing SharePoint Online.

Prerequisites

Before you create an app-based conditional access policy, you must have:

  • An Enterprise Mobility + Security (EMS) or Azure Active Directory (AD) Premium subscription
  • Users licensed for EMS or Azure AD

For more information, see Enterprise Mobility pricing or Azure Active Directory pricing.

Supported apps

A list of apps that support app-based conditional access can be found in the Azure Active Directory conditional access technical reference documentation.

App-based conditional access also supports line-of-business (LOB) apps, but these apps must use Office 365 modern authentication.

How app-based conditional access works

In this example, the admin has applied app protection policies to the Outlook app, followed by a conditional access rule that adds the Outlook app to an approved list of apps that can be used when accessing corporate e-mail.

Note

The flowchart structure below can be used for other managed apps.

[Figure: flowchart of app-based conditional access with Intune]

  1. The user tries to authenticate to Azure AD from the Outlook app.

  2. When trying to authenticate for the first time, the user is redirected to the app store to install a broker app. The broker app is either Microsoft Authenticator for iOS or the Microsoft Company Portal for Android devices.

    If users try to use a native e-mail app, they are redirected to the app store to install the Outlook app instead.

  3. The broker app is installed on the device.

  4. The broker app starts the Azure AD registration process, which creates a device record in Azure AD. This is not the same as the mobile device management (MDM) enrollment process, but this record is necessary so that conditional access policies can be enforced on the device.

  5. The broker app verifies the identity of the app. This security layer lets the broker app validate whether the app is authorized for use by the user.

  6. The broker app sends the app's client ID to Azure AD as part of the user authentication process, so Azure AD can check whether it is on the policy's approved list.

  7. Azure AD allows the user to authenticate and use the app based on the policy's approved list. If the app is not on the list, Azure AD denies access to the app.

  8. The Outlook app communicates with the Outlook Cloud Service to initiate communication with Exchange Online.

  9. The Outlook Cloud Service communicates with Azure AD to retrieve an Exchange Online service access token for the user.

  10. The Outlook app communicates with Exchange Online to retrieve the user's corporate e-mail.

  11. Corporate e-mail is delivered to the user's mailbox.
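The decision points in steps 2, 4, 6 and 7 can be modeled as a small policy evaluator. The following is an added example for illustration only; it is not Intune or Azure AD code, and the client IDs, device fields and policy structure are constructed placeholders rather than real Microsoft identifiers. It shows why an unregistered device is sent to install the broker first, and why a native mail app that is not on the approved list is denied even on a registered device.

```python
"""Toy model of the app-based conditional access flow described above.
Added illustration, not Intune/Azure AD code; all IDs are constructed."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    INSTALL_BROKER = "redirect to app store: install broker app"  # step 2
    ALLOW = "allow"                                                # step 7
    DENY = "deny: app not on policy approved list"                 # step 7


@dataclass
class Device:
    platform: str                      # "ios" or "android"
    broker_installed: bool = False     # Authenticator (iOS) / Company Portal (Android)
    azure_ad_registered: bool = False  # device record created by the broker (step 4)


@dataclass
class Policy:
    # Client IDs of apps that carry an Intune app protection policy and are
    # approved for the service. Constructed placeholders, not real IDs.
    approved_client_ids: set = field(default_factory=set)


@dataclass
class AuthRequest:
    client_id: str  # app client ID the broker forwards to Azure AD (step 6)
    device: Device


def broker_for(platform: str) -> str:
    """Name of the broker app the user is sent to install (step 2)."""
    return {"ios": "Microsoft Authenticator", "android": "Company Portal"}[platform]


def install_broker(dev: Device) -> Device:
    """Step 3: the broker app is installed on the device."""
    dev.broker_installed = True
    return dev


def register_with_broker(dev: Device) -> Device:
    """Step 4: the broker registers the device in Azure AD (not MDM enrollment)."""
    if not dev.broker_installed:
        raise RuntimeError("broker app required before Azure AD registration")
    dev.azure_ad_registered = True
    return dev


def evaluate(req: AuthRequest, policy: Policy) -> Decision:
    """Azure AD's decision for one authentication attempt."""
    dev = req.device
    # Steps 2-4: without a broker and a device record, conditional access
    # cannot be enforced, so the user is redirected to install the broker.
    if not (dev.broker_installed and dev.azure_ad_registered):
        return Decision.INSTALL_BROKER
    # Steps 6-7: the forwarded client ID is checked against the approved list.
    if req.client_id in policy.approved_client_ids:
        return Decision.ALLOW
    return Decision.DENY


def walkthrough(platform: str, client_id: str, policy: Policy) -> list:
    """Run the flow from a fresh device: first attempt redirects to the
    broker, the broker registers the device, the second attempt is decided
    on the approved list."""
    dev = Device(platform)
    first = evaluate(AuthRequest(client_id, dev), policy)
    if first is Decision.INSTALL_BROKER:
        register_with_broker(install_broker(dev))
    second = evaluate(AuthRequest(client_id, dev), policy)
    return [first, second]


if __name__ == "__main__":
    pol = Policy({"outlook-client-id-EXAMPLE"})  # constructed placeholder
    print(walkthrough("ios", "outlook-client-id-EXAMPLE", pol))
    print(walkthrough("android", "native-mail-client-id-EXAMPLE", pol))
```

The second walkthrough call models the native mail app: the device is registered after the first attempt, but the app's client ID is not on the approved list, so the outcome is a denial (in the real flow the user is redirected to install Outlook instead).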

Next steps

Create an app-based conditional access policy

Block apps that do not have modern authentication