Set up app-based conditional access policies

Applies to: Intune in the Azure portal
Looking for documentation about Intune in the classic portal? Go here.

This topic provides instructions on how to set up app-based conditional access policies for apps that are part of the list of approved apps. The list of approved apps consists of apps that Microsoft has tested.

Important

This topic walks through the steps to add an app-based conditional access policy using Exchange Online, but you can use the same steps when adding other apps from the list of approved apps, such as SharePoint Online and Microsoft Teams.

To create an app-based conditional access policy

  1. Go to the Azure portal and sign in with your credentials.

  2. Choose More services, and type "Intune".

  3. Choose Intune App Protection.

  4. On the Intune mobile application management blade, choose All Settings.

  5. In the Conditional access section, choose Exchange Online.

    Screenshot: the Settings blade showing the Conditional access section with the Exchange Online option highlighted

  6. On the Allowed apps blade, choose the Allow apps that support Intune app policies option so that only apps supported by Intune app protection policies can access Exchange Online. When you select this option, the list of supported apps is displayed.

    Note

    All Exchange ActiveSync mail clients, including the built-in mail clients on iOS and Android that connect to Exchange Online, will be prevented from sending or receiving email. Users will instead receive a single email informing them that they need to use the Outlook mail app. Deploy Outlook to the targeted users before you add their groups in the next step, so the policy does not cut off mail they have no other way to read.

  7. To apply this policy to users, open the Restricted user groups blade, and choose Add user group. Select one or more user groups that should get this policy.

    Screenshot: the Restricted user groups blade with the Add user group option highlighted

  8. You may want some users in the user group you selected in the previous step not to be affected by this policy. In that case, add those users' group to the exempted user groups list. From the Exchange Online blade, choose Exempted user groups. Choose Add user group to open the list of user groups. Select the groups you want to exempt from this policy. A user who is in both a restricted group and an exempted group is exempted. Before widening the restricted groups, verify with a test account that Outlook still connects and the built-in mail client stops syncing.

To modify or delete user groups from an existing app-based CA policy

  1. Open the Restricted user groups blade, then highlight the user group you want to delete.
  2. Click the ellipsis to see the delete options.
  3. Choose Delete to remove the user group from the list.

Create app-based conditional access policies in the Azure AD workload

Beginning with the Intune 1708 release, IT admins can create app-based conditional access policies from the Azure AD workload. This is a convenience: you don't need to switch between the Azure AD and Intune workloads.

Important

You need an Azure AD Premium license to create Azure AD conditional access policies from the Intune Azure portal.

To create an app-based conditional access policy

Important

You need to have Intune app protection policies applied to your apps before using app-based conditional access policies. The conditional access grant only checks that the client is an approved app; the app protection policy is what actually protects the data inside that app.

  1. In the Intune Dashboard, choose Conditional access.

  2. In the Policies blade, choose New policy to create your new app-based conditional access policy.

  3. Enter a policy name and configure the settings available in the Assignments section (the users and groups the policy includes and excludes, and the cloud app, such as Exchange Online), then choose Grant under the Access controls section.

  4. Choose Require approved client app, choose Select, then choose OK to save the new policy.
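The following is an added example, not code from the original page or from Microsoft. It models both procedures on this page in one place: the Intune restricted and exempted user groups map to the include and exclude groups of an Azure AD conditional access policy, and the Intune "Allow apps that support Intune app policies" setting and the Azure AD "Require approved client app" grant reduce to the same check at sign-in. The request-body shape is assumed to follow the Microsoft Graph conditionalAccessPolicy resource (the page itself only uses the portal), the Exchange Online application ID is the well-known first-party value, and the group IDs, client identifiers, and the evaluator are constructed for illustration; the evaluator is a simplified model of the decision, not Azure AD's actual logic.

```python
"""Model of an app-based conditional access policy for Exchange Online.

Added example, not part of the original page or of Microsoft's own code.
Assumptions: the body follows the Microsoft Graph conditionalAccessPolicy
resource (POST /identity/conditionalAccess/policies); the Exchange Online
app ID is the well-known first-party value; group IDs, client identifiers
and the evaluator are constructed for illustration only.
"""
import json

EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"

# Constructed group object IDs (not real tenant data).
RESTRICTED_GROUP = "11111111-1111-1111-1111-111111111111"  # e.g. "All sales users"
EXEMPTED_GROUP = "22222222-2222-2222-2222-222222222222"    # e.g. "CA pilot exclusions"

# Constructed stand-in for the approved-app list: Outlook for iOS/Android is
# on it; the built-in mail clients speak Exchange ActiveSync and are not.
APPROVED_CLIENT_APPS = {"com.microsoft.Office.Outlook", "com.microsoft.office.outlook"}


def build_policy(name, include_groups, exclude_groups,
                 state="enabledForReportingButNotEnforced"):
    """Return the request body for an Azure AD policy that requires an
    approved client app for Exchange Online. Report-only is the safe default;
    switch state to "enabled" once the sign-in reports look right."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "clientAppTypes": ["mobileAppsAndDesktopClients", "browser"],
            "applications": {"includeApplications": [EXCHANGE_ONLINE_APP_ID]},
            "users": {
                "includeGroups": list(include_groups),   # restricted user groups
                "excludeGroups": list(exclude_groups),   # exempted user groups
            },
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": ["approvedApplication"],  # Require approved client app
        },
    }


def policy_json(policy):
    """Serialize the body as it would be sent to the API."""
    return json.dumps(policy, indent=2)


def policy_applies(policy, user_groups, target_app):
    """True when the sign-in is in scope: right app, user in an included group
    and not in any excluded group (exclusions win, as in the portal)."""
    conds = policy["conditions"]
    if target_app not in conds["applications"]["includeApplications"]:
        return False
    groups = set(user_groups)
    if groups & set(conds["users"]["excludeGroups"]):
        return False
    return bool(groups & set(conds["users"]["includeGroups"]))


def evaluate_sign_in(policy, user_groups, target_app, client_app, protocol):
    """Simplified model of the grant decision. protocol is "modern" (OAuth,
    the client can prove which app it is) or "eas" (Exchange ActiveSync,
    which cannot satisfy the approved-app grant and is therefore blocked)."""
    if not policy_applies(policy, user_groups, target_app):
        return "allow"  # out of scope: the policy is not evaluated at all
    if policy["state"] != "enabled":
        return "allow-report-only"  # logged, not enforced
    if "approvedApplication" in policy["grantControls"]["builtInControls"]:
        if protocol == "modern" and client_app in APPROVED_CLIENT_APPS:
            return "allow"
        return "block"
    return "allow"


def demo():
    """Run the constructed scenarios from the page's note on EAS clients."""
    policy = build_policy("Require approved client app for Exchange Online",
                          [RESTRICTED_GROUP], [EXEMPTED_GROUP], state="enabled")
    scenarios = {
        "sales user, Outlook": ([RESTRICTED_GROUP], "com.microsoft.Office.Outlook", "modern"),
        "sales user, iOS Mail (EAS)": ([RESTRICTED_GROUP], "com.apple.mobilemail", "eas"),
        "exempted sales user, iOS Mail": ([RESTRICTED_GROUP, EXEMPTED_GROUP], "com.apple.mobilemail", "eas"),
        "user outside the group, iOS Mail": ([], "com.apple.mobilemail", "eas"),
    }
    return {label: evaluate_sign_in(policy, g, EXCHANGE_ONLINE_APP_ID, app, proto)
            for label, (g, app, proto) in scenarios.items()}


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:36} -> {decision}")
```

The scenario table is the check to run before enabling the policy for a broad group: every restricted user on Outlook should land on "allow", every native mail client on "block", and anyone in an exempted group should be untouched regardless of client.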

Next steps

Block apps that do not have modern authentication

See also

Protect app data with app protection policies
Conditional Access in Azure Active Directory