Set up app-based conditional access policies

Applies to: Intune on Azure
Looking for documentation about Intune in the classic console? Go here.

This topic provides instructions on how to set up app-based conditional access policies for apps that are part of the list of approved apps. The list of approved apps consists of apps that were tested by Microsoft.

Important

This topic walks through the steps to add an app-based conditional access policy for Exchange Online, but you can use the same steps when adding other apps from the list of approved apps, such as SharePoint Online and Microsoft Teams.

To create an app-based conditional access policy

  1. Go to the Azure portal and sign in with your credentials.

  2. Choose More services, and type: "Intune".

  3. Choose Intune App Protection.

  4. On the Intune mobile application management blade, choose All Settings.

  5. In the Conditional access section, choose Exchange Online.

    Screenshot of the Settings blade showing the Conditional access section with the Exchange Online option highlighted

  6. On the Allowed apps blade, choose the Allow apps that support Intune app policies option so that only apps supported by Intune app protection policies can access Exchange Online. When you select this option, the list of supported apps is displayed.

    Note

    All Exchange Active Sync mail clients, including the built-in mail clients on iOS and Android that connect to Exchange Online, will be prevented from sending or receiving email. Users will instead receive a single email informing them that they need to use the Outlook mail app.

  7. To apply this policy to users, open the Restricted user groups blade, and choose Add user group. Select one or more user groups that should get this policy.

    Screenshot of the Restricted user groups blade with the Add user group option highlighted

  8. You may want some users in the user group you selected in the previous step not to be affected by this policy. In such cases, add the group of users to the exempted user groups list. From the Exchange Online blade, choose Exempted user groups. Choose Add user group to open the list of user groups. Select the groups you want to exempt from this policy.
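
The scoping rules in steps 6 to 8 can be checked against a client inventory before the policy is switched on. The following Python is an added example, not Microsoft's code and not an Intune API: it computes which users the policy applies to (restricted groups minus exempted groups) and which of their mail clients would be blocked. The group names, users, client records, protocol labels and the one-entry approved-app set are constructed assumptions.

```python
from dataclasses import dataclass

# Assumption: stand-in for the supported-apps list shown on the Allowed apps blade.
APPROVED_APPS = {"Outlook"}

@dataclass(frozen=True)
class Client:
    user: str
    app: str
    protocol: str  # "EAS" for Exchange ActiveSync, "modern" otherwise (labels are assumptions)

def members(groups, names):
    """Union of the members of the named groups."""
    out = set()
    for name in names:
        out |= set(groups[name])
    return out

def affected_users(groups, restricted, exempted):
    """Steps 7 and 8: restricted groups get the policy, exempted groups do not."""
    return members(groups, restricted) - members(groups, exempted)

def evaluate(client, affected):
    """Step 6 and its note, applied to one observed mail client."""
    if client.user not in affected:
        return "not-in-scope"
    if client.protocol == "EAS":
        return "blocked-eas"  # all Exchange ActiveSync clients stop sending and receiving
    if client.app in APPROVED_APPS:
        return "allowed"
    return "blocked-unapproved-app"

def rollout_impact(clients, groups, restricted, exempted):
    """Map each user who would lose access to the clients that would be blocked."""
    affected = affected_users(groups, restricted, exempted)
    impact = {}
    for c in clients:
        decision = evaluate(c, affected)
        if decision.startswith("blocked"):
            impact.setdefault(c.user, []).append((c.app, decision))
    return impact

# Constructed sample data (hypothetical groups, users and client inventory).
GROUPS = {"Sales": ["alice", "bob", "carol"], "Sales-Execs": ["carol"], "IT": ["dave"]}
CLIENTS = [Client("alice", "Outlook", "modern"), Client("alice", "iOS Mail", "EAS"),
           Client("bob", "Android Mail", "EAS"), Client("carol", "iOS Mail", "EAS"),
           Client("dave", "Other mail app", "modern")]

if __name__ == "__main__":
    for user, blocked in rollout_impact(CLIENTS, GROUPS, ["Sales"], ["Sales-Execs"]).items():
        print(user, blocked)
```

Users listed in the result are the ones who would receive the notification email and need the Outlook mail app before the policy is applied to their group.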

To modify or delete user groups from an existing app-based CA policy

  1. Open the Restricted user groups blade, then highlight the user group you want to delete.
  2. Click the ellipsis to see the delete options.
  3. Choose Delete to remove the user group from the list.

Next steps

Block apps that do not have modern authentication

See also

Protect app data with app protection policies
