How to create and assign a conditional access policy for Exchange on-premises and legacy Exchange Online Dedicated in Microsoft Intune

Applies to: Intune on Azure
Looking for documentation about Intune in the classic console? Go here.

This topic walks you through the process of configuring conditional access for Exchange on-premises based on device compliance.

If you have an Exchange Online Dedicated environment and need to find out whether it is in the new or the legacy configuration, contact your account manager. To control email access to Exchange on-premises or to your legacy Exchange Online Dedicated environment, configure conditional access to Exchange on-premises in Intune.

Before you begin

Before you can configure conditional access, verify the following:

  • Your Exchange version must be Exchange 2010 SP1 or later. An Exchange Server Client Access Server (CAS) array is supported.

  • You must use the Exchange ActiveSync on-premises Exchange connector, which connects Intune to on-premises Exchange.

    Important

    The on-premises Exchange connector is specific to your Intune tenant and cannot be used with any other tenant. You should also ensure that the Exchange connector for your tenant is installed on only one machine.

  • The connector can be installed on any machine, as long as that machine is able to communicate with the Exchange server.

  • The connector supports an Exchange CAS environment. You can technically install the connector directly on an Exchange CAS server if you wish, but it is not recommended, as it will increase the load on that server. When configuring the connector, you must set it up to communicate with one of the Exchange CAS servers.

  • Exchange ActiveSync must be configured with certificate-based authentication or user credential entry.

  • When conditional access policies are configured and targeted to a user, before that user can connect to their email, the device they use must be:

    • Either enrolled with Intune or a domain-joined PC.
    • Registered in Azure Active Directory. Additionally, the client Exchange ActiveSync ID must be registered with Azure Active Directory.
  • AAD DRS will be activated automatically for Intune and Office 365 customers. Customers who have already deployed the ADFS Device Registration Service will not see registered devices in their on-premises Active Directory. This does not apply to Windows PCs and Windows Phone devices.

  • Compliant with the device compliance policies deployed to that device.

  • If the device does not meet the conditional access settings, the user is presented with one of the following messages when they sign in:

    • If the device is not enrolled with Intune, or is not registered in Azure Active Directory, a message is displayed with instructions on how to install the Company Portal app, enroll the device, and activate email. This process also associates the device's Exchange ActiveSync ID with the device record in Azure Active Directory.
    • If the device is not compliant, a message is displayed that directs the user to the Intune Company Portal website or the Company Portal app, where they can find information about the problem and how to remediate it.

Support for mobile devices

  • Windows Phone 8.1 and later
  • Native email app on iOS.
  • EAS mail clients such as Gmail on Android 4 or later.
  • EAS mail clients on Android for Work devices: only the Gmail and Nine Work apps in the work profile are supported on Android for Work devices. For conditional access to work with Android for Work, you must deploy an email profile for the Gmail or Nine Work app, and also deploy those apps as a required install.
Note

The Microsoft Outlook app for Android and iOS is not supported. Android for Work is currently being rolled out across Intune tenants over the next few months.

Support for PCs

The native Mail application on Windows 8.1 and later (when enrolled with Intune)

Configure Exchange on-premises access

  1. Go to the Azure portal and sign in with your Intune credentials.

  2. After you've successfully signed in, you see the Azure Dashboard.

  3. Choose More services from the left menu, then type Intune in the text box filter.

  4. Choose Intune; you see the Intune Dashboard.

  5. Choose On-Premise Access, then choose

  6. The On-premises blade shows the status of the conditional access policy and the devices that are affected by it.

  7. Under Manage, choose Exchange on-premises access.

  8. On the Exchange on-premises access blade, choose Yes to enable Exchange on-premises access control.

    Note

    If you have not configured the Exchange ActiveSync on-premises connector, this option is disabled. You must first install and configure this connector before enabling conditional access for Exchange on-premises. For more details, see Install the Intune On-premises Exchange Connector.

  9. Under Assignment, choose Groups Included. Use the security user group that should have conditional access applied to it. This requires those users to enroll their devices in Intune and to be compliant with the compliance profiles.

  10. If you want to exclude certain groups of users, choose Groups Excluded and select a user group that should be exempt from the device enrollment and compliance requirement.

  11. Under Settings, choose User notifications to modify the default email message. This message is sent to users if their device is not compliant and they try to access Exchange on-premises. The message template uses Markup language. You also see a preview of how the message looks as you type.

    Tip

    To learn more about Markup language, see this Wikipedia article.

  12. On the Advanced Exchange ActiveSync access settings blade, set the global default rule for access from devices that are not managed by Intune, and the platform-level rules, as described in the next two steps.

  13. For a device that is not affected by conditional access or other rules, you can choose to allow it to access Exchange, or block it.

    • When you set this to allow access, all devices are able to access Exchange on-premises immediately. Devices that belong to users in the Groups Included are blocked if they are subsequently evaluated as not compliant with the compliance policies or not enrolled in Intune.
    • When you set this to block access, all devices are initially blocked from accessing Exchange on-premises. Devices that belong to users in the Groups Included get access once the device is enrolled in Intune and is evaluated as compliant. Android devices that do not run Samsung KNOX Standard are always blocked, as they do not support this setting.
  14. Under Device platform exceptions, choose Add to specify the platforms. If the unmanaged device access setting is set to block, devices that are enrolled and compliant are still allowed even if there is a platform exception to block. Choose OK to save the settings.

  15. On the On-premises blade, click Save to save the conditional access policy.
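The access decision that steps 9 through 14 configure can be hard to reason about when the included/excluded groups, the global default rule and the platform exceptions interact. The following Python model is an added illustration, not Intune's own evaluation code; it encodes the rules as this page states them (steady state after evaluation, not the "immediately" behaviour before first evaluation) and assumes that excluded groups fall back to the unmanaged default rule and platform exceptions.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    platform: str          # e.g. "iOS", "Android", "WindowsPhone"
    enrolled: bool         # enrolled with Intune (or a domain-joined PC)
    aad_registered: bool   # device and its Exchange ActiveSync ID registered in Azure AD
    compliant: bool        # meets the compliance policies deployed to the device

@dataclass
class Policy:
    enabled: bool = True                         # step 8: "Yes" on the access blade
    groups_included: frozenset = frozenset()     # step 9: Groups Included
    groups_excluded: frozenset = frozenset()     # step 10: Groups Excluded
    unmanaged_default: str = "block"             # step 13: "allow" or "block"
    platform_exceptions: dict = field(default_factory=dict)  # step 14: platform -> rule

def managed_and_compliant(device: Device) -> bool:
    """Enrolled, registered in Azure AD and compliant: the bar targeted users must meet."""
    return device.enrolled and device.aad_registered and device.compliant

def is_targeted(policy: Policy, user_groups: frozenset) -> bool:
    """Assumption for this model: membership in an excluded group wins over inclusion."""
    if user_groups & policy.groups_excluded:
        return False
    return bool(user_groups & policy.groups_included)

def evaluate_access(policy: Policy, user_groups: frozenset, device: Device) -> tuple:
    """Return ("allow" | "block", reason) for one Exchange ActiveSync connection attempt."""
    if not policy.enabled:
        return "allow", "Exchange on-premises access control is disabled"
    if managed_and_compliant(device):
        # Step 14: enrolled and compliant devices are allowed even when the
        # platform exception (or the global default) says block.
        return "allow", "device enrolled, registered and compliant"
    if is_targeted(policy, user_groups):
        # Targeted user on a device that does not meet the bar: blocked, and the
        # user receives one of the two messages described under "Before you begin".
        if not device.enrolled or not device.aad_registered:
            return "block", "not enrolled/registered: user gets Company Portal enrollment steps"
        return "block", "not compliant: user is sent to the Company Portal to remediate"
    # Not targeted by conditional access: the global default rule applies unless
    # a platform exception overrides it for this device's platform.
    rule = policy.platform_exceptions.get(device.platform, policy.unmanaged_default)
    return rule, f"unmanaged device: platform rule for {device.platform} is {rule}"
```

Run it with a block default plus an allow exception for Windows Phone to see that an unmanaged Windows Phone from a non-targeted user gets through while an unmanaged iOS device from a targeted user does not.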

Create Azure AD conditional access policies in Intune

Beginning with the Intune 1704 release, admins can create Azure AD conditional access policies from the Intune Azure portal, so you don't need to switch between the Azure and Intune workloads.

Important

You need an Azure AD Premium license to create Azure AD conditional access policies from the Intune Azure portal.

To create an Azure AD conditional access policy

  1. In the Intune Dashboard, choose Conditional access.

  2. In the Conditional access dashboard, choose Conditional access in Azure Active Directory.

  3. Choose New policy to create your new Azure AD conditional access policy.

    [Image: Azure AD conditional access policy]

See also

Conditional Access in Azure Active Directory

To submit feedback, go to Intune Feedback.