Common ways to use conditional access with Intune

Applies to: Intune on Azure
Looking for documentation about Intune in the classic console? Go here.

You need to configure the Intune mobile device compliance policy and the Intune mobile application management (MAM) capabilities to drive conditional access compliance at your organization. Let's talk about the common ways to use conditional access with Intune.

Device-based conditional access

Intune and Azure Active Directory work together to make sure only managed and compliant devices are allowed access to email, Office 365 services, Software as a service (SaaS) apps, and on-premises apps. Additionally, you can set a policy in Azure Active Directory so that only domain-joined computers, or mobile devices that are enrolled in Intune, can access Office 365 services.

Intune provides device compliance policy capabilities that evaluate the compliance status of devices. The compliance status is reported to Azure Active Directory, which uses it to enforce the conditional access policy created in Azure Active Directory when the user tries to access company resources.

Starting with the new Azure portal, device-based conditional access policies for Exchange Online and other Office 365 products are configured through the Azure portal.

Conditional access for Exchange on-premises

Conditional access can be used to allow or block access to Exchange on-premises based on the device compliance policies and enrollment state. When conditional access is used in combination with a device compliance policy, only compliant devices are allowed access to Exchange on-premises.

You can configure advanced settings in conditional access for more granular control, such as:

  • Allow or block certain platforms.

  • Immediately block devices that are not managed by Intune.

Any device used to access Exchange on-premises is checked for compliance when device compliance and conditional access policies are applied.

When devices do not meet the conditions set, the end user is guided through the process of enrolling the device to fix the issue that is making the device non-compliant.

How conditional access for Exchange on-premises works

The Intune Exchange connector pulls in all the Exchange Active Sync (EAS) records that exist on the Exchange server so that Intune can take these EAS records and map them to Intune device records. These records are devices enrolled and recognized by Intune. This process allows or blocks e-mail access.

If the EAS record is brand new and Intune is not aware of it, Intune issues a cmdlet that blocks access to e-mail. Here are more details on how this process works:

[Figure: flow chart of Exchange on-premises with conditional access]

  1. The user tries to access corporate e-mail, which is hosted on Exchange on-premises 2010 SP1 or later.

  2. If the device is not managed by Intune, its access to e-mail is blocked. Intune sends a block notification to the EAS client.

  3. EAS receives the block notification, moves the device to quarantine, and sends the quarantine e-mail with remediation steps that contain links so that users can enroll their devices.

  4. The Workplace join process happens, which is the first step to have the device managed by Intune.

  5. The device gets enrolled into Intune.

  6. Intune maps the EAS record to a device record and saves the device compliance state.

  7. The EAS client ID gets registered by the Azure AD Device Registration process, which creates a relationship between the Intune device record and the EAS client ID.

  8. The Azure AD Device Registration saves the device state information.

  9. If the user meets the conditional access policies, Intune issues a cmdlet through the Intune Exchange connector that allows the mailbox to sync.

  10. The Exchange server sends the notification to the EAS client so that the user can access e-mail.

What's the Intune role?

Intune evaluates and manages the device state.

What's the Exchange server role?

Exchange server provides the API and infrastructure to move devices to its quarantine.


Keep in mind that the user who's using the device must have a compliance profile assigned to them so that the device can be evaluated for compliance. If no compliance policy is deployed to the user, the device is treated as compliant and no access restrictions are applied.
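
The decision flow in steps 1 to 10 and the compliance-profile caveat above, as an added example that is not Intune or Exchange code. It is a simplified model over constructed records; the class, function names, and reason codes are assumptions made for illustration. Its purpose is to surface devices that are allowed only because no compliance policy was ever evaluated for them.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class IntuneDevice:
    eas_client_id: str            # linked by Azure AD Device Registration (step 7)
    policy_assigned: bool         # is a compliance policy deployed to the user?
    meets_policy: Optional[bool]  # None when no policy was evaluated

def decide(eas_client_id: str, devices: Dict[str, IntuneDevice]) -> Tuple[str, str]:
    """Return (decision, reason) for one EAS record pulled in by the connector."""
    dev = devices.get(eas_client_id)
    if dev is None:
        # Steps 2-3: unknown to Intune, so blocked and moved to quarantine.
        return "quarantine", "not-managed"
    if not dev.policy_assigned:
        # Caveat: no compliance policy means the device is treated as compliant.
        return "allow", "no-policy-default"
    if dev.meets_policy:
        # Steps 9-10: compliant, so the mailbox is allowed to sync.
        return "allow", "compliant"
    return "block", "non-compliant"

def audit(eas_ids: List[str], devices: Dict[str, IntuneDevice]):
    """Decide every EAS record and list the ones allowed without evaluation."""
    decisions = {cid: decide(cid, devices) for cid in eas_ids}
    unevaluated = sorted(
        cid for cid, (_, why) in decisions.items() if why == "no-policy-default"
    )
    return decisions, unevaluated

# Constructed sample data (hypothetical IDs, not real device records).
SAMPLE_DEVICES = {d.eas_client_id: d for d in [
    IntuneDevice("EAS-A1", True, True),    # enrolled, policy assigned, compliant
    IntuneDevice("EAS-B2", True, False),   # enrolled, policy assigned, failing
    IntuneDevice("EAS-C3", False, None),   # enrolled, but no policy assigned
]}
SAMPLE_EAS_IDS = ["EAS-A1", "EAS-B2", "EAS-C3", "EAS-D4"]  # EAS-D4 never enrolled

if __name__ == "__main__":
    decisions, unevaluated = audit(SAMPLE_EAS_IDS, SAMPLE_DEVICES)
    for cid, (decision, why) in decisions.items():
        print(f"{cid}: {decision} ({why})")
    print("allowed without a compliance evaluation:", unevaluated)
```

The `unevaluated` list is the one to review: those devices pass conditional access even though nothing about their state was checked.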

Conditional access based on network access control

Intune is integrated with partners like Cisco ISE, Aruba ClearPass, and Citrix NetScaler to provide access controls based on the Intune enrollment and the device compliance state.

Users can be allowed or denied access when trying to access corporate Wi-Fi or VPN resources based on whether the device is managed and compliant with Intune device compliance policies.

Conditional access based on device risk

Intune has partnered with Mobile Threat Defense vendors that provide a security solution to detect malware, Trojans, and other threats on mobile devices.

How the Intune and mobile threat defense integration works

When mobile devices have the mobile threat defense agent installed, the agent can send compliance state messages back to Intune reporting whether a threat has been found on the mobile device itself.

The Intune and mobile threat defense integration is a factor in conditional access decisions based on device risk.

Conditional access for Windows PCs

Conditional access for PCs provides capabilities similar to those available for mobile devices. Let's talk about the ways you can use conditional access when managing PCs with Intune.


  • On-premises AD domain joined: This has been the most common conditional access deployment option for organizations that are reasonably comfortable with the fact that they're already managing their PCs through AD group policies and/or with System Center Configuration Manager.

  • Azure AD domain joined and Intune management: This scenario is typically geared to Choose Your Own Device (CYOD) and roaming laptop scenarios, where these devices are rarely connected to the corporate network. The device joins Azure AD and gets enrolled in Intune, which removes any dependency on on-premises AD and domain controllers. This can be used as a conditional access criterion when accessing corporate resources.

  • AD domain joined and System Center Configuration Manager: As of current branch, System Center Configuration Manager provides conditional access capabilities that can evaluate specific compliance criteria, in addition to the PC being domain-joined:

    • Is the PC encrypted?

    • Is Malware installed? Is it up-to-date?

    • Is the device jailbroken or rooted?

Bring your own device (BYOD)

  • Workplace join and Intune management: Here the user can join their personal devices to access corporate resources and services. You can use Workplace join and enroll devices into Intune to receive device-level policies, which is another option to evaluate conditional access criteria.

App-based conditional access

Intune and Azure Active Directory work together to make sure only managed apps can access corporate e-mail or other Office 365 services.

Next steps

How to configure conditional access in Azure Active Directory

How to install on-premises Exchange connector with Intune

How to create a conditional access policy for Exchange on-premises
