Reassign conditional access policies from the Intune classic portal to the Azure portal

Starting in the new Azure portal, conditional access supports multiple policies per application, along with more customizability.

Before you begin

If you're ready to move to the Azure portal, follow the steps in this topic to reassign the conditional access policies you previously created in the Intune classic portal:

  • Gather the conditional access policies previously created, so you know which settings you need to reassign later.

  • Follow the steps in this topic to re-create these policies in the Azure portal.

  • Disable the conditional access policies in the Intune classic console after you have verified that the new policies are working as expected in the Azure portal.

    • Before you disable the conditional access policies in the Intune classic portal, plan how you'll move users over to the new policies. There are two approaches:

      • Use the same inclusion group to apply the policies created in the Azure portal, and create a new exemption group to use with the policies applied by the Intune classic portal.
        • Gradually move some users into the exemption group specified in the classic portal. This prevents the policies targeted by the Intune classic portal from being applied to those users. The policies created in the Azure portal and targeted to the same user group are applied, in addition to the ones applied by the Intune classic portal.

      • Create a new group to target the conditional access policies in the Azure portal. If you choose this approach, you need to do the following:
        • Gradually remove users from the security groups that have conditional access policies targeted to them in the Intune classic portal.
        • After you have confirmed that the new policy is working for those users, you can disable the policy in the Intune classic portal.

  • If your conditional access policy settings are configured to use Exchange ActiveSync (EAS) in the Intune classic portal, see the instructions in this topic to reassign the EAS conditional access policy settings in the Azure portal.
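Added example, not code from the original topic or from Microsoft: a small Python model of the two migration approaches described above. It evaluates which policies apply to a user at each stage of the move (an exempt or excluded group overrides inclusion, as in both portals) and flags any stage at which no conditional access policy applies to the user at all, which is the gap you get if users are removed from the old group before the new policy covers them. Policy and group names are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    portal: str                        # "classic" (Intune classic) or "azure"
    include: frozenset                 # groups the policy is targeted to
    exclude: frozenset = frozenset()   # exempt groups (classic) / excluded groups (Azure)

    def applies_to(self, user_groups):
        groups = set(user_groups)
        # Membership in an exempt/excluded group wins over inclusion.
        if groups & self.exclude:
            return False
        return bool(groups & self.include)


def effective_policies(policies, user_groups):
    """Names of the policies that apply to a user with the given group memberships."""
    return [p.name for p in policies if p.applies_to(user_groups)]


def simulate(policies, stages):
    """stages: ordered (label, user_groups) pairs giving the user's group
    membership at each point of the migration. Returns (label, applied names)."""
    return [(label, effective_policies(policies, groups)) for label, groups in stages]


def uncovered_stages(timeline):
    """Stages at which no conditional access policy applies to the user."""
    return [label for label, applied in timeline if not applied]


# Constructed sample policies; group names are placeholders.
CLASSIC_EXO = Policy("classic-ExchangeOnline", "classic",
                     frozenset({"CA-Users"}), frozenset({"CA-Classic-Exempt"}))

# Approach 1: the Azure policy reuses the same inclusion group, and users are
# moved into a new exemption group on the classic policy.
AZURE_EXO_SAME_GROUP = Policy("azure-ExchangeOnline", "azure", frozenset({"CA-Users"}))
APPROACH_1 = [
    ("before migration", {"CA-Users"}),
    ("added to classic exemption group", {"CA-Users", "CA-Classic-Exempt"}),
]

# Approach 2: the Azure policy targets a new group; users leave the classic
# group only after the new policy is confirmed working for them.
AZURE_EXO_NEW_GROUP = Policy("azure-ExchangeOnline", "azure", frozenset({"CA-Users-Azure"}))
APPROACH_2 = [
    ("before migration", {"CA-Users"}),
    ("added to new group, still in old", {"CA-Users", "CA-Users-Azure"}),
    ("removed from old group", {"CA-Users-Azure"}),
]
# Approach 2 in the wrong order: removing users from the old group first
# leaves a stage with no policy at all.
APPROACH_2_WRONG_ORDER = [
    ("before migration", {"CA-Users"}),
    ("removed from old group before adding new", set()),
    ("added to new group", {"CA-Users-Azure"}),
]

if __name__ == "__main__":
    for label, stages, policies in [
        ("approach 1", APPROACH_1, [CLASSIC_EXO, AZURE_EXO_SAME_GROUP]),
        ("approach 2", APPROACH_2, [CLASSIC_EXO, AZURE_EXO_NEW_GROUP]),
        ("approach 2, wrong order", APPROACH_2_WRONG_ORDER, [CLASSIC_EXO, AZURE_EXO_NEW_GROUP]),
    ]:
        timeline = simulate(policies, stages)
        print(label, timeline, "gaps:", uncovered_stages(timeline))
```

In approach 1 both policies apply during the overlap, which is the behaviour the text describes; in approach 2 the intermediate stage where a user is in both groups is what keeps the user covered, and the wrong-order variant shows up as a gap.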

To verify your device-based conditional access policies in the Intune classic portal

  1. Go to the Intune classic portal, and sign in with your credentials.

  2. Choose Policy from the left menu.

  3. Choose Conditional access, and then select the Microsoft cloud service (for example, Exchange Online or SharePoint Online) that you created a conditional access policy for.

  4. Take note of your conditional access settings, and refer to them when you create the same conditional access policies in the Azure portal.

App-based and device-based conditional access policies working together

The Intune App Protection blade in the Azure portal enables admins to set app-based conditional access rules so that only apps that support Intune app protection policies are allowed to access corporate resources. You can choose to overlap these app-based conditional access policies with device-based conditional access policies. You can combine the device-based and app-based conditional policies (logical AND), or require either one (logical OR). If your conditional access policy requirements are to:

Tip

This topic provides screenshots comparing the user experience in the Intune classic portal and the Azure portal.

Reassign Intune device-based conditional access policies

  1. Go to Conditional access in the Azure portal, and sign in with your credentials.

  2. Choose New policy.

  3. Provide a name for the policy.

  4. Under the Assignments section, choose Users and groups to target the new conditional access policy.

    Screenshot: user groups UI comparison between the Intune and Azure portals

    Important

    The selection you make in the Azure portal should correspond to the selection you made in the Intune portal. For example, if you have all users selected in the Intune classic portal, select All users in the Azure portal. Additionally, if you chose the Exempt groups option in the Intune classic portal, also exclude those groups in the Azure portal.

  5. After you choose your group, click Select, and then click Done.

  6. Under the Assignments section, choose Cloud apps.

  7. On the Cloud apps blade, choose Select apps.

  8. Choose the app you want to apply the new conditional access policy to, and click Select.

  9. Click Done.

    Screenshot: cloud apps UI comparison between the Intune and Azure portals

    Tip

    If you have multiple apps with the same policy, consider consolidating them into a single policy in the Azure portal.

  10. Under the Assignments section, choose Conditions.

  11. On the Conditions blade, choose Device platforms, and then choose the applicable device platforms.

  12. When you have finished choosing the device platforms, click Done twice.

    Screenshot: device platforms UI comparison between the Intune and Azure portals

    Tip

    If you chose individual platforms in the Intune classic portal, choose the same individual platforms in the Azure portal.

    Note

    You can specify the domain join or compliant options for Windows later.

  13. Under the Assignments section, choose Conditions.

  14. On the Conditions blade, choose Client apps, and then choose the applicable client apps.

  15. When you have finished choosing the client apps, click Done twice.

    Screenshot: client apps UI comparison between the Intune and Azure portals

  16. If you chose the browser settings in the Intune classic portal, select both Browser and Mobile apps and desktop clients in the Azure portal. If you did not choose the browser settings in the Intune classic portal, choose Mobile apps and desktop clients only.

  17. Under the Access controls section, choose Grant.

  18. Under Grant Access Controls, choose Require device to be marked as compliant, and then click Select.

  19. If you have a policy that requires domain-joined Windows devices, and you also allow Intune-enrolled and compliant Windows devices, choose Require domain joined device and Require device to be marked as compliant, along with Require one of the selected controls.

  20. If you do not allow Intune-enrolled and compliant Windows devices, exclude the Windows platform from the current policy. Then create a separate policy with Device platforms set to Windows, include the other conditions as set above, and choose Require domain joined device under Grant Access Controls.

  21. On the New conditional access policy blade, turn on the Enable policy toggle, and then click Create.

    Screenshot: enable conditional access policy UI comparison between the Intune and Azure portals

Reassign Intune device-based conditional access policies for EAS clients

If you configured Exchange ActiveSync settings as part of an Exchange Online policy in the Intune classic portal, you need to create a second conditional access policy in the Azure portal.

  1. Go to Conditional access in the Azure portal, and sign in with your credentials.

  2. Choose New policy.

  3. Provide a name for the policy.

  4. Under the Assignments section, choose Users and groups to target the new conditional access policy.

    Screenshot: user groups UI comparison between the Intune and Azure portals

    Important

    The selection you make in the Azure portal should correspond to the selection you made in the Intune portal. For example, if you have all users selected in the Intune classic portal, select All users in the Azure portal. Additionally, if you chose the Exempt groups option in the Intune classic portal, also exclude those groups in the Azure portal.

  5. After you choose your group, click Select, and then click Done.

  6. Under the Assignments section, choose Cloud apps.

  7. On the Cloud apps blade, click Select apps, and choose Exchange Online. Then click Select and Done.

    Screenshot: cloud apps UI comparison between the Intune and Azure portals

    Important

    Conditional access policies for EAS clients cannot include any other cloud app.

  8. On the Conditions blade, choose Client apps, and then choose the applicable client app. If you chose to block clients that aren't supported by Intune, use the Apply policy only to supported platforms option.

    Screenshot: client apps UI comparison between the Intune and Azure portals

  9. When you have finished choosing the client app, click Done twice.

  10. Under the Access controls section, choose Grant.

  11. Under Grant Access Controls, choose Require device to be marked as compliant, and then click Select.

    Screenshot: grant access UI comparison between the Intune and Azure portals

  12. On the New conditional access policy blade, turn on the Enable policy toggle, and then click Create.

    Screenshot: enable conditional access policy UI comparison between the Intune and Azure portals
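Added example, not code from the original topic or from Microsoft: a Python parity check that compares the settings you noted down in the Intune classic portal (verify step above) with the policies you re-created in the Azure portal. It encodes the rules of both procedures above: the same users and groups with exempt groups excluded, the same cloud app and device platforms, Browser plus Mobile apps and desktop clients only when the classic browser setting was on, compliant-device grant control, the domain joined OR compliant combination for Windows, a separate EAS policy that targets Exchange Online only, and the Enable policy toggle. The classic-side record and the Azure-side dictionaries are constructed samples; the Azure field names are an assumption loosely modelled on the Microsoft Graph conditionalAccessPolicy resource, and the app name "Exchange Online" stands in for the application id.

```python
EXCHANGE_ONLINE = "Exchange Online"   # placeholder for the cloud app identifier

# Classic-portal settings as noted down in the verify step (constructed sample).
CLASSIC_EXO = {
    "all_users": False,
    "groups": ["CA-Users"],
    "exempt_groups": ["CA-Exempt"],
    "cloud_app": EXCHANGE_ONLINE,
    "platforms": ["iOS", "android", "windows"],
    "browser_access": True,          # browser setting was chosen in the classic portal
    "eas_settings": True,            # Exchange ActiveSync settings were configured
    "require_domain_join": True,
    "allow_compliant_windows": True,
}

# Policies re-created in the Azure portal (constructed sample; field names are an
# assumption loosely modelled on the Graph conditionalAccessPolicy shape).
AZURE_DEVICE = {
    "displayName": "EXO device-based",
    "state": "enabled",
    "conditions": {
        "users": {"includeGroups": ["CA-Users"], "excludeGroups": ["CA-Exempt"]},
        "applications": {"includeApplications": [EXCHANGE_ONLINE]},
        "platforms": {"includePlatforms": ["iOS", "android", "windows"]},
        "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
    },
    "grantControls": {"operator": "OR",
                      "builtInControls": ["compliantDevice", "domainJoinedDevice"]},
}
AZURE_EAS = {
    "displayName": "EXO EAS clients",
    "state": "enabled",
    "conditions": {
        "users": {"includeGroups": ["CA-Users"], "excludeGroups": ["CA-Exempt"]},
        "applications": {"includeApplications": [EXCHANGE_ONLINE]},
        "clientAppTypes": ["exchangeActiveSync"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
}


def is_eas_policy(azure):
    return "exchangeActiveSync" in azure["conditions"]["clientAppTypes"]


def check_policy(classic, azure):
    """Mismatches between the noted classic settings and one Azure policy."""
    out = []
    cond = azure["conditions"]
    users = cond["users"]
    apps = cond["applications"]["includeApplications"]
    client = set(cond["clientAppTypes"])
    controls = set(azure["grantControls"]["builtInControls"])
    operator = azure["grantControls"]["operator"]
    # Users and groups: same inclusion, and classic exempt groups excluded.
    if classic["all_users"] and users.get("includeUsers") != ["All"]:
        out.append("classic targets all users but the Azure policy does not include 'All'")
    missing = set(classic["groups"]) - set(users.get("includeGroups", []))
    if not classic["all_users"] and missing:
        out.append(f"groups not included: {sorted(missing)}")
    not_excluded = set(classic["exempt_groups"]) - set(users.get("excludeGroups", []))
    if not_excluded:
        out.append(f"exempt groups not excluded: {sorted(not_excluded)}")
    # Cloud app and the compliant-device grant control apply to both policy kinds.
    if classic["cloud_app"] not in apps:
        out.append(f"cloud app {classic['cloud_app']!r} not targeted")
    if "compliantDevice" not in controls:
        out.append("'Require device to be marked as compliant' not selected")
    if is_eas_policy(azure):
        # EAS policies cannot include any other cloud app.
        if apps != [classic["cloud_app"]]:
            out.append("EAS policy must target Exchange Online only")
        return out
    # Device platforms must match the classic selection.
    if set(cond["platforms"]["includePlatforms"]) != set(classic["platforms"]):
        out.append("device platforms differ from the classic selection")
    # Browser setting in classic -> Browser and Mobile apps and desktop clients.
    expected = {"mobileAppsAndDesktopClients"} | ({"browser"} if classic["browser_access"] else set())
    if client != expected:
        out.append(f"client app types {sorted(client)} != {sorted(expected)}")
    # Domain-joined Windows alongside compliant devices needs the OR operator.
    if classic["require_domain_join"] and classic["allow_compliant_windows"]:
        if "domainJoinedDevice" not in controls or operator != "OR":
            out.append("domain joined + compliant needs 'Require one of the selected controls'")
    return out


def check_migration(classic, azure_policies):
    """All findings across the re-created policies, plus the missing-EAS-policy case."""
    out = []
    for p in azure_policies:
        out += [f"{p['displayName']}: {m}" for m in check_policy(classic, p)]
        if p.get("state") != "enabled":
            out.append(f"{p['displayName']}: 'Enable policy' toggle is off")
    if classic["eas_settings"] and not any(is_eas_policy(p) for p in azure_policies):
        out.append("classic policy has EAS settings but no separate EAS policy exists")
    return out


if __name__ == "__main__":
    print(check_migration(CLASSIC_EXO, [AZURE_DEVICE, AZURE_EAS]) or "policies match")
```

An empty result means the Azure-portal policies reproduce the classic settings; run the check before disabling anything in the classic portal, and again after any later edit to the Azure policies.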

Disable conditional access policies in the Intune classic portal

After you have reassigned your conditional access policies in the Azure portal, it's important to gradually disable the conditional access policies previously created in the Intune classic portal. Additionally, you might need to use the same security group to apply the conditional access policies created in the Azure portal.

Note

Before disabling your conditional access policies in the Intune classic portal, see the Before you begin section at the beginning of this topic.

To disable the conditional access policies

  1. Go to the Intune classic portal, and sign in with your credentials.

  2. Choose Policy from the left menu.

  3. Choose Conditional access, and then select the Microsoft cloud service (for example, Exchange Online or SharePoint Online) that you created a conditional access policy for.

  4. Uncheck the Enable conditional access policy option, and then click Save.

    Screenshot: disabling conditional access policies in the Intune classic portal

See also

To submit feedback, go to Intune Feedback.