Controlling Access to Organizational Data with Active Directory Federation Services

This document provides an overview of access control with AD FS across on-premises, hybrid and cloud scenarios.

AD FS and Conditional Access to On-Premises Resources

Since the introduction of Active Directory Federation Services, authorization policies have been available to restrict or allow user access to resources based on attributes of the request and of the resource. As AD FS has moved from version to version, how these policies are implemented has changed. For detailed information on access control features by version, see:

AD FS and Conditional Access in a Hybrid Organization

AD FS provides the on-premises component of conditional access policy in a hybrid scenario. AD FS-based authorization rules should be used for non-Azure AD resources, such as on-premises applications federated directly to AD FS. The cloud component is provided by Azure AD Conditional Access. Azure AD Connect provides the control plane connecting the two.

For example, when you register devices with Azure AD for conditional access to cloud resources, the Azure AD Connect device write-back capability makes device registration information available on premises for AD FS policies to consume and enforce. This way, you have a consistent approach to access control policies for both on-premises and cloud resources.

(Diagram: Conditional Access)

The evolution of Client Access Policies for Office 365

Many of you are using client access policies with AD FS to limit access to Office 365 and other Microsoft Online services based on factors such as the location of the client and the type of client application being used.

Some examples of these policies include:

  • Block all extranet client access to Office 365
  • Block all extranet client access to Office 365, except for devices accessing Exchange Online via Exchange ActiveSync

Often the underlying need behind these policies is to mitigate the risk of data leakage by ensuring that only authorized clients, applications that do not cache data, or devices that can be disabled remotely can access resources.

While the AD FS policies documented above work in the specific scenarios documented, they have limitations because they depend on client data that is not consistently available. For example, the identity of the client application has only been available for Exchange Online based services and not for resources such as SharePoint Online, where the same data might be accessed via the browser or a "thick client" such as Word or Excel. Also, AD FS is unaware of which resource within Office 365 is being accessed, such as SharePoint Online or Exchange Online.
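As an added example (not code from this article), the following PowerShell applies the second policy listed above, blocking extranet access to Office 365 except for Exchange ActiveSync, as an AD FS issuance authorization rule set on the Office 365 relying party trust. It uses the request-context claim types AD FS issues for "inside corporate network" and client application identity; the relying party trust name is the default created by Office 365 federation setup and is an assumption, so adjust `$RpName` if your trust is named differently. Because the client application claim is only supplied for Exchange Online traffic, as the paragraph above explains, the rule cannot distinguish client types for other services.

```powershell
# Added example, not part of the original article: enforce
# "block all extranet client access to Office 365 except Exchange ActiveSync"
# as AD FS issuance authorization rules. Run on an AD FS server (ADFS module).
# Assumption: the relying party trust carries the default Office 365 name.
$RpName = "Microsoft Office 365 Identity Platform"

# Request-context claim types AD FS populates on every request:
#  - insidecorporatenetwork is "false" when the request came through the
#    Web Application Proxy (extranet) rather than the internal farm.
#  - x-ms-client-application carries the client identity; Exchange Online
#    supplies it (ActiveSync = "Microsoft.Exchange.ActiveSync"), other
#    services may not, so this rule cannot tell clients apart elsewhere.
$InsideCorpNet = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
$ClientApp     = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application"
$DenyClaim     = "http://schemas.microsoft.com/authorization/claims/deny"
$PermitClaim   = "http://schemas.microsoft.com/authorization/claims/permit"

# Rule 1 denies extranet requests that do not identify as ActiveSync; a deny
# claim overrides any permit. Rule 2 re-creates the default "permit everyone"
# rule, which is lost when the whole rule set is replaced.
$Rules = @"
@RuleName = "Block extranet access except Exchange ActiveSync"
exists([Type == "$InsideCorpNet", Value == "false"])
 && NOT exists([Type == "$ClientApp", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "$DenyClaim", Value = "true");

@RuleName = "Permit everyone else"
=> issue(Type = "$PermitClaim", Value = "true");
"@

# Record the current rule set before replacing it, so it can be restored.
$Previous = (Get-AdfsRelyingPartyTrust -Name $RpName).IssuanceAuthorizationRules
$Previous | Out-File -FilePath ".\O365-IssuanceAuthorizationRules.backup.txt"

# Apply the new rule set and read it back to verify.
Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceAuthorizationRules $Rules
(Get-AdfsRelyingPartyTrust -Name $RpName).IssuanceAuthorizationRules
```

Test the result from both an internal client and through the Web Application Proxy before relying on it: a browser sign-in from the extranet should be denied, while an ActiveSync device should still sync. Keep the backup file so the previous rule set can be reapplied with the same `Set-AdfsRelyingPartyTrust` call if needed.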

To address these limitations and provide a more robust way to use policies to manage access to business data in Office 365 or other Azure AD based resources, Microsoft has introduced Azure AD Conditional Access. Azure AD Conditional Access policies can be configured for a specific resource, or for any or all resources within Office 365, SaaS or custom applications in Azure AD. These policies pivot on device trust, location, and other factors.

To find out more about Azure AD Conditional Access, see Conditional Access in Azure Active Directory

A key change enabling these scenarios is modern authentication, a new way of authenticating users and devices that works the same way across Office clients, Skype, Outlook, and browsers.

Next Steps

For more information on controlling access across the cloud and on premises, see: