How to: Require approved client apps for cloud app access with Conditional Access

People regularly use their mobile devices for both personal and work tasks. While making sure staff can be productive, organizations also want to prevent data loss from potentially unsecure applications. With Conditional Access, organizations can restrict access to approved (modern authentication capable) client apps.

This article presents two scenarios for configuring Conditional Access policies for resources like Microsoft 365, Exchange Online, and SharePoint Online.

In Conditional Access, this functionality is known as requiring an approved client app. For a list of approved client apps, see the approved client app requirement.

Note

In order to require approved client apps for iOS and Android devices, these devices must first register in Azure AD.

Scenario 1: Microsoft 365 apps require an approved client app

In this scenario, Contoso has decided that users on mobile devices can access all Microsoft 365 services as long as they use approved client apps, like Outlook mobile, OneDrive, and Microsoft Teams. All of their users already sign in with Azure AD credentials and have licenses assigned to them that include Azure AD Premium P1 or P2 and Microsoft Intune.

Organizations must complete the following three steps in order to require the use of an approved client app on mobile devices.

Step 1: Policy for Android and iOS based modern authentication clients, requiring the use of an approved client application when accessing Exchange Online.

  1. Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.
  2. Browse to Azure Active Directory > Security > Conditional Access.
  3. Select New policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users and groups.
    1. Under Include, select All users or the specific Users and groups you wish to apply this policy to.
    2. Select Done.
  6. Under Cloud apps or actions > Include, select Office 365.
  7. Under Conditions, select Device platforms.
    1. Set Configure to Yes.
    2. Include Android and iOS.
  8. Under Conditions, select Client apps (preview).
    1. Set Configure to Yes.
    2. Select Mobile apps and desktop clients and Modern authentication clients.
  9. Under Access controls > Grant, select Grant access, Require approved client app, and then Select.
  10. Confirm your settings and set Enable policy to On.
  11. Select Create to create and enable your policy.

Step 2: Configure an Azure AD Conditional Access policy for Exchange Online with ActiveSync (EAS)

  1. Browse to Azure Active Directory > Security > Conditional Access.
  2. Select New policy.
  3. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  4. Under Assignments, select Users and groups.
    1. Under Include, select All users or the specific Users and groups you wish to apply this policy to.
    2. Select Done.
  5. Under Cloud apps or actions > Include, select Office 365 Exchange Online.
  6. Under Conditions:
    1. Client apps (preview):
      1. Set Configure to Yes.
      2. Select Mobile apps and desktop clients and Exchange ActiveSync clients.
  7. Under Access controls > Grant, select Grant access, Require approved client app, and then Select.
  8. Confirm your settings and set Enable policy to On.
  9. Select Create to create and enable your policy.

Step 3: Configure Intune app protection policy for iOS and Android client applications.

Review the article How to create and assign app protection policies for steps to create app protection policies for Android and iOS.

Scenario 2: Exchange Online and SharePoint Online require an approved client app

In this scenario, Contoso has decided that users may only access email and SharePoint data on mobile devices as long as they use an approved client app like Outlook mobile. All of their users already sign in with Azure AD credentials and have licenses assigned to them that include Azure AD Premium P1 or P2 and Microsoft Intune.

Organizations must complete the following three steps in order to require the use of an approved client app on mobile devices and Exchange ActiveSync clients.

Step 1: Policy for Android and iOS based modern authentication clients, requiring the use of an approved client application when accessing Exchange Online and SharePoint Online.

  1. Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.
  2. Browse to Azure Active Directory > Security > Conditional Access.
  3. Select New policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users and groups.
    1. Under Include, select All users or the specific Users and groups you wish to apply this policy to.
    2. Select Done.
  6. Under Cloud apps or actions > Include, select Office 365 Exchange Online and Office 365 SharePoint Online.
  7. Under Conditions, select Device platforms.
    1. Set Configure to Yes.
    2. Include Android and iOS.
  8. Under Conditions, select Client apps (preview).
    1. Set Configure to Yes.
    2. Select Mobile apps and desktop clients and Modern authentication clients.
  9. Under Access controls > Grant, select Grant access, Require approved client app, and then Select.
  10. Confirm your settings and set Enable policy to On.
  11. Select Create to create and enable your policy.

Step 2: Policy for Exchange ActiveSync clients, requiring the use of an approved client app.

  1. Browse to Azure Active Directory > Security > Conditional Access.
  2. Select New policy.
  3. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  4. Under Assignments, select Users and groups.
    1. Under Include, select All users or the specific Users and groups you wish to apply this policy to.
    2. Select Done.
  5. Under Cloud apps or actions > Include, select Office 365 Exchange Online.
  6. Under Conditions:
    1. Client apps (preview):
      1. Set Configure to Yes.
      2. Select Mobile apps and desktop clients and Exchange ActiveSync clients.
  7. Under Access controls > Grant, select Grant access, Require approved client app, and then Select.
  8. Confirm your settings and set Enable policy to On.
  9. Select Create to create and enable your policy.
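The portal steps in Scenario 1 and Scenario 2 (Step 1 for modern authentication clients, Step 2 for Exchange ActiveSync clients) map onto the Microsoft Graph conditionalAccessPolicy resource. The example below is added here and is not code from the original article; it builds the four policy bodies as a practitioner would submit them to the Graph endpoint, plus a small pre-flight lint for the two things most often wrong in such policies (a policy left in report-only mode, and an "All users" policy with no emergency-access exclusion, which Microsoft recommends for every Conditional Access policy). The application IDs and enum values are the well-known Graph values; the policy names and the `create_policy` helper are this example's own, and no request is sent unless you supply a token that has the Policy.ReadWrite.ConditionalAccess permission.

```python
"""Build and lint Microsoft Graph conditionalAccessPolicy bodies for the
'Require approved client app' scenarios (added example, not part of the article)."""
import json
import urllib.request

# Well-known Microsoft Graph identifiers (fixed across tenants).
OFFICE_365 = "Office365"                                    # the "Office 365" app group
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"    # Office 365 Exchange Online
SHAREPOINT_ONLINE = "00000003-0000-0ff1-ce00-000000000000"  # Office 365 SharePoint Online

GRAPH_CA_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def approved_client_app_policy(name, apps, client_app_types, platforms=None,
                               users=("All",), exclude_users=(), state="enabled"):
    """Return a conditionalAccessPolicy dict whose only grant control is
    'Require approved client app' (builtInControls: approvedApplication)."""
    conditions = {
        "users": {"includeUsers": list(users), "excludeUsers": list(exclude_users)},
        "applications": {"includeApplications": list(apps)},
        "clientAppTypes": list(client_app_types),
    }
    if platforms:  # the EAS policy in the article has no device platform condition
        conditions["platforms"] = {"includePlatforms": list(platforms)}
    return {
        "displayName": name,
        "state": state,  # "enabled" | "disabled" | "enabledForReportingButNotEnforced"
        "conditions": conditions,
        "grantControls": {"operator": "OR", "builtInControls": ["approvedApplication"]},
    }


def modern_auth_policy(name, apps, exclude_users=()):
    """Step 1 of both scenarios: Android/iOS + 'Mobile apps and desktop clients'."""
    return approved_client_app_policy(name, apps, ["mobileAppsAndDesktopClients"],
                                      platforms=["android", "iOS"],
                                      exclude_users=exclude_users)


def eas_policy(name, exclude_users=()):
    """Step 2 of both scenarios: Exchange Online + 'Exchange ActiveSync clients'."""
    return approved_client_app_policy(name, [EXCHANGE_ONLINE], ["exchangeActiveSync"],
                                      exclude_users=exclude_users)


def scenario_1(break_glass=()):
    """Scenario 1: all Microsoft 365 services, approved client apps only."""
    return [modern_auth_policy("CA-ApprovedApp-O365-Mobile", [OFFICE_365], break_glass),
            eas_policy("CA-ApprovedApp-EXO-EAS", break_glass)]


def scenario_2(break_glass=()):
    """Scenario 2: Exchange Online and SharePoint Online only."""
    return [modern_auth_policy("CA-ApprovedApp-EXO-SPO-Mobile",
                               [EXCHANGE_ONLINE, SHAREPOINT_ONLINE], break_glass),
            eas_policy("CA-ApprovedApp-EXO-EAS", break_glass)]


def lint(policy):
    """Findings a reviewer would raise before turning the policy on."""
    findings = []
    if policy["state"] != "enabled":
        findings.append("policy is not enforcing (state=%s)" % policy["state"])
    users = policy["conditions"]["users"]
    if users["includeUsers"] == ["All"] and not users["excludeUsers"]:
        findings.append("targets All users with no break-glass exclusion")
    if policy["grantControls"]["builtInControls"] != ["approvedApplication"]:
        findings.append("grant control is not exactly 'Require approved client app'")
    return findings


def create_policy(policy, access_token):
    """POST one policy to Graph; returns the created policy's id. Network call,
    only executed when a real token is supplied."""
    req = urllib.request.Request(
        GRAPH_CA_URL, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": "Bearer " + access_token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["id"]


if __name__ == "__main__":
    for p in scenario_1() + scenario_2():
        print(p["displayName"], lint(p))
        print(json.dumps(p, indent=2))
```

Pass the object IDs of your emergency-access accounts as `break_glass` before calling `create_policy`, and create the policy in report-only state first if you want sign-in log data before enforcement. Note that the Android/iOS device platform condition is evaluated from the client's user agent string, so it is a scoping convenience rather than a strong control on its own; the "Require approved client app" grant, which is enforced by the broker-based app itself, is what actually keeps data inside approved apps.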

Step 3: Configure Intune app protection policy for iOS and Android client applications.

Review the article How to create and assign app protection policies for steps to create app protection policies for Android and iOS.

Next steps

What is Conditional Access?

Conditional Access components

Common Conditional Access policies