Azure Active Directory 中条件访问的最佳做法Best practices for Conditional Access in Azure Active Directory

使用 Azure Active Directory (Azure AD) 条件访问,可以控制授权用户访问云应用程序的方式。With Azure Active Directory (Azure AD) Conditional Access, you can control how authorized users access your cloud apps. 本文提供以下事项的信息:This article provides you with information about:

  • 应了解的内容Things you should know
  • 在配置条件访问策略时应避免的操作。What it is you should avoid doing when configuring Conditional Access policies.

本文假定你熟悉 Azure Active Directory 中的条件访问是什么?中所述的概念和术语This article assumes that you are familiar with the concepts and the terminology outlined in What is Conditional Access in Azure Active Directory?

使策略发挥作用需要什么?What's required to make a policy work?

新建策略时,未选择任何用户、组、应用或访问控制。When you create a new policy, there are no users, groups, apps, or access controls selected.


若要使策略发挥作用,必须进行下列配置:To make your policy work, you must configure:

对象What 方式How 原因Why
云应用Cloud apps 选择一个或多个应用。Select one or more apps. 条件访问策略的目标是使你能够控制已授权用户访问云应用的方式。The goal of a Conditional Access policy is to enable you to control how authorized users can access cloud apps.
用户和组 Users and groups 至少选择一个已经授权的用户或组来访问所选云应用。Select at least one user or group that is authorized to access your selected cloud apps. 未在其中分配任何用户和组的条件访问策略永远不会触发。A Conditional Access policy that has no users and groups assigned, is never triggered.
访问控制 Access controls 至少选择一个访问控制。Select at least one access control. 策略处理器需要知道条件满足时需要执行的操作。If your conditions are satisfied, your policy processor needs to know what to do.

要点What you should know

条件访问策略是如何应用的?How are Conditional Access policies applied?

访问云应用时,可能会应用多个条件访问策略。More than one Conditional Access policy may apply when you access a cloud app. 在这种情况下,必须满足所应用的所有策略。In this case, all policies that apply must be satisfied. 例如,如果一个策略需要多重身份验证 (MFA),另一个策略需要兼容的设备,则你必须完成 MFA 并使用兼容的设备。For example, if one policy requires multi-factor authentication (MFA) and another requires a compliant device, you must complete MFA, and use a compliant device.

所有策略都是在两个阶段中强制实施的:All policies are enforced in two phases:

  • 阶段 1:收集会话详细信息Phase 1: Collect session details
    • 收集会话详细信息,例如进行策略评估所需的用户位置和设备标识。Gather session details, like user location and device identity that will be necessary for policy evaluation.
    • 在此阶段,如果设备符合性是条件访问策略的一部分,用户可能会看到证书提示。During this phase, users may see a certificate prompt if device compliance is part of your Conditional Access policies. 如果设备操作系统不是 Windows 10,浏览器应用可能会显示此提示。This prompt may occur for browser apps when the device operating system is not Windows 10.
    • 针对已启用的策略和“仅限报告”模式下的策略执行策略评估的第 1 阶段。Phase 1 of policy evaluation occurs for enabled policies and policies in report-only mode.
  • 阶段 2:强制Phase 2: Enforcement
    • 使用在第 1 阶段收集的会话详细信息来识别尚未满足的任何要求。Use the session details gathered in phase 1 to identify any requirements that have not been met.
    • 如果有一个策略配置为阻止访问,则在使用阻止授权控制的情况下,将在此处停止强制,用户会被阻止。If there is a policy that is configured to block access, with the block grant control, enforcement will stop here and the user will be blocked.
    • 然后,系统会提示用户完成额外的授权控制要求(这些要求未在第 1 阶段按以下顺序满足),直到满足策略要求:The user will then be prompted to complete additional grant control requirements that have not been satisfied during phase 1 in the following order, until policy is satisfied:
      • 多重身份验证Multi-factor authentication
      • 批准的客户端应用/应用保护策略Approved client app/app protection policy
      • 受管理设备(合规或混合 Azure AD 加入)Managed device (compliant or hybrid Azure AD join)
      • 使用条款Terms of use
      • 自定义控件Custom controls
      • 在满足授权控制后应用会话控制(应用强制实施、Microsoft Cloud App Security 和令牌生存期)Once grant controls have been satisfied, apply session controls (App Enforced, Microsoft Cloud App Security, and token Lifetime)
    • 针对所有已启用的策略执行策略评估的第 2 阶段。Phase 2 of policy evaluation occurs for all enabled policies.

如何计算分配?How are assignments evaluated?

所有分配在逻辑上采用 AND 运算符。All assignments are logically ANDed. 如果配置了多个分配,则必须满足所有分配才能触发策略。If you have more than one assignment configured, all assignments must be satisfied to trigger a policy.

如果需要配置一个位置条件并将其应用到从组织网络外部进行的所有连接,则请执行以下操作:If you need to configure a location condition that applies to all connections made from outside your organization's network:

  • 包括所有位置Include All locations
  • 排除所有受信任的 IPExclude All trusted IPs

如果你被锁定在 Azure AD 管理门户之外,该怎么办?What to do if you are locked out of the Azure AD admin portal?

如果你因为条件访问策略中的设置不正确而被锁定在 Azure AD 门户之外,则请执行以下操作:If you are locked out of the Azure AD portal due to an incorrect setting in a Conditional Access policy:

  • 检查组织中是否有其他管理员尚未被阻止。Check is there are other administrators in your organization that aren't blocked yet. 具有 Azure 门户访问权限的管理员可以禁用影响你登录的策略。An administrator with access to the Azure portal can disable the policy that is impacting your sign-in.
  • 如果组织中没有管理员可以更新策略,则需提交支持请求。If none of the administrators in your organization can update the policy, you need to submit a support request. Microsoft 支持人员可以审核并更新妨碍访问的条件访问策略。Microsoft support can review and update Conditional Access policies that are preventing access.

如果在 Azure 经典门户和 Azure 门户中配置了策略,会发生什么情况?What happens if you have policies in the Azure classic portal and Azure portal configured?

仅当满足所有要求时,Azure Active Directory 才实施策略,用户才可获取访问权限。Both policies are enforced by Azure Active Directory and the user gets access only when all requirements are met.

如果在 Intune Silverlight 门户和 Azure 门户中配置了策略,会发生什么情况?What happens if you have policies in the Intune Silverlight portal and the Azure portal?

仅当满足所有要求时,Azure Active Directory 才实施策略,用户才可获取访问权限。Both policies are enforced by Azure Active Directory and the user gets access only when all requirements are met.

如果对同一个用户配置了多个策略,会发生什么情况?What happens if I have multiple policies for the same user configured?

每次登录时,Azure Active Directory 都会评估所有策略,确保只有满足所有要求,才向该用户授予访问权限。For every sign-in, Azure Active Directory evaluates all policies and ensures that all requirements are met before granted access to the user. 阻止访问优先于所有其他配置设置。Block access trumps all other configuration settings.

条件访问是否适用于 Exchange ActiveSync?Does Conditional Access work with Exchange ActiveSync?

适用,可以在条件访问策略中使用 Exchange ActiveSync。Yes, you can use Exchange ActiveSync in a Conditional Access policy.

某些云应用(如 SharePoint Online 和 Exchange Online)也支持旧式身份验证协议。Some cloud apps like SharePoint Online and Exchange Online also support legacy authentication protocols. 如果客户端应用可以使用旧式身份验证协议访问云应用,则 Azure AD 无法针对此访问尝试实施条件访问策略。When a client app can use a legacy authentication protocol to access a cloud app, Azure AD cannot enforce a Conditional Access policy on this access attempt. 为了防止客户端应用绕过策略的实施,应该检查它是否能够做到只对受影响的云应用启用新式身份验证。To prevent a client app from bypassing the enforcement of policies, you should check whether it is possible to only enable modern authentication on the affected cloud apps.

应如何使用 Office 365 应用配置条件访问?How should you configure Conditional Access with Office 365 apps?

由于 Office 365 应用是相互连接的,因此建议你在创建策略时将常用应用分配到一起。Because Office 365 apps are interconnected, we recommend assigning commonly used apps together when creating policies.

常见的相互连接的应用程序包括 Microsoft Flow、Microsoft Planner、Microsoft Teams、Office 365 Exchange Online、Office 365 SharePoint Online 和 Office 365 Yammer。Common interconnected applications include Microsoft Flow, Microsoft Planner, Microsoft Teams, Office 365 Exchange Online, Office 365 SharePoint Online, and Office 365 Yammer.

如果访问权限是在会话或任务的开始时控制的,则这对需要用户交互(例如多重身份验证)的策略来说很重要。It is important for policies that require user interactions, like multi-factor authentication, when access is controlled at the beginning of a session or task. 如果你不这样做,用户将无法完成应用中的某些任务。If you don't, users won't be able to complete some tasks within an app. 例如,如果你要求在非托管设备上访问 SharePoint 时进行多重身份验证,但不要求在访问电子邮件时这样做,则在电子邮件中工作的用户无法将 SharePoint 文件附加到邮件中。For example, if you require multi-factor authentication on unmanaged devices to access SharePoint but not to email, users working in their email won't be able to attach SharePoint files to a message. 有关详细信息,可参阅此文:Azure Active Directory 条件访问中的服务依赖项是什么?More information can be found in the article, What are service dependencies in Azure Active Directory Conditional Access?.

应避免的操作What you should avoid doing

条件访问框架提供了极大的配置灵活性。The Conditional Access framework provides you with a great configuration flexibility. 不过,极大的灵活性也意味着应先仔细检查每个配置策略,然后才能发布,以免产生不良结果。However, great flexibility also means that you should carefully review each configuration policy before releasing it to avoid undesirable results. 在这种情况下,应该特别注意影响完整集的任务,例如所有用户/组/云应用In this context, you should pay special attention to assignments affecting complete sets such as all users / groups / cloud apps.

在环境中,应避免以下配置:In your environment, you should avoid the following configurations:

对于所有用户、所有云应用:For all users, all cloud apps:

  • 阻止访问 - 此配置将阻止整个组织(这绝对不是一个好的选项)。Block access - This configuration blocks your entire organization, which is definitely not a good idea.
  • 需要符合的设备 - 对于尚未注册其设备的用户,此策略将阻止所有访问权限(包括对 Intune 门户的访问权限)。Require compliant device - For users that have not enrolled their devices yet, this policy blocks all access including access to the Intune portal. 如果是不具有注册设备的管理员,则此策略会阻止你回到 Azure 门户更改策略。If you are an administrator without an enrolled device, this policy blocks you from getting back into the Azure portal to change the policy.
  • 需要加入域 - 如果不具有加入域的设备,此阻止访问权限的策略还可能会阻止组织中所有用户的访问权限。Require domain join - This policy block access has also the potential to block access for all users in your organization if you don't have a domain-joined device yet.
  • 需要应用保护策略 - 如果没有 Intune 策略,此阻止访问权限的策略还可能会阻止组织中所有用户的访问权限。Require app protection policy - This policy block access has also the potential to block access for all users in your organization if you don't have an Intune policy. 如果你是管理员,没有设置了 Intune 应用保护策略的客户端应用程序,则此策略会阻止你返回到 Intune 和 Azure 之类的门户。If you are an administrator without a client application that has an Intune app protection policy, this policy blocks you from getting back into portals such as Intune and Azure.

对于所有用户、所有云应用、所有设备平台:For all users, all cloud apps, all device platforms:

  • 阻止访问 - 此配置将阻止整个组织(这绝对不是一个好的选项)。Block access - This configuration blocks your entire organization, which is definitely not a good idea.

应如何部署新的策略?How should you deploy a new policy?

第一步,应使用假设状况法对策略进行评估。As a first step, you should evaluate your policy using the what if tool.

当新策略针对你的环境准备就绪后,分阶段部署它们:When new policies are ready for your environment, deploy them in phases:

  1. 对一小组用户应用策略,验证策略的表现是否符合预期。Apply a policy to a small set of users and verify it behaves as expected.
  2. 当扩展策略以包括更多用户时,When you expand a policy to include more users. 继续从策略中排除所有管理员,以确保在需要进行更改时他们仍然具有访问权限且可以更新策略。Continue to exclude all administrators from the policy to ensure that they still have access and can update a policy if a change is required.
  3. 仅当必要时,才将策略应用于所有用户。Apply a policy to all users only if necessary.

最佳做法是创建一个符合以下条件的用户帐户:As a best practice, create a user account that is:

  • 专用于策略管理Dedicated to policy administration
  • 已从所有策略中排除Excluded from all your policies

策略迁移Policy migration

考虑迁移未在 Azure 门户中创建的策略,因为:Consider migrating the policies you have not created in the Azure portal because:

  • 现在可以解决以前无法处理的方案。You can now address scenarios you could not handle before.
  • 可以通过合并来减少需要管理的策略数。You can reduce the number of policies you have to manage by consolidating them.
  • 可以在一个中心位置管理所有条件访问策略。You can manage all your Conditional Access policies in one central location.
  • Azure 经典门户已停用。The Azure classic portal has been retired.

有关详细信息,请参阅在 Azure 门户中迁移经典策略For more information, see Migrate classic policies in the Azure portal.

后续步骤Next steps

如果希望了解:If you want to know: