Conditional Access: Cloud apps or actions

Cloud apps or actions are a key signal in a Conditional Access policy. Conditional Access policies allow administrators to assign controls to specific applications or actions.

  • Administrators can choose from the list of applications, which includes built-in Microsoft applications and any Azure AD integrated applications.
  • Administrators may choose to define a policy based not on a cloud application but on a user action. The only supported action is Register security information (preview), which allows Conditional Access to enforce controls around the combined security information registration experience.

Define a Conditional Access policy and specify cloud apps

Azure cloud applications

Many of the existing Azure cloud applications are included in the list of applications you can select from.

Administrators can assign a Conditional Access policy to the following cloud apps from Microsoft. Some apps, such as Office 365 and Azure Management, include multiple related child apps or services. The following list is not exhaustive and is subject to change.

  • Office 365
  • Azure Analysis Services
  • Azure DevOps
  • Azure SQL Database and Data Warehouse
  • Dynamics CRM Online
  • Microsoft Application Insights Analytics
  • Azure Management
  • Azure Subscription Management
  • Microsoft Cloud App Security
  • Microsoft Commerce Tools Access Control Portal
  • Microsoft Commerce Tools Authentication Service
  • Microsoft Flow
  • Microsoft Forms
  • Microsoft Intune
  • Microsoft Intune Enrollment
  • Microsoft Planner
  • Microsoft PowerApps
  • Microsoft Search in Bing
  • Microsoft StaffHub
  • Microsoft Stream
  • Microsoft Teams
  • Exchange Online
  • SharePoint
  • Yammer
  • Office Delve
  • Office Sway
  • Outlook Groups
  • Power BI Service
  • Project Online
  • Skype for Business Online
  • Virtual Private Network (VPN)
  • Windows Defender ATP

Office 365

Microsoft 365 provides cloud-based productivity and collaboration services such as Exchange, SharePoint, and Microsoft Teams. Microsoft 365 cloud services are deeply integrated to ensure smooth and collaborative experiences. This integration can cause confusion when creating policies, because some apps, such as Microsoft Teams, have dependencies on others, such as SharePoint or Exchange.

The Office 365 app makes it possible to target all of these services at once. We recommend using the new Office 365 app instead of targeting individual cloud apps, to avoid issues with service dependencies. Targeting this group of applications helps to avoid issues that may arise from inconsistent policies and dependencies.

If they wish, administrators can exclude specific apps from a policy by including the Office 365 app and excluding the specific apps of their choice in that policy.

Key applications that are included in the Office 365 client app:

  • Microsoft Flow
  • Microsoft Forms
  • Microsoft Stream
  • Microsoft To-Do
  • Microsoft Teams
  • Exchange Online
  • SharePoint Online
  • Microsoft 365 Search Service
  • Yammer
  • Office Delve
  • Office Online
  • Office.com
  • OneDrive
  • PowerApps
  • Skype for Business Online
  • Sway

Azure Management

The Azure Management application includes multiple underlying services.

  • Azure portal
  • Azure Resource Manager provider
  • Classic deployment model APIs
  • Azure PowerShell
  • Azure CLI
  • Visual Studio subscriptions administrator portal
  • Azure DevOps
  • Azure Data Factory portal

Note

The Azure Management application applies to Azure PowerShell, which calls the Azure Resource Manager API. It does not apply to Azure AD PowerShell, which calls Microsoft Graph.

Other applications

In addition to the Microsoft apps, administrators can add any Azure AD registered application to Conditional Access policies. These applications may include:

Note

Because a Conditional Access policy sets the requirements for accessing a service, you cannot apply it to a client (public/native) application. In other words, the policy is not set directly on a client (public/native) application; it is applied when a client calls a service. For example, a policy set on the SharePoint service applies to the clients calling SharePoint, and a policy set on Exchange applies to an attempt to access email using the Outlook client. That is why client (public/native) applications are not available for selection in the Cloud apps picker, and why the Conditional Access option is not available in the application settings of a client (public/native) application registered in your tenant.

User actions

User actions are tasks that can be performed by a user. Currently, Conditional Access supports two user actions:

  • Register security information: This user action allows a Conditional Access policy to be enforced when users who are enabled for combined registration attempt to register their security information.

  • Register or join devices (preview): This user action enables administrators to enforce a Conditional Access policy when users register or join devices to Azure AD. There are two key considerations with this user action:

    • Require multi-factor authentication is the only access control available with this user action; all others are disabled. This restriction prevents conflicts with access controls that either depend on Azure AD device registration or do not apply to it.
    • When a Conditional Access policy is enabled with this user action, you must set Azure Active Directory > Devices > Device Settings - Devices to be Azure AD joined or Azure AD registered require Multi-Factor Authentication to No. Otherwise, a Conditional Access policy with this user action is not properly enforced. More information regarding this device setting can be found in Configure device settings. This user action provides the flexibility to require multi-factor authentication for registering or joining devices for specific users, groups, or conditions, instead of having a tenant-wide policy in Device settings.
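The following is an added example, not code from the original page or from Microsoft: it builds policies in the Microsoft Graph conditionalAccessPolicy JSON shape for the two patterns described above (targeting the Office 365 app group with exclusions, and the Register or join devices user action) and lints them against the two rules the page states. The application id "Office365" and the user-action URNs are the Graph identifiers as I know them; treat them as assumptions, and exclusion ids must be your tenant's own app ids.

```python
# Graph identifiers assumed here, not taken from the page.
OFFICE365_APP = "Office365"
REGISTER_SECURITY_INFO = "urn:user:registersecurityinfo"
REGISTER_DEVICE = "urn:user:registerdevice"


def office365_mfa_policy(exclude_apps=()):
    """Target the Office 365 app group as a whole, excluding child apps by app id."""
    return {
        "displayName": "Require MFA for Office 365",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {
                "includeApplications": [OFFICE365_APP],
                "excludeApplications": list(exclude_apps),
            },
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def user_action_mfa_policy(action, extra_controls=()):
    """Policy scoped to a user action (e.g. device registration) instead of a cloud app."""
    return {
        "displayName": f"Require MFA for {action}",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeUserActions": [action]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", *extra_controls]},
    }


def lint_policy(policy):
    """Return findings for the two rules the page states; [] means the policy is consistent."""
    findings = []
    apps = policy["conditions"].get("applications", {})
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    # Rule 1: for Register or join devices, MFA is the only control that is not disabled.
    if REGISTER_DEVICE in apps.get("includeUserActions", []) and (
        controls != ["mfa"] or policy.get("sessionControls")
    ):
        findings.append("register/join devices: 'mfa' is the only control allowed")
    # Rule 2: exclusions are meant to be carved out of the Office 365 app group.
    if apps.get("excludeApplications") and OFFICE365_APP not in apps.get("includeApplications", []):
        findings.append("app exclusions should be carved out of the Office 365 app, not of individual apps")
    return findings
```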

Next steps