Conditional Access: Cloud apps or actions

Cloud apps or actions are a key signal in a Conditional Access policy. Conditional Access policies allow administrators to assign controls to specific applications or actions.

  • Administrators can choose from the list of applications that include built-in Microsoft applications and any Azure AD integrated applications.
  • Administrators may choose to define policy not based on a cloud application but on a user action. The only supported action is Register security information (preview), allowing Conditional Access to enforce controls around the combined security information registration experience.

Define a Conditional Access policy and specify cloud apps

Azure cloud applications

Many of the existing Azure cloud applications are included in the list of applications you can select from.

Administrators can assign a Conditional Access policy to the following cloud apps from Microsoft. Some apps like the Office 365 (preview) and Azure Management include multiple related child apps or services. The following list is not exhaustive and is subject to change.

  • Office 365 (preview)
  • Azure Analysis Services
  • Azure DevOps
  • Azure SQL Database and Data Warehouse
  • Dynamics CRM Online
  • Microsoft Application Insights Analytics
  • Azure Management
  • Azure Subscription Management
  • Microsoft Cloud App Security
  • Microsoft Commerce Tools Access Control Portal
  • Microsoft Commerce Tools Authentication Service
  • Microsoft Flow
  • Microsoft Forms
  • Microsoft Intune
  • Microsoft Intune Enrollment
  • Microsoft Planner
  • Microsoft PowerApps
  • Microsoft Search in Bing
  • Microsoft StaffHub
  • Microsoft Stream
  • Microsoft Teams
  • Office 365 Exchange Online
  • Office 365 SharePoint Online
  • Office 365 Yammer
  • Office Delve
  • Office Sway
  • Outlook Groups
  • Power BI Service
  • Project Online
  • Skype for Business Online
  • Virtual Private Network (VPN)
  • Windows Defender ATP

Office 365 (preview)

Office 365 provides cloud-based productivity and collaboration services like Exchange, SharePoint, and Microsoft Teams. Office 365 cloud services are deeply integrated to ensure smooth and collaborative experiences. This integration can cause confusion when creating policies as some apps such as Microsoft Teams have dependencies on others such as SharePoint or Exchange.

The Office 365 (preview) app makes it possible to target these services all at once. We recommend using the new Office 365 (preview) app, instead of targeting individual cloud apps, to avoid issues with service dependencies. Targeting this group of applications helps to avoid issues that may arise due to inconsistent policies and dependencies.

Administrators can choose to exclude specific apps from policy if they wish by including the Office 365 (preview) app and excluding the specific apps of their choice in policy.
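The following added example (not part of the original page or of any Microsoft tooling) reviews exported policies for the targeting problem described above: a policy that covers only some interdependent Office 365 services, or that carves a service out of the Office 365 group. It assumes policies in the Microsoft Graph conditionalAccessPolicy JSON shape, the Graph identifiers `Office365` and `urn:user:registersecurityinfo`, and the well-known app IDs of Exchange Online, SharePoint Online and Teams; the function names and sample policies are constructed for illustration.

```python
# Added example: review the app targeting of Conditional Access policies.
# Assumption: policies use the Microsoft Graph conditionalAccessPolicy JSON shape.
O365_GROUP = "Office365"  # Graph identifier for the Office 365 app group

# App IDs of three Office 365 services that depend on one another.
O365_SERVICES = {
    "00000002-0000-0ff1-ce00-000000000000": "Office 365 Exchange Online",
    "00000003-0000-0ff1-ce00-000000000000": "Office 365 SharePoint Online",
    "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe": "Microsoft Teams",
}

def _names(app_ids):
    return sorted(O365_SERVICES[i] for i in app_ids)

def review_targeting(policy):
    """Return findings about how one policy targets Office 365 (hypothetical helper)."""
    apps = policy.get("conditions", {}).get("applications", {})
    included = set(apps.get("includeApplications") or [])
    excluded = set(apps.get("excludeApplications") or [])
    if apps.get("includeUserActions"):
        return []  # scoped to a user action, not to cloud apps
    if O365_GROUP in included or "All" in included:
        carved_out = excluded & O365_SERVICES.keys()
        # Group targeting is the recommended form; report exclusions for review.
        return [("excluded-service", _names(carved_out))] if carved_out else []
    targeted = included & O365_SERVICES.keys()
    untargeted = O365_SERVICES.keys() - included
    if targeted and untargeted:
        # Some interdependent services are covered and others are not.
        return [("partial-office365-coverage", _names(untargeted))]
    return []

# Constructed sample policies (not from a real tenant).
SAMPLE_POLICIES = [
    {"displayName": "MFA for Teams only", "conditions": {"applications": {
        "includeApplications": ["cc15fd57-2c6c-4117-a88c-83b1d56b4bbe"]}}},
    {"displayName": "MFA for Office 365 except SharePoint", "conditions": {"applications": {
        "includeApplications": ["Office365"],
        "excludeApplications": ["00000003-0000-0ff1-ce00-000000000000"]}}},
    {"displayName": "Trusted location for registration", "conditions": {"applications": {
        "includeUserActions": ["urn:user:registersecurityinfo"]}}},
]

def review_all(policies):
    return {p["displayName"]: review_targeting(p) for p in policies}

if __name__ == "__main__":
    for name, findings in review_all(SAMPLE_POLICIES).items():
        print(name, "->", findings or "ok")
```
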

Key applications that are included in the Office 365 (preview) client app:

  • Microsoft Flow
  • Microsoft Forms
  • Microsoft Stream
  • Microsoft To-Do
  • Microsoft Teams
  • Office 365 Exchange Online
  • Office 365 SharePoint Online
  • Office 365 Search Service
  • Office 365 Yammer
  • Office Delve
  • Office Online
  • Office.com
  • OneDrive
  • PowerApps
  • Skype for Business Online
  • Sway

Azure Management

The Azure Management application includes multiple underlying services.

  • Azure portal
  • Azure Resource Manager provider
  • Classic deployment model APIs
  • Azure PowerShell
  • Visual Studio subscriptions administrator portal
  • Azure DevOps
  • Azure Data Factory portal

Note

The Azure Management application applies to Azure PowerShell, which calls the Azure Resource Manager API. It does not apply to Azure AD PowerShell, which calls Microsoft Graph.

Other applications

In addition to the Microsoft apps, administrators can add any Azure AD registered application to Conditional Access policies.

Note

Since Conditional Access policy sets the requirements for accessing a service, you are not able to apply it to a client (public/native) application. In other words, the policy is not set directly on a client (public/native) application, but is applied when a client calls a service. For example, a policy set on the SharePoint service applies to the clients calling SharePoint. A policy set on Exchange applies to attempts to access email using the Outlook client. That is why client (public/native) applications are not available for selection in the Cloud Apps picker, and the Conditional Access option is not available in the application settings for a client (public/native) application registered in your tenant.

User actions

User actions are tasks that can be performed by a user. The only currently supported action is Register security information, which allows a Conditional Access policy to be enforced when users who are enabled for combined registration attempt to register their security information.
