Conditional Access: Conditions

Within a Conditional Access policy, an administrator can make use of signals from conditions like risk, device platform, or location to enhance their policy decisions.

Define a Conditional Access policy and specify conditions

Multiple conditions can be combined to create fine-grained and specific Conditional Access policies.

For example, when accessing a sensitive application, an administrator may factor sign-in risk information from location into their access decision, in addition to other controls like multi-factor authentication.

Device platforms

The device platform is characterized by the operating system that runs on a device. Azure AD identifies the platform by using information provided by the device, such as user agent strings. Since user agent strings can be modified, this information is unverified. Device platform should be used in concert with Microsoft Intune device compliance policies or as part of a block statement. The default is to apply to all device platforms.

Azure AD Conditional Access supports the following device platforms:

  • Android
  • iOS
  • Windows Phone
  • Windows
  • macOS

If you block legacy authentication using the Other clients condition, you can also set the device platform condition.

Locations

When configuring location as a condition, organizations can choose to include or exclude locations. These named locations may include the public IPv4 network information, country or region, or even unknown areas that don't map to specific countries or regions. Only IP ranges can be marked as a trusted location.

When including any location, this option includes any IP address on the internet, not just configured named locations. When selecting any location, administrators can choose to exclude all trusted or selected locations.

For example, some organizations may choose to not require multi-factor authentication when their users are connected to the network in a trusted location such as their physical headquarters. Administrators could create a policy that includes any location but excludes the selected locations for their headquarters networks.

More information about locations can be found in the article, What is the location condition in Azure Active Directory Conditional Access.

Client apps

By default, all newly created Conditional Access policies will apply to all client app types even if the client apps condition is not configured.

Note

The behavior of the client apps condition was updated in August 2020. If you have existing Conditional Access policies, they will remain unchanged. However, if you click on an existing policy, the configure toggle has been removed and the client apps the policy applies to are selected.

Important

Sign-ins from legacy authentication clients don't support MFA and don't pass device state information to Azure AD, so they will be blocked by Conditional Access grant controls, like requiring MFA or compliant devices. If you have accounts which must use legacy authentication, you must either exclude those accounts from the policy, or configure the policy to only apply to modern authentication clients.

The Configure toggle, when set to Yes, applies to checked items; when set to No, it applies to all client apps, including modern and legacy authentication clients. This toggle does not appear in policies created before August 2020.

  • Modern authentication clients
    • Browser
      • These include web-based applications that use protocols like SAML, WS-Federation, OpenID Connect, or services registered as an OAuth confidential client.
    • Mobile apps and desktop clients
      • This option includes applications like the Office desktop and phone applications.
  • Legacy authentication clients
    • Exchange ActiveSync clients
      • This includes all use of the Exchange ActiveSync (EAS) protocol.
      • When policy blocks the use of Exchange ActiveSync, the affected user will receive a single quarantine email. This email will provide information on why they are blocked and include remediation instructions if able.
      • Administrators can apply policy only to supported platforms (such as iOS, Android, and Windows) through the Conditional Access MS Graph API.
    • Other clients
      • This option includes clients that use basic/legacy authentication protocols that do not support modern authentication.
        • Authenticated SMTP - Used by POP and IMAP clients to send email messages.
        • Autodiscover - Used by Outlook and EAS clients to find and connect to mailboxes in Exchange Online.
        • Exchange Online PowerShell - Used to connect to Exchange Online with remote PowerShell. If you block Basic authentication for Exchange Online PowerShell, you need to use the Exchange Online PowerShell Module to connect. For instructions, see Connect to Exchange Online PowerShell using multi-factor authentication.
        • Exchange Web Services (EWS) - A programming interface that's used by Outlook, Outlook for Mac, and third-party apps.
        • IMAP4 - Used by IMAP email clients.
        • MAPI over HTTP (MAPI/HTTP) - Used by Outlook 2010 and later.
        • Offline Address Book (OAB) - A copy of address list collections that are downloaded and used by Outlook.
        • Outlook Anywhere (RPC over HTTP) - Used by Outlook 2016 and earlier.
        • Outlook Service - Used by the Mail and Calendar app for Windows 10.
        • POP3 - Used by POP email clients.
        • Reporting Web Services - Used to retrieve report data in Exchange Online.

These conditions are commonly used when requiring a managed device, blocking legacy authentication, and blocking web applications but allowing mobile or desktop apps.

Supported browsers

This setting works with all browsers. However, to satisfy a device policy, like a compliant device requirement, the following operating systems and browsers are supported:

OS | Browsers
Windows 10 | Microsoft Edge, Internet Explorer, Chrome
Windows 8 / 8.1 | Internet Explorer, Chrome
Windows 7 | Internet Explorer, Chrome
iOS | Microsoft Edge, Intune Managed Browser, Safari
Android | Microsoft Edge, Intune Managed Browser, Chrome
Windows Phone | Microsoft Edge, Internet Explorer
Windows Server 2019 | Microsoft Edge, Internet Explorer, Chrome
Windows Server 2016 | Internet Explorer
Windows Server 2012 R2 | Internet Explorer
Windows Server 2008 R2 | Internet Explorer

Why do I see a certificate prompt in the browser

On Windows 7, iOS, Android, and macOS, Azure AD identifies the device using a client certificate that is provisioned when the device is registered with Azure AD. When a user first signs in through the browser, the user is prompted to select the certificate. The user must select this certificate before using the browser.

Chrome support

For Chrome support in Windows 10 Creators Update (version 1703) or later, install the Windows 10 Accounts extension. This extension is required when a Conditional Access policy requires device-specific details.

To automatically deploy this extension to Chrome browsers, create the following registry key:

  • Path HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallForcelist
  • Name 1
  • Type REG_SZ (String)
  • Data ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx

For Chrome support in Windows 8.1 and 7, create the following registry key:

  • Path HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls
  • Name 1
  • Type REG_SZ (String)
  • Data {"pattern":"https://device.login.partner.microsoftonline.cn","filter":{"ISSUER":{"CN":"MS-Organization-Access"}}}

These browsers support device authentication, allowing the device to be identified and validated against a policy. The device check fails if the browser is running in private mode.
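The two registry values above, set from an elevated PowerShell session, as an added example that is not part of the original article. It writes only the value that applies to the local Windows version (the force-install list on Windows 10 and later, the certificate auto-select rule on Windows 8.1 and 7), using the extension ID, update URL and certificate filter exactly as the article lists them; the function name Set-ChromePolicyValue is this example's own.

```powershell
# Added example (not from the original article). Run elevated.
# Writes the Chrome policy values the article describes for device
# authentication and reads them back so the result can be checked.

$forceListPath  = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
$autoSelectPath = 'HKLM:\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls'

# Values taken verbatim from the article.
$accountsExtension = 'ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx'
$certAutoSelect    = '{"pattern":"https://device.login.partner.microsoftonline.cn","filter":{"ISSUER":{"CN":"MS-Organization-Access"}}}'

function Set-ChromePolicyValue {
    # Hypothetical helper: creates the policy key if missing and writes a REG_SZ value.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Data
    )
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # PropertyType 'String' is REG_SZ.
    New-ItemProperty -Path $Path -Name $Name -Value $Data -PropertyType String -Force | Out-Null
    # Return what is now stored so the caller can verify it.
    (Get-ItemProperty -Path $Path -Name $Name).$Name
}

$osVersion = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version

if ($osVersion.Major -ge 10) {
    # Windows 10 (1703 or later): force-install the Windows 10 Accounts extension.
    $written = Set-ChromePolicyValue -Path $forceListPath -Name '1' -Data $accountsExtension
} else {
    # Windows 8.1 / 7: let Chrome pick the device certificate issued by
    # MS-Organization-Access without prompting the user.
    $written = Set-ChromePolicyValue -Path $autoSelectPath -Name '1' -Data $certAutoSelect
}

Write-Host "Windows $osVersion - value written:"
Write-Host $written
```

Because Chrome reads these values only when they are set by policy, deploying them through Group Policy Preferences or Intune rather than a one-off script is the usual choice; the script is useful for a single machine or for confirming what a management tool has written.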

Supported mobile applications and desktop clients

Organizations can select Mobile apps and desktop clients as a client app.

This setting has an impact on access attempts made from the following mobile apps and desktop clients:

Client apps | Target service | Platform
Dynamics CRM app | Dynamics CRM | Windows 10, Windows 8.1, iOS, and Android
Mail/Calendar/People app, Outlook 2016, Outlook 2013 (with modern authentication) | Office 365 Exchange Online | Windows 10
MFA and location policy for apps. Device-based policies are not supported. | Any My Apps app service | Android and iOS
Microsoft Teams Services (this controls all services that support Microsoft Teams and all its client apps: Windows desktop, iOS, Android, WP, and web client) | Microsoft Teams | Windows 10, Windows 8.1, Windows 7, iOS, Android, and macOS
Office 2016 apps, Office 2013 (with modern authentication), OneDrive sync client | Office 365 SharePoint Online | Windows 8.1, Windows 7
Office 2016 apps, Universal Office apps, Office 2013 (with modern authentication), OneDrive sync client | Office 365 SharePoint Online | Windows 10
Office 2016 (Word, Excel, PowerPoint, OneNote only) | Office 365 SharePoint Online | macOS
Office 2019 | Office 365 SharePoint Online | Windows 10, macOS
Office mobile apps | Office 365 SharePoint Online | Android, iOS
Office Yammer app | Office 365 Yammer | Windows 10, iOS, Android
Outlook 2019 | Office 365 SharePoint Online | Windows 10, macOS
Outlook 2016 (Office for macOS) | Office 365 Exchange Online | macOS
Outlook 2016, Outlook 2013 (with modern authentication), Skype for Business (with modern authentication) | Office 365 Exchange Online | Windows 8.1, Windows 7
Outlook mobile app | Office 365 Exchange Online | Android, iOS
Power BI app | Power BI service | Windows 10, Windows 8.1, Windows 7, Android, and iOS
Skype for Business | Office 365 Exchange Online | Android, iOS
Visual Studio Team Services app | Visual Studio Team Services | Windows 10, Windows 8.1, Windows 7, iOS, and Android

Exchange ActiveSync clients

  • Organizations can only select Exchange ActiveSync clients when assigning policy to users or groups. Selecting All users, All guest and external users, or Directory roles will cause all users to become blocked.
  • When creating a policy assigned to Exchange ActiveSync clients, Office 365 Exchange Online should be the only cloud application assigned to the policy.
  • Organizations can narrow the scope of this policy to specific platforms using the Device platforms condition.

If the access control assigned to the policy uses Require approved client app, the user is directed to install and use the Outlook mobile client. In the case that multi-factor authentication is required, affected users are blocked, because basic authentication does not support multi-factor authentication.

For more information, see the following articles:

Other clients

By selecting Other clients, you can specify a condition that affects apps that use basic authentication with mail protocols like IMAP, MAPI, POP, SMTP, and older Office apps that don't use modern authentication.

Device state (preview)

The device state condition can be used to exclude devices that are hybrid Azure AD joined and/or devices marked as compliant with a Microsoft Intune compliance policy from an organization's Conditional Access policies.

For example: All users accessing the Azure Management cloud app, including All device state, excluding Device Hybrid Azure AD joined and Device marked as compliant, and for Access controls, Block.

  • This example would create a policy that only allows access to Azure Management from devices that are hybrid Azure AD joined and/or devices marked as compliant.
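The three policies this article walks through in prose (MFA outside trusted locations from the Locations section, the platform-scoped Exchange ActiveSync policy from the Exchange ActiveSync clients section, and the device state example just above) expressed as Conditional Access policy objects and created through the Microsoft Graph API with the Microsoft.Graph PowerShell SDK. This is an added example, not code from the article or from Microsoft. It assumes Connect-MgGraph has already been run with the Policy.ReadWrite.ConditionalAccess scope, that the $graphBase endpoint matches your cloud (the beta endpoint is used because the device state condition is a preview feature, and its deviceStates values are taken from the beta schema), and that every angle-bracket value is a placeholder you replace with an object ID from your own tenant. The helper name New-CaPolicy is this example's own.

```powershell
# Added example (not from the original article). Requires the Microsoft.Graph
# PowerShell SDK and a prior Connect-MgGraph -Scopes Policy.ReadWrite.ConditionalAccess.

$graphBase  = 'https://graph.microsoft.com/beta'        # assumption: adjust for your cloud
$breakGlass = '<emergency-access-account-object-id>'    # placeholder: excluded from every policy

function New-CaPolicy {
    # Hypothetical helper: submits a policy in report-only mode and returns the created object.
    param([Parameter(Mandatory)] [hashtable] $Policy)
    # Report-only surfaces the policy's verdict in the sign-in logs without
    # enforcing it, so the blast radius can be reviewed before state = 'enabled'.
    $Policy['state'] = 'enabledForReportingButNotEnabled'
    Invoke-MgGraphRequest -Method POST -Uri "$graphBase/identity/conditionalAccess/policies" `
        -Body ($Policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'
}

# 1. Locations section: any location is in scope, all trusted named locations
#    (the headquarters networks) are excluded, and MFA is required elsewhere.
#    'All' and 'AllTrusted' are the Graph keywords for those two choices.
New-CaPolicy -Policy @{
    displayName   = 'Require MFA outside trusted locations'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')   # modern auth clients only
        locations      = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# 2. Exchange ActiveSync section: targets a group (never All users, which the
#    article says blocks everyone), Exchange Online as the only cloud app, and
#    only the supported platforms. Require approved client app steers users to
#    the Outlook mobile client instead of the native EAS mail app.
New-CaPolicy -Policy @{
    displayName   = 'EAS clients: require approved client app'
    conditions    = @{
        users          = @{ includeUsers = @('<pilot-group-object-id>'); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @('<office-365-exchange-online-app-id>') }
        clientAppTypes = @('exchangeActiveSync')
        platforms      = @{ includePlatforms = @('iOS', 'android', 'windows') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('approvedApplication') }
}

# 3. Device state section: all device states are in scope, hybrid Azure AD
#    joined ('DomainJoined') and Intune-compliant ('Compliant') devices are
#    excluded, and everything that remains is blocked from Azure Management.
New-CaPolicy -Policy @{
    displayName   = 'Block Azure Management from unmanaged devices'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @('<azure-management-app-id>') }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
        deviceStates   = @{ includeStates = @('All'); excludeStates = @('DomainJoined', 'Compliant') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
```

Two design points carry over from the article's own warnings: legacy authentication clients cannot satisfy MFA or report device state, so policy 1 is limited to the modern client app types and legacy protocols are handled separately with the Other clients condition, and the emergency-access account is excluded from all three so a mistake in a block policy cannot lock administrators out.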

Next steps