Conditional Access: Grant

Within a Conditional Access policy, an administrator can make use of access controls to either grant or block access to resources.

Figure: Conditional Access policy with a grant control requiring multi-factor authentication

Block access

Block takes into account any assignments and prevents access based on the Conditional Access policy configuration.

Block is a powerful control that should be wielded with appropriate knowledge. Policies with block statements can have unintended side effects, up to locking the administrators who manage the tenant out of it. Proper testing and validation are vital before enabling at scale. Administrators should use tools such as the What If tool in Conditional Access when making changes.

Grant access

Administrators can choose to enforce one or more controls when granting access. These controls include the options described in the following sections.

When administrators combine several of these options, they can choose between the following methods:

  • Require all the selected controls (control AND control)
  • Require one of the selected controls (control OR control)

By default, Conditional Access requires all selected controls.
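The AND/OR combination rule above, as an added example that is not part of the original page and not Microsoft's implementation: a small Python evaluator over a policy's grantControls object in the Microsoft Graph conditionalAccessPolicy shape (operator, builtInControls, termsOfUse). The set of controls the sign-in has already satisfied is supplied by the caller, which is a simplifying assumption; in the real service that state comes from the authentication session. The sample grantControls values are constructed.

```python
"""Added example for this page (not Microsoft's implementation): how the
grant controls selected in a Conditional Access policy combine.

Field names follow the Microsoft Graph conditionalAccessPolicy.grantControls
object (operator, builtInControls, termsOfUse). Assumption: the set of
controls the sign-in has already satisfied is supplied by the caller; in the
real service that state comes from the authentication session.
"""


def evaluate_grant(grant_controls, satisfied):
    """Decide one policy's outcome for a sign-in.

    grant_controls: the policy's grantControls dict.
    satisfied: set of control ids the sign-in has met, e.g. {"mfa"};
               terms-of-use agreements are identified by their agreement id.
    Returns {"decision": "granted" | "denied" | "blocked", "unmet": [...]}.
    """
    built_in = list(grant_controls.get("builtInControls") or [])

    # Block is not combined with anything: it wins outright.
    if "block" in built_in:
        return {"decision": "blocked", "unmet": []}

    # Terms of use are grant controls too (see the "Terms of use" section).
    required = built_in + list(grant_controls.get("termsOfUse") or [])
    if not required:
        return {"decision": "granted", "unmet": []}

    # Default operator is AND: every selected control must be satisfied.
    operator = (grant_controls.get("operator") or "AND").upper()
    unmet = [c for c in required if c not in satisfied]
    if operator == "OR":
        ok = len(unmet) < len(required)   # at least one control met
    else:
        ok = not unmet                     # all controls met
    return {"decision": "granted" if ok else "denied",
            "unmet": [] if ok else unmet}


# Constructed sample grantControls objects for the two combination methods.
REQUIRE_ALL = {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]}
REQUIRE_ONE = {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}
BLOCK_ALL = {"operator": "OR", "builtInControls": ["block"]}

if __name__ == "__main__":
    # A sign-in that completed MFA from a device that is not compliant.
    for name, gc in (("AND", REQUIRE_ALL), ("OR", REQUIRE_ONE), ("block", BLOCK_ALL)):
        print(name, evaluate_grant(gc, {"mfa"}))
```

With MFA satisfied but no compliant device, the AND policy denies and names compliantDevice as the unmet control, the OR policy grants, and the block policy blocks regardless of what was satisfied. A grantControls object with no operator behaves as AND, matching the default stated above.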

Require multi-factor authentication

Selecting this checkbox requires users to perform Azure Multi-Factor Authentication. More information about deploying Azure Multi-Factor Authentication can be found in the article Planning a cloud-based Azure Multi-Factor Authentication deployment.

Require approved client app

Organizations can require that an access attempt to the selected cloud apps is made from an approved client app. These approved client apps support Intune app protection policies independent of any mobile-device management (MDM) solution.

In order to use this grant control, Conditional Access requires that the device be registered in Azure Active Directory, which in turn requires a broker app. The broker app is Microsoft Authenticator on iOS and the Intune Company Portal on Android. If the broker app is not installed on the device when the user attempts to authenticate, the user is redirected to the app store to install it.

This setting applies to the following iOS and Android apps:

  • Azure Information Protection
  • Microsoft Bookings
  • Microsoft Cortana
  • Microsoft Dynamics 365
  • Microsoft Edge
  • Microsoft Excel
  • Microsoft Power Automate
  • Microsoft Invoicing
  • Microsoft Kaizala
  • Microsoft Launcher
  • Microsoft Office
  • Microsoft OneDrive
  • Microsoft OneNote
  • Microsoft Outlook
  • Microsoft Planner
  • Microsoft PowerApps
  • Power BI
  • Microsoft PowerPoint
  • Microsoft SharePoint
  • Microsoft Skype for Business
  • Microsoft StaffHub
  • Microsoft Stream
  • Microsoft Teams
  • Microsoft To-Do
  • Microsoft Visio
  • Microsoft Word
  • Microsoft Yammer
  • Microsoft Whiteboard

Remarks

  • The approved client apps support the Intune mobile application management feature.
  • The Require approved client app requirement:
    • Only supports iOS and Android for the device platform condition.
    • Requires a broker app to register the device. On iOS the broker app is Microsoft Authenticator; on Android it is the Intune Company Portal app.
  • Conditional Access cannot consider Microsoft Edge in InPrivate mode an approved client app.

See the article How to: Require approved client apps for cloud app access with Conditional Access for configuration examples.

Require password change

When user risk is detected, using the user risk policy conditions, administrators can choose to have the user securely change their password using Azure AD self-service password reset. Users who perform the self-service password reset self-remediate, which closes the user risk event and avoids unnecessary noise for administrators.

When a user is prompted to change their password, they first have to complete multi-factor authentication. Make sure all of your users have registered for multi-factor authentication so they are prepared in case risk is detected for their account.

Warning

Users must have previously registered for self-service password reset before triggering the user risk policy.

A few restrictions apply when you configure a policy using the password change control:

  1. The policy must be assigned to 'all cloud apps'. This prevents an attacker from resetting the account's risk by signing in to an app the policy does not cover and changing the user's password there.
  2. Require password change cannot be used with other controls, like requiring a compliant device.
  3. The password change control can only be used with the user and group assignment condition, the cloud app assignment condition (which must be set to all), and the user risk condition.
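As an added check that is not part of the original page and not Microsoft's tooling: a Python linter that flags a policy violating the three restrictions above, using the Microsoft Graph conditionalAccessPolicy field names (conditions.applications.includeApplications, conditions.userRiskLevels, grantControls.builtInControls and related fields). It treats a clientAppTypes value of ["all"] as "no client-app condition", which is an assumption; the two sample policies are constructed and their group and app ids are placeholders.

```python
"""Added check for this page (not Microsoft's tooling): lint a Conditional
Access policy that selects "Require password change" against the three
restrictions listed above.

The policy is a dict in the Microsoft Graph conditionalAccessPolicy shape
(conditions.applications.includeApplications, conditions.userRiskLevels,
grantControls.builtInControls, ...). Assumption: clientAppTypes == ["all"]
is treated as "no client-app condition set".
"""

PASSWORD_CHANGE = "passwordChange"

# Condition types the page says cannot accompany the password change control.
DISALLOWED_CONDITIONS = ("signInRiskLevels", "platforms", "locations", "devices")


def password_change_policy_issues(policy):
    """Return a list of violations; an empty list means the policy passes."""
    grant = policy.get("grantControls") or {}
    conditions = policy.get("conditions") or {}
    controls = list(grant.get("builtInControls") or [])
    if PASSWORD_CHANGE not in controls:
        return []  # restrictions apply only when the control is selected

    issues = []

    # 1. All cloud apps: an uncovered app would let an attacker change the
    #    password there and clear the user's risk without this policy applying.
    apps = conditions.get("applications") or {}
    if list(apps.get("includeApplications") or []) != ["All"]:
        issues.append("cloud apps must be set to All (includeApplications == ['All'])")

    # 2. No other grant controls: built-in, terms of use or custom.
    others = [c for c in controls if c != PASSWORD_CHANGE]
    others += list(grant.get("termsOfUse") or [])
    others += list(grant.get("customAuthenticationFactors") or [])
    if others:
        issues.append(f"passwordChange cannot be combined with other grant controls: {others}")

    # 3. User risk condition required; no other condition types allowed.
    if not conditions.get("userRiskLevels"):
        issues.append("a user risk condition (userRiskLevels) is required")
    for name in DISALLOWED_CONDITIONS:
        if conditions.get(name):
            issues.append(f"condition '{name}' is not supported with passwordChange")
    client_apps = list(conditions.get("clientAppTypes") or [])
    if client_apps and client_apps != ["all"]:
        issues.append("clientAppTypes condition is not supported with passwordChange")

    return issues


# Constructed sample policies; group and app ids are placeholders.
GOOD_POLICY = {
    "displayName": "High user risk: require password change",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": ["<break-glass-group-id>"]},
        "applications": {"includeApplications": ["All"]},
        "userRiskLevels": ["high"],
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "AND", "builtInControls": [PASSWORD_CHANGE]},
}

BAD_POLICY = {
    "displayName": "Misconfigured password change policy",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["<single-app-id>"]},  # not All
        "signInRiskLevels": ["high"],  # wrong risk condition; userRiskLevels missing
    },
    "grantControls": {"operator": "AND", "builtInControls": ["mfa", PASSWORD_CHANGE]},
}

if __name__ == "__main__":
    for p in (GOOD_POLICY, BAD_POLICY):
        print(p["displayName"], "->", password_change_policy_issues(p) or "OK")
```

Running the linter over a policy export before you enable it catches the scoping mistake that matters most here: a password change policy limited to one app leaves every other app as a path for clearing the user's risk.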

Terms of use

If your organization has created terms of use, additional options may be visible under grant controls. These options allow administrators to require acknowledgment of the terms of use as a condition of accessing the resources protected by the policy.

Next steps