Conditional Access: Grant

Within a Conditional Access policy, an administrator can make use of access controls to either grant or block access to resources.

Figure: Conditional Access policy with a grant control requiring multi-factor authentication

Block access

Block takes into account any assignments and prevents access based on the Conditional Access policy configuration.

Block is a powerful control that should be wielded with appropriate knowledge. Policies with block statements can have unintended side effects. Proper testing and validation are vital before enabling at scale. Administrators should utilize tools such as the What If tool in Conditional Access when making changes.

Grant access

Administrators can choose to enforce one or more controls when granting access. These controls include the following options:

When administrators choose to combine these options, they can choose the following methods:

  • Require all the selected controls (control AND control)
  • Require one of the selected controls (control OR control)

By default, Conditional Access requires all selected controls.

Require multi-factor authentication

Selecting this checkbox will require users to perform Azure AD Multi-Factor Authentication. More information about deploying Azure AD Multi-Factor Authentication can be found in the article Planning a cloud-based Azure AD Multi-Factor Authentication deployment.

Require device to be marked as compliant

Organizations that have deployed Microsoft Intune can use the information returned from their devices to identify devices that meet specific compliance requirements. This policy compliance information is forwarded from Intune to Azure AD, where Conditional Access can make decisions to grant or block access to resources. For more information about compliance policies, see the article Set rules on devices to allow access to resources in your organization using Intune.

A device can be marked as compliant by Intune (for any device OS) or by a third-party MDM system for Windows 10 devices. Jamf Pro is the only supported third-party MDM system. More information about integration can be found in the article Integrate Jamf Pro with Intune for compliance.

Devices must be registered in Azure AD before they can be marked as compliant. More information about device registration can be found in the article What is a device identity.

Require hybrid Azure AD joined device

Organizations can choose to use the device identity as part of their Conditional Access policy. Organizations can require that devices are hybrid Azure AD joined using this checkbox. For more information about device identities, see the article What is a device identity?.

When using the device-code OAuth flow, neither the require managed device grant control nor a device state condition is supported. This is because the device performing authentication cannot provide its device state to the device that received the code, and the device state in the token is locked to the device performing authentication. Use the require multi-factor authentication grant control instead.

Require approved client app

Organizations can require that an access attempt to the selected cloud apps be made from an approved client app. These approved client apps support Intune app protection policies independent of any mobile-device management (MDM) solution.

In order to use this grant control, Conditional Access requires that the device be registered in Azure Active Directory, which requires the use of a broker app. The broker app can be the Microsoft Authenticator for iOS, or either the Microsoft Authenticator or the Microsoft Company Portal for Android devices. If a broker app is not installed on the device when the user attempts to authenticate, the user is redirected to the appropriate app store to install the required broker app.

This setting applies to the following iOS and Android apps:

  • Azure Information Protection
  • Microsoft Bookings
  • Microsoft Cortana
  • Microsoft Dynamics 365
  • Microsoft Edge
  • Microsoft Excel
  • Microsoft Power Automate
  • Microsoft Invoicing
  • Microsoft Kaizala
  • Microsoft Launcher
  • Microsoft Office
  • Microsoft OneDrive
  • Microsoft OneNote
  • Microsoft Outlook
  • Microsoft Planner
  • Microsoft PowerApps
  • Power BI
  • Microsoft PowerPoint
  • Microsoft SharePoint
  • Microsoft Skype for Business
  • Microsoft StaffHub
  • Microsoft Stream
  • Microsoft Teams
  • Microsoft To-Do
  • Microsoft Visio
  • Microsoft Word
  • Microsoft Yammer
  • Microsoft Whiteboard
  • Microsoft 365 Admin

Remarks

  • The approved client apps support the Intune mobile application management feature.
  • The Require approved client app requirement:
    • Only supports iOS and Android as the device platform condition.
    • Requires a broker app to register the device. The broker app can be the Microsoft Authenticator for iOS, or either the Microsoft Authenticator or the Microsoft Company Portal for Android devices.
  • Conditional Access cannot consider Microsoft Edge in InPrivate mode an approved client app.

See the article How to: Require approved client apps for cloud app access with Conditional Access for configuration examples.

Require password change

When user risk is detected, using the user risk policy conditions, administrators can choose to have the user securely change the password using Azure AD self-service password reset. If user risk is detected, users can perform a self-service password reset to self-remediate; this closes the user risk event to prevent unnecessary noise for administrators.

When a user is prompted to change their password, they will first be required to complete multi-factor authentication. You'll want to make sure all of your users have registered for multi-factor authentication, so they are prepared in case risk is detected for their account.

Warning

Users must have previously registered for self-service password reset before triggering the user risk policy.

A couple of restrictions apply when you configure a policy using the password change control.

  1. The policy must be assigned to 'all cloud apps'. This prevents an attacker from using a different app to change the user's password and reset account risk, simply by signing into a different app.
  2. Require password change cannot be used with other controls, like requiring a compliant device.
  3. The password change control can only be used with the user and group assignment condition, the cloud app assignment condition (which must be set to all), and user risk conditions.
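The AND/OR combination semantics from the "Grant access" section, the device-code flow caveat under "Require hybrid Azure AD joined device", and the three password-change restrictions above can all be checked offline before a policy is pushed to a tenant. The following is an added example, not code from the original page or from Microsoft: it models a policy as a dictionary shaped like the Microsoft Graph conditionalAccessPolicy resource (grantControls.operator, grantControls.builtInControls, conditions.applications.includeApplications), which is an assumption of the example, evaluates a sign-in against the grant controls, and lints the password-change rules. The sample policies, the placeholder group id and the satisfied-control sets are constructed for illustration.

```python
"""Evaluate Conditional Access grant controls and lint password-change policies.

Added example (not Microsoft's code). The policy dictionaries follow the shape of
the Graph API conditionalAccessPolicy resource; that shape and the built-in
control names below are assumptions of this example.
"""

# Built-in grant control identifiers (assumed to match the Graph API names).
BLOCK = "block"
MFA = "mfa"
COMPLIANT_DEVICE = "compliantDevice"
HYBRID_JOINED = "domainJoinedDevice"
APPROVED_APP = "approvedApplication"
PASSWORD_CHANGE = "passwordChange"

# Controls that depend on device state. The device-code OAuth flow cannot
# satisfy them because the authenticating device cannot report the state of the
# device that received the code (see the hybrid Azure AD joined section).
DEVICE_STATE_CONTROLS = {COMPLIANT_DEVICE, HYBRID_JOINED, APPROVED_APP}

# Conditions the article allows alongside the password change control.
ALLOWED_WITH_PASSWORD_CHANGE = {"users", "applications", "userRiskLevels"}


def grant_decision(policy, satisfied, device_code_flow=False):
    """Return "grant" or "block" for a sign-in that satisfied the given controls.

    A block control wins unconditionally. Operator "AND" (the default) needs every
    selected control; "OR" needs at least one. Under the device-code flow the
    device-state controls are treated as unsatisfiable.
    """
    gc = policy["grantControls"]
    required = set(gc.get("builtInControls", []))
    if BLOCK in required:
        return "block"
    if not required:
        return "grant"  # constructed edge case: no controls selected
    effective = set(satisfied)
    if device_code_flow:
        effective -= DEVICE_STATE_CONTROLS
    operator = gc.get("operator", "AND").upper()
    if operator == "AND":
        ok = required <= effective
    elif operator == "OR":
        ok = bool(required & effective)
    else:
        raise ValueError(f"unknown grant operator {operator!r}")
    return "grant" if ok else "block"


def lint_password_change_policy(policy):
    """Return the list of violated password-change restrictions (empty if none).

    Restrictions checked, in the article's order: the policy must target all
    cloud apps, passwordChange cannot be combined with other controls, and only
    user/group, cloud app and user risk conditions may be used.
    """
    problems = []
    controls = set(policy["grantControls"].get("builtInControls", []))
    if PASSWORD_CHANGE not in controls:
        return problems  # the restrictions apply only when the control is selected
    conds = policy.get("conditions", {})
    apps = conds.get("applications", {}).get("includeApplications", [])
    if apps != ["All"]:
        problems.append("policy must be assigned to 'All' cloud apps")
    if controls != {PASSWORD_CHANGE}:
        problems.append("passwordChange cannot be combined with other grant controls")
    extra = {k for k, v in conds.items() if v and k not in ALLOWED_WITH_PASSWORD_CHANGE}
    if extra:
        problems.append(f"unsupported conditions with passwordChange: {sorted(extra)}")
    return problems


# Constructed sample policies.
MFA_AND_COMPLIANT = {
    "displayName": "Example: MFA AND compliant device",
    "conditions": {"users": {"includeUsers": ["All"]},
                   "applications": {"includeApplications": ["All"]}},
    "grantControls": {"operator": "AND", "builtInControls": [MFA, COMPLIANT_DEVICE]},
}
MFA_OR_COMPLIANT = dict(MFA_AND_COMPLIANT,
                        grantControls={"operator": "OR",
                                       "builtInControls": [MFA, COMPLIANT_DEVICE]})
RISKY_USER_PASSWORD_CHANGE = {
    "displayName": "Example: high user risk requires password change",
    "conditions": {"users": {"includeGroups": ["<group-id-placeholder>"]},
                   "applications": {"includeApplications": ["All"]},
                   "userRiskLevels": ["high"]},
    "grantControls": {"operator": "AND", "builtInControls": [PASSWORD_CHANGE]},
}
BAD_PASSWORD_CHANGE = {
    "displayName": "Example: violates all three restrictions",
    "conditions": {"users": {"includeUsers": ["All"]},
                   "applications": {"includeApplications": ["Office365"]},
                   "platforms": {"includePlatforms": ["iOS"]}},
    "grantControls": {"operator": "AND", "builtInControls": [PASSWORD_CHANGE, MFA]},
}

if __name__ == "__main__":
    print(grant_decision(MFA_AND_COMPLIANT, {MFA}))                       # block
    print(grant_decision(MFA_OR_COMPLIANT, {MFA}))                        # grant
    print(grant_decision(MFA_AND_COMPLIANT, {MFA, COMPLIANT_DEVICE}, True))  # block
    print(lint_password_change_policy(RISKY_USER_PASSWORD_CHANGE))        # []
    for p in lint_password_change_policy(BAD_PASSWORD_CHANGE):
        print("-", p)
```

The device-code case is the one worth keeping in mind when reading the evaluator: a sign-in that presents both MFA and a compliant device still fails an AND policy under that flow, because the compliance claim cannot be bound to the device that received the code, which is why the article recommends requiring multi-factor authentication instead.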

Terms of use

If your organization has created terms of use, additional options may be visible under grant controls. These options allow administrators to require acknowledgment of the terms of use as a condition of accessing the resources protected by the policy.

Next steps