Building a Conditional Access policy

As explained in the article What is Conditional Access, a Conditional Access policy is an if-then statement of Assignments and Access controls. A Conditional Access policy brings signals together to make decisions and enforce organizational policies.

How does an organization create these policies? What is required? How are they applied?

Figure: Conditional Access (Signals + Decisions + Enforcement = Policies)

Multiple Conditional Access policies may apply to an individual user at any time. In this case, all policies that apply must be satisfied. For example, if one policy requires multi-factor authentication (MFA) and another requires a compliant device, you must complete MFA and use a compliant device. Within a single policy, all assignments are logically ANDed: if you have more than one assignment configured, all assignments must be satisfied for the policy to apply.

All policies are enforced in two phases:

  • Phase 1: Collect session details
    • Gather session details, like network location and device identity, that will be necessary for policy evaluation.
    • Phase 1 of policy evaluation occurs for enabled policies and for policies in report-only mode.
  • Phase 2: Enforcement
    • Use the session details gathered in phase 1 to identify any requirements that have not been met.
    • If a policy is configured to block access with the block grant control, enforcement stops here and the user is blocked.
    • The user is prompted to complete the grant control requirements that were not satisfied during phase 1, in the following order, until the policy is satisfied:
      • Multi-factor authentication
      • Approved client app/app protection policy
      • Managed device (compliant or hybrid Azure AD joined)
      • Terms of use
      • Custom controls
    • Once all grant controls have been satisfied, apply session controls (app-enforced restrictions, Microsoft Cloud App Security, and token lifetime).
    • Phase 2 of policy evaluation occurs only for enabled policies.
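
The two-phase flow above, as a small added model written for this page (it is not code from the article or from Microsoft): phase 1 decides which policies apply, with every assignment ANDed and report-only policies evaluated but not enforced; phase 2 stops at a block grant control, otherwise prompts for the outstanding grant controls in the documented order, honours the require-all versus require-one operator, and applies session controls once everything is satisfied. The `Policy` and `Session` shapes, the control names in `GRANT_ORDER` and the sample policies are all constructed for the demo.

```python
"""Toy model of Conditional Access evaluation (added example, constructed data)."""
from dataclasses import dataclass, field

# Order in which unsatisfied grant controls are prompted (from the article).
GRANT_ORDER = ["mfa", "approvedApp", "managedDevice", "termsOfUse", "customControl"]


@dataclass
class Policy:
    name: str
    state: str = "enabled"                       # "enabled" | "reportOnly" | "disabled"
    users: set = field(default_factory=set)      # {"All"} or user / group / role names
    exclude_users: set = field(default_factory=set)
    apps: set = field(default_factory=set)       # {"All"} or cloud app names
    platforms: set = field(default_factory=set)  # empty = any platform
    locations: set = field(default_factory=set)  # empty = any location
    grant: set = field(default_factory=set)      # {"block"} or names from GRANT_ORDER
    grant_operator: str = "AND"                  # "AND" = require all, "OR" = require one
    session: set = field(default_factory=set)    # session controls applied on allow


@dataclass
class Session:
    user: str
    groups: set
    app: str
    platform: str
    location: str          # named-location result, e.g. "trusted" / "untrusted"
    satisfied: set         # grant controls already met in this session, e.g. {"mfa"}


def applies(p: Policy, s: Session) -> bool:
    """Phase 1: a policy applies only if every configured assignment matches."""
    if p.state == "disabled":
        return False
    principal = {s.user} | s.groups
    if not ("All" in p.users or principal & p.users):
        return False
    if principal & p.exclude_users:              # exclusions always win
        return False
    if not ("All" in p.apps or s.app in p.apps):
        return False
    if p.platforms and s.platform not in p.platforms:
        return False
    if p.locations and s.location not in p.locations:
        return False
    return True


def evaluate(policies: list, s: Session) -> dict:
    """Phase 2: combine every applicable enabled policy; all of them must be satisfied."""
    applicable = [p for p in policies if applies(p, s)]
    report_only = [p.name for p in applicable if p.state == "reportOnly"]
    enforced = [p for p in applicable if p.state == "enabled"]
    result = {"applied": [p.name for p in enforced], "report_only": report_only,
              "next": None, "session_controls": []}
    # A block grant control ends enforcement immediately.
    if any("block" in p.grant for p in enforced):
        return {**result, "decision": "block"}
    pending = set()
    for p in enforced:
        if p.grant_operator == "OR":
            if p.grant and not (p.grant & s.satisfied):   # one control is enough
                pending.add(min(p.grant, key=GRANT_ORDER.index))
        else:
            pending |= p.grant - s.satisfied              # every control is required
    if pending:
        # Prompt for the earliest outstanding control in the documented order.
        return {**result, "decision": "prompt", "next": min(pending, key=GRANT_ORDER.index)}
    controls = set().union(*(p.session for p in enforced))
    return {**result, "decision": "allow", "session_controls": sorted(controls)}


# Constructed sample policies; names, groups and apps are made up for the demo.
POLICIES = [
    Policy("Require MFA for all users", users={"All"}, apps={"All"}, grant={"mfa"},
           session={"signInFrequency"}),
    Policy("Require managed device for Exchange", users={"All"}, apps={"Exchange Online"},
           grant={"managedDevice"}),
    Policy("Block admins from untrusted locations", users={"Global Admins"}, apps={"All"},
           locations={"untrusted"}, grant={"block"}),
    Policy("Report-only: MFA or managed device for SharePoint", state="reportOnly",
           users={"All"}, apps={"SharePoint Online"}, grant={"mfa", "managedDevice"},
           grant_operator="OR"),
]

if __name__ == "__main__":
    alice = Session("alice", {"Finance"}, "Exchange Online", "windows", "trusted", set())
    print(evaluate(POLICIES, alice))             # prompt, next: mfa
    alice.satisfied = {"mfa"}
    print(evaluate(POLICIES, alice))             # prompt, next: managedDevice
    bob = Session("bob", {"Global Admins"}, "Teams", "macOS", "untrusted", {"mfa"})
    print(evaluate(POLICIES, bob))               # block, even though MFA was done
```

Two things the model makes visible that the prose only states: a block policy wins regardless of what other applicable policies would have granted, and a report-only policy shows up in the evaluation (so its effect can be reviewed in sign-in logs) without ever prompting or blocking.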

Assignments

The assignments portion controls the who, what, and where of the Conditional Access policy.

Users and groups

Users and groups assign who the policy will include or exclude. This assignment can include all users, specific groups of users, directory roles, or external guest users.

Cloud apps or actions

Cloud apps or actions can include or exclude cloud applications or user actions that will be subject to the policy.

Conditions

A policy can contain multiple conditions.

Device platforms

Organizations with multiple device operating system platforms may wish to enforce specific policies on different platforms.

The information used to determine the device platform comes from unverified sources, such as user agent strings, that can be changed by the client.

Locations

Location data is provided by IP geolocation data. Administrators can choose to define locations and to mark some as trusted, such as those for their organization's network locations.

Client apps

By default, Conditional Access policies apply to browser apps, mobile apps, and desktop clients that support modern authentication.

This assignment condition allows Conditional Access policies to target specific client applications that do not use modern authentication. These applications include Exchange ActiveSync clients, older Office applications that do not use modern authentication, and mail protocols like IMAP, MAPI, POP, and SMTP.

Device state

This condition is used to exclude devices that are hybrid Azure AD joined or marked as compliant in Intune. This exclusion can be used to block unmanaged devices.

Access controls

The access controls portion of the Conditional Access policy controls how a policy is enforced.

Grant

Grant provides administrators with a means of policy enforcement where they can block or grant access.

Block access

Block access does just that: it blocks access under the specified assignments. The block control is powerful and should be wielded with the appropriate knowledge.

Grant access

The grant control can trigger enforcement of one or more controls.

  • Require multi-factor authentication (Azure Multi-Factor Authentication)
  • Require device to be marked as compliant (Intune)
  • Require Hybrid Azure AD joined device
  • Require approved client app
  • Require app protection policy

Administrators can choose to require one of the previous controls or all selected controls using the following options. The default for multiple controls is to require all.

  • Require all the selected controls (control and control)
  • Require one of the selected controls (control or control)

Session

Session controls can limit the experience.

  • Use app enforced restrictions
    • Currently works with Exchange Online and SharePoint Online only.
      • Passes device information to allow control of the experience, granting full or limited access.
  • Use Conditional Access App Control
    • Uses signals from Microsoft Cloud App Security to do things like:
      • Block download, cut, copy, and print of sensitive documents.
      • Monitor risky session behavior.
      • Require labeling of sensitive files.
  • Sign-in frequency
    • Ability to change the default sign-in frequency for modern authentication.
  • Persistent browser session
    • Allows users to remain signed in after closing and reopening their browser window.

Simple policies

A Conditional Access policy must contain at minimum the following to be enforced:

  • Name of the policy.
  • Assignments
    • Users and/or groups to apply the policy to.
    • Cloud apps or actions to apply the policy to.
  • Access controls
    • Grant or Block controls
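
A check for the minimum set above, written as an added example for this page (not code from the article or from Microsoft): it lints policy objects for a name, included users or groups, included cloud apps or user actions, and a grant or block control, and reports which operator will govern multiple grant controls. The dict layout is shaped after the Microsoft Graph conditionalAccessPolicy resource as I know it (displayName, conditions.users, conditions.applications, grantControls); treat those field names as an assumption, and note that real exports carry object IDs where the constructed sample uses readable names.

```python
"""Lint policies for the minimum an enforceable policy needs (added example)."""


def missing_parts(policy: dict) -> list:
    """Return the minimum elements this policy lacks (an empty list means complete)."""
    problems = []
    if not (policy.get("displayName") or "").strip():
        problems.append("name")
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    if not (users.get("includeUsers") or users.get("includeGroups") or users.get("includeRoles")):
        problems.append("users/groups")
    apps = cond.get("applications") or {}
    if not (apps.get("includeApplications") or apps.get("includeUserActions")):
        problems.append("cloud apps/actions")
    if not (policy.get("grantControls") or {}).get("builtInControls"):
        problems.append("grant/block control")
    return problems


def effective_operator(policy: dict):
    """Operator applied to the grant controls: with more than one control and no
    operator set, the default is to require all (AND); a single control needs none."""
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if len(controls) <= 1:
        return None
    return grant.get("operator") or "AND"


def lint(policies: list) -> dict:
    """Map each incomplete policy's name to its missing parts."""
    return {p.get("displayName") or "<unnamed>": missing_parts(p)
            for p in policies if missing_parts(p)}


# Constructed sample export: one complete policy and one draft missing two parts.
SAMPLE_POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": ["break-glass-accounts"]},
            "applications": {"includeApplications": ["All"]},
        },
        # Two controls and no operator: the default is to require all of them.
        "grantControls": {"builtInControls": ["mfa", "compliantDevice"]},
    },
    {
        "displayName": "Draft: finance app",
        "state": "disabled",
        "conditions": {"users": {"includeGroups": ["Finance"]}},
        "grantControls": {},
    },
]

if __name__ == "__main__":
    for name, gaps in lint(SAMPLE_POLICIES).items():
        print(f"{name}: missing {', '.join(gaps)}")
    print(effective_operator(SAMPLE_POLICIES[0]))   # AND
```

Running this over an exported set of policies before enabling them catches the draft that has users but no target apps or controls, and makes the implicit require-all default explicit for review.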

Figure: Blank Conditional Access policy

The article Common Conditional Access policies includes some policies that we think would be useful to most organizations.

Next steps

Create a Conditional Access policy

Simulate sign-in behavior using the Conditional Access What If tool

Planning a cloud-based Azure Multi-Factor Authentication deployment

Managing device compliance with Intune

Microsoft Cloud App Security and Conditional Access