Conditional Access: Session

Within a Conditional Access policy, an administrator can make use of session controls to enable limited experiences within specific cloud applications.

[Image: Conditional Access policy with a grant control requiring multi-factor authentication]

Application enforced restrictions

Organizations can use this control to require Azure AD to pass device information to the selected cloud apps. The device information enables the cloud apps to know whether a connection is initiated from a compliant or domain-joined device. This control only supports SharePoint Online and Exchange Online as selected cloud apps. When selected, the cloud app uses the device information to provide users, depending on the device state, with a limited or full experience.

For more information on the use and configuration of app enforced restrictions, see the following articles:

Conditional Access application control

Conditional Access App Control uses a reverse proxy architecture and is uniquely integrated with Azure AD Conditional Access. Azure AD Conditional Access allows you to enforce access controls on your organization's apps based on certain conditions. The conditions define who (user or group of users), what (which cloud apps) and where (which locations and networks) a Conditional Access policy is applied to. After you've determined the conditions, you can route users to Microsoft Cloud App Security, where you can protect data with Conditional Access App Control by applying access and session controls.

Conditional Access App Control enables user app access and sessions to be monitored and controlled in real time based on access and session policies. Access and session policies are used within the Cloud App Security portal to further refine filters and set actions to be taken on a user. With the access and session policies, you can:

  • Prevent data exfiltration: You can block the download, cut, copy, and print of sensitive documents on, for example, unmanaged devices.
  • Protect on download: Instead of blocking the download of sensitive documents, you can require documents to be labeled and protected with Azure Information Protection. This action ensures the document is protected and user access is restricted in a potentially risky session.
  • Prevent upload of unlabeled files: Before a sensitive file is uploaded, distributed, and used by others, it's important to make sure that the file has the right label and protection. You can ensure that unlabeled files with sensitive content are blocked from being uploaded until the user classifies the content.
  • Monitor user sessions for compliance: Risky users are monitored when they sign in to apps, and their actions are logged from within the session. You can investigate and analyze user behavior to understand where, and under what conditions, session policies should be applied in the future.
  • Block access: You can granularly block access for specific apps and users depending on several risk factors. For example, you can block them if they are using client certificates as a form of device management.
  • Block custom activities: Some apps have unique scenarios that carry risk, for example, sending messages with sensitive content in apps like Microsoft Teams or Slack. In these kinds of scenarios, you can scan messages for sensitive content and block them in real time.

For more information, see the article Deploy Conditional Access App Control for featured apps.

Sign-in frequency (Preview)

Sign-in frequency defines the time period before a user is asked to sign in again when attempting to access a resource.

The sign-in frequency setting works with apps that have implemented the OAuth 2.0 or OIDC protocols according to the standards. Most Microsoft native apps for Windows, Mac, and mobile, including the following web applications, comply with the setting.

  • Word, Excel, PowerPoint Online
  • OneNote Online
  • Office.com
  • O365 Admin portal
  • Exchange Online
  • SharePoint and OneDrive
  • Teams web client
  • Dynamics CRM Online
  • Azure portal

Persistent browser session (Preview)

A persistent browser session allows users to remain signed in after closing and reopening their browser window.
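The four session controls described on this page, expressed as a Microsoft Graph conditionalAccessPolicy body (the JSON sent to POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies), together with a validator for the enum values Graph accepts and a check that applies the sign-in frequency window. This is an added example, not code from the original page; the pilot group id is a constructed placeholder, and the policy is created in report-only state so its effect can be reviewed before enforcement.

```python
from datetime import timedelta

# Added example (not from the original page): a Microsoft Graph conditionalAccessPolicy
# body with the session controls described above, a validator for the enum values
# Graph accepts, and a sign-in-frequency check. The group id is a constructed placeholder.
PILOT_GROUP_ID = "00000000-0000-0000-0000-000000000000"
SIGN_IN_FREQ_TYPES = {"hours", "days"}
PERSISTENT_MODES = {"always", "never"}
CAS_TYPES = {"mcasConfigured", "monitorOnly", "blockDownloads"}

def build_session_policy(freq_value=1, freq_type="hours",
                         persistent_mode="never", cas_type="monitorOnly"):
    return {
        "displayName": "Session controls: pilot group, browser sign-ins",
        "state": "enabledForReportingButNotEnforced",  # report-only while piloting
        "conditions": {
            "users": {"includeGroups": [PILOT_GROUP_ID]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["browser"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": {
            # Azure AD passes device state to SharePoint Online / Exchange Online
            "applicationEnforcedRestrictions": {"isEnabled": True},
            # route the session through Cloud App Security's reverse proxy
            "cloudAppSecurity": {"isEnabled": True, "cloudAppSecurityType": cas_type},
            # ask the user to sign in again after this period
            "signInFrequency": {"isEnabled": True, "type": freq_type, "value": freq_value},
            # "never": the session does not survive closing the browser
            "persistentBrowser": {"isEnabled": True, "mode": persistent_mode},
        },
    }

def validate_session_controls(policy):
    """Return the list of schema problems; empty means the session block is well-formed."""
    sc, problems = policy["sessionControls"], []
    sif = sc["signInFrequency"]
    if sif["type"] not in SIGN_IN_FREQ_TYPES:
        problems.append("signInFrequency.type must be 'hours' or 'days'")
    if not isinstance(sif["value"], int) or sif["value"] < 1:
        problems.append("signInFrequency.value must be a positive integer")
    if sc["persistentBrowser"]["mode"] not in PERSISTENT_MODES:
        problems.append("persistentBrowser.mode must be 'always' or 'never'")
    if sc["cloudAppSecurity"]["cloudAppSecurityType"] not in CAS_TYPES:
        problems.append("cloudAppSecurityType must be one of " + ", ".join(sorted(CAS_TYPES)))
    return problems

def reauth_due(last_sign_in, now, policy):
    """True when the policy's sign-in frequency requires a fresh sign-in."""
    sif = policy["sessionControls"]["signInFrequency"]
    return now - last_sign_in >= timedelta(**{sif["type"]: sif["value"]})
```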

Next steps