Continuous access evaluation

Token expiration and refresh is a standard mechanism in the industry. When a client application like Outlook connects to a service like Exchange Online, the API requests are authorized using OAuth 2.0 access tokens. By default, those access tokens are valid for one hour; when they expire, the client is redirected back to Azure AD to refresh them. That refresh period provides an opportunity to reevaluate policies for user access. For example, we might choose not to refresh the token because of a Conditional Access policy, or because the user has been disabled in the directory.

Customers have expressed concerns about the lag between when conditions change for the user, like network location or credential theft, and when policies related to that change can be enforced. We have experimented with the "blunt object" approach of reduced token lifetimes, but found that it can degrade user experience and reliability without eliminating the risk.

Timely response to policy violations or security issues really requires a "conversation" between the token issuer, like Azure AD, and the relying party, like Exchange Online. This two-way conversation gives us two important capabilities. The relying party can notice when things have changed, like a client coming from a new location, and tell the token issuer. It also gives the token issuer a way to tell the relying party to stop respecting tokens for a given user due to account compromise, disablement, or other concerns. The mechanism for this conversation is continuous access evaluation (CAE). The goal is near real-time response, but in some cases latency of up to 15 minutes may be observed due to event propagation time.

The initial implementation of continuous access evaluation focuses on Exchange, Teams, and SharePoint Online.

Key benefits

  • User termination or password change/reset: user session revocation will be enforced in near real time.
  • Network location change: Conditional Access location policies will be enforced in near real time.
  • Token export to a machine outside of a trusted network can be prevented with Conditional Access location policies.

Scenarios

Two scenarios make up continuous access evaluation: critical event evaluation and Conditional Access policy evaluation.

Critical event evaluation

Continuous access evaluation is implemented by enabling services, like Exchange Online, SharePoint Online, and Teams, to subscribe to critical events in Azure AD so that those events can be evaluated and enforced in near real time. Critical event evaluation does not rely on Conditional Access policies, so it is available in any tenant. The following events are currently evaluated:

  • User account is deleted or disabled
  • Password for a user is changed or reset
  • Multi-factor authentication is enabled for the user
  • Administrator explicitly revokes all refresh tokens for a user

This process enables the scenario where users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after one of these critical events.

Conditional Access policy evaluation (preview)

Exchange and SharePoint are able to synchronize key Conditional Access policies so that they can be evaluated within the service itself.

This process enables the scenario where users lose access to organizational files, email, calendar, or tasks from Microsoft 365 client apps or SharePoint Online immediately after their network location changes.

Note

Not all app and resource provider combinations are supported. See the table below. "Office" refers to Word, Excel, and PowerPoint.

| Resource          | Outlook Web | Outlook Win32 | Outlook iOS   | Outlook Android | Outlook Mac |
|-------------------|-------------|---------------|---------------|-----------------|-------------|
| SharePoint Online | Supported   | Supported     | Not Supported | Not Supported   | Supported   |
| Exchange Online   | Supported   | Supported     | Supported     | Supported       | Supported   |

| Resource          | Office web apps | Office Win32 apps | Office for iOS | Office for Android | Office for Mac |
|-------------------|-----------------|-------------------|----------------|--------------------|----------------|
| SharePoint Online | Not Supported   | Supported         | Supported      | Supported          | Supported      |
| Exchange Online   | Not Supported   | Supported         | Supported      | Supported          | Supported      |

Client-side claim challenge

Before continuous access evaluation, clients would always try to replay the access token from their cache as long as it had not expired. With CAE, we are introducing a new case: a resource provider can reject a token even when it has not expired. In order to tell clients to bypass their cache even though the cached token has not expired, we introduce a mechanism called a claim challenge, which indicates that the token was rejected and that a new access token needs to be issued by Azure AD. CAE requires a client update to understand the claim challenge. The latest versions of the following applications support the claim challenge:

  • Outlook Windows
  • Outlook iOS
  • Outlook Android
  • Outlook Mac
  • Outlook Web App
  • Teams for Windows (Teams resource only)
  • Teams iOS (Teams resource only)
  • Teams Android (Teams resource only)
  • Teams Mac (Teams resource only)
  • Word/Excel/PowerPoint for Windows
  • Word/Excel/PowerPoint for iOS
  • Word/Excel/PowerPoint for Android
  • Word/Excel/PowerPoint for Mac
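The client-side behaviour described above, as an added example that is not code from this page or from Microsoft's client libraries: replay the cached token, and on a 401 that carries a claim challenge, bypass the cache and go back to the issuer with the challenge. It assumes the challenge travels in the WWW-Authenticate header as a base64-encoded JSON "claims" parameter, and stubs the issuer (Azure AD) and the resource call.

```python
import base64
import json
import re

# Assumed header shape (the page only says "401 + claim challenge"):
#   WWW-Authenticate: Bearer error="insufficient_claims", claims="<base64 JSON>"
_CLAIMS_RE = re.compile(r'claims="([^"]+)"')


def build_claims_challenge(claims):
    """Resource-provider side: encode the claims the issuer must satisfy."""
    enc = base64.b64encode(json.dumps(claims).encode()).decode().rstrip("=")
    return f'Bearer error="insufficient_claims", claims="{enc}"'


def parse_claims_challenge(www_authenticate):
    """Decoded claims dict, or None for a 401 that carries no claim challenge
    (an ordinary expired/invalid token, left to the usual refresh path)."""
    if not www_authenticate or not www_authenticate.startswith("Bearer"):
        return None
    m = _CLAIMS_RE.search(www_authenticate)
    if not m:
        return None
    raw = m.group(1)
    raw += "=" * (-len(raw) % 4)          # restore any stripped base64 padding
    try:
        claims = json.loads(base64.b64decode(raw, validate=True))
    except ValueError:                    # bad base64 or bad JSON: not a usable challenge
        return None
    return claims if isinstance(claims, dict) else None


class CaeClient:
    """Hypothetical CAE-capable client; 'issuer' stands in for Azure AD."""

    def __init__(self, issuer):
        self.issuer = issuer              # callable(refresh_token, claims) -> token or None
        self.refresh_token = "rt-constructed"
        self.cache = {}                   # resource -> unexpired access token

    def _acquire(self, resource, claims):
        token = self.issuer(self.refresh_token, claims)
        if token is not None:
            self.cache[resource] = token
        return token

    def call(self, resource, send):
        """send(token) -> (status, www_authenticate). Returns the final HTTP status."""
        token = self.cache.get(resource) or self._acquire(resource, None)
        if token is None:
            return 401
        status, header = send(token)
        claims = parse_claims_challenge(header) if status == 401 else None
        if claims is None:
            return status                 # success, or a 401 that is not a CAE challenge
        # Step 6 of the flows below: bypass the cache, hand the challenge to the issuer,
        # which reevaluates all conditions and may deny or require reauthentication.
        token = self._acquire(resource, claims)
        return send(token)[0] if token is not None else 401
```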

Token lifetime

Because risk and policy are evaluated in real time, clients that negotiate continuous access evaluation aware sessions rely on CAE instead of the existing static access token lifetime policies. This means that the configurable token lifetime policy is no longer honored for CAE-capable clients that negotiate CAE-aware sessions.

Token lifetime is increased to be long lived, up to 28 hours, in CAE sessions. Revocation is driven by critical events and policy evaluation, not just an arbitrary time period. This change increases the stability of applications without affecting security posture.

If you are not using CAE-capable clients, your default access token lifetime remains 1 hour unless you have configured your access token lifetime with the Configurable Token Lifetime (CTL) preview feature.

Example flows

User revocation event flow:

(Diagram: user revocation event flow)

  1. A CAE-capable client presents credentials or a refresh token to Azure AD, asking for an access token for some resource.
  2. An access token is returned along with other artifacts to the client.
  3. An administrator explicitly revokes all refresh tokens for the user. A revocation event is sent from Azure AD to the resource provider.
  4. An access token is presented to the resource provider. The resource provider evaluates the validity of the token and checks whether there is any revocation event for the user. The resource provider uses this information to decide whether to grant access to the resource.
  5. In this case, the resource provider denies access and sends a 401 + claim challenge back to the client.
  6. The CAE-capable client understands the 401 + claim challenge. It bypasses its cache and goes back to step 1, sending its refresh token along with the claim challenge back to Azure AD. Azure AD then reevaluates all the conditions and, in this case, prompts the user to reauthenticate.

User condition change flow (preview):

In the following example, a Conditional Access administrator has configured a location-based Conditional Access policy that only allows access from specific IP ranges:

(Diagram: user condition change event flow)

  1. A CAE-capable client presents credentials or a refresh token to Azure AD, asking for an access token for some resource.
  2. Azure AD evaluates all Conditional Access policies to see whether the user and client meet the conditions.
  3. An access token is returned along with other artifacts to the client.
  4. The user moves out of an allowed IP range.
  5. The client presents the access token to the resource provider from outside of an allowed IP range.
  6. The resource provider evaluates the validity of the token and checks the location policy synced from Azure AD.
  7. In this case, the resource provider denies access and sends a 401 + claim challenge back to the client, because the request is not coming from an allowed IP range.
  8. The CAE-capable client understands the 401 + claim challenge. It bypasses its cache and goes back to step 1, sending its refresh token along with the claim challenge back to Azure AD. Azure AD reevaluates all the conditions and, in this case, denies access.
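The resource-provider decisions in the two flows above, as an added example that is not Microsoft's code: a constructed model in which the provider holds the critical events it subscribed to and the IP-based location policy synced from the issuer, and answers either "granted" or "denied" together with the claims for the 401 claim challenge. The token shape, the "cae" flag, the rule that location is only enforced at the provider for CAE sessions, and the 28-hour versus 1-hour lifetimes in issue_token are assumptions drawn from the Token lifetime section.

```python
import ipaddress

ONE_HOUR = 3600
CAE_LIFETIME = 28 * ONE_HOUR     # long-lived token for CAE-aware sessions (Token lifetime section)


def issue_token(user, cae_capable, now):
    """Stand-in for Azure AD issuing an access token (constructed dict, not a real JWT)."""
    lifetime = CAE_LIFETIME if cae_capable else ONE_HOUR
    return {"sub": user, "iat": now, "exp": now + lifetime, "cae": cae_capable}


def claims_challenge(nbf):
    """Claims the client must carry back to the issuer: a token issued no earlier than nbf."""
    return {"access_token": {"nbf": {"essential": True, "value": str(int(nbf))}}}


class ResourceProvider:
    """Model of Exchange Online / SharePoint Online as a CAE subscriber."""

    def __init__(self, allowed_ranges):
        # Copy of the IP-based Conditional Access location policy synced from the issuer.
        self.allowed = [ipaddress.ip_network(r) for r in allowed_ranges]
        # Critical events received from the issuer: user -> time of the revocation event.
        self.revoked_at = {}

    def on_revocation_event(self, user, when):
        """Issuer told us to stop honouring tokens for this user (flow 1, step 3)."""
        self.revoked_at[user] = when

    def _ip_allowed(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.allowed)

    def evaluate(self, token, client_ip, now):
        """("granted", None) or ("denied", claims), claims being the body of the
        401 claim challenge sent back to the client (flow 1 step 5, flow 2 step 7)."""
        if now >= token["exp"]:
            return "denied", claims_challenge(now)          # ordinary expiry
        revoked = self.revoked_at.get(token["sub"])
        if revoked is not None and token["iat"] <= revoked:
            # Flow 1: the token predates the revocation event even though it has not expired.
            return "denied", claims_challenge(revoked)
        if token["cae"] and not self._ip_allowed(client_ip):
            # Flow 2: a CAE session presented from outside the allowed IP ranges.
            return "denied", claims_challenge(now)
        return "granted", None
```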

Enable or disable CAE (preview)

  1. Sign in to the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
  2. Browse to Azure Active Directory > Security > Continuous access evaluation.
  3. Choose Enable preview.

From this page, you can optionally limit the users and groups that will be subject to the preview.

(Screenshot: enabling the CAE preview in the Azure portal)

Troubleshooting

Supported location policies

For CAE, we only have insight into IP-based named locations. We have no insight into other location settings like MFA trusted IPs or country-based locations. When a user comes from an MFA trusted IP, or from a trusted location that includes MFA trusted IPs or a country location, CAE will not be enforced after the user moves to a different location. In those cases, we issue a 1-hour CAE token without an instant IP enforcement check.

Important

When configuring locations for continuous access evaluation, use only the IP-based Conditional Access location condition, and configure all IP addresses, both IPv4 and IPv6, that can be seen by your identity provider and resource provider. Do not use country location conditions or the trusted IPs feature that is available in Azure Multi-Factor Authentication's service settings page.

IP address configuration

Your identity provider and resource providers may see different IP addresses. This mismatch may happen due to network proxy implementations in your organization, or due to incorrect IPv4/IPv6 configuration between your identity provider and resource provider. For example:

  • Your identity provider sees one IP address from the client.
  • Your resource provider sees a different IP address from the client after it passes through a proxy.
  • The IP address your identity provider sees is part of an allowed IP range in the policy, but the IP address seen by the resource provider is not.

If this scenario exists in your environment, then to avoid infinite loops Azure AD issues a one-hour CAE token and does not enforce client location changes. Even in this case, security is improved compared to traditional one-hour tokens, since we still evaluate the other events besides client location change events.

Office and Web Account Manager settings

| Office update channel                          | DisableADALatopWAMOverride                     | DisableAADWAM                                  |
|------------------------------------------------|------------------------------------------------|------------------------------------------------|
| Semi-Annual Enterprise Channel                 | If set to enabled or 1, CAE is not supported.  | If set to enabled or 1, CAE is not supported.  |
| Current Channel or Monthly Enterprise Channel  | CAE is supported regardless of the setting.    | CAE is supported regardless of the setting.    |

For an explanation of the Office update channels, see Overview of update channels for Microsoft 365 Apps. It is recommended that organizations do not disable Web Account Manager (WAM).

Policy change timing

Due to potential replication delay between Azure AD and resource providers, policy changes made by administrators could take up to 2 hours to take effect for Exchange Online.

Example: an administrator adds a policy at 11:00 AM to block a range of IP addresses from accessing email. A user who has previously come from that IP range could possibly continue to access email until 1:00 PM.

Coauthoring in Office apps

When multiple users are collaborating on the same document at the same time, a user's access to the document may not be immediately revoked by CAE based on user revocation or policy change events. In this case, the user loses access completely after closing the document, closing Word, Excel, or PowerPoint, or after a period of 10 hours.

To reduce this time, a SharePoint administrator can optionally reduce the maximum lifetime of coauthoring sessions for documents stored in SharePoint Online and OneDrive for Business by configuring a network location policy in SharePoint Online. Once this configuration is changed, the maximum lifetime of coauthoring sessions is reduced to 15 minutes, and it can be adjusted further using the SharePoint Online PowerShell command "Set-SPOTenant -IPAddressWACTokenLifetime".

Enable after a user is disabled

If you enable a user right after it is disabled, there will be some latency before the account can be enabled. SPO and Teams will have a 15-minute delay. The delay is 35-40 minutes for EXO.

FAQs

How will CAE work with Sign-in Frequency?

Sign-in Frequency will be honored with or without CAE.

Next steps

Announcing continuous access evaluation