Conditional Access: Block legacy authentication

Due to the increased risk associated with legacy authentication protocols, Microsoft recommends that organizations block authentication requests using these protocols and require modern authentication.

Create a Conditional Access policy

The following steps will help create a Conditional Access policy to block legacy authentication requests. This policy is put into Report-only mode to start, so administrators can determine the impact it will have on existing users. When administrators are comfortable that the policy applies as they intend, they can switch it to On, or stage the deployment by adding specific groups and excluding others.

  1. Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.
  2. Browse to Azure Active Directory > Security > Conditional Access.
  3. Select New policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users and groups.
    1. Under Include, select All users.
    2. Under Exclude, select Users and groups and choose any accounts that must maintain the ability to use legacy authentication. Exclude at least one account to prevent yourself from being locked out. If you do not exclude any account, you will not be able to create this policy.
    3. Select Done.
  6. Under Cloud apps or actions, select All cloud apps.
    1. Select Done.
  7. Under Conditions > Client apps, set Configure to Yes.
    1. Check only the boxes Exchange ActiveSync clients and Other clients.
    2. Select Done.
  8. Under Access controls > Grant, select Block access.
    1. Select Select.
  9. Confirm your settings and set Enable policy to Report-only.
  10. Select Create to create and enable your policy.
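The portal steps above correspond to a single Microsoft Graph conditionalAccessPolicy object, which is how the same policy is created through automation. The following Python is an added example, not Microsoft's own code or part of this article: it builds that request body, refuses to build it without an excluded account (the same lockout guard as step 5.2), and evaluates a few constructed sample sign-ins so you can see which ones would be blocked once the policy is switched from Report-only to On. The account ids and sample sign-ins are constructed placeholders; the Graph property names and values (clientAppTypes, enabledForReportingButNotEnforced, builtInControls "block") are the real Graph schema; and evaluate_sign_in is a local approximation of the What If tool covering only the conditions this policy uses, not the service's own evaluation engine.

```python
"""Build and sanity-check the 'Block legacy authentication' Conditional Access
policy as a Microsoft Graph request body, then predict its effect on sample sign-ins.
Added example; not Microsoft's code."""
import json

# Graph values for the clientAppTypes condition that correspond to the two portal
# checkboxes "Exchange ActiveSync clients" and "Other clients" (step 7.1).
LEGACY_CLIENT_APP_TYPES = ["exchangeActiveSync", "other"]

# Valid values for the policy 'state' property in Microsoft Graph.
VALID_STATES = {"enabledForReportingButNotEnforced", "enabled", "disabled"}

# Endpoint the body below is POSTed to (with a bearer token; not called here).
GRAPH_POLICY_ENDPOINT = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_block_legacy_auth_policy(display_name, exclude_user_ids,
                                   state="enabledForReportingButNotEnforced"):
    """Return the JSON body for creating the policy described in steps 4 to 9.

    All users included, explicit exclusions, all cloud apps, client apps limited
    to the legacy types, grant control = block, Report-only by default.
    """
    if not exclude_user_ids:
        # Same guard the portal enforces: with no exclusions an admin can lock themselves out.
        raise ValueError("exclude at least one account (e.g. a break-glass account) before creating this policy")
    if state not in VALID_STATES:
        raise ValueError(f"unknown policy state {state!r}")
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": list(exclude_user_ids),
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": list(LEGACY_CLIENT_APP_TYPES),
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def evaluate_sign_in(policy, user_id, client_app_type):
    """Predict what this policy does to one sign-in: 'allow', 'report' or 'block'.

    'report' means the sign-in matched and would be blocked, but the policy is
    Report-only so it is only logged. Local approximation of the What If tool.
    """
    conditions = policy["conditions"]
    if user_id in conditions["users"]["excludeUsers"]:
        return "allow"  # excluded accounts are out of the policy's scope entirely
    if client_app_type not in conditions["clientAppTypes"]:
        return "allow"  # modern-auth clients (browser, mobileAppsAndDesktopClients) never match
    if policy["state"] == "enabled":
        return "block"
    if policy["state"] == "enabledForReportingButNotEnforced":
        return "report"
    return "allow"  # disabled policy has no effect


def legacy_sign_in_report(policy, sign_ins):
    """Count outcomes over (user_id, client_app_type) records, e.g. from sign-in logs."""
    counts = {"allow": 0, "report": 0, "block": 0}
    for user_id, app_type in sign_ins:
        counts[evaluate_sign_in(policy, user_id, app_type)] += 1
    return counts


# Constructed placeholder object ids; a real tenant uses the ids of the excluded accounts.
BREAK_GLASS_ACCOUNT = "00000000-0000-0000-0000-000000000001"
ORDINARY_USER = "00000000-0000-0000-0000-000000000002"

# Constructed sample sign-ins: two modern-auth, two legacy, one legacy from the excluded account.
SAMPLE_SIGN_INS = [
    (ORDINARY_USER, "browser"),
    (ORDINARY_USER, "mobileAppsAndDesktopClients"),
    (ORDINARY_USER, "exchangeActiveSync"),
    (ORDINARY_USER, "other"),
    (BREAK_GLASS_ACCOUNT, "other"),
]

if __name__ == "__main__":
    policy = build_block_legacy_auth_policy("CA001: Block legacy authentication",
                                            [BREAK_GLASS_ACCOUNT])
    print(json.dumps(policy, indent=2))
    print("Report-only outcome:", legacy_sign_in_report(policy, SAMPLE_SIGN_INS))
```

Running the script prints the request body and, for the sample sign-ins, 3 allowed and 2 that would be reported; rebuilding the policy with state="enabled" turns those 2 into blocks while the excluded account stays allowed. To create the policy for real, POST the printed body to GRAPH_POLICY_ENDPOINT with a token that holds the Policy.ReadWrite.ConditionalAccess permission, and review the Report-only results in the sign-in logs before switching the state to enabled, exactly as steps 9 and 10 describe.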

Next steps

Conditional Access common policies

Simulate sign-in behavior using the Conditional Access What If tool

How to set up a multifunction device or application to send email using Microsoft 365