Conditional Access: Block access by location

With the location condition in Conditional Access, you can control access to your cloud apps based on the network location of a user. The location condition is commonly used to block access from countries/regions where your organization knows traffic should not come from.

Define locations

  1. Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.
  2. Browse to Azure Active Directory > Security > Conditional Access > Named locations.
  3. Choose New location.
  4. Give your location a name.
  5. Choose IP ranges if you know the specific externally accessible IPv4 address ranges that make up that location, or choose Countries/Regions.
    1. Provide the IP ranges or select the Countries/Regions for the location you are specifying.
      • If you choose Countries/Regions, you can optionally choose to include unknown areas.
  6. Choose Save.

More information about the location condition in Conditional Access can be found in the article What is the location condition in Azure Active Directory Conditional Access.

Create a Conditional Access policy

  1. Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.
  2. Browse to Azure Active Directory > Security > Conditional Access.
  3. Select New policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users and groups.
    1. Under Include, select All users.
  6. Under Cloud apps or actions > Include, select All cloud apps.
  7. Under Conditions > Location:
    1. Set Configure to Yes.
    2. Under Include, select Selected locations.
    3. Select the blocked location you created for your organization.
    4. Click Select.
  8. Under Access controls, select Block access, and then select Select.
  9. Confirm your settings and set Enable policy to On.
  10. Select Create to create the Conditional Access policy.
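The two portal procedures above (creating a country-based named location, then a policy that blocks all users on all cloud apps from that location) can also be driven through the Microsoft Graph conditional access endpoints. The following is an added example, not code from this article or from Microsoft: it builds the request bodies for the named location and the policy, and assumes a caller-supplied bearer token (placeholder environment variable GRAPH_TOKEN) carrying the Policy.ReadWrite.ConditionalAccess permission; the country codes in the usage block are constructed placeholders.

```python
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def country_named_location(name, countries, include_unknown=False):
    """Body for POST /identity/conditionalAccess/namedLocations.
    countries: ISO 3166-1 alpha-2 codes; include_unknown maps to the
    portal's "include unknown areas" checkbox."""
    return {
        "@odata.type": "#microsoft.graph.countryNamedLocation",
        "displayName": name,
        "countriesAndRegions": sorted({c.upper() for c in countries}),
        "includeUnknownCountriesAndRegions": include_unknown,
    }


def block_by_location_policy(name, location_ids, state="enabled"):
    """Body for POST /identity/conditionalAccess/policies: all users, all cloud
    apps, selected locations, grant control = block. Use
    state="enabledForReportingButNotEnforced" to validate in report-only
    mode before enforcing (the portal's "On" corresponds to "enabled")."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": list(location_ids)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def graph_post(path, body, token):
    """POST a JSON body to Graph and return the parsed response (needs a token)."""
    req = urllib.request.Request(
        f"{GRAPH}{path}", data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    token = os.environ["GRAPH_TOKEN"]  # placeholder: supply your own token
    # Constructed placeholder codes; replace with the countries you block.
    loc = graph_post("/identity/conditionalAccess/namedLocations",
                     country_named_location("Blocked countries", ["XA", "XB"]), token)
    pol = graph_post("/identity/conditionalAccess/policies",
                     block_by_location_policy("Block access by location", [loc["id"]]), token)
    print("created policy", pol["id"])
```

Graph returns the named location's id in the first response; the policy body references that id in includeLocations, exactly as the portal's "Selected locations" step does.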

Next steps

Conditional Access common policies

Simulate sign-in behavior using the Conditional Access What If tool