Using the location condition in a Conditional Access policy

As explained in the overview article, Conditional Access policies are at their most basic an if-then statement that combines signals to make decisions and enforce organization policies. One of the signals that can be incorporated into the decision-making process is network location.

(Image: Conceptual Conditional Access signal plus decision to enforce policy)

Organizations can use this network location for common tasks like:

  • Requiring multi-factor authentication for users accessing a service when they are off the corporate network.
  • Blocking access for users accessing a service from specific countries or regions.

The network location is determined by the public IP address a client provides to Azure Active Directory. Conditional Access policies by default apply to all IPv4 and IPv6 addresses.

Tip

IPv6 ranges are only supported in the Named location (preview) interface.

Named locations

Locations are designated in the Azure portal under Azure Active Directory > Security > Conditional Access > Named locations. These named network locations may include locations like an organization's headquarters network ranges, VPN network ranges, or ranges that you wish to block.

(Image: Named locations in the Azure portal)

To configure a location, you need to provide at least a Name and the IP range.

The number of named locations you can configure is constrained by the size of the related object in Azure AD. You can configure locations within the following limits:

  • One named location with up to 1200 IPv4 ranges.
  • A maximum of 90 named locations with one IP range assigned to each of them.

Trusted locations

When creating a network location, an administrator has the option to mark a location as a trusted location.

(Image: Trusted locations in the Azure portal)

This option can factor into Conditional Access policies where you may, for example, require registration for multi-factor authentication from a trusted network location.

Countries and regions

Some organizations may choose to define entire country or region IP boundaries as named locations for Conditional Access policies. They may use these locations to block unnecessary traffic when they know valid users will never come from a location such as North Korea. These mappings of IP address to country are updated periodically.

Note

Countries do not include IPv6 address ranges, only known IPv4 address ranges, and cannot be marked as trusted.

(Image: Creating a new country or region based location in the Azure portal)

Include unknown areas

Some IP addresses are not mapped to a specific country or region. To capture these IP locations, check the box Include unknown areas when defining a location. This option allows you to choose whether these IP addresses should be included in the named location. Use this setting when the policy using the named location should apply to unknown locations.

Configure MFA trusted IPs

You can also configure IP address ranges representing your organization's local intranet in the multi-factor authentication service settings. This feature enables you to configure up to 50 IP address ranges. The IP address ranges are in CIDR format. For more information, see Trusted IPs.

If you have Trusted IPs configured, they show up as MFA Trusted IPs in the list of locations for the location condition.

Skipping multi-factor authentication

On the multi-factor authentication service settings page, you can identify corporate intranet users by selecting Skip multi-factor authentication for requests from federated users on my intranet. This setting indicates that the inside corporate network claim, which is issued by AD FS, should be trusted and used to identify the user as being on the corporate network. For more information, see Enable the Trusted IPs feature by using Conditional Access.

After checking this option, MFA Trusted IPs, including the named location, will apply to any policies with this option selected.

For mobile and desktop applications, which have long-lived session lifetimes, Conditional Access is periodically reevaluated. The default is once an hour. When the inside corporate network claim is only issued at the time of the initial authentication, Azure AD may not have a list of trusted IP ranges. In this case, it is more difficult to determine if the user is still on the corporate network:

  1. Check if the user's IP address is in one of the trusted IP ranges.
  2. Check whether the first three octets of the user's IP address match the first three octets of the IP address of the initial authentication. The IP address is compared with the initial authentication when the inside corporate network claim was originally issued and the user location was validated.

If both steps fail, a user is considered to be no longer on a trusted IP.
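The two re-evaluation checks above, written out as an added Python example that is not part of this article or of Azure AD itself; the function name, the sample addresses and the assumption that the octet comparison in step 2 applies to IPv4 only are mine:

```python
import ipaddress


def still_on_trusted_ip(current_ip, initial_auth_ip, trusted_ranges):
    """Re-evaluate a long-lived session with the two checks described above.

    current_ip      - public IP seen at the periodic re-evaluation
    initial_auth_ip - public IP seen when the inside corporate network claim
                      was originally issued and the user location was validated
    trusted_ranges  - configured trusted CIDR ranges; may be empty when Azure AD
                      has no list of trusted IP ranges
    Returns True if the user is still considered to be on a trusted IP.
    """
    current = ipaddress.ip_address(current_ip)
    initial = ipaddress.ip_address(initial_auth_ip)

    # Step 1: is the current address inside one of the trusted IP ranges?
    # (membership is False when the range and address differ in IP version)
    for cidr in trusted_ranges:
        if current in ipaddress.ip_network(cidr, strict=False):
            return True

    # Step 2: do the first three octets match the initial authentication
    # address? Octets are an IPv4 notion, so (assumption) IPv6 addresses
    # fail this step; compare the first three bytes of the packed form.
    if current.version == 4 and initial.version == 4:
        return current.packed[:3] == initial.packed[:3]

    # Both steps failed: the user is no longer on a trusted IP.
    return False
```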

Preview features

In addition to the generally available named location feature, there is also a named location (preview). You can access the named location preview by using the banner at the top of the current named location blade.

(Image: Try out the named location preview)

With the named location preview, you are able to:

  • Configure up to 195 named locations
  • Configure up to 2000 IP ranges per named location
  • Configure IPv6 addresses alongside IPv4 addresses

We've also added some additional checks to help reduce the chance of misconfiguration.

  • Private IP ranges can no longer be configured
  • The number of IP addresses that can be included in a range is limited. Only CIDR masks greater than /8 will be allowed when configuring an IP range.

With the preview, there are now two create options:

  • Countries location
  • IP ranges location

(Image: Named location preview interface)

Location condition in policy

When you configure the location condition, you have the option to distinguish between:

  • Any location
  • All trusted locations
  • Selected locations

Any location

By default, selecting Any location causes a policy to be applied to all IP addresses, which means any address on the Internet. This setting is not limited to IP addresses you have configured as named locations. When you select Any location, you can still exclude specific locations from a policy. For example, you can apply a policy to all locations except trusted locations to set the scope to all locations except the corporate network.

All trusted locations

This option applies to:

  • All locations that have been marked as trusted locations
  • MFA Trusted IPs (if configured)

Selected locations

With this option, you can select one or more named locations. For a policy with this setting to apply, a user needs to connect from any of the selected locations. When you click Select, the named network selection control that shows the list of named networks opens. The list also shows whether the network location has been marked as trusted. The named location called MFA Trusted IPs is used to include the IP settings that can be configured in the multi-factor authentication service settings page.

IPv6 traffic

By default, Conditional Access policies will apply to all IPv6 traffic. With the named location preview, you can exclude specific IPv6 address ranges from a Conditional Access policy. This option is useful in cases where you don't want policy to be enforced for specific IPv6 ranges. For example, if you do not want to enforce a policy for users on your corporate network, and your corporate network is hosted on public IPv6 ranges.

When will my tenant have IPv6 traffic?

Azure Active Directory (Azure AD) doesn't currently support direct network connections that use IPv6. However, there are some cases where authentication traffic is proxied through another service. In these cases, the IPv6 address will be used during policy evaluation.

Most of the IPv6 traffic that gets proxied to Azure AD comes from Microsoft Exchange Online. When available, Exchange will prefer IPv6 connections. So if you have any Conditional Access policies for Exchange that have been configured for specific IPv4 ranges, you'll want to make sure you've also added your organization's IPv6 ranges. Not including IPv6 ranges will cause unexpected behavior for the following two cases:

  • When a mail client is used to connect to Exchange Online with legacy authentication, Azure AD may receive an IPv6 address. The initial authentication request goes to Exchange and is then proxied to Azure AD.
  • When Outlook Web Access (OWA) is used in the browser, it will periodically verify that all Conditional Access policies continue to be satisfied. This check is used to catch cases where a user may have moved from an allowed IP address to a new location, like the coffee shop down the street. In this case, if an IPv6 address is used and the IPv6 address is not in a configured range, the user may have their session interrupted and be directed back to Azure AD to reauthenticate.

These are the most common reasons you may need to configure IPv6 ranges in your named locations. In addition, if you are using Azure VNets, you will have traffic coming from an IPv6 address. If you have VNet traffic blocked by a Conditional Access policy, check your Azure AD sign-in log. Once you've identified the traffic, you can get the IPv6 address being used and exclude it from your policy.

Note

If you want to specify an IP CIDR range for a single address, apply the /32 bit mask. For example, if the IPv6 address is 2607:fb90:b27a:6f69:f8d5:dea0:fb39:74a and you wanted to exclude that single address as a range, you would use 2607:fb90:b27a:6f69:f8d5:dea0:fb39:74a/32.

Identifying IPv6 traffic in the Azure AD sign-in activity reports

You can discover IPv6 traffic in your tenant by going to the Azure AD sign-in activity reports. After you have the activity report open, add the "IP address" column. This column lets you identify the IPv6 traffic.

You can also find the client IP by clicking a row in the report, and then going to the "Location" tab in the sign-in activity details.

What you should know

When is a location evaluated?

Conditional Access policies are evaluated when:

  • A user initially signs in to a web app, mobile or desktop application.
  • A mobile or desktop application that uses modern authentication uses a refresh token to acquire a new access token. By default this check is once an hour.

This check means that for mobile and desktop applications using modern authentication, a change in location would be detected within an hour of changing the network location. For mobile and desktop applications that don't use modern authentication, the policy is applied on each token request. The frequency of the request can vary based on the application. Similarly, for web applications, the policy is applied at initial sign-in and is good for the lifetime of the session at the web application. Due to differences in session lifetimes across applications, the time between policy evaluations will also vary. Each time the application requests a new sign-in token, the policy is applied.

By default, Azure AD issues a token on an hourly basis. After moving off the corporate network, within an hour the policy is enforced for applications using modern authentication.

User IP address

The IP address that is used in policy evaluation is the public IP address of the user. For devices on a private network, this IP address is not the client IP of the user's device on the intranet; it is the address used by the network to connect to the public internet.

Bulk uploading and downloading of named locations

When you create or update named locations, for bulk updates, you can upload or download a CSV file with the IP ranges. An upload replaces the IP ranges in the list with those ranges from the file. Each row of the file contains one IP address range in CIDR format.
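Checking such a CSV before upload against the preview-interface rules described earlier (no private ranges, only CIDR masks greater than /8, at most 2000 ranges per named location), as an added Python example that is not from this article or from the Azure portal; the sample CSV is constructed, and the list of ranges treated as private is my assumption, since the article does not enumerate them:

```python
import csv
import io
import ipaddress

MAX_RANGES_PER_LOCATION = 2000  # preview limit per named location, per the article

# Assumption: the portal's "private IP ranges" are the RFC 1918, loopback,
# link-local and IPv6 unique-local ranges below; the article does not list them.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]


def validate_ranges_csv(text):
    """Parse a one-CIDR-per-row CSV and return (accepted_networks, errors).

    errors is a list of (row_number, value, reason); row 0 is used for the
    per-location range count check.
    """
    accepted, errors = [], []
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or not row[0].strip():
            continue  # blank row
        value = row[0].strip()
        try:
            # strict=False normalises host bits, e.g. 203.0.113.9/24 -> 203.0.113.0/24
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            errors.append((row_no, value, "not a valid CIDR range"))
            continue
        if net.prefixlen <= 8:
            errors.append((row_no, value, "only CIDR masks greater than /8 are allowed"))
            continue
        # overlaps() is False across IP versions, so mixed v4/v6 lists are safe
        if any(net.overlaps(p) for p in PRIVATE_RANGES):
            errors.append((row_no, value, "private IP ranges cannot be configured"))
            continue
        accepted.append(net)
    if len(accepted) > MAX_RANGES_PER_LOCATION:
        errors.append((0, "", f"more than {MAX_RANGES_PER_LOCATION} ranges in one location"))
    return accepted, errors


# Constructed sample upload (not real tenant data): one CIDR range per row.
SAMPLE_CSV = """203.0.113.0/24
192.168.1.0/24
0.0.0.0/0
2607:fb90:b27a::/48
not-a-range
"""
```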

Cloud proxies and VPNs

When you use a cloud hosted proxy or VPN solution, the IP address Azure AD uses while evaluating a policy is the IP address of the proxy. The X-Forwarded-For (XFF) header that contains the user's public IP address is not used because there is no validation that it comes from a trusted source, so it would present a method for faking an IP address.

When a cloud proxy is in place, a policy that is used to require a hybrid Azure AD joined device can be used, or the inside corpnet claim from AD FS.

API support and PowerShell

A preview version of the Graph API for named locations is available. For more information, see the namedLocation API.

Next steps