什么是条件访问？What is Conditional Access?

• 08/27/2020
• • 
  • 

新式安全外围网络现已超出组织网络的范围，其中涵盖了用户和设备标识。The modern security perimeter now extends beyond an organization's network to include user and device identity. 在做出访问控制决策过程中，组织可以利用这些标识信号。Organizations can utilize these identity signals as part of their access control decisions.

Azure Active Directory 使用条件访问作为一种工具来统合信号、做出决策，以及实施组织策略。Conditional Access is the tool used by Azure Active Directory to bring signals together, to make decisions, and enforce organizational policies. 条件访问是新的标识驱动控制平面的核心。Conditional Access is at the heart of the new identity driven control plane.

最简单地讲，条件访问策略是一些 if-then 语句：如果用户想要访问某个资源，则必须完成某个操作。Conditional Access policies at their simplest are if-then statements, if a user wants to access a resource, then they must complete an action. 示例：薪资管理人员想要访问薪资应用程序，而需要执行多重身份验证才能访问。Example: A payroll manager wants to access the payroll application and is required to perform multi-factor authentication to access it.

管理员面临着两个主要目标：Administrators are faced with two primary goals:

• 使用户能够随时随地保持高效的工作Empower users to be productive wherever and whenever
• 保护组织的资产Protect the organization's assets

使用条件访问策略，可以在必要时应用适当的访问控制来确保组织的安全，并在不必要应用这些控制时，避免为用户造成阻碍。By using Conditional Access policies, you can apply the right access controls when needed to keep your organization secure and stay out of your user's way when not needed.

常见信号Common signals

在做出策略方面的决策时，条件访问可以考虑的常见信号包括：Common signals that Conditional Access can take in to account when making a policy decision include the following signals:

• 用户或组成员身份User or group membership
  • 策略可以针对特定的用户和组，并为管理员提供精细的访问控制。Policies can be targeted to specific users and groups giving administrators fine-grained control over access.
• IP 定位信息IP Location information
  • 组织可以创建在做出策略决策时使用的受信任 IP 地址范围。Organizations can create trusted IP address ranges that can be used when making policy decisions.
  • 管理员可以指定要阻止或允许的整个流量来源国家/地区的 IP 范围。Administrators can specify entire countries/regions IP ranges to block or allow traffic from.
• 设备Device
  • 实施条件访问策略时，用户可以使用的装有特定平台或标有特定状态的设备。Users with devices of specific platforms or marked with a specific state can be used when enforcing Conditional Access policies.
• 应用程序Application
  • 尝试访问特定应用程序的用户可以触发不同的条件访问策略。Users attempting to access specific applications can trigger different Conditional Access policies.
• Microsoft Cloud App Security (MCAS)Microsoft Cloud App Security (MCAS)
  • 实时监视和控制用户应用程序的访问和会话，提高云环境中执行的访问和活动的透明度与控制度。Enables user application access and sessions to be monitored and controlled in real time, increasing visibility and control over access to and activities performed within your cloud environment.

常见决策Common decisions

• 阻止访问Block access
  • 最严格的决策Most restrictive decision
• 授予访问权限Grant access
  • 最不严格的决策仍可要求以下一个或多个选项：Least restrictive decision, can still require one or more of the following options:
    • 需要多重身份验证Require multi-factor authentication
    • 要求将设备标记为合规Require device to be marked as compliant
    • 要求使用加入混合 Azure AD 的设备Require Hybrid Azure AD joined device
    • 需要批准的客户端应用Require approved client app
    • 需要应用保护策略（预览版）Require app protection policy (preview)

经常应用的策略Commonly applied policies

许多组织都存在条件访问策略可以帮助解决的常见访问问题，例如：Many organizations have common access concerns that Conditional Access policies can help with such as:

• 要求具有管理角色的用户执行多重身份验证Requiring multi-factor authentication for users with administrative roles
• 要求在运行 Azure 管理任务时执行多重身份验证Requiring multi-factor authentication for Azure management tasks
• 阻止用户尝试使用旧式身份验证协议登录Blocking sign-ins for users attempting to use legacy authentication protocols
• 要求在受信任的位置注册 Azure 多重身份验证Requiring trusted locations for Azure Multi-Factor Authentication registration
• 阻止或允许来自特定位置的访问Blocking or granting access from specific locations
• 阻止有风险的登录行为Blocking risky sign-in behaviors
• 要求在组织管理的设备上使用特定的应用程序Requiring organization-managed devices for specific applications

客户案例研究Customer case studies

了解其他组织如何使用 Azure AD 条件访问来定义和实施自动化的访问控制决策。Discover how other organizations use Azure AD Conditional Access to define and implement automated access control decisions. 以下特选案例演示了如何解决这些客户需求。The following featured stories demonstrate how these customer needs are met.

• Wipro 使用 Azure 云安全工具提高移动工作效率，以提高客户参与度。Wipro drives mobile productivity with Azure cloud security tools to improve customer engagements. Azure AD 中的条件访问策略可让公司与受信任的外部实体（它们可以使用自己的凭据）共享文档、资源和应用程序，同时保留对自身企业数据的控制权。The Conditional Access policies in Azure AD have enabled the company to share documents, resources, and applications with trusted outside entities---who can use their own credentials---while maintaining control over its own corporate data.
• 跨国物流和运输公司 Aramex Delivery Limited 使用标识和访问管理解决方案设立了与云联网的办事处。Aramex delivery limited - Global logistics and transportation company creates cloud-connected office with identity and access management solution. 确保 Aramex 远程工作者的安全访问特别困难。Ensuring secure access was especially difficult with Aramex's remote employees. 该公司目前正在应用条件访问，使这些远程工作者能够从网络外部访问其 SaaS 应用程序。The company is now applying Conditional Access to let these remote employees access their SaaS applications from outside the network. 条件访问规则将确定是否强制实施多重身份验证，只向适当的人员提供适当的访问权限。The Conditional Access rule will decide whether to enforce Multi-Factor Authentication, giving only the right people the right access.

许可要求License requirements

使用此功能需要 Azure AD Premium P1 许可证。Using this feature requires an Azure AD Premium P1 license. 若要根据需要查找合适的许可证，请参阅 比较免费版、基本版和高级版的正式发布功能。To find the right license for your requirements, see Comparing generally available features of the Free, Basic, and Premium editions.

拥有 Microsoft 365 商业高级版许可证的客户也可以访问条件访问功能。Customers with Microsoft 365 Business Premium licenses also have access to Conditional Access features.

后续步骤Next steps

• 条件访问策略构建方法详解Building a Conditional Access policy piece by piece
• 计划条件访问部署Plan your Conditional Access deployment
• 了解 Microsoft Cloud App SecurityLearn about Microsoft Cloud App Security
• 了解 Microsoft IntuneLearn about Microsoft Intune