Conditional Access classic policy migration

Conditional Access is the tool used by Azure Active Directory to bring signals together, to make decisions, and to enforce organizational policies. Conditional Access is at the heart of the new identity-driven control plane. While the purpose is still the same, the release of the new Azure portal has introduced significant improvements to how Conditional Access works.

Consider migrating the policies you have not created in the Azure portal because:

  • You can now address scenarios you could not handle before.
  • You can reduce the number of policies you have to manage by consolidating them.
  • You can manage all your Conditional Access policies in one central location.
  • The Azure classic portal will be retired.

This article explains what you need to know to migrate your existing Conditional Access policies to the new framework.

Classic policies

In the Azure portal, Conditional Access policies can be found under Azure Active Directory > Security > Conditional Access. Your organization might also have older Conditional Access policies not created using this page. These policies are known as classic policies. Classic policies are Conditional Access policies you have created in:

  • The Azure classic portal
  • The Intune classic portal
  • The Intune App Protection portal

On the Conditional Access page, you can access your classic policies by clicking Classic policies in the Manage section.

Figure: Conditional Access in Azure AD, showing the classic policies view

The Classic policies view provides you with an option to:

  • Filter your classic policies.

  • Disable classic policies.

  • Review the settings of a classic policy and disable it.

    Figure: Classic policy details, including the existing policy configuration

Warning

Once disabled, a classic policy can't be re-enabled.

The details view of a classic policy allows you to document the settings, modify the included or excluded groups, and disable the policy.

Figure: Policy details, groups to include or exclude

By changing the selected groups or by excluding specific groups, you can test the effect of a disabled classic policy for a few test users before disabling the policy for all included users and groups.

Migration considerations

In this article, Azure AD Conditional Access policies are also referred to as new policies. Your classic policies continue to work side by side with your new policies until you disable or delete them.

The following aspects are important in the context of a policy consolidation:

  • While classic policies are tied to a specific cloud app, you can select as many cloud apps as you need in a new policy.
  • Controls of a classic policy and a new policy for the same cloud app require all controls (AND) to be fulfilled.
  • In a new policy, you can:
    • Combine multiple conditions if required by your scenario.
    • Select several grant requirements as access controls and combine them with a logical OR (require one of the selected controls) or with a logical AND (require all of the selected controls).

Exchange Online

If you want to migrate classic policies for Exchange Online that include Exchange Active Sync as the client apps condition, you might not be able to consolidate them into one new policy.

This is, for example, the case if you want to support all client app types. In a new policy that has Exchange Active Sync as the client apps condition, you can't select other client apps.

Figure: Conditional Access, selecting client apps

A consolidation into one new policy is also not possible if your classic policies contain several conditions. A new policy that has Exchange Active Sync configured as the client apps condition does not support other conditions:

Figure: Exchange ActiveSync does not support the selected condition

If you have a new policy that has Exchange Active Sync configured as the client apps condition, you need to make sure that all other conditions are not configured.

Figure: Conditional Access conditions
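To check new policies against both Exchange Active Sync limits before consolidating (no other client app types, and no other conditions), here is an added Python linter that is not Microsoft's code; it walks policy objects shaped like the Microsoft Graph conditionalAccessPolicy resource, where the property names are an assumption and the sample policies are constructed.

```python
"""Lint new Conditional Access policies for the Exchange Active Sync limits
described on this page. Added example, not Microsoft code. The policy dicts
follow the Microsoft Graph conditionalAccessPolicy shape as the author
understands it (property names are an assumption); the sample policies are
constructed, not exported from a real tenant."""
from __future__ import annotations

EAS = "exchangeActiveSync"
# Condition properties that an EAS client-app policy must leave unconfigured.
OTHER_CONDITIONS = ("platforms", "locations", "devices",
                    "signInRiskLevels", "userRiskLevels")


def lint_policy(policy: dict) -> list[str]:
    """Return the findings for one policy; an empty list means it is fine."""
    findings: list[str] = []
    conds = policy.get("conditions", {})
    client_apps = conds.get("clientAppTypes", [])
    if EAS not in client_apps:
        return findings  # the limits only apply to EAS policies
    # Limit 1: an EAS policy cannot select other client app types.
    extra = [a for a in client_apps if a != EAS]
    if extra:
        findings.append(f"other client app types selected with EAS: {extra}")
    # Limit 2: an EAS policy does not support any other condition.
    for name in OTHER_CONDITIONS:
        if conds.get(name):  # None or empty means "not configured"
            findings.append(f"condition '{name}' configured alongside EAS")
    return findings


def lint_policies(policies: list[dict]) -> dict[str, list[str]]:
    """Map displayName -> findings for every policy that has a problem."""
    return {p["displayName"]: f for p in policies if (f := lint_policy(p))}


# Constructed sample policies (not real tenant data).
SAMPLE_POLICIES = [
    {"displayName": "EAS - require compliant device",
     "conditions": {"clientAppTypes": [EAS], "platforms": None, "locations": None,
                    "devices": None, "signInRiskLevels": [], "userRiskLevels": []},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
    {"displayName": "EAS + browser, iOS only",  # violates both limits
     "conditions": {"clientAppTypes": [EAS, "browser"],
                    "platforms": {"includePlatforms": ["iOS"]}, "locations": None,
                    "devices": None, "signInRiskLevels": [], "userRiskLevels": []},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    for name, findings in lint_policies(SAMPLE_POLICIES).items():
        print(name, "->", "; ".join(findings))
```

Policies that do not use Exchange Active Sync as a client app type are skipped, since the page's limits do not apply to them.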

App-based classic policies for Exchange Online that include Exchange Active Sync as the client apps condition allow supported and unsupported device platforms. While you can't configure individual device platforms in a related new policy, you can limit the support to supported device platforms only.

Figure: Conditional Access, selecting Exchange ActiveSync

You can consolidate multiple classic policies that include Exchange Active Sync as the client apps condition if they have:

  • Only Exchange Active Sync as condition
  • Several requirements for granting access configured

One common scenario is the consolidation of:

  • An app-based classic policy in the Intune App Protection portal

In this case, you can consolidate your classic policies into one new policy that has both requirements selected.

Figure: Conditional Access grant controls

Device platforms

Classic policies with app-based controls are pre-configured with iOS and Android as the device platform condition.

In a new policy, you need to select the device platforms you want to support individually.

Figure: Conditional Access device platform selection

Next steps