如何:通过条件访问要求使用受管理设备进行云应用访问How To: Require managed devices for cloud app access with Conditional Access

在移动优先、云优先的世界中,使用 Azure Active Directory (Azure AD) 可以实现从任意位置以单一登录方式登录到应用和服务。In a mobile-first, cloud-first world, Azure Active Directory (Azure AD) enables single sign-on to apps, and services from anywhere. 经授权的用户可以从一系列设备(包括移动设备和个人设备)访问云应用。Authorized users can access your cloud apps from a broad range of devices including mobile and also personal devices. 但是,许多环境中至少有几个应用会要求仅通过满足你的安全性和符合性标准的设备进行访问。However, many environments have at least a few apps that should only be accessed by devices that meet your standards for security and compliance. 这些设备也称为受管理设备。These devices are also known as managed devices.

本文介绍了如何配置条件访问策略来要求使用受管理设备访问环境中的特定云应用。This article explains how you can configure Conditional Access policies that require managed devices to access certain cloud apps in your environment.


要求使用受管理设备进行云应用访问就必须将 Azure AD 条件访问Azure AD 设备管理 结合在一起。Requiring managed devices for cloud app access ties Azure AD Conditional Access and Azure AD device management together. 如果尚不熟悉其中的某项功能,应该先阅读以下主题:If you are not familiar with one of these areas yet, you should read the following topics, first:

  • Azure Active Directory 中的条件访问 - 此文提供了条件访问的概念性概述和相关术语。Conditional Access in Azure Active Directory - This article provides you with a conceptual overview of Conditional Access and the related terminology.
  • Azure Active Directory 中的设备管理简介 - 此文章概述了可以用来将设备置于组织控制下的各种选项。Introduction to device management in Azure Active Directory - This article gives you an overview of the various options you have to get devices under organizational control.
  • 对于 Windows 10 Creators Update(版本 1703)或更高版本中的 Chrome 支持,请安装 Windows 10 Accounts extensionFor Chrome support in Windows 10 Creators Update (version 1703) or later, install the Windows 10 Accounts extension. 当条件访问策略需要特定于设备的详细信息时,此扩展是必需的。This extension is required when a Conditional Access policy requires device-specific details.


我们建议使用基于 Azure AD 设备的条件访问策略,在初始设备身份验证后获得最佳实施。We recommend using Azure AD device based Conditional Access policy to get the best enforcement after initial device authentication. 这包括在设备不符合合规性和设备代码流时关闭会话。This includes closing sessions if the device falls out of compliance and device code flow.

方案描述Scenario description

掌控安全性与工作效率之间的平衡是一个难题。Mastering the balance between security and productivity is a challenge. 扩大用来访问云资源的受支持设备的范围有助于提高用户的工作效率。The proliferation of supported devices to access your cloud resources helps to improve the productivity of your users. 另一方面,你可能不希望具有未知保护级别的设备访问你的环境中的某些资源。On the flip side, you probably don't want certain resources in your environment to be accessed by devices with an unknown protection level. 对于受影响的资源,你应当要求用户只能使用受管理设备访问它们。For the affected resources, you should require that users can only access them using a managed device.

使用 Azure AD 条件访问,可以通过进行授权的以下单个策略来解决此要求:With Azure AD Conditional Access, you can address this requirement with a single policy that grants access:

  • 授予对所选云应用的访问权限To selected cloud apps
  • 为所选用户和组授予权限For selected users and groups
  • 要求使用受管理设备Requiring a managed device

托管设备Managed devices

简而言之,受管理设备是指处于 某种 组织控制之下的设备。In simple terms, managed devices are devices that are under some sort of organizational control. 在 Azure AD 中,受管理设备的先决条件是它已向 Azure AD 注册。In Azure AD, the prerequisite for a managed device is that it has been registered with Azure AD. 注册设备时会以设备对象的形式为设备创建标识。Registering a device creates an identity for the device in form of a device object. Azure 使用此对象来跟踪设备的状态信息。This object is used by Azure to track status information about a device. 作为 Azure AD 管理员,你可以使用此对象切换(启用/禁用)设备状态。As an Azure AD administrator, you can already use this object to toggle (enable/disable) the state of a device.

Azure A D 中“设备”窗格的屏幕截图。突出显示了“启用”和“禁用”项。

若要向 Azure AD 注册设备,你有三种选择:To get a device registered with Azure AD, you have three options:

  • Azure AD 注册设备:向 Azure AD 注册个人设备Azure AD registered devices - to get a personal device registered with Azure AD
  • 加入 Azure AD 的设备 - 向 Azure AD 注册未加入本地 AD 的组织 Windows 10 设备。Azure AD joined devices - to get an organizational Windows 10 device that is not joined to an on-premises AD registered with Azure AD.
  • 加入混合 Azure AD 的设备 - 向 Azure AD 注册已加入本地 AD 的 Windows 10 或受支持的低级别设备。Hybrid Azure AD joined devices - to get a Windows 10 or supported down-level device that is joined to an on-premises AD registered with Azure AD.

什么是设备标识?一文中讨论了这三个选项These three options are discussed in the article What is a device identity?

若要成为受管理设备,注册设备必须是 加入混合 Azure AD 的设备 或者是 已标记为合规的设备To become a managed device, a registered device must be either a Hybrid Azure AD joined device or a device that has been marked as compliant.

“Azure A D 授权”窗格的屏幕截图。已选择“授予访问权限”,已选中设备需兼容且已加入混合 Azure A D 的复选框。

要求使用加入混合 Azure AD 的设备Require Hybrid Azure AD joined devices

在条件访问策略中,可以选择“要求使用加入混合 Azure AD 的设备”来声明只能使用受管理设备访问所选云应用。In your Conditional Access policy, you can select Require Hybrid Azure AD joined device to state that the selected cloud apps can only be accessed using a managed device.

“Azure A D 授权”窗格的屏幕截图。已选择“授予访问权限”。也已选中要求设备加入混合 Azure A D 的复选框。

此设置仅适用于已加入本地 AD 的 Windows 10 或低级别设备(例如 Windows 7 或 Windows 8)。This setting only applies to Windows 10 or down-level devices such as Windows 7 or Windows 8 that are joined to an on-premises AD. 你只能使用混合 Azure AD 加入功能向 Azure AD 注册这些设备,这是一种注册 Windows 10 设备的自动化过程You can only register these devices with Azure AD using a Hybrid Azure AD join, which is an automated process to get a Windows 10 device registered.

表列出设备的名称、启用状态、O S、版本、联接类型、所有者、M D M 和符合状态。符合状态为“否”。

怎样使加入混合 Azure AD 的设备成为受管理设备?What makes a Hybrid Azure AD joined device a managed device? 对于加入本地 AD 的设备,假定使用管理解决方案(如 Configuration Manager)或组策略 (GP) 对这些设备进行控制来管理它们 。For devices that are joined to an on-premises AD, it is assumed that the control over these devices is enforced using management solutions such as Configuration Manager or group policy (GP) to manage them. 由于 Azure AD 无法确定是否已向设备应用这些方法中的任何一种,因此,在要求使用受管理设备的情况下,要求使用加入混合 Azure AD 的设备是一种相对较弱的机制。Because there is no method for Azure AD to determine whether any of these methods has been applied to a device, requiring a hybrid Azure AD joined device is a relatively weak mechanism to require a managed device. 如果加入本地域的设备同时也是加入混合 Azure AD 的设备,则由管理员判断应用于此类设备的方法是否强大到足以使其成为受管理设备。It is up to you as an administrator to judge whether the methods that are applied to your on-premises domain-joined devices are strong enough to constitute a managed device if such a device is also a Hybrid Azure AD joined device.

要求将设备标记为合规Require device to be marked as compliant

“要求将设备标记为合规”选项是一种用于请求受管理设备的最强大的形式。The option to require a device to be marked as compliant is the strongest form to request a managed device.

“Azure A D 授权”窗格的屏幕截图。已选择“授予访问权限”。还选中了要求将设备标记为合规的复选框。

此选项要求向 Azure AD 注册设备,此外还要求通过以下方式将该设备标记为合规:This option requires a device to be registered with Azure AD, and also to be marked as compliant by:

  • IntuneIntune
  • 第三方移动设备管理 (MDM) 系统,该系统通过 Azure AD 集成管理 Windows 10 设备。A third-party mobile device management (MDM) system that manages Windows 10 devices via Azure AD integration. 不支持除 Windows 10 以外的设备 OS 类型的第三方 MDM 系统。Third-party MDM systems for device OS types other than Windows 10 are not supported.

表列出设备的名称、启用状态、O S、版本、联接类型、所有者、M D M 和符合状态。突出显示了符合状态。

对于标记为合规的设备,你可以假设:For a device that is marked as compliant, you can assume that:

  • 员工用来访问公司数据的移动设备是受管理设备The mobile devices your workforce uses to access company data are managed
  • 员工使用的移动应用是受管理应用Mobile apps your workforce uses are managed
  • 通过帮助控制员工访问和共享公司信息的方式,为公司信息提供保护Your company information is protected by helping to control the way your workforce accesses and shares it
  • 该设备及其应用符合公司安全要求The device and its apps are compliant with company security requirements

方案:需要 iOS 和 Android 设备的设备注册Scenario: Require device enrollment for iOS and Android devices

在这种情况下,Contoso 已决定对 Microsoft 365 资源的所有移动访问都必须使用已注册的设备。In this scenario, Contoso has decided that all mobile access to Microsoft 365 resources must use an enrolled device. 其所有用户已使用 Azure AD 凭据登录,并获得了分配的许可证,其中包括 Azure AD Premium P1 或 P2 以及 Microsoft Intune。All of their users already sign in with Azure AD credentials and have licenses assigned to them that include Azure AD Premium P1 or P2 and Microsoft Intune.

组织必须完成以下步骤才能要求使用已注册的移动设备。Organizations must complete the following steps in order to require the use of an enrolled mobile device.

  1. 以全局管理员、安全管理员或条件访问管理员的身份登录到 Azure 门户Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.
  2. 浏览到“Azure Active Directory” > “安全性” > “条件访问” 。Browse to Azure Active Directory > Security > Conditional Access.
  3. 选择“新策略” 。Select New policy.
  4. 为策略指定名称。Give your policy a name. 建议组织为其策略的名称创建有意义的标准。We recommend that organizations create a meaningful standard for the names of their policies.
  5. 在“分配” 下,选择“用户和组” Under Assignments, select Users and groups
    1. 在“包括”下选择“所有用户”,或选择你希望对其应用此策略的具体“用户和组”。 Under Include, select All users or the specific Users and groups you wish to apply this policy to.
    2. 选择“完成” 。Select Done.
  6. 在“云应用或操作” > “包括”下,选择“Office 365”。Under Cloud apps or actions > Include, select Office 365.
  7. 在“条件”下,选择“设备平台”。 Under Conditions, select Device platforms.
    1. 将“配置”设置为“是”。 Set Configure to Yes.
    2. 包括 Android 和 iOS。 Include Android and iOS.
  8. 在“访问控制” > “授予”下,选择以下选项:Under Access controls > Grant, select the following options:
    • 要求将设备标记为合规Require device to be marked as compliant
  9. 确认设置,然后将“启用策略”设置为“打开”。 Confirm your settings and set Enable policy to On.
  10. 选择“创建” ,以便创建并启用策略。Select Create to create and enable your policy.

已知行为Known behavior

使用设备代码 OAuth 流时,不支持要求受管理设备授予控制或设备状态条件。When using the device-code OAuth flow, the require managed device grant control or a device state condition are not supported. 这是因为执行身份验证的设备无法向提供代码的设备提供其设备状态,并且令牌中的设备状态锁定到执行身份验证的设备。This is because the device performing authentication cannot provide its device state to the device providing a code and the device state in the token is locked to the device performing authentication. 改为使用“需要多重身份验证授权控制”。Use the require multi-factor authentication grant control instead.

在 Windows 7、iOS、Android、macOS 和某些第三方 Web 浏览器上,Azure AD 使用客户端证书来标识设备,该证书是在向 Azure AD 注册设备时预配的。On Windows 7, iOS, Android, macOS, and some third-party web browsers Azure AD identifies the device using a client certificate that is provisioned when the device is registered with Azure AD. 用户首次通过浏览器登录时,系统会提示用户选择此证书。When a user first signs in through the browser the user is prompted to select the certificate. 最终用户必须选择此证书才能继续使用浏览器。The end user must select this certificate before they can continue to use the browser.