What are service dependencies in Azure Active Directory Conditional Access?

With Conditional Access policies, you can specify access requirements for websites and services. For example, your access requirements can include requiring multi-factor authentication (MFA).

When you access a site or service directly, the impact of a related policy is typically easy to assess. For example, if you have a policy configured that requires MFA for SharePoint Online, MFA is enforced for each sign-in to the SharePoint web portal. However, it is not always straightforward to assess the impact of a policy, because some cloud apps have dependencies on other cloud apps. For example, Microsoft Teams can provide access to resources in SharePoint Online. So, when you access Microsoft Teams in this scenario, you are also subject to the SharePoint MFA policy.

Policy enforcement

If you have a service dependency configured, the policy may be applied using early-bound or late-bound enforcement.

  • Early-bound policy enforcement means a user must satisfy the dependent service's policy before accessing the calling app. For example, a user must satisfy the SharePoint policy before signing in to MS Teams.
  • Late-bound policy enforcement occurs after the user signs in to the calling app. Enforcement is deferred until the calling app requests a token for the downstream service. Examples include MS Teams accessing Planner and Office.com accessing SharePoint.

The diagram below illustrates MS Teams service dependencies. Solid arrows indicate early-bound enforcement; the dashed arrow for Planner indicates late-bound enforcement.

[Diagram: MS Teams service dependencies]

As a best practice, you should set common policies across related apps and services whenever possible. Having a consistent security posture provides you with the best user experience. For example, setting a common policy across Exchange Online, SharePoint Online, Microsoft Teams, and Skype for Business significantly reduces unexpected prompts that may arise from different policies being applied to downstream services.

The table below lists additional service dependencies that client apps must satisfy.

Client apps           Downstream service                  Enforcement
Microsoft Classroom   Exchange                            Early-bound
Microsoft Classroom   SharePoint                          Early-bound
Microsoft Teams       Exchange                            Early-bound
Microsoft Teams       MS Planner                          Late-bound
Microsoft Teams       SharePoint                          Early-bound
Microsoft Teams       Skype for Business Online           Early-bound
Office Portal         Exchange                            Late-bound
Office Portal         SharePoint                          Late-bound
Outlook groups        Exchange                            Early-bound
Outlook groups        SharePoint                          Early-bound
Outlook groups        Azure Active Directory              Early-bound
Project               Dynamics CRM                        Early-bound
Skype for Business    Exchange                            Early-bound
Visual Studio         Azure Management (portal and API)   Early-bound
Microsoft Forms       Exchange                            Early-bound
Microsoft Forms       SharePoint                          Early-bound
Microsoft To-Do       Exchange                            Early-bound
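To make the early-bound versus late-bound distinction above, and the best-practice advice about inconsistent downstream policies, concrete, here is an added example that is not part of the Microsoft page: a small Python model that takes the dependency table as data and reports, for a given client app, which controls a user hits at sign-in and which are deferred to a downstream token request. The policy map, the control name "mfa", and the evaluation logic are constructed assumptions for illustration, not Azure AD's actual policy engine.

```python
# Added example (not from the Microsoft page): a model of early-bound vs
# late-bound enforcement so an admin can see where a downstream policy prompts.
# DEPENDENCIES is transcribed from the page's table plus the Teams diagram;
# the evaluation logic is a simplification, not Azure AD's real engine.
DEPENDENCIES = {
    "Microsoft Classroom": {"Exchange": "early", "SharePoint": "early"},
    "Microsoft Teams": {"Exchange": "early", "MS Planner": "late",
                        "SharePoint": "early", "Skype for Business Online": "early"},
    "Office Portal": {"Exchange": "late", "SharePoint": "late"},
    "Outlook groups": {"Exchange": "early", "SharePoint": "early",
                       "Azure Active Directory": "early"},
    "Project": {"Dynamics CRM": "early"},
    "Skype for Business": {"Exchange": "early"},
    "Visual Studio": {"Azure Management (portal and API)": "early"},
    "Microsoft Forms": {"Exchange": "early", "SharePoint": "early"},
    "Microsoft To-Do": {"Exchange": "early"},
}


def effective_controls(client_app, policies):
    """Split the controls a user must meet when using client_app into those
    demanded at sign-in (the app's own policy plus early-bound dependencies)
    and those deferred until a token for a late-bound downstream service is
    requested. policies maps an app/service name to the set of controls its
    policy requires, e.g. {"SharePoint": {"mfa"}} (constructed sample)."""
    at_sign_in = set(policies.get(client_app, ()))
    deferred = {}
    for service, binding in DEPENDENCIES.get(client_app, {}).items():
        controls = set(policies.get(service, ()))
        if not controls:
            continue
        if binding == "early":
            at_sign_in |= controls          # must be satisfied before sign-in
        else:
            deferred[service] = controls    # prompts later, on token request
    return at_sign_in, deferred


def inconsistent_policies(policies):
    """Flag dependency edges where the downstream service demands a control the
    calling app does not: the 'unexpected prompt' case the best practice warns
    about. Returns (client_app, service, binding, extra_controls) tuples."""
    findings = []
    for app, deps in DEPENDENCIES.items():
        for service, binding in deps.items():
            extra = set(policies.get(service, ())) - set(policies.get(app, ()))
            if extra:
                findings.append((app, service, binding, frozenset(extra)))
    return findings
```

With only SharePoint requiring MFA, the model shows Teams users prompted at sign-in (early-bound) while Office Portal users are prompted later (late-bound); adding the same MFA policy to the related apps clears the Teams findings.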

Next steps

To learn how to implement Conditional Access in your environment, see Plan your Conditional Access deployment in Azure Active Directory.