Troubleshooting Conditional Access using the What If tool

The What If tool in Conditional Access is powerful when trying to understand why a policy was or wasn't applied to a user in a specific circumstance or if a policy would apply in a known state.

The What If tool is located in the Azure portal > Azure Active Directory > Conditional Access > What If.

Conditional Access What If tool at default state

Note

The What If tool currently does not evaluate policies in report-only mode.

Gathering information

The What If tool requires only a User to get started.

The following additional information is optional but will help to narrow the scope for specific cases.

  • Cloud apps or actions
  • IP address
  • Country/Region
  • Device platform
  • Client apps (preview)
  • Device state (preview)
  • Sign-in risk

This information can be gathered from the user, their device, or the Azure AD sign-ins log.

Generating results

Input the criteria gathered in the previous section and select What If to generate a list of results.

At any point, you can select Reset to clear any criteria input and return to the default state.

Evaluating results

Policies that will apply

This list will show which Conditional Access policies would apply given the conditions. The list will include both the grant and session controls that apply. Examples include requiring multi-factor authentication to access a specific application.

Policies that will not apply

This list will show Conditional Access policies that wouldn't apply if the conditions applied. The list will include any policies and the reason why they don't apply. Examples include users and groups that may be excluded from a policy.

Use case

Many organizations create policies based on network locations, permitting trusted locations and blocking locations where access should not occur.

To validate that a configuration has been made appropriately, an administrator could use the What If tool to mimic access, from a location that should be allowed and from a location that should be denied.

What If tool showing results with Block access

In this instance, the user would be blocked from accessing any cloud app on their trip to North Korea as Contoso has blocked access from that location.

This test could be expanded to incorporate other data points to narrow the scope.
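The location use case can be reasoned through offline with a small model before testing in the portal. The following is an added example, not Microsoft's evaluation engine or code from this page: a simplified Python model of how a simulated sign-in produces the "will apply" and "will not apply" lists. The `Policy` fields, reason strings, policy names, and user names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    state: str  # "enabled" or "reportOnly"
    include_users: set  # user names, or {"All"}
    exclude_users: set = field(default_factory=set)
    locations: set = field(default_factory=lambda: {"All"})  # country codes
    exclude_locations: set = field(default_factory=set)
    controls: tuple = ()  # grant/session controls (hypothetical labels)

def what_if(policies, user, country):
    """Return (will_apply, will_not_apply) for one simulated sign-in."""
    will_apply, will_not_apply = [], []
    for p in policies:
        if p.state != "enabled":
            continue  # report-only policies are not evaluated by the tool
        if user in p.exclude_users:
            will_not_apply.append((p.name, "user excluded"))
        elif "All" not in p.include_users and user not in p.include_users:
            will_not_apply.append((p.name, "user not included"))
        elif country in p.exclude_locations:
            will_not_apply.append((p.name, "location excluded"))
        elif "All" not in p.locations and country not in p.locations:
            will_not_apply.append((p.name, "location not included"))
        else:
            will_apply.append((p.name, p.controls))
    return will_apply, will_not_apply

def is_blocked(will_apply):
    """A sign-in is blocked if any applicable policy carries a block control."""
    return any("block" in controls for _, controls in will_apply)

# Constructed sample policies for a hypothetical Contoso tenant.
BREAKGLASS = "breakglass@contoso.example"
POLICIES = [
    Policy("Block untrusted countries", "enabled", {"All"}, {BREAKGLASS},
           locations={"KP"}, controls=("block",)),
    Policy("Require MFA for all users", "enabled", {"All"}, {BREAKGLASS},
           controls=("mfa",)),
    Policy("Require compliant device (pilot)", "reportOnly", {"All"},
           controls=("compliantDevice",)),
]

if __name__ == "__main__":
    for who, where in [("alice@contoso.example", "KP"),
                       ("alice@contoso.example", "US"), (BREAKGLASS, "KP")]:
        applied, skipped = what_if(POLICIES, who, where)
        print(who, where, "BLOCKED" if is_blocked(applied) else "allowed", skipped)
```

The third case is the one worth checking in a real tenant: an account excluded from the location policy is not blocked, and the exclusion shows up as the reason in the "will not apply" list.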
