Manage external access with Conditional Access policies

Conditional Access is the tool Azure AD uses to bring together signals, enforce policies, and determine whether a user should be allowed access to resources. For detailed information on how to create and use Conditional Access policies, see Plan a Conditional Access deployment.

Diagram of Conditional Access signals and decisions

This article discusses applying Conditional Access policies to external users and assumes you don't have access to Entitlement Management functionality. Conditional Access policies can be, and commonly are, used alongside Entitlement Management.

Earlier in this document set, you created a security plan that outlined:

  • Which applications and resources have the same security requirements and can be grouped for access.

  • Sign-in requirements for external users.

You will use that plan to create your Conditional Access policies for external access.

Important

Create a few external user test accounts so that you can test the policies you create before applying them to all external users.

Conditional Access policies for external access

The following are best practices related to governing external access with Conditional Access policies.

  • If you can't use connected organizations in Entitlement Management, create an Azure AD security group or Microsoft 365 group for each partner organization you work with. Assign all users from that partner to the group. You may then use those groups in Conditional Access policies.

  • Create as few Conditional Access policies as possible. For applications that have the same access needs, add them all to the same policy.

    Note

    Conditional Access policies can apply to a maximum of 250 applications. If more than 250 apps have the same access needs, create duplicate policies. Policy A will apply to apps 1-250, policy B will apply to apps 251-500, and so on.

  • Clearly name policies specific to external access with a naming convention. One naming convention is ExternalAccess_actiontaken_AppGroup. For example, ExternalAccess_Block_FinanceApps.

Block all external users from resources

You can block external users from accessing specific sets of resources with Conditional Access policies. Once you've determined the set of resources to which you want to block access, create a policy.

To create a policy that blocks access for external users to a set of applications:

  1. Access the Azure portal, select Azure Active Directory, select Security, then select Conditional Access.

  2. Select New Policy, and enter a name, for example ExternalAccess_Block_FinanceApps.

  3. Select Users and groups. On the Include tab, choose Select users and groups, then select All guests and external users.

  4. Select Exclude and enter your Administrator group(s) and any emergency access (break-glass) accounts.

  5. Select Cloud apps or actions, choose Select apps, select all of the apps to which you want to block external access, then choose Select.

  6. Select Conditions, select Locations, under Configure select Yes, and select Any location.

  7. Under Access controls, select Grant, change the toggle to Block, and choose Select.

  8. Ensure that the Enable policy setting is set to Report only, then select Create.

Block external access to all except specific external users

There may be times you want to block all external users except a specific group. For example, you may want to block all external users except those working for the finance team from the finance applications. To do this:

  1. Create a security group to hold the external users who should access the finance applications.

  2. Follow steps 1-3 in Block all external users from resources above.

  3. In step 4, also add the security group you want to exclude from being blocked from the finance apps.

  4. Perform the rest of the steps.
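The two procedures above expressed as Microsoft Graph conditionalAccessPolicy request bodies, as an added example that is not part of the original article: the function maps steps 2-8 onto the policy fields, enforces the 250-application split and the ExternalAccess_actiontaken_AppGroup naming convention from the best-practices list, and accepts an optional exempt group for the "all except specific external users" variant. The object IDs, the app_group label and the ValueError checks are assumptions; the Graph field names and the GuestsOrExternalUsers, All and block keywords are the documented API values.

```python
import re

MAX_APPS_PER_POLICY = 250  # limit stated in the note above
# ExternalAccess_actiontaken_AppGroup naming convention from the page
NAME_RE = re.compile(r"^ExternalAccess_[A-Za-z]+_[A-Za-z0-9]+$")


def build_external_block_policies(app_group, app_ids, admin_group_ids,
                                  break_glass_user_ids, exempt_group_ids=(),
                                  report_only=True):
    """Return Graph conditionalAccessPolicy bodies for steps 2-8 above.

    More than 250 app IDs are split into _A, _B, ... duplicate policies.
    Groups in exempt_group_ids (e.g. the finance partner group) are excluded
    so they are not blocked: the 'all except specific users' variant.
    All IDs are caller-supplied placeholders, not real tenant values.
    """
    if not app_ids:
        raise ValueError("select at least one application to block")
    if not break_glass_user_ids:
        raise ValueError("exclude at least one emergency access account")
    base_name = f"ExternalAccess_Block_{app_group}"
    if not NAME_RE.match(base_name):
        raise ValueError(f"name violates convention: {base_name}")
    chunks = [list(app_ids[i:i + MAX_APPS_PER_POLICY])
              for i in range(0, len(app_ids), MAX_APPS_PER_POLICY)]
    policies = []
    for idx, chunk in enumerate(chunks):
        name = base_name if len(chunks) == 1 else f"{base_name}_{chr(65 + idx)}"
        policies.append({
            "displayName": name,  # step 2
            # step 8: start in report-only mode so nobody is locked out while testing
            "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
            "conditions": {
                "users": {
                    # step 3: all guests and external users (Graph keyword)
                    "includeUsers": ["GuestsOrExternalUsers"],
                    # step 4: admins, break-glass accounts and exempt partners are never blocked
                    "excludeUsers": list(break_glass_user_ids),
                    "excludeGroups": list(admin_group_ids) + list(exempt_group_ids),
                },
                "applications": {"includeApplications": chunk},  # step 5
                "locations": {"includeLocations": ["All"]},       # step 6
            },
            # step 7: grant control set to Block
            "grantControls": {"operator": "OR", "builtInControls": ["block"]},
        })
    return policies
```

Each returned body is what you would POST to /identity/conditionalAccess/policies; keep the state report-only until the test accounts confirm the expected sign-in outcomes.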

Implement Conditional Access

Many common Conditional Access policies are documented. See the following, which you can adapt for external users.

Next steps

See the following articles on securing external access to resources. We recommend you take the actions in the listed order.

  1. Determine your desired security posture for external access

  2. Discover your current state

  3. Create a governance plan

  4. Use groups for security

  5. Transition to Azure AD B2B

  6. Secure access with Entitlement Management

  7. Secure access with Conditional Access policies (you are here)

  8. Secure access with sensitivity labels

  9. Secure access to Microsoft Teams, OneDrive, and SharePoint