Build resilience by using Continuous Access Evaluation

Continuous Access Evaluation (CAE) allows Azure AD applications to subscribe to critical events that can then be evaluated and enforced. This includes evaluation of the following events:

  • The user account being deleted or disabled

  • The password for a user is changed

  • MFA is enabled for the user

  • An administrator explicitly revokes a token

  • Elevated user risk is detected

As a result, applications can reject unexpired tokens based on the events signaled by Azure AD, as depicted in the following diagram.

Conceptual diagram of CAE

How does CAE help?

This mechanism allows Azure AD to issue longer-lived tokens while giving applications a way to revoke access and force re-authentication only when needed. The net result of this pattern is fewer calls to acquire tokens, which means that the end-to-end flow is more resilient.

To use CAE, both the service and the client must be CAE-capable. Microsoft 365 services such as Exchange Online, Teams, and SharePoint Online support CAE. On the client side, browser-based experiences that use these Office 365 services (for example, Outlook Web App) and specific versions of Office 365 native clients are CAE-capable. More Azure cloud services will become CAE-capable.

Microsoft is working with the industry to build standards that will allow third-party applications to use this capability. You can also develop applications that are CAE-capable. See "How to build resilience in your application" for more information.
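The following is an added example, not code from this page or from Microsoft: it shows what a CAE-capable client has to handle when a CAE-capable resource rejects an unexpired token after one of the critical events above. The 401 header value is constructed for the example; the "cp1" client capability and the claims parameter on the next token request are MSAL conventions assumed here.

```python
import base64
import json
import re

# Constructed sample: a CAE-capable resource rejecting an unexpired token after
# a critical event (e.g. a password change). The claims value is base64 JSON
# naming the claim the next token must satisfy ("nbf" here, i.e. a token issued
# after the event, which forces fresh authentication).
SAMPLE_WWW_AUTHENTICATE = (
    'Bearer realm="", '
    'authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
    'error="insufficient_claims", '
    'claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNjA0MTA2NjUxIn19fQ=="'
)

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_params(header: str) -> dict:
    """Split a Bearer WWW-Authenticate header into its key/value parameters."""
    if not header.startswith("Bearer"):
        raise ValueError("not a Bearer challenge")
    return dict(_PARAM_RE.findall(header[len("Bearer"):]))


def is_claims_challenge(status: int, header: str) -> bool:
    """A CAE claims challenge is a 401 whose Bearer parameters carry
    error="insufficient_claims" together with a claims value. A plain
    expired/invalid token (error="invalid_token") is not a CAE event."""
    if status != 401 or not header:
        return False
    params = parse_bearer_params(header)
    return params.get("error") == "insufficient_claims" and "claims" in params


def decode_claims_challenge(header: str) -> dict:
    """Base64-decode the claims parameter into the JSON the next token request
    must carry. Accepts both padded standard base64 and unpadded base64url."""
    raw = parse_bearer_params(header)["claims"]
    padded = raw + "=" * (-len(raw) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def claims_for_next_token_request(header: str) -> str:
    """Return the decoded claims as a compact JSON string. A client that declared
    the "cp1" capability (assumed: MSAL's client_capabilities=["cp1"]) passes this
    string as the claims parameter when it re-acquires a token instead of retrying
    with the cached, now-rejected token."""
    return json.dumps(decode_claims_challenge(header), separators=(",", ":"))
```

Clients that do not declare the capability never receive this challenge and only see the event as a generic 401, which is why both sides must be CAE-capable.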

How do I implement CAE?

  • Enable CAE in the Azure AD Security Configuration.

  • Ensure that your organization is using compatible versions of Microsoft Office native applications.

Next steps

Resilience resources for administrators and architects

Resilience resources for developers