Build resilience with device states

By enabling device states with Azure AD, administrators can author Conditional Access policies that control access to applications based on device state. The added benefit of devices is that they satisfy strong authentication requirements for access to resources, thus reducing additional MFA authentication requests and improving resiliency.

The following flow chart presents the different ways to onboard devices in Azure AD that enable device states. You can use more than one in your organization.

[Flowchart: choosing a device state]

When you use device states, users will in most cases experience single sign-on to resources through a Primary Refresh Token (PRT). The PRT contains claims about the user and the device and can be used to get authentication tokens to access applications from the device. The PRT is valid for 14 days and is continuously renewed as long as the user actively uses the device, providing users a resilient experience. A PRT can also get a multi-factor authentication claim in several ways. For more information, see When does a PRT get an MFA claim.

How do device states help?

When a PRT is used to request access to an application, its device, session, and MFA claims are trusted by Azure AD. When administrators create policies that require either a device-based control or a multi-factor authentication control, the policy requirement can be met through the device state without attempting multi-factor authentication. Users will not see additional multi-factor authentication prompts on the same device. This increases resilience to a disruption of the Azure MFA service, or its dependencies such as local telecom providers.
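The policy shape this describes is a grant control that accepts either a device-state control or MFA. As an added example that is not part of the original article, the following Microsoft Graph PowerShell snippet creates such a policy in report-only mode so its effect can be reviewed in sign-in logs before enforcement. The application id `00000000-0000-0000-0000-000000000000` and the group id are placeholders, and the group name `cap-pilot-users` is a constructed example.

```powershell
# Added example (not from the original page): a Conditional Access policy whose
# grant controls are combined with OR, so a compliant or hybrid-joined device
# satisfies the policy without an extra MFA prompt. Requires the Microsoft.Graph
# PowerShell module and the Policy.ReadWrite.ConditionalAccess permission.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder identifiers: replace with the target app and the pilot group id.
$targetAppId  = "00000000-0000-0000-0000-000000000000"
$pilotGroupId = "11111111-1111-1111-1111-111111111111"   # e.g. group "cap-pilot-users"

$policy = @{
    displayName = "Require device state or MFA (report-only)"
    # Report-only: evaluated and logged, but never blocks a sign-in.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @($pilotGroupId) }
        applications = @{ includeApplications = @($targetAppId) }
        # Limit to platforms that can carry a PRT-backed device claim.
        platforms    = @{ includePlatforms = @("windows", "iOS", "android", "macOS") }
    }
    grantControls = @{
        # "OR": any one of the listed controls satisfies the policy. A device
        # that is compliant or hybrid Azure AD joined therefore passes on its
        # PRT claims alone; only devices without that state fall back to MFA.
        operator         = "OR"
        builtInControls  = @("compliantDevice", "domainJoinedDevice", "mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"
```

Switching the operator to "AND" would require both the device state and MFA, which removes the resilience benefit described above; keep "OR" if the goal is to let trusted device state stand in for an MFA challenge.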

How do I implement device states?

  • Enable hybrid Azure AD join and Azure AD join for company-owned Windows devices, and require that they be joined if possible. If that is not possible, require that they be registered.

    If there are older versions of Windows in your organization, upgrade those devices to Windows 10.

  • Standardize user browser access on either Microsoft Edge or Google Chrome with the supported extensions that enable seamless SSO to web applications using the PRT.

  • For personal or company-owned iOS and Android devices, deploy the Microsoft Authenticator app. In addition to its multi-factor authentication and passwordless sign-in capabilities, the Microsoft Authenticator app enables single sign-on across native applications through brokered authentication, with fewer authentication prompts for end users.

  • For personal or company-owned iOS and Android devices, use mobile application management to securely access company resources with fewer authentication requests.

  • Use the Microsoft Enterprise SSO plug-in for Apple devices (preview). This registers the device and provides SSO across browser and native Azure AD applications.
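Once Windows devices have been joined or registered, a practitioner usually wants to confirm from the device itself that the join succeeded and that a PRT is actually present, since without a PRT the device-state path described above cannot satisfy the policy. The following check is an added example, not part of the original article: it runs the built-in `dsregcmd /status` utility and parses the join and PRT fields. The function name `Get-DeviceStateSummary` and the sample output used for offline parsing are constructed for this example.

```powershell
# Added example (not from the original page): summarize a Windows device's
# Azure AD join state and PRT presence from dsregcmd /status output.

function ConvertFrom-DsregStatus {
    # Parse "   Key : Value" lines into a hashtable (constructed helper).
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-DeviceStateSummary {
    # When no lines are supplied, query the live device.
    param([string[]]$StatusLines = (& dsregcmd.exe /status))
    $s = ConvertFrom-DsregStatus -Lines $StatusLines

    $azureAdJoined = ($s['AzureAdJoined'] -eq 'YES')
    $domainJoined  = ($s['DomainJoined']  -eq 'YES')
    $registered    = ($s['WorkplaceJoined'] -eq 'YES')
    $hasPrt        = ($s['AzureAdPrt']    -eq 'YES')

    $joinType = if ($azureAdJoined -and $domainJoined) { 'Hybrid Azure AD joined' }
                elseif ($azureAdJoined)               { 'Azure AD joined' }
                elseif ($registered)                  { 'Azure AD registered' }
                else                                  { 'Not joined or registered' }

    [pscustomobject]@{
        JoinType       = $joinType
        HasPrt         = $hasPrt
        # A joined device without a PRT will still be prompted for MFA: the
        # user has likely not signed in with an Azure AD account on it yet.
        SatisfiesDeviceControl = ($azureAdJoined -and $hasPrt)
    }
}

# Constructed sample output for offline use; a real run omits -StatusLines.
$sample = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '+----------------------------------------------------------------------+',
    '| SSO State                                                            |',
    '+----------------------------------------------------------------------+',
    '                AzureAdPrt : NO'
)
Get-DeviceStateSummary -StatusLines $sample | Format-List
# Expected: JoinType "Hybrid Azure AD joined", HasPrt False,
# SatisfiesDeviceControl False (joined, but no PRT until the user signs in).
```

On a fleet, running the same check through your management tool and alerting on joined devices that report `AzureAdPrt : NO` catches the case where a device appears onboarded in the portal but still cannot satisfy a device-based grant control.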

Next steps

Resilience resources for administrators and architects

Resilience resources for developers