Use Azure AD access reviews to manage users excluded from Conditional Access policies

In an ideal world, all users follow the access policies to secure access to your organization's resources. However, sometimes there are business cases that require you to make exceptions. This article goes over some examples of situations where exclusions may be necessary. You, as the IT administrator, can manage this task, avoid oversight of policy exceptions, and provide auditors with proof that these exceptions are reviewed regularly using Azure Active Directory (Azure AD) access reviews.

Note

A valid Azure AD Premium P2, Enterprise Mobility + Security E5 paid, or trial license is required to use Azure AD access reviews. For more information, see Azure Active Directory editions.

Why would you exclude users from policies?

Let's say that as the administrator, you decide to use Azure AD Conditional Access to require multi-factor authentication (MFA) and limit authentication requests to specific networks or devices. During deployment planning, you realize that not all users can meet these requirements. For example, you may have users who work from remote offices that are not part of your internal network. You may also have to accommodate users connecting using unsupported devices while waiting for those devices to be replaced. In short, the business needs these users to sign in and do their job, so you exclude them from Conditional Access policies.

As another example, you may be using named locations in Conditional Access to specify a set of countries and regions from which you don't want to allow users to access their tenant.

Named locations in Conditional Access

Unfortunately, some users may still have a valid reason to sign in from these blocked countries/regions. For example, users could be traveling for work and need to access corporate resources. In this case, the Conditional Access policy that blocks these countries/regions could use a cloud security group for the users excluded from the policy. Users who need access while traveling can add themselves to the group using Azure AD self-service group management.

Another example might be that you have a Conditional Access policy blocking legacy authentication for the vast majority of your users. However, if you have some users that need to use legacy authentication methods to access your resources via Office 2010 or IMAP/SMTP/POP based clients, then you can exclude these users from the policy that blocks legacy authentication methods.

Note

Microsoft strongly recommends that you block the use of legacy protocols in your tenant to improve your security posture.

Why are exclusions challenging?

In Azure AD, you can scope a Conditional Access policy to a set of users. You can also configure exclusions by selecting Azure AD roles, individual users, or guests. You should keep in mind that when exclusions are configured, the policy intent can't be enforced on excluded users. If exclusions are configured using a list of users or using legacy on-premises security groups, you will have limited visibility into the exclusions. As a result:

  • Users may not know that they are excluded.

  • Users can join the security group to bypass the policy.

  • Excluded users may have qualified for the exclusion before but may no longer qualify for it.

Frequently, when you first configure an exclusion, there is a short list of users who bypass the policy. Over time, more and more users get added to the exclusion, and the list grows. At some point, you need to review the list and confirm that each of these users is still eligible for exclusion. Managing the exclusion list, from a technical point of view, can be relatively easy, but who makes the business decisions, and how do you make sure it is all auditable? However, if you configure the exclusion using an Azure AD group, you can use access reviews as a compensating control to drive visibility and reduce the number of excluded users.
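The visibility problems above can be checked mechanically. The following added example (not part of the original article or any Microsoft tool) audits Conditional Access policies for exclusions that an access review cannot govern: users excluded individually, excluded groups synced from on-premises, dynamic groups, and assigned groups that have grown large. The policy and group objects are constructed samples shaped like the Microsoft Graph conditionalAccessPolicy and group resources; the memberCount field is an assumption added for the example.

```python
# Constructed sample of two Conditional Access policies, shaped like the Graph
# conditionalAccessPolicy resource (conditions.users.exclude* fields).
POLICIES = [
    {"displayName": "Block legacy authentication",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["user-a", "user-b", "user-c"],
                              "excludeGroups": ["grp-legacy"],
                              "excludeRoles": []}}},
    {"displayName": "Block sign-in from listed countries",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                              "excludeGroups": ["grp-travel", "grp-onprem"],
                              "excludeRoles": ["role-global-admin"]}}},
]

# Constructed sample of the excluded groups, keyed by id. groupTypes and
# onPremisesSyncEnabled are Graph group properties; memberCount is an assumed
# field for this example (in Graph you would count /groups/{id}/members).
GROUPS = {
    "grp-legacy": {"displayName": "CA-Exclude-LegacyAuth", "groupTypes": [],
                   "onPremisesSyncEnabled": None, "memberCount": 4},
    "grp-travel": {"displayName": "CA-Exclude-Travel", "groupTypes": [],
                   "onPremisesSyncEnabled": None, "memberCount": 120},
    "grp-onprem": {"displayName": "LegacyExceptions", "groupTypes": [],
                   "onPremisesSyncEnabled": True, "memberCount": 9},
}


def audit_exclusions(policies, groups, max_members=50):
    """Return one (policy, finding, detail) tuple per exclusion that an access
    review cannot govern, or that has grown past max_members members."""
    findings = []
    for policy in policies:
        name = policy["displayName"]
        users = policy["conditions"]["users"]
        # Individually excluded users are only visible inside the policy and
        # cannot be placed under an access review: move them into a group.
        if users.get("excludeUsers"):
            findings.append((name, "direct-users", len(users["excludeUsers"])))
        for gid in users.get("excludeGroups", []):
            group = groups[gid]
            label = group["displayName"]
            if group.get("onPremisesSyncEnabled"):
                # Membership is mastered on-premises, so review decisions cannot
                # remove members; use a cloud security group instead.
                findings.append((name, "on-prem-group", label))
            elif "DynamicMembership" in group.get("groupTypes", []):
                # Rule-driven membership cannot be changed by reviewers either.
                findings.append((name, "dynamic-group", label))
            elif group["memberCount"] > max_members:
                findings.append((name, "large-group", label))
    return findings
```

Run it with `audit_exclusions(POLICIES, GROUPS)`; each finding names the policy, the type of gap, and the group or user count involved.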

How to create an exclusion group in a Conditional Access policy

Follow these steps to create a new Azure AD group and a Conditional Access policy that does not apply to that group.

Create an exclusion group

  1. Sign in to the Azure portal.

  2. In the left navigation, click Azure Active Directory and then click Groups.

  3. On the top menu, click New Group to open the group pane.

  4. In the Group type list, select Security. Specify a name and description.

  5. Make sure to set the Membership type to Assigned.

  6. Select the users that should be part of this exclusion group and then click Create.

New group pane in Azure Active Directory

Create a Conditional Access policy that excludes the group

Now you can create a Conditional Access policy that uses this exclusion group.

  1. In the left navigation, click Azure Active Directory and then click Conditional Access to open the Policies blade.

  2. Click New policy to open the New pane.

  3. Specify a name.

  4. Under Assignments, click Users and groups.

  5. On the Include tab, select All Users.

  6. On the Exclude tab, add a checkmark to Users and groups and then click Select excluded users.

  7. Select the exclusion group you created.

    Note

    As a best practice, it is recommended to exclude at least one administrator account from the policy when testing to make sure you are not locked out of your tenant.

  8. Continue with setting up the Conditional Access policy based on your organizational requirements.

Select excluded users pane in Conditional Access

Let's cover two examples where you can use access reviews to manage exclusions in Conditional Access policies.

Example 1: Access review for users accessing from blocked countries/regions

Let's say you have a Conditional Access policy that blocks access from certain countries/regions. It includes a group that is excluded from the policy. Here is a recommended access review where members of the group are reviewed.

Note

A Global administrator or User administrator role is required to create access reviews.

  1. The review will happen every week.

  2. The review will never end, in order to make sure you're keeping this exclusion group as up to date as possible.

  3. All members of this group will be in scope for the review.

  4. Each user will need to self-attest that they still need access from these blocked countries/regions, and therefore still need to be a member of the group.

  5. If the user doesn't respond to the review request, they will be automatically removed from the group, and they will no longer have access to the tenant while traveling to these countries/regions.

  6. Enable email notifications to let users know about the start and completion of the access review.

    Create access review pane for Example 1

Example 2: Access review for users accessing with legacy authentication

Let's say you have a Conditional Access policy that blocks access for users using legacy authentication and older client versions, and it includes a group that is excluded from the policy. Here is a recommended access review where members of the group are reviewed.

  1. This review would need to be a recurring review.

  2. Everyone in the group would need to be reviewed.

  3. It could be configured to list the business unit owners as the selected reviewers.

  4. Auto-apply the results and remove users that have not been approved to continue using legacy authentication methods.

  5. It might be beneficial to enable recommendations so reviewers of large groups can easily make their decisions.

  6. Enable mail notifications so users are notified about the start and completion of the access review.

    Create access review pane for Example 2

Important

If you have many exclusion groups and therefore need to create multiple access reviews, we now have an API in the Microsoft Graph beta endpoint that allows you to create and manage them programmatically. To get started, see the Azure AD access reviews API reference and Example of retrieving Azure AD access reviews via Microsoft Graph.

Access review results and audit logs

Now that you have everything in place (group, Conditional Access policy, and access reviews), it is time to monitor and track the results of these reviews.

  1. In the Azure portal, open the Access reviews blade.

  2. Open the control and program you have created for managing the exclusion group.

  3. Click Results to see who was approved to stay on the list and who was removed.

    Access review results showing who was approved

  4. Then click Audit logs to see the actions that were taken during this review.

    Access review audit logs listing the actions taken

As an IT administrator, you know that managing exclusion groups for your policies is sometimes inevitable. However, maintaining these groups, reviewing them on a regular basis by the business owner or the users themselves, and auditing these changes can be made easier with Azure AD access reviews.

Next steps