Configure how end-users consent to applications

You can integrate your applications with the Microsoft identity platform to allow users to sign in with their work or school account and access your organization's data to deliver rich data-driven experiences.

Before an application can access your organization's data, a user must grant the application permissions to do so. Different permissions allow different levels of access. By default, all users are allowed to consent to applications for permissions that don't require administrator consent. For example, by default, a user can consent to allow an app to access their mailbox but can't consent to allow an app unfettered access to read and write to all files in your organization.

By allowing users to grant apps access to data, users can easily acquire useful applications and be productive. However, in some situations this configuration can represent a risk if it's not monitored and controlled carefully.

Important

To reduce the risk of malicious applications attempting to trick users into granting them access to your organization's data, we recommend that you allow user consent only for applications that have been published by a verified publisher.

App consent policies describe the conditions that must be met before an app can be consented to. These policies may include conditions on the app requesting access, as well as on the permissions the app is requesting.

By choosing which app consent policies apply for all users, you can set limits on when end-users are allowed to grant consent to apps, and when they will be required to request administrator review and approval:

  • Disable user consent - Users cannot grant permissions to applications. Users can continue to sign in to apps they had previously consented to, or which administrators consented to on their behalf, but they will not be allowed to consent to new permissions or to new apps on their own. Only users who have been granted a directory role that includes the permission to grant consent will be able to consent to new apps.

  • Users can consent to apps from verified publishers or your organization, but only for permissions you select - All users can only consent to apps that were published by a verified publisher and apps that are registered in your tenant. Users can only consent to the permissions you have classified as "low impact". You must classify permissions to select which permissions users are allowed to consent to.

  • Users can consent to all apps - This option allows all users to consent to any permission that doesn't require admin consent, for any application.

  • Custom app consent policy - For even more control over the conditions governing when users can consent, you can create a custom app consent policy and configure it to apply to user consent.

To configure user consent settings through the Azure portal:

  1. Sign in to the Azure portal as a Global Administrator.
  2. Select Azure Active Directory > Enterprise applications > Consent and permissions > User consent settings.
  3. Under User consent for applications, select which consent setting you'd like to configure for all users.
  4. Select Save to save your settings.
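As an added example (not part of the original article), the same three built-in options can be read and set from PowerShell, which is useful for auditing the setting across tenants. It assumes the AzureADPreview module and its Get-AzureADMSAuthorizationPolicy / Set-AzureADMSAuthorizationPolicy cmdlets; the function names and the remediation logic are this example's own.

```powershell
# Added example, not from the original article. Assumes the AzureADPreview module;
# Connect-AzureAD prompts interactively for an account with rights to change the policy.
# The two built-in policy ids below are what the portal options write to the
# default user role; an empty list corresponds to "Disable user consent".
$PolicyLow    = 'managePermissionGrantsForSelf.microsoft-user-default-low'     # verified publishers / your org, low-impact permissions only
$PolicyLegacy = 'managePermissionGrantsForSelf.microsoft-user-default-legacy'  # all apps, any permission not needing admin consent

# Map the policy ids assigned to the default user role back to the portal option
# name, so an audit script can report (and alert on) the current setting.
function Get-UserConsentSettingName {
    param([string[]]$AssignedPolicyIds)

    if (-not $AssignedPolicyIds -or $AssignedPolicyIds.Count -eq 0) {
        return 'Disable user consent'
    }
    if ($AssignedPolicyIds -contains $PolicyLegacy) {
        return 'Users can consent to all apps'        # broadest, highest-risk option
    }
    if ($AssignedPolicyIds.Count -eq 1 -and $AssignedPolicyIds[0] -eq $PolicyLow) {
        return 'Users can consent to apps from verified publishers or your organization, for selected permissions'
    }
    return 'Custom app consent policy'                # anything else is a custom policy assignment
}

# Apply one of the three built-in options by assigning the matching policy ids.
function Set-UserConsentSetting {
    param([Parameter(Mandatory)][ValidateSet('Disabled', 'VerifiedPublishersLowImpact', 'AllApps')][string]$Option)

    [string[]]$ids = @()
    if ($Option -eq 'VerifiedPublishersLowImpact') { $ids = @($PolicyLow) }
    elseif ($Option -eq 'AllApps')                  { $ids = @($PolicyLegacy) }
    Set-AzureADMSAuthorizationPolicy -PermissionGrantPolicyIdsAssignedToDefaultUserRole $ids
}

Connect-AzureAD | Out-Null
$policy  = Get-AzureADMSAuthorizationPolicy
$current = Get-UserConsentSettingName -AssignedPolicyIds $policy.PermissionGrantPolicyIdsAssignedToDefaultUserRole
Write-Output "Current user consent setting: $current"

# Move the riskiest setting to the one the article recommends (verified publishers, low-impact permissions).
if ($current -eq 'Users can consent to all apps') {
    Write-Warning 'Users can currently consent to any app; applying the verified-publisher, low-impact setting.'
    Set-UserConsentSetting -Option VerifiedPublishersLowImpact
}
```

Permissions still have to be classified as "low impact" (in the portal under Consent and permissions > Permission classifications) for the verified-publisher option to allow any user consent at all.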

User consent settings