Manage access to Azure management with Conditional Access

Note

Make sure you understand how Conditional Access works before setting up a policy to manage access to Azure management. Make sure you don't create conditions that could block your own access to the portal.

Conditional Access in Azure Active Directory (Azure AD) controls access to cloud apps based on specific conditions that you specify. To allow access, you create Conditional Access policies that allow or block access based on whether or not the requirements in the policy are met.

Typically, you use Conditional Access to control access to your cloud apps. You can also set up policies to control access to Azure management based on certain conditions (such as sign-in risk, location, or device) and to enforce requirements like multi-factor authentication.

To create a policy for Azure management, you select Azure Management under Cloud apps when choosing the app to which to apply the policy.

Conditional Access for Azure management

The policy you create applies to all Azure management endpoints, including the following:

  • Azure portal
  • Azure Resource Manager provider
  • Classic Service Management APIs
  • Azure PowerShell
  • Visual Studio subscriptions administrator portal
  • Azure DevOps
  • Azure Data Factory portal

Note that the policy applies to Azure PowerShell, which calls the Azure Resource Manager API. It does not apply to Azure AD PowerShell, which calls Microsoft Graph.
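As an added example (not part of the original article), a policy of the kind described here can be created with the Microsoft Graph PowerShell SDK. The display name and the emergency-access account object ID are placeholders chosen for illustration. The policy is created in report-only state and excludes that account, so it cannot block your own access to the portal before you have reviewed its effect.

```powershell
# Added example: report-only Conditional Access policy that requires MFA
# for the "Azure Management" cloud app. Requires the Microsoft.Graph module
# and a role that is allowed to manage Conditional Access policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder (assumption): object ID of an emergency-access account that is
# excluded from the policy so a mistake cannot lock out every administrator.
$breakGlassObjectId = '<emergency-access-account-object-id>'

# Refuse to continue while the placeholder has not been replaced by a real GUID.
$parsed = [guid]::Empty
if (-not [guid]::TryParse($breakGlassObjectId, [ref]$parsed)) {
    throw 'Set $breakGlassObjectId to the object ID of your emergency-access account.'
}

# Well-known application ID behind the "Azure Management" cloud app
# (Windows Azure Service Management API).
$azureManagementAppId = '797f4846-ba00-4fd7-ba43-dac1f8f63013'

$policy = @{
    displayName = 'EXAMPLE - Require MFA for Azure management'   # hypothetical name
    # Report-only: sign-ins are evaluated and logged, nothing is enforced yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @($azureManagementAppId) }
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassObjectId)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

After the report-only results in the sign-in logs look as expected, change `state` to `enabled` to enforce the policy.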

For more information on how to set up a sample policy to enable Conditional Access for Azure management, see the article Conditional Access: Require MFA for Azure management.