Azure 多重身份验证的功能和许可证Features and licenses for Azure Multi-Factor Authentication

若要保护组织中的用户帐户,应使用多重身份验证。To protect user accounts in your organization, multi-factor authentication should be used. 对资源拥有访问特权的帐户尤其需要此功能。This feature is especially important for accounts that have privileged access to resources. 基本多重身份验证功能适用于 Office 365 和 Azure Active Directory (Azure AD) 管理员,不收取额外的费用。Basic multi-factor authentication features are available to Office 365 and Azure Active Directory (Azure AD) administrators for no extra cost. 如果想要升级管理员的功能,或者将多重身份验证扩展到其他用户,可通过多种方式购买 Azure 多重身份验证。If you want to upgrade the features for your admins or extend multi-factor authentication to the rest of your users, you can purchase Azure Multi-Factor Authentication in several ways.


本文详细说明 Azure 多重身份验证的不同许可和使用方式。This article details the different ways that Azure Multi-Factor Authentication can be licensed and used. 有关定价和计费的具体详细信息,请参阅 Azure 多重身份验证定价页For specific details about pricing and billing, see the Azure Multi-Factor Authentication pricing page.

可用的 Azure 多重身份验证版本Available versions of Azure Multi-Factor Authentication

可以根据组织的需求,以几种不同的方式使用和许可 Azure 多重身份验证。Azure Multi-Factor Authentication can be used, and licensed, in a few different ways depending on your organization's needs. 根据你当前拥有的 Azure AD、Office 365、EMS 或 Microsoft 365 许可证,你可能已有权使用 Azure 多重身份验证。You may already be entitled to use Azure Multi-Factor Authentication depending on the Azure AD, Office 365, EMS, or Microsoft 365 license you currently have. 下表详细说明了获取 Azure 多重身份验证和某些功能的不同方式,以及每种方式的用例。The following table details the different ways to get Azure Multi-Factor Authentication and some of the features and use cases for each.

如果你是以下产品的用户If you're a user of 功能和用例Capabilities and use cases
EMS 或 Microsoft 365 E3 和 E5EMS or Microsoft 365 E3 and E5 EMS E3 或 Microsoft 365 E3(包括 EMS 和 Office 365)包括 Azure AD Premium P1。EMS E3 or Microsoft 365 E3 (that includes EMS and Office 365), includes Azure AD Premium P1. EMS E5 或 Microsoft 365 E5 包括 Azure AD Premium P2。EMS E5 or Microsoft 365 E5 includes Azure AD Premium P2. 可使用以下部分所述的相同条件访问功能向用户提供多重身份验证。You can use the same Conditional Access features noted in the following sections to provide multi-factor authentication to users.
Azure AD Premium P1Azure AD Premium P1 在特定的方案中或者在发生特定的事件期间,可以根据业务要求使用 Azure AD 条件访问来提示用户完成多重身份验证。You can use Azure AD Conditional Access to prompt users for multi-factor authentication during certain scenarios or events to fit your business requirements.
Azure AD Premium P2Azure AD Premium P2 提供最强的安全形势和改进的用户体验。Provides the strongest security position and improved user experience. 将基于风险的条件访问添加到 Azure AD Premium P1 功能,可适应用户的模式,并尽量减少多重身份验证提示。Adds risk-based Conditional Access to the Azure AD Premium P1 features that adapts to user's patterns and minimizes multi-factor authentication prompts.
Office 365 商业高级版 E3 或 E5Office 365 Business Premium, E3, or E5 针对所有用户的所有登录事件启用或禁用 Azure 多重身份验证。Azure Multi-Factor Authentication is either enabled or disabled for all users, for all sign-in events. 不能只为一部分用户或者只是在特定的方案中启用多重身份验证。There is no ability to only enable multi-factor authentication for a subset of users, or only under certain scenarios. 通过 Office 365 门户进行管理。Management is through the Office 365 portal. 若要改进用户体验,请升级到 Azure AD Premium P1 或 P2 并使用条件访问。For an improved user experience, upgrade to Azure AD Premium P1 or P2 and use Conditional Access. 有关详细信息,请参阅使用多重身份验证保护 Office 365 资源For more information, see secure Office 365 resources with multi-factor authentication.
Azure AD 免费版Azure AD free 每次发出身份验证请求时,都可以使用安全默认值为所有用户启用多重身份验证。You can use security defaults to enable multi-factor authentication for all users, every time an authentication request is made. 无法精细控制已启用多重身份验证的用户或方案,但此版本确实提供附加的安全措施。You don't have granular control of enabled users or scenarios, but it does provide that additional security step.
即使不使用安全默认值来为每个人启用多重身份验证,也可以将分配有“Azure AD 全局管理员”角色的用户配置为使用多重身份验证。 Even when security defaults aren't used to enable multi-factor authentication for everyone, users assigned the Azure AD Global Administrator role can be configured to use multi-factor authentication. 此免费层功能确保关键的管理员帐户受到多重身份验证的保护。This feature of the free tier makes sure the critical administrator accounts are protected by multi-factor authentication.

版本功能比较Feature comparison of versions

下表提供了 Azure 多重身份验证的各个版本中可用的功能列表。The following table provides a list of the features that are available in the various versions of Azure Multi-Factor Authentication. 规划保护用户身份验证的需求,然后确定哪种方法符合这些要求。Plan out your needs for securing user authentication, then determine which approach meets those requirements. 例如,尽管 Azure AD Free 提供安全默认值来实现 Azure 多重身份验证,但只能通过手机验证器应用显示身份验证提示,而不能通过电话呼叫或短信来显示。For example, although Azure AD Free provides security defaults that provide Azure Multi-Factor Authentication, only the mobile authenticator app can be used for the authentication prompt, not a phone call or SMS. 如果无法确保将手机身份验证应用安装到用户的个人设备上,此方法可能存在限制。This approach may be a limitation if you can't ensure the mobile authentication app is installed on a user's personal device.

功能Feature Azure AD Free - 安全默认值Azure AD Free - Security defaults Azure AD Free - Azure AD 全局管理员Azure AD Free - Azure AD Global Administrators Office 365 商业高级版 E3 或 E5Office 365 Business Premium, E3, or E5 Azure AD Premium P1 或 P2Azure AD Premium P1 or P2
使用 MFA 保护 Azure AD 租户管理员帐户Protect Azure AD tenant admin accounts with MFA ●(仅限“Azure AD 全局管理员”帐户) ● (Azure AD Global Administrator accounts only)
将移动应用用作第二个因素Mobile app as a second factor
将电话呼叫用作第二个因素Phone call as a second factor
将短信用作第二个因素SMS as a second factor
管理员控制验证方法Admin control over verification methods
欺诈警报Fraud alert
MFA 报告MFA Reports
通话的自定义问候语Custom greetings for phone calls
通话的自定义呼叫方 IDCustom caller ID for phone calls
受信任的 IPTrusted IPs
记住受信任的设备的 MFARemember MFA for trusted devices
适用于本地应用程序的 MFAMFA for on-premises applications


从 2019 年 3 月起,电话呼叫选项不再适用于 Azure AD Free/试用版租户中的 Azure 多重身份验证和 Azure 自助式密码重置用户。As of March of 2019, phone call options are no longer available to Azure Multi-Factor Authentication and Azure Self-Service Password Reset users in Azure AD Free / trial tenants. 短信不受此项更改的影响。SMS messages aren't impacted by this change. 电话呼叫仍旧适用于 Azure AD Premium P1 或 P2 租户中的用户,或者 Office 365 商业高级版 E3 或 E5 用户。Phone calls continue to be available to users in Azure AD Premium P1 or P2 tenants or uses or Office 365 Business Premium, E3, or E5.

购买和启用 Azure 多重身份验证Purchase and enable Azure Multi-Factor Authentication

若要使用 Azure 多重身份验证,请注册或购买符合条件的 Azure AD 层。To use Azure Multi-Factor Authentication, register for or purchase an eligible Azure AD tier. Azure AD 提供四个版本:免费版、Office 365 应用版(适用于 Office 365 商业高级版 E3 或 E5 客户)、Premium P1 和 Premium P2。Azure AD comes in four editions — Free, Office 365 apps edition (for Office 365 Business Premium E3, or E5 customers), Premium P1, and Premium P2.

Free 版本随附在 Azure 订阅中。The Free edition is included with an Azure subscription. 有关如何使用安全默认值或者使用“Azure AD 全局管理员”角色保护帐户的信息,请参阅下面的部分See the section below for information on how to use security defaults or protect accounts with the Azure AD Global Administrator role.

Azure AD Premium 版本通过 Microsoft 代表、开放批量许可计划云解决方案提供商计划提供。The Azure AD Premium editions are available through your Microsoft representative, the Open Volume License Program, and the Cloud Solution Providers program. Azure 和 Office 365 订阅者还可以在线购买 Azure Active Directory Premium P1 和 P2。Azure and Office 365 subscribers can also buy Azure Active Directory Premium P1 and P2 online.


从 2018 年 9 月 1 日起,新客户不再可以使用基于消耗量的许可。Consumption-based licensing is no longer available to new customers effective September 1, 2018. 使用基于消耗量的模型的现有客户可以继续使用按启用用户或按身份验证的计费。Existing customers using the consumption-based model can continue to use either per enabled user or per authentication billing.

购买所需的 Azure AD 层后,请规划并部署 Azure 多重身份验证After you have purchased the required Azure AD tier, plan and deploy Azure Multi-Factor Authentication.

Azure AD Free 层Azure AD Free tier

Azure AD Free 租户中的所有用户都可以通过安全默认值来使用 Azure 多重身份验证。All users in an Azure AD Free tenant can use Azure Multi-Factor authentication through the use of security defaults. 每次用户登录时,这些安全默认值将为这些用户启用 Azure 多重身份验证。These security defaults enable Azure Multi-Factor authentication for all users, every time they sign in. 使用 Azure AD Free 安全默认值时,只能使用手机身份验证应用来完成 Azure 多重身份验证。The mobile authentication app is the only method that can be used for Azure Multi-Factor Authentication when using Azure AD Free security defaults.

如果你不想要为所有用户和每个登录事件启用 Azure 多重身份验证,可以选择仅使用“Azure AD 全局管理员”角色来保护用户帐户。 If you don't want to enable Azure Multi-Factor Authentication for all users and every sign-in event, you can instead choose to only protect user accounts with the Azure AD Global Administrator role. 此方法针对关键的管理员帐户提供更多的身份验证提示。This approach provides additional authentication prompts for critical administrator accounts. 可以通过以下方式之一启用 Azure 多重身份验证,具体取决于所使用的帐户类型:You enable Azure Multi-Factor Authentication in one of the following ways, depending on the type of account you use:

后续步骤Next steps

有关成本的详细信息,请参阅 Azure 多重身份验证定价For more information on costs, see Azure Multi-Factor Authentication pricing.