Features and licenses for Azure AD Multi-Factor Authentication

To protect user accounts in your organization, multi-factor authentication should be used. This feature is especially important for accounts that have privileged access to resources. Basic multi-factor authentication features are available to Microsoft 365 and Azure Active Directory (Azure AD) administrators for no extra cost. If you want to upgrade the features for your admins or extend multi-factor authentication to the rest of your users, you can purchase Azure AD Multi-Factor Authentication in several ways.


This article details the different ways that Azure AD Multi-Factor Authentication can be licensed and used. For specific details about pricing and billing, see the Azure AD Multi-Factor Authentication pricing page.

Available versions of Azure AD Multi-Factor Authentication

Azure AD Multi-Factor Authentication can be used, and licensed, in a few different ways depending on your organization's needs. You may already be entitled to use Azure AD Multi-Factor Authentication depending on the Azure AD, EMS, or Microsoft 365 license you currently have. The following table details the different ways to get Azure AD Multi-Factor Authentication and some of the features and use cases for each.

If you're a user of | Capabilities and use cases
Microsoft 365 Business Premium and EMS or Microsoft 365 E3 and E5 | EMS E3, Microsoft 365 E3, and Microsoft 365 Business Premium include Azure AD Premium P1. EMS E5 or Microsoft 365 E5 includes Azure AD Premium P2. You can use the same Conditional Access features noted in the following sections to provide multi-factor authentication to users.
Azure AD Premium P1 | You can use Azure AD Conditional Access to prompt users for multi-factor authentication during certain scenarios or events to fit your business requirements.
Azure AD Premium P2 | Provides the strongest security position and improved user experience. Adds risk-based Conditional Access to the Azure AD Premium P1 features, which adapts to users' patterns and minimizes multi-factor authentication prompts.
All Microsoft 365 plans | Azure AD Multi-Factor Authentication can be enabled on a per-user basis, or enabled or disabled for all users using security defaults. Management of Azure AD Multi-Factor Authentication is through the Microsoft 365 portal. For an improved user experience, upgrade to Azure AD Premium P1 or P2 and use Conditional Access. For more information, see secure Microsoft 365 resources with multi-factor authentication.
Azure AD free | You can use security defaults to enable multi-factor authentication for all users. You don't have granular control of enabled users or scenarios, but it does provide that additional security step. Even when security defaults aren't used to enable multi-factor authentication for everyone, users assigned the Azure AD Global Administrator role can be configured to use multi-factor authentication. This feature of the free tier makes sure the critical administrator accounts are protected by multi-factor authentication.

Feature comparison of versions

The following table provides a list of the features that are available in the various versions of Azure AD Multi-Factor Authentication. Plan out your needs for securing user authentication, then determine which approach meets those requirements. For example, although Azure AD Free provides security defaults that provide Azure AD Multi-Factor Authentication, only the mobile authenticator app can be used for the authentication prompt, not a phone call or SMS. This approach may be a limitation if you can't ensure the mobile authentication app is installed on a user's personal device.

Feature | Azure AD Free - Security defaults | Azure AD Free - Azure AD Global Administrators | Microsoft 365 apps | Azure AD Premium P1 or P2
Protect Azure AD tenant admin accounts with MFA ● (Azure AD Global Administrator accounts only)
Mobile app as a second factor
Phone call as a second factor
SMS as a second factor
Admin control over verification methods

Purchase and enable Azure AD Multi-Factor Authentication

To use Azure AD Multi-Factor Authentication, register for or purchase an eligible Azure AD tier. Azure AD comes in four editions: Free, Microsoft 365 apps, Premium P1, and Premium P2.

The Free edition is included with an Azure subscription. See the section below for information on how to use security defaults or protect accounts with the Azure AD Global Administrator role.

The Azure AD Premium editions are available through your Microsoft representative, the Open Volume License Program, and the Cloud Solution Providers program. Azure and Microsoft 365 subscribers can also buy Azure Active Directory Premium P1 and P2 online.

After you have purchased the required Azure AD tier, plan and deploy Azure AD Multi-Factor Authentication.

Azure AD Free tier

All users in an Azure AD Free tenant can use Azure AD Multi-Factor Authentication through the use of security defaults. The mobile authentication app is the only method that can be used for Azure AD Multi-Factor Authentication when using Azure AD Free security defaults.

If you don't want to enable Azure AD Multi-Factor Authentication for all users, you can instead choose to only protect user accounts with the Azure AD Global Administrator role. This approach provides additional authentication prompts for critical administrator accounts. You enable Azure AD Multi-Factor Authentication in one of the following ways, depending on the type of account you use:

Next steps