How to require two-step verification for a user

Enabled by changing user state - This is the traditional method for requiring two-step verification and is the one discussed in this article. It works with Azure MFA in the cloud. Using this method requires users to perform two-step verification every time they sign in.

Enable Azure MFA by changing user status

User accounts in Azure Multi-Factor Authentication have the following three distinct states:

| Status | Description | Non-browser apps affected | Browser apps affected | Modern authentication affected |
|---|---|---|---|---|
| Disabled | The default state for a new user not enrolled in Azure MFA. | No | No | No |
| Enabled | The user has been enrolled in Azure MFA but has not registered. They receive a prompt to register the next time they sign in. | No. They continue to work until the registration process is completed. | Yes. After the session expires, Azure MFA registration is required. | Yes. After the access token expires, Azure MFA registration is required. |
| Enforced | The user has been enrolled and has completed the registration process for Azure MFA. | Yes. Apps require app passwords. | Yes. Azure MFA is required at sign-in. | Yes. Azure MFA is required at sign-in. |

A user's state reflects whether an admin has enrolled them in Azure MFA and whether they have completed the registration process.

All users start out Disabled. When you enroll users in Azure MFA, their state changes to Enabled. When Enabled users sign in and complete the registration process, their state changes to Enforced.

View the status for a user

Use the following steps to access the page where you can view and manage user states:

  1. Sign in to the Azure portal as an administrator.
  2. Go to Azure Active Directory > Users and groups > All users.
  3. Select Multi-Factor Authentication.
  4. A new page that displays the user states opens.

Change the status for a user

  1. Use the preceding steps to get to the Azure Multi-Factor Authentication users page.

  2. Find the user you want to enable for Azure MFA. You might need to change the view at the top.

  3. Check the box next to their name.

  4. On the right, under quick steps, choose Enable or Disable.

    Tip

    Enabled users are automatically switched to Enforced when they register for Azure MFA. Do not manually change the user state to Enforced.

  5. Confirm your selection in the pop-up window that opens.

After you enable users, notify them via email. Tell them that they'll be asked to register the next time they sign in. You can also include a link to the Azure MFA end-user guide to help them get started.

Use PowerShell

To change the user state by using Azure AD PowerShell, change $st.State. There are three possible states:

  • Enabled
  • Enforced
  • Disabled

Don't move users directly to the Enforced state. If you do, non-browser-based apps stop working, because the user has not gone through Azure MFA registration and obtained an app password.

Install the module first, using:

Install-Module MSOnline

Tip

Don't forget to connect first using Connect-MsolService -AzureEnvironment AzureChinaCloud.

This example PowerShell script enables MFA for an individual user:

Import-Module MSOnline
# Build a single requirement: RelyingParty "*" applies it to every relying party
$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enabled"   # never set "Enforced" here; registration moves the user there
$sta = @($st)
Set-MsolUser -UserPrincipalName bsimon@contoso.com -StrongAuthenticationRequirements $sta

Using PowerShell is a good option when you need to bulk enable users. As an example, the following script loops through a list of users and enables MFA on their accounts:

$users = "bsimon@contoso.com","jsmith@contoso.com","ljacobson@contoso.com"
foreach ($user in $users)
{
    $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $st.RelyingParty = "*"
    $st.State = "Enabled"
    $sta = @($st)
    Set-MsolUser -UserPrincipalName $user -StrongAuthenticationRequirements $sta
}

To disable MFA, use this script:

Get-MsolUser -UserPrincipalName user@domain.com | Set-MsolUser -StrongAuthenticationRequirements @()

which can also be shortened to:

Set-MsolUser -UserPrincipalName user@domain.com -StrongAuthenticationRequirements @()
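The following script is an added example and is not part of the original article. It combines the enable and disable scripts above with the checks the Tip and the paragraph on the Enforced state call for: it reports each user's current state, enables only users who are still Disabled, never sets Enforced directly, and never touches users who are already Enabled or Enforced (so their app passwords and registrations are left alone). It assumes the MSOnline module is installed and a session has been opened with Connect-MsolService -AzureEnvironment AzureChinaCloud; the function names Get-MfaState, Enable-MfaIfDisabled and Get-MfaRegistrationReport, the DryRun switch and the CSV file name mfa-users.csv are this example's own choices, not names from the product.

```powershell
# Added example, not from the original article. Assumes:
#   Install-Module MSOnline
#   Connect-MsolService -AzureEnvironment AzureChinaCloud
# have already been run. Function and parameter names below are assumptions.
Import-Module MSOnline

function Get-MfaState {
    # Maps one Get-MsolUser object to Disabled / Enabled / Enforced.
    # A user with no StrongAuthenticationRequirements entry is Disabled.
    param([Parameter(Mandatory)] $MsolUser)
    $req = $MsolUser.StrongAuthenticationRequirements
    if ($null -eq $req -or $req.Count -eq 0) { return 'Disabled' }
    return $req[0].State
}

function Enable-MfaIfDisabled {
    # Sets State=Enabled only for users whose current state is Disabled.
    # Enabled users are left to finish registration themselves and
    # Enforced users are never modified, so nothing here can downgrade a
    # registered user or break an app password.
    param(
        [Parameter(Mandatory)] [string[]] $UserPrincipalName,
        [switch] $DryRun   # assumption: preview without calling Set-MsolUser
    )
    foreach ($upn in $UserPrincipalName) {
        $u = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
        if ($null -eq $u) {
            [pscustomobject]@{ UserPrincipalName = $upn; Before = 'NotFound'; Action = 'Skipped' }
            continue
        }
        $before = Get-MfaState $u
        if ($before -ne 'Disabled') {
            [pscustomobject]@{ UserPrincipalName = $upn; Before = $before; Action = 'Skipped' }
            continue
        }
        if (-not $DryRun) {
            $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
            $st.RelyingParty = "*"
            $st.State = "Enabled"     # deliberately never "Enforced"
            Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($st)
        }
        $action = if ($DryRun) { 'WouldEnable' } else { 'Enabled' }
        [pscustomobject]@{ UserPrincipalName = $upn; Before = $before; Action = $action }
    }
}

function Get-MfaRegistrationReport {
    # Lists every user's state and registered methods. Users who are
    # Enabled but have no StrongAuthenticationMethods are the ones who
    # still need the "register at next sign-in" notification email.
    Get-MsolUser -All | ForEach-Object {
        $methods = @($_.StrongAuthenticationMethods | ForEach-Object { $_.MethodType })
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            MfaState          = Get-MfaState $_
            Methods           = ($methods -join ',')
            NeedsRegistration = ((Get-MfaState $_) -eq 'Enabled' -and $methods.Count -eq 0)
        }
    }
}

# Usage: the CSV (assumed name) has a UserPrincipalName column.
# Preview first, then apply, then see who still has to register.
$targets = (Import-Csv .\mfa-users.csv).UserPrincipalName
Enable-MfaIfDisabled -UserPrincipalName $targets -DryRun | Format-Table -AutoSize
Enable-MfaIfDisabled -UserPrincipalName $targets | Format-Table -AutoSize
Get-MfaRegistrationReport | Where-Object NeedsRegistration | Format-Table -AutoSize
```

Run the DryRun pass first and check the Before column: any user already reported as Enforced is exactly the case the Tip warns about, and the script leaves them untouched rather than rewriting their requirement.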

Next steps