Enable per-user Azure Multi-Factor Authentication to secure sign-in events

To secure user sign-in events in Azure AD, you can require multi-factor authentication (MFA). Enabling Azure Multi-Factor Authentication using Conditional Access policies is the recommended approach to protect users. Conditional Access is an Azure AD Premium P1 or P2 feature that lets you apply rules to require MFA as needed in certain scenarios. To get started using Conditional Access, see Tutorial: Secure user sign-in events with Azure Multi-Factor Authentication.

For Azure AD free tenants without Conditional Access, you can use security defaults to protect users. Users are prompted for MFA as needed, but you can't define your own rules to control the behavior.

If needed, you can instead enable each account for per-user Azure Multi-Factor Authentication. When users are enabled individually, they perform multi-factor authentication each time they sign in (with some exceptions, such as when they sign in from trusted IP addresses or when the remember MFA on trusted devices feature is turned on).

Changing user states isn't recommended unless your Azure AD licenses don't include Conditional Access and you don't want to use security defaults. For more information on the different ways to enable MFA, see Features and licenses for Azure Multi-Factor Authentication.

Important

This article details how to view and change the status for per-user Azure Multi-Factor Authentication. If you use Conditional Access or security defaults, don't review or enable user accounts using these steps.

Enabling Azure Multi-Factor Authentication through a Conditional Access policy doesn't change the state of the user. Don't be alarmed if users appear disabled. Conditional Access doesn't change the state.

Don't enable or enforce per-user Azure Multi-Factor Authentication if you use Conditional Access policies.

Azure Multi-Factor Authentication user states

A user's state reflects whether an admin has enrolled them in per-user Azure Multi-Factor Authentication. User accounts in Azure Multi-Factor Authentication have the following three distinct states:

| State | Description | Legacy authentication affected | Browser apps affected | Modern authentication affected |
| --- | --- | --- | --- | --- |
| Disabled | The default state for a user not enrolled in per-user Azure Multi-Factor Authentication. | No | No | No |
| Enabled | The user is enrolled in per-user Azure Multi-Factor Authentication, but can still use their password for legacy authentication. If the user hasn't yet registered MFA authentication methods, they receive a prompt to register the next time they sign in using modern authentication (such as via a web browser). | No. Legacy authentication continues to work until the registration process is completed. | Yes. After the session expires, Azure Multi-Factor Authentication registration is required. | Yes. After the access token expires, Azure Multi-Factor Authentication registration is required. |
| Enforced | The user is enrolled per-user in Azure Multi-Factor Authentication. If the user hasn't yet registered authentication methods, they receive a prompt to register the next time they sign in using modern authentication (such as via a web browser). Users who complete registration while in the Enabled state are automatically moved to the Enforced state. | Yes. Apps require app passwords. | Yes. Azure Multi-Factor Authentication is required at sign-in. | Yes. Azure Multi-Factor Authentication is required at sign-in. |

All users start out Disabled. When you enroll users in per-user Azure Multi-Factor Authentication, their state changes to Enabled. When enabled users sign in and complete the registration process, their state changes to Enforced. Administrators may move users between states, including from Enforced to Enabled or Disabled.
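The state table above describes what each state means, but the portal shows it one user at a time. The following script is an added example, not code from the original article, that reports the per-user MFA state and the number of registered methods for every user in the tenant using the MSOnline module. It assumes Connect-MsolService has already been run; the MSOnline user properties StrongAuthenticationRequirements and StrongAuthenticationMethods are the ones the article's Set-MsolUser calls write to and that the registration prompt populates. The NeedsManualEnforce flag is a heuristic added here for the re-enabled-but-not-re-registered case described in the note below.

```powershell
# Added example (not from the original article): audit per-user Azure MFA state
# across the tenant with the MSOnline module. Assumes Connect-MsolService has run.

function Get-PerUserMfaState {
    [CmdletBinding()]
    param(
        # Accepts Get-MsolUser output from the pipeline
        [Parameter(Mandatory, ValueFromPipeline)]
        $User
    )
    process {
        # A user with no StrongAuthenticationRequirements entry is in the Disabled state
        $requirement = $User.StrongAuthenticationRequirements | Select-Object -First 1
        $state = if ($requirement) { $requirement.State } else { 'Disabled' }

        # Registered methods decide whether the user can be moved to Enforced safely
        $methods = @($User.StrongAuthenticationMethods)
        $default = ($methods | Where-Object { $_.IsDefault } | Select-Object -First 1).MethodType

        [pscustomobject]@{
            UserPrincipalName     = $User.UserPrincipalName
            State                 = $state
            RegisteredMethodCount = $methods.Count
            DefaultMethod         = $default
            # Heuristic: Enabled users who already have methods registered will not
            # transition to Enforced on their own and need an admin to move them
            NeedsManualEnforce    = ($state -eq 'Enabled' -and $methods.Count -gt 0)
        }
    }
}

# Report: one row per user, then a count per state
$report = Get-MsolUser -All | Get-PerUserMfaState
$report | Sort-Object State, UserPrincipalName | Format-Table -AutoSize
$report | Group-Object State | Select-Object Name, Count
```

Run the report before and after any bulk state change so that the Enabled/Enforced counts can be compared against what you expected to change.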

Note

If per-user MFA is re-enabled on a user and the user doesn't re-register, their MFA state doesn't transition from Enabled to Enforced in the MFA management UI. The administrator must move the user directly to Enforced.

View the status for a user

To view and manage user states, complete the following steps to access the Azure portal page:

  1. Sign in to the Azure portal as an administrator.
  2. Search for and select Azure Active Directory, then select Users > All users.
  3. Select Multi-Factor Authentication. You may need to scroll to the right to see this menu option. (Screenshot: Select Multi-Factor Authentication from the Users window in Azure AD.)
  4. A new page opens that displays the user state, as shown in the following example. (Screenshot: example user state information for Azure Multi-Factor Authentication.)

Change the status for a user

To change the per-user Azure Multi-Factor Authentication state for a user, complete the following steps:

  1. Use the previous steps to view the status for a user to get to the Azure Multi-Factor Authentication users page.

  2. Find the user you want to enable for per-user Azure Multi-Factor Authentication. You might need to change the view at the top to Users. (Screenshot: select the user to change status for from the Users tab.)

  3. Check the box next to the name(s) of the user(s) to change the state for.

  4. On the right-hand side, under quick steps, choose Enable or Disable. In the following example, the user John Smith has a check next to their name and is being enabled. (Screenshot: enable the selected user by clicking Enable on the quick steps menu.)

    Tip

    Enabled users are automatically switched to Enforced when they register for Azure Multi-Factor Authentication. Don't manually change the user state to Enforced unless the user is already registered or it is acceptable for the user to experience interruption in connections to legacy authentication protocols.

  5. Confirm your selection in the pop-up window that opens.

After you enable users, notify them via email. Tell the users that a prompt is displayed to ask them to register the next time they sign in. Also, if your organization uses non-browser apps that don't support modern authentication, they need to create app passwords. For more information, see the Azure Multi-Factor Authentication end-user guide to help them get started.

Change state using PowerShell

To change the user state by using Azure AD PowerShell, you change the $st.State parameter for a user account. There are three possible states for a user account:

  • Enabled
  • Enforced
  • Disabled

In general, don't move users directly to the Enforced state unless they are already registered for MFA. If you do so, legacy authentication apps stop working because the user hasn't gone through Azure Multi-Factor Authentication registration and obtained an app password. In some cases this behavior may be desired, but it impacts the user experience until the user registers.

To get started, install the MSOnline module using Install-Module as follows:

Install-Module MSOnline

Next, connect using Connect-MsolService:

Connect-MsolService -AzureEnvironment AzureChinaCloud

The following example PowerShell script enables MFA for an individual user named *bsimon@contoso.com*:

$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enabled"
$sta = @($st)

# Change the following UserPrincipalName to the user you wish to change state
Set-MsolUser -UserPrincipalName bsimon@contoso.com -StrongAuthenticationRequirements $sta

Using PowerShell is a good option when you need to bulk enable users. The following script loops through a list of users and enables MFA on their accounts. Define the user accounts in the first line, which sets $users, as follows:

# Define your list of users to update state in bulk
$users = "bsimon@contoso.com","jsmith@contoso.com","ljacobson@contoso.com"

foreach ($user in $users)
{
    $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $st.RelyingParty = "*"
    $st.State = "Enabled"
    $sta = @($st)
    Set-MsolUser -UserPrincipalName $user -StrongAuthenticationRequirements $sta
}

To disable MFA, the following example gets a user with Get-MsolUser, then removes any StrongAuthenticationRequirements set for the defined user using Set-MsolUser:

Get-MsolUser -UserPrincipalName bsimon@contoso.com | Set-MsolUser -StrongAuthenticationRequirements @()

You could also directly disable MFA for a user using Set-MsolUser as follows:

Set-MsolUser -UserPrincipalName bsimon@contoso.com -StrongAuthenticationRequirements @()
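The tip in the portal steps and the guidance at the start of this section both say the same thing: moving a user straight to Enforced is only safe once they have registered, because an unregistered Enforced user loses legacy authentication until they register and obtain an app password. The following function is an added example, not code from the original article, that applies that check in code: it moves a user to Enforced only when StrongAuthenticationMethods already contains a registered method, skips users who are already Enforced, and honours -WhatIf so the change can be rehearsed. It assumes the MSOnline module is installed and Connect-MsolService has been run; the user names are constructed placeholders.

```powershell
# Added example (not from the original article): move users to Enforced only after
# confirming they have registered at least one MFA method, so legacy authentication
# does not stop working for unregistered users. Assumes Connect-MsolService has run.

function Set-MfaEnforcedIfRegistered {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$UserPrincipalName
    )
    process {
        foreach ($upn in $UserPrincipalName) {
            $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop

            # Registration check: StrongAuthenticationMethods stays empty until the
            # user completes the Azure Multi-Factor Authentication registration prompt
            if (@($user.StrongAuthenticationMethods).Count -eq 0) {
                Write-Warning "$upn has no registered MFA methods; state left unchanged."
                continue
            }

            $current = ($user.StrongAuthenticationRequirements | Select-Object -First 1).State
            if ($current -eq 'Enforced') {
                Write-Verbose "$upn is already Enforced."
                continue
            }

            # -WhatIf and -Confirm are honoured here
            if ($PSCmdlet.ShouldProcess($upn, "Set per-user MFA state to Enforced")) {
                $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
                $st.RelyingParty = "*"
                $st.State = "Enforced"
                Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($st)
            }
        }
    }
}

# Dry run first, then apply. The UPNs below are constructed placeholders.
"bsimon@contoso.com", "jsmith@contoso.com" | Set-MfaEnforcedIfRegistered -WhatIf
"bsimon@contoso.com", "jsmith@contoso.com" | Set-MfaEnforcedIfRegistered -Verbose
```

Users reported by the warning are the ones to contact and ask to register; once StrongAuthenticationMethods is populated for them, a second run of the same command completes the move.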

Convert users from per-user MFA to Conditional Access

The following PowerShell can assist you in making the conversion to Conditional Access based Azure Multi-Factor Authentication.

# Sets the MFA requirement state
function Set-MfaState {

    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipelineByPropertyName=$True)]
        $ObjectId,
        [Parameter(ValueFromPipelineByPropertyName=$True)]
        $UserPrincipalName,
        [ValidateSet("Disabled","Enabled","Enforced")]
        $State
    )

    Process {
        Write-Verbose ("Setting MFA state for user '{0}' to '{1}'." -f $ObjectId, $State)
        $Requirements = @()
        if ($State -ne "Disabled") {
            $Requirement =
                [Microsoft.Online.Administration.StrongAuthenticationRequirement]::new()
            $Requirement.RelyingParty = "*"
            $Requirement.State = $State
            $Requirements += $Requirement
        }

        Set-MsolUser -ObjectId $ObjectId -UserPrincipalName $UserPrincipalName `
                     -StrongAuthenticationRequirements $Requirements
    }
}

# Disable MFA for all users
Get-MsolUser -All | Set-MfaState -State Disabled
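The conversion script above disables per-user MFA for every user in one pass and leaves no record of who was Enabled or Enforced beforehand, so a rollback to the previous state is not possible if the Conditional Access policies turn out to be incomplete. The following script is an added example, not code from the original article, that snapshots each user's per-user MFA state to a CSV file, disables per-user MFA only for users who actually have it set (with -WhatIf support), and provides a restore function that replays the snapshot. It assumes the MSOnline module is installed and Connect-MsolService has been run; the CSV path is a constructed placeholder.

```powershell
# Added example (not from the original article): reversible conversion away from
# per-user MFA. Snapshot first, disable with -WhatIf support, restore from the
# snapshot if the Conditional Access rollout has to be rolled back.
# Assumes Connect-MsolService has run. The CSV path is a constructed placeholder.

$SnapshotPath = ".\per-user-mfa-snapshot.csv"

function Export-PerUserMfaSnapshot {
    param([string]$Path = $SnapshotPath)
    $rows = foreach ($u in Get-MsolUser -All) {
        # No StrongAuthenticationRequirements entry means the Disabled state
        $req = $u.StrongAuthenticationRequirements | Select-Object -First 1
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            State             = if ($req) { $req.State } else { 'Disabled' }
        }
    }
    $rows | Export-Csv -Path $Path -NoTypeInformation
}

function Disable-PerUserMfaFromSnapshot {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $SnapshotPath)
    # Only touch users that have per-user MFA set; Disabled users are skipped
    foreach ($row in Import-Csv -Path $Path | Where-Object { $_.State -ne 'Disabled' }) {
        if ($PSCmdlet.ShouldProcess($row.UserPrincipalName, "Disable per-user MFA")) {
            Set-MsolUser -UserPrincipalName $row.UserPrincipalName -StrongAuthenticationRequirements @()
        }
    }
}

function Restore-PerUserMfaFromSnapshot {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $SnapshotPath)
    foreach ($row in Import-Csv -Path $Path) {
        # Rebuild the requirement exactly as the article's enable script does
        $requirements = @()
        if ($row.State -ne 'Disabled') {
            $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
            $st.RelyingParty = "*"
            $st.State = $row.State
            $requirements += $st
        }
        if ($PSCmdlet.ShouldProcess($row.UserPrincipalName, "Restore per-user MFA state '$($row.State)'")) {
            Set-MsolUser -UserPrincipalName $row.UserPrincipalName -StrongAuthenticationRequirements $requirements
        }
    }
}

# Typical sequence: snapshot, dry run, apply. Rollback: Restore-PerUserMfaFromSnapshot
Export-PerUserMfaSnapshot
Disable-PerUserMfaFromSnapshot -WhatIf
Disable-PerUserMfaFromSnapshot
```

Keep the snapshot file with the change record for the rollout; it is the only place the pre-conversion Enabled/Enforced assignments survive once per-user MFA has been cleared, and restoring from it brings users back to the same state (registered methods are not affected by either script).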

Note

If MFA is re-enabled on a user and the user doesn't re-register, their MFA state doesn't transition from Enabled to Enforced in the MFA management UI. In this case, the administrator must move the user directly to Enforced.

Next steps

To configure Azure Multi-Factor Authentication settings, see Configure Azure Multi-Factor Authentication settings.

To manage user settings for Azure Multi-Factor Authentication, see Manage user settings with Azure Multi-Factor Authentication.