Enable per-user Azure Multi-Factor Authentication to secure sign-in events

There are two ways to secure user sign-in events by requiring multi-factor authentication in Azure AD. The first, and preferred, option is to set up a Conditional Access policy that requires multi-factor authentication under certain conditions. The second option is to enable each user for Azure Multi-Factor Authentication. When users are enabled individually, they perform multi-factor authentication each time they sign in (with some exceptions, such as when they sign in from trusted IP addresses or when the remembered devices feature is turned on).

Note

Enabling Azure Multi-Factor Authentication using Conditional Access policies is the recommended approach. Changing user states is no longer recommended unless your licenses don't include Conditional Access, because it requires users to perform MFA every time they sign in. To get started using Conditional Access, see Tutorial: Secure user sign-in events with Azure Multi-Factor Authentication.

Azure Multi-Factor Authentication user states

User accounts in Azure Multi-Factor Authentication have the following three distinct states:

Important

Enabling Azure Multi-Factor Authentication through a Conditional Access policy doesn't change the state of the user. Don't be alarmed if users appear disabled. Conditional Access doesn't change the state.

You shouldn't enable or enforce users if you're using Conditional Access policies.

Status: Disabled
  Description: The default state for a new user not enrolled in Azure Multi-Factor Authentication.
  Non-browser apps affected: No
  Browser apps affected: No
  Modern authentication affected: No

Status: Enabled
  Description: The user has been enrolled in Azure Multi-Factor Authentication, but hasn't registered authentication methods. They receive a prompt to register the next time they sign in.
  Non-browser apps affected: No. They continue to work until the registration process is completed.
  Browser apps affected: Yes. After the session expires, Azure Multi-Factor Authentication registration is required.
  Modern authentication affected: Yes. After the access token expires, Azure Multi-Factor Authentication registration is required.

Status: Enforced
  Description: The user has been enrolled and has completed the registration process for Azure Multi-Factor Authentication.
  Non-browser apps affected: Yes. Apps require app passwords.
  Browser apps affected: Yes. Azure Multi-Factor Authentication is required at login.
  Modern authentication affected: Yes. Azure Multi-Factor Authentication is required at login.

A user's state reflects whether an admin has enrolled them in Azure Multi-Factor Authentication, and whether they have completed the registration process.

All users start out Disabled. When you enroll users in Azure Multi-Factor Authentication, their state changes to Enabled. When enabled users sign in and complete the registration process, their state changes to Enforced.

Note

If MFA is re-enabled on a user object that already has registration details, such as a phone number or email, then administrators need to have that user re-register MFA via the Azure portal or PowerShell. If the user doesn't re-register, their MFA state doesn't transition from Enabled to Enforced in the MFA management UI.

View the status for a user

Use the following steps to access the Azure portal page where you can view and manage user states:

  1. Sign in to the Azure portal as an administrator.
  2. Search for and select Azure Active Directory, then select Users > All users.
  3. Select Multi-Factor Authentication. You may need to scroll to the right to see this menu option.
  4. A new page opens that displays the user state, as shown in the following example. [Screenshot: example user state information for Azure Multi-Factor Authentication]

Change the status for a user

To change the Azure Multi-Factor Authentication state for a user, complete the following steps:

  1. Use the preceding steps to get to the Azure Multi-Factor Authentication users page.

  2. Find the user you want to enable for Azure Multi-Factor Authentication. You might need to change the view at the top to Users. [Screenshot: selecting the user to change the status for from the Users tab]

  3. Check the box next to the name(s) of the user(s) whose state you want to change.

  4. On the right-hand side, under quick steps, choose Enable or Disable. In the following example, the user John Smith has a check next to their name and is being enabled. [Screenshot: enabling the selected user by clicking Enable on the quick steps menu]

    Tip

    Enabled users are automatically switched to Enforced when they register for Azure Multi-Factor Authentication. Don't manually change the user state to Enforced.

  5. Confirm your selection in the pop-up window that opens.

After you enable users, notify them via email. Tell the users that a prompt is displayed asking them to register the next time they sign in. Also, if your organization uses non-browser apps that don't support modern authentication, they need to create app passwords. For more information, see the Azure Multi-Factor Authentication end-user guide to help them get started.

Change state using PowerShell

To change the user state by using Azure AD PowerShell, you change the $st.State parameter for a user account. There are three possible states for a user account:

  • Enabled
  • Enforced
  • Disabled

Don't move users directly to the Enforced state. If you do so, non-browser-based apps stop working because the user hasn't gone through Azure Multi-Factor Authentication registration.

To get started, install the MSOnline module using Install-Module as follows:

Install-Module MSOnline

Next, connect using Connect-MsolService:

Connect-MsolService -AzureEnvironment AzureChinaCloud

The following example PowerShell script enables MFA for an individual user named *bsimon@contoso.com*:

$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enabled"
$sta = @($st)

# Change the following UserPrincipalName to the user you wish to change state
Set-MsolUser -UserPrincipalName bsimon@contoso.com -StrongAuthenticationRequirements $sta

Using PowerShell is a good option when you need to bulk enable users. The following script loops through a list of users and enables MFA on their accounts. Define the user accounts by setting them in the first line for $users, as follows:

# Define your list of users to update state in bulk
$users = "bsimon@contoso.com","jsmith@contoso.com","ljacobson@contoso.com"

foreach ($user in $users)
{
    $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $st.RelyingParty = "*"
    $st.State = "Enabled"
    $sta = @($st)
    Set-MsolUser -UserPrincipalName $user -StrongAuthenticationRequirements $sta
}
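The bulk script above sets State to Enabled unconditionally, which also pushes users who are already Enforced back to Enabled and makes them re-register (see the note on re-enabling above). The following added example, which is not part of the original article, reads each user's current per-user MFA state first and only changes users that are still Disabled. It assumes an existing Connect-MsolService session; the function name Enable-PerUserMfaIfDisabled and the UPNs in the sample call are constructed for illustration.

```powershell
# Added example (not from the original article). Assumes Connect-MsolService has already run.
# Enables per-user MFA only for users whose state is currently Disabled. Users that are
# already Enabled or Enforced are left untouched, so nobody is reset and forced to re-register.
function Enable-PerUserMfaIfDisabled {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$UserPrincipalName
    )

    foreach ($upn in $UserPrincipalName) {
        $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
        if (-not $user) {
            Write-Warning "User '$upn' not found; skipping."
            continue
        }

        # An empty StrongAuthenticationRequirements collection means Disabled;
        # otherwise the requirement's State property is Enabled or Enforced.
        $current = if ($user.StrongAuthenticationRequirements.Count -eq 0) { "Disabled" }
                   else { $user.StrongAuthenticationRequirements[0].State }

        if ($current -ne "Disabled") {
            Write-Verbose "User '$upn' is already '$current'; leaving unchanged."
            continue
        }

        # Never set Enforced here: the user moves to Enforced on their own once they register.
        if ($PSCmdlet.ShouldProcess($upn, "Set per-user MFA state to Enabled")) {
            $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
            $st.RelyingParty = "*"
            $st.State = "Enabled"
            Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($st)
        }
    }
}

# Sample call with constructed UPNs
Enable-PerUserMfaIfDisabled -UserPrincipalName "bsimon@contoso.com","jsmith@contoso.com" -Verbose
```

Add -WhatIf to the call to preview which users would be changed without modifying anything.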

To disable MFA, the following example gets a user with Get-MsolUser, then removes any StrongAuthenticationRequirements set for that user using Set-MsolUser:

Get-MsolUser -UserPrincipalName bsimon@contoso.com | Set-MsolUser -StrongAuthenticationRequirements @()

You could also directly disable MFA for a user using Set-MsolUser as follows:

Set-MsolUser -UserPrincipalName bsimon@contoso.com -StrongAuthenticationRequirements @()

Convert users from per-user MFA to Conditional Access based MFA

The following PowerShell can assist you in making the conversion to Conditional Access based Azure Multi-Factor Authentication.

# Sets the MFA requirement state
function Set-MfaState {

    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipelineByPropertyName=$True)]
        $ObjectId,
        [Parameter(ValueFromPipelineByPropertyName=$True)]
        $UserPrincipalName,
        [ValidateSet("Disabled","Enabled","Enforced")]
        $State
    )

    Process {
        Write-Verbose ("Setting MFA state for user '{0}' to '{1}'." -f $ObjectId, $State)
        $Requirements = @()
        if ($State -ne "Disabled") {
            $Requirement =
                [Microsoft.Online.Administration.StrongAuthenticationRequirement]::new()
            $Requirement.RelyingParty = "*"
            $Requirement.State = $State
            $Requirements += $Requirement
        }

        Set-MsolUser -ObjectId $ObjectId -UserPrincipalName $UserPrincipalName `
                     -StrongAuthenticationRequirements $Requirements
    }
}

# Disable MFA for all users
Get-MsolUser -All | Set-MfaState -State Disabled

Note

We recently changed the behavior and this PowerShell script. Previously, the script saved off the MFA methods, disabled MFA, and restored the methods. This is no longer necessary now that the default behavior for disable doesn't clear the methods.

If MFA is re-enabled on a user object that already has registration details, such as a phone number or email, then administrators need to have that user re-register MFA via the Azure portal or PowerShell. If the user doesn't re-register, their MFA state doesn't transition from Enabled to Enforced in the MFA management UI.

Next steps

To configure Azure Multi-Factor Authentication settings like trusted IPs, custom voice messages, and fraud alerts, see Configure Azure Multi-Factor Authentication settings. To manage user settings for Azure Multi-Factor Authentication, see Manage user settings with Azure Multi-Factor Authentication.
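Before running the conversion script above, which disables per-user MFA for every user in the tenant, it is worth recording who is currently Enabled or Enforced and which methods they have registered, so that the Conditional Access policy can be verified against the same population afterwards. The following added example is not part of the original article; it assumes an existing Connect-MsolService session, and the function name Get-PerUserMfaReport and the output file path are constructed for illustration.

```powershell
# Added example (not from the original article). Assumes Connect-MsolService has already run.
# Builds a per-user MFA inventory: state derived from StrongAuthenticationRequirements and the
# registered method types from StrongAuthenticationMethods (which a Disable does not clear).
function Get-PerUserMfaReport {
    [CmdletBinding()]
    param()

    Get-MsolUser -All | ForEach-Object {
        $req = $_.StrongAuthenticationRequirements
        # No requirement object means Disabled; otherwise State is Enabled or Enforced
        $state = if ($req.Count -eq 0) { "Disabled" } else { $req[0].State }

        # Method types such as PhoneAppNotification or OneWaySMS, joined for a flat CSV column
        $methods = ($_.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ";"

        [PSCustomObject]@{
            UserPrincipalName = $_.UserPrincipalName
            PerUserMfaState   = $state
            RegisteredMethods = $methods
        }
    }
}

$report = Get-PerUserMfaReport

# Quick count of users in each state, then keep the non-Disabled users as a review record
$report | Group-Object PerUserMfaState | Select-Object Name, Count
$report | Where-Object PerUserMfaState -ne "Disabled" |
    Export-Csv -Path .\per-user-mfa-before-conversion.csv -NoTypeInformation
```

Run this before the "Disable MFA for all users" line so the exported CSV reflects the pre-conversion state.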