What is Azure Active Directory authentication?

One of the main features of an identity platform is to verify, or authenticate, credentials when a user signs in to a device, application, or service. In Azure Active Directory (Azure AD), authentication involves more than just the verification of a username and password. To improve security and reduce the need for help desk assistance, Azure AD authentication includes the following components:

  • Self-service password reset
  • Azure Multi-Factor Authentication
  • Hybrid integration to write password changes back to an on-premises environment
  • Hybrid integration to enforce password protection policies for an on-premises environment
  • Passwordless authentication

Improve the end-user experience

Azure AD helps to protect a user's identity and simplify their sign-in experience. Features like self-service password reset let users update or change their passwords using a web browser from any device. This feature is especially useful when the user has forgotten their password or their account is locked. Without waiting for a help desk or administrator to provide support, a user can unblock themselves and continue to work.

Azure Multi-Factor Authentication lets users choose an additional form of authentication during sign-in, such as a phone call or mobile app notification. This ability reduces the requirement for a single, fixed form of secondary authentication like a hardware token. If the user doesn't currently have one form of additional authentication, they can choose a different method and continue to work.

[Figure: Authentication methods used on the sign-in screen]

Passwordless authentication removes the need for the user to create and remember a secure password at all. Capabilities like Windows Hello for Business or FIDO2 security keys let users sign in to a device or application without a password. This ability can reduce the complexity of managing passwords across different environments.

Self-service password reset

Self-service password reset gives users the ability to change or reset their password, with no administrator or help desk involvement. If a user's account is locked or they forget their password, they can follow prompts to unblock themselves and get back to work. This ability reduces help desk calls and loss of productivity when a user can't sign in to their device or an application.

Self-service password reset works in the following scenarios:

  • Password change - when a user knows their password but wants to change it to something new.
  • Password reset - when a user can't sign in, such as when they have forgotten their password, and wants to reset it.
  • Account unlock - when a user can't sign in because their account is locked out and wants to unlock it.

When a user updates or resets their password using self-service password reset, that password can also be written back to an on-premises Active Directory environment. Password writeback makes sure that a user can immediately use their updated credentials with on-premises devices and applications.

Azure Multi-Factor Authentication

Multi-factor authentication is a process where a user is prompted during sign-in for an additional form of identification, such as entering a code on their cellphone or providing a fingerprint scan.

If you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, is it really the user signing in with the username and password, or is it an attacker? When you require a second form of authentication, security is increased because this additional factor isn't something that's easy for an attacker to obtain or duplicate.

[Figure: Conceptual image of the different forms of multi-factor authentication]

Azure Multi-Factor Authentication works by requiring two or more of the following authentication methods:

  • Something you know, typically a password.
  • Something you have, such as a trusted device that is not easily duplicated, like a phone or hardware key.
  • Something you are - biometrics like a fingerprint or face scan.

Users can register themselves for both self-service password reset and Azure Multi-Factor Authentication in one step to simplify the onboarding experience. Administrators can define what forms of secondary authentication can be used. Azure Multi-Factor Authentication can also be required when users perform a self-service password reset, to further secure that process.

Password protection

By default, Azure AD blocks weak passwords such as Password1. A global banned password list that includes known weak passwords is automatically updated and enforced. If an Azure AD user tries to set their password to one of these weak passwords, they receive a notification to choose a more secure password.

To increase security, you can define custom password protection policies. These policies can use filters to block any variation of a password containing a name such as Contoso or a location like London, for example.

For hybrid security, you can integrate Azure AD password protection with an on-premises Active Directory environment. A component installed in the on-premises environment receives the global banned password list and custom password protection policies from Azure AD, and domain controllers use them to process password change events. This hybrid approach makes sure that no matter how or where a user changes their credentials, you enforce the use of strong passwords.

Passwordless authentication

The end goal for many environments is to remove the use of passwords as part of sign-in events. Features like Azure password protection or Azure Multi-Factor Authentication help improve security, but a username and password remains a weak form of authentication that can be exposed or brute-force attacked.

[Figure: Security and convenience of the authentication process leading to passwordless]

When you sign in with a passwordless method, credentials are provided through methods like biometrics with Windows Hello for Business, or a FIDO2 security key. These authentication methods can't be easily duplicated by an attacker.

Azure AD provides ways to natively authenticate using passwordless methods, to simplify the sign-in experience for users and reduce the risk of attacks.

Next steps

To get started, see the tutorials for self-service password reset (SSPR) and Azure Multi-Factor Authentication.

To learn more about self-service password reset concepts, see How Azure AD self-service password reset works.

To learn more about multi-factor authentication concepts, see How Azure Multi-Factor Authentication works.