Tutorial: Secure user sign-in events with Azure Multi-Factor Authentication

Multi-factor authentication (MFA) is a process where a user is prompted during a sign-in event for additional forms of identification. This prompt could be to enter a code on their cellphone or to provide a fingerprint scan. When you require a second form of authentication, security is increased, as this additional factor isn't something that's easy for an attacker to obtain or duplicate.

Azure Multi-Factor Authentication and Conditional Access policies give you the flexibility to enable MFA for users during specific sign-in events.

Important

This tutorial shows an administrator how to enable Azure Multi-Factor Authentication.

If your IT team hasn't enabled the ability to use Azure Multi-Factor Authentication, or you have problems during sign-in, reach out to your helpdesk for additional assistance.

In this tutorial you learn how to:

  • Create a Conditional Access policy to enable Azure Multi-Factor Authentication for a group of users
  • Configure the policy conditions that prompt for MFA
  • Test the MFA process as a user

Prerequisites

To complete this tutorial, you need the following resources and privileges:

  • A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled.
  • An account with global administrator privileges.
  • A non-administrator user with a password you know, such as testuser. You test the end-user Azure Multi-Factor Authentication experience using this account in this tutorial.
  • A group that the non-administrator user is a member of, such as MFA-Test-Group. You enable Azure Multi-Factor Authentication for this group in this tutorial.

Create a Conditional Access policy

The recommended way to enable and use Azure Multi-Factor Authentication is with Conditional Access policies. Conditional Access lets you create and define policies that react to sign-in events and request additional actions before a user is granted access to an application or service.

Overview diagram of how Conditional Access secures the sign-in process

Conditional Access policies can be granular and specific, with the goal of empowering users to be productive wherever and whenever, while also protecting your organization. In this tutorial, you create a basic Conditional Access policy to prompt for MFA when a user signs in to the Azure portal. In a later tutorial in this series, you configure Azure Multi-Factor Authentication using a risk-based Conditional Access policy.

First, create a Conditional Access policy and assign your test group of users as follows:

  1. Sign in to the Azure portal using an account with global administrator permissions.

  2. Search for and select Azure Active Directory, then choose Security from the menu on the left-hand side.

  3. Select Conditional Access, then choose + New policy.

  4. Enter a name for the policy, such as MFA Pilot.

  5. Under Assignments, choose Users and groups, then the Select users and groups radio button.

  6. Check the box for Users and groups, then Select to browse the available Azure AD users and groups.

  7. Browse for and select your Azure AD group, such as MFA-Test-Group, then choose Select.

    Select your Azure AD group to use with the Conditional Access policy

  8. To apply the Conditional Access policy to the group, select Done.

Configure the conditions for multi-factor authentication

With the Conditional Access policy created and a test group of users assigned, now define the cloud apps or actions that trigger the policy. These cloud apps or actions are the scenarios you decide require additional processing, such as a prompt for MFA. For example, you could decide that access to a financial application or use of management tools requires an additional verification prompt.

For this tutorial, configure the Conditional Access policy to require MFA when a user signs in to the Azure portal.

  1. Select Cloud apps or actions. You can choose to apply the Conditional Access policy to All cloud apps or to Select apps. To provide flexibility, you can also exclude certain apps from the policy.

    For this tutorial, on the Include page, choose the Select apps radio button.

  2. Choose Select, then browse the list of available sign-in events that can be used.

    For this tutorial, choose Azure Management so the policy applies to sign-in events to the Azure portal.

  3. To apply the selected apps, choose Select, then Done.

    Select the Azure Management app to include in the Conditional Access policy

Access controls let you define the requirements for a user to be granted access, such as needing an approved client app or using a device that's Hybrid Azure AD joined. In this tutorial, configure the access controls to require MFA during a sign-in event to the Azure portal.

  1. Under Access controls, choose Grant, then make sure the Grant access radio button is selected.
  2. Check the box for Require multi-factor authentication, then choose Select.

Conditional Access policies can be set to Report-only if you want to see how the configuration would impact users, or Off if you don't want to use the policy right now. As a test group of users was targeted for this tutorial, let's enable the policy and then test Azure Multi-Factor Authentication.

  1. Set the Enable policy toggle to On.
  2. To apply the Conditional Access policy, select Create.

Test Azure Multi-Factor Authentication

Let's see your Conditional Access policy and Azure Multi-Factor Authentication in action. First, sign in to a resource that doesn't require MFA as follows:

  1. Open a new browser window in InPrivate or incognito mode and browse to https://account.activedirectory.windowsazure.cn.
  2. Sign in with your non-administrator test user, such as testuser. There's no prompt for you to complete MFA.
  3. Close the browser window.

Now sign in to the Azure portal. As the Azure portal was configured in the Conditional Access policy to require additional verification, you get an Azure Multi-Factor Authentication prompt.

  1. Open a new browser window in InPrivate or incognito mode and browse to https://portal.azure.cn.

  2. Sign in with your non-administrator test user, such as testuser. You're required to register for and use Azure Multi-Factor Authentication. Follow the prompts to complete the process and verify that you successfully sign in to the Azure portal.

    Follow the browser prompts and sign in after registering for multi-factor authentication

  3. Close the browser window.
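The policy configured in the previous section (a user group assigned, the Azure Management app included, the "Require multi-factor authentication" grant control, and the On / Report-only / Off state) and the two test sign-ins above can be replayed offline with the following miniature evaluator. This is an added example, not Azure's Conditional Access engine and not code from the tutorial; the group and app identifiers are constructed placeholders, and the `to_graph_body` method only mirrors the field layout of the Microsoft Graph conditionalAccessPolicy resource as an assumption, not something the tutorial states.

```python
"""Miniature model of Conditional Access evaluation for the tutorial's policy.

Added example: this is not Azure's engine and not code from the tutorial.
All group/app identifiers are constructed placeholders.
"""
from dataclasses import dataclass, field

# Constructed placeholders standing in for the tutorial's directory objects.
GROUP_MFA_TEST = "grp-mfa-test-group"          # MFA-Test-Group
APP_AZURE_MANAGEMENT = "app-azure-management"  # the "Azure Management" cloud app
APP_MY_APPS = "app-my-apps"                    # a portal the policy does not cover

# Constructed group memberships: testuser is in MFA-Test-Group, otheruser is not.
USER_GROUPS = {
    "testuser": {GROUP_MFA_TEST},
    "otheruser": set(),
}


@dataclass
class Policy:
    display_name: str
    state: str                      # "enabled", "enabledForReportingButNotEnforced" or "disabled"
    include_groups: set
    include_apps: set               # {"All"} or a set of app ids
    exclude_apps: set = field(default_factory=set)
    built_in_controls: set = field(default_factory=set)   # e.g. {"mfa"}

    def to_graph_body(self):
        """Same policy in the field layout of the Microsoft Graph
        conditionalAccessPolicy resource (assumed schema, not from the page)."""
        return {
            "displayName": self.display_name,
            "state": self.state,
            "conditions": {
                "users": {"includeGroups": sorted(self.include_groups)},
                "applications": {
                    "includeApplications": sorted(self.include_apps),
                    "excludeApplications": sorted(self.exclude_apps),
                },
            },
            "grantControls": {
                "operator": "OR",
                "builtInControls": sorted(self.built_in_controls),
            },
        }


@dataclass
class SignIn:
    user: str
    app: str


def policy_applies(policy: Policy, signin: SignIn) -> bool:
    """Assignment conditions: the user must belong to an included group and
    the app must be included (or 'All') and not explicitly excluded."""
    user_in_scope = bool(USER_GROUPS.get(signin.user, set()) & policy.include_groups)
    app_included = "All" in policy.include_apps or signin.app in policy.include_apps
    app_in_scope = app_included and signin.app not in policy.exclude_apps
    return user_in_scope and app_in_scope


def evaluate(policies, signin: SignIn):
    """Return (required_controls, report_only_matches).

    Enabled policies that apply contribute their grant controls; report-only
    policies are recorded so their impact can be reviewed without enforcing it;
    disabled policies are ignored entirely.
    """
    required = set()
    report_only = []
    for policy in policies:
        if policy.state == "disabled" or not policy_applies(policy, signin):
            continue
        if policy.state == "enabledForReportingButNotEnforced":
            report_only.append(policy.display_name)
        elif policy.state == "enabled":
            required |= policy.built_in_controls
    return required, report_only


# The tutorial's policy: MFA-Test-Group signing in to Azure Management needs MFA.
MFA_PILOT = Policy(
    display_name="MFA Pilot",
    state="enabled",
    include_groups={GROUP_MFA_TEST},
    include_apps={APP_AZURE_MANAGEMENT},
    built_in_controls={"mfa"},
)


def tutorial_walkthrough():
    """Replay the two test sign-ins from the tutorial against MFA_PILOT."""
    no_mfa_app = evaluate([MFA_PILOT], SignIn("testuser", APP_MY_APPS))
    portal = evaluate([MFA_PILOT], SignIn("testuser", APP_AZURE_MANAGEMENT))
    return {"my_apps": no_mfa_app, "azure_management": portal}


if __name__ == "__main__":
    for name, (controls, report) in tutorial_walkthrough().items():
        print(f"{name}: required={sorted(controls)} report_only={report}")
```

Running the script shows the same outcome as the manual test: the sign-in to the uncovered portal requires nothing, while the sign-in to Azure Management requires `mfa`. Switching the policy's `state` to `enabledForReportingButNotEnforced` reproduces the Report-only behaviour (the match is recorded, nothing is enforced), which is the safe way to preview a policy before turning it On for a wider group than MFA-Test-Group.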

Clean up resources

If you no longer want to use the Conditional Access policy to enable Azure Multi-Factor Authentication configured as part of this tutorial, delete the policy using the following steps:

  1. Sign in to the Azure portal.
  2. Search for and select Azure Active Directory, then choose Security from the menu on the left-hand side.
  3. Select Conditional Access, then choose the policy you created, such as MFA Pilot.
  4. Choose Delete, then confirm you wish to delete the policy.

Next steps

In this tutorial, you enabled Azure Multi-Factor Authentication using Conditional Access policies for a selected group of users. You learned how to:

  • Create a Conditional Access policy to enable Azure Multi-Factor Authentication for a group of Azure AD users
  • Configure the policy conditions that prompt for MFA
  • Test the MFA process as a user