How to: Block legacy authentication to Azure AD with Conditional Access

To give your users easy access to your cloud apps, Azure Active Directory (Azure AD) supports a broad variety of authentication protocols including legacy authentication. However, legacy protocols don't support multi-factor authentication (MFA). MFA is in many environments a common requirement to address identity theft.

Alex Weinert, Director of Identity Security at Microsoft, in his March 12, 2020 blog post New tools to block legacy authentication in your organization, emphasizes why organizations should block legacy authentication and what additional tools Microsoft provides to accomplish this task:

For MFA to be effective, you also need to block legacy authentication. This is because legacy authentication protocols like POP, SMTP, IMAP, and MAPI can't enforce MFA, making them preferred entry points for adversaries attacking your organization...

...The numbers on legacy authentication from an analysis of Azure Active Directory (Azure AD) traffic are stark:

  • More than 99 percent of password spray attacks use legacy authentication protocols
  • More than 97 percent of credential stuffing attacks use legacy authentication
  • Azure AD accounts in organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled

If your environment is ready to block legacy authentication to improve your tenant's protection, you can accomplish this goal with Conditional Access. This article explains how you can configure Conditional Access policies that block legacy authentication for your tenant.

Prerequisites

This article assumes that you are familiar with the basic concepts of Azure AD Conditional Access.

Scenario description

Azure AD supports several of the most widely used authentication and authorization protocols, including legacy authentication. Legacy authentication refers to protocols that use basic authentication. Typically, these protocols can't enforce any type of second-factor authentication. Examples of apps that are based on legacy authentication are:

  • Older Microsoft Office apps
  • Apps using mail protocols like POP, IMAP, and SMTP

Single-factor authentication (for example, username and password) is not enough these days. Passwords are bad as they are easy to guess, and we (humans) are bad at choosing good passwords. Passwords are also vulnerable to a variety of attacks like phishing and password spray. One of the easiest things you can do to protect against password threats is to implement multi-factor authentication (MFA). With MFA, even if an attacker gets in possession of a user's password, the password alone is not sufficient to successfully authenticate and access the data.

How can you prevent apps using legacy authentication from accessing your tenant's resources? The recommendation is to just block them with a Conditional Access policy. If necessary, you can allow only certain users and specific network locations to use apps that are based on legacy authentication.

Conditional Access policies are enforced after the first-factor authentication has been completed. Therefore, Conditional Access is not intended as a first line of defense for scenarios like denial-of-service (DoS) attacks, but it can utilize signals from these events (for example, the sign-in risk level, location of the request, and so on) to determine access.

Implementation

This section explains how to configure a Conditional Access policy to block legacy authentication.

Legacy authentication protocols

The following options are considered legacy authentication protocols:

  • Authenticated SMTP - Used by POP and IMAP clients to send email messages.
  • Autodiscover - Used by Outlook and EAS clients to find and connect to mailboxes in Exchange Online.
  • Exchange ActiveSync (EAS) - Used to connect to mailboxes in Exchange Online.
  • Exchange Online PowerShell - Used to connect to Exchange Online with remote PowerShell. If you block Basic authentication for Exchange Online PowerShell, you need to use the Exchange Online PowerShell Module to connect. For instructions, see Connect to Exchange Online PowerShell using multi-factor authentication.
  • Exchange Web Services (EWS) - A programming interface that's used by Outlook, Outlook for Mac, and third-party apps.
  • IMAP4 - Used by IMAP email clients.
  • MAPI over HTTP (MAPI/HTTP) - Used by Outlook 2010 and later.
  • Offline Address Book (OAB) - A copy of address list collections that are downloaded and used by Outlook.
  • Outlook Anywhere (RPC over HTTP) - Used by Outlook 2016 and earlier.
  • Outlook Service - Used by the Mail and Calendar app for Windows 10.
  • POP3 - Used by POP email clients.
  • Reporting Web Services - Used to retrieve report data in Exchange Online.
  • Other clients - Other protocols identified as utilizing legacy authentication.

For more information about these authentication protocols and services, see Sign-in activity reports in the Azure Active Directory portal.

Identify legacy authentication use

Before you can block legacy authentication in your directory, you need to first understand if your users have apps that use legacy authentication and how it affects your overall directory. Azure AD sign-in logs can be used to understand if you're using legacy authentication.

  1. Navigate to the Azure portal > Azure Active Directory > Sign-ins.
  2. Add the Client App column if it is not shown by clicking on Columns > Client App.
  3. Add filters > Client App > select all of the legacy authentication protocols. Select outside the filtering dialog box to apply your selections and close the dialog box.

Filtering will only show you sign-in attempts that were made by legacy authentication protocols. Clicking on each individual sign-in attempt will show you additional details. The Client App field under the Basic Info tab will indicate which legacy authentication protocol was used.

These logs will indicate which users are still depending on legacy authentication and which applications are using legacy protocols to make authentication requests. For users that do not appear in these logs and are confirmed to not be using legacy authentication, implement a Conditional Access policy for these users only.
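The same review can be done offline against an export of the sign-in logs. The following PowerShell is an added example, not code from the original article: it assumes records shaped like the Microsoft Graph `signIns` resource (properties `userPrincipalName`, `clientAppUsed`, `appDisplayName` and `status.errorCode`), groups the legacy-protocol sign-ins by user and client app, and lists the users who would need to be excluded from (or left out of) a first blocking policy. The sample records are constructed.

```powershell
# Client App values the article lists as legacy authentication protocols,
# as they appear in the Client App field of the Azure AD sign-in logs.
$LegacyClientApps = @(
    'Authenticated SMTP', 'Autodiscover', 'Exchange ActiveSync',
    'Exchange Online PowerShell', 'Exchange Web Services', 'IMAP4',
    'MAPI Over HTTP', 'Offline Address Book', 'Outlook Anywhere (RPC over HTTP)',
    'Outlook Service', 'POP3', 'Reporting Web Services', 'Other clients'
)

function Get-LegacyAuthSummary {
    # One row per user / client app pair: attempts, successes (errorCode 0) and target apps.
    param([Parameter(Mandatory)] [object[]] $SignIns)

    $SignIns |
        Where-Object { $LegacyClientApps -contains $_.clientAppUsed } |
        Group-Object userPrincipalName, clientAppUsed |
        ForEach-Object {
            [pscustomobject]@{
                User       = $_.Group[0].userPrincipalName
                ClientApp  = $_.Group[0].clientAppUsed
                Attempts   = $_.Count
                Successful = @($_.Group | Where-Object { $_.status.errorCode -eq 0 }).Count
                Apps       = ($_.Group.appDisplayName | Sort-Object -Unique) -join ', '
            }
        } | Sort-Object Attempts -Descending
}

function Get-UsersWithoutLegacyAuth {
    # Users seen in the export who never used a legacy protocol: candidates for the first policy.
    param([Parameter(Mandatory)] [object[]] $SignIns)
    $legacyUsers = @($SignIns | Where-Object { $LegacyClientApps -contains $_.clientAppUsed }).userPrincipalName
    $SignIns.userPrincipalName | Sort-Object -Unique | Where-Object { $legacyUsers -notcontains $_ }
}

# Constructed sample records (not real tenant data), shaped like Graph signIns output.
$sample = @(
    [pscustomobject]@{ userPrincipalName = 'alice@contoso.example'; clientAppUsed = 'IMAP4';       appDisplayName = 'Office 365 Exchange Online'; status = @{ errorCode = 0 } }
    [pscustomobject]@{ userPrincipalName = 'alice@contoso.example'; clientAppUsed = 'IMAP4';       appDisplayName = 'Office 365 Exchange Online'; status = @{ errorCode = 50126 } }
    [pscustomobject]@{ userPrincipalName = 'bob@contoso.example';   clientAppUsed = 'Browser';     appDisplayName = 'Office 365 SharePoint Online'; status = @{ errorCode = 0 } }
    [pscustomobject]@{ userPrincipalName = 'svc-scan@contoso.example'; clientAppUsed = 'Authenticated SMTP'; appDisplayName = 'Office 365 Exchange Online'; status = @{ errorCode = 0 } }
    [pscustomobject]@{ userPrincipalName = 'carol@contoso.example'; clientAppUsed = 'Mobile Apps and Desktop clients'; appDisplayName = 'Microsoft Teams'; status = @{ errorCode = 0 } }
)

Get-LegacyAuthSummary -SignIns $sample | Format-Table -AutoSize
'Users with no legacy authentication sign-ins:'
Get-UsersWithoutLegacyAuth -SignIns $sample
```

With a real export, replace `$sample` with the output of `Get-MgAuditLogSignIn` or a parsed JSON download from the portal; the error code 50126 in the sample stands for a failed password check and is used only to show that failed attempts are counted separately.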

Block legacy authentication

There are two ways to use Conditional Access policies to block legacy authentication.

Directly blocking legacy authentication

The easiest way to block legacy authentication across your entire organization is by configuring a Conditional Access policy that applies specifically to legacy authentication clients and blocks access. When assigning users and applications to the policy, make sure to exclude users and service accounts that still need to sign in using legacy authentication. Configure the client apps condition by selecting Exchange ActiveSync clients and Other clients. To block access for these client apps, configure the access controls to Block access.

Client apps condition configured to block legacy authentication

Indirectly blocking legacy authentication

Even if your organization isn't ready to block legacy authentication across the entire organization, you should ensure that sign-ins using legacy authentication aren't bypassing policies that require grant controls such as requiring multi-factor authentication or compliant/hybrid Azure AD joined devices. During authentication, legacy authentication clients do not support sending MFA, device compliance, or join state information to Azure AD. Therefore, apply policies with grant controls to all client applications so that legacy authentication based sign-ins that cannot satisfy the grant controls are blocked. With the general availability of the client apps condition in August 2020, newly created Conditional Access policies apply to all client apps by default.
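Both policies described above (the direct block on Exchange ActiveSync and Other clients, and the indirect block via an MFA grant control applied to all client apps) can be created with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not code from the original article; it assumes `Connect-MgGraph` has already been run with the `Policy.ReadWrite.ConditionalAccess` scope, and the exclusion group ID is a placeholder for a group holding the accounts that still need legacy authentication.

```powershell
# Added example: create the two policies the article describes via Microsoft Graph PowerShell.
# Assumes: Install-Module Microsoft.Graph; Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'
# PLACEHOLDER: object ID of a group containing users/service accounts that still need legacy auth.
$LegacyAuthExclusionGroupId = '00000000-0000-0000-0000-000000000000'

# Policy 1: direct block. Client apps condition = Exchange ActiveSync clients + Other clients,
# access control = Block access, everyone in scope except the exclusion group.
$blockLegacyAuth = @{
    displayName   = 'Block legacy authentication'
    # Report-only first: the sign-in logs then show what the policy would have blocked.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('exchangeActiveSync', 'other')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($LegacyAuthExclusionGroupId)
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 2: indirect block. Requiring MFA for all client apps denies legacy clients as a
# side effect, because they cannot send MFA or device state to Azure AD.
$requireMfaAllClients = @{
    displayName   = 'Require MFA for all cloud apps (all client apps)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('all')   # explicitly 'all', so legacy clients are not left out
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($LegacyAuthExclusionGroupId)
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

function New-LegacyAuthPolicies {
    # Creates both policies and returns the created policy objects (Id, DisplayName, State).
    foreach ($policy in $blockLegacyAuth, $requireMfaAllClients) {
        New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    }
}

New-LegacyAuthPolicies | Select-Object DisplayName, Id, State
```

After reviewing the report-only results in the sign-in logs, switch `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`; the article notes that a policy can take up to 24 hours to take effect.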

Client apps condition default configuration

What you should know

Blocking access using Other clients also blocks Exchange Online PowerShell and Dynamics 365 using basic auth.

Configuring a policy for Other clients blocks the entire organization from certain clients like SPConnect. This block happens because older clients authenticate in unexpected ways. The issue doesn't apply to major Office applications like the older Office clients.

It can take up to 24 hours for the policy to go into effect.

You can select all available grant controls for the Other clients condition; however, the end-user experience is always the same - blocked access.

SharePoint Online and B2B guest users

To block B2B user access via legacy authentication to SharePoint Online, organizations must disable legacy authentication on SharePoint using the Set-SPOTenant PowerShell command and setting the -LegacyAuthProtocolsEnabled parameter to $false. More information about setting this parameter can be found in the SharePoint PowerShell reference document regarding Set-SPOTenant.

Next steps