常用条件访问策略Common Conditional Access policies
安全默认值适用于某些组织,但是许多组织需要的灵活性超出了这些策略能提供的灵活性。Security defaults are great for some but many organizations need more flexibility than they offer. 例如,许多组织都需要能够从需要多重身份验证的条件访问策略中排除特定帐户,如其紧急访问帐户或不受限管理帐户。For example, many organizations need the ability to exclude specific accounts like their emergency access or break-glass administration accounts from Conditional Access policies requiring multi-factor authentication. 对于这些组织,可以使用本文中提到的常用策略。For those organizations, the common policies referenced in this article can be of use.
紧急访问帐户Emergency access accounts
有关紧急访问帐户及其重要原因的详细信息,请参阅以下文章:More information about emergency access accounts and why they are important can be found in the following articles:
组织部署的典型策略Typical policies deployed by organizations
- 阻止旧式身份验证*Block legacy authentication*
- 要求对管理员执行 MFA*Require MFA for administrators*
- 要求将 MFA 用于 Azure 管理*Require MFA for Azure management*
- 要求对所有用户进行 MFA*Require MFA for all users*
* 这四个策略一起配置时可模拟安全默认值启用的功能。* These four policies when configured together, mimic functionality enabled by security defaults.
其他策略Additional policies
- 按位置阻止访问Block access by location
- 需要兼容设备Require compliant device
- 阻止访问,但特定应用除外Block access except specific apps