Conditional Access: Require MFA for administrators

Accounts that are assigned administrative rights are targeted by attackers. Requiring multi-factor authentication (MFA) on those accounts is an easy way to reduce the risk of those accounts being compromised.

Microsoft recommends you require MFA on the following roles at a minimum:

  • Billing administrator
  • Conditional Access administrator
  • Exchange administrator
  • Global administrator
  • Helpdesk (Password) administrator
  • Password administrator
  • Security administrator
  • SharePoint administrator
  • User administrator

Organizations can choose to include or exclude roles as they see fit.

User exclusions

Conditional Access policies are powerful tools, so we recommend excluding the following accounts from your policy:

  • Emergency access or break-glass accounts, to prevent tenant-wide account lockout. In the unlikely scenario that all administrators are locked out of your tenant, your emergency-access administrative account can be used to log into the tenant and take steps to recover access.
  • Service accounts and service principals, such as the Azure AD Connect Sync Account. Service accounts are non-interactive accounts that are not tied to any particular user. They are normally used by back-end services allowing programmatic access to applications, but are also used to sign in to systems for administrative purposes. Service accounts like these should be excluded since MFA can't be completed programmatically. Calls made by service principals are not blocked by Conditional Access.
    • If your organization has these accounts in use in scripts or code, consider replacing them with managed identities. As a temporary workaround, you can exclude these specific accounts from the baseline policy.

Create a Conditional Access policy

The following steps will help create a Conditional Access policy that requires users assigned administrative roles to perform multi-factor authentication.

  1. Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.
  2. Browse to Azure Active Directory > Security > Conditional Access.
  3. Select New policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users and groups.
    1. Under Include, select Directory roles (preview) and choose the following roles at a minimum:

      • Authentication Administrator
      • Billing administrator
      • Conditional Access administrator
      • Exchange administrator
      • Global administrator
      • Helpdesk administrator
      • Password administrator
      • Security administrator
      • SharePoint administrator
      • User administrator

      Warning

      Conditional Access policies do not support users assigned a directory role scoped to an administrative unit or directory roles scoped directly to an object, like through custom roles.

    2. Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.

    3. Select Done.

  6. Under Cloud apps or actions > Include, select All cloud apps, and select Done.
  7. Under Conditions > Client apps (Preview), under Select the client apps this policy will apply to, leave all defaults selected and select Done.
  8. Under Access controls > Grant, select Grant access, Require multi-factor authentication, and select Select.
  9. Confirm your settings and set Enable policy to On.
  10. Select Create to create and enable your policy.
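The same policy can be created from the command line. The following is an added example written for this page, not Microsoft's own code, using the Microsoft Graph PowerShell SDK to build the policy described in the steps above together with the break-glass exclusion from the User exclusions section. It assumes the Microsoft.Graph modules are installed, that a group named CA-Exclude-BreakGlass (an assumed name) already contains the emergency-access accounts, and that the role display names below match the directory role templates in the tenant; role template IDs are looked up by name at run time rather than hard-coded. The policy is created in report-only mode so that sign-in logs can be reviewed before it is switched to enforced.

```powershell
# Added example: create "Require MFA for administrators" with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph modules installed; group "CA-Exclude-BreakGlass" exists
# and holds the emergency-access accounts; role display names match the tenant's templates.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Directory.Read.All"

# Directory roles from step 5 of the procedure.
$requiredRoles = @(
    "Authentication Administrator",
    "Billing Administrator",
    "Conditional Access Administrator",
    "Exchange Administrator",
    "Global Administrator",
    "Helpdesk Administrator",
    "Password Administrator",
    "Security Administrator",
    "SharePoint Administrator",
    "User Administrator"
)

# Resolve each display name to its role template ID; fail loudly on any miss so the
# policy is never created with a silently shorter role list.
$templates = Get-MgDirectoryRoleTemplate -All
$roleIds = foreach ($name in $requiredRoles) {
    $template = $templates | Where-Object { $_.DisplayName -eq $name }
    if (-not $template) { throw "Role template '$name' not found in this tenant" }
    $template.Id
}

# Break-glass exclusion (assumed group name). Refuse to continue without it, because a
# policy that covers every administrator with no exclusion can lock the whole tenant out.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'"
if (-not $breakGlass) { throw "Break-glass exclusion group not found; not creating the policy" }

$policy = @{
    displayName = "CA001: Require MFA for administrators"
    # Report-only first; change to "enabled" after reviewing the sign-in logs.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeRoles  = @($roleIds)
            excludeGroups = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @("All") }   # step 6: All cloud apps
        clientAppTypes = @("all")                               # step 7: default client apps
    }
    grantControls = @{                                          # step 8: Require MFA
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the exclusion survived the round trip.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.Conditions.Users.ExcludeGroups -notcontains $breakGlass.Id) {
    throw "Policy $($created.Id) was created without the break-glass exclusion"
}
"Created policy $($created.Id) in state $($check.State) covering $($roleIds.Count) roles"
```

Running the script in report-only mode and then inspecting the Conditional Access sign-in log entries for the policy shows which administrator sign-ins would have been prompted for MFA; the same body with `state = "enabled"` corresponds to step 9, setting Enable policy to On.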

Next steps

Conditional Access common policies

Simulate sign in behavior using the Conditional Access What If tool