Conditional Access: Require MFA for all users

As Alex Weinert, the Director of Identity Security at Microsoft, mentions in his blog post Your Pa$$word doesn't matter:

Your password doesn't matter, but MFA does! Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.

The guidance in this article will help your organization create a balanced MFA policy for your environment.

User exclusions

Conditional Access policies are powerful tools, so we recommend excluding the following accounts from your policy:

  • Emergency access or break-glass accounts, to prevent tenant-wide account lockout. In the unlikely scenario that all administrators are locked out of your tenant, your emergency-access administrative account can be used to log into the tenant and take steps to recover access.
  • Service accounts and service principals, such as the Azure AD Connect Sync Account. Service accounts are non-interactive accounts that are not tied to any particular user. They are normally used by back-end services allowing programmatic access to applications, but are also used to sign in to systems for administrative purposes. Service accounts like these should be excluded since MFA can't be completed programmatically. Calls made by service principals are not blocked by Conditional Access.
    • If your organization has these accounts in use in scripts or code, consider replacing them with managed identities. As a temporary workaround, you can exclude these specific accounts from the baseline policy.

Application exclusions

Organizations may have many cloud applications in use. Not all of those applications may require equal security. For example, the payroll and attendance applications may require MFA, but the cafeteria application probably doesn't. Administrators can choose to exclude specific applications from their policy.

Create a Conditional Access policy

The following steps will help create a Conditional Access policy that requires all users to perform multi-factor authentication.

  1. Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.
  2. Browse to Azure Active Directory > Security > Conditional Access.
  3. Select New policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users and groups.
    1. Under Include, select All users.
    2. Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
    3. Select Done.
  6. Under Cloud apps or actions > Include, select All cloud apps.
    1. Under Exclude, select any applications that do not require multi-factor authentication.
  7. Under Conditions > Client apps (Preview), set Configure to Yes, and select Done.
  8. Under Access controls > Grant, select Grant access, Require multi-factor authentication, and select Select.
  9. Confirm your settings and set Enable policy to On.
  10. Select Create to create and enable your policy.

Named locations

Organizations may choose to incorporate known network locations, known as Named locations, into their Conditional Access policies. These named locations may include trusted IPv4 networks like those for a main office location. For more information about configuring named locations, see the article What is the location condition in Azure Active Directory Conditional Access?

In the example policy above, an organization may choose not to require multi-factor authentication when accessing a cloud app from their corporate network. In this case they could add the following configuration to the policy:

  1. Under Assignments, select Conditions > Locations.
    1. Configure: Yes.
    2. Include: Any location.
    3. Exclude: All trusted locations.
    4. Select Done.
  2. Select Done.
  3. Save your policy changes.
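The portal steps above (the all-users MFA policy, its user and application exclusions, and the optional trusted-location exemption) map onto a single conditionalAccessPolicy object that can also be submitted to Microsoft Graph. The following is an added example, not code from this article or from Microsoft: it builds that request body and then checks it against the exclusion guidance given earlier (break-glass accounts excluded, MFA grant control present, policy enabled). The object IDs are constructed placeholders, and the helper names `build_mfa_policy` and `lint_policy` are this example's own; the JSON shape follows the documented Graph conditionalAccessPolicy resource.

```python
"""Build and sanity-check the Graph request body for a 'Require MFA for all users'
Conditional Access policy (added example; object IDs are constructed placeholders).

The resulting dictionary is the documented body for
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
"""
import json

# Constructed placeholder directory object IDs; replace with your tenant's real IDs.
BREAK_GLASS_ACCOUNTS = ["11111111-1111-1111-1111-111111111111"]
SYNC_SERVICE_ACCOUNT = ["22222222-2222-2222-2222-222222222222"]   # e.g. the AAD Connect sync account
CAFETERIA_APP = ["33333333-3333-3333-3333-333333333333"]          # an app that does not need MFA


def build_mfa_policy(name, break_glass, service_accounts=(), excluded_apps=(),
                     exempt_trusted_locations=False, report_only=False):
    """Return the Graph policy body corresponding to the portal steps on this page.

    Step 5:  All users included, break-glass (and any service accounts) excluded.
    Step 6:  All cloud apps included, listed apps excluded.
    Step 7:  Client apps condition configured for all client app types.
    Step 8:  Grant access with the built-in 'mfa' control.
    Step 9:  Enabled (or report-only, which is the Graph state used for staged rollout).
    Named locations section: include Any location, exclude All trusted locations.
    """
    policy = {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": list(break_glass) + list(service_accounts),
            },
            "applications": {
                "includeApplications": ["All"],
                "excludeApplications": list(excluded_apps),
            },
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }
    if exempt_trusted_locations:
        policy["conditions"]["locations"] = {
            "includeLocations": ["All"],
            "excludeLocations": ["AllTrusted"],
        }
    return policy


def lint_policy(policy, known_break_glass):
    """Check a policy body against the exclusion guidance on this page.

    Returns a list of human-readable findings; an empty list means the policy
    targets all users, excludes every known break-glass account, requires MFA,
    and is enforced rather than report-only or disabled.
    """
    findings = []
    conditions = policy.get("conditions", {})
    users = conditions.get("users", {})
    if "All" not in users.get("includeUsers", []):
        findings.append("policy does not target All users")
    missing = set(known_break_glass) - set(users.get("excludeUsers", []))
    if missing:
        findings.append(f"break-glass accounts not excluded: {sorted(missing)}")
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    if "mfa" not in controls:
        findings.append("grant controls do not require multi-factor authentication")
    if policy.get("state") != "enabled":
        findings.append(f"policy is not enforced (state={policy.get('state')!r})")
    locations = conditions.get("locations")
    if locations and "AllTrusted" in locations.get("excludeLocations", []) \
            and "All" not in locations.get("includeLocations", []):
        findings.append("trusted locations excluded without including all locations")
    return findings


if __name__ == "__main__":
    body = build_mfa_policy(
        "CA001: Require MFA for all users",
        BREAK_GLASS_ACCOUNTS,
        service_accounts=SYNC_SERVICE_ACCOUNT,
        excluded_apps=CAFETERIA_APP,
        exempt_trusted_locations=True,
    )
    print(json.dumps(body, indent=2))
    for finding in lint_policy(body, BREAK_GLASS_ACCOUNTS):
        print("FINDING:", finding)
```

The `lint_policy` check is the part worth keeping around: run it against every Conditional Access policy body before submitting it, so a policy that forgets the break-glass exclusion never reaches the tenant, and a policy left in report-only state is flagged rather than silently assumed to be enforcing MFA.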

Next steps

Conditional Access common policies

Simulate sign in behavior using the Conditional Access What If tool