How to: Require MFA for access from untrusted networks with Conditional Access

Azure Active Directory (Azure AD) enables single sign-on to devices, apps, and services from anywhere. Your users can access your cloud apps not only from your organization's network, but also from any untrusted Internet location. A common best practice for access from untrusted networks is to require multi-factor authentication (MFA).

This article gives you the information you need to configure a Conditional Access policy that requires MFA for access from untrusted networks.

Prerequisites

This article assumes that you are familiar with the basic concepts of Conditional Access.

Scenario description

To strike a balance between security and productivity, it might be sufficient to require only a password for sign-ins from your organization's network. However, for access from an untrusted network location, there is an increased risk that sign-ins are not performed by legitimate users. To address this concern, you can block access from untrusted networks. Alternatively, you can require multi-factor authentication (MFA) to gain additional assurance that the attempt was made by the legitimate owner of the account.

With Azure AD Conditional Access, you can address this requirement with a single policy that grants access:

  • To selected cloud apps
  • For selected users and groups
  • Requiring multi-factor authentication
  • When access originates from:
    • A location that is not trusted

Implementation

The challenge of this scenario is to translate "access from an untrusted network location" into a Conditional Access condition. In a Conditional Access policy, you can configure the locations condition to address scenarios that are related to network locations. The locations condition enables you to select named locations, which are logical groupings of IP address ranges, countries, and regions.

Typically, your organization owns one or more address ranges, for example, 199.30.16.0 - 199.30.16.15. You can configure a named location by:

  • Specifying this range (199.30.16.0/28)
  • Assigning a descriptive name such as Corporate Network

Instead of trying to define every location that is not trusted, you can:

  • Include any location

    Screenshot: the Azure AD Locations pane with Configure set to Yes; the Include tab is visible and the "Any location" option is selected and highlighted.

  • Exclude all trusted locations

    Screenshot: the Azure AD Locations pane with Configure set to Yes; the Exclude tab is visible and the "All trusted locations" option is selected.
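The two steps above (define a trusted named location for the corporate range, then build a policy that includes any location and excludes all trusted locations) can be modeled locally to check that the right sign-ins end up in scope. The following is an added example, not Microsoft's own code or a tool from the article. The dictionaries follow the shape of the Microsoft Graph conditionalAccessPolicy and ipNamedLocation resources as the author understands them (an assumption, not confirmed by this page), the app and group object IDs are placeholders, and the evaluator is a deliberate simplification of how Azure AD resolves the locations condition, written only to show why "include All, exclude AllTrusted" singles out the untrusted networks.

```python
"""Model a Conditional Access policy that requires MFA from untrusted
networks and evaluate constructed sample sign-ins against it.

Added example, not Microsoft's code. Graph-shaped resource bodies are an
assumption about the schema; the evaluator is a local simplification.
"""
import ipaddress

# Named location for the range from the article: 199.30.16.0/28 covers
# 199.30.16.0 - 199.30.16.15. isTrusted marks it as a trusted location.
CORPORATE_NETWORK = {
    "@odata.type": "#microsoft.graph.ipNamedLocation",
    "displayName": "Corporate Network",
    "isTrusted": True,
    "ipRanges": [
        {"@odata.type": "#microsoft.graph.iPv4CidrRange",
         "cidrAddress": "199.30.16.0/28"},
    ],
}


def build_policy(app_ids, group_ids):
    """Return the policy body: selected apps and groups, include any location,
    exclude all trusted locations, grant access only with MFA.
    app_ids and group_ids are object IDs (placeholders in this example)."""
    return {
        "displayName": "Require MFA from untrusted networks",
        # Report-only first so the policy can be tested before enforcement,
        # as the article recommends; switch to "enabled" after validation.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "applications": {"includeApplications": list(app_ids)},
            "users": {"includeGroups": list(group_ids)},
            "locations": {
                "includeLocations": ["All"],
                "excludeLocations": ["AllTrusted"],
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def is_trusted_ip(ip, named_locations):
    """True when ip falls inside any CIDR of a named location marked trusted."""
    addr = ipaddress.ip_address(ip)
    for loc in named_locations:
        if not loc.get("isTrusted"):
            continue
        for rng in loc["ipRanges"]:
            if addr in ipaddress.ip_network(rng["cidrAddress"], strict=False):
                return True
    return False


def mfa_required(policy, ip, named_locations):
    """Local evaluation of the locations condition: with includeLocations=All
    and excludeLocations=AllTrusted, a sign-in is in scope (so MFA is required)
    exactly when the source IP is outside every trusted named location."""
    locs = policy["conditions"]["locations"]
    in_scope = "All" in locs["includeLocations"]
    if "AllTrusted" in locs["excludeLocations"] and is_trusted_ip(ip, named_locations):
        in_scope = False
    return in_scope and "mfa" in policy["grantControls"]["builtInControls"]


if __name__ == "__main__":
    policy = build_policy(["<app-object-id>"], ["<group-object-id>"])
    # Constructed sample sign-ins: last address inside the /28, the first
    # address just past it, and an unrelated public address.
    for ip in ("199.30.16.15", "199.30.16.16", "203.0.113.7"):
        verdict = "MFA required" if mfa_required(policy, ip, [CORPORATE_NETWORK]) else "password only"
        print(ip, verdict)
```

The boundary case is the point of the check: 199.30.16.15 is the last address of the /28 and stays password-only, while 199.30.16.16 is one address further and is treated as untrusted. A named location that is not marked trusted does not exempt anything, which is why the trusted flag matters as much as the range itself.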

Policy deployment

With the approach outlined in this article, you can now configure a Conditional Access policy for untrusted locations. To make sure that your policy works as expected, the recommended best practice is to test it before rolling it out into production. Ideally, use a test tenant to verify whether your new policy works as intended.

Next steps

If you would like to learn more about Conditional Access, see What is Conditional Access in Azure Active Directory?