Revoke user access in Azure Active Directory

Scenarios that can require an administrator to revoke all access for a user include compromised accounts, employee termination, and other insider threats. Depending on the complexity of the environment, administrators can take several steps to ensure that access is revoked. In some scenarios there is a window between the initiation of access revocation and the moment access is effectively revoked.

To mitigate the risk of that window, you must understand how tokens work. There are many kinds of tokens, but they fall into one of the patterns described in the following sections.

Access tokens and refresh tokens

Access tokens and refresh tokens are frequently used by thick (native) client applications, and also by browser-based applications such as single-page apps.

  • When a user authenticates to Azure AD, authorization policies are evaluated to determine whether the user can be granted access to a specific resource.

  • If authorized, Azure AD issues an access token and a refresh token for the resource.

  • Access tokens issued by Azure AD last for 1 hour by default. If the authentication protocol allows it, the app can silently reauthenticate the user by passing the refresh token to Azure AD when the access token expires.

Azure AD then reevaluates its authorization policies. If the user is still authorized, Azure AD issues a new access token and a new refresh token.

Access tokens are a security concern when access must be revoked within a time shorter than the token lifetime, which is usually around an hour: a token that was already issued stays valid until it expires, even after the user has been disabled. For this reason, Microsoft is actively working to bring continuous access evaluation to Microsoft 365 applications, which helps ensure invalidation of access tokens in near real time.

Session tokens (cookies)

Most browser-based applications use session tokens instead of access and refresh tokens.

  • When a user opens a browser and authenticates to an application via Azure AD, the user receives two session tokens: one from Azure AD and another from the application.

  • Once an application issues its own session token, access to the application is governed by the application's session. At this point, the user is subject only to the authorization policies that the application itself is aware of.

  • The authorization policies of Azure AD are reevaluated only as often as the application sends the user back to Azure AD. Reevaluation usually happens silently, but the frequency depends on how the application is configured. It is possible that the app never sends the user back to Azure AD as long as its own session token is valid.

  • For a session token to be revoked, the application must revoke access based on its own authorization policies. Azure AD can't directly revoke a session token issued by an application.

Revoke access for a user in a hybrid environment

For a hybrid environment with on-premises Active Directory synchronized to Azure Active Directory, Microsoft recommends that IT admins take the following actions.

On-premises Active Directory environment

As an admin in Active Directory, connect to your on-premises network, open PowerShell, and take the following actions:

  1. Disable the user in Active Directory. Refer to Disable-ADAccount.

    Disable-ADAccount -Identity johndoe  
    
  2. Reset the user's password twice in Active Directory. Refer to Set-ADAccountPassword.

    Note

    The reason for changing the user's password twice is to mitigate the risk of pass-the-hash, especially if there are delays in on-premises password replication: each reset changes the stored NT hash, so a hash captured before the reset can no longer be replayed. If you can safely assume the account isn't compromised, you may reset the password only once.

    Important

    Don't use the example passwords in the following cmdlets. Be sure to replace them with random strings.

    Set-ADAccountPassword -Identity johndoe -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "p@ssw0rd1" -Force)
    Set-ADAccountPassword -Identity johndoe -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "p@ssw0rd2" -Force)
    

Azure Active Directory environment

As an administrator in Azure Active Directory, open PowerShell, run Connect-AzureAD, and take the following actions:

  1. Disable the user in Azure AD. Refer to Set-AzureADUser.

    Set-AzureADUser -ObjectId johndoe@contoso.com -AccountEnabled $false
    
  2. Revoke the user's Azure AD refresh tokens. Refer to Revoke-AzureADUserAllRefreshToken.

    Revoke-AzureADUserAllRefreshToken -ObjectId johndoe@contoso.com
    
  3. Disable the user's devices. Refer to Get-AzureADUserRegisteredDevice.

    Get-AzureADUserRegisteredDevice -ObjectId johndoe@contoso.com | Set-AzureADDevice -AccountEnabled $false
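
The two procedures above can be run as one script. The following is an added example, not code from the original page or from Microsoft: it performs the on-premises and Azure AD steps for a single user, generates the two throw-away passwords with a cryptographic random source instead of the placeholder strings, and then verifies that each step took effect before reporting the window during which already-issued access tokens remain valid. It assumes the ActiveDirectory and AzureAD modules are installed, that Connect-AzureAD has already been run, and that the sAMAccountName and UPN passed in are placeholders for the real account.

```powershell
# Added example (not from the original page): end-to-end revocation runbook for a
# hybrid user, with verification. Assumes the ActiveDirectory and AzureAD modules
# are installed and Connect-AzureAD has already been run in this session.
# Usage: .\Revoke-HybridUserAccess.ps1 -SamAccountName johndoe -UserPrincipalName johndoe@contoso.com
param(
    [Parameter(Mandatory)][string]$SamAccountName,    # placeholder, e.g. johndoe
    [Parameter(Mandatory)][string]$UserPrincipalName, # placeholder, e.g. johndoe@contoso.com
    [switch]$AssumeNotCompromised                     # one password reset instead of two
)

$ErrorActionPreference = 'Stop'   # any failed step aborts the run instead of continuing silently
Import-Module ActiveDirectory
Import-Module AzureAD

function New-RandomPassword {
    # 32 characters from a 64-symbol alphabet drawn from the OS CSPRNG. Because 64 divides 256,
    # "byte mod 64" is unbiased. The value is never displayed or stored; it only has to be unknown.
    param([int]$Length = 32)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
    return (ConvertTo-SecureString -String $plain -AsPlainText -Force)
}

# --- On-premises Active Directory ---
Disable-ADAccount -Identity $SamAccountName

# Two resets change the NT hash twice, so a hash captured before the first reset cannot be
# replayed while password replication lags. One reset is enough if the account is known clean.
$resetCount = if ($AssumeNotCompromised) { 1 } else { 2 }
for ($i = 1; $i -le $resetCount; $i++) {
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword (New-RandomPassword)
}

# --- Azure Active Directory ---
Set-AzureADUser -ObjectId $UserPrincipalName -AccountEnabled $false
Revoke-AzureADUserAllRefreshToken -ObjectId $UserPrincipalName
Get-AzureADUserRegisteredDevice -ObjectId $UserPrincipalName |
    Set-AzureADDevice -AccountEnabled $false

# --- Verification: re-read every object and fail loudly if a step did not apply ---
$adUser = Get-ADUser -Identity $SamAccountName -Properties Enabled
if ($adUser.Enabled) { throw "On-premises account $SamAccountName is still enabled" }

$aadUser = Get-AzureADUser -ObjectId $UserPrincipalName
if ($aadUser.AccountEnabled) { throw "Azure AD account $UserPrincipalName is still enabled" }

# Revoke-AzureADUserAllRefreshToken moves RefreshTokensValidFromDateTime (UTC) to "now";
# any refresh token issued before that instant is rejected at its next renewal attempt.
$revokedAt = $aadUser.RefreshTokensValidFromDateTime
if ($revokedAt -lt (Get-Date).ToUniversalTime().AddMinutes(-5)) {
    throw "Refresh-token revocation for $UserPrincipalName does not appear to have applied"
}

$stillEnabled = Get-AzureADUserRegisteredDevice -ObjectId $UserPrincipalName |
    Where-Object { $_.AccountEnabled }
if ($stillEnabled) { throw "Devices still enabled: $($stillEnabled.DisplayName -join ', ')" }

# Existing access tokens are not recalled. With the default 1-hour lifetime, the last token
# issued just before revocation expires no later than roughly this time.
[pscustomobject]@{
    User                   = $UserPrincipalName
    PasswordResets         = $resetCount
    RefreshTokensRevokedAt = $revokedAt
    AccessTokensExpireBy   = $revokedAt.AddHours(1)
}
```

The verification block is the part worth keeping even if the rest is adapted to an existing runbook: each of the five steps is cheap to re-read from the directory, and the RefreshTokensValidFromDateTime check is the only direct evidence that the refresh-token revocation actually landed. The reported AccessTokensExpireBy value is an upper bound that assumes the default 1-hour access-token lifetime; a tenant that has configured a different lifetime should adjust it.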
    

Optional steps

Note

Data on the device cannot be recovered after a wipe.

When access is revoked

Once admins have taken the above steps, the user can't obtain new tokens for any application tied to Azure Active Directory. The elapsed time between revocation and the user losing access depends on how the application grants access:

  • For applications using access tokens, the user loses access when the current access token expires (by default, up to 1 hour after revocation), because the revoked refresh token can no longer be exchanged for a new one.

  • For applications that use session tokens, the existing sessions end when the session token expires. If the disabled state of the user is synchronized to the application, the application can automatically revoke the user's existing sessions if it's configured to do so. The time this takes depends on the frequency of synchronization between the application and Azure AD.

Next steps