Tutorial: Enforce multi-factor authentication for B2B guest users

When collaborating with external B2B guest users, it’s a good idea to protect your apps with multi-factor authentication (MFA) policies. Then external users will need more than just a user name and password to access your resources. In Azure Active Directory (Azure AD), you can accomplish this goal with a Conditional Access policy that requires MFA for access. MFA policies can be enforced at the tenant, app, or individual guest user level, the same way that they are enabled for members of your own organization.

Example:

Diagram showing a guest user signing in to company apps

  1. An admin or employee at Company A invites a guest user to use a cloud or on-premises application that is configured to require MFA for access.
  2. The guest user signs in with their own work or school identity.
  3. The user is asked to complete an MFA challenge.
  4. The user sets up MFA with Company A and chooses their MFA option. The user is allowed access to the application.

In this tutorial, you will:

  • Test the sign-in experience before MFA setup.
  • Create a Conditional Access policy that requires MFA for access to a cloud app in your environment. In this tutorial, we’ll use the Azure Management app to illustrate the process.
  • Use the What If tool to simulate MFA sign-in.
  • Test your Conditional Access policy.
  • Clean up the test user and policy.

If you don’t have an Azure subscription, create a trial account before you begin.

Prerequisites

To complete the scenario in this tutorial, you need:

  • Access to Azure AD Premium edition, which includes Conditional Access policy capabilities. To enforce MFA, you need to create an Azure AD Conditional Access policy. Note that MFA policies are always enforced at your organization, regardless of whether the partner has MFA capabilities. If you set up MFA for your organization, you’ll need to make sure you have sufficient Azure AD Premium licenses for your guest users.
  • A valid external email account that you can add to your tenant directory as a guest user and use to sign in. If you don't know how to create a guest account, see Add a B2B guest user in the Azure portal.

Create a test guest user in Azure AD

  1. Sign in to the Azure portal as an Azure AD administrator.

  2. In the left pane, select Azure Active Directory.

  3. Under Manage, select Users.

  4. Select New guest user.

    Screenshot showing where to select the New guest user option

  5. Under User name, enter the email address of the external user. Optionally, include a welcome message.

    Screenshot showing where to enter the guest invitation message

  6. Select Invite to automatically send the invitation to the guest user. A Successfully invited user message appears.

  7. After you send the invitation, the user account is automatically added to the directory as a guest.

Test the sign-in experience before MFA setup

  1. Use your test user name and password to sign in to the Azure portal.
  2. Note that you’re able to access the Azure portal using just your sign-in credentials. No additional authentication is required.
  3. Sign out.

Create a Conditional Access policy that requires MFA

  1. Sign in to the Azure portal as a security administrator or a Conditional Access administrator.

  2. In the Azure portal, select Azure Active Directory.

  3. On the Azure Active Directory page, in the Security section, select Conditional Access.

  4. On the Conditional Access page, in the toolbar at the top, select New policy.

  5. On the New page, in the Name textbox, type Require MFA for B2B portal access.

  6. In the Assignments section, select Users and groups.

  7. On the Users and groups page, choose Select users and groups, and then select All guest users (preview).

    Screenshot showing All guest users selected

  8. Select Done.

  9. On the New page, in the Assignments section, select Cloud apps.

  10. On the Cloud apps page, choose Select apps, and then choose Select.

    Screenshot showing the Cloud apps page and the Select option

  11. On the Select page, choose Azure Management, and then choose Select.

    Screenshot showing the Azure Management app selected

  12. On the Cloud apps page, select Done.

  13. On the New page, in the Access controls section, select Grant.

  14. On the Grant page, choose Grant access, select the Require multi-factor authentication check box, and then choose Select.

    Screenshot showing the Require multi-factor authentication option

  15. Under Enable policy, select On.

    Screenshot showing the Enable policy option set to On

  16. Select Create.

Use the What If option to simulate sign-in

  1. On the Conditional Access - Policies page, select What If.

    Screenshot showing where to select the What If option

  2. Select User, choose your test guest user, and then choose Select.

    Screenshot showing a guest user selected

  3. Select Cloud apps.

  4. On the Cloud apps page, choose Select apps and then click Select. In the applications list, select Azure Management, and then click Select.

    Screenshot showing the Azure Management app selected

  5. On the Cloud apps page, select Done.

  6. Select What If, and verify that your new policy appears under Evaluation results on the Policies that will apply tab.

    Screenshot showing where to select the What If option
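As an added example that is not part of the original tutorial, the following Python expresses the policy built in the portal steps above as a Microsoft Graph conditionalAccessPolicy body and adds a simplified stand-in for the What If evaluation (it models only the user and app conditions this tutorial configures, not Azure AD's full evaluator). The app ID is the well-known one for the Azure Management cloud app; OTHER_APP_ID is a constructed placeholder.

```python
import json

# Well-known application ID of the "Azure Management" cloud app (Windows Azure
# Service Management API) selected in the tutorial's Cloud apps step.
AZURE_MANAGEMENT_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
# Constructed placeholder for an unrelated cloud app used in the demo below.
OTHER_APP_ID = "11111111-2222-3333-4444-555555555555"

def build_policy(name="Require MFA for B2B portal access", enabled=True):
    """Graph conditionalAccessPolicy body equivalent to the portal steps:
    all guest users, the Azure Management app, grant = MFA, policy on."""
    return {
        "displayName": name,
        "state": "enabled" if enabled else "disabled",
        "conditions": {
            "users": {"includeUsers": ["GuestsOrExternalUsers"]},
            "applications": {"includeApplications": [AZURE_MANAGEMENT_APP_ID]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }

def policy_applies(policy, user_type, app_id):
    """Simplified What If check: does `policy` fire for a sign-in by a user of
    `user_type` ("Guest" or "Member") to `app_id`? Only the user and app
    conditions this tutorial configures are modelled; the real evaluator also
    weighs exclusions, locations, device platforms, sign-in risk and more."""
    if policy["state"] != "enabled":
        return False
    users = policy["conditions"]["users"]["includeUsers"]
    user_match = "All" in users or (
        user_type == "Guest" and "GuestsOrExternalUsers" in users)
    apps = policy["conditions"]["applications"]["includeApplications"]
    app_match = "All" in apps or app_id in apps
    return user_match and app_match

def required_controls(policies, user_type, app_id):
    """Union of grant controls from every policy that applies to the sign-in
    (what the What If tool lists under 'Policies that will apply')."""
    controls = set()
    for policy in policies:
        if policy_applies(policy, user_type, app_id):
            controls.update(policy["grantControls"]["builtInControls"])
    return sorted(controls)

if __name__ == "__main__":
    policy = build_policy()
    print(json.dumps(policy, indent=2))
    for who, app in [("Guest", AZURE_MANAGEMENT_APP_ID),
                     ("Member", AZURE_MANAGEMENT_APP_ID), ("Guest", OTHER_APP_ID)]:
        print(who, app[:8], "->", required_controls([policy], who, app) or "no MFA")
```

The member sign-in and the guest sign-in to the unrelated app return no controls, matching the pre-MFA test earlier in the tutorial where only credentials were needed.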

Test your Conditional Access policy

  1. Use your test user name and password to sign in to the Azure portal.

  2. You should see a request for additional authentication methods. Note that it could take some time for the policy to take effect.

    Screenshot showing the "More information required" message

  3. Sign out.

Clean up resources

When no longer needed, remove the test user and the test Conditional Access policy.

  1. Sign in to the Azure portal as an Azure AD administrator.
  2. In the left pane, select Azure Active Directory.
  3. Under Manage, select Users.
  4. Select the test user, and then select Delete user.
  5. In the left pane, select Azure Active Directory.
  6. Under Security, select Conditional Access.
  7. In the Policy Name list, select the context menu (…) for your test policy, and then select Delete. Select Yes to confirm.

Next steps

In this tutorial, you’ve created a Conditional Access policy that requires guest users to use MFA when signing in to one of your cloud apps. To learn more about adding guest users for collaboration, see Add Azure Active Directory B2B collaboration users in the Azure portal.