Azure Active Directory feature deployment guide

It can seem daunting to deploy Azure Active Directory (Azure AD) for your organization and keep it secure. This article identifies common tasks that customers find helpful to complete in phases, over the course of 30, 60, 90 days, or more, to enhance their security posture. Even organizations that have already deployed Azure AD can use this guide to ensure they are getting the most out of their investment.

A well-planned and well-executed identity infrastructure paves the way for secure access to your productivity workloads and data by known users and devices only.


Many of the recommendations in this guide can be implemented with Azure AD Free or with no license at all. Where a license is required, we state the minimum license needed to accomplish the task.

Additional information about licensing can be found on the following pages:

Phase 1: Build a foundation of security

In this phase, administrators enable baseline security features to create a more secure and easy-to-use foundation in Azure AD before normal user accounts are imported or created. This foundational phase ensures you are in a more secure state from the start and that your end users only have to be introduced to new concepts once.

| Task | Detail | Required license |
| --- | --- | --- |
| Designate more than one global administrator | Assign at least two cloud-only, permanent global administrator accounts for use in an emergency. These accounts are not to be used daily and should have long, complex passwords. | Azure AD Free |
| Use non-global administrative roles where possible | Give your administrators only the access they need, to only the areas they need access to. Not all administrators need to be global administrators. | Azure AD Free |
| Enable Privileged Identity Management for tracking admin role use | Enable Privileged Identity Management to start tracking administrative role usage. | Azure AD Premium P2 |
| Roll out self-service password reset | Reduce helpdesk calls for password resets by allowing staff to reset their own passwords using policies that you, as an administrator, control. | |
| Enable Microsoft's password guidance | Stop requiring users to change their password on a set schedule and disable complexity requirements; users are then more apt to remember their passwords and to choose ones that are secure. | Azure AD Free |
| Disable periodic password resets for cloud-based user accounts | Periodic password resets encourage your users to increment their existing passwords. Use the guidelines in Microsoft's password guidance document and mirror your on-premises policy for cloud-only users. | Azure AD Free |
| Enable Extranet Smart Lockout for AD FS | AD FS extranet lockout protects against brute-force password guessing attacks while letting valid AD FS users continue to use their accounts. | |
| Block legacy authentication to Azure AD with Conditional Access | Block legacy authentication protocols such as POP, SMTP, IMAP, and MAPI. These protocols can't enforce multi-factor authentication, which makes them a preferred entry point for adversaries. | Azure AD Premium P1 |
| Deploy Azure AD Multi-Factor Authentication using Conditional Access policies | Require users to perform two-step verification when accessing sensitive applications, using Conditional Access policies. | Azure AD Premium P1 |
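The last two rows of the table above both rely on Conditional Access policies. The following added example, which is not part of this guide or of any Microsoft sample, builds the Microsoft Graph request bodies for a "block legacy authentication" policy and a "require MFA for sensitive apps" policy, and then evaluates them offline against a few constructed sign-in events with a deliberately simplified model of Conditional Access. The evaluator is this example's own logic, not Microsoft's policy engine; the object IDs in `EMERGENCY_ACCOUNTS` and `SENSITIVE_APPS` are constructed placeholders, and the emergency accounts are excluded from both policies so they remain usable if a policy misfires.

```python
"""Conditional Access policies for Phase 1 as Graph request bodies, plus an
offline evaluator that shows how the two policies interact.

The bodies follow the schema accepted by
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
(an access token with Policy.ReadWrite.ConditionalAccess is needed to post
them; that step is outside this example). The evaluator is a simplified
model of Conditional Access written for this example, not Microsoft's engine.
"""
import json

# Constructed placeholder object IDs, not real tenant values.
EMERGENCY_ACCOUNTS = ["00000000-0000-0000-0000-00000000ea01",
                      "00000000-0000-0000-0000-00000000ea02"]
SENSITIVE_APPS = ["00000000-0000-0000-0000-00000000ap01"]  # e.g. a finance app

# Graph clientAppType values under which legacy protocols (POP, IMAP, SMTP,
# MAPI, Exchange ActiveSync) show up in sign-in logs.
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}


def block_legacy_auth_policy(enforce=False):
    """Legacy clients can never satisfy an MFA grant, so the only meaningful
    control for them is 'block'. Start in report-only mode, review the
    sign-in log for what would have been blocked, then switch to enabled."""
    return {
        "displayName": "Phase 1 - Block legacy authentication",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": sorted(LEGACY_CLIENT_APP_TYPES),
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"],
                      "excludeUsers": EMERGENCY_ACCOUNTS},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def require_mfa_policy(enforce=False):
    """Require two-step verification for the sensitive applications only."""
    return {
        "displayName": "Phase 1 - Require MFA for sensitive apps",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": SENSITIVE_APPS},
            "users": {"includeUsers": ["All"],
                      "excludeUsers": EMERGENCY_ACCOUNTS},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def phase1_policies(enforce=False):
    return [block_legacy_auth_policy(enforce), require_mfa_policy(enforce)]


def _in_scope(policy, signin):
    """True when the sign-in matches the policy's user, app and client-type
    conditions. Exclusions win over inclusions, as in Conditional Access."""
    cond = policy["conditions"]
    users, apps = cond["users"], cond["applications"]["includeApplications"]
    if signin["user"] in users.get("excludeUsers", []):
        return False
    if "All" not in users["includeUsers"] and signin["user"] not in users["includeUsers"]:
        return False
    if "All" not in apps and signin["app"] not in apps:
        return False
    types = cond["clientAppTypes"]
    return "all" in types or signin["client_app_type"] in types


def evaluate(policies, signin):
    """Return 'block', 'mfa-required' or 'allow' for one sign-in event.
    Only enforced policies count; report-only policies are skipped. A legacy
    client that is asked for MFA cannot complete it, so that is a block too."""
    needs_mfa = False
    for policy in policies:
        if policy["state"] != "enabled" or not _in_scope(policy, signin):
            continue
        controls = policy["grantControls"]["builtInControls"]
        if "block" in controls:
            return "block"
        if "mfa" in controls:
            needs_mfa = True
    if needs_mfa and not signin["mfa_satisfied"]:
        legacy = signin["client_app_type"] in LEGACY_CLIENT_APP_TYPES
        return "block" if legacy else "mfa-required"
    return "allow"


# Constructed sign-in events (not real log data).
SAMPLE_SIGNINS = [
    {"user": "user-1", "app": "app-mail", "client_app_type": "other", "mfa_satisfied": False},
    {"user": "user-1", "app": SENSITIVE_APPS[0], "client_app_type": "browser", "mfa_satisfied": False},
    {"user": "user-1", "app": SENSITIVE_APPS[0], "client_app_type": "browser", "mfa_satisfied": True},
    {"user": EMERGENCY_ACCOUNTS[0], "app": "app-mail", "client_app_type": "other", "mfa_satisfied": False},
]

if __name__ == "__main__":
    print(json.dumps(phase1_policies(enforce=True), indent=2))
    for s in SAMPLE_SIGNINS:
        print(s["user"], s["client_app_type"], "->", evaluate(phase1_policies(enforce=True), s))
```

Running the script prints the two policy bodies and, for the constructed events, shows the IMAP-style sign-in blocked outright, the browser sign-in to the sensitive app prompted for MFA (allowed once MFA is satisfied), and the emergency account left untouched by both policies. With `enforce=False` (the default) every event evaluates to `allow`, which is exactly the report-only stage you would use while reviewing sign-in logs before turning the policies on.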

Phase 2: Import users, enable synchronization, and manage devices

Next, we add to the foundation laid in Phase 1 by importing our users and enabling synchronization, planning for guest access, and preparing to support additional functionality.

| Task | Detail | Required license |
| --- | --- | --- |
| Install Azure AD Connect | Prepare to synchronize users from your existing on-premises directory to the cloud. | Azure AD Free |
| Implement Password Hash Sync | Synchronize password hashes to allow password changes to be replicated, bad passwords to be detected and remediated, and leaked credentials to be reported. | Azure AD Free |
| Implement Password Writeback | Allow password changes made in the cloud to be written back to an on-premises Windows Server Active Directory environment. | Azure AD Premium P1 |
| Assign licenses to users by group membership in Azure Active Directory | Save time and effort by creating licensing groups that enable or disable features per group instead of per user. | |
| Create a plan for guest user access | Collaborate with guest users by letting them sign in to your apps and services with their own work, school, or social identities. | Azure AD External Identities pricing |

Phase 3: Audit privileged identities, complete an access review, and manage user lifecycle

In Phase 3, administrators enforce least-privilege principles for administration, complete their first access reviews, and enable automation of common user lifecycle tasks.

| Task | Detail | Required license |
| --- | --- | --- |
| Enforce the use of Privileged Identity Management | Remove administrative roles from normal day-to-day user accounts. Make administrative users eligible to activate their role only after passing a multi-factor authentication check, providing a business justification, or requesting approval from designated approvers. | Azure AD Premium P2 |
| Complete an access review for Azure AD directory roles in PIM | Work with your security and leadership teams to create an access review policy that reviews administrative access based on your organization's policies. | Azure AD Premium P2 |
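The Phase 1 rows on emergency global administrators and non-global roles, together with the Phase 3 row on enforcing PIM, describe a state that can be audited. The following added example is not part of this guide; it runs a small audit over a constructed role-assignment export (shaped after the fields a practitioner would pull from Microsoft Graph role assignments and user objects, but fabricated here) and reports whether at least two cloud-only permanent global administrators are designated as emergency accounts, and which other permanent global administrator assignments should be converted to PIM-eligible or downgraded to a lesser role. The Global Administrator role template ID is the well-known value; the account IDs and names are constructed.

```python
"""Audit directory role assignments against the guide's recommendations:
  - at least two cloud-only, permanent Global Administrator emergency accounts
  - no other permanent Global Administrator assignments (use PIM eligibility)
The input is a constructed export; in a real tenant the same fields come from
Microsoft Graph role assignments / eligibility schedules and user objects.
"""
from collections import Counter

# Well-known Azure AD role template ID for Global Administrator.
GLOBAL_ADMIN_TEMPLATE = "62e90394-69f5-4237-9190-012177145e10"

# Constructed sample export (not real tenant data). 'assignment' is either
# 'permanent' (active standing access) or 'eligible' (PIM, must activate).
SAMPLE_ASSIGNMENTS = [
    {"principal": "ea-01", "upn": "breakglass1@contoso.example", "role": GLOBAL_ADMIN_TEMPLATE,
     "assignment": "permanent", "onPremisesSyncEnabled": False},
    {"principal": "ea-02", "upn": "breakglass2@contoso.example", "role": GLOBAL_ADMIN_TEMPLATE,
     "assignment": "permanent", "onPremisesSyncEnabled": False},
    {"principal": "u-100", "upn": "alice@contoso.example", "role": GLOBAL_ADMIN_TEMPLATE,
     "assignment": "permanent", "onPremisesSyncEnabled": True},
    {"principal": "u-101", "upn": "bob@contoso.example", "role": GLOBAL_ADMIN_TEMPLATE,
     "assignment": "eligible", "onPremisesSyncEnabled": False},
    {"principal": "u-102", "upn": "carol@contoso.example", "role": "role-helpdesk-admin",
     "assignment": "permanent", "onPremisesSyncEnabled": True},
]
# Constructed: the principals your organization designates as emergency accounts.
SAMPLE_EMERGENCY_ACCOUNTS = {"ea-01", "ea-02"}


def audit_global_admins(assignments, emergency_accounts, minimum_emergency=2):
    """Return a findings dict. Only Global Administrator assignments are
    inspected; lesser roles are counted so the summary shows role spread."""
    ga = [a for a in assignments if a["role"] == GLOBAL_ADMIN_TEMPLATE]
    permanent = [a for a in ga if a["assignment"] == "permanent"]

    # Emergency accounts must be cloud-only (not synced) and permanently assigned,
    # since a sync outage or a PIM approval step must not lock you out.
    valid_emergency = [a for a in permanent
                       if a["principal"] in emergency_accounts
                       and not a["onPremisesSyncEnabled"]]
    invalid_emergency = [a["upn"] for a in ga
                         if a["principal"] in emergency_accounts
                         and a not in valid_emergency]

    # Any other permanent GA is standing privilege on a day-to-day account.
    convert_to_pim = [a["upn"] for a in permanent
                      if a["principal"] not in emergency_accounts]

    return {
        "emergency_ok": len(valid_emergency) >= minimum_emergency,
        "emergency_valid": sorted(a["upn"] for a in valid_emergency),
        "emergency_invalid": sorted(invalid_emergency),
        "convert_to_pim_eligible": sorted(convert_to_pim),
        "global_admin_total": len(ga),
        "roles_by_assignment_type": dict(Counter(a["assignment"] for a in assignments)),
    }


if __name__ == "__main__":
    findings = audit_global_admins(SAMPLE_ASSIGNMENTS, SAMPLE_EMERGENCY_ACCOUNTS)
    for key, value in findings.items():
        print(f"{key}: {value}")
```

On the constructed export the audit passes the emergency-account check (two cloud-only permanent accounts), flags `alice@contoso.example` as a permanent global administrator who should hold the role as PIM-eligible instead, and leaves `bob@contoso.example` alone because his assignment is already eligible. Feeding the same function an export where one emergency account is synced from on-premises makes `emergency_ok` false and lists that account under `emergency_invalid`, which is the condition the Phase 1 "designate more than one global administrator" row is meant to prevent.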

Next steps

Azure AD licensing and pricing details

Identity and device access configurations

Common recommended identity and device access policies