Build resilience with credential management

When a credential is presented to Azure AD in a token request, there are multiple dependencies that must be available for validation. The first authentication factor relies on Azure AD authentication, and in some cases on on-premises infrastructure. For more information on hybrid authentication architectures, see Build resilience in your hybrid infrastructure.

If you implement a second factor, the dependencies for the second factor are added to the dependencies for the first. For example, if your first factor is via PTA, and your second factor is SMS, your dependencies are:

  • Azure AD authentication services

  • Azure MFA service

  • On-premises infrastructure

  • Phone carrier

  • The user's device (not pictured)

[Illustration of authentication methods and dependencies]

Your credential strategy should consider the dependencies of each authentication type, and provision methods that avoid a single point of failure.

Because authentication methods have different dependencies, it's a good idea to enable users to register for as many second-factor options as possible. Be sure to include second factors with different dependencies if possible. For example, voice call and SMS as second factors share the same dependencies, so having them as the only options does not mitigate risk.

The most resilient credential strategy is to use passwordless authentication. Windows Hello for Business and FIDO 2.0 security keys have fewer dependencies than strong authentication with two separate factors. The Microsoft Authenticator app, Windows Hello for Business and FIDO 2.0 security keys are the most secure.

For second factors, the Microsoft Authenticator app or other authenticator apps using time-based one-time passcodes (TOTP) or OATH hardware tokens have the fewest dependencies, and are therefore more resilient.
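The dependency reasoning in the preceding paragraphs can be made mechanical: a dependency is a single point of failure for a user only if every registered sign-in path needs it, which is why SMS plus voice call adds no resilience while SMS plus an authenticator app does. The following script is an added example, not code from this article or from Microsoft; the method names and the exact membership of each dependency set are assumptions modelled on the page's description, not an official dependency list.

```python
"""Single-point-of-failure check for a user's registered authentication methods.

The dependency model below is constructed from the page's description
(PTA depends on Azure AD auth plus on-premises infrastructure; SMS and
voice call depend on the MFA service, the phone carrier and the user's
device; authenticator-app TOTP and OATH hardware tokens depend on fewer
things). Method names and set membership are assumptions for this example.
"""
from typing import Dict, FrozenSet, Iterable, Set

FIRST_FACTOR_DEPENDENCIES: Dict[str, FrozenSet[str]] = {
    "pta": frozenset({"azure_ad_auth", "on_premises_infrastructure"}),
    "cloud_password": frozenset({"azure_ad_auth"}),
}

SECOND_FACTOR_DEPENDENCIES: Dict[str, FrozenSet[str]] = {
    "sms": frozenset({"azure_mfa_service", "phone_carrier", "user_device"}),
    "voice_call": frozenset({"azure_mfa_service", "phone_carrier", "user_device"}),
    "authenticator_totp": frozenset({"azure_mfa_service", "user_device"}),
    "oath_hardware_token": frozenset({"azure_mfa_service", "hardware_token"}),
}


def _shared_dependencies(second_factors: Iterable[str]) -> FrozenSet[str]:
    """Dependencies required by every one of the given second factors."""
    sets = [SECOND_FACTOR_DEPENDENCIES[m] for m in second_factors]
    if not sets:
        raise ValueError("at least one second factor must be registered")
    return frozenset.intersection(*sets)


def single_points_of_failure(first_factor: str, second_factors: Iterable[str]) -> Set[str]:
    """Return dependencies whose outage would block every sign-in path.

    The first factor's dependencies always apply. Among the second factors,
    only a dependency shared by all registered methods is a single point of
    failure: if one method avoids it, the user can still complete MFA.
    """
    return set(FIRST_FACTOR_DEPENDENCIES[first_factor] | _shared_dependencies(second_factors))


def methods_available_during(outage: str, second_factors: Iterable[str]) -> Set[str]:
    """Second factors that still work while the named dependency is down."""
    return {m for m in second_factors if outage not in SECOND_FACTOR_DEPENDENCIES[m]}


def adds_resilience(existing: Iterable[str], candidate: str) -> bool:
    """True if registering `candidate` removes at least one shared dependency.

    Registering a method with the same dependency set as the existing ones
    (voice call alongside SMS) leaves the intersection unchanged and so does
    not mitigate risk, matching the guidance in the text.
    """
    existing = list(existing)
    if not existing:
        return True
    before = _shared_dependencies(existing)
    after = before & SECOND_FACTOR_DEPENDENCIES[candidate]
    return after < before  # proper subset: something stopped being a SPOF


if __name__ == "__main__":
    # Constructed scenario: a PTA user who has registered only phone-based factors.
    registered = ["sms", "voice_call"]
    print("SPOFs:", sorted(single_points_of_failure("pta", registered)))
    print("voice call adds resilience:", adds_resilience(registered, "voice_call"))
    print("TOTP adds resilience:", adds_resilience(registered, "authenticator_totp"))
    print("usable during carrier outage:",
          methods_available_during("phone_carrier", registered + ["authenticator_totp"]))
```

The intersection is the useful part: it reflects that adding a second phone-based method enlarges the user's options without removing the phone carrier from the list of things that can lock them out, whereas adding a TOTP app or hardware token does.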

How do multiple credentials help resilience?

Provisioning multiple credential types gives users options that accommodate their preferences and environmental constraints. As a result, interactive authentication where users are prompted for multi-factor authentication will be more resilient to specific dependencies being unavailable at the time of the request.

In addition to the individual user resiliency described above, enterprises should plan contingencies for large-scale disruptions such as operational errors that introduce a misconfiguration, a natural disaster, or an enterprise-wide resource outage of an on-premises federation service (especially when it is used for multi-factor authentication).

How do I implement resilient credentials?

Next steps

Resilience resources for administrators and architects

Resilience resources for developers