Configure security alerts for Azure AD roles in Privileged Identity Management

Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in your Azure Active Directory (Azure AD) organization. When an alert is triggered, it shows up on the Privileged Identity Management dashboard. Select the alert to see a report that lists the users or roles that triggered the alert.

Determine your version of PIM

Beginning in November 2019, the Azure AD roles portion of Privileged Identity Management is being updated to a new version that matches the experience for Azure resource roles. This adds features and also changes the existing API. While the new version is being rolled out, the procedures you follow in this article depend on the version of Privileged Identity Management you currently have. Follow the steps in this section to determine which version of Privileged Identity Management you have. Once you know your version, select the procedures in this article that match it.

  1. Sign in to the Azure portal with a user who is in the Privileged role administrator role.
  2. Open Azure AD Privileged Identity Management. If there is a banner at the top of the overview page, follow the instructions in the New version tab of this article. Otherwise, follow the instructions in the Previous version tab.

Select Azure AD > Privileged Identity Management.

Follow the steps in this article to investigate security alerts for Azure AD roles.

[Screenshot: the Alerts page showing the list of alerts and their severity]

Security alerts

This section lists all the security alerts for Azure AD roles, along with how to fix them and how to prevent them. Severity has the following meaning:

  • High: Requires immediate action because of a policy violation.
  • Medium: Does not require immediate action but signals a potential policy violation.
  • Low: Does not require immediate action but suggests a preferable policy change.

Administrators aren't using their privileged roles

Severity: Low
Why do I get this alert? Users who have been assigned privileged roles they don't need increase the chance of an attack. It is also easier for attackers to remain unnoticed in accounts that are not actively being used.
How to fix? Review the users in the list and remove them from privileged roles that they do not need.
Prevention: Assign privileged roles only to users who have a business justification. Schedule regular access reviews to verify that users still need their access.
In-portal mitigation action: Removes the account from its privileged role.
Trigger: Triggered if a user goes over a specified number of days without activating a role.
Number of days: This setting specifies the maximum number of days, from 0 to 100, that a user can go without activating a role.

Roles don't require multi-factor authentication for activation

Severity: Low
Why do I get this alert? Without multi-factor authentication, compromised users can activate privileged roles.
How to fix? Review the list of roles and require multi-factor authentication for every role.
Prevention: Require MFA for every role.
In-portal mitigation action: Makes multi-factor authentication required for activation of the privileged role.

The organization doesn't have Azure AD Premium P2

Severity: Low
Why do I get this alert? The current Azure AD organization does not have Azure AD Premium P2.
How to fix? Review information about Azure AD editions. Upgrade to Azure AD Premium P2.

Potential stale accounts in a privileged role

Severity: Medium
Why do I get this alert? Accounts in a privileged role have not changed their password in the past 90 days. These accounts might be service or shared accounts that aren't being maintained and are vulnerable to attackers.
How to fix? Review the accounts in the list. If they no longer need access, remove them from their privileged roles.
Prevention: Ensure that shared accounts rotate to strong passwords whenever the set of users who know the password changes. Regularly review accounts with privileged roles using access reviews and remove role assignments that are no longer needed.
In-portal mitigation action: Removes the account from its privileged role.
Best practices: Shared, service, and emergency access accounts that authenticate using a password and are assigned to highly privileged administrative roles such as Global administrator or Security administrator should have their passwords rotated in the following cases:
  • After a security incident involving misuse or compromise of administrative access rights
  • After any user's privileges are changed so that they are no longer an administrator (for example, after an employee who was an administrator leaves IT or leaves the organization)
  • At regular intervals (for example, quarterly or yearly), even if there was no known breach or change to IT staffing
Since multiple people have access to these accounts' credentials, the credentials should be rotated to ensure that people who have left their roles can no longer access the accounts.

Roles are being assigned outside of Privileged Identity Management

Severity: High
Why do I get this alert? Privileged role assignments made outside of Privileged Identity Management are not properly monitored and may indicate an active attack.
How to fix? Review the users in the list and remove them from privileged roles assigned outside of Privileged Identity Management.
Prevention: Investigate where users are being assigned privileged roles outside of Privileged Identity Management and prohibit future assignments from there.
In-portal mitigation action: Removes the user from their privileged role.

There are too many global administrators

Severity: Low
Why do I get this alert? Global administrator is the highest privileged role. If a Global Administrator is compromised, the attacker gains all of their permissions, which puts your whole system at risk.
How to fix? Review the users in the list and remove any who do not absolutely need the Global administrator role. Assign lower privileged roles to these users instead.
Prevention: Assign users the least privileged role they need.
In-portal mitigation action: Removes the account from its privileged role.
Trigger: Triggered if two different criteria are met, and you can configure both of them. First, you need to reach a certain threshold of Global administrator role assignments. Second, a certain percentage of your total role assignments must be Global administrators. If you only meet one of these measurements, the alert does not appear.
Minimum number of Global Administrators: This setting specifies the number of Global Administrator role assignments, from 2 to 100, that you consider to be too few for your Azure AD organization.
Percentage of Global Administrators: This setting specifies the minimum percentage of administrators who are Global administrators, from 0% to 100%, below which you do not want your Azure AD organization to dip.
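The two-criteria trigger described above, worked through as an added example (not code from the page or from PIM itself): it evaluates a constructed list of role assignments against the count and percentage settings, fires only when both are met, and produces the review list an administrator would work from. The `RoleAssignment` type, the sample principals and the role mix are assumptions.

```python
from dataclasses import dataclass

GLOBAL_ADMIN = "Global Administrator"

@dataclass(frozen=True)
class RoleAssignment:
    principal: str   # user or service principal (constructed sample names)
    role: str        # Azure AD role name

def global_admin_stats(assignments):
    """Return (global_admin_count, total_assignments, percent_global_admin)."""
    total = len(assignments)
    ga = sum(1 for a in assignments if a.role == GLOBAL_ADMIN)
    percent = 100.0 * ga / total if total else 0.0
    return ga, total, percent

def too_many_global_admins(assignments, min_global_admins, min_percent):
    """Two-criteria rule from the alert's Trigger: fires only when BOTH the
    assignment-count threshold (2..100) and the percentage threshold (0..100)
    are reached; meeting one of them alone is not enough."""
    if not 2 <= min_global_admins <= 100:
        raise ValueError("minimum number of Global Administrators must be 2..100")
    if not 0 <= min_percent <= 100:
        raise ValueError("percentage of Global Administrators must be 0..100")
    ga, _total, percent = global_admin_stats(assignments)
    return ga >= min_global_admins and percent >= min_percent

def global_admin_principals(assignments):
    """The list an administrator reviews when the alert fires (see 'How to fix')."""
    return sorted({a.principal for a in assignments if a.role == GLOBAL_ADMIN})

# Constructed sample tenant: 4 of 10 role assignments are Global Administrator (40%).
SAMPLE = [
    RoleAssignment("alice", GLOBAL_ADMIN),
    RoleAssignment("bob", GLOBAL_ADMIN),
    RoleAssignment("carol", GLOBAL_ADMIN),
    RoleAssignment("breakglass-1", GLOBAL_ADMIN),
    RoleAssignment("dave", "Security Administrator"),
    RoleAssignment("erin", "User Administrator"),
    RoleAssignment("frank", "Exchange Administrator"),
    RoleAssignment("grace", "Helpdesk Administrator"),
    RoleAssignment("heidi", "Security Reader"),
    RoleAssignment("ivan", "Global Reader"),
]

if __name__ == "__main__":
    ga, total, pct = global_admin_stats(SAMPLE)
    print(f"{ga}/{total} assignments are Global Administrator ({pct:.0f}%)")
    print("fires (min 3, 25%):", too_many_global_admins(SAMPLE, 3, 25))  # both met
    print("fires (min 3, 50%):", too_many_global_admins(SAMPLE, 3, 50))  # count only
    print("review list:", global_admin_principals(SAMPLE))
```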

Roles are being activated too frequently

Severity: Low
Why do I get this alert? Multiple activations of the same privileged role by the same user are a sign of an attack.
How to fix? Review the users in the list and ensure that the activation duration for their privileged role is set long enough for them to perform their tasks.
Prevention: Ensure that the activation duration for privileged roles is set long enough for users to perform their tasks. Require multi-factor authentication for privileged roles that have accounts shared by multiple administrators.
In-portal mitigation action: N/A
Trigger: Triggered if a user activates the same privileged role multiple times within a specified period. You can configure both the time period and the number of activations.
Activation renewal timeframe: This setting specifies, in days, hours, minutes, and seconds, the time period you want to use to track suspicious renewals.
Number of activation renewals: This setting specifies the number of activations, from 2 to 100, at which you would like to be notified within the timeframe you chose. You can change this setting by moving the slider or by typing a number in the text box.
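The timeframe-plus-count trigger described above, as an added example that is not the page's or PIM's own code: a sliding window over constructed activation events flags each (user, role) pair that reaches the configured number of activations of the same role inside the configured timeframe, including the boundary case where an older activation drops out of the window. The event tuple shape, the sample users and the timestamps are assumptions.

```python
from datetime import datetime, timedelta

def frequent_activations(events, timeframe, renewals):
    """Flag (user, role) pairs that activate the same privileged role
    `renewals` or more times inside any window of length `timeframe`.

    events: iterable of (user, role, activated_at) tuples, in any order.
    Returns {(user, role): time at which the threshold was first reached}."""
    if not 2 <= renewals <= 100:
        raise ValueError("number of activation renewals must be 2..100")
    if timeframe <= timedelta(0):
        raise ValueError("activation renewal timeframe must be positive")
    per_pair = {}
    for user, role, at in events:
        per_pair.setdefault((user, role), []).append(at)
    flagged = {}
    for pair, times in per_pair.items():
        times.sort()
        start = 0                        # oldest activation still inside the window
        for end, current in enumerate(times):
            while current - times[start] > timeframe:
                start += 1               # slide the window past activations too old
            if end - start + 1 >= renewals:
                flagged[pair] = current
                break
    return flagged

SEC_ADMIN = "Security Administrator"
ONE_DAY = timedelta(days=1)
T0 = datetime(2024, 1, 10, 9, 0)         # constructed sample timestamps
SAMPLE_EVENTS = [
    ("alice", SEC_ADMIN, T0 + timedelta(minutes=90)),  # 3 activations in 90 min
    ("alice", SEC_ADMIN, T0),
    ("alice", SEC_ADMIN, T0 + timedelta(minutes=45)),
    ("bob",   SEC_ADMIN, T0),                          # only 2 within a day
    ("bob",   SEC_ADMIN, T0 + timedelta(hours=6)),
    ("carol", SEC_ADMIN, T0),                          # 3 in total, but the first
    ("carol", SEC_ADMIN, T0 + timedelta(hours=11)),    # falls outside a 1-day window
    ("carol", SEC_ADMIN, T0 + timedelta(hours=25)),    # by the time the third occurs
]

def check_sample():
    """Alert settings assumed here: timeframe 1 day, notify at 3 activations."""
    return frequent_activations(SAMPLE_EVENTS, ONE_DAY, 3)

if __name__ == "__main__":
    for (user, role), when in check_sample().items():
        print(f"{user} activated {role} 3 times within 1 day (reached at {when})")
```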

Customize security alert settings

On the Alerts page, select Settings.

[Screenshot: the Alerts page with Settings highlighted]

Customize the settings of the individual alerts to fit your environment and security goals.

[Screenshot: the Settings page for alerts, used to enable and configure each alert]

Next steps