Multi-factor authentication (MFA) and PIM

We recommend that you require multi-factor authentication (MFA) for all your administrators. This reduces the risk of an attack due to a compromised password.

You can require that users complete an MFA challenge when they sign in. You can also require that users complete an MFA challenge when they activate a role in Azure Active Directory (Azure AD) Privileged Identity Management (PIM). This way, if a user didn't complete an MFA challenge when they signed in, PIM prompts them to do so at activation.

Important

Right now, Azure MFA only works with work or school accounts, not Microsoft accounts (usually a personal account that's used to sign in to Microsoft services like Skype, Xbox, Outlook.com, etc.). Because of this, anyone using a Microsoft account can't be an eligible administrator, because they can't use MFA to activate their roles. If these users need to continue managing workloads using a Microsoft account, elevate them to permanent administrators for now.

How PIM validates MFA

There is one option for validating MFA when a user activates a role.

The simplest option is to rely on Azure MFA for users who are activating a privileged role. To do this, first check that those users are licensed, if necessary, and have registered for Azure MFA. For more information about how to deploy Azure MFA, see Deploy cloud-based Azure Multi-Factor Authentication. It is recommended, but not required, that you configure Azure AD to enforce MFA for these users when they sign in. This is because the MFA checks will be made by PIM itself.
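Because the activation-time MFA check is enforced by PIM's role settings rather than by the sign-in policy, it is worth auditing that every privileged role's activation rule actually lists MFA. The following is an added example, not code from this article; it assumes the Microsoft Graph role management policy schema (the `Enablement_EndUser_Assignment` rule with its `enabledRules` list) and runs offline against a constructed sample response.

```python
import json

# Constructed sample shaped like a Microsoft Graph response to
# GET /policies/roleManagementPolicies?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'&$expand=rules
# (assumed schema; trimmed to the fields this check needs).
SAMPLE_POLICIES = json.loads("""
{"value": [
  {"id": "DirectoryRole_tenant_GlobalAdmin", "displayName": "Global Administrator policy",
   "rules": [
     {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
      "id": "Enablement_EndUser_Assignment",
      "enabledRules": ["MultiFactorAuthentication", "Justification"]}]},
  {"id": "DirectoryRole_tenant_HelpdeskAdmin", "displayName": "Helpdesk Administrator policy",
   "rules": [
     {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
      "id": "Enablement_EndUser_Assignment",
      "enabledRules": ["Justification"]}]}
]}
""")

# The enablement rule that governs what an eligible user must do to activate a role
# (assumed rule id from the Graph schema).
ACTIVATION_RULE_ID = "Enablement_EndUser_Assignment"
MFA_REQUIREMENT = "MultiFactorAuthentication"


def activation_requires_mfa(policy: dict) -> bool:
    """True if the policy's end-user activation rule lists MFA as a requirement."""
    for rule in policy.get("rules", []):
        if rule.get("id") == ACTIVATION_RULE_ID:
            return MFA_REQUIREMENT in rule.get("enabledRules", [])
    return False  # no activation rule present: treat MFA as not enforced


def policies_missing_mfa(response: dict) -> list[str]:
    """Return display names of role policies that allow activation without an MFA challenge."""
    return [p["displayName"] for p in response.get("value", [])
            if not activation_requires_mfa(p)]


if __name__ == "__main__":
    for name in policies_missing_mfa(SAMPLE_POLICIES):
        print(f"MFA not required on activation: {name}")
```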

Next steps