Multi-factor authentication and Privileged Identity Management

We recommend that you require multi-factor authentication (MFA) for all your administrators. This reduces the risk of an attack due to a compromised password.

You can require that users complete a multi-factor authentication challenge when they sign in. You can also require that users complete a multi-factor authentication challenge when they activate a role in Azure Active Directory (Azure AD) Privileged Identity Management (PIM). This way, if a user didn't complete a multi-factor authentication challenge when they signed in, Privileged Identity Management prompts them to do so at activation time.

Important

Right now, Azure Multi-Factor Authentication only works with work or school accounts, not Microsoft personal accounts (usually a personal account that's used to sign in to Microsoft services such as Skype, Xbox, or Outlook.com). Because of this, anyone using a personal account can't be an eligible administrator, because they can't use multi-factor authentication to activate their roles. If these users need to continue managing workloads using a Microsoft account, elevate them to permanent administrators for now.

How PIM validates MFA

There are two options for validating multi-factor authentication when a user activates a role.

The simplest option is to rely on Azure Multi-Factor Authentication for users who are activating a privileged role. To do this, first check that those users are licensed, if necessary, and have registered for Azure Multi-Factor Authentication. For more information about how to deploy Azure Multi-Factor Authentication, see Deploy cloud-based Azure Multi-Factor Authentication. It is recommended, but not required, that you configure Azure AD to enforce multi-factor authentication for these users when they sign in, because the multi-factor authentication check is made by Privileged Identity Management itself at activation.
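The readiness check described above (is every eligible administrator licensed and registered for Azure MFA, and is none of them a personal Microsoft account, which the Important note says cannot activate with MFA) is the kind of thing worth scripting before you turn on the PIM activation requirement. The following is an added example, not code from the Microsoft documentation; it runs offline over two constructed record sets. The `userPrincipalName` and `isMfaRegistered` field names are modelled on Microsoft Graph's `userRegistrationDetails` report, while the `isPersonalAccount` flag, the eligibility list shape and all account names are assumptions made for this example.

```python
"""Audit PIM-eligible administrators for MFA readiness (added example)."""
import json
from dataclasses import dataclass

# Constructed sample: an MFA registration report. Field names loosely follow
# Graph's userRegistrationDetails report; "isPersonalAccount" is an assumed
# flag standing in for however your tenant identifies Microsoft accounts.
MFA_REPORT_JSON = """
[
  {"userPrincipalName": "alice@contoso.example", "isMfaRegistered": true,  "isPersonalAccount": false},
  {"userPrincipalName": "bob@contoso.example",   "isMfaRegistered": false, "isPersonalAccount": false},
  {"userPrincipalName": "carol_outlook.example#EXT#@contoso.example",
   "isMfaRegistered": false, "isPersonalAccount": true},
  {"userPrincipalName": "dave@contoso.example",  "isMfaRegistered": true,  "isPersonalAccount": false}
]
"""

# Constructed sample: eligible (not permanent) PIM role assignments.
ELIGIBLE_ADMINS_JSON = """
[
  {"userPrincipalName": "alice@contoso.example", "role": "Global Administrator"},
  {"userPrincipalName": "bob@contoso.example",   "role": "Security Administrator"},
  {"userPrincipalName": "carol_outlook.example#EXT#@contoso.example", "role": "Exchange Administrator"},
  {"userPrincipalName": "erin@contoso.example",  "role": "User Administrator"}
]
"""


@dataclass(frozen=True)
class Finding:
    upn: str
    role: str
    status: str  # "ok", "mfa-not-registered", "personal-account" or "unknown-user"
    action: str


def audit_eligible_admins(report_json: str, eligible_json: str) -> list[Finding]:
    """Return one finding per eligible assignment, in input order."""
    report = {r["userPrincipalName"]: r for r in json.loads(report_json)}
    findings = []
    for assignment in json.loads(eligible_json):
        upn, role = assignment["userPrincipalName"], assignment["role"]
        rec = report.get(upn)
        if rec is None:
            findings.append(Finding(upn, role, "unknown-user",
                "Not in the registration report; confirm the account exists and is licensed"))
        elif rec["isPersonalAccount"]:
            # Personal Microsoft accounts cannot satisfy the MFA challenge at
            # activation, so an eligible assignment will never be activatable.
            findings.append(Finding(upn, role, "personal-account",
                "Cannot activate with MFA; use a work/school account or a permanent assignment for now"))
        elif not rec["isMfaRegistered"]:
            findings.append(Finding(upn, role, "mfa-not-registered",
                "Activation will be blocked until the user registers for Azure MFA"))
        else:
            findings.append(Finding(upn, role, "ok", "No action"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per status, handy for a quick dashboard line."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_eligible_admins(MFA_REPORT_JSON, ELIGIBLE_ADMINS_JSON)
    for f in results:
        print(f"{f.status:<20} {f.role:<25} {f.upn}: {f.action}")
    print(summarize(results))
```

In a real tenant you would replace the two constructed JSON strings with the output of the registration report and the PIM eligibility listing from your directory; the decision logic stays the same, and anything other than `ok` should be resolved before eligible activation is made to depend on MFA.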

Next steps