Best practices for Azure AD roles

This article describes some of the best practices for using Azure Active Directory role-based access control (Azure AD RBAC). These best practices are derived from our experience with Azure AD RBAC and the experiences of customers like yourself. We encourage you to also read our detailed security guidance at Securing privileged access for hybrid and cloud deployments in Azure AD.

1. Manage to least privilege

When planning your access control strategy, it's a best practice to manage to least privilege. Least privilege means you grant your administrators exactly the permissions they need to do their job. There are three aspects to consider when you assign a role to your administrators: a specific set of permissions, over a specific scope, for a specific period of time. Avoid assigning broader roles at broader scopes even if it initially seems more convenient to do so. By limiting roles and scopes, you limit what resources are at risk if the security principal is ever compromised. Azure AD RBAC supports over 65 built-in roles. There are Azure AD roles to manage directory objects like users, groups, and applications, and also to manage Microsoft 365 services like Exchange, SharePoint, and Intune. To better understand Azure AD built-in roles, see Understand roles in Azure Active Directory. If there isn't a built-in role that meets your need, you can create your own custom roles.

Finding the right roles

Follow these steps to help you find the right role.

  1. In the Azure portal, open Roles and administrators to see the list of Azure AD roles.

  2. Use the Service filter to narrow down the list of roles.

    [Screenshot: Roles and administrators page in Azure AD with the Service filter open]

  3. Refer to the Azure AD built-in roles documentation. Permissions associated with each role are listed together for better readability. To understand the structure and meaning of role permissions, see How to understand role permissions.

  4. Refer to the Least privileged role by task documentation.
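The portal steps above work well for a handful of tasks; when you have to map many tasks to roles, it is quicker to query the role definitions directly. The following script is an added example and is not code from the original article or from Microsoft. It assumes the Microsoft Graph PowerShell SDK (v2, Microsoft.Graph.Identity.Governance module) and the `RoleManagement.Read.Directory` scope. Given the directory actions a task needs, it lists every built-in role that grants all of them, smallest permission set first, so the least-privileged candidate is at the top. The two action names in the usage call are real Azure AD actions; the function name is mine.

```powershell
# Added example, not from the original article. Assumes Microsoft.Graph PowerShell SDK v2.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory' -NoWelcome

function Find-LeastPrivilegedRole {
    param(
        # Directory actions the task requires, e.g. 'microsoft.directory/users/password/update'
        [Parameter(Mandatory)] [string[]] $RequiredActions,
        # By default only built-in roles are considered; custom roles are included with this switch.
        [switch] $IncludeCustomRoles
    )

    $roles = Get-MgRoleManagementDirectoryRoleDefinition -All
    if (-not $IncludeCustomRoles) { $roles = $roles | Where-Object IsBuiltIn }

    $candidates = foreach ($role in $roles) {
        # A role definition can carry several permission sets; flatten the allowed actions.
        $allowed = @($role.RolePermissions | ForEach-Object { $_.AllowedResourceActions })

        # -like gives an exact match for plain action strings and still honours any
        # wildcard an action entry may carry.
        $missing = $RequiredActions | Where-Object {
            $need = $_
            -not ($allowed | Where-Object { $need -like $_ })
        }

        if (-not $missing) {
            [pscustomobject]@{
                Role        = $role.DisplayName
                ActionCount = $allowed.Count   # smaller = closer to least privilege
                RoleId      = $role.Id
            }
        }
    }

    $candidates | Sort-Object ActionCount
}

# Usage: which roles let a helpdesk agent reset a password and revoke sessions?
# The first row is the least-privileged role that covers both actions.
Find-LeastPrivilegedRole -RequiredActions @(
    'microsoft.directory/users/password/update',
    'microsoft.directory/users/invalidateAllRefreshTokens'
) | Format-Table -AutoSize
```

Read the `ActionCount` column as a tie-breaker, not as a security score: two roles with similar counts may cover very different resources, so check the matched role against the built-in roles documentation before assigning it.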

2. Use Privileged Identity Management to grant just-in-time access

One of the principles of least privilege is that access should be granted only for a specific period of time. Azure AD Privileged Identity Management (PIM) lets you grant just-in-time access to your administrators. Microsoft recommends that you enable PIM in Azure AD. Using PIM, a user can be made an eligible member of an Azure AD role. They can then activate their role for a limited timeframe every time they need to use it. Privileged access is automatically removed when the timeframe expires. You can also configure PIM settings to require approval or receive notification emails when someone activates their role assignment. Notifications provide an alert when new users are added to highly privileged roles.
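The eligible-then-activate flow described above, as an added example that is not code from the original article or from Microsoft. It assumes the Microsoft Graph PowerShell SDK v2 (Microsoft.Graph.Identity.Governance) and the `RoleEligibilitySchedule.ReadWrite.Directory` and `RoleAssignmentSchedule.ReadWrite.Directory` scopes; the user principal names and the justification text are placeholders. Part 1 is what an administrator runs to make a user eligible for a role for a year without giving them a standing assignment; part 2 is the request the eligible user submits to activate the role for four hours.

```powershell
# Added example, not from the original article. Assumes Microsoft.Graph PowerShell SDK v2.
Connect-MgGraph -Scopes 'RoleEligibilitySchedule.ReadWrite.Directory',
                        'RoleAssignmentSchedule.ReadWrite.Directory' -NoWelcome

$user = Get-MgUser -UserId 'helpdesk.lead@contoso.com'    # placeholder UPN
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"

# 1. Administrator side: eligible (not active) for one year, tenant-wide scope "/".
#    Nothing is granted until the user activates.
$eligibility = @{
    action           = 'adminAssign'
    justification    = 'Tier-1 helpdesk lead; just-in-time access only'   # placeholder
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = '/'
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = 'afterDuration'; duration = 'P365D' }   # ISO 8601 duration
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility

# Check: the user now appears as eligible, and does NOT appear among active assignments.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$($user.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId, Status

# 2. User side (run as the eligible user): activate for four hours with a justification.
#    If the role settings require approval or MFA, the request stays pending until satisfied.
$activation = @{
    action           = 'selfActivate'
    justification    = 'Ticket reference goes here'   # placeholder
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = '/'
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = 'afterDuration'; duration = 'PT4H' }
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation
```

The activation duration the user asks for is capped by the role's PIM settings (maximum activation duration, approval, MFA on activation), so shortening those settings for the most privileged roles is where the real control lives.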

3. Turn on multi-factor authentication for all your administrator accounts

Based on our studies, your account is 99.9% less likely to be compromised if you use multi-factor authentication (MFA).

You can enable MFA on Azure AD roles using two methods:
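One way to enforce MFA for role holders is a Conditional Access policy targeted at directory roles. The script below is an added example, not code from the original article or from Microsoft. It assumes the Microsoft Graph PowerShell SDK v2 (Microsoft.Graph.Identity.SignIns) with the `Policy.ReadWrite.ConditionalAccess` and `RoleManagement.Read.Directory` scopes; the role list and the break glass account names are placeholders you should adjust. It resolves role template IDs by name rather than hard-coding GUIDs, excludes the break glass accounts so a misconfigured policy cannot lock every administrator out, and creates the policy in report-only mode so you can confirm in the sign-in logs what it would block before enforcing it.

```powershell
# Added example, not from the original article. Assumes Microsoft.Graph PowerShell SDK v2.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'RoleManagement.Read.Directory' -NoWelcome

# Privileged roles to cover; extend as needed.
$roleNames = @(
    'Global Administrator', 'Privileged Role Administrator', 'Security Administrator',
    'Conditional Access Administrator', 'Exchange Administrator', 'SharePoint Administrator',
    'User Administrator', 'Authentication Administrator'
)

# Conditional Access targets roles by template ID, which is stable across tenants.
$roleIds = Get-MgRoleManagementDirectoryRoleDefinition -All |
    Where-Object { $_.DisplayName -in $roleNames } |
    Select-Object -ExpandProperty TemplateId

# Break glass accounts (placeholder UPNs) are excluded; they are protected by other means
# and monitored, as the emergency access guidance describes.
$breakGlass = @('breakglass1@contoso.onmicrosoft.com', 'breakglass2@contoso.onmicrosoft.com') |
    ForEach-Object { (Get-MgUser -UserId $_).Id }

$policy = @{
    displayName = 'Require MFA for privileged directory roles'
    # Report-only first; switch to 'enabled' after reviewing sign-in log results.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeRoles = @($roleIds)
            excludeUsers = @($breakGlass)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Because the policy is keyed on role membership, a user who is PIM-eligible is covered from the moment their activation completes; for activation itself, the MFA requirement in the role's PIM settings is the complementary control.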

4. Configure recurring access reviews to revoke unneeded permissions over time

Access reviews enable organizations to review administrators' access regularly to make sure only the right people have continued access. Regularly auditing your administrators is crucial for the following reasons:

  • A malicious actor can compromise an account.
  • People move teams within a company. If there is no auditing, they can amass unnecessary access over time.

For information about access reviews for roles, see Create an access review of Azure AD roles in PIM. For information about access reviews of groups that are assigned roles, see Create an access review of groups and applications in Azure AD access reviews.
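A recurring review of a privileged role, as an added example that is not code from the original article or from Microsoft. It assumes the Microsoft Graph PowerShell SDK v2 (Microsoft.Graph.Identity.Governance) with the `AccessReview.ReadWrite.All` and `RoleManagement.Read.Directory` scopes, and the reviewer's user principal name is a placeholder. The review runs quarterly over everyone holding Global Administrator, defaults to Deny when a reviewer does not respond, and auto-applies decisions, which is what turns the review into the "revoke over time" mechanism the section describes rather than a report nobody acts on.

```powershell
# Added example, not from the original article. Assumes Microsoft.Graph PowerShell SDK v2.
Connect-MgGraph -Scopes 'AccessReview.ReadWrite.All', 'RoleManagement.Read.Directory' -NoWelcome

$gaRole   = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
$reviewer = Get-MgUser -UserId 'security.lead@contoso.com'   # placeholder UPN

$definition = @{
    displayName          = 'Quarterly review: Global Administrator'
    descriptionForAdmins = 'Confirm each Global Administrator still needs standing access.'
    # Scope = all users who are principals of the Global Administrator role.
    scope = @{
        '@odata.type'   = '#microsoft.graph.principalResourceMembershipsScope'
        principalScopes = @(@{
            '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
            query         = '/users'
            queryType     = 'MicrosoftGraph'
        })
        resourceScopes  = @(@{
            '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
            query         = "/roleManagement/directory/roleDefinitions/$($gaRole.Id)"
            queryType     = 'MicrosoftGraph'
        })
    }
    reviewers = @(@{
        query     = "/users/$($reviewer.Id)"
        queryType = 'MicrosoftGraph'
    })
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true
        # Silence is not consent: unanswered reviews remove the assignment.
        defaultDecisionEnabled          = $true
        defaultDecision                 = 'Deny'
        autoApplyDecisionsEnabled       = $true
        instanceDurationInDays          = 14
        recurrence = @{
            pattern = @{ type = 'absoluteMonthly'; interval = 3 }
            range   = @{ type = 'noEnd'; startDate = (Get-Date -Format 'yyyy-MM-dd') }
        }
    }
}

New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $definition
```

Before enabling a Deny default with auto-apply on the Global Administrator role, make sure the break glass accounts are either excluded from the scope or have a named reviewer who will approve them, otherwise the review can strip the very accounts you rely on in an emergency.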

5. Limit the number of Global Administrators to fewer than 5

As a best practice, Microsoft recommends that you assign the Global Administrator role to fewer than five people in your organization. Global Administrators hold the keys to the kingdom, and it is in your best interest to keep the attack surface low. As stated previously, all of these accounts should be protected with multi-factor authentication.

By default, when a user signs up for an Azure cloud service, an Azure AD tenant is created and the user is made a member of the Global Administrator role. Users who are assigned the Global Administrator role can read and modify every administrative setting in your Azure AD organization. With a few exceptions, Global Administrators can also read and modify all configuration settings in your Microsoft 365 organization. Global Administrators also have the ability to elevate their access to read data.

Microsoft recommends that you keep two break glass accounts that are permanently assigned to the Global Administrator role. Make sure that these accounts don't require the same multi-factor authentication mechanism as your normal administrative accounts to sign in, as described in Manage emergency access accounts in Azure AD. Exclude them from the Conditional Access policies that apply to your other administrators, and alert on every sign-in by these accounts, since in normal operation there should be none.

6. Use groups for Azure AD role assignments and delegate the role assignment

If you have an external governance system that takes advantage of groups, then you should consider assigning roles to Azure AD groups instead of individual users. You can also manage role-assignable groups in PIM to ensure that there are no standing owners or members in these privileged groups. For more information, see Management capabilities for privileged access Azure AD groups.

You can assign an owner to role-assignable groups. That owner decides who is added to or removed from the group, so indirectly decides who gets the role assignment. In this way, a Global Administrator or Privileged Role Administrator can delegate role management on a per-role basis by using groups. For more information, see Use cloud groups to manage role assignments in Azure Active Directory.

7. Activate multiple roles at once using privileged access groups

It may be the case that an individual has five or six eligible assignments to Azure AD roles through PIM. They will have to activate each role individually, which can reduce productivity. Worse still, they can also have tens or hundreds of Azure resources assigned to them, which aggravates the problem.

In this case, you should use privileged access groups. Create a privileged access group and grant it permanent access to multiple roles (Azure AD and/or Azure). Make that user an eligible member or owner of this group. With just one activation, they will have access to all the linked resources.
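The pattern from sections 6 and 7 end to end, as one added example that is not code from the original article or from Microsoft: create a role-assignable group, give the group (not people) the standing role assignments, delegate membership to an owner, and make an engineer an eligible member through PIM so that one activation yields every role the group holds. It assumes the Microsoft Graph PowerShell SDK v2 (Microsoft.Graph.Groups and Microsoft.Graph.Identity.Governance) with the `Group.ReadWrite.All`, `RoleManagement.ReadWrite.Directory` and `PrivilegedAccess.ReadWrite.AzureADGroup` scopes. The group name, role names and user principal names are placeholders, and the PIM-for-groups cmdlet in step 4 and its body shape are my assumption from the Graph `privilegedAccess/group` API; confirm them against your SDK version before relying on them.

```powershell
# Added example, not from the original article. Assumes Microsoft.Graph PowerShell SDK v2.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'RoleManagement.ReadWrite.Directory',
                        'PrivilegedAccess.ReadWrite.AzureADGroup' -NoWelcome

# 1. Role-assignable groups must be created with isAssignableToRole = true; the flag
#    cannot be turned on later. Only Global/Privileged Role Administrators and the
#    group's owners can change membership of such a group.
$group = New-MgGroup -DisplayName 'Identity Ops - JIT' `
    -MailEnabled:$false -MailNickname 'identity-ops-jit' -SecurityEnabled:$true `
    -IsAssignableToRole:$true -Visibility 'Private'

# 2. The group receives the permanent role assignments. The assignments stand, but
#    nobody holds them until they become a member.
foreach ($roleName in 'User Administrator', 'Groups Administrator') {
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $group.Id `
        -RoleDefinitionId $role.Id -DirectoryScopeId '/'
}

# 3. Delegate membership decisions to an owner (placeholder UPN). The owner now
#    indirectly controls who gets both roles, without being a role administrator.
$owner = Get-MgUser -UserId 'identity.manager@contoso.com'
New-MgGroupOwnerByRef -GroupId $group.Id `
    -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($owner.Id)" }

# 4. Eligible membership through PIM for groups (assumed cmdlet and body; see lead-in).
#    The engineer is deliberately NOT added as a direct member, so there is no standing access.
$engineer = Get-MgUser -UserId 'identity.engineer@contoso.com'   # placeholder UPN
New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter @{
    accessId     = 'member'
    principalId  = $engineer.Id
    groupId      = $group.Id
    action       = 'adminAssign'
    scheduleInfo = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = 'afterDuration'; duration = 'P180D' }
    }
}

# Check: the group holds the roles, and has no standing members.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($group.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId
Get-MgGroupMember -GroupId $group.Id   # expected: empty until someone activates
```

Treat the group owner as a privileged identity in its own right: whoever can add members to this group can grant both roles, so the owner account needs the same MFA and review controls as a role administrator.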

[Diagram: a privileged access group whose single activation grants multiple roles at once]

8. Use cloud native accounts for Azure AD roles

Avoid using on-premises synced accounts for Azure AD role assignments. If your on-premises account is compromised, it can compromise your Azure AD resources as well.
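An audit that checks sections 5 and 8 together, as an added example that is not code from the original article or from Microsoft. It assumes the Microsoft Graph PowerShell SDK v2 (Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users) with the `RoleManagement.Read.Directory` and `Directory.Read.All` scopes; the break glass account names and the role list are placeholders. It enumerates the active assignments of the most privileged roles, flags any holder that is synced from on-premises AD, warns when Global Administrator has five or more members, and lists permanent Global Administrators that are not break glass accounts, which are the candidates for PIM eligibility instead.

```powershell
# Added example, not from the original article. Assumes Microsoft.Graph PowerShell SDK v2.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

# Placeholders: your emergency access accounts and the roles you want to watch.
$breakGlass = @('breakglass1@contoso.onmicrosoft.com', 'breakglass2@contoso.onmicrosoft.com')
$watchRoles = 'Global Administrator', 'Privileged Role Administrator',
              'Privileged Authentication Administrator'

function Get-PrivilegedRoleAudit {
    $roleDefs = Get-MgRoleManagementDirectoryRoleDefinition -All |
        Where-Object { $_.DisplayName -in $watchRoles }

    foreach ($role in $roleDefs) {
        # Active assignments only; PIM-eligible principals do not show up here, which is the point.
        $assignments = Get-MgRoleManagementDirectoryRoleAssignment `
            -Filter "roleDefinitionId eq '$($role.Id)'" -All

        foreach ($a in $assignments) {
            # Principals may be users, groups or service principals; only users have a sync flag.
            $user = Get-MgUser -UserId $a.PrincipalId `
                -Property 'userPrincipalName,onPremisesSyncEnabled,accountEnabled' `
                -ErrorAction SilentlyContinue

            [pscustomobject]@{
                Role         = $role.DisplayName
                PrincipalId  = $a.PrincipalId
                Upn          = $user.UserPrincipalName
                IsUser       = [bool]$user
                SyncedFromAD = [bool]$user.OnPremisesSyncEnabled   # section 8: should be False
                IsBreakGlass = $user.UserPrincipalName -in $breakGlass
                Scope        = $a.DirectoryScopeId
            }
        }
    }
}

$audit = Get-PrivilegedRoleAudit
$audit | Format-Table -AutoSize

# Section 5: fewer than five Global Administrators.
$gaCount = @($audit | Where-Object Role -eq 'Global Administrator').Count
if ($gaCount -ge 5) {
    Write-Warning "Global Administrator has $gaCount active members; the target is fewer than five."
}

# Section 8: no on-premises synced accounts in privileged roles.
$audit | Where-Object SyncedFromAD | ForEach-Object {
    Write-Warning "$($_.Upn) holds $($_.Role) but is synced from on-premises AD; use a cloud-only account."
}

# Permanent Global Administrators other than break glass should be PIM-eligible instead.
$audit | Where-Object { $_.Role -eq 'Global Administrator' -and $_.IsUser -and -not $_.IsBreakGlass } |
    ForEach-Object {
        Write-Warning "$($_.Upn) is a standing Global Administrator and not a break glass account."
    }
```

Non-user principals (groups and service principals) come back with `IsUser` false; a group in the list deserves its own check of who can add members to it, and a service principal holding Global Administrator is worth a conversation with whoever created it.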

Next steps