Manage emergency access accounts in Azure AD

It is important to prevent being accidentally locked out of your Azure Active Directory (Azure AD) organization, because in that situation you can't sign in or activate another user's account as an administrator. You can mitigate the impact of an accidental loss of administrative access by creating two or more emergency access accounts in your organization.

Emergency access accounts are highly privileged, and they are not assigned to specific individuals. Emergency access accounts are limited to emergency or "break glass" scenarios where normal administrative accounts can't be used. We recommend that you maintain a goal of restricting emergency account use to only the times when it is absolutely necessary.

This article provides guidelines for managing emergency access accounts in Azure AD.

Why use an emergency access account

An organization might need to use an emergency access account in the following situations:

  • The user accounts are federated, and federation is currently unavailable because of a cell-network outage or an identity-provider outage. For example, if the identity provider host in your environment has gone down, users might be unable to sign in when Azure AD redirects to their identity provider.
  • The administrators are registered through Azure Multi-Factor Authentication, and all their individual devices are unavailable or the service is unavailable. Users might be unable to complete Multi-Factor Authentication to activate a role. For example, a cell network outage is preventing them from answering phone calls or receiving text messages, the only two authentication mechanisms that they registered for their device.
  • The person with the most recent Global Administrator access has left the organization. Azure AD prevents the last Global Administrator account from being deleted, but it does not prevent the account from being deleted or disabled on-premises. Either situation might make the organization unable to recover the account.
  • Unforeseen circumstances such as a natural disaster emergency, during which a mobile phone or other networks might be unavailable.

Create emergency access accounts

Create two or more emergency access accounts. These accounts should be cloud-only accounts that use the *.partner.onmschina.cn domain and that are not federated or synchronized from an on-premises environment.

When configuring these accounts, the following requirements must be met:

  • The emergency access accounts should not be associated with any individual user in the organization. Make sure that your accounts are not connected with any employee-supplied mobile phones, hardware tokens that travel with individual employees, or other employee-specific credentials. This precaution covers instances where an individual employee is unreachable when the credential is needed. It is important to ensure that any registered devices are kept in a known, secure location that has multiple means of communicating with Azure AD.
  • The authentication mechanism used for an emergency access account should be distinct from that used by your other administrative accounts, including other emergency access accounts. For example, if your normal administrator sign-in is via on-premises MFA, then Azure MFA would be a different mechanism. However, if Azure MFA is the primary part of authentication for your administrative accounts, consider a different approach for these accounts, such as using Conditional Access with a third-party MFA provider via Custom controls.
  • The device or credential must not expire or be in scope of automated cleanup due to lack of use.
  • You should make the Global Administrator role assignment permanent for your emergency access accounts.

Exclude at least one account from phone-based multi-factor authentication

To reduce the risk of an attack resulting from a compromised password, Azure AD recommends that you require multi-factor authentication for all individual users. This group includes administrators and all others (for example, financial officers) whose compromised account would have a significant impact.

However, at least one of your emergency access accounts should not have the same multi-factor authentication mechanism as your other non-emergency accounts. This includes third-party multi-factor authentication solutions. If you have a Conditional Access policy that requires multi-factor authentication for every administrator in Azure AD, you should exclude the emergency access accounts from this requirement and configure a different mechanism instead. Additionally, you should make sure the accounts do not have a per-user multi-factor authentication policy.

Exclude at least one account from Conditional Access policies

During an emergency, you do not want a policy to potentially block your access to fix an issue. At least one emergency access account should be excluded from all Conditional Access policies.

Federation guidance

An additional option for organizations that use AD Domain Services and ADFS or a similar identity provider to federate to Azure AD is to configure an emergency access account whose MFA claim can be supplied by that identity provider. For example, the emergency access account could be backed by a certificate and key pair, such as one stored on a smartcard. When that user is authenticated to AD, ADFS can supply a claim to Azure AD indicating that the user has met MFA requirements. Even with this approach, organizations must still have cloud-based emergency access accounts in case federation cannot be established.

Store account credentials safely

Organizations need to ensure that the credentials for emergency access accounts are kept secure and known only to individuals who are authorized to use them. Some customers use a smartcard and others use passwords. A password for an emergency access account is usually separated into two or three parts, written on separate pieces of paper, and stored in secure, fireproof safes that are in secure, separate locations.

If using passwords, make sure the accounts have strong passwords that do not expire. Ideally, the passwords should be at least 16 characters long and randomly generated.

Monitor sign-in and audit logs

Organizations should monitor sign-in and audit log activity from the emergency accounts and trigger notifications to other administrators. When you monitor the activity on break glass accounts, you can verify that these accounts are only used for testing or actual emergencies. You can use Azure Log Analytics to monitor the sign-in logs and trigger email and SMS alerts to your admins whenever break glass accounts sign in.

Prerequisites

  1. Send Azure AD sign-in logs to Azure Monitor.

Obtain Object IDs of the break glass accounts

  1. Sign in to the Azure portal with an account assigned to the User administrator role.
  2. Select Azure Active Directory > Users.
  3. Search for the break glass account and select the user's name.
  4. Copy and save the Object ID attribute so that you can use it later.
  5. Repeat the previous steps for the second break glass account.

Create an alert rule

  1. Sign in to the Azure portal with an account assigned to the Monitoring Contributor role in Azure Monitor.
  2. Select All services, enter "log analytics" in Search, and then select Log Analytics workspaces.
  3. Select a workspace.
  4. In your workspace, select Alerts > New alert rule.
    1. Under Resource, verify that the subscription is the one with which you want to associate the alert rule.

    2. Under Condition, select Add.

    3. Select Custom log search under Signal name.

    4. Under Search query, enter the following query, inserting the object IDs of the two break glass accounts.

      Note

      For each additional break glass account you want to include, add another `or UserId == "ObjectGuid"` to the query.

      (Screenshot: Add the object IDs of the break glass accounts to the alert rule)

    5. Under Alert logic, enter the following:

      • Based on: Number of results
      • Operator: Greater than
      • Threshold value: 0
    6. Under Evaluated based on, select the Period (in minutes) for how long you want the query to run, and the Frequency (in minutes) for how often you want the query to run. The frequency should be less than or equal to the period.

      (Screenshot: Alert logic)

    7. Select Done. You may now view the estimated monthly cost of this alert.

  5. Select an action group of users to be notified by the alert. If you want to create one, see Create an action group.
  6. To customize the email notification sent to the members of the action group, select Actions under Customize Actions.
  7. Under Alert Details, specify the alert rule name and add an optional description.
  8. Set the Severity level of the event. We recommend that you set it to Critical (Sev 0).
  9. Under Enable rule upon creation, leave it set to Yes.
  10. To turn off alerts for a while, select the Suppress Alerts check box and enter the wait duration before alerting again, and then select Save.
  11. Click Create alert rule.
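The search query for the custom log search in step 4, as an added example rather than the page's own query. It assumes that the Azure AD sign-in logs sent to Azure Monitor (the prerequisite above) land in the workspace as the SigninLogs table, and it uses two constructed placeholder GUIDs that you replace with the Object IDs copied from the portal:

```kusto
// Added example, not the page's original query.
// Assumes Azure AD sign-in logs are streamed to this workspace as the SigninLogs table.
// The two GUIDs are constructed placeholders: replace them with the Object IDs of your
// break glass accounts. For each extra account, append another: or UserId == "<ObjectGuid>"
SigninLogs
| where UserId == "00000000-0000-0000-0000-000000000001"   // placeholder: break glass account 1
    or UserId == "00000000-0000-0000-0000-000000000002"    // placeholder: break glass account 2
// Keep the fields an administrator needs to judge whether the sign-in was a planned test
// or a real emergency. The alert logic above (Number of results > 0) fires on any row.
| project TimeGenerated, UserPrincipalName, UserId, ResultType, IPAddress, AppDisplayName
```

Because the alert fires on any result, scheduled validation sign-ins (see "Validate accounts regularly") will also trigger it; tell the security monitoring staff beforehand rather than loosening the query.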

Create an action group

  1. Select Create an action group.

    (Screenshot: Create an action group for notification actions)

  2. Enter the action group name and a short name.

  3. Verify the subscription and resource group.

  4. Under Action type, select Email/SMS/Push/Voice.

  5. Enter an action name, such as Notify global admin.

  6. Select the Action Type as Email/SMS/Push/Voice.

  7. Select Edit details to select the notification methods you want to configure and enter the required contact information, and then select OK to save the details.

  8. Add any additional actions you want to trigger.

  9. Select OK.

Validate accounts regularly

When you train staff members to use emergency access accounts and validate the emergency access accounts, at minimum do the following steps at regular intervals:

  • Ensure that security-monitoring staff are aware that the account-check activity is ongoing.
  • Ensure that the emergency break glass process to use these accounts is documented and current.
  • Ensure that administrators and security officers who might need to perform these steps during an emergency are trained on the process.
  • Update the account credentials, in particular any passwords, for your emergency access accounts, and then validate that the emergency access accounts can sign in and perform administrative tasks.
  • Ensure that users have not registered Multi-Factor Authentication or self-service password reset (SSPR) to any individual user's device or personal details.
  • If the accounts are registered for Multi-Factor Authentication to a device, for use during sign-in or role activation, ensure that the device is accessible to all administrators who might need to use it during an emergency. Also verify that the device can communicate through at least two network paths that do not share a common failure mode. For example, the device can communicate to the internet through both a facility's wireless network and a cell provider network.

These steps should be performed at regular intervals and for key changes:

  • At least every 90 days
  • When there has been a recent change in IT staff, such as a job change, a departure, or a new hire
  • When the Azure AD subscriptions in the organization have changed

Next steps