Manage multi-factor authentication (MFA) enforcement on your subscriptions

If you're only using passwords to authenticate your users, you're leaving an attack vector open. Users often choose weak passwords or reuse them across multiple services. With MFA enabled, your accounts are more secure, and users can still authenticate to almost any application with single sign-on (SSO).

There are multiple ways to enable MFA for your Azure Active Directory (AD) users, depending on the licenses your organization owns. This page describes each of them in the context of Azure Security Center.

MFA and Security Center

Security Center places a high value on MFA. The security control that contributes the most to your secure score is Enable MFA.

The recommendations in the Enable MFA control ensure you're following the recommended practices for users of your subscriptions:

  • MFA should be enabled on accounts with owner permissions on your subscription
  • MFA should be enabled on accounts with write permissions on your subscription

There are three ways to enable MFA and be compliant with the two recommendations in Security Center: security defaults, per-user assignment, and conditional access (CA) policy. Each option is explained below.

Free option - security defaults

If you're using the free edition of Azure AD, use security defaults to enable multi-factor authentication on your tenant.

MFA for Microsoft 365 Business, E3, or E5 customers

Customers with Microsoft 365 can use per-user assignment. In this scenario, Azure AD MFA is either enabled or disabled for all users, for all sign-in events. There is no ability to enable multi-factor authentication for a subset of users or only under certain conditions, and management is through the Office 365 portal.

MFA for Azure AD Premium customers

For an improved user experience, upgrade to Azure AD Premium P1 to use the conditional access (CA) policy option. To configure a CA policy, you'll need Azure Active Directory (AD) tenant permissions.

Your CA policy must:

  • enforce MFA
  • include the Azure Management app ID (797f4846-ba00-4fd7-ba43-dac1f8f63013) or all apps
  • not exclude the Azure Management app ID

Azure AD Premium P1 customers can use Azure AD CA to prompt users for multi-factor authentication during certain scenarios or events, to fit your business requirements. Other licenses that include this functionality: Enterprise Mobility + Security E3, Microsoft 365 F1, and Microsoft 365 E3.

Learn more in the Azure Conditional Access documentation.

Identify accounts without multi-factor authentication (MFA) enabled

You can view the list of user accounts without MFA enabled either from the Security Center recommendation details page or by using Azure Resource Graph.

View the accounts without MFA enabled in the Azure portal

From the recommendation details page, select a subscription from the Unhealthy resources list, or select Take action, and the list will be displayed.

View the accounts without MFA enabled using Azure Resource Graph

To see which accounts don't have MFA enabled, use the following Azure Resource Graph query. The query returns all unhealthy resources (accounts) for the recommendation "MFA should be enabled on accounts with owner permissions on your subscription". To check the write-permissions recommendation as well, use its display name in the same displayName filter.

  1. Open Azure Resource Graph Explorer.

  2. Enter the following query and select Run query.

    securityresources
    | where type == "microsoft.security/assessments"
    | where properties.displayName == "MFA should be enabled on accounts with owner permissions on your subscription"
    | where properties.status.code == "Unhealthy"

  3. The additionalData property reveals the list of account object IDs for accounts that don't have MFA enforced.

    Note

    The accounts are shown as object IDs rather than account names to protect the privacy of the account holders.
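The query above only gets you as far as assessment rows whose additionalData carries object IDs. As an added example that is not part of the original article, the following Python processes the JSON output of that query (for instance as produced by `az graph query -o json`) for both recommendations in the Enable MFA control, applies the same filters as the query, and resolves the object IDs against a directory lookup. The sample response, the additionalData key name `accountsObjectIds`, its JSON-encoded-string value, the subscription and object IDs, and the directory mapping are all constructed assumptions for this example; additionalData on a real assessment is a string-to-string map, so confirm the actual key name in Resource Graph Explorer before relying on it.

```python
import json

# Display names of the two recommendations in the "Enable MFA" control, as given on this page.
OWNER_REC = "MFA should be enabled on accounts with owner permissions on your subscription"
WRITE_REC = "MFA should be enabled on accounts with write permissions on your subscription"
MFA_RECOMMENDATIONS = {OWNER_REC, WRITE_REC}

# Invented identifiers for the constructed sample below.
SUB_A = "00000000-0000-0000-0000-00000000000a"
SUB_B = "00000000-0000-0000-0000-00000000000b"
OID_ALICE = "11111111-1111-1111-1111-111111111111"
OID_SVC = "22222222-2222-2222-2222-222222222222"


def _row(sub: str, display_name: str, code: str, oids: list) -> dict:
    """Build one constructed assessment row. The additionalData key "accountsObjectIds"
    and its JSON-encoded-string value are assumptions, not a documented schema."""
    return {
        "type": "microsoft.security/assessments",
        "subscriptionId": sub,
        "properties": {
            "displayName": display_name,
            "status": {"code": code},
            "additionalData": {"accountsObjectIds": json.dumps(oids)} if oids else {},
        },
    }


# Constructed sample in the shape `az graph query -o json` returns: a "data" array of rows.
SAMPLE_RESPONSE = json.dumps({"data": [
    _row(SUB_A, OWNER_REC, "Unhealthy", [OID_ALICE, OID_SVC]),  # two owners without MFA
    _row(SUB_B, WRITE_REC, "Unhealthy", [OID_SVC]),             # one writer without MFA
    _row(SUB_B, OWNER_REC, "Healthy", []),                      # healthy: must be ignored
    _row(SUB_A, "Secure transfer to storage accounts should be enabled", "Unhealthy", []),  # unrelated
]})

# Constructed stand-in for an objectId -> user principal name lookup against Azure AD
# (the assessment reports object IDs only, for privacy, so resolution is a separate step).
DIRECTORY = {OID_ALICE: "alice@contoso.example", OID_SVC: "svc-deploy@contoso.example"}


def parse_object_ids(additional_data: dict) -> list:
    """Return the object IDs carried in additionalData (assumed key "accountsObjectIds").
    Values in additionalData are strings, so a list normally arrives JSON-encoded; a plain
    list or a comma-separated string is accepted too, so a different encoding degrades
    gracefully instead of raising."""
    raw = additional_data.get("accountsObjectIds", "[]")
    if isinstance(raw, list):
        return [str(item) for item in raw]
    try:
        decoded = json.loads(raw)
        if isinstance(decoded, list):
            return [str(item) for item in decoded]
    except json.JSONDecodeError:
        pass
    return [part.strip() for part in raw.split(",") if part.strip()]


def unhealthy_mfa_accounts(response_json: str) -> dict:
    """Map subscriptionId -> set of object IDs flagged by either MFA recommendation.
    Mirrors the page's query filters (type, displayName, status.code == "Unhealthy")."""
    flagged: dict = {}
    for row in json.loads(response_json)["data"]:
        if row.get("type") != "microsoft.security/assessments":
            continue
        props = row.get("properties", {})
        if props.get("displayName") not in MFA_RECOMMENDATIONS:
            continue
        if props.get("status", {}).get("code") != "Unhealthy":
            continue
        sub = row.get("subscriptionId", "unknown")
        flagged.setdefault(sub, set()).update(parse_object_ids(props.get("additionalData", {})))
    return flagged


def resolve_names(flagged: dict, directory: dict) -> dict:
    """Attach a principal name to each flagged object ID; IDs the directory does not know
    (deleted users, guests, service principals) are kept and marked unresolved."""
    return {
        sub: {oid: directory.get(oid, "<unresolved>") for oid in sorted(oids)}
        for sub, oids in flagged.items()
    }


if __name__ == "__main__":
    for sub, accounts in resolve_names(unhealthy_mfa_accounts(SAMPLE_RESPONSE), DIRECTORY).items():
        print(f"subscription {sub}")
        for oid, name in accounts.items():
            print(f"  {oid}  {name}")
```

Keeping the filters in code rather than in the query lets you run the broad `securityresources | where type == "microsoft.security/assessments"` query once and reuse the result for both recommendations; unresolved IDs usually mean a deleted principal or a service principal, which is worth checking separately because the write-permissions recommendation covers those too.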

Tip

Alternatively, you can use Security Center's REST API method Assessments - Get.

FAQ - MFA in Security Center

We're already using a CA policy to enforce MFA. Why do we still get the Security Center recommendations?

To investigate why the recommendations are still being generated, verify the following configuration options in your MFA CA policy:

  • You've included the accounts in the Users section of your MFA CA policy (or in one of the groups in the Groups section)
  • The Azure Management app ID (797f4846-ba00-4fd7-ba43-dac1f8f63013), or all apps, is included in the Apps section of your MFA CA policy
  • The Azure Management app ID isn't excluded in the Apps section of your MFA CA policy
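As an added example, not code from the article or from Microsoft: a small Python check that applies these FAQ bullets (and the CA policy requirements listed earlier under Azure AD Premium) to a policy object laid out like a Microsoft Graph conditionalAccessPolicy (state, conditions.users, conditions.applications, grantControls). The sample policies, the group name and the account object ID are invented for the example. Two checks go beyond the page: the policy state (a report-only policy enforces nothing) and the grant operator (with operator "OR" and several controls, a sign-in can satisfy the policy without MFA). Both are the author's practitioner additions, not something the page says Security Center evaluates.

```python
# App ID of the Azure Management first-party application, as given on the page.
AZURE_MANAGEMENT_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"


def ca_policy_findings(policy: dict, account_id: str, account_groups: set) -> list:
    """Explain why `account_id` would still be flagged under `policy`; [] means it is covered.
    `policy` follows the Microsoft Graph conditionalAccessPolicy layout. The checks are the
    FAQ bullets plus two practitioner checks (state, grant operator) the page does not list."""
    findings: list = []

    # A report-only or disabled policy is evaluated but never enforced (author's addition).
    if policy.get("state") != "enabled":
        findings.append(f"policy state is {policy.get('state')!r}, so nothing is enforced")

    # CA requirement 1: the policy must enforce MFA. With operator "OR" and several controls,
    # a compliant device (for example) satisfies the policy without MFA (author's addition).
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if "mfa" not in controls:
        findings.append("grant controls do not include mfa")
    elif len(controls) > 1 and grant.get("operator") == "OR":
        findings.append("mfa is one of several OR-ed controls, so sign-in can succeed without MFA")

    # CA requirements 2 and 3: Azure Management (or All apps) included, and not excluded.
    apps = policy.get("conditions", {}).get("applications", {})
    included_apps = apps.get("includeApplications", [])
    if "All" not in included_apps and AZURE_MANAGEMENT_APP_ID not in included_apps:
        findings.append("Azure Management app is not in includeApplications")
    if AZURE_MANAGEMENT_APP_ID in apps.get("excludeApplications", []):
        findings.append("Azure Management app is listed in excludeApplications")

    # FAQ bullet 1: the account (or one of its groups) is in the Users/Groups scope, not excluded.
    users = policy.get("conditions", {}).get("users", {})
    included_users = users.get("includeUsers", [])
    in_scope = ("All" in included_users or account_id in included_users
                or bool(account_groups & set(users.get("includeGroups", []))))
    if not in_scope:
        findings.append("account is not in the policy's Users or Groups scope")
    if account_id in users.get("excludeUsers", []) or account_groups & set(users.get("excludeGroups", [])):
        findings.append("account (or one of its groups) is excluded from the policy")
    return findings


def _policy(include_apps, exclude_apps=(), include_users=("All",), include_groups=(),
            exclude_users=(), controls=("mfa",), operator="OR", state="enabled") -> dict:
    """Build a constructed policy in the Graph layout (helper for the samples below)."""
    return {
        "state": state,
        "conditions": {
            "users": {"includeUsers": list(include_users), "includeGroups": list(include_groups),
                      "excludeUsers": list(exclude_users), "excludeGroups": []},
            "applications": {"includeApplications": list(include_apps),
                             "excludeApplications": list(exclude_apps)},
        },
        "grantControls": {"operator": operator, "builtInControls": list(controls)},
    }


# Constructed sample policies and account (identifiers invented for the example).
OWNER = "11111111-1111-1111-1111-111111111111"
GOOD = _policy(include_apps=[AZURE_MANAGEMENT_APP_ID])
EXCLUDES_APP = _policy(include_apps=["All"], exclude_apps=[AZURE_MANAGEMENT_APP_ID])
REPORT_ONLY = _policy(include_apps=["All"], state="enabledForReportingButNotEnforced")
GROUP_SCOPED = _policy(include_apps=["All"], include_users=[], include_groups=["grp-cloud-admins"])
DEVICE_OR_MFA = _policy(include_apps=["All"], controls=["mfa", "compliantDevice"], operator="OR")

if __name__ == "__main__":
    samples = [("GOOD", GOOD), ("EXCLUDES_APP", EXCLUDES_APP), ("REPORT_ONLY", REPORT_ONLY),
               ("GROUP_SCOPED", GROUP_SCOPED), ("DEVICE_OR_MFA", DEVICE_OR_MFA)]
    for name, pol in samples:
        print(name, ca_policy_findings(pol, OWNER, set()) or ["covered"])
```

The EXCLUDES_APP sample is the classic mistake behind this FAQ entry: a policy that targets "All cloud apps" but excludes Azure Management to keep automation working, which is exactly the exclusion the recommendation looks for. GROUP_SCOPED shows why group membership has to be passed in; an owner who is not in the targeted group is out of scope even though the policy itself is correct.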

We're using a third-party MFA tool to enforce MFA. Why do we still get the Security Center recommendations?

Security Center's MFA recommendations don't support third-party MFA tools (for example, DUO).

If the recommendations are irrelevant for your organization, you can disable the recommendation.

Why does Security Center show user accounts without permissions on the subscription as "requiring MFA"?

Security Center's MFA recommendations refer to Azure RBAC roles and the Azure classic subscription administrators role. Verify that none of the accounts have such roles.

We're enforcing MFA with PIM. Why are PIM accounts shown as noncompliant?

Security Center's MFA recommendations currently don't support PIM accounts. You can add these accounts to a CA policy in the Users/Groups section.

Can I exempt or dismiss some of the accounts?

The capability to exempt some accounts that don't use MFA isn't currently supported.

Are there any limitations to Security Center's identity and access protections?

There are some limitations to Security Center's identity and access protections:

  • Identity recommendations aren't available for subscriptions with more than 600 accounts. In such cases, these recommendations are listed under "unavailable assessments".
  • Identity recommendations aren't available for Cloud Solution Provider (CSP) partners' admin agents.
  • Identity recommendations don't identify accounts that are managed with a privileged identity management (PIM) system. If you're using a PIM tool, you might see inaccurate results in the Manage access and permissions control.

Next steps

To learn more about recommendations that apply to other Azure resource types, see the following article: