Monitor identity and access

Tip

From March 2020, Azure Security Center's identity and access recommendations are included in all subscriptions on the free pricing tier. If you have subscriptions on the free tier, their Secure Score will be affected, because they were not previously assessed for identity and access security.

When Security Center identifies potential security weaknesses, it creates recommendations that guide you through configuring the controls needed to harden and protect your resources.

The security perimeter has evolved from a network perimeter to an identity perimeter. Security is less about defending your network and more about defending your data and managing the security of your apps and users. As more data and apps move to the cloud, identity becomes the new perimeter.

By monitoring identity activity, you can take proactive action before an incident occurs, or reactive action to stop an attack in progress. For example, Security Center can flag deprecated accounts (accounts that are no longer needed and that Azure Active Directory has blocked from signing in) for removal.

Examples of recommendations you might see in the Identity and access resource security section of Azure Security Center include:

  • MFA should be enabled on accounts with owner permissions on your subscription
  • A maximum of 3 owners should be designated for your subscription
  • External accounts with read permissions should be removed from your subscription
  • Deprecated accounts should be removed from your subscription

For more information about these recommendations, and for the full list of recommendations you might see here, see Identity and Access recommendations.
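The four recommendations above can be evaluated outside Security Center, which is useful for subscriptions where the assessment is unavailable or for a pre-deployment check in a pipeline. The following is an added example, not code from the original page or from Microsoft: it runs the same four checks over constructed sample data whose shape mimics `az role assignment list --all -o json` (the `principalName`, `principalType`, `roleDefinitionName` and `scope` fields) plus a constructed user list. The `accountEnabled` and `mfaRegistered` fields, the subscription ID, the tenant domain and every account name are assumptions; in practice the MFA state comes from Azure AD (for example the Microsoft Graph authentication-methods reports), not from role assignments. The external-account check goes slightly beyond the page by grouping guests by every role they hold, not only Reader.

```python
"""Offline check for Security Center's four identity-and-access recommendations.

All data below is constructed for illustration. Field names on the role
assignments follow `az role assignment list` JSON output; the user records
(accountEnabled, mfaRegistered) are an assumption standing in for Azure AD.
"""
import json

# Assumptions: placeholder subscription ID and home tenant domain.
SUBSCRIPTION_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"
TENANT_DOMAIN = "contoso.onmicrosoft.com"
MAX_OWNERS = 3  # the threshold from the "maximum of 3 owners" recommendation

# Constructed sample: role assignments visible on the subscription.
ROLE_ASSIGNMENTS = json.loads("""[
 {"principalName": "alice@contoso.onmicrosoft.com", "principalType": "User",
  "roleDefinitionName": "Owner", "scope": "%(sub)s"},
 {"principalName": "bob@contoso.onmicrosoft.com", "principalType": "User",
  "roleDefinitionName": "Owner", "scope": "%(sub)s"},
 {"principalName": "carol@contoso.onmicrosoft.com", "principalType": "User",
  "roleDefinitionName": "Owner", "scope": "%(sub)s"},
 {"principalName": "dave@contoso.onmicrosoft.com", "principalType": "User",
  "roleDefinitionName": "Owner",
  "scope": "/providers/Microsoft.Management/managementGroups/root"},
 {"principalName": "eve_fabrikam.com#EXT#@contoso.onmicrosoft.com",
  "principalType": "User", "roleDefinitionName": "Reader", "scope": "%(sub)s"},
 {"principalName": "frank@contoso.onmicrosoft.com", "principalType": "User",
  "roleDefinitionName": "Contributor", "scope": "%(sub)s"},
 {"principalName": "svc-deploy", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Contributor", "scope": "%(sub)s/resourceGroups/app"}
]""" % {"sub": SUBSCRIPTION_SCOPE})

# Constructed sample: directory state for the users above (assumed fields).
USERS = json.loads("""[
 {"userPrincipalName": "alice@contoso.onmicrosoft.com", "accountEnabled": true, "mfaRegistered": true},
 {"userPrincipalName": "bob@contoso.onmicrosoft.com",   "accountEnabled": true, "mfaRegistered": false},
 {"userPrincipalName": "carol@contoso.onmicrosoft.com", "accountEnabled": true, "mfaRegistered": true},
 {"userPrincipalName": "dave@contoso.onmicrosoft.com",  "accountEnabled": true, "mfaRegistered": true},
 {"userPrincipalName": "eve_fabrikam.com#EXT#@contoso.onmicrosoft.com", "accountEnabled": true, "mfaRegistered": false},
 {"userPrincipalName": "frank@contoso.onmicrosoft.com", "accountEnabled": false, "mfaRegistered": true}
]""")


def applies_to_subscription(scope, subscription_scope=SUBSCRIPTION_SCOPE):
    """True for assignments at the subscription itself or inherited from a
    management group; assignments scoped below the subscription are ignored."""
    return scope == subscription_scope or scope.startswith(
        "/providers/Microsoft.Management/managementGroups/")


def is_external(upn, tenant_domain=TENANT_DOMAIN):
    """Guest users invited from another tenant carry '#EXT#' in their UPN;
    a UPN outside the home domain is treated as external as well."""
    return "#EXT#" in upn or not upn.lower().endswith("@" + tenant_domain)


def evaluate(assignments, users, tenant_domain=TENANT_DOMAIN):
    """Return findings for the four identity-and-access recommendations."""
    directory = {u["userPrincipalName"]: u for u in users}
    sub_users = [a for a in assignments
                 if a["principalType"] == "User" and applies_to_subscription(a["scope"])]

    owners = {a["principalName"] for a in sub_users if a["roleDefinitionName"] == "Owner"}
    owners_without_mfa = sorted(
        u for u in owners if not directory.get(u, {}).get("mfaRegistered", False))

    external = {}
    for a in sub_users:
        if is_external(a["principalName"], tenant_domain):
            external.setdefault(a["roleDefinitionName"], set()).add(a["principalName"])

    # Deprecated: still holds a role assignment but is blocked from signing in.
    deprecated = sorted({a["principalName"] for a in sub_users
                         if directory.get(a["principalName"], {}).get("accountEnabled") is False})

    return {
        "owners_without_mfa": owners_without_mfa,
        "owner_count": len(owners),
        "too_many_owners": len(owners) > MAX_OWNERS,
        "external_accounts": {role: sorted(names) for role, names in external.items()},
        "deprecated_accounts": deprecated,
    }


if __name__ == "__main__":
    print(json.dumps(evaluate(ROLE_ASSIGNMENTS, USERS), indent=2))
```

Service principals are excluded from the owner and deprecated checks on purpose: they cannot register for MFA, and their equivalent control is credential hygiene rather than account state. Assignments scoped to a resource group (the `svc-deploy` entry) are also skipped, matching the subscription-level framing of the recommendations.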

Note

If your subscription has more than 600 accounts, Security Center cannot run the identity recommendations against it. Recommendations that are not run are listed under "unavailable assessments" below. Security Center also cannot run the identity recommendations against a Cloud Solution Provider (CSP) partner's admin agents.

All of the identity and access recommendations are available within two security controls on the Recommendations page:

  • Manage access and permissions
  • Enable MFA

[Image: the two security controls that contain the identity and access recommendations]

Enable multi-factor authentication (MFA)

Enabling MFA requires Azure Active Directory (AD) tenant permissions; subscription-level roles such as Owner are not sufficient on their own.

Next steps

To learn more about recommendations that apply to other Azure resource types, see the following articles: