Azure Identity Management and access control security best practices

In this article, we discuss a collection of Azure identity management and access control security best practices. These best practices are derived from our experience with Azure AD and the experiences of customers like yourself.

For each best practice, we explain:

  • What the best practice is
  • Why you want to enable that best practice
  • What might be the result if you fail to enable the best practice
  • Possible alternatives to the best practice
  • How you can learn to enable the best practice

This Azure identity management and access control security best practices article is based on a consensus opinion and on Azure platform capabilities and feature sets as they exist at the time this article was written.

Opinions and technologies change over time, and this article will be updated on a regular basis to reflect those changes.

Azure identity management and access control security best practices discussed in this article include:

  • Treat identity as the primary security perimeter
  • Centralize identity management
  • Manage connected tenants
  • Plan for routine security improvements
  • Enable password management
  • Enforce multi-factor verification for users
  • Use role-based access control
  • Control locations where resources are located
  • Use Azure AD for storage authentication
Treat identity as the primary security perimeter

Many consider identity to be the primary perimeter for security. This is a shift from the traditional focus on network security. Network perimeters keep getting more porous, and perimeter defense can't be as effective as it was before the explosion of BYOD devices and cloud applications.

Azure Active Directory (Azure AD) is the Azure solution for identity and access management. Azure AD is a multitenant, cloud-based directory and identity management service from Microsoft. It combines core directory services, application access management, and identity protection into a single solution.

The following sections list best practices for identity and access security using Azure AD.

Best practice: Center security controls and detections around user and service identities.
Detail: Use Azure AD to collocate controls and identities.

Centralize identity management

In a hybrid identity scenario, we recommend that you integrate your on-premises and cloud directories. Integration enables your IT team to manage accounts from one location, regardless of where an account is created. Integration also helps your users be more productive by providing a common identity for accessing both cloud and on-premises resources.

Best practice: Establish a single Azure AD instance. Consistency and a single authoritative source will increase clarity and reduce security risks from human errors and configuration complexity.
Detail: Designate a single Azure AD directory as the authoritative source for corporate and organizational accounts.

Best practice: Integrate your on-premises directories with Azure AD.
Detail: Use Azure AD Connect to synchronize your on-premises directory with your cloud directory.

There are factors that affect the performance of Azure AD Connect. Ensure that Azure AD Connect has enough capacity to keep underperforming systems from impeding security and productivity. Large or complex organizations (organizations provisioning more than 100,000 objects) should follow the recommendations to optimize their Azure AD Connect implementation.

Best practice: Don't synchronize accounts to Azure AD that have high privileges in your existing Active Directory instance.
Detail: Don't change the default Azure AD Connect configuration that filters out these accounts. This configuration mitigates the risk of adversaries pivoting from cloud to on-premises assets (which could create a major incident).

Best practice: Turn on password hash synchronization.
Detail: Password hash synchronization is a feature used to sync user password hashes from an on-premises Active Directory instance to a cloud-based Azure AD instance. This sync helps to protect against leaked credentials being replayed from previous attacks.

Even if you decide to use federation with Active Directory Federation Services (AD FS) or other identity providers, you can optionally set up password hash synchronization as a backup in case your on-premises servers fail or become temporarily unavailable. This sync enables users to sign in to the service by using the same password that they use to sign in to their on-premises Active Directory instance. It also allows Identity Protection to detect compromised credentials by comparing synchronized password hashes with passwords known to be compromised, if a user has used the same email address and password on other services that aren't connected to Azure AD.

For more information, see Implement password hash synchronization with Azure AD Connect sync.

Best practice: For new application development, use Azure AD for authentication.
Detail: Use the correct capabilities to support authentication:

  • Azure AD for employees
  • Azure AD B2B for guest users and external partners
  • Azure AD B2C to control how customers sign up, sign in, and manage their profiles when they use your applications

Organizations that don't integrate their on-premises identity with their cloud identity can have more overhead in managing accounts. This overhead increases the likelihood of mistakes and security breaches.

You need to choose which directories critical accounts will reside in and whether the admin workstation used is managed by new cloud services or by existing processes. Using existing management and identity provisioning processes can decrease some risks but can also create the risk of an attacker compromising an on-premises account and pivoting to the cloud. You might want to use a different strategy for different roles (for example, IT admins vs. business unit admins). You have two options. The first option is to create Azure AD accounts that aren't synchronized with your on-premises Active Directory instance. Join your admin workstation to Azure AD, which you can manage and patch by using Microsoft Intune. The second option is to use existing admin accounts by synchronizing to your on-premises Active Directory instance. Use existing workstations in your Active Directory domain for management and security.

Manage connected tenants

Your security organization needs visibility to assess risk and to determine whether the policies of your organization, and any regulatory requirements, are being followed. You should ensure that your security organization has visibility into all subscriptions connected to your production environment and network (via Azure ExpressRoute or site-to-site VPN). A Global Administrator/Company Administrator in Azure AD can elevate their access to the User Access Administrator role and see all subscriptions and management groups connected to your environment.

See Elevate access to manage all Azure subscriptions and management groups to ensure that you and your security group can view all subscriptions or management groups connected to your environment. You should remove this elevated access after you've assessed risks.

Turn on Conditional Access

Users can access your organization's resources by using a variety of devices and apps from anywhere. As an IT admin, you want to make sure that these devices meet your standards for security and compliance. Just focusing on who can access a resource is not sufficient anymore.

To balance security and productivity, you need to think about how a resource is accessed before you can make a decision about access control. With Azure AD Conditional Access, you can address this requirement. With Conditional Access, you can make automated access control decisions based on conditions for accessing your cloud apps.

Best practice: Manage and control access to corporate resources.
Detail: Configure common Azure AD Conditional Access policies based on group, location, and application sensitivity for SaaS apps and Azure AD-connected apps.

Best practice: Block legacy authentication protocols.
Detail: Attackers exploit weaknesses in older protocols every day, particularly for password spray attacks. Configure Conditional Access to block legacy protocols.
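The following Microsoft Graph PowerShell script is an added example, not part of the original article: it creates the Conditional Access policy described above, blocking the legacy client app types (Exchange ActiveSync and "other" legacy clients) for all users and all cloud apps, starting in report-only mode so the sign-in logs can be reviewed before enforcement. The emergency-access group id in angle brackets is an assumption to be replaced with your own.

```powershell
# Added example: block legacy authentication with a Conditional Access policy.
# Requires the Microsoft.Graph.Identity.SignIns module and an account allowed
# to create Conditional Access policies. Angle-bracket values are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Object id of the group holding emergency-access ("break glass") accounts.
# Excluding it keeps administrators from being locked out if the policy misfires.
$breakGlassGroupId = "<emergency-access-group-object-id>"

$policy = @{
    displayName = "Block legacy authentication"
    # Start in report-only mode; switch to "enabled" after reviewing the
    # sign-in logs for clients that would have been blocked.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # Legacy protocols (basic-auth SMTP/IMAP/POP, older Office clients)
        # are reported under these two client app types.
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Once the report-only results show no legitimate legacy clients, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```

While the policy is in report-only mode, the sign-in logs show which accounts still use legacy protocols, which is the list to migrate before switching the state to enabled.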

Plan for routine security improvements

Security is always evolving, and it is important to build into your cloud and identity management framework a way to regularly show growth and discover new ways to secure your environment.

Identity Secure Score is a set of recommended security controls that Microsoft publishes; it provides a numerical score to objectively measure your security posture and help plan future security improvements. You can also view your score in comparison to those in other industries, as well as your own trends over time.

Best practice: Plan routine security reviews and improvements based on best practices in your industry.
Detail: Use the Identity Secure Score feature to rank your improvements over time.

Enable password management

If you have multiple tenants or you want to enable users to reset their own passwords, it's important that you use appropriate security policies to prevent abuse.

Best practice: Set up self-service password reset (SSPR) for your users.
Detail: Use the Azure AD self-service password reset feature.

Best practice: Monitor how or if SSPR is really being used.
Detail: Monitor the users who are registering by using the Azure AD Password Reset Registration Activity report. The reporting feature that Azure AD provides helps you answer questions by using prebuilt reports. If you're appropriately licensed, you can also create custom queries.

Enforce multi-factor verification for users

We recommend that you require two-step verification for all of your users. This includes administrators and others in your organization who can have a significant impact if their account is compromised (for example, financial officers).

There are multiple options for requiring two-step verification. The best option for you depends on your goals, the Azure AD edition you're running, and your licensing program. See How to require two-step verification for a user to determine the best option for you. See the Azure AD and Azure AD Multi-Factor Authentication pricing pages for more information about licenses and pricing.

Following are options and benefits for enabling two-step verification:

Option 1: Enable MFA for all users and login methods with Azure AD Security Defaults
Benefit: This option enables you to easily and quickly enforce MFA for all users in your environment with a stringent policy to:

  • Challenge administrative accounts and administrative logon mechanisms
  • Require MFA challenge via Microsoft Authenticator for all users
  • Restrict legacy authentication protocols

This method is available to all licensing tiers but cannot be mixed with existing Conditional Access policies. You can find more information in Azure AD Security Defaults.

Use role-based access control

Access management for cloud resources is critical for any organization that uses the cloud. Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.

Designating groups or individual roles responsible for specific functions in Azure helps avoid confusion that can lead to human and automation errors that create security risks. Restricting access based on the need-to-know and least-privilege security principles is imperative for organizations that want to enforce security policies for data access.

Your security team needs visibility into your Azure resources in order to assess and remediate risk. If the security team has operational responsibilities, they need additional permissions to do their jobs.

You can use Azure RBAC to assign permissions to users, groups, and applications at a certain scope. The scope of a role assignment can be a subscription, a resource group, or a single resource.

Best practice: Segregate duties within your team and grant only the amount of access that users need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or resources, allow only certain actions at a particular scope.
Detail: Use Azure built-in roles to assign privileges to users.

Specific permissions create unneeded complexity and confusion, accumulating into a "legacy" configuration that's difficult to fix without fear of breaking something. Avoid resource-specific permissions. Instead, use management groups for enterprise-wide permissions and resource groups for permissions within subscriptions. Avoid user-specific permissions. Instead, assign access to groups in Azure AD.

Best practice: Grant security teams with Azure responsibilities access to see Azure resources so they can assess and remediate risk.
Detail: Grant security teams the Azure RBAC Security Reader role. You can use the root management group or the segment management group, depending on the scope of responsibilities:

  • Root management group for teams responsible for all enterprise resources
  • Segment management group for teams with limited scope (commonly because of regulatory or other organizational boundaries)

Best practice: Grant the appropriate permissions to security teams that have direct operational responsibilities.
Detail: Review the Azure built-in roles for the appropriate role assignment. If the built-in roles don't meet the specific needs of your organization, you can create Azure custom roles. As with built-in roles, you can assign custom roles to users, groups, and service principals at subscription, resource group, and resource scopes.

Best practice: Grant Azure Security Center access to security roles that need it. Security Center allows security teams to quickly identify and remediate risks.
Detail: Add security teams with these needs to the Azure RBAC Security Admin role so they can view security policies, view security states, edit security policies, view alerts and recommendations, and dismiss alerts and recommendations. You can do this by using the root management group or the segment management group, depending on the scope of responsibilities.

Organizations that don't enforce data access control by using capabilities like Azure RBAC might be giving more privileges than necessary to their users. This can lead to data compromise by allowing users to access types of data (for example, high business impact) that they shouldn't have.

Control locations where resources are created

Enabling cloud operators to perform tasks while preventing them from breaking conventions that are needed to manage your organization's resources is very important. Organizations that want to control the locations where resources are created should hard-code these locations.

You can use Azure Resource Manager to create security policies whose definitions describe the actions or resources that are specifically denied. You assign those policy definitions at the desired scope, such as the subscription, the resource group, or an individual resource.

Security policies are not the same as Azure RBAC. They actually use Azure RBAC to authorize users to create those resources.

Organizations that are not controlling how resources are created are more susceptible to users who might abuse the service by creating more resources than they need. Hardening the resource creation process is an important step to securing a multitenant scenario.
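As an added example (not from the original article), the Az PowerShell script below defines a deny policy whose rule rejects any resource created outside a hard-coded list of regions, and assigns it at management-group scope so every subscription beneath inherits it. The management group id and the region list are assumptions.

```powershell
# Added example: deny resource creation outside an approved list of regions.
# Requires the Az.Resources module. The management group id and the regions
# are placeholders to replace with your own.
Connect-AzAccount

$mgId  = "<management-group-id>"
$scope = "/providers/Microsoft.Management/managementGroups/$mgId"

# Policy rule: deny any resource whose location is not in the parameter list.
# "global" resources and B2C directories carry no regional location, so they
# are excluded from the check instead of being blocked by accident.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "location", "notIn": "[parameters('allowedLocations')]" },
      { "field": "location", "notEquals": "global" },
      { "field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories" }
    ]
  },
  "then": { "effect": "deny" }
}
'@

$parameters = @'
{
  "allowedLocations": {
    "type": "Array",
    "metadata": { "displayName": "Allowed locations", "strongType": "location" }
  }
}
'@

# Mode "Indexed" evaluates resources that have a location; resource groups
# themselves are not covered and need a separate "All"-mode policy.
$definition = New-AzPolicyDefinition -Name "deny-unapproved-locations" `
    -DisplayName "Deny resources outside approved locations" `
    -Mode Indexed -Policy $rule -Parameter $parameters `
    -ManagementGroupName $mgId

# Assign at management-group scope; the region list is hard-coded here,
# as the article recommends, rather than left to each operator.
New-AzPolicyAssignment -Name "deny-unapproved-locations" -Scope $scope `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{ allowedLocations = @("westeurope", "northeurope") }

# Verification in a throwaway resource group: the group itself is created
# (not covered by Indexed mode), but the storage account in "eastus" is
# rejected with a RequestDisallowedByPolicy error.
# New-AzResourceGroup -Name rg-policy-test -Location "eastus"
# New-AzStorageAccount -ResourceGroupName rg-policy-test -Name "<unique-name>" `
#     -Location "eastus" -SkuName Standard_LRS
```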

Use Azure AD for storage authentication

Azure Storage supports authentication and authorization with Azure AD for Blob storage and Queue storage. With Azure AD authentication, you can use Azure role-based access control to grant specific permissions to users, groups, and applications down to the scope of an individual blob container or queue.

We recommend that you use Azure AD for authenticating access to storage.
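The Az PowerShell script below is an added example, not the article's own code, covering both the role-based access control section above and this one: it grants a security team Security Reader (and the operational team Security Admin) at management-group scope, assigns a data-plane blob role on a single container instead of the whole account, and reads the container with an Azure AD token rather than an account key. The group names, management group id, subscription, resource group, storage account and container name are assumptions.

```powershell
# Added example: least-privilege role assignments for security teams.
# Requires the Az.Resources and Az.Storage modules. All angle-bracket
# values and the group/container names are placeholders.
Connect-AzAccount

# 1. Read-only visibility across a segment, or the root management group
#    for a team responsible for all enterprise resources.
$mgId    = "<segment-or-root-management-group-id>"
$mgScope = "/providers/Microsoft.Management/managementGroups/$mgId"

# Assign to groups, never to individual users, so membership changes do not
# require editing role assignments.
$secReaders = Get-AzADGroup -DisplayName "sec-readers"
New-AzRoleAssignment -ObjectId $secReaders.Id `
    -RoleDefinitionName "Security Reader" -Scope $mgScope

# Only the team with operational duties gets the write-capable role.
$secAdmins = Get-AzADGroup -DisplayName "sec-admins"
New-AzRoleAssignment -ObjectId $secAdmins.Id `
    -RoleDefinitionName "Security Admin" -Scope $mgScope

# 2. Data-plane access to blob storage through Azure AD instead of account
#    keys, scoped to one container rather than the storage account.
$subId   = "<subscription-id>"
$rg      = "<resource-group>"
$account = "<storage-account-name>"
$containerScope = "/subscriptions/$subId/resourceGroups/$rg/providers/" +
    "Microsoft.Storage/storageAccounts/$account/blobServices/default/containers/audit-logs"

New-AzRoleAssignment -ObjectId $secReaders.Id `
    -RoleDefinitionName "Storage Blob Data Reader" -Scope $containerScope

# 3. Review what the group can now reach. Any scope beyond the two above
#    points at a stray user-specific or resource-specific assignment.
Get-AzRoleAssignment -ObjectId $secReaders.Id |
    Select-Object RoleDefinitionName, Scope

# 4. A member of sec-readers lists the container with an Azure AD token
#    (-UseConnectedAccount); no storage account key is involved.
$ctx = New-AzStorageContext -StorageAccountName $account -UseConnectedAccount
Get-AzStorageBlob -Container "audit-logs" -Context $ctx
```

Role assignments can take a few minutes to propagate, so a listing attempted immediately after step 2 may still return an authorization error.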

Next step

See Azure security best practices and patterns for more security best practices to use when you're designing, deploying, and managing your cloud solutions by using Azure.