Azure identity management security overview

Identity management is the process of authenticating and authorizing security principals. It also involves controlling information about those principals (identities). Security principals (identities) may include services, applications, users, groups, and so on. Microsoft identity and access management solutions help IT protect access to applications and resources across the corporate datacenter and into the cloud. Such protection enables additional levels of validation, such as Multi-Factor Authentication and Conditional Access policies. Monitoring suspicious activity through advanced security reporting, auditing, and alerting helps mitigate potential security issues. Azure Active Directory Premium provides single sign-on (SSO) to thousands of cloud software as a service (SaaS) apps and access to web apps that you run on-premises.

By taking advantage of the security benefits of Azure Active Directory (Azure AD), you can:

  • Create and manage a single identity for each user across your hybrid enterprise, keeping users, groups, and devices in sync.
  • Provide SSO access to your applications, including thousands of pre-integrated SaaS apps.
  • Enable application access security by enforcing rules-based Multi-Factor Authentication for both on-premises and cloud applications.
  • Provision secure remote access to on-premises web applications through Azure AD Application Proxy.

The goal of this article is to provide an overview of the core Azure security features that help with identity management. We also provide links to articles that give details of each feature so you can learn more.

The article focuses on the following core Azure identity management capabilities:

  • Multi-Factor Authentication
  • Azure role-based access control (Azure RBAC)
  • Security monitoring, alerts, and machine learning-based reports
  • Consumer identity and access management
  • Privileged identity management
  • Identity protection
  • Hybrid identity management/Azure AD Connect
  • Azure AD access reviews

Multi-Factor Authentication

Azure AD Multi-Factor Authentication is a method of authentication that requires the use of more than one verification method and adds a critical second layer of security to user sign-ins and transactions. Multi-Factor Authentication helps safeguard access to data and applications while meeting user demand for a simple sign-in process. It delivers strong authentication via a range of verification options: phone calls, text messages, mobile app notifications or verification codes, and third-party OAuth tokens.

Learn more:

Azure RBAC

Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of resources in Azure. Azure RBAC allows you to granularly control the level of access that users have. For example, you can limit one user to managing only virtual networks and another user to managing all resources in a resource group. Azure includes several built-in roles that you can use. The following list shows four fundamental built-in roles. The first three apply to all resource types.

  • Owner - Has full access to all resources, including the right to delegate access to others.
  • Contributor - Can create and manage all types of Azure resources but can't grant access to others.
  • Reader - Can view existing Azure resources.
  • User Access Administrator - Lets you manage user access to Azure resources.
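To make the scope and role semantics above concrete, here is a small evaluator (an added example, not Microsoft's RBAC engine; the role definitions are simplified from the real built-in ones, and the subscription, resource group, and principal names are constructed) that checks whether a principal's assignments grant an action on a resource, including inheritance from a resource group down to a resource and Contributor's inability to assign roles.

```python
"""Toy evaluator for Azure RBAC scope inheritance and the four fundamental
built-in roles. Added example, not Microsoft code: the role definitions are
simplified from the real built-in ones, and all IDs below are constructed."""
from fnmatch import fnmatchcase

# Simplified Actions / NotActions of the four built-in roles listed above.
# Contributor's NotActions are what stop it from granting access to others.
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": ["Microsoft.Authorization/*/Write",
                        "Microsoft.Authorization/*/Delete",
                        "Microsoft.Authorization/elevateAccess/Action"],
    },
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*"], "not_actions": []},
}

def _matches(patterns, action):
    # Wildcards are case-insensitive and '*' may span '/' segments.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def role_allows(role, action):
    """A role grants an action if Actions match it and NotActions do not."""
    r = ROLES[role]
    return _matches(r["actions"], action) and not _matches(r["not_actions"], action)

def is_allowed(assignments, principal, action, resource_id):
    """assignments: (principal, role, scope). An assignment applies to the
    scope itself and everything beneath it (subscription > resource group >
    resource); these roles define no denies, so any matching grant wins."""
    rid = resource_id.lower().rstrip("/")
    for who, role, scope in assignments:
        s = scope.lower().rstrip("/")
        if who == principal and (rid == s or rid.startswith(s + "/")):
            if role_allows(role, action):
                return True
    return False

# Constructed sample: Alice owns the subscription, Bob can manage one resource
# group, Carol can only read anything in the subscription.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app"
VNET = RG + "/providers/Microsoft.Network/virtualNetworks/vnet-app"
ASSIGNMENTS = [("alice", "Owner", SUB), ("bob", "Contributor", RG),
               ("carol", "Reader", SUB)]
```

Bob's Contributor assignment on the resource group lets him write a virtual network inside it but not create a role assignment there, while Carol's subscription-level Reader role is inherited by every resource below it.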

Learn more:

Security monitoring, alerts, and machine learning-based reports

Security monitoring, alerts, and machine learning-based reports that identify inconsistent access patterns can help you protect your business. You can use Azure AD access and usage reports to gain visibility into the integrity and security of your organization's directory. With this information, a directory administrator can better determine where possible security risks might lie so that they can adequately plan to mitigate those risks.

In the Azure portal, reports fall into the following categories:

  • Anomaly reports: Contain sign-in events that we found to be anomalous. Our goal is to make you aware of such activity and enable you to determine whether an event is suspicious.
  • Integrated Application reports: Provide insights into how cloud applications are being used in your organization. Azure AD offers integration with thousands of cloud applications.
  • Error reports: Indicate errors that might occur when you provision accounts to external applications.
  • User-specific reports: Display device sign-in activity data for a specific user.
  • Activity logs: Contain a record of all audited events within the last 24 hours, last 7 days, or last 30 days, as well as group activity changes and password reset and registration activity.

Learn more:

Consumer identity and access management

Azure AD B2C is a highly available, global identity management service for consumer-facing applications that scales to hundreds of millions of identities. It can be integrated across mobile and web platforms. Your consumers can sign in to all your applications through customizable experiences by using their existing social accounts or by creating new credentials.

In the past, application developers who wanted to sign up customers and sign them in to their applications would have written their own code, and they would have used on-premises databases or systems to store usernames and passwords. Azure AD B2C offers your organization a better way to integrate consumer identity management into applications with the help of a secure, standards-based platform and a large set of extensible policies.

When you use Azure AD B2C, your consumers can sign up for your applications by using their existing social accounts or by creating new credentials (email address and password, or username and password).

Learn more:

Privileged identity management

With Azure AD Privileged Identity Management, you can manage, control, and monitor your privileged identities and their access to resources in Azure AD as well as other Microsoft online services, such as Microsoft 365 and Microsoft Intune.

Users sometimes need to carry out privileged operations on Azure or Microsoft 365 resources, or in other SaaS apps. This need often means that organizations have to give users permanent privileged access in Azure AD. Such access is a growing security risk for cloud-hosted resources, because organizations can't sufficiently monitor what those users are doing with their administrator privileges. Additionally, if a user account with privileged access is compromised, that one breach could affect the organization's overall cloud security. Azure AD Privileged Identity Management helps to mitigate this risk.

With Azure AD Privileged Identity Management, you can:

  • See which users are Azure AD administrators.
  • Enable on-demand, just-in-time (JIT) administrative access to Microsoft services such as Microsoft 365 and Intune.
  • Get reports about administrator access history and changes in administrator assignments.
  • Get alerts about access to a privileged role.

Learn more:

Identity protection

Azure AD Identity Protection is a security service that provides a consolidated view into risk detections and potential vulnerabilities that affect your organization's identities. Identity Protection takes advantage of existing Azure AD anomaly-detection capabilities, which are available through Azure AD Anomalous Activity reports. Identity Protection also introduces new risk detection types that can detect anomalies in real time.

Hybrid identity management/Azure AD Connect

Microsoft's identity solutions span on-premises and cloud-based capabilities, creating a single user identity for authentication and authorization to all resources, regardless of location. We call this hybrid identity. Azure AD Connect is the Microsoft tool designed to meet and accomplish your hybrid identity goals. It allows you to provide a common identity for your users for Microsoft 365, Azure, and SaaS applications integrated with Azure AD. It provides the following features:

  • Synchronization
  • AD FS and federation integration
  • Pass-through authentication
  • Health monitoring

Learn more:

Azure AD access reviews

Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and privileged role assignments.

Learn more: