
How to: Block legacy authentication to Azure AD with Conditional Access

To give your users easy access to your cloud apps, Azure Active Directory (Azure AD) supports a broad variety of authentication protocols, including legacy authentication. However, legacy protocols don't support multi-factor authentication (MFA). In many environments, MFA is a common requirement for addressing identity theft.

If your environment is ready to block legacy authentication to improve your tenant's protection, you can accomplish this goal with Conditional Access. This article explains how to configure Conditional Access policies that block legacy authentication for your tenant.

Prerequisites

This article assumes that you are familiar with:

Scenario description

Azure AD supports several of the most widely used authentication and authorization protocols, including legacy authentication. Legacy authentication refers to protocols that use basic authentication. Typically, these protocols can't enforce any type of second-factor authentication. Examples of apps that are based on legacy authentication are:

  • Older Microsoft Office apps
  • Apps using mail protocols like POP, IMAP, and SMTP

Single-factor authentication (for example, username and password) is not enough these days. Passwords are easy to guess, and we (humans) are bad at choosing good ones. Passwords are also vulnerable to a variety of attacks, such as phishing and password spray. One of the easiest things you can do to protect against password threats is to implement MFA. With MFA, even if an attacker gets hold of a user's password, the password alone is not sufficient to successfully authenticate and access the data.

How can you prevent apps that use legacy authentication from accessing your tenant's resources? The recommendation is to block them with a Conditional Access policy. If necessary, you can allow only certain users and specific network locations to use apps that are based on legacy authentication.

Conditional Access policies are enforced after the first-factor authentication has been completed. Therefore, Conditional Access is not intended as a first line of defense for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events (for example, the sign-in risk level, the location of the request, and so on) to determine access.

Implementation

This section explains how to configure a Conditional Access policy to block legacy authentication.

Identify legacy authentication use

Before you can block legacy authentication in your directory, you first need to understand whether your users have apps that use legacy authentication and how blocking it would affect your overall directory. The Azure AD sign-in logs show whether legacy authentication is in use.

  1. Navigate to the Azure portal > Azure Active Directory > Sign-ins.
  2. Add the Client App column if it is not shown by clicking Columns > Client App.
  3. Click Add filters > Client App > select all of the options for Other clients, and click Apply.

The filter shows only sign-in attempts that were made by legacy authentication protocols. Clicking an individual sign-in attempt shows additional details. The Client App field under the Basic Info tab indicates which legacy authentication protocol was used.

These logs indicate which users still depend on legacy authentication and which applications use legacy protocols to make authentication requests. For users that do not appear in these logs and are confirmed not to be using legacy authentication, implement a Conditional Access policy for those users only.
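The same triage can be done offline against an exported copy of the sign-in log. The following script is an added example, not part of the original article: it takes a constructed sample of sign-in records (the field names mirror the sign-in log export, but the values are invented), treats every Client App value other than the two modern-authentication ones as legacy (the page's "Other clients" bucket plus Exchange ActiveSync), and lists the users who showed no legacy sign-ins and are therefore candidates for the first, narrowly scoped policy.

```python
import json
from collections import defaultdict

# Constructed sample of sign-in log records (not real data). Only the fields
# this script uses are included; a real export carries many more.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "IMAP4", "createdDateTime": "2020-03-02T08:14:05Z"},
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Browser", "createdDateTime": "2020-03-02T09:01:11Z"},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Authenticated SMTP", "createdDateTime": "2020-03-02T10:30:00Z"},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Office 365 SharePoint Online",
     "clientAppUsed": "Mobile Apps and Desktop clients", "createdDateTime": "2020-03-02T11:45:19Z"},
    {"userPrincipalName": "roomphone@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Exchange ActiveSync", "createdDateTime": "2020-03-02T12:00:00Z"},
]

# Client App values that mean modern authentication was used. Everything else
# (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, ...) is basic auth.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}


def is_legacy(record):
    """True when the sign-in used a legacy (basic-auth) protocol."""
    return record.get("clientAppUsed") not in MODERN_CLIENT_APPS


def summarize_legacy_use(records):
    """Return {user: {clientApp: count}} covering only legacy-auth sign-ins.

    This is the 'who still depends on it, and through which protocol' view the
    article asks you to build before writing a blocking policy.
    """
    summary = defaultdict(lambda: defaultdict(int))
    for r in records:
        if is_legacy(r):
            summary[r["userPrincipalName"]][r["clientAppUsed"]] += 1
    return {user: dict(apps) for user, apps in summary.items()}


def users_safe_to_block(records):
    """Users seen in the logs with no legacy sign-ins: the initial policy scope."""
    all_users = {r["userPrincipalName"] for r in records}
    legacy_users = set(summarize_legacy_use(records))
    return sorted(all_users - legacy_users)


if __name__ == "__main__":
    print(json.dumps(summarize_legacy_use(SAMPLE_SIGNINS), indent=2))
    print("safe to block first:", users_safe_to_block(SAMPLE_SIGNINS))
```

Point the script at a real export by replacing SAMPLE_SIGNINS with the parsed file; accounts such as the conference-room phone above will then stand out as the service accounts the deployment section tells you to exclude.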

Block legacy authentication

In a Conditional Access policy, you can set a condition that is tied to the client apps used to access your resources. The client apps condition lets you narrow the scope to apps that use legacy authentication by selecting Other clients under Mobile apps and desktop clients.

[Screenshot: Other clients]

To block access for these apps, select Block access.

[Screenshot: Block access]

Select users and cloud apps

If you want to block legacy authentication for your organization, you might expect to accomplish this by selecting:

  • All users
  • All cloud apps
  • Block access

[Screenshot: Assignments]

Azure has a safety feature that prevents you from creating a policy like this, because this configuration violates the best practices for Conditional Access policies.

[Screenshot: Policy configuration not supported]

The safety feature is necessary because blocking all users and all cloud apps has the potential to lock your entire organization out of your tenant. You must exclude at least one user to satisfy the minimal best-practice requirement. You could also exclude a directory role.

[Screenshot: Policy configuration not supported]

You can satisfy this safety feature by excluding one user from your policy. Ideally, you should define a few emergency-access administrative accounts in Azure AD and exclude them from the policy.

Policy deployment

Before you put your policy into production, take care of the following:

  • Service accounts - Identify user accounts that are used as service accounts or by devices, such as conference room phones. Make sure these accounts have strong passwords and add them to an excluded group.
  • Sign-in reports - Review the sign-in report and look for Other clients traffic. Identify the top usage and investigate why it is in use. Usually, the traffic is generated by older Office clients that do not use modern authentication, or by some third-party mail apps. Make a plan to move usage away from these apps, or, if the impact is low, notify your users that they can no longer use these apps.

For more information, see How should you deploy a new policy?

What you should know

Blocking access using Other clients also blocks Exchange Online PowerShell and Dynamics 365 when they use basic authentication.

Configuring a policy for Other clients blocks the entire organization from certain clients, such as SPConnect. This block happens because older clients authenticate in unexpected ways. The issue doesn't apply to major Office applications, such as the older Office clients.

It can take up to 24 hours for the policy to take effect.

You can select all available grant controls for the Other clients condition; however, the end-user experience is always the same: blocked access.

If you block legacy authentication using the Other clients condition, you can also set the device platform and location conditions. For example, if you only want to block legacy authentication for mobile devices, set the device platforms condition by selecting:

  • Android
  • iOS
  • Windows Phone
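The portal settings walked through above (Other clients, Block access, All users and All cloud apps with excluded emergency-access accounts, and optionally the device platforms condition) map onto a single Conditional Access policy object. The script below is an added example, not code from the article or from Microsoft: it assumes the Microsoft Graph conditionalAccessPolicy resource shape (clientAppTypes "other" for the portal's Other clients, builtInControls "block", platform names android/iOS/windowsPhone), uses placeholder object IDs for the emergency-access accounts, and re-implements the portal's safety check so the lockout-prone configuration is rejected before anything is submitted.

```python
import json

# Placeholder object IDs for the emergency-access ("break glass") accounts the
# article recommends defining; replace with your own directory object IDs.
EMERGENCY_ACCESS_USER_IDS = [
    "00000000-0000-0000-0000-00000000be01",
    "00000000-0000-0000-0000-00000000be02",
]


def build_block_legacy_auth_policy(exclude_user_ids, exclude_role_ids=(),
                                   platforms=None, report_only=True):
    """Return a policy body in the Graph conditionalAccessPolicy shape (assumed)."""
    conditions = {
        "users": {
            "includeUsers": ["All"],
            "excludeUsers": list(exclude_user_ids),
            "excludeRoles": list(exclude_role_ids),
        },
        "applications": {"includeApplications": ["All"]},
        # "other" corresponds to the portal's "Other clients" option
        "clientAppTypes": ["other"],
    }
    if platforms:  # e.g. ["android", "iOS", "windowsPhone"] to scope to mobile only
        conditions["platforms"] = {"includePlatforms": list(platforms)}
    return {
        "displayName": "Block legacy authentication",
        # Report-only first: sign-in logs then show what would have been blocked.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": conditions,
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def lockout_risk(policy):
    """Mirror the portal's safety feature: block + all users + all apps with no
    excluded user or role could lock the whole tenant out. Returns problems found."""
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    blocks = "block" in policy.get("grantControls", {}).get("builtInControls", [])
    no_exclusions = not users.get("excludeUsers") and not users.get("excludeRoles")
    if blocks and users.get("includeUsers") == ["All"] \
            and apps.get("includeApplications") == ["All"] and no_exclusions:
        return ["policy blocks all users on all apps with no excluded user or role"]
    return []


if __name__ == "__main__":
    policy = build_block_legacy_auth_policy(EMERGENCY_ACCESS_USER_IDS)
    assert not lockout_risk(policy), lockout_risk(policy)
    print(json.dumps(policy, indent=2))
```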


Next steps