
Azure Active Directory feature deployment guide

It can seem daunting to deploy Azure Active Directory (Azure AD) for your organization and keep it secure. This article identifies common tasks that customers find helpful to complete in phases, over the course of 30, 60, 90 days, or more, to enhance their security posture. Even organizations that have already deployed Azure AD can use this guide to ensure they are getting the most out of their investment.

A well-planned and executed identity infrastructure paves the way for secure access to your productivity workloads and data by known users and devices only.

Additionally, customers can check their identity secure score to see how aligned they are with Microsoft best practices. Check your secure score before and after implementing these recommendations to see how well you are doing compared to others in your industry and to other organizations of your size.

Prerequisites

Many of the recommendations in this guide can be implemented with Azure AD Free, Basic, or no license at all. Where licenses are required, we state which license is required at minimum to accomplish the task.

Additional information about licensing can be found on the following pages:

Phase 1: Build a foundation of security

In this phase, administrators enable baseline security features to create a more secure and easy-to-use foundation in Azure AD before normal user accounts are imported or created. This foundational phase ensures you are in a more secure state from the start and that your end users only have to be introduced to new concepts one time.

| Task | Detail | Required license |
|---|---|---|
| Designate more than one global administrator | Assign at least two cloud-only permanent global administrator accounts for use if there is an emergency. These accounts are not used daily and should have long and complex passwords. | Azure AD Free |
| Use non-global administrative roles where possible | Give your administrators only the access they need, to only the areas they need access to. Not all administrators need to be global administrators. | Azure AD Free |
| Enable Privileged Identity Management for tracking admin role use | Enable Privileged Identity Management to start tracking administrative role usage. | Azure AD Premium P2 |
| Roll out self-service password reset | Reduce helpdesk calls for password resets by allowing staff to reset their own passwords using policies you, as an administrator, control. | Azure AD Basic |
| Create an organization-specific custom banned password list | Prevent users from creating passwords that include common words or phrases from your organization or area. | Azure AD Basic |
| Enable on-premises integration with Azure AD password protection | Extend the banned password list to your on-premises directory, to ensure passwords set on-premises also comply with the global and tenant-specific banned password lists. | Azure AD Premium P1 |
| Enable Microsoft's password guidance | Stop requiring users to change their password on a set schedule and disable complexity requirements; your users are then more apt to remember their passwords and keep them secure. | Azure AD Free |
| Disable periodic password resets for cloud-based user accounts | Periodic password resets encourage your users to increment their existing passwords. Use the guidelines in Microsoft's password guidance doc and mirror your on-premises policy to cloud-only users. | Azure AD Free |
| Customize Azure Active Directory smart lockout | Stop lockouts of cloud-based users from being replicated to on-premises Active Directory users. | Azure AD Basic |
| Enable Extranet Smart Lockout for AD FS | AD FS extranet lockout protects against brute-force password guessing attacks, while letting valid AD FS users continue to use their accounts. | |
| Deploy Azure AD Multi-Factor Authentication using Conditional Access policies | Require users to perform two-step verification when accessing sensitive applications, using Conditional Access policies. | Azure AD Premium P1 |
| Enable Azure Active Directory Identity Protection | Enable tracking of risky sign-ins and compromised credentials for users in your organization. | Azure AD Premium P2 |
| Use risk events to trigger multi-factor authentication and password changes | Enable automation that can trigger events such as multi-factor authentication, password reset, and blocking of sign-ins based on risk. | Azure AD Premium P2 |
| Enable converged registration for self-service password reset and Azure AD Multi-Factor Authentication (preview) | Allow your users to register from one common experience for both Azure Multi-Factor Authentication and self-service password reset. | Azure AD Premium P1 |
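The first Phase 1 task (at least two cloud-only, permanent global administrators for emergencies) can be verified against a role-membership export. The example below is added here and is not Microsoft's code; the records are constructed sample data shaped like Microsoft Graph user objects, and the `assignment` field ("permanent" versus PIM "eligible") is an assumed attribute a real export would need to carry.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RoleMember:
    upn: str
    role: str
    on_prem_synced: bool   # Graph user property onPremisesSyncEnabled
    enabled: bool          # Graph user property accountEnabled
    assignment: str        # assumed field: "permanent" or "eligible" (PIM)

# Constructed sample export; not real tenant data.
SAMPLE = [
    RoleMember("breakglass1@contoso.example", "Global Administrator", False, True, "permanent"),
    RoleMember("breakglass2@contoso.example", "Global Administrator", False, True, "permanent"),
    RoleMember("alice@contoso.example", "Global Administrator", True, True, "permanent"),  # synced from AD
    RoleMember("bob@contoso.example", "Global Administrator", False, True, "eligible"),    # PIM-eligible only
    RoleMember("carol@contoso.example", "User Administrator", False, True, "permanent"),
]

def emergency_global_admins(members):
    """Cloud-only, enabled, permanently assigned Global Administrators: the
    accounts that still work when sync, federation, or PIM activation is broken."""
    return sorted(m.upn for m in members
                  if m.role == "Global Administrator"
                  and not m.on_prem_synced and m.enabled
                  and m.assignment == "permanent")

def check_emergency_access(members, minimum=2):
    """Phase 1 check: at least `minimum` emergency accounts exist, plus the
    reasons why other Global Administrators do not count toward that minimum."""
    qualifying = emergency_global_admins(members)
    excluded = {}
    for m in members:
        if m.role != "Global Administrator" or m.upn in qualifying:
            continue
        reasons = []
        if m.on_prem_synced:
            reasons.append("synced from on-premises AD")
        if not m.enabled:
            reasons.append("disabled")
        if m.assignment != "permanent":
            reasons.append("PIM-eligible, not permanent")
        excluded[m.upn] = reasons
    return {"ok": len(qualifying) >= minimum,
            "emergency_accounts": qualifying,
            "excluded": excluded}

if __name__ == "__main__":
    print(check_emergency_access(SAMPLE))
```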

Phase 2: Import users, enable synchronization, and manage devices

Next, we add to the foundation laid in phase 1 by importing our users and enabling synchronization, planning for guest access, and preparing to support additional functionality.

| Task | Detail | Required license |
|---|---|---|
| Install Azure AD Connect | Prepare to synchronize users from your existing on-premises directory to the cloud. | Azure AD Free |
| Implement Password Hash Sync | Synchronize password hashes to allow password changes to be replicated, bad passwords to be detected and remediated, and leaked credentials to be reported. | Azure AD Free |
| Implement Password Writeback | Allow password changes in the cloud to be written back to an on-premises Windows Server Active Directory environment. | Azure AD Premium P1 |
| Implement Azure AD Connect Health | Enable monitoring of key health statistics for your Azure AD Connect servers, AD FS servers, and domain controllers. | Azure AD Premium P1 |
| Assign licenses to users by group membership in Azure Active Directory | Save time and effort by creating licensing groups that enable or disable features by group instead of setting them per user. | |
| Create a plan for guest user access | Collaborate with guest users by letting them sign in to your apps and services with their own work, school, or social identities. | Azure AD B2B licensing guidance |
| Decide on a device management strategy | Decide what your organization allows regarding devices. This includes registering versus joining, and bring-your-own-device versus company-provided devices. | |
| Deploy Windows Hello for Business in your organization | Prepare for password-less authentication using Windows Hello. | |

Phase 3: Manage applications

As we continue to build on the previous phases, we identify candidate applications for migration and integration with Azure AD and complete the setup of those applications.

| Task | Detail | Required license |
|---|---|---|
| Identify your applications | Identify applications in use in your organization: on-premises applications, SaaS applications in the cloud, and other line-of-business applications. Determine whether these applications can, and should, be managed with Azure AD. | No license required |
| Integrate supported SaaS applications in the gallery | Azure AD has a gallery that contains thousands of pre-integrated applications. Some of the applications your organization uses are probably in the gallery, which is accessible directly from the Azure portal. | Azure AD Free |
| Use Application Proxy to integrate on-premises applications | Application Proxy enables users to access on-premises applications by signing in with their Azure AD account. | Azure AD Basic |

Phase 4: Audit privileged identities, complete an access review, and manage user lifecycle

In phase 4, administrators enforce least-privilege principles for administration, complete their first access reviews, and enable automation of common user lifecycle tasks.

| Task | Detail | Required license |
|---|---|---|
| Enforce the use of Privileged Identity Management | Remove administrative roles from normal day-to-day user accounts. Make administrative users eligible to use their role only after passing a multi-factor authentication check, providing a business justification, or requesting approval from designated approvers. | Azure AD Premium P2 |
| Complete an access review for Azure AD directory roles in PIM | Work with your security and leadership teams to create an access review policy that reviews administrative access based on your organization's policies. | Azure AD Premium P2 |
| Implement dynamic group membership policies | Use dynamic groups to automatically assign users to groups based on their attributes from HR (or your source of truth), such as department, title, region, and other attributes. | |
| Implement group-based application provisioning | Use group-based access management provisioning to automatically provision users for SaaS applications. | |
| Automate user provisioning and deprovisioning | Remove manual steps from your employee account lifecycle to prevent unauthorized access. Synchronize identities from your source of truth (HR system) to Azure AD. | |

Next steps

Azure AD licensing and pricing details

Identity and device access configurations

Common recommended identity and device access policies