
Azure Active Directory Authentication management operations reference guide

This section of the Azure AD operations reference guide describes the checks and actions you should take to secure and manage credentials, define the authentication experience, delegate assignment, measure usage, and define access policies based on enterprise security posture.

Note

These recommendations are current as of the date of publishing but can change over time. Organizations should continuously evaluate their identity practices as Microsoft products and services evolve over time.

Key operational processes

Assign owners to key tasks

Managing Azure Active Directory requires the continuous execution of key operational tasks and processes, which may not be part of a rollout project. It is still important that you set up these tasks to optimize your environment. The key tasks and their recommended owners include:

| Task | Owner |
| --- | --- |
| Manage lifecycle of single sign-on (SSO) configuration in Azure AD | IAM Operations Team |
| Design Conditional Access policies for Azure AD applications | InfoSec Architecture Team |
| Archive sign-in activity in a SIEM system | InfoSec Operations Team |
| Archive risk events in a SIEM system | InfoSec Operations Team |
| Triage and investigate security reports | InfoSec Operations Team |
| Triage and investigate risk events | InfoSec Operations Team |
| Triage and investigate users flagged for risk and vulnerability reports from Azure AD Identity Protection | InfoSec Operations Team |

Note

Azure AD Identity Protection requires an Azure AD Premium P2 license. To find the right license for your requirements, see Comparing generally available features of the Azure AD Free and Azure AD Premium editions.

As you review your list, you may find that you need to either assign an owner for tasks that are missing one, or adjust ownership for tasks whose owners aren't aligned with the recommendations above.

Credentials management

Password policies

Managing passwords securely is one of the most critical parts of identity and access management and often the biggest target of attacks. Azure AD supports several features that can help prevent an attack from being successful.

Use the table below to find the recommended solution for mitigating the issue that needs to be addressed:

| Issue | Recommendation |
| --- | --- |
| No mechanism to protect against weak passwords | Enable Azure AD self-service password reset (SSPR) and password protection |
| No mechanism to detect leaked passwords | Enable password hash sync (PHS) to gain insights |
| Using AD FS and unable to move to managed authentication | Enable AD FS Extranet Smart Lockout and/or Azure AD Smart Lockout |
| Password policy uses complexity-based rules such as length, multiple character sets, or expiration | Reconsider in favor of Microsoft recommended practices, switch your approach to password management, and deploy Azure AD password protection |
| Users aren't registered to use multi-factor authentication (MFA) | Register all users' security information so it can be used as a mechanism to verify the user's identity along with their password |
| There is no revocation of passwords based on user risk | Deploy Azure AD Identity Protection user risk policies to force password changes on leaked credentials using SSPR |
| There is no smart lockout mechanism to protect against malicious authentication from bad actors coming from identified IP addresses | Deploy cloud-managed authentication with either password hash sync or pass-through authentication (PTA) |

Enable self-service password reset and password protection

Users needing to change or reset their passwords are one of the biggest sources of help desk call volume and cost. In addition to cost, changing the password as a tool to mitigate a user risk is a fundamental step in improving the security posture of your organization.

At a minimum, it is recommended that you deploy Azure AD self-service password reset (SSPR) and on-premises password protection to accomplish the following:

  • Deflect help desk calls.
  • Replace the use of temporary passwords.
  • Replace any existing self-service password management solution that relies on an on-premises solution.
  • Eliminate weak passwords in your organization.

Note

For organizations with an Azure AD Premium P2 subscription, it is recommended to deploy SSPR and use it as part of an Identity Protection user risk policy.

Strong credential management

Passwords by themselves aren't secure enough to prevent bad actors from gaining access to your environment. At a minimum, any user with a privileged account must be enabled for multi-factor authentication (MFA). Ideally, you should enable combined registration and require all users to register for MFA and SSPR using the combined registration experience. Eventually, we recommend you adopt a strategy to provide resilience to reduce the risk of lockout due to unforeseen circumstances.

(Figure: combined registration user experience flow)

On-premises outage authentication resiliency

In addition to the benefits of simplicity and enabling leaked credential detection, Azure AD Password Hash Sync (PHS) and Azure AD MFA allow users to access SaaS applications and Microsoft 365 in spite of on-premises outages due to cyberattacks such as NotPetya. It is also possible to enable PHS in conjunction with federation. Enabling PHS allows a fallback of authentication when federation services aren't available.

If your on-premises organization is lacking an outage resiliency strategy or has one that isn't integrated with Azure AD, you should deploy Azure AD PHS and define a disaster recovery plan that includes PHS. Enabling Azure AD PHS will allow users to authenticate against Azure AD should your on-premises Active Directory be unavailable.

(Figure: password hash sync flow)

To better understand your authentication options, see Choose the right authentication method for your Azure Active Directory hybrid identity solution.

Programmatic usage of credentials

Azure AD scripts using PowerShell or applications using the Microsoft Graph API require secure authentication. Poor credential management when executing those scripts and tools increases the risk of credential theft. If you are using scripts or applications that rely on hard-coded passwords or password prompts, you should first review the passwords in config files or source code, then replace those dependencies and use Azure Managed Identities, Integrated Windows Authentication, or certificates whenever possible. For applications where the previous solutions aren't possible, consider using Azure Key Vault.

If you determine that there are service principals with password credentials and you're unsure how those password credentials are secured by scripts or applications, contact the owner of the application to better understand usage patterns.

Microsoft also recommends you contact application owners to understand usage patterns if there are service principals with password credentials.

Authentication experience

On-premises authentication

Federated authentication with Integrated Windows Authentication (IWA), or managed authentication with Seamless Single Sign-On (SSO) using password hash sync or pass-through authentication, provides the best user experience when inside the corporate network with line-of-sight to on-premises domain controllers. It minimizes credential prompt fatigue and reduces the risk of users falling prey to phishing attacks. If you are already using cloud-managed authentication with PHS or PTA, but users still need to type in their password when authenticating on-premises, then you should immediately deploy Seamless SSO. On the other hand, if you are currently federated with plans to eventually migrate to cloud-managed authentication, then you should implement Seamless SSO as part of the migration project.

Device trust access policies

Like a user in your organization, a device is a core identity you want to protect. You can use a device's identity to protect your resources at any time and from any location. Authenticating the device and accounting for its trust type improves your security posture and usability by:

You can carry out this goal by bringing device identities into Azure AD and managing them there by using one of the following methods:

  • Organizations can use Microsoft Intune to manage the device and enforce compliance policies, attest device health, and set Conditional Access policies based on whether the device is compliant. Microsoft Intune can manage iOS devices, Mac desktops (via JAMF integration), Windows desktops (natively using Mobile Device Management for Windows 10, and co-management with Microsoft Endpoint Configuration Manager), and Android mobile devices.
  • Hybrid Azure AD join provides management with Group Policy or Microsoft Endpoint Configuration Manager in an environment with Active Directory domain-joined computers. Organizations can deploy a managed environment either through PHS or PTA with Seamless SSO. Bringing your devices to Azure AD maximizes user productivity through SSO across your cloud and on-premises resources while enabling you to secure access to your cloud and on-premises resources with Conditional Access at the same time.

If you have domain-joined Windows devices that aren't registered in the cloud, or domain-joined Windows devices that are registered in the cloud but without Conditional Access policies, then you should register the unregistered devices and, in either case, use Hybrid Azure AD join as a control in your Conditional Access policies.

(Figure: screenshot of the grant control in a Conditional Access policy requiring hybrid Azure AD joined devices)

If you are managing devices with MDM or Microsoft Intune, but not using device controls in your Conditional Access policies, then we recommend using "Require device to be marked as compliant" as a control in those policies.

(Figure: screenshot of the grant control in a Conditional Access policy requiring device compliance)

Windows Hello for Business

In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs. Windows Hello for Business enables a more streamlined MFA experience for users and reduces your dependency on passwords. If you haven't begun rolling out Windows 10 devices, or have only partially deployed them, we recommend you upgrade to Windows 10 and enable Windows Hello for Business on all devices.

If you would like to learn more about passwordless authentication, see A world without passwords with Azure Active Directory.

Application authentication and assignment

Single sign-on for apps

Providing a standardized single sign-on mechanism to the entire enterprise is crucial for the best user experience, reduction of risk, ability to report, and governance. If you are using applications that support SSO with Azure AD but are currently configured to use local accounts, you should reconfigure those applications to use SSO with Azure AD. Likewise, if you are using any applications that support SSO with Azure AD but are using another identity provider, you should reconfigure those applications to use SSO with Azure AD as well. For applications that don't support federation protocols but do support forms-based authentication, we recommend you configure the application to use password vaulting with Azure AD Application Proxy.

(Figure: Application Proxy password-based sign-on)

Note

If you don't have a mechanism to discover unmanaged applications in your organization, we recommend implementing a discovery process using a cloud access security broker (CASB) solution such as Microsoft Cloud App Security.

Finally, if you have an Azure AD app gallery and use applications that support SSO with Azure AD, we recommend listing the application in the app gallery.

Migration of AD FS applications to Azure AD

Migrating apps from AD FS to Azure AD enables additional capabilities on security, more consistent manageability, and a better collaboration experience. If you have applications configured in AD FS that support SSO with Azure AD, then you should reconfigure those applications to use SSO with Azure AD. If you have applications configured in AD FS with uncommon configurations unsupported by Azure AD, you should contact the app owners to understand if the special configuration is an absolute requirement of the application. If it isn't required, then you should reconfigure the application to use SSO with Azure AD.

(Figure: Azure AD as the primary identity provider)

Note

Azure AD Connect Health for AD FS can be used to collect configuration details about each application that can potentially be migrated to Azure AD.

Assign users to applications

Assigning users to applications is best mapped by using groups because they allow greater flexibility and ability to manage at scale. The benefits of using groups include attribute-based dynamic group membership and delegation to app owners. Therefore, if you are already using and managing groups, we recommend you take the following actions to improve management at scale:

  • Delegate group management and governance to application owners.
  • Allow self-service access to the application.
  • Define dynamic groups if user attributes can consistently determine access to applications.
  • Implement attestation to groups used for application access using Azure AD access reviews.

On the other hand, if you find applications that have assignment to individual users, be sure to implement governance around those applications.

Access policies

Named locations

With named locations in Azure AD, you can label trusted IP address ranges in your organization. Azure AD uses named locations to:

(Figure: named locations)

Based on priority, use the table below to find the recommended solution that best meets your organization's needs:

| Priority | Scenario | Recommendation |
| --- | --- | --- |
| 1 | If you use PHS or PTA and named locations haven't been defined | Define named locations to improve detection of risk events |
| 2 | If you are federated, don't use the "insideCorporateNetwork" claim, and named locations haven't been defined | Define named locations to improve detection of risk events |
| 3 | If you don't use named locations in Conditional Access policies and there are no risk or device controls in Conditional Access policies | Configure the Conditional Access policy to include named locations |
| 4 | If you are federated, do use the "insideCorporateNetwork" claim, and named locations haven't been defined | Define named locations to improve detection of risk events |
| 5 | If you are using trusted IP addresses with MFA rather than named locations and marking them as trusted | Define named locations and mark them as trusted to improve detection of risk events |

Risk-based access policies

Azure AD can calculate the risk for every sign-in and every user. Using risk as a criterion in access policies can provide a better user experience (for example, fewer authentication prompts) and better security (for example, only prompting users when they are needed), and automate the response and remediation.

(Figure: sign-in risk policy)

If you already own Azure AD Premium P2 licenses that support using risk in access policies, but they aren't being used, we highly recommend adding risk to your security posture.

Client application access policies

Microsoft Intune Application Management (MAM) provides the ability to push data protection controls such as storage encryption, PIN, remote storage cleanup, etc. to compatible client mobile applications such as Outlook Mobile. In addition, Conditional Access policies can be created to restrict access to cloud services such as Exchange Online from approved or compatible apps.

If your employees install MAM-capable applications such as Office mobile apps to access corporate resources such as Exchange Online or SharePoint Online, and you also support BYOD (bring your own device), we recommend you deploy application MAM policies to manage the application configuration in personally owned devices without MDM enrollment, and then update your Conditional Access policies to only allow access from MAM-capable clients.

(Figure: Conditional Access grant controls)

Should employees install MAM-capable applications against corporate resources and access is restricted on Intune-managed devices, then you should consider deploying application MAM policies to manage the application configuration for personal devices, and update Conditional Access policies to only allow access from MAM-capable clients.

Conditional Access implementation

Conditional Access is an essential tool for improving the security posture of your organization. Therefore, it is important that you follow these best practices:

  • Ensure that all SaaS applications have at least one policy applied
  • Avoid combining the All apps filter with the block control, to avoid lockout risk
  • Avoid using All users as a filter and inadvertently adding guests
  • Migrate all "legacy" policies to the Azure portal
  • Catch all criteria for users, devices, and applications
  • Use Conditional Access policies to implement MFA, rather than using per-user MFA
  • Have a small set of core policies that can apply to multiple applications
  • Define empty exception groups and add them to the policies to have an exception strategy
  • Plan for break glass accounts without MFA controls
  • Ensure a consistent experience across Microsoft 365 client applications (for example, Teams, OneDrive, Outlook, etc.) by implementing the same set of controls for services such as Exchange Online and SharePoint Online
  • Assignment to policies should be implemented through groups, not individuals
  • Do regular reviews of the exception groups used in policies to limit the time users are out of the security posture. If you own Azure AD P2, then you can use access reviews to automate the process
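Several of the practices above can be checked mechanically before a policy is enabled. The following linter is an added example, not code from the original article: it models policies on the conditionalAccessPolicy shape used by Microsoft Graph and flags the "All apps plus block", "All users without excluding guests", missing break-glass and exception group exclusions, individual assignment, and uncovered-app cases. The group and app ids are placeholders, the "GuestsOrExternalUsers" exclusion value is an assumption, and the sample policies are constructed.

```python
"""Lint Conditional Access policies against the best practices listed above.

Added example; it is not code from the original article. Policies are
modelled on the conditionalAccessPolicy shape used by Microsoft Graph
(conditions.users, conditions.applications, grantControls.builtInControls,
state). The group and app ids are assumed placeholders, the
"GuestsOrExternalUsers" exclusion value is an assumption, and the
sample policies are constructed.
"""

# Assumed placeholder object ids (not real tenant values).
BREAK_GLASS_GROUP = "00000000-0000-0000-0000-00000000bg01"
EXCEPTION_GROUP = "00000000-0000-0000-0000-00000000ex01"
APP_A = "aaaaaaaa-0000-0000-0000-000000000001"
APP_B = "aaaaaaaa-0000-0000-0000-000000000002"
APP_C = "aaaaaaaa-0000-0000-0000-000000000003"

# Values that may appear in includeUsers without naming an individual.
SPECIAL_USER_VALUES = {"All", "None", "GuestsOrExternalUsers"}

SAMPLE_POLICIES = [
    {   # Follows the guidance: MFA, guests excluded, break-glass and exception groups excluded.
        "displayName": "Require MFA for core apps",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": ["GuestsOrExternalUsers"],
                      "excludeGroups": [BREAK_GLASS_GROUP, EXCEPTION_GROUP]},
            "applications": {"includeApplications": [APP_A, APP_B]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Lockout risk: All apps with block, nobody excluded. Linted even while disabled.
        "displayName": "Block everything",
        "state": "disabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # Assigned to an individual user instead of a group; no exception group.
        "displayName": "Finance app MFA",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["11111111-1111-1111-1111-111111111111"],
                      "excludeUsers": [], "excludeGroups": [BREAK_GLASS_GROUP]},
            "applications": {"includeApplications": [APP_B]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


def lint_policy(policy):
    """Return the best-practice findings for one policy (empty list = clean)."""
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"].get("includeApplications", [])
    controls = set(policy.get("grantControls", {}).get("builtInControls", []))
    include_users = users.get("includeUsers", [])
    exclude_users = users.get("excludeUsers", [])
    exclude_groups = users.get("excludeGroups", [])
    findings = []
    if "All" in apps and "block" in controls:
        findings.append("All apps combined with the block control: lockout risk")
    if "All" in include_users and "GuestsOrExternalUsers" not in exclude_users:
        findings.append("All users included without excluding guests")
    if BREAK_GLASS_GROUP not in exclude_groups:
        findings.append("break-glass group is not excluded")
    if EXCEPTION_GROUP not in exclude_groups:
        findings.append("exception group is not excluded: no exception strategy")
    if any(u not in SPECIAL_USER_VALUES for u in include_users):
        findings.append("assigned to individual users instead of groups")
    return findings


def lint_all(policies, app_ids):
    """Lint every policy and list apps that no enabled policy covers."""
    report = {p["displayName"]: lint_policy(p) for p in policies}
    covered = set()
    for p in policies:
        if p.get("state") != "enabled":
            continue  # disabled or report-only policies protect nothing
        inc = p["conditions"]["applications"].get("includeApplications", [])
        covered |= set(app_ids) if "All" in inc else set(inc)
    report["uncovered apps"] = [a for a in app_ids if a not in covered]
    return report


if __name__ == "__main__":
    for name, findings in lint_all(SAMPLE_POLICIES, [APP_A, APP_B, APP_C]).items():
        print(name, "->", findings or "OK")
```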

Access surface area

Legacy authentication

Strong credentials such as MFA cannot protect apps using legacy authentication protocols, which makes them the preferred attack vector for malicious actors. Locking down legacy authentication is crucial to improving the access security posture.

Legacy authentication is a term that refers to authentication protocols used by apps like:

  • Older Office clients that don't use modern authentication (for example, Office 2010 clients)
  • Clients that use mail protocols such as IMAP/SMTP/POP

Attackers strongly prefer these protocols; in fact, nearly 100% of password spray attacks use legacy authentication protocols! Hackers use legacy authentication protocols because they don't support interactive sign-in, which is needed for additional security challenges like multi-factor authentication and device authentication.

If legacy authentication is widely used in your environment, you should plan to migrate legacy clients to clients that support modern authentication as soon as possible. By the same token, if you have some users already using modern authentication but others that still use legacy authentication, you should take the following steps to lock down legacy authentication clients:

  1. Use sign-in activity reports to identify users who are still using legacy authentication and plan remediation:

    a. Upgrade affected users to modern authentication capable clients.

    b. Plan a cutover timeframe to lock down per the steps below.

    c. Identify which legacy applications have a hard dependency on legacy authentication. See step 3 below.

  2. Disable legacy protocols at the source (for example, the Exchange mailbox) for users who aren't using legacy authentication, to avoid more exposure.

  3. For the remaining accounts (ideally non-human identities such as service accounts), use Conditional Access to restrict legacy protocols post-authentication.
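Step 1 above is the data-gathering step; the script below is an added example (not code from the original article) of running it over exported sign-in records. It reads JSON-lines records using the userPrincipalName, clientAppUsed and status.errorCode fields of the Azure AD sign-in logs, reports which legacy protocols each user still uses and whether they are legacy-only, mixed, or modern-only, so that step 1a (upgrade), step 2 (disable at source) and step 3 (restrict remaining accounts) can each be targeted. The list of legacy clientAppUsed values is an assumption based on the documented values, and the sample records are constructed.

```python
"""Find users who still sign in with legacy authentication protocols.

Added example, not code from the original article. It parses sign-in
records in the JSON shape exported by the Azure AD sign-in logs (the
userPrincipalName, clientAppUsed and status.errorCode fields) and reports,
per user, which legacy protocols are in use and whether the user is
legacy-only, mixed, or modern-only. The records below are constructed.
"""
import json
from collections import defaultdict

# Values of clientAppUsed that Azure AD reports for legacy (basic) auth.
# Assumption: this list reflects the documented clientAppUsed values; the
# modern-auth values are "Browser" and "Mobile Apps and Desktop clients".
LEGACY_CLIENT_APPS = frozenset({
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book", "Other clients",
    "Outlook Anywhere (RPC over HTTP)", "Outlook Service", "POP3",
    "Reporting Web Services", "SMTP",
})
MODERN_CLIENT_APPS = frozenset({"Browser", "Mobile Apps and Desktop clients"})

# Constructed sample export (JSON lines); not real tenant data.
SAMPLE_SIGNINS = """
{"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser", "status": {"errorCode": 0}}
{"userPrincipalName": "alice@contoso.example", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}}
{"userPrincipalName": "svc-scanner@contoso.example", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 0}}
{"userPrincipalName": "svc-scanner@contoso.example", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 50126}}
{"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 0}}
"""


def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def legacy_usage(records):
    """Return {user: {protocol: {"success": n, "failure": n}}} for legacy
    protocols only. Successful legacy sign-ins matter most: they show a
    client that will break when the protocol is disabled."""
    usage = defaultdict(lambda: defaultdict(lambda: {"success": 0, "failure": 0}))
    for rec in records:
        app = rec.get("clientAppUsed", "Unknown")
        if app not in LEGACY_CLIENT_APPS:
            continue
        ok = rec.get("status", {}).get("errorCode", 0) == 0
        usage[rec["userPrincipalName"]][app]["success" if ok else "failure"] += 1
    return {user: dict(protocols) for user, protocols in usage.items()}


def classify_users(records):
    """Label each user: 'legacy-only' (step 1a: needs a modern client),
    'mixed' (legacy can be disabled once the legacy client is retired),
    or 'modern-only' (step 2: disable legacy protocols at the source now).
    Records with an unrecognised clientAppUsed value are ignored."""
    modern, legacy = set(), set()
    for rec in records:
        user = rec["userPrincipalName"]
        app = rec.get("clientAppUsed")
        if app in LEGACY_CLIENT_APPS:
            legacy.add(user)
        elif app in MODERN_CLIENT_APPS:
            modern.add(user)
    result = {}
    for user in modern | legacy:
        if user in legacy and user in modern:
            result[user] = "mixed"
        elif user in legacy:
            result[user] = "legacy-only"
        else:
            result[user] = "modern-only"
    return result


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNINS)
    protocols = legacy_usage(recs)
    for user, label in sorted(classify_users(recs).items()):
        print(f"{user}: {label} {protocols.get(user, {})}")
```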

In an illicit consent grant attack, the attacker creates an Azure AD-registered application that requests access to data such as contact information, email, or documents. Users might grant consent to malicious applications via phishing attacks when landing on malicious websites.

Below is a list of app permissions you might want to scrutinize for Microsoft cloud services:

  • Apps with app or delegated *.ReadWrite permissions
  • Apps with delegated permissions that can read, send, or manage email on behalf of the user
  • Apps that are granted the following permissions:

| Resource | Permission |
| --- | --- |
| Exchange Online | EAS.AccessAsUser.All |
| Exchange Online | EWS.AccessAsUser.All |
| Exchange Online | Mail.Read |
| Microsoft Graph API | Mail.Read |
| Microsoft Graph API | Mail.Read.Shared |
| Microsoft Graph API | Mail.ReadWrite |

  • Apps granted full user impersonation of the signed-in user. For example:

| Resource | Permission |
| --- | --- |
| Microsoft Graph API | Directory.AccessAsUser.All |
| Azure REST API | user_impersonation |

To avoid this scenario, you should refer to Detect and remediate illicit consent grants in Office 365 to identify and fix any applications with illicit grants or applications that have more grants than are necessary. Next, remove self-service altogether and establish governance procedures. Finally, schedule regular reviews of app permissions and remove them when they are not needed.
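The permission list above translates directly into a review rule set. The script below is an added example, not code from the original article: it scans a constructed inventory of consented permissions and flags, per app, the *.ReadWrite grants, delegated mail access (including EAS/EWS.AccessAsUser.All) and full user impersonation grants named above, rating tenant-wide or impersonation grants higher because they affect every user. The inventory field names (app, resource, permission, type, tenant_wide) are assumptions, not a specific Graph API schema.

```python
"""Triage consented OAuth permissions against the list above.

Added example; it is not code from the original article. It scans a
constructed inventory of permission grants (app, resource, permission,
delegated vs. application, tenant-wide consent) and flags the grants the
guide says to scrutinize: *.ReadWrite, delegated mail access,
EAS/EWS.AccessAsUser.All and full user impersonation. The inventory
field names are assumptions, not a specific Graph API schema.
"""

# Permissions named on the page, keyed by (resource, permission).
MAIL_ACCESS = {
    ("Exchange Online", "EAS.AccessAsUser.All"),
    ("Exchange Online", "EWS.AccessAsUser.All"),
    ("Exchange Online", "Mail.Read"),
    ("Microsoft Graph API", "Mail.Read"),
    ("Microsoft Graph API", "Mail.Read.Shared"),
    ("Microsoft Graph API", "Mail.ReadWrite"),
}
FULL_IMPERSONATION = {
    ("Microsoft Graph API", "Directory.AccessAsUser.All"),
    ("Azure REST API", "user_impersonation"),
}

# Constructed grant inventory; app names and grants are not real.
SAMPLE_GRANTS = [
    {"app": "Contoso Expense", "resource": "Microsoft Graph API",
     "permission": "User.Read", "type": "delegated", "tenant_wide": False},
    {"app": "Mail Helper", "resource": "Microsoft Graph API",
     "permission": "Mail.ReadWrite", "type": "delegated", "tenant_wide": False},
    {"app": "Mail Helper", "resource": "Microsoft Graph API",
     "permission": "Mail.Send", "type": "delegated", "tenant_wide": False},
    {"app": "Legacy Sync", "resource": "Exchange Online",
     "permission": "EWS.AccessAsUser.All", "type": "delegated", "tenant_wide": True},
    {"app": "Tenant Tool", "resource": "Microsoft Graph API",
     "permission": "Directory.AccessAsUser.All", "type": "delegated", "tenant_wide": True},
    {"app": "Deploy Bot", "resource": "Azure REST API",
     "permission": "user_impersonation", "type": "delegated", "tenant_wide": False},
    {"app": "HR Export", "resource": "Microsoft Graph API",
     "permission": "Group.ReadWrite.All", "type": "application", "tenant_wide": True},
]


def grant_findings(grant):
    """Return the reasons one grant deserves review (empty list = none)."""
    key = (grant["resource"], grant["permission"])
    perm = grant["permission"]
    reasons = []
    if ".ReadWrite" in perm:  # app or delegated *.ReadWrite, including .All variants
        reasons.append("*.ReadWrite")
    if grant["type"] == "delegated" and (perm.startswith("Mail.") or key in MAIL_ACCESS):
        reasons.append("delegated mail access")
    if key in FULL_IMPERSONATION:
        reasons.append("full user impersonation")
    return reasons


def triage(grants):
    """Group flagged grants by app: {app: {"severity": ..., "reasons": [...]}}.
    Tenant-wide (admin) consent or full impersonation affects every user,
    so those apps are rated high; other flagged apps are rated medium."""
    report = {}
    for g in grants:
        reasons = grant_findings(g)
        if not reasons:
            continue
        entry = report.setdefault(g["app"], {"severity": "medium", "reasons": []})
        for r in reasons:
            entry["reasons"].append(f"{g['resource']}:{g['permission']} ({r})")
        if g["tenant_wide"] or "full user impersonation" in reasons:
            entry["severity"] = "high"
    return report


if __name__ == "__main__":
    for app, entry in sorted(triage(SAMPLE_GRANTS).items()):
        print(f"[{entry['severity']}] {app}")
        for reason in entry["reasons"]:
            print("   ", reason)
```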

User and group settings

Below are the user and group settings that can be locked down if there isn't an explicit business need:

User settings

  • External users - external collaboration can happen organically in the enterprise with services like Teams, Power BI, SharePoint Online, and Azure Information Protection. If you have explicit constraints to control user-initiated external collaboration, it is recommended that you enable external users by using Azure AD entitlement management or a controlled operation such as through your help desk. If you don't want to allow organic external collaboration for services, you can block members from inviting external users completely. Alternatively, you can also allow or block specific domains in external user invitations.
  • App registrations - when app registrations are enabled, end users can onboard applications themselves and grant access to their data. A typical example of app registration is users enabling Outlook plug-ins, or voice assistants such as Alexa and Siri, to read their email and calendar or send emails on their behalf. If the customer decides to turn off app registration, the InfoSec and IAM teams must be involved in the management of exceptions (app registrations that are needed based on business requirements), as they would need to register the applications with an admin account, and would most likely need to design a process to operationalize this.
  • Administration portal - organizations can lock down the Azure AD blade in the Azure portal so that non-administrators can't access Azure AD management in the Azure portal and get confused. Go to the user settings in the Azure AD management portal to restrict access:

(Figure: administration portal restricted access setting)

Note

Non-administrators can still access the Azure AD management interfaces via command-line and other programmatic interfaces.

Group settings

Self-service group management / users can create security groups / Microsoft 365 groups. If there is no current self-service initiative for groups in the cloud, customers might decide to turn it off until they are ready to use this capability.

Traffic from unexpected locations

Attackers originate from various parts of the world. Manage this risk by using Conditional Access policies with location as the condition. The location condition of a Conditional Access policy enables you to block access from locations where there is no business reason to sign in from.

(Figure: create a new named location)

If available, use a security information and event management (SIEM) solution to analyze and find patterns of access across regions. If you don't use a SIEM product, or it isn't ingesting authentication information from Azure AD, we recommend you use Azure Monitor to identify patterns of access across regions.

Access usage

Azure AD logs archived and integrated with incident response plans

Having access to sign-in activity, audits, and risk events for Azure AD is crucial for troubleshooting, usage analytics, and forensic investigations. Azure AD provides access to these sources through REST APIs that have a limited retention period. A security information and event management (SIEM) system, or equivalent archival technology, is key for long-term storage of audits and supportability. To enable long-term storage of Azure AD logs, you must either add them to your existing SIEM solution or use Azure Monitor. Archive logs so that they can be used as part of your incident response plans and investigations.

Summary

There are 12 aspects to a secure identity infrastructure. This list will help you further secure and manage credentials, define the authentication experience, delegate assignment, measure usage, and define access policies based on enterprise security posture.

  • Assign owners to key tasks.
  • Implement solutions to detect weak or leaked passwords, improve password management and protection, and further secure user access to resources.
  • Manage the identity of devices to protect your resources at any time and from any location.
  • Implement passwordless authentication.
  • Provide a standardized single sign-on mechanism across the organization.
  • Migrate apps from AD FS to Azure AD to enable better security and more consistent manageability.
  • Assign users to applications by using groups to allow greater flexibility and ability to manage at scale.
  • Configure risk-based access policies.
  • Lock down legacy authentication protocols.
  • Detect and remediate illicit consent grants.
  • Lock down user and group settings.
  • Enable long-term storage of Azure AD logs for troubleshooting, usage analytics, and forensic investigations.

Next steps

Get started with the Identity governance operational checks and actions.