
Identity and access management

Identity provides the basis of a large percentage of security assurance. It enables access based on identity authentication and authorization controls in cloud services to protect data and resources and to decide which requests should be permitted.

Identity and access management (IAM) is the security boundary in the public cloud. It must be treated as the foundation of any secure and fully compliant public cloud architecture. Azure offers a comprehensive set of services, tools, and reference architectures that enable organizations to build highly secure, operationally efficient environments, as outlined here.

This section examines design considerations and recommendations related to IAM in an enterprise environment.

Why we need identity and access management

The technological landscape in the enterprise is becoming complex and heterogeneous. To manage compliance and security for this environment, IAM enables the right individuals to access the right resources at the right time for the right reasons.

Plan for identity and access management

Enterprise organizations typically follow a least-privilege approach to operational access. This model should be expanded to cover Azure through Azure Active Directory (Azure AD), Azure role-based access control (Azure RBAC), and custom role definitions. It's critical to plan how to govern control-plane and data-plane access to resources in Azure. Any design for IAM and Azure RBAC must meet regulatory, security, and operational requirements before it can be accepted.

Identity and access management is a multistep process that involves careful planning for identity integration and other security considerations, such as blocking legacy authentication and planning for modern passwords. Planning also involves choosing between business-to-business and business-to-consumer identity and access management. While these requirements vary, there are common design considerations and recommendations to consider for an enterprise landing zone.


Figure 1: Identity and access management.

Design considerations:

  • There are limits on the number of custom roles and role assignments that must be considered when you lay down a framework around IAM and governance. For more information, see Azure RBAC service limits.
  • There's a limit of 2,000 role assignments per subscription.
  • There's a limit of 500 role assignments per management group.
  • Centralized versus federated resource ownership:
    • Shared resources, or any aspect of the environment that implements or enforces a security boundary (such as the network), must be managed centrally. This requirement is part of many regulatory frameworks. It's standard practice for any organization that grants or denies access to confidential or critical business resources.
    • Managing application resources that don't violate security boundaries or other aspects required to maintain security and compliance can be delegated to application teams. Allowing users to provision resources within a securely managed environment lets organizations take advantage of the agile nature of the cloud while preventing the violation of any critical security or governance boundary.

Design recommendations:

  • Use Azure RBAC to manage data-plane access to resources, where possible. Examples are Azure Key Vault, a storage account, or a SQL database.
  • Deploy Azure AD conditional-access policies for any user with rights to Azure environments. Doing so provides another mechanism to help protect a controlled Azure environment from unauthorized access.
  • Enforce multi-factor authentication for any user with rights to the Azure environments. Multi-factor authentication enforcement is a requirement of many compliance frameworks. It greatly lowers the risk of credential theft and unauthorized access.
  • Use Azure AD Privileged Identity Management (PIM) to establish zero standing access and least privilege. Map your organization's roles to the minimum level of access needed. Azure AD PIM can either be an extension of existing tools and processes, use Azure native tools as outlined, or use both as needed.
  • Use Azure-AD-only groups for Azure control-plane resources in Azure AD PIM when you grant access to resources.
    • Add on-premises groups to the Azure-AD-only group if a group management system is already in place.
  • Use Azure AD PIM access reviews to periodically validate resource entitlements. Access reviews are part of many compliance frameworks. As a result, many organizations will already have a process in place to address this requirement.
  • Integrate Azure AD logs with the platform-central Azure Monitor. Azure Monitor allows for a single source of truth around log and monitoring data in Azure, which gives organizations cloud-native options to meet requirements around log collection and retention.
  • If any data sovereignty requirements exist, custom user policies can be deployed to enforce them.
  • Use custom role definitions within the Azure AD tenant while you consider the following key roles:

| Role | Usage | Actions | No actions |
| --- | --- | --- | --- |
| Azure platform owner (such as the built-in Owner role) | Management group and subscription lifecycle management | * | |
| Network management (NetOps) | Platform-wide global connectivity management: virtual networks, UDRs, NSGs, NVAs, VPN, Azure ExpressRoute, and others | */read, Microsoft.Network/vpnGateways/*, Microsoft.Network/expressRouteCircuits/*, Microsoft.Network/routeTables/write, Microsoft.Network/vpnSites/* | |
| Security operations (SecOps) | Security administrator role with a horizontal view across the entire Azure estate and the Azure Key Vault purge policy | */read, */register/action, Microsoft.KeyVault/locations/deletedVaults/purge/action, Microsoft.Insights/alertRules/*, Microsoft.Authorization/policyDefinitions/*, Microsoft.Authorization/policyAssignments/*, Microsoft.Authorization/policySetDefinitions/*, Microsoft.PolicyInsights/*, Microsoft.Security/* | |
| Subscription owner | Delegated role for subscription owner derived from the subscription Owner role | * | Microsoft.Authorization/*/write, Microsoft.Network/vpnGateways/*, Microsoft.Network/expressRouteCircuits/*, Microsoft.Network/routeTables/write, Microsoft.Network/vpnSites/* |
| Application owners (DevOps/AppOps) | Contributor role granted to the application/operations team at resource group level | * | Microsoft.Authorization/*/write, Microsoft.Network/publicIPAddresses/write, Microsoft.Network/virtualNetworks/write, Microsoft.KeyVault/locations/deletedVaults/purge/action |
  • Use Azure Security Center just-in-time access for all infrastructure as a service (IaaS) resources to enable network-level protection for ephemeral user access to IaaS virtual machines.
  • Use Azure AD managed identities for Azure resources to avoid authentication based on user names and passwords. Because many security breaches of public cloud resources originate with the theft of credentials embedded in code or other text sources, enforcing managed identities for programmatic access greatly reduces the risk of credential theft.
  • Use privileged identities for automation runbooks that require elevated access permissions. Automated workflows that cross critical security boundaries should be governed by the same tools and policies as users of equivalent privilege.
  • Don't add users directly to Azure resource scopes. Instead, add users to defined roles, which are then assigned to resource scopes. Direct user assignments circumvent centralized management, greatly increasing the management effort required to prevent unauthorized access to restricted data.
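The table of key roles above and the recommendation against direct user assignments are easier to reason about with the Azure RBAC evaluation rule written out: a role's effective control-plane permissions are its Actions minus its NotActions, with `*` matching any characters, including `/`. The following is an added example, not code from the Azure documentation; the two role definitions are taken from the table, the role-assignment records are constructed sample data, and `check_assignments` is a hypothetical helper name.

```python
"""Evaluate custom role definitions from the table and flag direct user assignments.
Constructed example: implements the Actions-minus-NotActions rule of Azure RBAC
(case-insensitive, '*' spans '/' as in Azure operation wildcards)."""
import fnmatch

# Role definitions as given in the table above (Subscription owner and NetOps rows).
ROLES = {
    "Subscription owner": {
        "Actions": ["*"],
        "NotActions": ["Microsoft.Authorization/*/write", "Microsoft.Network/vpnGateways/*",
                       "Microsoft.Network/expressRouteCircuits/*",
                       "Microsoft.Network/routeTables/write", "Microsoft.Network/vpnSites/*"],
    },
    "Network management (NetOps)": {
        "Actions": ["*/read", "Microsoft.Network/vpnGateways/*",
                    "Microsoft.Network/expressRouteCircuits/*",
                    "Microsoft.Network/routeTables/write", "Microsoft.Network/vpnSites/*"],
        "NotActions": [],
    },
}

def _matches(pattern, operation):
    # fnmatchcase treats '*' as '.*', so it crosses '/' like Azure's operation wildcard.
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())

def is_permitted(role, operation):
    """True if the operation is granted by Actions and not subtracted by NotActions.
    NotActions is a subtraction, not a deny: another assigned role can still grant it."""
    allowed = any(_matches(p, operation) for p in role["Actions"])
    excluded = any(_matches(p, operation) for p in role["NotActions"])
    return allowed and not excluded

def to_role_definition(name, role, subscription_id):
    """Custom role body in the shape Azure RBAC expects (AssignableScopes is assumed)."""
    return {"Name": name, "IsCustom": True, "Description": f"Landing zone role: {name}",
            "Actions": role["Actions"], "NotActions": role["NotActions"],
            "DataActions": [], "NotDataActions": [],
            "AssignableScopes": [f"/subscriptions/{subscription_id}"]}

def check_assignments(assignments):
    """Hypothetical check: return assignments made directly to a user principal,
    which the guidance above says should go through a group or role instead."""
    return [a for a in assignments if a["principalType"].lower() == "user"]

# Constructed sample assignments (ids are placeholders, not real values).
SAMPLE_ASSIGNMENTS = [
    {"principalType": "Group", "principalId": "<group-guid>", "scope": "/subscriptions/<sub>"},
    {"principalType": "User", "principalId": "<user-guid>", "scope": "/subscriptions/<sub>/resourceGroups/rg-app"},
]
```

Run `is_permitted(ROLES["Subscription owner"], "Microsoft.Authorization/roleAssignments/write")` to confirm the delegated owner cannot hand out role assignments even though its Actions is `*`.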

Plan for authentication inside a landing zone

A critical design decision that an enterprise organization must make when adopting Azure is whether to extend an existing on-premises identity domain into Azure or to create a brand new one. Requirements for authentication inside the landing zone should be thoroughly assessed and incorporated into plans to deploy Active Directory Domain Services (AD DS) in Windows Server, Azure AD Domain Services (Azure AD DS), or both. Most Azure environments will use at least Azure AD for Azure fabric authentication, and AD DS for local host authentication and group policy management.

Design considerations:

  • Consider centralized and delegated responsibilities to manage resources deployed inside the landing zone.
  • Applications that rely on domain services and use older protocols can use Azure AD DS.

Design recommendations:

  • Use centralized and delegated responsibilities to manage resources deployed inside the landing zone based on role and security requirements.
  • Privileged operations such as creating service principal objects, registering applications in Azure AD, and procuring and handling certificates or wildcard certificates require special permissions. Consider which users will be handling such requests and how to secure and monitor their accounts with the degree of diligence required.
  • If an organization has a scenario where an application that uses integrated Windows authentication must be accessed remotely through Azure AD, consider using Azure AD Application Proxy.
  • There's a difference between Azure AD, Azure AD DS, and AD DS running on Windows Server. Evaluate your application needs, and understand and document the authentication provider that each one will be using. Plan accordingly for all applications.
  • Evaluate the compatibility of workloads for AD DS on Windows Server and for Azure AD DS.
  • Ensure your network design allows resources that require AD DS on Windows Server for local authentication and management to reach the appropriate domain controllers.
    • For AD DS on Windows Server, consider shared services environments that offer local authentication and host management in a larger enterprise-wide network context.
  • Deploy Azure AD DS within the primary region, because this service can only be projected into one subscription.
  • Use managed identities instead of service principals for authentication to Azure services. This approach reduces exposure to credential theft.