
Enforce multi-factor authentication (MFA) for subscription administrators

When you create your administrators, including your global administrator account, it is essential that you use very strong authentication methods.

You can perform day-to-day administration by assigning specific administrator roles, such as Exchange administrator or Password administrator, to user accounts of IT staff as needed. Additionally, enabling Azure Multi-Factor Authentication (MFA) for your administrators adds a second layer of security to user sign-ins and transactions. Azure MFA also helps IT reduce the likelihood that a compromised credential will be able to access the organization's data.

For example: you enforce Azure MFA for your users and configure it to use a phone call or text message as verification. If a user's credentials are compromised, the attacker will not be able to access any resource, because they will not have access to the user's phone. Organizations that do not add extra layers of identity protection are more susceptible to credential theft attacks, which may lead to data compromise.

One alternative for organizations that want to keep the entire authentication control on-premises is to use Azure Multi-Factor Authentication Server, also called "MFA on-premises". With this method you can still enforce multi-factor authentication while keeping the MFA server on-premises.

To check who in your organization has administrative privileges, run the following Microsoft Azure AD V2 PowerShell command:

Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "Company Administrator" } | Get-AzureADDirectoryRoleMember | Format-Table DisplayName
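The command above lists only the members of the Company Administrator role. The following script is an added example (not part of the original Azure documentation) that generalizes it: it audits every directory role whose name matches an administrator pattern and reports, for each user member, the per-user MFA state. It assumes the AzureAD (V2) and MSOnline modules are installed and that Connect-AzureAD and Connect-MsolService have already been run against the tenant.

```powershell
# Added example: audit all administrative directory roles and report whether each
# user member has per-user Azure MFA enabled or enforced.
# Assumes: AzureAD and MSOnline modules installed; Connect-AzureAD and
# Connect-MsolService already executed for the tenant being audited.

function Get-AdminRoleMfaReport {
    param(
        # Role display-name pattern; "*Administrator*" covers Company Administrator,
        # Password Administrator, Exchange Service Administrator and similar roles.
        [string]$RolePattern = '*Administrator*'
    )

    # Get-AzureADDirectoryRole returns only roles that have been activated in the tenant.
    $roles = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -like $RolePattern }

    foreach ($role in $roles) {
        $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
        foreach ($member in $members) {
            # Groups and service principals carry no per-user MFA state; report them as such
            # so they are still visible in the audit.
            if ($member.ObjectType -ne 'User') {
                [pscustomobject]@{
                    Role       = $role.DisplayName
                    Member     = $member.DisplayName
                    ObjectType = $member.ObjectType
                    MfaState   = 'n/a'
                }
                continue
            }
            # StrongAuthenticationRequirements is empty when per-user MFA is disabled;
            # otherwise its State is "Enabled" or "Enforced".
            $msolUser = Get-MsolUser -UserPrincipalName $member.UserPrincipalName
            $state = $msolUser.StrongAuthenticationRequirements.State
            if (-not $state) { $state = 'Disabled' }
            [pscustomobject]@{
                Role       = $role.DisplayName
                Member     = $member.UserPrincipalName
                ObjectType = 'User'
                MfaState   = $state
            }
        }
    }
}

# Show every administrator account whose per-user MFA is not yet enforced.
Get-AdminRoleMfaReport |
    Where-Object { $_.ObjectType -eq 'User' -and $_.MfaState -ne 'Enforced' } |
    Format-Table -AutoSize
```

Note that this reports only the per-user MFA setting; an administrator who is required to use two-step verification solely through a Conditional Access policy will still show as "Disabled" here, so review those policies separately.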

Enabling MFA

Review how MFA operates before you proceed.

As long as your users have licenses that include Azure Multi-Factor Authentication, there is nothing you need to do to turn on Azure MFA. You can start requiring two-step verification on an individual user basis. The licenses that enable Azure MFA are:

  • Azure Multi-Factor Authentication
  • Azure Active Directory Premium
  • Enterprise Mobility + Security

Turn on two-step verification for users

Use one of the procedures listed in How to require two-step verification for a user or group to start using Azure MFA. You can choose to enforce two-step verification for all sign-ins, or you can create Conditional Access policies that require two-step verification only when it matters to you.