
Azure identity management and access control security best practices

In this article, we discuss a collection of Azure identity management and access control security best practices. These best practices are derived from our experience with Azure AD and the experiences of customers like yourself.

For each best practice, we explain:

  • What the best practice is
  • Why you want to enable that best practice
  • What might be the result if you fail to enable the best practice
  • Possible alternatives to the best practice
  • How you can learn to enable the best practice

This Azure identity management and access control security best practices article is based on a consensus opinion and on Azure platform capabilities and feature sets as they exist at the time of writing. Opinions and technologies change over time, and this article will be updated on a regular basis to reflect those changes.

Azure identity management and access control security best practices discussed in this article include:

  • Treat identity as the primary security perimeter
  • Centralize identity management
  • Manage connected tenants
  • Enable single sign-on
  • Turn on Conditional Access
  • Enable password management
  • Enforce multi-factor verification for users
  • Use role-based access control
  • Lower exposure of privileged accounts
  • Control locations where resources are created
  • Use Azure AD for storage authentication

Treat identity as the primary security perimeter

Many consider identity to be the primary perimeter for security. This is a shift from the traditional focus on network security. Network perimeters keep getting more porous, and perimeter defense can't be as effective as it was before the explosion of BYOD devices and cloud applications.

Azure Active Directory (Azure AD) is the Azure solution for identity and access management. Azure AD is a multitenant, cloud-based directory and identity management service from Microsoft. It combines core directory services, application access management, and identity protection into a single solution.

The following sections list best practices for identity and access security using Azure AD.

Centralize identity management

In a hybrid identity scenario, we recommend that you integrate your on-premises and cloud directories. Integration enables your IT team to manage accounts from one location, regardless of where an account is created. Integration also helps your users be more productive by providing a common identity for accessing both cloud and on-premises resources.

Best practice: Establish a single Azure AD instance. Consistency and a single authoritative source will increase clarity and reduce security risks from human error and configuration complexity.
Detail: Designate a single Azure AD directory as the authoritative source for corporate and organizational accounts.

Best practice: Integrate your on-premises directories with Azure AD.
Detail: Use Azure AD Connect to synchronize your on-premises directory with your cloud directory.


There are factors that affect the performance of Azure AD Connect. Ensure that Azure AD Connect has enough capacity to keep underperforming systems from impeding security and productivity. Large or complex organizations (organizations provisioning more than 100,000 objects) should follow the recommendations to optimize their Azure AD Connect implementation.

Best practice: Don't synchronize accounts to Azure AD that have high privileges in your existing Active Directory instance.
Detail: Don't change the default Azure AD Connect configuration that filters out these accounts. This configuration mitigates the risk of adversaries pivoting from cloud to on-premises assets (which could create a major incident).
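The following script is an added example, not part of the original article and not part of Azure AD Connect. It checks the best practice above against two constructed exports: a list of on-premises AD users (field names follow common AD attribute names) and the set of userPrincipalNames that appear as synced users in Azure AD. It reports any synced account that is a member of a built-in privileged group, is the built-in Administrator (well-known RID 500), or still carries adminCount=1 from an earlier privileged membership. The export format of your own tooling may differ; the field names are an assumption to adjust.

```python
"""Find on-premises privileged accounts that are nonetheless present in Azure AD.

Added example. Input shapes are constructed: ONPREM_USERS mimics an AD user export,
SYNCED_UPNS mimics the UPNs of Azure AD users with onPremisesSyncEnabled set.
"""

# Built-in groups whose members are protected by AdminSDHolder (adminCount=1).
# Membership in any of these lets the account control the on-premises forest.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
    "Account Operators", "Backup Operators", "Server Operators", "Print Operators",
}

# Constructed sample of an on-premises user export.
ONPREM_USERS = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@corp.contoso.example",
     "memberOf": ["Domain Users"], "adminCount": 0,
     "objectSid": "S-1-5-21-1004336348-1177238915-682003330-1105"},
    {"sAMAccountName": "da-jdoe", "userPrincipalName": "da-jdoe@corp.contoso.example",
     "memberOf": ["Domain Users", "Domain Admins"], "adminCount": 1,
     "objectSid": "S-1-5-21-1004336348-1177238915-682003330-1106"},
    {"sAMAccountName": "Administrator",
     "userPrincipalName": "administrator@corp.contoso.example",
     "memberOf": ["Administrators", "Domain Admins"], "adminCount": 1,
     "objectSid": "S-1-5-21-1004336348-1177238915-682003330-500"},
    {"sAMAccountName": "svc-backup", "userPrincipalName": "svc-backup@corp.contoso.example",
     "memberOf": ["Backup Operators"], "adminCount": 1,
     "objectSid": "S-1-5-21-1004336348-1177238915-682003330-1200"},
    # adminCount is never cleared automatically when an account leaves a protected group.
    {"sAMAccountName": "former-admin",
     "userPrincipalName": "former-admin@corp.contoso.example",
     "memberOf": ["Domain Users"], "adminCount": 1,
     "objectSid": "S-1-5-21-1004336348-1177238915-682003330-1300"},
]

# Constructed: UPNs that appear in Azure AD as synced (on-premises mastered) users.
SYNCED_UPNS = {
    "jdoe@corp.contoso.example",
    "da-jdoe@corp.contoso.example",
    "svc-backup@corp.contoso.example",
    "former-admin@corp.contoso.example",
}


def privilege_reasons(user):
    """Return the reasons an on-premises account counts as high-privilege (empty if none)."""
    reasons = []
    groups = set(user.get("memberOf", [])) & PRIVILEGED_GROUPS
    if groups:
        reasons.append("member of " + ", ".join(sorted(groups)))
    # Well-known RID 500 is the built-in Administrator, whatever it has been renamed to.
    if user.get("objectSid", "").endswith("-500"):
        reasons.append("built-in Administrator (RID 500)")
    # adminCount=1 without a current protected membership marks an account that was
    # privileged at some point and still carries the AdminSDHolder ACL.
    if user.get("adminCount") == 1 and not groups:
        reasons.append("adminCount=1 (formerly protected)")
    return reasons


def find_synced_privileged(onprem_users, synced_upns):
    """Return {upn: reasons} for privileged on-premises accounts that are synced to Azure AD."""
    findings = {}
    for user in onprem_users:
        reasons = privilege_reasons(user)
        upn = user["userPrincipalName"]
        if reasons and upn in synced_upns:
            findings[upn] = reasons
    return findings


if __name__ == "__main__":
    for upn, reasons in sorted(find_synced_privileged(ONPREM_USERS, SYNCED_UPNS).items()):
        print(f"{upn}: {'; '.join(reasons)}")
```

Any account the script lists is a candidate for an Azure AD Connect filtering rule (or for moving its administrative duties to a separate, cloud-only admin account) rather than for a cloud role assignment.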

Best practice: Turn on password hash synchronization.
Detail: Password hash synchronization is a feature used to sync user password hashes from an on-premises Active Directory instance to a cloud-based Azure AD instance. This sync helps to protect against leaked credentials being replayed from previous attacks.

Even if you decide to use federation with Active Directory Federation Services (AD FS) or other identity providers, you can optionally set up password hash synchronization as a backup in case your on-premises servers fail or become temporarily unavailable. This sync enables users to sign in to the service by using the same password that they use to sign in to their on-premises Active Directory instance. It also allows Identity Protection to detect compromised credentials by comparing synchronized password hashes with passwords known to be compromised, if a user has used the same email address and password on other services that aren't connected to Azure AD.

For more information, see Implement password hash synchronization with Azure AD Connect sync.

Best practice: For new application development, use Azure AD for authentication.
Detail: Use the correct capabilities to support authentication:

  • Azure AD for employees
  • Azure AD B2B for guest users and external partners
  • Azure AD B2C to control how customers sign up, sign in, and manage their profiles when they use your applications

Organizations that don't integrate their on-premises identity with their cloud identity can have more overhead in managing accounts. This overhead increases the likelihood of mistakes and security breaches.


You need to choose which directories critical accounts will reside in and whether the admin workstation used is managed by new cloud services or by existing processes. Using existing management and identity provisioning processes can decrease some risks, but it can also create the risk of an attacker compromising an on-premises account and pivoting to the cloud. You might want to use a different strategy for different roles (for example, IT admins vs. business unit admins). You have two options:

  • Create Azure AD accounts that aren't synchronized with your on-premises Active Directory instance, and join your admin workstation to Azure AD, where you can manage and patch it by using Microsoft Intune.
  • Use existing admin accounts by synchronizing them from your on-premises Active Directory instance, and use existing workstations in your Active Directory domain for management and security.

Manage connected tenants

Your security organization needs visibility to assess risk and to determine whether the policies of your organization, and any regulatory requirements, are being followed. You should ensure that your security organization has visibility into all subscriptions connected to your production environment and network (via Azure ExpressRoute or site-to-site VPN). A Global Administrator/Company Administrator in Azure AD can elevate their access to the User Access Administrator role and see all subscriptions and management groups connected to your environment.

See Elevate access to manage all Azure subscriptions and management groups to ensure that you and your security group can view all subscriptions or management groups connected to your environment. You should remove this elevated access after you've assessed risks.

Enable single sign-on

In a mobile-first, cloud-first world, you want to enable single sign-on (SSO) to devices, apps, and services from anywhere so your users can be productive wherever and whenever. When you have multiple identity solutions to manage, this becomes an administrative problem not only for IT but also for users, who have to remember multiple passwords.

By using the same identity solution for all your apps and resources, you can achieve SSO. Your users can then use the same set of credentials to sign in and access the resources that they need, whether the resources are located on-premises or in the cloud.

Best practice: Enable SSO.
Detail: Azure AD extends on-premises Active Directory to the cloud. Users can use their primary work or school account for their domain-joined devices, company resources, and all of the web and SaaS applications that they need to get their jobs done. Users don't have to remember multiple sets of usernames and passwords, and their application access can be automatically provisioned (or deprovisioned) based on their organization group memberships and their status as an employee. And you can control that access for gallery apps or for your own on-premises apps that you've developed and published through the Azure AD Application Proxy.

Use SSO to enable users to access their SaaS applications based on their work or school account in Azure AD. This is applicable not only to Microsoft SaaS apps, but also to other apps, such as Google Apps and Salesforce. You can configure your application to use Azure AD as a SAML-based identity provider. As a security control, Azure AD does not issue a token that allows users to sign in to the application unless they have been granted access through Azure AD. You can grant access directly, or through a group that users are a member of.

Organizations that don't create a common identity to establish SSO for their users and applications are more exposed to scenarios where users have multiple passwords. These scenarios increase the likelihood of users reusing passwords or using weak passwords.

Turn on Conditional Access

Users can access your organization's resources by using a variety of devices and apps from anywhere. As an IT admin, you want to make sure that these devices meet your standards for security and compliance. Just focusing on who can access a resource is not sufficient anymore.

To balance security and productivity, you need to think about how a resource is accessed before you can make a decision about access control. With Azure AD Conditional Access, you can address this requirement. With Conditional Access, you can make automated access control decisions based on conditions for accessing your cloud apps.

Best practice: Manage and control access to corporate resources.
Detail: Configure Azure AD Conditional Access based on a group, location, and application sensitivity for SaaS apps and Azure AD-connected apps.

Best practice: Block legacy authentication protocols.
Detail: Attackers exploit weaknesses in older protocols every day, particularly for password spray attacks. Configure Conditional Access to block legacy protocols. See the video Azure AD: Do's and Don'ts for more information.
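Before a policy that blocks legacy authentication is enforced, you want to know which users and applications still depend on those protocols, and whether a password spray is already hitting them. The script below is an added example, not part of the original article or of any Microsoft tooling. It runs over exported sign-in records; the records here are constructed and carry only the fields the script uses, named after the Azure AD sign-in log fields (userPrincipalName, clientAppUsed, appDisplayName, ipAddress, status.errorCode). The list of clientAppUsed values treated as legacy is the one the sign-in log reports for non-modern clients.

```python
"""Find legacy-authentication sign-ins in exported Azure AD sign-in records.

Added example. SAMPLE_SIGNINS is constructed; a real export has many more fields.
"""
from collections import defaultdict

# clientAppUsed values that Azure AD reports for legacy (non-modern) authentication.
# Modern authentication is reported as "Browser" or "Mobile Apps and Desktop clients".
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "Other clients", "IMAP4", "POP3", "SMTP",
    "Authenticated SMTP", "Exchange Web Services", "MAPI Over HTTP",
    "Outlook Anywhere (RPC over HTTP)", "Exchange Online PowerShell",
    "Autodiscover", "Offline Address Book", "Reporting Web Services",
}

# Constructed sample records. errorCode 0 is a successful sign-in; 50126 is
# "invalid username or password".
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "198.51.100.10",
     "clientAppUsed": "Browser", "appDisplayName": "Office 365 SharePoint Online",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.11",
     "clientAppUsed": "IMAP4", "appDisplayName": "Office 365 Exchange Online",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@contoso.example", "ipAddress": "198.51.100.12",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    {"userPrincipalName": "scanner@contoso.example", "ipAddress": "198.51.100.20",
     "clientAppUsed": "Authenticated SMTP", "appDisplayName": "Office 365 Exchange Online",
     "status": {"errorCode": 0}},
    # Three different accounts failing over a legacy protocol from one address:
    # the shape of a password spray against an endpoint that cannot prompt for MFA.
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "203.0.113.7",
     "clientAppUsed": "Other clients", "appDisplayName": "Office 365 Exchange Online",
     "status": {"errorCode": 50126}},
    {"userPrincipalName": "dave@contoso.example", "ipAddress": "203.0.113.7",
     "clientAppUsed": "Other clients", "appDisplayName": "Office 365 Exchange Online",
     "status": {"errorCode": 50126}},
    {"userPrincipalName": "erin@contoso.example", "ipAddress": "203.0.113.7",
     "clientAppUsed": "Other clients", "appDisplayName": "Office 365 Exchange Online",
     "status": {"errorCode": 50126}},
]


def is_legacy(signin):
    return signin.get("clientAppUsed") in LEGACY_CLIENT_APPS


def succeeded(signin):
    return signin.get("status", {}).get("errorCode", 0) == 0


def summarize_legacy_auth(signins):
    """Per-user summary of legacy sign-ins: outcome counts, protocols and target apps.

    Users with successful entries here are the ones to migrate to modern clients
    (or to exclude deliberately) before the block policy is enforced."""
    report = {}
    for s in signins:
        if not is_legacy(s):
            continue
        entry = report.setdefault(
            s["userPrincipalName"],
            {"success": 0, "failure": 0, "protocols": set(), "apps": set()})
        entry["success" if succeeded(s) else "failure"] += 1
        entry["protocols"].add(s["clientAppUsed"])
        entry["apps"].add(s.get("appDisplayName", ""))
    return report


def spray_sources(signins, min_users=3):
    """Source addresses with failed legacy-protocol sign-ins for at least min_users
    distinct accounts. Many accounts, few attempts each, over a protocol that cannot
    challenge for a second factor is the classic password-spray pattern."""
    users_by_ip = defaultdict(set)
    for s in signins:
        if is_legacy(s) and not succeeded(s):
            users_by_ip[s["ipAddress"]].add(s["userPrincipalName"])
    return {ip: len(users) for ip, users in users_by_ip.items() if len(users) >= min_users}


if __name__ == "__main__":
    for upn, entry in sorted(summarize_legacy_auth(SAMPLE_SIGNINS).items()):
        print(f"{upn}: {entry['success']} ok, {entry['failure']} failed, "
              f"protocols={sorted(entry['protocols'])}")
    print("possible spray sources:", spray_sources(SAMPLE_SIGNINS))
```

Run it in report-only mode first: the per-user summary tells you what the block will break (here an IMAP mailbox user and an SMTP-authenticating scanner), and the spray output shows the surface the block removes.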

Enable password management

If you have multiple tenants or you want to enable users to reset their own passwords, it's important that you use appropriate security policies to prevent abuse.

Best practice: Set up self-service password reset (SSPR) for your users.
Detail: Use the Azure AD self-service password reset feature.

Best practice: Monitor how or if SSPR is really being used.
Detail: Monitor the users who are registering by using the Azure AD Password Reset Registration Activity report. The reporting feature that Azure AD provides helps you answer questions by using prebuilt reports. If you're appropriately licensed, you can also create custom queries.

Best practice: Extend cloud-based password policies to your on-premises infrastructure.
Detail: Enhance password policies in your organization by performing the same checks for on-premises password changes as you do for cloud-based password changes. Install Azure AD password protection for Windows Server Active Directory agents on-premises to extend banned password lists to your existing infrastructure. Users and admins who change, set, or reset passwords on-premises are then required to comply with the same password policy as cloud-only users.

Enforce multi-factor verification for users

We recommend that you require two-step verification for all of your users. This includes administrators and others in your organization who can have a significant impact if their account is compromised (for example, financial officers).

There are multiple options for requiring two-step verification. The best option for you depends on your goals, the Azure AD edition you're running, and your licensing program. See How to require two-step verification for a user to determine the best option for you. See the Azure AD and Azure Multi-Factor Authentication pricing pages for more information about licenses and pricing.

Following are options and benefits for enabling two-step verification:

Option 1: Enable Multi-Factor Authentication by changing user state.
Benefit: This is the traditional method for requiring two-step verification. It works with both Azure Multi-Factor Authentication in the cloud and Azure Multi-Factor Authentication Server. Using this method requires users to perform two-step verification every time they sign in, and it overrides Conditional Access policies.

To determine where Multi-Factor Authentication needs to be enabled, see Which version of Azure MFA is right for my organization?

Option 2: Enable Multi-Factor Authentication with a Conditional Access policy.
Benefit: This option allows you to prompt for two-step verification under specific conditions by using Conditional Access. Specific conditions can be user sign-in from different locations, untrusted devices, or applications that you consider risky. Defining specific conditions where you require two-step verification enables you to avoid constant prompting for your users, which can be an unpleasant user experience.

This is the most flexible way to enable two-step verification for your users. Enabling a Conditional Access policy works only for Azure Multi-Factor Authentication in the cloud and is a premium feature of Azure AD. You can find more information on this method in Deploy cloud-based Azure Multi-Factor Authentication.

Option 3: Enable Multi-Factor Authentication with Conditional Access policies by evaluating user and sign-in risk from Azure AD Identity Protection.
Benefit: This option enables you to:

  • Detect potential vulnerabilities that affect your organization's identities.
  • Configure automated responses to detected suspicious actions that are related to your organization's identities.
  • Investigate suspicious incidents and take appropriate action to resolve them.

This method uses the Azure AD Identity Protection risk evaluation to determine whether two-step verification is required based on user and sign-in risk for all cloud applications. This method requires Azure Active Directory P2 licensing. You can find more information on this method in Azure Active Directory Identity Protection.

Option 1, enabling Multi-Factor Authentication by changing the user state, overrides Conditional Access policies. Because options 2 and 3 use Conditional Access policies, you cannot use option 1 with them.
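The following model is an added example, not part of the original article and not Azure AD's own evaluation engine. It shows in code how the Conditional Access conditions described earlier in this article (group, location, application, client type) and the three MFA options above combine for a single sign-in: per-user MFA (option 1) prompts on every sign-in regardless of policy, while policies keyed on conditions (option 2) or on Identity Protection risk levels (option 3) require controls only when their conditions match, and a block policy wins over any grant. The policy fields, risk levels and sample sign-ins are simplified and constructed for the example.

```python
"""Model of Conditional Access evaluation for one sign-in.

Added example. Policy fields are a simplification of the Azure AD Conditional
Access conditions; the sample policies and sign-ins are constructed.
"""
from dataclasses import dataclass

RISK_LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Subset of the clientAppUsed values Azure AD reports for legacy authentication.
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP",
                      "Exchange ActiveSync", "Other clients"}


@dataclass
class SignIn:
    user: str
    groups: frozenset
    app: str
    client_app: str             # clientAppUsed value from the sign-in log
    trusted_location: bool      # source IP is inside a named trusted location
    device_compliant: bool
    sign_in_risk: str = "none"  # Identity Protection sign-in risk level
    user_risk: str = "none"     # Identity Protection user risk level


@dataclass
class Policy:
    name: str
    grant: frozenset                       # required controls, or {"block"}
    groups: frozenset = frozenset()        # empty = all users
    apps: frozenset = frozenset()          # empty = all cloud apps
    client_types: frozenset = frozenset()  # {"legacy"} / {"modern"}; empty = any
    only_untrusted_locations: bool = False
    min_sign_in_risk: str = "none"         # "none" = risk condition not used
    min_user_risk: str = "none"

    def matches(self, s):
        """True when every configured condition holds for the sign-in."""
        client_type = "legacy" if s.client_app in LEGACY_CLIENT_APPS else "modern"
        return ((not self.groups or bool(self.groups & s.groups))
                and (not self.apps or s.app in self.apps)
                and (not self.client_types or client_type in self.client_types)
                and not (self.only_untrusted_locations and s.trusted_location)
                and RISK_LEVELS[s.sign_in_risk] >= RISK_LEVELS[self.min_sign_in_risk]
                and RISK_LEVELS[s.user_risk] >= RISK_LEVELS[self.min_user_risk])


POLICIES = [
    Policy("Block legacy authentication", frozenset({"block"}),
           client_types=frozenset({"legacy"})),
    Policy("MFA for finance apps off the corporate network", frozenset({"mfa"}),
           groups=frozenset({"finance"}), apps=frozenset({"ERP"}),
           only_untrusted_locations=True),
    Policy("MFA on medium or high sign-in risk", frozenset({"mfa"}),
           min_sign_in_risk="medium"),
    Policy("Compliant device for admins", frozenset({"compliantDevice"}),
           groups=frozenset({"it-admins"})),
]


def evaluate(policies, signin, per_user_mfa=False):
    """Combine matching policies. Block wins over any grant; otherwise the required
    controls of all matching policies are unioned. per_user_mfa models option 1:
    an "enforced" per-user MFA state prompts on every sign-in regardless of policy."""
    matched = [p for p in policies if p.matches(signin)]
    blocking = [p.name for p in matched if "block" in p.grant]
    if blocking:
        return {"decision": "block", "controls": [], "policies": blocking}
    controls = set().union(*(p.grant for p in matched))
    if per_user_mfa:
        controls.add("mfa")
    return {"decision": "grant", "controls": sorted(controls),
            "policies": [p.name for p in matched]}


def outstanding_controls(result, signin, mfa_completed=False):
    """Controls the client still has to satisfy before a token is issued."""
    done = set()
    if mfa_completed:
        done.add("mfa")
    if signin.device_compliant:
        done.add("compliantDevice")
    return [c for c in result["controls"] if c not in done]


# Constructed sample sign-ins.
SAMPLE_SIGNINS = {
    "finance_on_network": SignIn("alice@contoso.example", frozenset({"finance"}), "ERP",
                                 "Browser", trusted_location=True, device_compliant=True),
    "finance_from_cafe": SignIn("alice@contoso.example", frozenset({"finance"}), "ERP",
                                "Browser", trusted_location=False, device_compliant=True),
    "imap_anywhere": SignIn("bob@contoso.example", frozenset({"sales"}),
                            "Office 365 Exchange Online", "IMAP4",
                            trusted_location=True, device_compliant=True),
    "risky_admin": SignIn("carol@contoso.example", frozenset({"it-admins"}), "Azure portal",
                          "Browser", trusted_location=False, device_compliant=False,
                          sign_in_risk="medium"),
}
```

Two things the model makes visible: the finance user is not prompted on the corporate network but is prompted from an untrusted location (option 2), and turning on per-user MFA for that same user adds the prompt on every sign-in, which is the sense in which option 1 overrides the policy's conditions. The legacy IMAP sign-in is blocked outright because a block grant is evaluated before any control is considered.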

Organizations that don't add extra layers of identity protection, such as two-step verification, are more susceptible to credential theft attacks. A credential theft attack can lead to data compromise.

Use role-based access control

Access management for cloud resources is critical for any organization that uses the cloud. Role-based access control (RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.

Designating groups or individual roles responsible for specific functions in Azure helps avoid confusion that can lead to human and automation errors that create security risks. Restricting access based on the need-to-know and least-privilege security principles is imperative for organizations that want to enforce security policies for data access.

Your security team needs visibility into your Azure resources in order to assess and remediate risk. If the security team has operational responsibilities, they need additional permissions to do their jobs.

You can use RBAC to assign permissions to users, groups, and applications at a certain scope. The scope of a role assignment can be a subscription, a resource group, or a single resource.

Best practice: Segregate duties within your team and grant only the amount of access that users need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or resources, allow only certain actions at a particular scope.
Detail: Use built-in RBAC roles in Azure to assign privileges to users.

Specific permissions create unneeded complexity and confusion, accumulating into a "legacy" configuration that's difficult to fix without fear of breaking something. Avoid resource-specific permissions. Instead, use management groups for enterprise-wide permissions and resource groups for permissions within subscriptions. Avoid user-specific permissions. Instead, assign access to groups in Azure AD.

Best practice: Grant security teams with Azure responsibilities access to see Azure resources so they can assess and remediate risk.
Detail: Grant security teams the RBAC Security Reader role. You can use the root management group or the segment management group, depending on the scope of responsibilities:

  • Root management group for teams responsible for all enterprise resources
  • Segment management group for teams with limited scope (commonly because of regulatory or other organizational boundaries)

Best practice: Grant the appropriate permissions to security teams that have direct operational responsibilities.
Detail: Review the RBAC built-in roles for the appropriate role assignment. If the built-in roles don't meet the specific needs of your organization, you can create custom roles for Azure resources. As with built-in roles, you can assign custom roles to users, groups, and service principals at subscription, resource group, and resource scopes.

Best practice: Grant Azure Security Center access to security roles that need it. Security Center allows security teams to quickly identify and remediate risks.
Detail: Add security teams with these needs to the RBAC Security Admin role so they can view security policies, view security states, edit security policies, view alerts and recommendations, and dismiss alerts and recommendations. You can do this by using the root management group or the segment management group, depending on the scope of responsibilities.

Organizations that don't enforce data access control by using capabilities like RBAC might be giving more privileges than necessary to their users. This can lead to data compromise by allowing users to access types of data (for example, high business impact) that they shouldn't have.

Lower exposure of privileged accounts

Securing privileged access is a critical first step to protecting business assets. Minimizing the number of people who have access to secure information or resources reduces the chance of a malicious user getting access, or of an authorized user inadvertently affecting a sensitive resource.

Privileged accounts are accounts that administer and manage IT systems. Cyber attackers target these accounts to gain access to an organization's data and systems. To secure privileged access, you should isolate the accounts and systems from the risk of being exposed to a malicious user.

We recommend that you develop and follow a roadmap to secure privileged access against cyber attackers. For information about creating a detailed roadmap to secure identities and access that are managed or reported in Azure AD, Microsoft Azure, Office 365, and other cloud services, review Securing privileged access for hybrid and cloud deployments in Azure AD.

The following summarizes the best practices found in Securing privileged access for hybrid and cloud deployments in Azure AD:

Best practice: Manage, control, and monitor access to privileged accounts.
Detail: Turn on Azure AD Privileged Identity Management. After you turn on Privileged Identity Management, you'll receive notification email messages for privileged access role changes. These notifications provide early warning when additional users are added to highly privileged roles in your directory.

Best practice: Ensure all critical admin accounts are managed Azure AD accounts.
Detail: Remove any consumer accounts from critical admin roles (for example, Microsoft accounts like hotmail.com, live.com, and outlook.com).

Best practice: Ensure all critical admin roles have a separate account for administrative tasks, to avoid phishing and other attacks compromising administrative privileges.
Detail: Create a separate admin account that's assigned the privileges needed to perform the administrative tasks. Block the use of these administrative accounts for daily productivity tools like Microsoft Office 365 email or arbitrary web browsing.

Best practice: Identify and categorize accounts that are in highly privileged roles.
Detail: After turning on Azure AD Privileged Identity Management, view the users who are in the Global Administrator, Privileged Role Administrator, and other highly privileged roles. Remove any accounts that are no longer needed in those roles, and categorize the remaining accounts that are assigned to admin roles:

  • Individually assigned to administrative users, and can be used for non-administrative purposes (for example, personal email)
  • Individually assigned to administrative users and designated for administrative purposes only
  • Shared across multiple users
  • For emergency access scenarios
  • For automated scripts
  • For external users

Best practice: Implement "just in time" (JIT) access to further lower the exposure time of privileges and increase your visibility into the use of privileged accounts.
Detail: Azure AD Privileged Identity Management lets you:

  • Limit users to only taking on their privileges JIT.
  • Assign roles for a shortened duration with confidence that the privileges are revoked automatically.

Best practice: Define at least two emergency access accounts.
Detail: Emergency access accounts help organizations restrict privileged access in an existing Azure Active Directory environment. These accounts are highly privileged and are not assigned to specific individuals. Emergency access accounts are limited to scenarios where normal administrative accounts can't be used. Organizations must limit the emergency account's usage to only the necessary amount of time.

Evaluate the accounts that are assigned or eligible for the Global Administrator role. If you don't see any cloud-only accounts using the *.onmicrosoft.com domain (intended for emergency access), create them. For more information, see Managing emergency access administrative accounts in Azure AD.

Best practice: Have a "break glass" process in place in case of an emergency.
Detail: Follow the steps in Securing privileged access for hybrid and cloud deployments in Azure AD.

Best practice: Require all critical admin accounts to be password-less (preferred), or require Multi-Factor Authentication.
Detail: Use the Microsoft Authenticator app to sign in to any Azure AD account without using a password. Like Windows Hello for Business, Microsoft Authenticator uses key-based authentication to enable a user credential that's tied to a device and uses biometric authentication or a PIN.

Require Azure Multi-Factor Authentication at sign-in for all individual users who are permanently assigned to one or more of the Azure AD admin roles: Global Administrator, Privileged Role Administrator, Exchange Online Administrator, and SharePoint Online Administrator. Enable Multi-Factor Authentication for your admin accounts and ensure that admin account users have registered.
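The script below is an added example, not part of the original article. It applies several of the checks from the best practices above to one export of privileged role members: consumer Microsoft accounts in admin roles, external (guest) accounts in admin roles, Global Administrators synced from on-premises AD (the pivot path the centralization section warns about), permanently assigned members of the four roles listed above who have not registered for MFA, and fewer than two cloud-only emergency access accounts. The records and their field names (role, upn, mail, userType, onPremisesSynced, assignment, mfaRegistered) are constructed for the example; an export from Microsoft Graph or PowerShell will need its fields mapped onto these names.

```python
"""Audit the membership of highly privileged Azure AD roles.

Added example. SAMPLE_ROLE_MEMBERS is constructed; field names are assumptions.
"""

CONSUMER_DOMAINS = {"hotmail.com", "live.com", "outlook.com"}
# Roles named in the article as requiring MFA for permanently assigned members.
MFA_REQUIRED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                      "Exchange Online Administrator", "SharePoint Online Administrator"}

SAMPLE_ROLE_MEMBERS = [
    {"role": "Global Administrator", "upn": "breakglass-01@contoso.onmicrosoft.com",
     "mail": "breakglass-01@contoso.onmicrosoft.com", "userType": "Member",
     "onPremisesSynced": False, "assignment": "permanent", "mfaRegistered": True},
    {"role": "Global Administrator", "upn": "adm-alice@contoso.example",
     "mail": "adm-alice@contoso.example", "userType": "Member",
     "onPremisesSynced": False, "assignment": "eligible", "mfaRegistered": True},
    {"role": "Global Administrator", "upn": "bob@corp.contoso.example",
     "mail": "bob@corp.contoso.example", "userType": "Member",
     "onPremisesSynced": True, "assignment": "permanent", "mfaRegistered": False},
    # A personal Microsoft account invited as a guest and given an admin role.
    {"role": "Exchange Online Administrator",
     "upn": "carol_hotmail.com#EXT#@contoso.onmicrosoft.com",
     "mail": "carol@hotmail.com", "userType": "Guest",
     "onPremisesSynced": False, "assignment": "permanent", "mfaRegistered": False},
    {"role": "SharePoint Online Administrator", "upn": "dave@contoso.example",
     "mail": "dave@contoso.example", "userType": "Member",
     "onPremisesSynced": False, "assignment": "permanent", "mfaRegistered": True},
    {"role": "Global Reader", "upn": "erin@contoso.example",
     "mail": "erin@contoso.example", "userType": "Member",
     "onPremisesSynced": False, "assignment": "permanent", "mfaRegistered": False},
]


def is_emergency_account(m):
    """Cloud-only Global Administrator on the tenant's *.onmicrosoft.com domain."""
    upn = m["upn"].lower()
    return (m["role"] == "Global Administrator" and not m["onPremisesSynced"]
            and upn.endswith(".onmicrosoft.com") and "#ext#" not in upn)


def audit_admins(members, min_emergency_accounts=2):
    """Return (account, role, issue) tuples; the tenant-level check comes last."""
    findings = []
    for m in members:
        domain = m.get("mail", m["upn"]).rsplit("@", 1)[-1].lower()
        if domain in CONSUMER_DOMAINS:
            findings.append((m["upn"], m["role"],
                             "consumer Microsoft account in an admin role; switch to a work or school account"))
        if m["userType"] == "Guest":
            findings.append((m["upn"], m["role"], "external (guest) account in an admin role"))
        if m["role"] == "Global Administrator" and m["onPremisesSynced"]:
            findings.append((m["upn"], m["role"],
                             "Global Administrator synced from on-premises AD; use a cloud-only admin account"))
        if (m["role"] in MFA_REQUIRED_ROLES and m["assignment"] == "permanent"
                and not m["mfaRegistered"]):
            findings.append((m["upn"], m["role"],
                             "permanent privileged assignment without MFA registration"))
    emergency = [m["upn"] for m in members if is_emergency_account(m)]
    if len(emergency) < min_emergency_accounts:
        findings.append(("(tenant)", "Global Administrator",
                         f"only {len(emergency)} cloud-only emergency access account(s); "
                         f"define at least {min_emergency_accounts}"))
    return findings


if __name__ == "__main__":
    for account, role, issue in audit_admins(SAMPLE_ROLE_MEMBERS):
        print(f"{account} [{role}]: {issue}")
```

Eligible (PIM) assignments are not held to the MFA-registration check here because the article's requirement is stated for permanently assigned members; whether your break-glass accounts are excluded from the MFA policy is a decision for your emergency access procedure and is not encoded in the script.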

最佳做法:对于关键的管理员帐户,具有管理工作站的生产任务不允许 (适用于示例、 浏览和电子邮件)。Best practice: For critical admin accounts, have an admin workstation where production tasks aren’t allowed (for example, browsing and email). 这将从使用浏览和电子邮件,并显著降低出现重大事件的风险的攻击手段来保护管理员帐户。This will protect your admin accounts from attack vectors that use browsing and email and significantly lower your risk of a major incident. 详细信息:使用管理工作站。Detail: Use an admin workstation. 选择工作站安全的级别:Choose a level of workstation security:

  • 高度安全的工作效率的设备提供用于浏览的高级的安全性和工作效率的其他任务。Highly secure productivity devices provide advanced security for browsing and other productivity tasks.
  • 特权访问工作站 (Paw)提供专用的操作系统免受 internet 攻击和威胁向量为敏感任务。Privileged Access Workstations (PAWs) provide a dedicated operating system that’s protected from internet attacks and threat vectors for sensitive tasks.

最佳做法:当员工离开组织时,取消设置管理员帐户。Best practice: Deprovision admin accounts when employees leave your organization. 详细信息:在禁用或当员工离开组织时删除管理员帐户的位置有一个进程。Detail: Have a process in place that disables or deletes admin accounts when employees leave your organization.

Best practice: Regularly test admin accounts by using current attack techniques. Detail: Use Office 365 Attack Simulator or a third-party offering to run realistic attack scenarios in your organization. This can help you find vulnerable users before a real attack occurs.

Best practice: Take steps to mitigate the most frequently used attack techniques.
Detail:

  • Identify Microsoft accounts in administrative roles that need to be switched to work or school accounts
  • Ensure separate user accounts and mail forwarding for global administrator accounts
  • Ensure that the passwords of administrative accounts have recently changed
  • Turn on password hash synchronization
  • Require Multi-Factor Authentication for users in all privileged roles as well as exposed users
  • Obtain your Office 365 Secure Score (if using Office 365)
  • Review the Office 365 security and compliance guidance (if using Office 365)
  • Configure Office 365 Activity Monitoring (if using Office 365)
  • Establish incident/emergency response plan owners
  • Secure on-premises privileged administrative accounts

If you don’t secure privileged access, you might find that you have too many users in highly privileged roles and are more vulnerable to attacks. Malicious actors, including cyber attackers, often target admin accounts and other elements of privileged access to gain access to sensitive data and systems by using credential theft.
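The following is an added example, not part of the original article or of Microsoft's own tooling. It is an audit script, written with the Microsoft Graph PowerShell SDK, for the first, third and deprovisioning items above: it enumerates the Global Administrator role, flags members that are external or personal accounts (guest user type or a `#EXT#` user principal name), members whose password has not changed within a chosen window, and disabled accounts that still hold the role. The 90-day password-age threshold is an assumption; replace it with your own policy value.

```powershell
# Added example (not from the original article): audit Global Administrator role
# members with the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All'

$maxPasswordAgeDays = 90                      # assumed threshold; set to your policy
$cutoff = (Get-Date).AddDays(-$maxPasswordAgeDays)

# Get-MgDirectoryRole only returns roles that have been activated in the tenant.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $role) { throw 'Global Administrator role has not been activated in this tenant.' }

$findings = foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
    # Members may be users, groups or service principals; only users carry passwords.
    if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $user = Get-MgUser -UserId $member.Id `
        -Property 'userPrincipalName,userType,lastPasswordChangeDateTime,accountEnabled'

    $issues = @()
    # Item 1: external or personal accounts that should be work or school accounts.
    if ($user.UserType -eq 'Guest' -or $user.UserPrincipalName -like '*#EXT#*') {
        $issues += 'external or personal account holding an admin role'
    }
    # Item 3: stale passwords on administrative accounts.
    if ($user.LastPasswordChangeDateTime -and $user.LastPasswordChangeDateTime -lt $cutoff) {
        $issues += "password unchanged since $($user.LastPasswordChangeDateTime.ToString('yyyy-MM-dd'))"
    }
    # Deprovisioning: a disabled account should not keep a privileged role.
    if (-not $user.AccountEnabled) {
        $issues += 'disabled account still assigned the role'
    }

    if ($issues.Count -gt 0) {
        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            Issues            = $issues -join '; '
        }
    }
}

$findings | Format-Table -AutoSize
```

Run the same loop over the other privileged roles (Privileged Role Administrator, Exchange Administrator, SharePoint Administrator) by changing the display name in the filter; the findings table is a convenient input for the incident/emergency response plan owners named in the list.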

Control locations where resources are created

Enabling cloud operators to perform tasks while preventing them from breaking conventions that are needed to manage your organization's resources is very important. Organizations that want to control the locations where resources are created should hard code these locations.

You can use Azure Resource Manager to create security policies whose definitions describe the actions or resources that are specifically denied. You assign those policy definitions at the desired scope, such as the subscription, the resource group, or an individual resource.

Security policies are not the same as RBAC. They actually use RBAC to authorize users to create those resources.

Organizations that are not controlling how resources are created are more susceptible to users who might abuse the service by creating more resources than they need. Hardening the resource creation process is an important step to securing a multitenant scenario.
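The following is an added example, not part of the original article. It shows the hard-coding of allowed locations described above as an Azure Policy assignment made with the Az PowerShell module: the built-in "Allowed locations" definition (its definition name is the well-known ID `e56962a6-4747-49cd-b67b-bf8b01975c4c`) is assigned at subscription scope, so deployments to any other region are denied. The subscription ID, region list and assignment name are placeholders; the final query lists resources that already sit outside the allowed regions, because a deny policy blocks new resources but does not move existing ones.

```powershell
# Added example (not from the original article): restrict resource locations with
# the built-in "Allowed locations" policy, using the Az PowerShell module.
Connect-AzAccount

$subscriptionId   = '<your-subscription-id>'          # placeholder
$allowedLocations = @('eastus', 'westus2')             # placeholder region list
$scope            = "/subscriptions/$subscriptionId"

Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# Validate the list against regions the subscription can see, so a typo does not
# silently deny every deployment.
$knownLocations = (Get-AzLocation).Location
$unknown = $allowedLocations | Where-Object { $_ -notin $knownLocations }
if ($unknown) { throw "Unknown location(s): $($unknown -join ', ')" }

# Built-in definition "Allowed locations"; its single parameter is listOfAllowedLocations.
$definition = Get-AzPolicyDefinition -Name 'e56962a6-4747-49cd-b67b-bf8b01975c4c'

$assignment = New-AzPolicyAssignment `
    -Name 'restrict-resource-locations' `
    -DisplayName 'Restrict resource locations' `
    -Scope $scope `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{ listOfAllowedLocations = $allowedLocations }

"Assigned $($assignment.Name) at $scope"

# Existing resources are not affected by the deny effect; report the ones that are
# already outside the allowed regions. 'global' resources (DNS zones, Traffic
# Manager profiles) have no region and are excluded from the check.
Get-AzResource |
    Where-Object { $_.Location -notin $allowedLocations -and $_.Location -ne 'global' } |
    Select-Object Name, ResourceType, ResourceGroupName, Location
```

Assigning at subscription scope matches the article's point that policy and RBAC are complementary: an operator may hold Contributor rights on a resource group and still be denied a deployment to a region the policy does not list.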

Actively monitor for suspicious activities

An active identity monitoring system can quickly detect suspicious behavior and trigger an alert for further investigation. The following table lists two Azure AD capabilities that can help organizations monitor their identities:

Best practice: Have a method to identify:

Detail: Use Azure AD Premium anomaly reports. Have processes and procedures in place for IT admins to run these reports on a daily basis or on demand (usually in an incident response scenario).

Best practice: Have an active monitoring system that notifies you of risks and can adjust risk level (high, medium, or low) to your business requirements.
Detail: Use Azure AD Identity Protection, which flags the current risks on its own dashboard and sends daily summary notifications via email. To help protect your organization's identities, you can configure risk-based policies that automatically respond to detected issues when a specified risk level is reached.

Organizations that don’t actively monitor their identity systems are at risk of having user credentials compromised. Without knowledge that suspicious activities are taking place through these credentials, organizations can’t mitigate this type of threat.

Use Azure AD for storage authentication

Azure Storage supports authentication and authorization with Azure AD for Blob storage and Queue storage. With Azure AD authentication, you can use Azure role-based access control to grant specific permissions to users, groups, and applications down to the scope of an individual blob container or queue.

We recommend that you use Azure AD for authenticating access to storage.

Next step

See Azure security best practices and patterns for more security best practices to use when you’re designing, deploying, and managing your cloud solutions by using Azure.
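The following is an added example, not part of the original article. It shows the recommendation above with the Az PowerShell module: a user is granted the Storage Blob Data Reader role on a single container, and the container is then read with an Azure AD token for the signed-in account rather than with the storage account key. The subscription ID, resource group, storage account, container and user sign-in name are placeholders; the account-key pattern is shown only in comments as the weak alternative this replaces.

```powershell
# Added example (not from the original article): Azure AD RBAC on one blob container
# and data access with an Azure AD token, using the Az PowerShell module.
Connect-AzAccount

$subscriptionId = '<your-subscription-id>'   # placeholder
$resourceGroup  = 'rg-example'               # placeholder
$accountName    = 'stexample'                # placeholder
$containerName  = 'reports'                  # placeholder
$userSignIn     = 'alice@contoso.example'    # placeholder

# Scope the role to one container; "down to the scope of an individual blob
# container" is the point of the recommendation.
$containerScope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
    "/providers/Microsoft.Storage/storageAccounts/$accountName" +
    "/blobServices/default/containers/$containerName"

New-AzRoleAssignment -SignInName $userSignIn `
    -RoleDefinitionName 'Storage Blob Data Reader' `
    -Scope $containerScope

# Weak pattern this replaces: a context built from the account key gives everyone
# who holds the key full data-plane access to every container, with no per-user
# identity in the audit trail.
#   $key = (Get-AzStorageAccountKey -ResourceGroupName $resourceGroup -Name $accountName)[0].Value
#   $ctx = New-AzStorageContext -StorageAccountName $accountName -StorageAccountKey $key

# Preferred: -UseConnectedAccount obtains an Azure AD token for the signed-in
# identity, and access is decided by the RBAC assignment above.
$ctx = New-AzStorageContext -StorageAccountName $accountName -UseConnectedAccount
Get-AzStorageBlob -Container $containerName -Context $ctx |
    Select-Object Name, Length, LastModified

# Review who holds data-plane roles on this container.
Get-AzRoleAssignment -Scope $containerScope |
    Where-Object { $_.RoleDefinitionName -like 'Storage Blob Data*' } |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

Because the token identifies the caller, storage access logs show which user or application read the data; with a shared account key every caller is indistinguishable, which is the monitoring gap the previous section warns about.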