
Azure Identity Management and access control security best practices

In this article, we discuss a collection of Azure identity management and access control security best practices. These best practices are derived from our experience with Azure AD and the experiences of customers like yourself.

For each best practice, we explain:

  • What the best practice is
  • Why you want to enable that best practice
  • What might be the result if you fail to enable the best practice
  • Possible alternatives to the best practice
  • How you can learn to enable the best practice

This Azure identity management and access control security best practices article is based on a consensus opinion and Azure platform capabilities and feature sets, as they exist at the time this article was written.

The intention in writing this article is to provide a general roadmap to a more robust security posture after deployment, guided by our “5 steps to securing your identity infrastructure” checklist, which walks you through some of our core features and services.

Opinions and technologies change over time, and this article will be updated on a regular basis to reflect those changes.

Azure identity management and access control security best practices discussed in this article include:

  • Treat identity as the primary security perimeter
  • Centralize identity management
  • Manage connected tenants
  • Enable single sign-on
  • Turn on Conditional Access
  • Plan for routine security improvements
  • Enable password management
  • Enforce multi-factor verification for users
  • Use role-based access control
  • Lower exposure of privileged accounts
  • Control locations where resources are located
  • Use Azure AD for storage authentication

Treat identity as the primary security perimeter

Many consider identity to be the primary perimeter for security. This is a shift from the traditional focus on network security. Network perimeters keep getting more porous, and perimeter defense can’t be as effective as it was before the explosion of BYOD devices and cloud applications.

Azure Active Directory (Azure AD) is the Azure solution for identity and access management. Azure AD is a multitenant, cloud-based directory and identity management service from Microsoft. It combines core directory services, application access management, and identity protection into a single solution.

The following sections list best practices for identity and access security using Azure AD.

Best practice: Center security controls and detections around user and service identities.
Detail: Use Azure AD to collocate controls and identities.

Centralize identity management

In a hybrid identity scenario, we recommend that you integrate your on-premises and cloud directories. Integration enables your IT team to manage accounts from one location, regardless of where an account is created. Integration also helps your users be more productive by providing a common identity for accessing both cloud and on-premises resources.

Best practice: Establish a single Azure AD instance. Consistency and a single authoritative source will increase clarity and reduce security risks from human errors and configuration complexity.
Detail: Designate a single Azure AD directory as the authoritative source for corporate and organizational accounts.

Best practice: Integrate your on-premises directories with Azure AD.
Detail: Use Azure AD Connect to synchronize your on-premises directory with your cloud directory.

There are factors that affect the performance of Azure AD Connect. Ensure Azure AD Connect has enough capacity to keep underperforming systems from impeding security and productivity. Large or complex organizations (organizations provisioning more than 100,000 objects) should follow the recommendations to optimize their Azure AD Connect implementation.

Best practice: Don’t synchronize accounts to Azure AD that have high privileges in your existing Active Directory instance.
Detail: Don’t change the default Azure AD Connect configuration that filters out these accounts. This configuration mitigates the risk of adversaries pivoting from cloud to on-premises assets (which could create a major incident).

Best practice: Turn on password hash synchronization.
Detail: Password hash synchronization is a feature used to sync user password hashes from an on-premises Active Directory instance to a cloud-based Azure AD instance. This sync helps to protect against leaked credentials being replayed from previous attacks.

Even if you decide to use federation with Active Directory Federation Services (AD FS) or other identity providers, you can optionally set up password hash synchronization as a backup in case your on-premises servers fail or become temporarily unavailable. This sync enables users to sign in to the service by using the same password that they use to sign in to their on-premises Active Directory instance. It also allows Identity Protection to detect compromised credentials by comparing synchronized password hashes with passwords known to be compromised, if a user has used the same email address and password on other services that aren't connected to Azure AD.

For more information, see Implement password hash synchronization with Azure AD Connect sync.

Best practice: For new application development, use Azure AD for authentication.
Detail: Use the correct capabilities to support authentication:

  • Azure AD for employees
  • Azure AD B2B for guest users and external partners
  • Azure AD B2C to control how customers sign up, sign in, and manage their profiles when they use your applications

Organizations that don’t integrate their on-premises identity with their cloud identity can have more overhead in managing accounts. This overhead increases the likelihood of mistakes and security breaches.

You need to choose which directories critical accounts will reside in and whether the admin workstation used is managed by new cloud services or existing processes. Using existing management and identity provisioning processes can decrease some risks but can also create the risk of an attacker compromising an on-premises account and pivoting to the cloud. You might want to use a different strategy for different roles (for example, IT admins vs. business unit admins). You have two options. The first option is to create Azure AD accounts that aren’t synchronized with your on-premises Active Directory instance. Join your admin workstation to Azure AD, which you can manage and patch by using Microsoft Intune. The second option is to use existing admin accounts by synchronizing to your on-premises Active Directory instance. Use existing workstations in your Active Directory domain for management and security.

Manage connected tenants

Your security organization needs visibility to assess risk and to determine whether the policies of your organization, and any regulatory requirements, are being followed. You should ensure that your security organization has visibility into all subscriptions connected to your production environment and network (via Azure ExpressRoute or site-to-site VPN). A Global Administrator/Company Administrator in Azure AD can elevate their access to the User Access Administrator role and see all subscriptions and management groups connected to your environment.

See Elevate access to manage all Azure subscriptions and management groups to ensure that you and your security group can view all subscriptions or management groups connected to your environment. You should remove this elevated access after you’ve assessed risks.

Enable single sign-on

In a mobile-first, cloud-first world, you want to enable single sign-on (SSO) to devices, apps, and services from anywhere so your users can be productive wherever and whenever. When you have multiple identity solutions to manage, this becomes an administrative problem not only for IT but also for users who have to remember multiple passwords.

By using the same identity solution for all your apps and resources, you can achieve SSO. Your users can then use the same set of credentials to sign in and access the resources that they need, whether the resources are located on-premises or in the cloud.

Best practice: Enable SSO.
Detail: Azure AD extends on-premises Active Directory to the cloud. Users can use their primary work or school account for their domain-joined devices, company resources, and all of the web and SaaS applications that they need to get their jobs done. Users don’t have to remember multiple sets of usernames and passwords, and their application access can be automatically provisioned (or deprovisioned) based on their organization group memberships and their status as an employee. You can control that access for gallery apps or for your own on-premises apps that you’ve developed and published through the Azure AD Application Proxy.

Use SSO to enable users to access their SaaS applications based on their work or school account in Azure AD. This is applicable not only for Microsoft SaaS apps, but also for other apps, such as Google Apps and Salesforce. You can configure your application to use Azure AD as a SAML-based identity provider. As a security control, Azure AD does not issue a token that allows users to sign in to the application unless they have been granted access through Azure AD. You can grant access directly, or through a group that users are a member of.

Organizations that don’t create a common identity to establish SSO for their users and applications are more exposed to scenarios where users have multiple passwords. These scenarios increase the likelihood of users reusing passwords or using weak passwords.

Turn on Conditional Access

Users can access your organization's resources by using a variety of devices and apps from anywhere. As an IT admin, you want to make sure that these devices meet your standards for security and compliance. Just focusing on who can access a resource is not sufficient anymore.

To balance security and productivity, you need to think about how a resource is accessed before you can make a decision about access control. With Azure AD Conditional Access, you can address this requirement. With Conditional Access, you can make automated access control decisions based on conditions for accessing your cloud apps.

Best practice: Manage and control access to corporate resources.
Detail: Configure common Azure AD Conditional Access policies based on a group, location, and application sensitivity for SaaS apps and Azure AD–connected apps.

Best practice: Block legacy authentication protocols.
Detail: Attackers exploit weaknesses in older protocols every day, particularly for password spray attacks. Configure Conditional Access to block legacy protocols.
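The following is an added example, not code from the original article or from Microsoft. It assembles the request body of a Conditional Access policy in the shape Microsoft Graph expects for `POST /identity/conditionalAccess/policies`, targeting the legacy client app types (`exchangeActiveSync` and `other`) with a `block` grant control, and lints the body before it is sent. The display name, the excluded account ids and the lint rules are assumptions; the policy is built in report-only mode first, which is the usual way to find out who still depends on legacy protocols before enforcing the block.

```python
"""Added example (not from the original article or from Microsoft): build and
lint a Graph conditionalAccessPolicy body that blocks legacy authentication.
Display name, excluded ids and lint rules are assumptions; no network calls."""
import json

# Graph clientAppTypes values that represent legacy (non-modern) authentication.
LEGACY_CLIENT_APP_TYPES = ["exchangeActiveSync", "other"]
MODERN_CLIENT_APP_TYPES = {"all", "browser", "mobileAppsAndDesktopClients"}


def build_block_legacy_auth_policy(emergency_account_ids, enforce=False):
    """Return a policy body that blocks legacy auth for all users and apps.

    The policy starts in report-only mode unless enforce=True, so the sign-in
    logs show which accounts still use legacy protocols before anyone is
    locked out. Emergency access (break-glass) accounts are always excluded
    from a blocking policy.
    """
    return {
        "displayName": "Block legacy authentication (constructed example)",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": list(emergency_account_ids),
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": list(LEGACY_CLIENT_APP_TYPES),
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def lint_policy(policy):
    """Return the problems a reviewer would raise before the policy is enforced."""
    problems = []
    conds = policy.get("conditions", {})
    client_apps = set(conds.get("clientAppTypes", []))
    if not conds.get("users", {}).get("excludeUsers"):
        problems.append("no emergency access accounts excluded")
    if client_apps & MODERN_CLIENT_APP_TYPES:
        problems.append("policy would also block modern authentication clients")
    if not client_apps & set(LEGACY_CLIENT_APP_TYPES):
        problems.append("no legacy client app types targeted")
    if policy.get("grantControls", {}).get("builtInControls") != ["block"]:
        problems.append("grant control is not 'block'")
    return problems


def to_request_body(policy):
    """Serialize the policy as the JSON document that would be POSTed to Graph."""
    return json.dumps(policy, indent=2, sort_keys=True)


if __name__ == "__main__":
    # Placeholder object id for a break-glass account (constructed).
    policy = build_block_legacy_auth_policy(["11111111-1111-1111-1111-111111111111"])
    print("lint:", lint_policy(policy) or "clean")
    print(to_request_body(policy))
```

After a report-only run shows no unexpected sign-ins, the same body is rebuilt with `enforce=True`; the linter refuses a body that widens `clientAppTypes` to modern clients, which would turn a legacy-auth block into an outage.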

Plan for routine security improvements

Security is always evolving, and it is important to build into your cloud and identity management framework a way to regularly show growth and discover new ways to secure your environment.

Identity Secure Score is a set of recommended security controls that Microsoft publishes; it gives you a numerical score to objectively measure your security posture and helps you plan future security improvements. You can also view your score in comparison to those in other industries, as well as your own trends over time.

Best practice: Plan routine security reviews and improvements based on best practices in your industry.
Detail: Use the Identity Secure Score feature to rank your improvements over time.

Enable password management

If you have multiple tenants or you want to enable users to reset their own passwords, it’s important that you use appropriate security policies to prevent abuse.

Best practice: Set up self-service password reset (SSPR) for your users.
Detail: Use the Azure AD self-service password reset feature.

Best practice: Monitor how or if SSPR is really being used.
Detail: Monitor the users who are registering by using the Azure AD Password Reset Registration Activity report. The reporting feature that Azure AD provides helps you answer questions by using prebuilt reports. If you're appropriately licensed, you can also create custom queries.

Best practice: Extend cloud-based password policies to your on-premises infrastructure.
Detail: Enhance password policies in your organization by performing the same checks for on-premises password changes as you do for cloud-based password changes. Install Azure AD password protection for Windows Server Active Directory agents on-premises to extend banned password lists to your existing infrastructure. Users and admins who change, set, or reset passwords on-premises are then required to comply with the same password policy as cloud-only users.

Enforce multi-factor verification for users

We recommend that you require two-step verification for all of your users. This includes administrators and others in your organization who can have a significant impact if their account is compromised (for example, financial officers).

There are multiple options for requiring two-step verification. The best option for you depends on your goals, the Azure AD edition you’re running, and your licensing program. See How to require two-step verification for a user to determine the best option for you. See the Azure AD and Azure Multi-Factor Authentication pricing pages for more information about licenses and pricing.

Following are options and benefits for enabling two-step verification:

Option 1: Enable MFA for all users and login methods with Azure AD Security Defaults.
Benefit: This option enables you to easily and quickly enforce MFA for all users in your environment with a stringent policy to:

  • Challenge administrative accounts and administrative logon mechanisms
  • Require MFA challenge via Microsoft Authenticator for all users
  • Restrict legacy authentication protocols

This method is available to all licensing tiers but cannot be mixed with existing Conditional Access policies. You can find more information in Azure AD Security Defaults.

Option 2: Enable Multi-Factor Authentication by changing user state.
Benefit: This is the traditional method for requiring two-step verification. It works with both Azure Multi-Factor Authentication in the cloud and Azure Multi-Factor Authentication Server. Using this method requires users to perform two-step verification every time they sign in and overrides Conditional Access policies.

To determine where Multi-Factor Authentication needs to be enabled, see Which version of Azure MFA is right for my organization?

Option 3: Enable Multi-Factor Authentication with Conditional Access policy.
Benefit: This option allows you to prompt for two-step verification under specific conditions by using Conditional Access. Specific conditions can be user sign-in from different locations, untrusted devices, or applications that you consider risky. Defining specific conditions where you require two-step verification enables you to avoid constant prompting for your users, which can be an unpleasant user experience.

This is the most flexible way to enable two-step verification for your users. Enabling a Conditional Access policy works only for Azure Multi-Factor Authentication in the cloud and is a premium feature of Azure AD. You can find more information on this method in Deploy cloud-based Azure Multi-Factor Authentication.

Option 4: Enable Multi-Factor Authentication with Conditional Access policies by evaluating Risk-based Conditional Access policies.
Benefit: This option enables you to:

  • Detect potential vulnerabilities that affect your organization’s identities.
  • Configure automated responses to detected suspicious actions that are related to your organization’s identities.
  • Investigate suspicious incidents and take appropriate action to resolve them.

This method uses the Azure AD Identity Protection risk evaluation to determine if two-step verification is required based on user and sign-in risk for all cloud applications. This method requires Azure Active Directory P2 licensing. You can find more information on this method in Azure Active Directory Identity Protection.

Option 2, enabling Multi-Factor Authentication by changing the user state, overrides Conditional Access policies. Because options 3 and 4 use Conditional Access policies, you cannot use option 2 with them.

Organizations that don’t add extra layers of identity protection, such as two-step verification, are more susceptible to credential theft attacks. A credential theft attack can lead to data compromise.

Use role-based access control

Access management for cloud resources is critical for any organization that uses the cloud. Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.

Designating groups or individual roles responsible for specific functions in Azure helps avoid confusion that can lead to human and automation errors that create security risks. Restricting access based on the need-to-know and least-privilege security principles is imperative for organizations that want to enforce security policies for data access.

Your security team needs visibility into your Azure resources in order to assess and remediate risk. If the security team has operational responsibilities, they need additional permissions to do their jobs.

You can use RBAC to assign permissions to users, groups, and applications at a certain scope. The scope of a role assignment can be a subscription, a resource group, or a single resource.

Best practice: Segregate duties within your team and grant only the amount of access to users that they need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or resources, allow only certain actions at a particular scope.
Detail: Use Azure built-in roles to assign privileges to users.

Specific permissions create unneeded complexity and confusion, accumulating into a “legacy” configuration that’s difficult to fix without fear of breaking something. Avoid resource-specific permissions. Instead, use management groups for enterprise-wide permissions and resource groups for permissions within subscriptions. Avoid user-specific permissions. Instead, assign access to groups in Azure AD.

Best practice: Grant security teams with Azure responsibilities access to see Azure resources so they can assess and remediate risk.
Detail: Grant security teams the RBAC Security Reader role. You can use the root management group or the segment management group, depending on the scope of responsibilities:

  • Root management group for teams responsible for all enterprise resources
  • Segment management group for teams with limited scope (commonly because of regulatory or other organizational boundaries)

Best practice: Grant the appropriate permissions to security teams that have direct operational responsibilities.
Detail: Review the RBAC built-in roles for the appropriate role assignment. If the built-in roles don't meet the specific needs of your organization, you can create Azure custom roles. As with built-in roles, you can assign custom roles to users, groups, and service principals at subscription, resource group, and resource scopes.

Best practice: Grant Azure Security Center access to security roles that need it. Security Center allows security teams to quickly identify and remediate risks.
Detail: Add security teams with these needs to the RBAC Security Admin role so they can view security policies, view security states, edit security policies, view alerts and recommendations, and dismiss alerts and recommendations. You can do this by using the root management group or the segment management group, depending on the scope of responsibilities.

Organizations that don’t enforce data access control by using capabilities like RBAC might be giving more privileges than necessary to their users. This can lead to data compromise by allowing users to access types of data (for example, high business impact) that they shouldn’t have.
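The following is an added example, not code from the original article or from Microsoft. It reviews a list of role assignments against the guidance in this section: assignments should go to Azure AD groups rather than individual users, scopes should be management groups or resource groups rather than single resources, and Owner or Contributor at subscription or management group scope is the "unrestricted permissions" the text warns about. The records are constructed in the field layout of `az role assignment list` output (`principalName`, `principalType`, `roleDefinitionName`, `scope`); the principal names, subscription id and management group name are placeholders.

```python
"""Added example (not from the original article or from Microsoft): review Azure
RBAC role assignments against the guidance above. Sample records are constructed
in the layout of `az role assignment list`; names and ids are placeholders."""

# Roles that are effectively unrestricted when granted at a broad scope.
BROAD_ROLES = {"Owner", "Contributor"}


def scope_kind(scope):
    """Classify an Azure scope string as root, managementGroup, subscription,
    resourceGroup or resource (the scope hierarchy RBAC assignments use)."""
    s = scope.strip()
    if s == "/":
        return "root"
    if s.lower().startswith("/providers/microsoft.management/managementgroups/"):
        return "managementGroup"
    parts = s.strip("/").split("/")
    # /subscriptions/<id>[/resourceGroups/<rg>[/providers/<namespace>/<type>/<name>]]
    if parts and parts[0].lower() == "subscriptions":
        if len(parts) == 2:
            return "subscription"
        if len(parts) == 4 and parts[2].lower() == "resourcegroups":
            return "resourceGroup"
        return "resource"
    return "unknown"


def review_assignments(assignments):
    """Return (principalName, finding) pairs for assignments that break the guidance."""
    findings = []
    for a in assignments:
        who, role = a["principalName"], a["roleDefinitionName"]
        kind = scope_kind(a["scope"])
        if a["principalType"] == "User":
            findings.append((who, "user-specific assignment; assign the role to an Azure AD group"))
        if kind == "resource":
            findings.append((who, "resource-specific scope; use a resource group or management group"))
        if role in BROAD_ROLES and kind in ("root", "managementGroup", "subscription"):
            findings.append((who, f"{role} at {kind} scope is effectively unrestricted"))
    return findings


# Constructed sample data (placeholder names and ids).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = [
    {"principalName": "sec-readers", "principalType": "Group",
     "roleDefinitionName": "Security Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/contoso-root"},
    {"principalName": "app-ops", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-app"},
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm01"},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
]

if __name__ == "__main__":
    for who, why in review_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{who}: {why}")
```

In the sample, the Security Reader group at the root management group and the Contributor group at resource-group scope pass clean; the two user assignments each produce two findings (user-specific, plus either a resource-level scope or Owner at subscription scope).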

降低特权帐户的泄露风险Lower exposure of privileged accounts

保护特权访问是保护业务资产的首要步骤。Securing privileged access is a critical first step to protecting business assets. 减少拥有访问权限的人员以保护信息或资源安全,这样可以减小恶意用户获得访问权限,或者已授权用户无意中影响敏感资源的可能性。Minimizing the number of people who have access to secure information or resources reduces the chance of a malicious user getting access, or an authorized user inadvertently affecting a sensitive resource.

特权帐户是指掌控和管理 IT 系统的帐户。Privileged accounts are accounts that administer and manage IT systems. 网络攻击者会攻击这些帐户来获取组织数据和系统的访问权限。Cyber attackers target these accounts to gain access to an organization’s data and systems. 为了保护特权访问,应隔离此类帐户和系统,使其免受恶意用户的威胁。To secure privileged access, you should isolate the accounts and systems from the risk of being exposed to a malicious user.

建议制定并遵循一个路线图,防止特权访问受到网络攻击者的攻击。We recommend that you develop and follow a roadmap to secure privileged access against cyber attackers. 若要详细了解如何在 Azure AD、Microsoft Azure、Microsoft 365 和其他云服务中管理或报告的安全身份和访问,请参阅 Azure AD 中的保护混合和云部署的特权访问For information about creating a detailed roadmap to secure identities and access that are managed or reported in Azure AD, Microsoft Azure, Microsoft 365, and other cloud services, review Securing privileged access for hybrid and cloud deployments in Azure AD.

以下内容总结了确保 Azure AD 中混合部署和云部署的特权访问安全性中介绍的最佳做法:The following summarizes the best practices found in Securing privileged access for hybrid and cloud deployments in Azure AD:

最佳做法:管理、控制和监视对特权帐户的访问。Best practice: Manage, control, and monitor access to privileged accounts.
详细信息:启用 Azure AD Privileged Identity ManagementDetail: Turn on Azure AD Privileged Identity Management. 启用 Privileged Identity Management 以后,会收到有关特权访问角色更改的通知电子邮件。After you turn on Privileged Identity Management, you’ll receive notification email messages for privileged access role changes. 向目录中的高特权角色添加更多用户时,这些通知相当于早期警告。These notifications provide early warning when additional users are added to highly privileged roles in your directory.

最佳做法:确保所有关键管理员帐户都是托管的 Azure AD 帐户。Best practice: Ensure all critical admin accounts are managed Azure AD accounts. 详细信息:从关键管理员角色中删除所有使用者帐户(例如,hotmail.com、live.com 和 outlook.com 等 Microsoft 帐户)。Detail: Remove any consumer accounts from critical admin roles (for example, Microsoft accounts like hotmail.com, live.com, and outlook.com).

最佳做法:确保所有关键管理员角色都有一个单独的帐户来执行管理任务,以免发生网络钓鱼和其他入侵管理权限的攻击。Best practice: Ensure all critical admin roles have a separate account for administrative tasks in order to avoid phishing and other attacks to compromise administrative privileges. 详细信息:创建一个单独的管理员帐户,向其分配执行管理任务所需的权限。Detail: Create a separate admin account that’s assigned the privileges needed to perform the administrative tasks. 阻止使用这些管理帐户进行 Microsoft 365 电子邮件或任意 web 浏览等日常生产力工具。Block the use of these administrative accounts for daily productivity tools like Microsoft 365 email or arbitrary web browsing.

最佳做法:对特许权限高的角色中的帐户进行标识和分类。Best practice: Identify and categorize accounts that are in highly privileged roles.
详细信息:启用 Azure AD Privileged Identity Management 后,请查看角色为全局管理员、特权角色管理员和其他高特权角色的用户。Detail: After turning on Azure AD Privileged Identity Management, view the users who are in the global administrator, privileged role administrator, and other highly privileged roles. 请删除在这些角色中不再需要的任何帐户,并对剩余的分配给管理员角色的帐户分类:Remove any accounts that are no longer needed in those roles, and categorize the remaining accounts that are assigned to admin roles:

  • 单独分配给管理用户,可用于非管理性目的(例如,个人电子邮件)Individually assigned to administrative users, and can be used for non-administrative purposes (for example, personal email)
  • 单独分配给管理用户,按规定只能用于管理目的Individually assigned to administrative users and designated for administrative purposes only
  • 跨多个用户共享Shared across multiple users
  • 适用于紧急访问情况For emergency access scenarios
  • 适用于自动化脚本For automated scripts
  • 适用于外部用户For external users

最佳做法:实行“实时”(JIT) 访问可进一步降低特权的曝光时间,并提高对特权帐户使用情况的可见性。Best practice: Implement “just in time” (JIT) access to further lower the exposure time of privileges and increase your visibility into the use of privileged accounts.
详细信息:利用 Azure AD Privileged Identity Management,可以:Detail: Azure AD Privileged Identity Management lets you:

  • 限制用户只接受他们的权限 JIT。Limit users to only taking on their privileges JIT.
  • 分配时限更短的角色,确信权限会自动撤消。Assign roles for a shortened duration with confidence that the privileges are revoked automatically.

最佳做法:定义至少两个紧急访问帐户。Best practice: Define at least two emergency access accounts.
详细信息:可以使用紧急访问帐户来帮助组织限制现有 Azure Active Directory 环境中的特权访问。Detail: Emergency access accounts help organizations restrict privileged access in an existing Azure Active Directory environment. 这些帐户拥有极高的特权,不要将其分配给特定的个人。These accounts are highly privileged and are not assigned to specific individuals. 紧急访问帐户只能用于不能使用正常管理帐户的情况。Emergency access accounts are limited to scenarios where normal administrative accounts can’t be used. 组织必须将紧急账户的使用限制在必要时间范围内。Organizations must limit the emergency account's usage to only the necessary amount of time.

评估已经获得或有资格获得全局管理员角色的帐户。Evaluate the accounts that are assigned or eligible for the global admin role. 如果使用 *.onmicrosoft.com 域(用于紧急访问)看不到任何仅限云的帐户,请创建此类帐户。If you don’t see any cloud-only accounts by using the *.onmicrosoft.com domain (intended for emergency access), create them. 有关详细信息,请参阅在 Azure AD 中管理紧急访问管理帐户For more information, see Managing emergency access administrative accounts in Azure AD.

Best practice: Have a "break glass" process in place in case of an emergency.
Detail: Follow the steps in Securing privileged access for hybrid and cloud deployments in Azure AD.

Best practice: Require all critical admin accounts to be password-less (preferred), or require Multi-Factor Authentication.
Detail: Use the Microsoft Authenticator app to sign in to any Azure AD account without using a password. Like Windows Hello for Business, Microsoft Authenticator uses key-based authentication to enable a user credential that's tied to a device and uses biometric authentication or a PIN.

Require Azure Multi-Factor Authentication at sign-in for all individual users who are permanently assigned to one or more of the Azure AD admin roles: Global Administrator, Privileged Role Administrator, Exchange Online Administrator, and SharePoint Online Administrator. Enable Multi-Factor Authentication for your admin accounts and ensure that admin account users have registered.
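One way to enforce the MFA requirement for the four admin roles listed above is a Conditional Access policy, shown here as an added example that is not part of the original article. It assumes the Microsoft.Graph PowerShell SDK; the role template names used are the current directory names for those roles (the Exchange and SharePoint roles are named without "Online"), and the emergency account UPNs are placeholders.

```powershell
# Added example (not from the original article): Conditional Access policy that
# requires MFA for privileged directory roles, created in report-only mode.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Directory.Read.All'

# Resolve role template IDs by display name instead of hard-coding GUIDs
$roleNames = 'Global Administrator', 'Privileged Role Administrator',
             'Exchange Administrator', 'SharePoint Administrator'
$roleIds = @(Get-MgDirectoryRoleTemplate |
    Where-Object { $roleNames -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id)

# Exclude the emergency access accounts so a lost MFA device cannot lock the
# tenant out; these UPNs are placeholders.
$breakGlass = 'emergency1@contoso.onmicrosoft.com', 'emergency2@contoso.onmicrosoft.com'
$excludeIds = @(foreach ($upn in $breakGlass) { (Get-MgUser -UserId $upn).Id })

$policy = @{
    displayName = 'Require MFA for privileged directory roles'
    # Report-only first: review the sign-in log impact, then set state = 'enabled'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{
            includeRoles = $roleIds
            excludeUsers = $excludeIds
        }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```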

Best practice: For critical admin accounts, have an admin workstation where production tasks aren't allowed (for example, browsing and email). This will protect your admin accounts from attack vectors that use browsing and email and significantly lower your risk of a major incident.
Detail: Use an admin workstation. Choose a level of workstation security:

  • Highly secure productivity devices provide advanced security for browsing and other productivity tasks.
  • Privileged Access Workstations (PAWs) provide a dedicated operating system that's protected from internet attacks and threat vectors for sensitive tasks.

Best practice: Deprovision admin accounts when employees leave your organization.
Detail: Have a process in place that disables or deletes admin accounts when employees leave your organization.

Best practice: Regularly test admin accounts by using current attack techniques.
Detail: Use Microsoft 365 Attack Simulator or a third-party offering to run realistic attack scenarios in your organization. This can help you find vulnerable users before a real attack occurs.

Best practice: Take steps to mitigate the most frequently used attack techniques.
Detail:

  • Identify Microsoft accounts in administrative roles that need to be switched to work or school accounts
  • Ensure separate user accounts and mail forwarding for global administrator accounts
  • Ensure that the passwords of administrative accounts have recently changed
  • Turn on password hash synchronization
  • Require Multi-Factor Authentication for users in all privileged roles as well as exposed users
  • Obtain your Microsoft 365 Secure Score (if using Microsoft 365)
  • Review the Microsoft 365 security guidance (if using Microsoft 365)
  • Configure Microsoft 365 Activity Monitoring (if using Microsoft 365)
  • Establish incident/emergency response plan owners
  • Secure on-premises privileged administrative accounts

If you don't secure privileged access, you might find that you have too many users in highly privileged roles and are more vulnerable to attacks. Malicious actors, including cyber attackers, often target admin accounts and other elements of privileged access to gain access to sensitive data and systems by using credential theft.

Control locations where resources are created

It is very important to enable cloud operators to perform tasks while preventing them from breaking conventions that are needed to manage your organization's resources. Organizations that want to control the locations where resources are created should hard code these locations.

You can use Azure Resource Manager to create security policies whose definitions describe the actions or resources that are specifically denied. You assign those policy definitions at the desired scope, such as the subscription, the resource group, or an individual resource.

Security policies are not the same as RBAC. They actually use RBAC to authorize users to create those resources.

Organizations that are not controlling how resources are created are more susceptible to users who might abuse the service by creating more resources than they need. Hardening the resource creation process is an important step to securing a multitenant scenario.
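A policy definition that denies resources outside the approved locations and is assigned at resource group scope, as an added example that is not part of the original article. It assumes the Az PowerShell module (Azure Policy); the definition, assignment and resource group names are placeholders.

```powershell
# Added example (not from the original article): custom Azure Policy that denies
# creating resources outside the allowedLocations parameter.
Connect-AzAccount

# Rule: deny when location is not in the allowed list. 'global' is exempted
# because some resource types (for example, DNS zones) can only be created there.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "location", "notIn": "[parameters('allowedLocations')]" },
      { "field": "location", "notEquals": "global" }
    ]
  },
  "then": { "effect": "deny" }
}
'@

# Parameter declaration; strongType lets the portal offer a location picker
$params = @'
{
  "allowedLocations": {
    "type": "Array",
    "metadata": { "displayName": "Allowed locations", "strongType": "location" }
  }
}
'@

$definition = New-AzPolicyDefinition -Name 'deny-unapproved-locations' `
    -DisplayName 'Deny resources outside approved locations' `
    -Policy $rule -Parameter $params -Mode All

# Assign at resource group scope (placeholder name); pass a subscription or
# management group resource ID as -Scope to cover a wider scope instead.
$rg = Get-AzResourceGroup -Name 'rg-prod-example'
New-AzPolicyAssignment -Name 'approved-locations-rg-prod' `
    -PolicyDefinition $definition -Scope $rg.ResourceId `
    -PolicyParameterObject @{ allowedLocations = @('eastus2', 'westeurope') }
```

After the assignment, a deployment into that resource group with any other location is rejected by Azure Resource Manager before the resource is created, regardless of the caller's RBAC rights.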

Actively monitor for suspicious activities

An active identity monitoring system can quickly detect suspicious behavior and trigger an alert for further investigation. The following best practices list two Azure AD capabilities that can help organizations monitor their identities:

Best practice: Have a method to identify:

Detail: Use Azure AD Premium anomaly reports. Have processes and procedures in place for IT admins to run these reports on a daily basis or on demand (usually in an incident response scenario).

Best practice: Have an active monitoring system that notifies you of risks and can adjust risk level (high, medium, or low) to your business requirements.
Detail: Use Azure AD Identity Protection, which flags the current risks on its own dashboard and sends daily summary notifications via email. To help protect your organization's identities, you can configure risk-based policies that automatically respond to detected issues when a specified risk level is reached.
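The daily (or on-demand, during incident response) report run described in the two best practices above, as an added example that is not part of the original article: it pulls the Identity Protection risky-user list and the last 24 hours of risk detections and exports them for triage. It assumes the Microsoft.Graph PowerShell SDK and Azure AD Premium P2 licensing.

```powershell
# Added example (not from the original article): daily Identity Protection
# export of at-risk users and recent risk detections.
Connect-MgGraph -Scopes 'IdentityRiskyUser.Read.All', 'IdentityRiskEvent.Read.All'

# Users whose risk is still open ('atRisk') or that an admin has already
# confirmed as compromised during a previous investigation
$riskyUsers = Get-MgRiskyUser -All |
    Where-Object { $_.RiskState -in 'atRisk', 'confirmedCompromised' } |
    Select-Object UserPrincipalName, RiskLevel, RiskState, RiskLastUpdatedDateTime

# Risk detections from the last 24 hours (anonymous IP, unfamiliar sign-in
# properties, leaked credentials, and so on), filtered server-side
$since = (Get-Date).ToUniversalTime().AddDays(-1).ToString('yyyy-MM-ddTHH:mm:ssZ')
$detections = Get-MgRiskDetection -Filter "detectedDateTime ge $since" -All |
    Select-Object UserPrincipalName, RiskEventType, RiskLevel, RiskState, DetectedDateTime

# Keep a dated copy of both reports for the incident record
$stamp = Get-Date -Format 'yyyyMMdd'
$riskyUsers | Export-Csv -NoTypeInformation -Path "risky-users-$stamp.csv"
$detections | Export-Csv -NoTypeInformation -Path "risk-detections-$stamp.csv"

# High-risk users are the ones to act on first (password reset, session revoke)
$high = @($riskyUsers | Where-Object RiskLevel -eq 'high')
if ($high.Count -gt 0) {
    Write-Warning "$($high.Count) high-risk user(s) need immediate investigation"
    $high | Format-Table -AutoSize
}
```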

Organizations that don't actively monitor their identity systems are at risk of having user credentials compromised. Without knowledge that suspicious activities are taking place through these credentials, organizations can't mitigate this type of threat.

Use Azure AD for storage authentication

Azure Storage supports authentication and authorization with Azure AD for Blob storage and Queue storage. With Azure AD authentication, you can use Azure role-based access control to grant specific permissions to users, groups, and applications down to the scope of an individual blob container or queue.

We recommend that you use Azure AD for authenticating access to storage.
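Granting a group read access to a single blob container through Azure RBAC, as an added example that is not part of the original article; it goes one step beyond the text by also disabling Shared Key access so that Azure AD becomes the only accepted data-plane credential. It assumes the Az PowerShell module; the resource group, storage account, container and group names are placeholders.

```powershell
# Added example (not from the original article): container-scoped Azure RBAC
# assignment plus Shared Key lockdown on the storage account.
Connect-AzAccount

$rgName      = 'rg-data-example'     # placeholder
$accountName = 'stdataexample'       # placeholder
$container   = 'audit-logs'          # placeholder
$group       = Get-AzADGroup -DisplayName 'SOC Analysts'   # placeholder group

$account = Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName

# Scope the assignment to one container rather than the whole account.
# Data-plane roles (Storage Blob Data Reader/Contributor/Owner) are separate
# from the management-plane Contributor role, which grants no blob data access.
$containerScope = "$($account.Id)/blobServices/default/containers/$container"
New-AzRoleAssignment -ObjectId $group.Id `
    -RoleDefinitionName 'Storage Blob Data Reader' `
    -Scope $containerScope

# With Shared Key disabled, account keys and SAS tokens signed with them stop
# working for this account; only Azure AD tokens are accepted on the data plane.
Set-AzStorageAccount -ResourceGroupName $rgName -Name $accountName -AllowSharedKeyAccess $false

# Verify with the signed-in Azure AD identity (OAuth token), not an account key
$ctx = New-AzStorageContext -StorageAccountName $accountName -UseConnectedAccount
Get-AzStorageBlob -Container $container -Context $ctx |
    Select-Object Name, Length, LastModified
```

Check for clients that still authenticate with account keys or key-signed SAS tokens before disabling Shared Key, because they fail immediately once the setting is applied.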

Next step

See Azure security best practices and patterns for more security best practices to use when you're designing, deploying, and managing your cloud solutions by using Azure.