Cloud-powered protection

Microsoft has been securing cloud-based identities for over a decade, and with Azure Active Directory, Microsoft is making these same protection systems available to enterprise customers, to ensure users' and administrators' accountability with better security and governance.

How can Enterprise Mobility + Security help you?

Enterprise Mobility + Security (EMS) is the only comprehensive cloud solution that natively protects corporate data on the device itself, and beyond, with four layers of protection across identities, devices, apps, and data. EMS helps you solve one of the key challenges in the mobile-first, cloud-first world: how to provide a comprehensive set of security tools that proactively help you identify and respond to security threats in your organization:

  • Control access to resources
  • Safeguard user authentication
  • Respond to advanced threats with risk-based policies and monitoring
  • Mitigate administrative risks
  • Governance of on-premises and cloud identities

Azure Active Directory Identity Protection is unique. It uses machine learning to analyze more than 10 TB of behavioral and contextual data every day, which provides visibility into suspicious activity and allows you to take immediate action if necessary.

In addition, Azure AD conditional access rules allow customers to control access to online services based on attributes such as device compliance or network location. The following kinds of rules may be distinguished:

  • Azure AD MFA-based conditional access
  • Azure AD location-based conditional access
  • Azure AD device-based conditional access

Azure Active Directory Identity Protection

Azure AD Identity Protection is a security service that provides a consolidated view into risk events and potential vulnerabilities affecting your organization's identities:

  • Respond to advanced threats with risk-based policies and monitoring (Azure AD Identity Protection)
  • Mitigate admin risk (Privileged Identity)
  • Governance of identity

In a world of increasing identity theft incidents, persistent bad actors, and frequent security breaches, Azure Active Directory Identity Protection is a must-have.

The Azure AD Identity Protection dashboard gives you access to reports such as users flagged for risk, risk events, and vulnerabilities. It also provides settings such as the configuration of your security policies, notifications, and multi-factor authentication registration.

Azure AD conditional access

The move to cloud services and an ever-increasing need for mobility are driving organizations to look for solutions that protect data while enhancing user productivity and device flexibility. Customers require the ability to control access to Office 365 based on various attributes such as network location or MFA enforcement. This is particularly important for regulated customers such as government or financial customers.

Since protecting data at the network perimeter is no longer sufficient, organizations also require the ability to control user access based on other factors such as device compliance.

Azure AD conditional access rules are applied per application and allow customers to control access based on different conditions. Using Mobile Device Management (MDM) for Office 365 or Intune, customers can restrict access to Office 365 to only those users who are using a company device or who have enrolled their personal device for management.

For example, customers may configure conditional access rules to enforce controls such as:

  • Only allow access from devices that are domain joined or compliant
  • Enforce MFA for all access to Exchange Online services
  • Prevent access to SharePoint Online for clients outside of the corporate network
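The three rules above are easier to reason about when written down as a small policy engine and run against sample sign-ins. The following is an added illustration, not code from the original page and not Azure AD's own policy engine: the `Policy` and `SignIn` types, the policy names, and the sign-in records are all constructed for this example. It shows that rules are matched per application, that a blocking condition (unmanaged device, client outside the corporate network) takes precedence over a control that can still be satisfied (MFA), and that an application with no rule is simply allowed.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

@dataclass(frozen=True)
class SignIn:
    """One sign-in attempt as the policy engine sees it (constructed fields)."""
    user: str
    app: str
    device_compliant: bool = False     # MDM reports the device as compliant
    domain_joined: bool = False        # device is joined to the corporate domain
    inside_corp_network: bool = False  # request originates from a trusted network location
    mfa_completed: bool = False        # user already satisfied multi-factor authentication

@dataclass(frozen=True)
class Policy:
    """A conditional access rule scoped to a set of applications (hypothetical type)."""
    name: str
    apps: FrozenSet[str]
    require_managed_device: bool = False     # domain joined OR compliant
    require_mfa: bool = False
    block_outside_corp_network: bool = False

# Constructed policies mirroring the three example rules in the text.
POLICIES: List[Policy] = [
    Policy("Managed devices only", frozenset({"Exchange Online", "SharePoint Online"}),
           require_managed_device=True),
    Policy("MFA for Exchange Online", frozenset({"Exchange Online"}), require_mfa=True),
    Policy("SharePoint from corp network only", frozenset({"SharePoint Online"}),
           block_outside_corp_network=True),
]

def evaluate(signin: SignIn, policies: List[Policy] = POLICIES) -> Tuple[str, List[str]]:
    """Return ("allow" | "require_mfa" | "block", [names of policies that decided it])."""
    blocking: List[str] = []
    mfa_needed: List[str] = []
    for p in policies:
        if signin.app not in p.apps:
            continue  # rules are applied per application
        if p.block_outside_corp_network and not signin.inside_corp_network:
            blocking.append(p.name)
        if p.require_managed_device and not (signin.device_compliant or signin.domain_joined):
            blocking.append(p.name)
        if p.require_mfa and not signin.mfa_completed:
            mfa_needed.append(p.name)
    if blocking:
        return ("block", blocking)      # an unsatisfiable condition wins over MFA prompts
    if mfa_needed:
        return ("require_mfa", mfa_needed)
    return ("allow", [])

if __name__ == "__main__":
    samples = [
        SignIn("alice", "Exchange Online", device_compliant=True, mfa_completed=True),
        SignIn("bob", "Exchange Online", domain_joined=True),
        SignIn("carol", "SharePoint Online", device_compliant=True, inside_corp_network=False),
        SignIn("dave", "Exchange Online"),
        SignIn("eve", "Teams"),
    ]
    for s in samples:
        print(s.user, s.app, "->", evaluate(s))
```

A real tenant expresses the same decisions as conditional access policies in the Azure portal; the point of the toy engine is the evaluation order and the per-application scoping, which are what an administrator has to keep in mind when several rules overlap on one application.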

How to implement these solutions?

Let's talk about the necessary steps to start using Azure AD Identity Protection and conditional access. This section also points to how-to articles that provide more details for specific steps.

Azure AD Identity Protection

Azure AD Identity Protection is available with the Azure AD Premium P2 offering, in combination with Azure AD Privileged Identity Management, to provide seamless conditional access policy capabilities.

You can enable Azure AD Identity Protection by going to the Azure Marketplace and searching for "Identity Protection", then clicking the Azure AD Identity Protection tile, which opens the dashboard with a consolidated view of risk data for your tenant. Let's highlight a few examples of how Identity Protection can help your organization with account security threats.

Risk events

Risk events are events that were flagged as suspicious by Identity Protection and indicate that an identity may have been compromised.

Microsoft is continuing to invest in this space and plans to continuously improve the detection accuracy of existing risk events and add new risk event types on an ongoing basis. For example, you can investigate the Impossible travel risk event.

You can find more details in the Azure AD Identity playbook.

Here is an example of a few risk events on the Identity Protection dashboard:

Screenshot: some risk events listed on the Azure AD Identity Protection dashboard.

Impossible travel risk

Within the Impossible travel blade, all flagged incidents are displayed by first and second login location and the time each login occurred.

Screenshot: the Azure AD Identity Protection dashboard showing the locations of an Impossible travel risk event.

You can find more details on the types of risk events detected by Azure Active Directory Identity Protection.

Remediation

Aside from addressing incidents on an individual basis, Azure AD Identity Protection gives you the capability to address possible issues proactively by configuring a user risk remediation policy. Within the policy settings, you can target individual users, groups, or all users. You can also set the specific condition(s) that will trigger the policy.

Screenshot: remediating a risk event directly from the Azure AD Identity Protection dashboard.

Lastly, you have the option of either blocking access entirely or allowing access but with the requirement(s) of:

  • Multi-factor authentication
  • Azure MFA registration
  • A password change
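To make the Impossible travel risk event and the user risk remediation policy described above concrete, the following added example (not code from the original page and not the logic Identity Protection itself uses) does both on constructed data: it pairs consecutive sign-ins per user, computes the implied speed between the two locations, flags the pair as an impossible travel risk event when that speed exceeds a threshold, and then applies a remediation policy that targets users or groups, triggers at a chosen risk level, and either blocks or allows with requirements. The 1000 km/h threshold, the mapping "impossible travel implies high user risk", the `SignIn` and `UserRiskPolicy` types, and the sample sign-in records are assumptions made for this example.

```python
import math
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class SignIn:
    """A sign-in with a resolved location (constructed fields for this example)."""
    user: str
    time: datetime
    city: str
    lat: float
    lon: float

# Constructed sample sign-ins, not real log data.
SAMPLE_SIGNINS: List[SignIn] = [
    SignIn("alice", datetime(2024, 1, 15, 9, 0), "Seattle", 47.61, -122.33),
    SignIn("alice", datetime(2024, 1, 15, 10, 30), "London", 51.51, -0.13),
    SignIn("bob", datetime(2024, 1, 15, 9, 0), "Seattle", 47.61, -122.33),
    SignIn("bob", datetime(2024, 1, 15, 12, 0), "Portland", 45.52, -122.68),
]

def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two coordinates."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

MAX_PLAUSIBLE_KMH = 1000.0  # assumption: faster than an airliner means the trip is impossible

def impossible_travel_events(signins: List[SignIn]) -> List[Dict]:
    """Flag each consecutive pair of one user's sign-ins whose implied speed is impossible."""
    by_user: Dict[str, List[SignIn]] = {}
    for s in sorted(signins, key=lambda s: (s.user, s.time)):
        by_user.setdefault(s.user, []).append(s)
    events: List[Dict] = []
    for user, seq in by_user.items():
        for first, second in zip(seq, seq[1:]):
            km = haversine_km(first.lat, first.lon, second.lat, second.lon)
            if km < 1.0:
                continue  # same place: no travel implied
            hours = (second.time - first.time).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else float("inf")
            if speed > MAX_PLAUSIBLE_KMH:
                events.append({"user": user,
                               "first": (first.city, first.time),
                               "second": (second.city, second.time),
                               "km": round(km), "kmh": round(speed)})
    return events

RISK_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}

def user_risk_level(user: str, events: List[Dict]) -> str:
    # Assumption for this example: any impossible travel event puts the user at "high" risk.
    return "high" if any(e["user"] == user for e in events) else "none"

@dataclass(frozen=True)
class UserRiskPolicy:
    """User risk remediation policy (hypothetical type modelled on the dashboard settings)."""
    target_users: frozenset = frozenset()       # empty means all users
    trigger_level: str = "medium"               # condition: user risk at or above this level
    block: bool = False                         # block entirely, or allow with requirements
    requirements: Tuple[str, ...] = ("mfa", "password_change")

def remediate(user: str, events: List[Dict], policy: UserRiskPolicy) -> Tuple[str, Tuple[str, ...]]:
    """Return ("block", ()) or ("allow", requirements) for this user under the policy."""
    if policy.target_users and user not in policy.target_users:
        return ("allow", ())
    if RISK_RANK[user_risk_level(user, events)] < RISK_RANK[policy.trigger_level]:
        return ("allow", ())
    if policy.block:
        return ("block", ())
    return ("allow", policy.requirements)

if __name__ == "__main__":
    found = impossible_travel_events(SAMPLE_SIGNINS)
    for e in found:
        print(e)
    for u in ("alice", "bob"):
        print(u, "->", remediate(u, found, UserRiskPolicy()))
```

Seattle to London in ninety minutes implies roughly 5000 km/h and is flagged; Seattle to Portland in three hours is not. The remediation step then shows the two choices the dashboard offers: `block=True` denies access outright, while the default allows access but requires MFA and a password change, and a `target_users` scope leaves untargeted users untouched.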

You can find more details on Azure AD Identity Protection, and in this Enterprise Mobility + Security blog post.

Azure AD conditional access

The links below provide information on using Azure AD conditional access based on multi-factor authentication (MFA), location, and device policies.