General identity and device access policy recommendations

This article describes the common recommended policies to help you secure Microsoft 365 Enterprise. Also discussed are the default platform client configurations we recommend to provide the best SSO experience to your users, as well as the technical prerequisites for conditional access.

This guidance discusses how to deploy the recommended policies in a newly provisioned environment. Setting up these policies in a separate lab environment allows you to understand and evaluate the recommended policies before staging the rollout to your pre-production and production environments. Your newly provisioned environment may be cloud-only or hybrid.

To successfully deploy the recommended policies, you need to take actions in the Azure portal to meet the prerequisites (see the Prerequisites section). Specifically, you need to:

  • Configure named networks, to ensure Azure Identity Protection can properly generate a risk score
  • Require all users to register for multi-factor authentication (MFA)
  • Configure Password Hash Sync and self-service password reset so that users are able to reset passwords themselves

You can target both Azure AD and Intune policies towards specific groups of users. We suggest rolling out the policies defined earlier in a staged way. This way you can validate the performance of the policies, and of your support teams relative to the policies, incrementally.

Prerequisites

Before implementing the policies described in the remainder of this document, there are several prerequisites that your organization must meet:

  • Configure Password Hash Sync. This must be enabled to detect leaked credentials and to act on them for risk-based Conditional Access. Note: This is required regardless of whether your organization uses managed authentication, such as Pass Through Authentication (PTA), or federated authentication.
  • Configure named networks. Azure AD Identity Protection collects and analyzes all available session data to generate a risk score. We recommend that you specify your organization's public IP ranges for your network in the Azure AD named networks configuration. Traffic coming from these ranges is given a reduced risk score, so traffic from outside the corporate environment is treated as higher risk.
  • Register all users with multi-factor authentication (MFA). Azure AD Identity Protection makes use of Azure MFA to perform additional security verification. We recommend that you require all users to register for Azure MFA ahead of time.
  • Enable automatic device registration of domain-joined Windows computers. Conditional access can ensure the device connecting to the service is a domain-joined or compliant device. To support this on Windows computers, the device must be registered with Azure AD. This article discusses how to configure automatic device registration.
  • Prepare your support team. Have a plan in place for users that cannot complete MFA. This can be adding them to a policy exclusion group, or registering new MFA info for them. Before making either of these security-sensitive changes, you need to ensure the actual user is making the request. Requiring users' managers to help with the approval is an effective step.
  • Configure password writeback to on-premises AD. Password writeback allows Azure AD to require that users change their on-premises passwords when a high risk of account compromise has been detected. You can enable this feature using Azure AD Connect in one of two ways: either in the optional features screen of the Azure AD Connect setup wizard, or via Windows PowerShell.
  • Enable modern authentication and protect legacy endpoints. Conditional access works with both mobile and desktop applications that use modern authentication. If an application uses legacy authentication protocols, it may gain access despite the conditions being applied. It is important to know which applications can use conditional access rules and the steps that you need to take to secure other application entry points.
  • Enable Azure Information Protection by activating Rights Management. Use Azure Information Protection with email to start with classification of emails. Follow the quick start tutorial to customize and publish policy.
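The following PowerShell is an added example, not part of the original article, for checking two of the prerequisites above before rolling policies out: that Azure AD Connect has password hash sync and password writeback switched on, and which users have not yet registered an MFA method. It assumes the ADSync module installed with Azure AD Connect (run on the Azure AD Connect server in an elevated session) and the MSOnline module (with Connect-MsolService already run). The property names PasswordHashSync and PasswordWriteBack are those shown by Get-ADSyncAADCompanyFeature on the builds I have used; the function names are this example's own.

```powershell
# Added example (not from the article): verify Azure AD Connect feature state and MFA registration.
# Assumes: ADSync module (ships with Azure AD Connect) and MSOnline module are installed.

function Test-AadConnectFeatures {
    [CmdletBinding()]
    param(
        # Turn on password writeback if it is found disabled. Password Hash Sync itself is
        # configured in the Azure AD Connect wizard, so this example only reports on it.
        [switch]$EnableWriteback
    )
    Import-Module ADSync -ErrorAction Stop
    $features = Get-ADSyncAADCompanyFeature   # assumption: exposes PasswordHashSync / PasswordWriteBack

    if (-not $features.PasswordHashSync) {
        Write-Warning 'Password Hash Sync is disabled: leaked-credential detection and risk-based Conditional Access will not work. Enable it in the Azure AD Connect wizard.'
    }

    if (-not $features.PasswordWriteBack) {
        if ($EnableWriteback) {
            # Equivalent to ticking "Password writeback" under Optional features in the setup wizard.
            Set-ADSyncAADCompanyFeature -PasswordWriteBack $true
            Write-Verbose 'Password writeback enabled.'
        }
        else {
            Write-Warning 'Password writeback is disabled: Identity Protection cannot force on-premises password changes for high-risk users. Re-run with -EnableWriteback to switch it on.'
        }
    }

    # Return the observed state so it can be logged or compared across lab/pre-production/production.
    [pscustomobject]@{
        PasswordHashSync  = [bool]$features.PasswordHashSync
        PasswordWriteBack = [bool]$features.PasswordWriteBack
    }
}

function Get-UsersWithoutMfa {
    [CmdletBinding()]
    param()
    Import-Module MSOnline -ErrorAction Stop
    # StrongAuthenticationMethods is empty for users who have never registered for Azure MFA;
    # these are the users who will be unable to satisfy a "require MFA" grant control.
    Get-MsolUser -All |
        Where-Object { $_.StrongAuthenticationMethods.Count -eq 0 } |
        Select-Object UserPrincipalName, DisplayName
}

# Usage: run the first on the Azure AD Connect server, the second after Connect-MsolService.
# Test-AadConnectFeatures -Verbose
# Get-UsersWithoutMfa | Export-Csv -NoTypeInformation .\users-without-mfa.csv
```

Run the registration check before enabling any tier's MFA policy; the exported list is the population your support team's MFA plan (exclusion group or re-registration) has to cover.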

The following email clients support Modern Authentication and Conditional Access. Azure Information Protection is not yet available for all clients.

Platform | Client  | Version/Notes                 | Azure Information Protection
-------- | ------- | ----------------------------- | ----------------------------
Windows  | Outlook | 2016, 2013 Enable Modern Auth | Yes
iOS      | Outlook | Latest                        | No
Android  | Outlook | Latest                        | No
macOS    |         | Public preview                | No
Linux    |         | Not supported                 | No

In order to access Azure Information Protection protected documents, additional software may be required. Be sure that you are using supported software and document formats to create and view protected documents with Azure Information Protection.

The following clients are recommended when a Secure Documents policy has been applied.

Platform         | Word/Excel/PowerPoint | OneNote        | OneDrive App  | SharePoint App | OneDrive Sync Client
---------------- | --------------------- | -------------- | ------------- | -------------- | --------------------
Windows 7        | Supported             | Supported      | N/A           | N/A            | Preview
Windows 8.1      | Supported             | Supported      | N/A           | N/A            | Preview
Windows 10       | Supported             | Supported      | N/A           | N/A            | Preview
Windows Phone 10 | Not supported         | Not supported  | Supported     | Supported      | N/A
Android          | Supported             | Supported      | Supported     | Supported      | N/A
iOS              | Supported             | Supported      | Supported     | Supported      | N/A
macOS            | Public Preview        | Public Preview | N/A           | N/A            | Not supported
Linux            | Not supported         | Not supported  | Not supported | Not supported  | Not supported

Learn more about the OneDrive Sync Client Preview.

Note

The following recommendations are based on three different tiers of security and protection for your email that can be applied based on the granularity of your needs: baseline, sensitive, and highly regulated. You can learn more about these security tiers, and the recommended client operating systems referenced by these recommendations, in the recommended security policies and configurations introduction.

Baseline

This section describes the recommendations for the baseline tier of data, identity, and device protection. These recommendations should meet the default protection needs of many organizations.

Note

The policies below are additive and build upon each other. Each section describes only the additions applied to each tier.

Conditional access policy settings

Identity protection

You can give users a single sign-on (SSO) experience as described in earlier sections. You only need to intervene when necessary based on risk events.

  • Require MFA based on medium or above sign-in risk
  • Require secure password change for high risk users

Important

Password synchronization and self-service password reset are required for this policy recommendation.

Data loss prevention

The goal for your device and app management policies is to prevent data loss in the event of a lost or stolen device. You can do this by ensuring that access to data is protected by a PIN, that the data is encrypted on the device, and that the device is not compromised.

Policy recommendation | Description
--- | ---
Require user PC management | Require users to join their Windows PCs to an Active Directory domain or enroll their PCs into management with Microsoft Intune or System Center Configuration Manager.
Apply security settings via group policy objects (GPO) or Configuration Manager policies for domain-joined PCs | Deploy policies that configure managed PCs to enable BitLocker, enable anti-virus, and enable firewall.
Require user mobile device management | Require that user devices used to access email are managed by Intune, or that company email is accessed only through mobile email apps protected by Intune App Protection policies such as Outlook Mobile.
Apply an Intune Device Compliance Policy on managed devices | Apply an Intune Device Compliance Policy for managed corporate mobile devices and Intune-managed PCs that requires: a PIN with minimum length 6, device encryption, a healthy device (not jailbroken or rooted; passes health attestation), and, if available, a low device risk level as determined by a third-party MTP such as Lookout or SkyCure.
Apply an Intune App Protection Policy for managed apps running on unmanaged devices | Apply an Intune App Protection Policy for managed apps running on unmanaged, personal mobile devices that requires: a PIN with minimum length 6, device encryption, and a healthy device (not jailbroken or rooted; passes health attestation).

User impact

For most organizations, it is important to be able to set user expectations around when, and under which conditions, they will be expected to sign into Office 365 to access their email.

Users typically benefit from single sign-on (SSO) except during the following situations:

  • When requesting authentication tokens for Exchange Online:
    • Users may be asked to perform MFA whenever a medium or above sign-in risk is detected and they have not yet performed MFA in their current session.
    • Users will be required to either use email apps that support the Intune App Protection SDK or access email from Intune compliant or AD domain-joined devices.
  • When users at risk sign in and successfully complete MFA, they will be asked to change their password.

Sensitive

This section describes the recommendations for the sensitive tier of data, identity, and device protection. These recommendations are for customers who have a subset of data that must be protected at higher levels, or who require all data to be protected at these higher levels.

You can apply increased protection to all or specific data sets in your Office 365 environment. For example, you can apply policies to ensure sensitive data is only shared between protected apps to prevent data loss. We recommend protecting identities and devices that access sensitive data with comparable levels of security.

Conditional access policy settings

Identity protection

You can give users a single sign-on (SSO) experience as described in earlier sections. You only need to intervene when necessary based on risk events.

  • Require MFA on low or above risk sessions
  • Require secure password change for high risk users

Important

Password synchronization and self-service password reset are required for this policy recommendation.

Data loss prevention

The goal for these device and app management policies is to prevent data loss in the event of a lost or stolen device. You can do this by ensuring that access to data is protected by a PIN, that the data is encrypted on the device, and that the device is not compromised.

Policy recommendation | Description
--- | ---
Require user PC management | Require users to join their PCs to an Active Directory domain or enroll their PCs into management with Intune or Configuration Manager, and ensure those devices are compliant with policies before allowing email access.
Apply security settings via group policy objects (GPO) or Configuration Manager policies for domain-joined PCs | Deploy policies that configure managed PCs to enable BitLocker, enable anti-virus, and enable firewall.
Require user mobile device management | Require that user devices used to access email are managed by Intune, or that company email is accessed only through mobile email apps protected by Intune App Protection policies such as Outlook Mobile.
Apply an Intune Device Compliance Policy on managed devices | Apply an Intune Device Compliance Policy for managed corporate mobile devices and Intune-managed PCs that requires: a PIN with minimum length 6, device encryption, a healthy device (not jailbroken or rooted; passes health attestation), and, if available, a low device risk level as determined by a third-party MTP such as Lookout or SkyCure.
Apply an Intune App Protection Policy for managed apps running on unmanaged devices | Apply an Intune App Protection Policy for managed apps running on unmanaged, personal mobile devices that requires: a PIN with minimum length 6, device encryption, and a healthy device (not jailbroken or rooted; passes health attestation).

User impact

For most organizations, it is important to be able to set expectations for users specific to when, and under what conditions, they will be expected to sign into Office 365 email.

Users typically benefit from single sign-on (SSO) except under the following situations:

  • When requesting authentication tokens for Exchange Online:
    • Users will be asked to perform MFA whenever a low or above sign-in risk is detected and they have not yet performed MFA in their current session.
    • Users will be required to either use email apps that support the Intune App Protection SDK or access email from Intune compliant or AD domain-joined devices.
  • When users at risk sign in and successfully complete MFA, they will be asked to change their password.

Highly regulated

This section describes the recommendations for the highly regulated tier of data, identity, and device protection. These recommendations are for customers who may have a very small amount of data that is highly classified, trade secret, or regulated data. Microsoft provides capabilities to help organizations meet these requirements, including added protection for identities and devices.

Conditional access policy settings

Identity protection

For the highly regulated tier, Microsoft recommends enforcing MFA for all new sessions.

  • Require MFA for all new sessions
  • Require secure password change for high risk users

Important

Password synchronization and self-service password reset are required for this policy recommendation.

Data loss prevention

The goal for these device and app management policies is to prevent data loss in the event of a lost or stolen device. This is done by ensuring that access to data is protected by a PIN, that the data is encrypted on the device, and that the device is not compromised.

For the highly regulated tier, we recommend requiring that apps that support Intune App Protection policy run only on Intune compliant or domain-joined devices.

Policy recommendation | Description
--- | ---
Require user PC management | Require users to join their Windows PCs to an Active Directory domain, or enroll their PCs into management with Intune or Configuration Manager, and ensure those devices are compliant with policies before allowing email access.
Apply security settings via group policy objects (GPO) or Configuration Manager policies for domain-joined PCs | Deploy policies that configure managed PCs to enable BitLocker, enable anti-virus, and enable firewall.
Require user mobile device management | Require that devices used to access Office 365 email and files are managed by Intune, or that company email is accessed only through mobile email apps protected by Intune App Protection policies such as Outlook Mobile.
Apply an Intune Device Compliance Policy on managed devices | Apply an Intune Device Compliance Policy for managed corporate mobile devices and Intune-managed PCs that requires: a PIN with minimum length 6, device encryption, a healthy device (not jailbroken or rooted; passes health attestation), and, if available, a low device risk level as determined by a third-party MTP such as Lookout or SkyCure.

User impact

For most organizations, it is important to be able to set expectations for users specific to when, and under what conditions, they will be expected to sign into Office 365 files.

  • Users configured as highly regulated will be required to re-authenticate with MFA after their session expires.
  • When users at risk sign in, they will be asked to change their password after completing MFA.
  • When requesting authentication tokens for Exchange Online:
    • Users will be asked to perform MFA whenever they begin a new session.
    • Users will be required to use email apps that support the Intune App Protection SDK.
    • Users will be required to access email from Intune compliant or AD domain-joined devices.
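The three tiers differ only in the sign-in-risk threshold that triggers MFA and in whether a protected app and a compliant or domain-joined device are both required or either suffices. The PowerShell below is an added example, not part of the original article or of any Microsoft product, that models those decisions for the baseline, sensitive and highly regulated sections above so you can predict what a given sign-in will experience before you write the real Conditional Access and Intune policies. The function, its parameter names and the RiskLevel enum are this example's own; the thresholds and device rules come from the tiers described above.

```powershell
# Added example (not from the article): a model of the per-tier access decision.
# Risk levels follow the Identity Protection scale used in the article (low / medium / high).
enum RiskLevel { None = 0; Low = 1; Medium = 2; High = 3 }

function Get-RequiredControls {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateSet('Baseline', 'Sensitive', 'HighlyRegulated')]
        [string]$Tier,
        [RiskLevel]$SignInRisk = [RiskLevel]::None,   # risk of this sign-in
        [RiskLevel]$UserRisk   = [RiskLevel]::None,   # accumulated risk of the account
        [switch]$MfaInSession,                        # user already completed MFA in this session
        [switch]$NewSession,                          # a new session is being started
        [switch]$DeviceCompliantOrDomainJoined,       # Intune compliant or AD domain-joined device
        [switch]$AppProtectionCapable                 # client app supports the Intune App Protection SDK
    )

    $controls = [System.Collections.Generic.List[string]]::new()

    # 1. MFA: baseline fires at medium-or-above sign-in risk, sensitive at low-or-above,
    #    highly regulated on every new session regardless of risk.
    $riskThreshold = switch ($Tier) {
        'Baseline'        { [RiskLevel]::Medium }
        'Sensitive'       { [RiskLevel]::Low }
        'HighlyRegulated' { [RiskLevel]::Low }
    }
    $riskTriggersMfa = $SignInRisk -ne [RiskLevel]::None -and $SignInRisk -ge $riskThreshold
    $sessionTriggersMfa = $Tier -eq 'HighlyRegulated' -and $NewSession
    if (($riskTriggersMfa -or $sessionTriggersMfa) -and -not $MfaInSession) {
        $controls.Add('RequireMFA')
    }

    # 2. Secure password change for high-risk users (all tiers). This is the control that
    #    depends on password hash sync, self-service password reset and password writeback.
    if ($UserRisk -eq [RiskLevel]::High) {
        $controls.Add('RequirePasswordChange')
    }

    # 3. Device / app requirement: baseline and sensitive accept either a managed device or a
    #    protected app; highly regulated requires a protected app on a managed device.
    $deviceSatisfied = switch ($Tier) {
        'HighlyRegulated' { $DeviceCompliantOrDomainJoined -and $AppProtectionCapable }
        default           { $DeviceCompliantOrDomainJoined -or $AppProtectionCapable }
    }
    if (-not $deviceSatisfied) {
        $controls.Add('Block')
    }

    if ($controls.Count -eq 0) { $controls.Add('Allow') }
    return $controls.ToArray()
}

# Constructed scenarios (not real sign-ins) covering one case per tier:
Get-RequiredControls -Tier Baseline -SignInRisk Medium -DeviceCompliantOrDomainJoined
Get-RequiredControls -Tier Sensitive -SignInRisk Low -MfaInSession -AppProtectionCapable
Get-RequiredControls -Tier HighlyRegulated -NewSession -UserRisk High -DeviceCompliantOrDomainJoined
```

The third scenario is the one worth studying: a highly regulated user on a managed device but in a client without the App Protection SDK is still blocked, and the password change for a high-risk account is queued behind the MFA prompt, which is why the Important callouts above insist on password synchronization and self-service password reset being in place first.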

Next steps

Learn about policy recommendations for securing email