Protect your administrator accounts

Because admin accounts come with elevated privileges, they're valuable targets for hackers and cyber criminals. This article describes:

  • How to set up an additional administrator account for emergencies.
  • How to protect these accounts.

When you sign up for Microsoft 365 and enter your information, you automatically become the Global admin. A Global admin has the ultimate control of user accounts and all the other settings in the Microsoft admin center, but there are many different kinds of admin accounts with varying degrees of access. See "About admin roles" for information about the different access levels for each kind of admin role.

Create additional admin accounts

Use admin accounts only for administration. Admins should have a separate user account for regular use of Office apps and only use their administrative account when necessary to manage accounts and devices, and while working on other admin functions. It's also a good idea to remove the Microsoft 365 license from the admin accounts so you don't have to pay for them.

You'll want to set up at least one additional Global admin account to give admin access to another trusted employee. You can also create separate admin accounts for user management (this role is called User management administrator). For more information, see "About admin roles".

To create additional admin accounts:

  1. Go to the admin center and then choose Users > Active users in the left nav.

  2. On the Active users page, select Add a user at the top of the page, and on the New user panel, enter the name and other information.

  3. Expand the Roles section, and choose Global administrator to give this user global admin access. You can also choose Customized administrator and choose any of the roles that are displayed.

    Enter an alternate email in the Alternative email address text box. You can use this address to recover your password information if you get locked out. For Global admins, a billing statement will also be sent to this address.

  4. In the Product licenses section, move the selector for Microsoft 365 Business to Off and the selector for Create user without product license to On.

Create an emergency admin account

You should also create a backup account that isn't set up with multi-factor authentication (MFA) so you don't accidentally lock yourself out (for example, if you lose the phone that you're using as a second form of verification). Make sure that the password for this account is a phrase or at least 16 characters long. This is often referred to as a "break-glass account."

Create a user account for yourself

Use your user account to participate in collaboration with your organization, including checking mail. This means your admin credentials might be similar to Alice.Chavez@Contoso.org and your regular user account might be similar to Alice@Contoso.com.

To create a new user account:

  1. Go to the admin center and then choose Users > Active users in the left nav.
  2. On the Active users page, select Add a user at the top of the page, and on the New user panel, enter the name and other information.
  3. Expand the Roles section, and choose User (no administrative access).
  4. In the Product licenses section, move the selector for Microsoft 365 Business to On.
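
The account layout that the procedures above produce (a second Global admin, admin accounts without product licenses, a separate licensed user account for each admin) can be checked against an account inventory. This is an added example, not Microsoft's code: the CSV column names and sample rows are constructed for illustration, and an account with an empty owner is assumed to be the emergency account.

```python
import csv
import io

# Constructed sample inventory. The column names are hypothetical, not a
# real Microsoft 365 export format.
SAMPLE = """upn,owner,roles,licenses
Alice.Chavez@Contoso.org,alice,Global administrator,
Alice@Contoso.com,alice,,Microsoft 365 Business
Emergency@Contoso.org,,Global administrator,
Bob@Contoso.com,bob,User management administrator,Microsoft 365 Business
"""


def audit(inventory_csv):
    """Return a sorted list of (upn, finding) for accounts that break the guidance."""
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    admins = [r for r in rows if r["roles"].strip()]
    findings = []

    # At least one additional Global admin, so two or more in total.
    global_admins = [r for r in admins if "Global administrator" in r["roles"]]
    if len(global_admins) < 2:
        findings.append(("*", "fewer than two Global admin accounts"))

    # Owners who have an unprivileged, licensed account for daily work.
    daily_owners = {
        r["owner"] for r in rows
        if r["owner"] and not r["roles"].strip() and r["licenses"].strip()
    }

    for r in admins:
        # Admin accounts should carry no product license.
        if r["licenses"].strip():
            findings.append((r["upn"], "admin account has a product license"))
        # Each named admin needs a separate user account; accounts with an
        # empty owner (assumed to be the emergency account) are exempt.
        if r["owner"] and r["owner"] not in daily_owners:
            findings.append((r["upn"], "owner has no separate user account"))
    return sorted(findings)


if __name__ == "__main__":
    for upn, finding in audit(SAMPLE):
        print(f"{upn}: {finding}")
```

In the sample, Bob@Contoso.com is reported twice because one licensed account is used for both daily work and administration.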

Turn on security defaults

Security defaults help protect your organization from identity-related attacks by providing preconfigured security settings that Microsoft manages on behalf of your organization. These settings include enabling multi-factor authentication (MFA) for all admins and user accounts. For more information about security defaults and to learn how to enable them, see "Turn on security defaults".

Additional recommendations

  • Before using admin accounts, close out all unrelated browser sessions and apps, including personal email accounts. You can also use a private or incognito browser window.
  • After completing admin tasks, be sure to sign out of the browser session.