Learn about privileged access management

Privileged access management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just enough access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings. Enabling privileged access management in Microsoft 365 allows your organization to operate with zero standing privileges and provides a layer of defense against vulnerabilities that rely on standing administrative access.

For a quick overview of the integrated Customer Lockbox and privileged access management workflow, see the Customer Lockbox and privileged access management video.

Layers of protection

Privileged access management complements the other data and access protection features within the Microsoft 365 security architecture. Including privileged access management as part of an integrated and layered approach to security provides a security model that maximizes protection of sensitive information and Microsoft 365 configuration settings. As shown in the diagram, privileged access management builds on the protection provided by native encryption of Microsoft 365 data and by the role-based access control security model of Microsoft 365 services. When used with Azure AD Privileged Identity Management, these two features provide access control with just-in-time access at different scopes.

Diagram: Layered protection in Microsoft 365

Privileged access management is defined and scoped at the task level, while Azure AD Privileged Identity Management applies protection at the role level, where a single role can execute multiple tasks. Azure AD Privileged Identity Management primarily manages access to Azure AD roles and role groups, while privileged access management in Microsoft 365 applies only at the task level.

  • Enabling privileged access management while already using Azure AD Privileged Identity Management: Adding privileged access management provides another granular layer of protection and audit capabilities for privileged access to Microsoft 365 data.

  • Enabling Azure AD Privileged Identity Management while already using privileged access management in Office 365: Adding Azure AD Privileged Identity Management to privileged access management extends just-in-time control to privileged access outside Microsoft 365, where access is primarily defined by user roles or identity.

Privileged access management architecture and process flow

Each of the following process flows outlines the architecture of privileged access management and how it interacts with the Microsoft 365 substrate, auditing, and the Exchange Management runspace.

Step 1: Configure a privileged access policy

When you configure a privileged access policy with the Microsoft 365 admin center or Exchange Management PowerShell, you define the policy, the privileged access feature processes, and the policy attributes in the Microsoft 365 substrate. These activities are logged in the Security & Compliance Center. The policy is now enabled and ready to handle incoming requests for approval.

Diagram: Step 1, policy creation

Step 2: Access request

In the Microsoft 365 admin center or with Exchange Management PowerShell, users can request access to elevated or privileged tasks. The privileged access feature sends the request to the Microsoft 365 substrate for processing against the configured privileged access policy and records the activity in the Security & Compliance Center logs.

Diagram: Step 2, access request

Step 3: Access approval

An approval request is generated and a pending-request notification is emailed to the approvers. If approved, the privileged access request is processed as an approval and the task is ready to be completed. If denied, the task is blocked and no access is granted to the requestor. The requestor is notified of the approval or denial by email.

Diagram: Step 3, access approval

Step 4: Access processing

For an approved request, the task is processed by the Exchange Management runspace. The approval is checked against the privileged access policy and processed by the Microsoft 365 substrate. All activity for the task is logged in the Security & Compliance Center.

Diagram: Step 4, access processing
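The four steps above, run end to end from Exchange Online PowerShell, as an added example that is not part of the original page. It assumes the ExchangeOnlineManagement module is installed, that the account running steps 1 and 4 holds the Exchange Role Management role, and that a mail-enabled security group `pam-approvers@contoso.com` exists; the addresses, the task name and the `-AdminGroup` parameter of `Enable-ElevatedAccessControl`, the `-RequestId` property on the request object, the `RequestStatus` property, and the audit-log operation names are assumptions made for the example.

```powershell
# Added example: privileged access management flow in Exchange Online PowerShell.
# Assumptions (not from the page): the ExchangeOnlineManagement module is installed,
# the account holds the Exchange Role Management role, and the approver group
# pam-approvers@contoso.com exists. Addresses and the task name are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Step 1: enable privileged access management (once per tenant) and define a policy.
# Tasks are named in the form 'Exchange\<Cmdlet>'; ApprovalType Manual routes every
# request to the approver group. (-AdminGroup is assumed; check Get-Help if it differs.)
Enable-ElevatedAccessControl -AdminGroup 'pam-approvers@contoso.com'
New-ElevatedAccessApprovalPolicy -Task 'Exchange\New-JournalRule' `
    -ApprovalType Manual `
    -ApproverGroup 'pam-approvers@contoso.com'
Get-ElevatedAccessApprovalPolicy | Format-List

# Step 2: a user requests just-in-time access to the task. -DurationHours bounds the
# window; the reason is recorded and shown to approvers.
$request = New-ElevatedAccessRequest -Task 'Exchange\New-JournalRule' `
    -Reason 'Create journal rule for legal hold LH-2024-07' `
    -DurationHours 4

# Step 3: an approver (any member of the group; no Role Management role needed)
# lists pending requests and approves or denies. Property names are assumed.
Get-ElevatedAccessRequest | Where-Object { $_.RequestStatus -eq 'Pending' } | Format-List
Approve-ElevatedAccessRequest -RequestId $request.RequestId `
    -Comment 'Approved for legal hold LH-2024-07'
# Deny-ElevatedAccessRequest -RequestId $request.RequestId -Comment 'Not justified'

# Step 4: within the approved window the requestor runs the task; the runspace checks
# the approval against the policy before executing. After the window expires the
# same cmdlet is refused until a new request is approved.
New-JournalRule -Name 'LH-2024-07' -JournalEmailAddress 'journal@contoso.com' `
    -Scope Global -Enabled $true

# Audit: every step is logged. Filter the unified audit log for the PAM operations
# (operation names assumed to match the cmdlet names).
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
    -Operations 'New-ElevatedAccessRequest', 'Approve-ElevatedAccessRequest' |
    Select-Object CreationDate, UserIds, Operations
```

Keep the policy's `-Task` scope as narrow as the change needs (one cmdlet rather than a role group) and the `-DurationHours` short; the point of the model is that the approval, not a standing role assignment, is what authorizes the single task.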

Frequently asked questions

What SKUs can use privileged access in Office 365?

Privileged access management is available to customers on a wide selection of Microsoft 365 and Office 365 subscriptions and add-ons. See Get started with privileged access management for details.

When will privileged access support Office 365 workloads beyond Exchange?

Privileged access management will be available in other Office 365 workloads soon. Visit the Microsoft 365 Roadmap for more details.

My organization needs more than 30 privileged access policies. Will this limit be increased?

Yes, raising the current limit of 30 privileged access policies per organization is on the feature roadmap.

Do I need to be a Global Admin to manage privileged access in Office 365?

No. You need the Exchange Role Management role assigned to the accounts that manage privileged access in Office 365. If you don't want to configure the Role Management role as a stand-alone account permission, the Global Administrator role includes this role by default and can manage privileged access. Users included in an approvers' group don't need to be a Global Admin or have the Role Management role assigned to review and approve requests with PowerShell.

Customer Lockbox gives organizations a level of access control over Microsoft's own access to their data. Privileged access management gives granular access control within the organization for all Microsoft 365 privileged tasks.

Ready to get started?

Start configuring your organization for privileged access management.

Learn more

Interactive guide: Monitor and control administrator tasks with privileged access management