Secure user sign-ins to your Microsoft 365 tenant

To increase the security of user sign-ins:

  • Use Windows Hello for Business
  • Use Azure Active Directory (Azure AD) Password Protection
  • Use multi-factor authentication (MFA)
  • Deploy identity and device access configurations
  • Protect against credential compromise with Azure AD Identity Protection

Windows Hello for Business

Windows Hello for Business in Windows 10 Enterprise replaces passwords with strong two-factor authentication when signing in on a Windows device. The two factors are a new type of user credential that is tied to a device and a biometric or PIN.

For more information, see Windows Hello for Business Overview.

Azure AD Password Protection

Azure AD Password Protection detects and blocks known weak passwords and their variants, and can also block additional weak terms that are specific to your organization. Default global banned password lists are automatically applied to all users in an Azure AD tenant. You can define additional entries in a custom banned password list. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords.

For more information, see Configure Azure AD password protection.

MFA

MFA requires that user sign-ins be subject to an additional verification beyond the user account password. Even if a malicious user determines a user account password, they must also be able to respond to an additional verification, such as a text message sent to a smartphone, before access is granted.

Figure: a correct password plus an additional verification results in a successful sign-in.

Your first step in using MFA is to require it for all administrator accounts, also known as privileged accounts.

Beyond this first step, Microsoft recommends MFA for all users.

There are three ways to require your administrators or users to use MFA, depending on your Microsoft 365 plan.

Plan: All Microsoft 365 plans (without Azure AD Premium P1 or P2 licenses)
Recommendation: Enable security defaults in Azure AD. Security defaults in Azure AD include MFA for users and administrators.

Plan: Microsoft 365 E3 (includes Azure AD Premium P1 licenses)
Recommendation: Use Common Conditional Access policies to configure the following policies:
- Require MFA for administrators
- Require MFA for all users
- Block legacy authentication

Plan: Microsoft 365 E5 (includes Azure AD Premium P2 licenses)
Recommendation: Taking advantage of Azure AD Identity Protection, begin to implement Microsoft's recommended set of Conditional Access and related policies by creating these two policies:
- Require MFA when sign-in risk is medium or high
- High risk users must change password

Security defaults

Security defaults is a new feature for Microsoft 365 and Office 365 paid or trial subscriptions created after October 21, 2019. These subscriptions have security defaults turned on, which requires all of your users to use MFA with the Microsoft Authenticator app.

Users have 14 days to register for MFA with the Microsoft Authenticator app from their smartphones, counted from the first time they sign in after security defaults has been enabled. After 14 days have passed, the user won't be able to sign in until MFA registration is completed.

Security defaults ensure that all organizations have a basic level of security for user sign-in that is enabled by default. You can disable security defaults in favor of MFA with Conditional Access policies, or for individual accounts.

For more information, see the overview of security defaults.

Conditional Access policies

Conditional Access policies are a set of rules that specify the conditions under which sign-ins are evaluated and access is granted. For example, you can create a Conditional Access policy that states:

  • If the user account is a member of a group for users that are assigned the Exchange, user, password, security, SharePoint, or global administrator roles, require MFA before allowing access.

This policy lets you require MFA based on group membership, rather than configuring individual user accounts for MFA each time they are assigned or unassigned from these administrator roles.

You can also use Conditional Access policies for more advanced capabilities, such as requiring that the sign-in is done from a compliant device, such as a laptop running Windows 10.

Conditional Access requires Azure AD Premium P1 licenses, which are included with Microsoft 365 E3 and E5.

For more information, see the overview of Conditional Access.
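The following Microsoft Graph PowerShell script is an added example and is not code from the Microsoft article. It creates the policies named in the MFA table and in this section: MFA for a group holding the administrator-role users, MFA for all users, a block on legacy authentication, and the two risk-based policies that require Azure AD Premium P2. It assumes the Microsoft.Graph.Identity.SignIns module is installed, that the signed-in account is allowed to write Conditional Access policies, and that the group ID and emergency-access account ID are placeholders you replace with values from your own tenant.

```powershell
# Added example, not part of the Microsoft article. Creates the Conditional Access
# policies the article recommends, using the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph.Identity.SignIns is installed, the signed-in
# account can write Conditional Access policies, and the two object IDs below
# are placeholders to replace with your tenant's values.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$adminGroupId     = '00000000-0000-0000-0000-000000000001'  # placeholder: group containing admin-role holders
$breakGlassUserId = '00000000-0000-0000-0000-000000000002'  # placeholder: emergency-access account

# Every policy is created in report-only mode: sign-ins are evaluated and the
# outcome is written to the sign-in log, but nothing is enforced yet. Switch a
# policy's state to 'enabled' only after reviewing its report-only results.
$reportOnly = 'enabledForReportingButNotEnforced'

# The emergency-access account is excluded from every policy so that a
# misconfigured policy or an MFA outage cannot lock all administrators out.
$allUsersExceptBreakGlass = @{ includeUsers = @('All'); excludeUsers = @($breakGlassUserId) }
$allApps = @{ includeApplications = @('All') }

$policies = @(
    @{  # Azure AD Premium P1: MFA by group membership, as described in the text
        displayName   = 'Require MFA for administrators'
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeGroups = @($adminGroupId); excludeUsers = @($breakGlassUserId) }
            applications   = $allApps
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    },
    @{
        displayName   = 'Require MFA for all users'
        state         = $reportOnly
        conditions    = @{ users = $allUsersExceptBreakGlass; applications = $allApps; clientAppTypes = @('all') }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    },
    @{  # Legacy protocols cannot complete an MFA challenge, so they are blocked outright
        displayName   = 'Block legacy authentication'
        state         = $reportOnly
        conditions    = @{
            users          = $allUsersExceptBreakGlass
            applications   = $allApps
            clientAppTypes = @('exchangeActiveSync', 'other')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    },
    @{  # Azure AD Premium P2 (Identity Protection) from here on
        displayName   = 'Require MFA when sign-in risk is medium or high'
        state         = $reportOnly
        conditions    = @{
            users            = $allUsersExceptBreakGlass
            applications     = $allApps
            clientAppTypes   = @('all')
            signInRiskLevels = @('medium', 'high')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    },
    @{  # A forced password change must be combined with MFA, hence operator AND
        displayName   = 'High risk users must change password'
        state         = $reportOnly
        conditions    = @{
            users          = $allUsersExceptBreakGlass
            applications   = $allApps
            clientAppTypes = @('all')
            userRiskLevels = @('high')
        }
        grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'passwordChange') }
    }
)

# Idempotent: a policy whose display name already exists in the tenant is skipped.
$existing = Get-MgIdentityConditionalAccessPolicy -All
foreach ($policy in $policies) {
    $match = $existing | Where-Object { $_.DisplayName -eq $policy.displayName }
    if ($match) {
        Write-Host "Skipping '$($policy.displayName)': already exists (id $($match.Id), state $($match.State))"
        continue
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' (id $($created.Id)) in state $($created.State)"
}
```

Because security defaults and Conditional Access are mutually exclusive, security defaults must be turned off before any of these policies is moved from report-only to enabled, and the two risk-based policies only evaluate risk when the tenant holds Azure AD Premium P2 licenses.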

Using these methods together

Keep the following in mind:

  • You cannot enable security defaults if you have any Conditional Access policies enabled.
  • You cannot enable any Conditional Access policies if you have security defaults enabled.

If security defaults are enabled, all new users are prompted for MFA registration and the use of the Microsoft Authenticator app.

This table shows the results of enabling MFA with security defaults and with Conditional Access policies.

Method: Security defaults
  Enabled: Can't use Conditional Access policies
  Disabled: Can use Conditional Access policies
  Additional authentication method: Microsoft Authenticator app

Method: Conditional Access policies
  Enabled: If any are enabled, you can't enable security defaults
  Disabled: If all are disabled, you can enable security defaults
  Additional authentication method: User specifies during MFA registration
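As an added example that is not part of the Microsoft article, the following read-only script checks which of the two methods a tenant is currently relying on and whether the mutual exclusion above would block a switch in either direction. It assumes the Microsoft.Graph.Identity.SignIns module and an account granted the Policy.Read.All permission; the command it prints for turning security defaults off is shown only as text and is not executed.

```powershell
# Added example, not part of the Microsoft article: a read-only pre-flight check
# that reports whether the tenant is on security defaults or Conditional Access
# and in which direction a switch is currently possible.
# Assumptions: Microsoft.Graph.Identity.SignIns is installed and the signed-in
# account holds Policy.Read.All.
Connect-MgGraph -Scopes 'Policy.Read.All'

$securityDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$caPolicies       = Get-MgIdentityConditionalAccessPolicy -All

# Group Conditional Access policies by state; only 'enabled' policies count as
# enforced, report-only policies evaluate sign-ins without blocking anything.
$enabled    = @($caPolicies | Where-Object { $_.State -eq 'enabled' })
$reportOnly = @($caPolicies | Where-Object { $_.State -eq 'enabledForReportingButNotEnforced' })
$disabled   = @($caPolicies | Where-Object { $_.State -eq 'disabled' })

Write-Host ('Security defaults enabled  : {0}' -f $securityDefaults.IsEnabled)
Write-Host ('Conditional Access policies: {0} enabled, {1} report-only, {2} disabled' -f
    $enabled.Count, $reportOnly.Count, $disabled.Count)

if ($securityDefaults.IsEnabled) {
    Write-Host 'Tenant relies on security defaults (MFA for all users with the Microsoft Authenticator app).'
    Write-Host 'Conditional Access policies cannot be enabled until security defaults are turned off, for example with:'
    Write-Host '    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false'
}
elseif ($enabled.Count -gt 0) {
    Write-Host 'Tenant relies on Conditional Access. Security defaults cannot be re-enabled while these policies are enabled:'
    $enabled | ForEach-Object { Write-Host "  - $($_.DisplayName) ($($_.Id))" }
}
else {
    # Neither method is active: the tenant has no MFA requirement from either of the two methods described here.
    Write-Warning 'Security defaults are off and no Conditional Access policy is enabled: neither method is requiring MFA.'
    Write-Host 'Security defaults can be turned on again; review any report-only policies first:'
    $reportOnly | ForEach-Object { Write-Host "  - $($_.DisplayName) (report-only)" }
}
```

The third branch is the state worth alerting on: it is easy to reach by disabling security defaults in preparation for Conditional Access and then leaving every new policy in report-only mode, which enforces nothing.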

Identity and device access configurations

Identity and device access settings and policies are recommended prerequisite features. Combined with Conditional Access, Intune, and Azure AD Identity Protection policies, their settings determine whether a given access request should be granted and under what conditions. This determination is based on the user account of the sign-in, the device being used, the app the user is using for access, the location from which the access request is made, and an assessment of the risk of the request. This capability helps ensure that only approved users and devices can access your critical resources.

Note

Azure AD Identity Protection requires Azure AD Premium P2 licenses, which are included with Microsoft 365 E5.

Identity and device access policies are defined to be used in three tiers:

  • Baseline protection is a minimum level of security for your identities and devices that access your apps and data.
  • Sensitive protection provides additional security for specific data. Identities and devices are subject to higher levels of security and device health requirements.
  • Protection for environments with highly regulated or classified data is for typically small amounts of data that are highly classified, contain trade secrets, or are subject to data regulations. Identities and devices are subject to much higher levels of security and device health requirements.

These tiers and their corresponding configurations provide consistent levels of protection across your data, identities, and devices.

Microsoft highly recommends configuring and rolling out identity and device access policies in your organization, including specific settings for Microsoft Teams, Exchange Online, and SharePoint. For more information, see Identity and device access configurations.

Azure AD Identity Protection

In this section, you'll learn how to configure policies that protect against credential compromise, where an attacker determines a user's account name and password to gain access to an organization's cloud services and data. Azure AD Identity Protection provides a number of ways to help prevent an attacker from compromising a user account's credentials.

With Azure AD Identity Protection, you can:

Capability: Determine and address potential vulnerabilities in your organization's identities
Description: Azure AD uses machine learning to detect anomalies and suspicious activity, such as sign-ins and post-sign-in activities. Using this data, Azure AD Identity Protection generates reports and alerts that help you evaluate the issues and take action.

Capability: Detect suspicious actions that are related to your organization's identities and respond to them automatically
Description: You can configure risk-based policies that automatically respond to detected issues when a specified risk level has been reached. These policies, in addition to other Conditional Access controls provided by Azure AD and Microsoft Intune, can either automatically block access or take corrective actions, including password resets and requiring Azure AD Multi-Factor Authentication for subsequent sign-ins.

Capability: Investigate suspicious incidents and resolve them with administrative actions
Description: You can investigate risk events using information about the security incident. Basic workflows are available to track investigations and initiate remediation actions, such as password resets.

See more information about Azure AD Identity Protection.

See the steps to enable Azure AD Identity Protection.
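The following script is an added example, not code from the Microsoft article, for the investigation capability in the table above. It lists the users that Identity Protection currently rates as high risk together with the detections behind each rating, which is the information the risk-based policies act on. It assumes the Microsoft.Graph.Identity.SignIns module, Azure AD Premium P2 licensing, and an account granted the two read permissions in the script; the two remediation commands at the end are left commented out with a placeholder user ID.

```powershell
# Added example, not part of the Microsoft article: summarise the users that
# Identity Protection rates as high risk and the detections behind the rating,
# as a starting point for the investigation workflow described in the text.
# Assumptions: Microsoft.Graph.Identity.SignIns is installed, the tenant has
# Azure AD Premium P2, and the signed-in account holds the two read permissions.
Connect-MgGraph -Scopes 'IdentityRiskyUser.Read.All', 'IdentityRiskEvent.Read.All'

# 'atRisk' excludes users whose risk was already remediated or dismissed.
$riskyUsers = Get-MgRiskyUser -Filter "riskLevel eq 'high' and riskState eq 'atRisk'" -All

$report = foreach ($user in $riskyUsers) {
    # Every individual detection (leaked credentials, atypical travel, ...) that
    # contributed to this user's risk, newest first.
    $detections = Get-MgRiskDetection -Filter "userId eq '$($user.Id)'" -All |
        Sort-Object DetectedDateTime -Descending

    [pscustomobject]@{
        User        = $user.UserPrincipalName
        RiskLevel   = $user.RiskLevel
        RiskState   = $user.RiskState
        LastUpdated = $user.RiskLastUpdatedDateTime
        Detections  = ($detections | ForEach-Object {
                          '{0} ({1}) from {2}' -f $_.RiskEventType, $_.RiskLevel, $_.IPAddress
                      }) -join '; '
    }
}

if (-not $report) {
    Write-Host 'No users are currently rated high risk.'
}
else {
    $report | Sort-Object LastUpdated -Descending | Format-Table -AutoSize -Wrap
}

# After the investigation, record the outcome so the risk-based policies react
# to it. Uncomment one of these for a specific user object ID (placeholder below):
# Confirm-MgRiskyUserCompromised -UserIds @('<user-object-id>')   # confirmed compromise: risk stays high
# Invoke-MgDismissRiskyUser      -UserIds @('<user-object-id>')   # false positive: risk is dismissed
```

Confirming a compromise keeps the user inside the scope of the "High risk users must change password" policy until the password is changed, whereas dismissing the risk releases the user from that policy, so the two actions should only be taken once the detections have been reviewed.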

Admin technical resources for MFA and secure sign-ins

Next step

Manage your user accounts