Multi-factor authentication for your Microsoft 365 for enterprise test environment

This Test Lab Guide can be used for both Microsoft 365 for enterprise and Office 365 Enterprise test environments.

For an additional level of security for signing in to Microsoft 365 or any service or application that uses the Azure AD tenant for your subscription, you can enable Azure AD multi-factor authentication, which requires more than just a username and password to verify an account.

With multi-factor authentication, users are required to acknowledge a phone call, type a verification code sent in a text message, or verify the authentication with an app on their smart phones after correctly entering their passwords. They can sign in only after this second authentication factor is satisfied.

This article describes how to enable and test text message-based authentication for a specific user account.

Setting up multi-factor authentication for an account in your Microsoft 365 for enterprise test environment involves two phases and a third optional phase:

Test Lab Guides for the Microsoft cloud

Tip

For a visual map to all the articles in the Microsoft 365 for enterprise Test Lab Guide stack, go to Microsoft 365 for enterprise Test Lab Guide Stack.

Phase 1: Build out your Microsoft 365 for enterprise test environment

If you just want to test multi-factor authentication in a lightweight way with the minimum requirements, follow the instructions in Lightweight base configuration.

If you want to test multi-factor authentication in a simulated enterprise, follow the instructions in Pass-through authentication.

Note

Testing multi-factor authentication does not require the simulated enterprise test environment, which includes a simulated intranet connected to the internet and directory synchronization for an Active Directory Domain Services (AD DS) forest. It is provided here as an option so that you can test multi-factor authentication and experiment with it in an environment that represents a typical organization.

Phase 2: Enable and test multi-factor authentication for the User 2 account

Enable multi-factor authentication for the User 2 account with these steps:

  1. Open a separate, private instance of your browser, go to the Microsoft 365 admin center (https://portal.microsoft.com), and then sign in with your global administrator account.

  2. In the left navigation, select Users > Active users.

  3. In the Active users pane, select Multi-factor authentication.

  4. In the list, select the User 2 account.

  5. In the User 2 section, under Quick steps, select Enable.

  6. In the About enabling multi-factor auth dialog box, select Enable multi-factor auth.

  7. In the Updates successful dialog box, select Close.

  8. On the Microsoft 365 admin center tab, select the user account icon in the upper right, and then select Sign out.

  9. Close your browser instance.

Complete the configuration for the User 2 account to use a text message for validation and test it with these steps:

  1. Open a new, private instance of your browser.

  2. Go to the Microsoft 365 admin center and sign in with the User 2 account name and password.

  3. After signing in, you are prompted to set up the account for more information. Select Next.

  4. On the Additional security verification page:

    • Select your country or region.

    • Enter the phone number of the smart phone that will receive text messages.

    • In Method, select Send me a code by text message.

  5. Select Next.

  6. Enter the verification code from the text message received on your smart phone, and then select Verify.

  7. On the Step 3: Keep your existing applications page, select Done.

  8. If this is the first time you signed in with the User 2 account, you are prompted to change the password. Enter the original password and a new password twice, and then select Update password and sign in. Record the new password in a secure location.

    You should see the Office portal for User 2 on the Microsoft Office Home tab of your browser.

Phase 3: Enable and test multi-factor authentication with a conditional access policy

This phase can only be used for a Microsoft 365 for enterprise test environment.

In this phase, you enable multi-factor authentication for the User 3 account using a group and a conditional access policy.

Next, create a new group named MFAUsers and add the User 3 account to it.

  1. On the Microsoft 365 admin center tab, select Groups in the left navigation, and then select Groups.
  2. Select Add a group.
  3. In the Choose a group type pane, select Security, and then select Next.
  4. In the Set up the basics pane, select Create group, and then select Close.
  5. In the Review and finish adding group pane, enter MFAUsers, and then select Next.
  6. In the list of groups, select the MFAUsers group.
  7. In the MFAUsers pane, select Members, and then select View all and manage members.
  8. In the MFAUsers pane, select Add members, select the User 3 account, and then select Save > Close > Close.

Next, create a conditional access policy to require multifactor authentication for members of the MFAUsers group.

  1. In a new tab of your browser, go to https://portal.azure.com.
  2. Select Azure Active Directory > Security > Conditional Access.
  3. In the Conditional access – Policies pane, select New policy.
  4. In the New pane, enter MFA for user accounts in the Name box.
  5. In the Assignments section, select Users and groups.
  6. On the Include tab of the Users and groups pane, select Select users and groups > Users and groups > Select.
  7. In the Select pane, select the MFAUsers group, and then select Select > Done.
  8. In the Access controls section of the New pane, select Grant.
  9. In the Grant pane, select Require multi-factor authentication, and then select Select.
  10. In the New pane, select On for Enable policy, and then select Create.
  11. Close the Azure portal and Microsoft 365 admin center tabs.

To test this policy, sign out and sign in with the User 3 account. You should be prompted to configure MFA. This demonstrates that the MFAUsers policy is being applied.
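The sign-in prompt shows the policy fires for User 3; the policy definition can also be checked directly. The following is an added example, not part of the original guide: it audits a policy exported as JSON in the shape of the Microsoft Graph conditionalAccessPolicy resource. The sample policy, the group object ID and the function name audit_mfa_policy are constructed for illustration.

```python
import json

# Placeholder object ID standing in for the MFAUsers group (constructed value).
MFA_GROUP_ID = "00000000-0000-0000-0000-0000000000aa"

# Constructed sample of the Phase 3 policy, using Microsoft Graph
# conditionalAccessPolicy field names. Not an export from a real tenant.
SAMPLE_POLICY = json.loads("""
{
  "displayName": "MFA for user accounts",
  "state": "enabled",
  "conditions": {
    "users": {"includeGroups": ["00000000-0000-0000-0000-0000000000aa"],
              "excludeUsers": [], "excludeGroups": []},
    "applications": {"includeApplications": ["All"]}
  },
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}
}
""")


def audit_mfa_policy(policy, group_id):
    """Return findings; an empty list means MFA is enforced for group_id."""
    findings = []

    # "disabled" and "enabledForReportingButNotEnforced" never challenge users.
    state = policy.get("state")
    if state != "enabled":
        findings.append(f"state is {state!r}: policy is not enforced")

    users = (policy.get("conditions") or {}).get("users") or {}
    in_scope = (group_id in (users.get("includeGroups") or [])
                or "All" in (users.get("includeUsers") or []))
    if not in_scope:
        findings.append("target group is not in the policy scope")

    # Exclusions silently remove accounts from the MFA requirement.
    for key in ("excludeUsers", "excludeGroups"):
        if users.get(key):
            findings.append(f"{key} is non-empty: review each exclusion")

    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if "mfa" not in controls:
        findings.append("grant controls do not require mfa")
    elif len(controls) > 1 and grant.get("operator") == "OR":
        # With OR, satisfying any other control grants access without MFA.
        findings.append("mfa is only one alternative under operator OR")
    return findings
```

An empty result for the exported policy matches the configuration built in the steps above; any finding names the setting to revisit in the Conditional Access pane.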

Next step

Explore additional identity features and capabilities in your test environment.

See also

Identity roadmap

Microsoft 365 for enterprise Test Lab Guides

Microsoft 365 for enterprise overview

Microsoft 365 for enterprise documentation