Protect global administrator accounts in your Microsoft 365 for enterprise test environment

This Test Lab Guide can only be used for Microsoft 365 for enterprise test environments.

You can prevent digital attacks on your organization by ensuring that your administrator accounts are as secure as possible.

This article describes how to use Azure Active Directory (Azure AD) conditional access policies to protect global administrator accounts.

Protecting global administrator accounts in your Microsoft 365 for enterprise test environment involves two phases:


Tip

For a visual map to all the articles in the Microsoft 365 for enterprise Test Lab Guide stack, go to Microsoft 365 for enterprise Test Lab Guide Stack.

Phase 1: Build out your Microsoft 365 for enterprise test environment

If you want to test global administrator account protection in a lightweight way with the minimum requirements, follow the instructions in Lightweight base configuration.

If you want to test global administrator account protection in a simulated enterprise, follow the instructions in Pass-through authentication.

Note

Testing global administrator account protection does not require the simulated enterprise test environment, which includes a simulated intranet connected to the internet and directory synchronization with Active Directory Domain Services (AD DS). It is provided here as an option so that you can test global administrator account protection and experiment with it in an environment that represents a typical organization.

Phase 2: Configure conditional access policies

First, create a new user account as a dedicated global administrator.

  1. On a separate tab, open the Microsoft 365 admin center.
  2. Select Users > Active users, and then select Add a user.
  3. In the Add user pane, enter DedicatedAdmin in the First name, Display name, and Username boxes.
  4. Select Password, select Let me create the password, and then enter a strong password. Record the password for this new account in a secure location.
  5. Select Next.
  6. In the Assign product licenses pane, select Microsoft 365 E5, and then select Next.
  7. In the Optional settings pane, select Roles > Admin center access > Global admin > Next.
  8. On the You're almost done pane, select Finish adding, and then select Close.

Next, create a new group named GlobalAdmins and add the DedicatedAdmin account to it.

  1. On the Microsoft 365 admin center tab, select Groups in the left navigation, and then select Groups.
  2. Select Add a group.
  3. In the Choose a group type pane, select Security, and then select Next.
  4. In the Set up the basics pane, select Create group, and then select Close.
  5. In the Review and finish adding group pane, enter GlobalAdmins, and then select Next.
  6. In the list of groups, select the GlobalAdmins group.
  7. In the GlobalAdmins pane, select Members, and then select View all and manage members.
  8. In the GlobalAdmins pane, select Add members, select the DedicatedAdmin account and your global admin account, and then select Save > Close > Close.

Next, create conditional access policies to require multi-factor authentication for global administrator accounts and to deny authentication if the sign-in risk is medium or high.

This first policy requires that all global administrator accounts use MFA.

  1. In a new tab of your browser, go to https://portal.azure.com.
  2. Click Azure Active Directory > Security > Conditional Access.
  3. In the Conditional access – Policies pane, select Baseline policy: Require MFA for admins (preview).
  4. In the Baseline policy pane, select Use policy immediately > Save.

This second policy blocks access to global administrator account authentication when the sign-in risk is medium or high.

  1. In the Conditional access – Policies pane, select New policy.
  2. In the New pane, enter Global administrators in Name.
  3. In the Assignments section, select Users and groups.
  4. On the Include tab of the Users and groups pane, select Select users and groups > Users and groups > Select.
  5. In the Select pane, select the GlobalAdmins group, and then select Select > Done.
  6. In the Assignments section, select Conditions.
  7. In the Conditions pane, select Sign-in risk, select Yes for Configure, select High and Medium, and then select Select and Done.
  8. In the Access controls section of the New pane, select Grant.
  9. In the Grant pane, select Block access, and then select Select.
  10. In the New pane, select On for Enable policy, and then select Create.
  11. Close the Azure portal and Microsoft 365 admin center tabs.
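As an added example that is not part of the original guide, the same sign-in-risk policy expressed through the Microsoft Graph PowerShell SDK rather than the portal. It assumes the Microsoft.Graph module is installed, that the GlobalAdmins group from the previous procedure exists, and, because the Graph API requires an application scope that the portal steps above do not mention, it targets all cloud apps.

```powershell
# Added example: create the "Global administrators" sign-in-risk block policy
# via Microsoft Graph. Assumes the Microsoft.Graph module and a GlobalAdmins group.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

# Resolve the GlobalAdmins group created earlier to its object id.
$group = Get-MgGroup -Filter "displayName eq 'GlobalAdmins'" | Select-Object -First 1
if (-not $group) { throw "GlobalAdmins group not found; create it first." }

$policy = @{
    displayName = "Global administrators"
    # "enabled" matches "Enable policy: On" in the portal. To stage the policy
    # without enforcing it, use "enabledForReportingButNotEnforced" first and
    # review the sign-in logs before switching to "enabled".
    state       = "enabled"
    conditions  = @{
        # Assignments > Users and groups > Include: the GlobalAdmins group
        users            = @{ includeGroups = @($group.Id) }
        # Assumption: the portal steps do not name a cloud-app scope, but the
        # Graph API requires one, so this example applies to all cloud apps.
        applications     = @{ includeApplications = @("All") }
        # Conditions > Sign-in risk: High and Medium
        signInRiskLevels = @("high", "medium")
        clientAppTypes   = @("all")
    }
    grantControls = @{
        operator        = "OR"
        # Access controls > Grant > Block access
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Keep at least one break-glass account excluded from risk-based block policies so that a false-positive risk detection cannot lock every administrator out of the tenant.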

To test the first policy, sign out and sign in with the DedicatedAdmin account. You should be prompted to configure MFA. This demonstrates that the first policy is being applied.

Next step

Explore additional identity features and capabilities in your test environment.

See also

Identity roadmap

Microsoft 365 for enterprise Test Lab Guides

Microsoft 365 for enterprise overview

Microsoft 365 for enterprise documentation