Provide managed security service provider (MSSP) access

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Applies to:

To implement a multi-tenant delegated access solution, take the following steps:

  1. Enable role-based access control in Defender for Endpoint in the Microsoft 365 security center and connect it with Azure Active Directory (Azure AD) groups.

  2. Configure Governance Access Packages for access requests and provisioning.

  3. Manage access requests and audits in Microsoft My Access.

Enable role-based access controls in Microsoft Defender for Endpoint in the Microsoft 365 security center

  1. Create access groups for MSSP resources in the customer AAD: Groups

    These groups will be linked to the roles you create in Defender for Endpoint in the Microsoft 365 security center. To do so, in the customer AD tenant, create three groups. In our example approach, we create the following groups:

    • Tier 1 Analyst
    • Tier 2 Analyst
    • MSSP Analyst Approvers
  2. Create Defender for Endpoint roles for the appropriate access levels in the customer's Defender for Endpoint, under Microsoft 365 security center roles and groups.

    To enable RBAC in the customer Microsoft 365 security center, access Permissions > Endpoints roles & groups > Roles with a user account that has Global Administrator or Security Administrator rights.

    (Image: MSSP access)

    Then, create RBAC roles to meet the MSSP SOC tier needs. Link these roles to the created user groups via "Assigned user groups".

    Two possible roles:

    • Tier 1 Analysts
      Perform all actions except for live response and managing security settings.

    • Tier 2 Analysts
      Tier 1 capabilities with the addition of live response.

    For more information, see Use role-based access control.

Configure Governance Access Packages

  1. Add the MSSP as a connected organization in the customer AAD: Identity Governance

    Adding the MSSP as a connected organization allows the MSSP to request access and have it provisioned.

    To do so, in the customer AD tenant, access Identity Governance: Connected organization. Add a new organization and search for your MSSP Analyst tenant via Tenant ID or Domain. We suggest creating a separate AD tenant for your MSSP analysts.

  2. Create a resource catalog in the customer AAD: Identity Governance

    Resource catalogs are a logical collection of access packages, created in the customer AD tenant.

    To do so, in the customer AD tenant, access Identity Governance: Catalogs, and add New Catalog. In our example, we will call it MSSP Accesses.

    (Image: New catalog)

    For more information, see Create a catalog of resources.

  3. Create access packages for MSSP resources in the customer AAD: Identity Governance

    Access packages are the collection of rights and accesses that a requestor will be granted upon approval.

    To do so, in the customer AD tenant, access Identity Governance: Access Packages, and add New Access Package. Create an access package for the MSSP approvers and one for each analyst tier. For example, the following Tier 1 Analyst configuration creates an access package that:

    • Requires a member of the AD group MSSP Analyst Approvers to authorize new requests
    • Has annual access reviews, where the SOC analysts can request an access extension
    • Can only be requested by users in the MSSP SOC tenant
    • Auto-expires access after 365 days

    (Image: New access package)

    For more information, see Create a new access package.

  4. Provide the access request link to MSSP resources from the customer AAD: Identity Governance

    The My Access portal link is used by MSSP SOC analysts to request access via the access packages created. The link is durable, meaning the same link may be used over time for new analysts. The analyst request goes into a queue for approval by the MSSP Analyst Approvers.

    (Image: Access properties)

    The link is located on the overview page of each access package.
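To check that an access package assignment policy still matches the four Tier 1 Analyst requirements from step 3 (approval by the MSSP Analyst Approvers group, annual review, requestable only from the connected MSSP tenant, 365-day expiry), here is an added Python example that is not code from the Microsoft page. The policy dictionaries are constructed, their field names are modelled on the Microsoft Graph accessPackageAssignmentPolicy resource and should be treated as an assumption to verify against the Graph reference, and APPROVER_GROUP_ID is a placeholder.

```python
# Added example (not from the Microsoft page): audit an access package assignment policy
# against the four Tier 1 Analyst requirements from step 3. The dictionaries are constructed
# here and modelled on the Microsoft Graph accessPackageAssignmentPolicy resource; treat the
# field names as an assumption to verify against the Graph reference before use on a tenant.

APPROVER_GROUP_ID = "00000000-0000-0000-0000-000000000001"  # placeholder group id, not real

def audit_policy(policy, approver_group_id=APPROVER_GROUP_ID):
    """Return a list of findings; an empty list means all four requirements are met."""
    findings = []
    # 1. New requests must be authorized by a member of the MSSP Analyst Approvers group.
    approval = policy.get("requestApprovalSettings", {})
    approver_groups = {a.get("groupId") for stage in approval.get("stages", [])
                       for a in stage.get("primaryApprovers", [])}
    if not approval.get("isApprovalRequiredForAdd") or approver_group_id not in approver_groups:
        findings.append("new requests are not gated on the MSSP Analyst Approvers group")
    # 2. An annual access review must be enabled (monthly recurrence, interval 12).
    review = policy.get("reviewSettings", {})
    pattern = review.get("schedule", {}).get("recurrence", {}).get("pattern", {})
    if not (review.get("isEnabled") and pattern.get("type") == "absoluteMonthly"
            and pattern.get("interval") == 12):
        findings.append("annual access review is not configured")
    # 3. Only users of the connected MSSP SOC tenant may request the package.
    scope = policy.get("requestorSettings", {}).get("allowedTargetScope")
    if scope != "specificConnectedOrganizationUsers":
        findings.append(f"requestor scope {scope!r} is not limited to the connected MSSP tenant")
    # 4. Access must expire automatically after 365 days (ISO 8601 duration P365D).
    expiration = policy.get("expiration", {})
    if expiration.get("type") != "afterDuration" or expiration.get("duration") != "P365D":
        findings.append("access does not auto-expire after 365 days")
    return findings

# Constructed sample matching the page's Tier 1 Analyst configuration.
TIER1_POLICY = {
    "displayName": "Tier 1 Analyst",
    "requestApprovalSettings": {"isApprovalRequiredForAdd": True,
                                "stages": [{"primaryApprovers": [{"groupId": APPROVER_GROUP_ID}]}]},
    "reviewSettings": {"isEnabled": True, "schedule": {"recurrence": {
        "pattern": {"type": "absoluteMonthly", "interval": 12}}}},
    "requestorSettings": {"allowedTargetScope": "specificConnectedOrganizationUsers"},
    "expiration": {"type": "afterDuration", "duration": "P365D"},
}

# Constructed sample of configuration drift: widened to all external users, with no expiry.
DRIFTED_POLICY = {**TIER1_POLICY,
                  "requestorSettings": {"allowedTargetScope": "allExternalUsers"},
                  "expiration": {"type": "noExpiration"}}

if __name__ == "__main__":
    print(audit_policy(TIER1_POLICY), audit_policy(DRIFTED_POLICY))
```

Run it periodically against policies exported from the customer tenant so that drift in any of the four settings surfaces as a finding rather than going unnoticed until the next review.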

Manage access

  1. Review and authorize access requests in the customer and/or MSSP My Access.

    Access requests are managed in the customer My Access by members of the MSSP Analyst Approvers group.

    To do so, access the customer's My Access using: https://myaccess.microsoft.com/@<Customer Domain>

    Example: https://myaccess.microsoft.com/@M365x440XXX.onmicrosoft.com#/

  2. Approve or deny requests in the Approvals section of the UI.

    At this point, analyst access has been provisioned, and each analyst should be able to access the customer's Microsoft 365 security center at:

    https://security.microsoft.com/?tid=<CustomerTenantId> with the permissions and roles they were assigned.

Important

Delegated access to Microsoft Defender for Endpoint in the Microsoft 365 security center currently allows access to a single tenant per browser window.