Step 1. Increase sign-in security for hybrid workers with MFA

To increase the security of sign-ins of your hybrid workers, use multi-factor authentication (MFA). MFA requires that user sign-ins be subject to an additional verification beyond the user account password. Even if a malicious user determines a user account password, they must also be able to respond to an additional verification, such as a text message sent to a smartphone, before access is granted.

Figure: a correct password plus an additional verification results in a successful sign-in.

For all users, including hybrid workers and especially admins, Microsoft strongly recommends MFA.

There are three ways to require your users to use MFA, based on your Microsoft 365 plan.

| Plan | Recommendation |
| --- | --- |
| All Microsoft 365 plans (without Azure AD Premium P1 or P2 licenses) | Enable Security defaults in Azure AD. Security defaults in Azure AD include MFA for users and administrators. |
| Microsoft 365 E3 (includes Azure AD Premium P1 licenses) | Use Common Conditional Access policies to configure the following policies: Require MFA for administrators; Require MFA for all users; Block legacy authentication. |
| Microsoft 365 E5 (includes Azure AD Premium P2 licenses) | Taking advantage of Azure AD Identity Protection, begin to implement Microsoft's recommended set of Conditional Access and related policies by creating these policies: Require MFA when sign-in risk is medium or high; Block clients that don't support modern authentication; High risk users must change password. |

Security defaults

Security defaults is a new feature for Microsoft 365 and Office 365 paid or trial subscriptions created after October 21, 2019. These subscriptions have security defaults turned on, which requires all of your users to use MFA with the Microsoft Authenticator app.

Users have 14 days to register for MFA with the Microsoft Authenticator app from their smartphones, starting from the first time they sign in after security defaults has been enabled. After 14 days have passed, the user won't be able to sign in until MFA registration is completed.

Security defaults ensure that all organizations have a basic level of security for user sign-in that is enabled by default. You can disable security defaults in favor of MFA with Conditional Access policies or for individual accounts.

For more information, see this overview of security defaults.

Conditional Access policies

Conditional Access policies are a set of rules that specify the conditions under which sign-ins are evaluated and allowed. For example, you can create a Conditional Access policy that states:

  • If the user account name is a member of a group for users that are assigned the Exchange, user, password, security, SharePoint, or global administrator roles, require MFA before allowing access.

This policy allows you to require MFA based on group membership, rather than trying to configure individual user accounts for MFA when they are assigned or unassigned from these administrator roles.

You can also use Conditional Access policies for more advanced capabilities, such as requiring that the sign-in is done from a compliant device, such as your laptop running Windows 10.

Conditional Access requires Azure AD Premium P1 licenses, which are included with Microsoft 365 E3 and E5.

For more information, see this overview of Conditional Access.

Azure AD Identity Protection support

With Azure AD Identity Protection, you can create an additional Conditional Access policy that states:

  • If the risk of the sign-in is determined to be medium or high, require MFA.

Azure AD Identity Protection requires Azure AD Premium P2 licenses, which are included with Microsoft 365 E5.
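The two policies described above (MFA for the admin roles, and MFA when sign-in risk is medium or high), expressed with the Microsoft Graph PowerShell SDK, as an added example that is not part of this page. It assumes the Microsoft.Graph module is installed, the signed-in admin holds the Policy.ReadWrite.ConditionalAccess and Directory.Read.All permissions, and the emergency-access account ID is a placeholder you replace; both policies are created in report-only mode so you can review their impact in the sign-in logs before enforcing them.

```powershell
# Added example, not from the Microsoft page: creates the two Conditional Access
# policies described above with the Microsoft Graph PowerShell SDK.
# Assumes: Microsoft.Graph module installed; the signed-in admin holds
# Policy.ReadWrite.ConditionalAccess and Directory.Read.All.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Directory.Read.All'

# Resolve the admin role template IDs by display name instead of hard-coding GUIDs.
$roleNames = @('Global Administrator', 'Exchange Administrator', 'SharePoint Administrator',
               'Security Administrator', 'User Administrator', 'Password Administrator')
$roleIds = Get-MgDirectoryRoleTemplate |
           Where-Object { $roleNames -contains $_.DisplayName } |
           Select-Object -ExpandProperty Id

# Placeholder: object ID of your emergency-access (break-glass) account, excluded
# so a misconfigured policy cannot lock every admin out of the tenant.
$breakGlassId = '<emergency-access-account-object-id>'

# Policy 1: require MFA for the admin roles (Azure AD Premium P1).
# Report-only state: evaluated and logged, but not enforced yet.
$adminMfa = @{
    displayName   = 'Require MFA for administrators'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeRoles = $roleIds; excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminMfa

# Policy 2: require MFA when Identity Protection rates the sign-in risk medium
# or high (needs Azure AD Premium P2).
$riskMfa = @{
    displayName   = 'Require MFA for medium or high sign-in risk'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users            = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications     = @{ includeApplications = @('All') }
        signInRiskLevels = @('medium', 'high')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $riskMfa
```

Once the report-only results look right, change `state` to `enabled` on each policy.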

For more information, see Risk-based Conditional Access.

With Azure AD Identity Protection, you can also create a policy to require your users to register for MFA. For more information, see Configure the Azure AD Multi-Factor Authentication registration policy.

Using these methods together

Keep the following in mind:

  • You cannot enable security defaults if you have any Conditional Access policies enabled.
  • You cannot enable any Conditional Access policies if you have security defaults enabled.

If security defaults are enabled, all new users are prompted for MFA registration and the use of the Microsoft Authenticator app.

This table shows the results of enabling MFA with security defaults and Conditional Access policies.

| Method | Enabled | Disabled | Additional authentication method |
| --- | --- | --- | --- |
| Security defaults | Can't use Conditional Access policies | Can use Conditional Access policies | Microsoft Authenticator app |
| Conditional Access policies | If any are enabled, you can't enable security defaults | If all are disabled, you can enable security defaults | User specifies during MFA registration |

Let your users reset their own passwords

Self-Service Password Reset (SSPR) enables users to reset their own passwords without impacting IT staff. Users can quickly reset their passwords at any time and from any place. For more information, see Plan an Azure AD self-service password reset deployment.

Sign in to SaaS apps with Azure AD

In addition to providing cloud authentication for users, Azure AD can also be your central way to secure all your apps, whether they're on-premises, in Microsoft's cloud, or in another cloud. By integrating your apps into Azure AD, you can make it easy for hybrid workers to discover the applications they need and sign into them securely.

Admin technical resources for MFA and identity

Results of Step 1

After deployment of MFA, your users:

  • Are required to use MFA for sign-ins.
  • Have completed the MFA registration process and are using MFA for all sign-ins.
  • Can use SSPR to reset their own passwords.

Next step

Step 2: Provide remote access to on-premises apps and services

Continue with Step 2 to provide remote access to on-premises apps and services.