Set up multi-factor authentication

This article describes how to set up multi-factor authentication (MFA) for Office 365 users. For more information about MFA, see How Azure multi-factor authentication works.

You get a free version of Azure multi-factor authentication as part of your Office 365 for business subscription. For a list of features included in your version of Office 365, see How to get Azure Multi-Factor Authentication.

Note

You must be an Office 365 global admin to set up or modify multi-factor authentication.

Enable multi-factor authentication for your organization

All Office 2016 client applications support MFA through the use of the Active Directory Authentication Library (ADAL). This means that app passwords aren't required for Office 2016 clients. However, you need to make sure your Office 365 subscription is enabled for ADAL, or modern authentication.

  1. To enable modern authentication, from the admin center, turn on the new admin center by selecting the Try the new admin center toggle located at the top of the Home page.

  2. Select Settings > Services & add-ins and then choose Modern authentication from the list.

  3. Check the Enable modern authentication box in the Modern authentication panel.

    Modern authentication panel with the Enable check box selected.

Set up multi-factor authentication in the new Microsoft 365 admin center

  1. In the admin center, turn on the new admin center by selecting the Try the new admin center toggle located at the top of the Home page.

  2. In the right navigation pane, select Setup.

  3. On the Turn on multi-factor authentication (MFA) card, select View.

  4. Select Get started.

  5. Select the Require multi-factor authentication and Require users to register for multi-factor authentication and block access if risk is detected check boxes.

  6. Under Do you want to exclude anyone from these policies, select any users that you want to exclude from the drop-down list box.

  7. Select Choose policy. You will return to the Multi-factor authentication (MFA) page, which will now say Completed.

After you set up multi-factor authentication for your organization, your users will be required to set up two-step verification on their devices. For more information, see Set up 2-step verification for Office 365.

Manage MFA settings in the new Microsoft 365 admin center

  1. In the admin center, turn on the new admin center by selecting the Try the new admin center toggle located at the top of the Home page.

  2. In the right navigation pane, select Setup.

  3. On the Turn on multi-factor authentication (MFA) card, it will say Completed. Select View.

  4. On the Turn on multi-factor authentication (MFA) page, select Manage.

  5. The Azure portal Conditional Access - Policies page will appear. To turn multi-factor authentication on or off:

    1. Select Baseline policy: End user protection (Preview), and turn the Enable toggle on or off.

    2. Select Baseline policy: Require MFA for admins (Preview), and turn the Enable toggle on or off.

    Note

    To exclude users from a policy, select specific users excluded > Select excluded users, select the users from the list, and then choose Select.

Set up multi-factor authentication in the old Microsoft 365 admin center

  1. In the admin center, go to Users > Active users.

  2. IMPORTANT: BEFORE you select a user, select Multi-factor authentication from the drop-down list above the list of users.

    Note

    If you don't see the Multi-factor authentication option, then you aren't a global admin for your subscription. Only global admins can enable or disable MFA.

  3. On the multi-factor authentication page, find the people for whom you want to enable MFA. In order to see everyone, you might need to change the Multi-Factor Auth status view at the top.

    The views have the following values, based on the MFA state of the users:

    • Any: Displays all users. This is the default state.

    • Enabled: The person has been enrolled in MFA, but has not completed the registration process. They will be prompted to complete the process the next time they sign in.

    • Enforced: The person may or may not have completed registration. If they have completed the registration process, then they are using MFA. Otherwise, they will be prompted to complete the process the next time they sign in.

  4. Select the check box next to the people for whom you want to enable MFA.

  5. On the right, under quick steps, you'll see Enable and Manage user settings. Select Enable.

  6. In the dialog box that opens, select enable multi-factor auth.
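
The status values described in this procedure can also be checked from PowerShell after you enable MFA. The following is an added example, not part of the original article; it assumes the legacy MSOnline module (Connect-MsolService, Get-MsolUser) and a global admin sign-in, and it reports which accounts are Enabled or Enforced but have not yet registered a verification method.

```powershell
# Added example: compare per-user MFA state with actual registration.
# Assumption: the legacy MSOnline module is installed and you sign in as a global admin.
Import-Module MSOnline
Connect-MsolService

$report = Get-MsolUser -All | ForEach-Object {
    # No StrongAuthenticationRequirements entry means per-user MFA is off for the account.
    $state = if ($_.StrongAuthenticationRequirements.Count -gt 0) {
        $_.StrongAuthenticationRequirements[0].State      # Enabled or Enforced
    } else {
        'Disabled'
    }

    # Registered verification methods; an empty list means registration is not complete.
    $methods = @($_.StrongAuthenticationMethods)
    $default = ($methods | Where-Object { $_.IsDefault }).MethodType

    [pscustomobject]@{
        ObjectId          = $_.ObjectId
        UserPrincipalName = $_.UserPrincipalName
        MfaState          = $state
        Registered        = ($methods.Count -gt 0)
        DefaultMethod     = $default
    }
}

# How many accounts are in each state.
$report | Group-Object MfaState | Select-Object Name, Count

# Enabled or Enforced, but no method registered yet: these users are
# prompted to complete registration at their next sign-in.
$report |
    Where-Object { $_.MfaState -ne 'Disabled' -and -not $_.Registered } |
    Sort-Object UserPrincipalName |
    Format-Table UserPrincipalName, MfaState

# Global admins ("Company Administrator" role) whose per-user MFA is still off.
$adminRole = Get-MsolRole -RoleName 'Company Administrator'
$adminIds  = (Get-MsolRoleMember -RoleObjectId $adminRole.ObjectId).ObjectId
$report |
    Where-Object { $adminIds -contains $_.ObjectId -and $_.MfaState -eq 'Disabled' } |
    Format-Table UserPrincipalName, MfaState, Registered
```

Accounts that get MFA only through the baseline Conditional Access policies still show as Disabled here, because this report reads the per-user setting.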

Allow MFA users to create app passwords for Office client apps

Older email applications like Office 2013 need app passwords. Here's how to allow your users to create them:

  1. In the admin center, go to Users > Active users.

  2. IMPORTANT: BEFORE you select a user, select Multi-factor authentication above the list of users.

    Tip

    If you don't see the Multi-factor authentication option, then you aren't a global admin for your subscription. Only global admins can enable or disable MFA.

  3. On the multi-factor authentication page, select service settings.

    The multi-factor authentication page with a hand pointing to the service settings link.

  4. Under app passwords, select Allow users to create app passwords to sign into non-browser apps. People can then use client Office apps after they create a new password.

  5. Select Save, then Close.

Note

Modern authentication can be enabled for Office 2013 by setting a few registry keys. For more information, see Enable Modern Authentication for Office 2013 on Windows devices.

Manage MFA user settings in the old Microsoft 365 admin center

  1. On the multi-factor authentication page, select the check box next to the people you want to manage.

  2. On the right, under quick steps, select Manage user settings.

  3. In the Manage user settings dialog box, select one or more of the following options:

    • Require selected users to provide contact methods again

    • Delete all existing app passwords generated by the selected users

    • Restore multi-factor authentication on all remembered devices

  4. Select Save, then Close.

Bulk update users in MFA in the old Microsoft 365 admin center

You can bulk update the status for existing people by using a CSV file. The CSV file is used only for enabling or disabling MFA, based on the user names present in the file. It is not used to create new users.

  1. On the multi-factor authentication page, select bulk update.

  2. In the Select a CSV file dialog box, select Browse for file.

  3. Browse for the file that contains the updates, then select Open. The column headings in your file must match the column headings in the following example:

    bulk update CSV sample file

  4. Select the Next arrow.

  5. After the file is verified, select the Next arrow to update the accounts.

  6. When the process is finished, select the Done checkmark.

Instructions for your users after MFA is set up

After you enable MFA on your tenant, give the following instructions to people to set up their second sign-in method for Office 365: