How it works: Azure Multi-Factor Authentication

The security of two-step verification lies in its layered approach. Compromising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn the user's password, it is useless without also having possession of the additional authentication method. It works by requiring two or more of the following authentication methods:

  • Something you know (typically a password)
  • Something you have (a trusted device that is not easily duplicated, like a phone)
  • Something you are (biometrics)

[Image: conceptual authentication methods]

Azure Multi-Factor Authentication (MFA) helps safeguard access to data and applications while maintaining simplicity for users. It provides additional security by requiring a second form of authentication and delivers strong authentication via a range of easy-to-use authentication methods. Whether a user is challenged for MFA depends on the configuration decisions that an administrator makes.

How to get Multi-Factor Authentication

Multi-Factor Authentication comes as part of the following offerings:

  • Azure Active Directory Premium or Microsoft 365 Business - Full-featured use of Azure Multi-Factor Authentication, using Conditional Access policies to require multi-factor authentication.

  • Azure AD Free, Azure AD Basic, or standalone Office 365 licenses - Use the pre-created Conditional Access baseline protection policies to require multi-factor authentication for your users and administrators.

  • Azure Active Directory Global Administrators - A subset of Azure Multi-Factor Authentication capabilities is available as a means to protect global administrator accounts.

Note

New customers may no longer purchase Azure Multi-Factor Authentication as a standalone offering effective September 1st, 2018. Multi-factor authentication will continue to be an available feature in Azure AD Premium licenses.

Supportability

Since most users are accustomed to authenticating with only a password, it is important that your organization communicates this process to all users. Awareness reduces the likelihood that users call your help desk for minor issues related to MFA. However, there are some scenarios where temporarily disabling MFA for a user is necessary. Use the following guidelines to understand how to handle those scenarios:

  • Train your support staff to handle scenarios where the user can't sign in because they do not have access to their authentication methods or those methods are not working correctly.
    • With Conditional Access policies for the Azure MFA service, your support staff can add the user to a group that is excluded from the policy requiring MFA, and remove them again once their authentication method is restored.
  • Consider using Conditional Access named locations as a way to minimize two-step verification prompts. With this functionality, administrators can bypass two-step verification for users signing in from a secure, trusted network location, such as a network segment used for new-user onboarding.
  • Deploy Azure AD Identity Protection and trigger two-step verification based on risk events.
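The three guidelines above (an exclusion group the help desk controls, a trusted named location, and a risk-triggered policy) can all be expressed as Conditional Access objects. The following is an added example, not code from the original article, that creates them with the Microsoft Graph PowerShell SDK. The group name, the onboarding range 203.0.113.0/24, and the user alice@contoso.example are hypothetical values chosen for illustration; the tenant, licences (risk-based policies need Azure AD Premium P2) and permission scopes are assumptions.

```powershell
# Added example (not part of the original article): configure the Conditional
# Access safeguards described in the Supportability section.
# Assumptions: Microsoft.Graph module installed (Install-Module Microsoft.Graph);
# the signed-in admin can consent to the scopes below; hypothetical values for
# the group name, onboarding CIDR (TEST-NET-3) and user UPN.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Group.ReadWrite.All', 'Application.Read.All'

# 1. A security group the help desk can add users to when an MFA method is lost.
$exclusionGroup = New-MgGroup -DisplayName 'MFA-Exclusions' -MailNickname 'mfa-exclusions' `
    -MailEnabled:$false -SecurityEnabled:$true

# 2. A trusted named location for the onboarding network segment.
$onboardingLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Onboarding network'
    isTrusted     = $true
    ipRanges      = @(@{
        '@odata.type' = '#microsoft.graph.iPv4CidrRange'
        cidrAddress   = '203.0.113.0/24'   # hypothetical range
    })
}

# 3. Require MFA for all users on all cloud apps, except members of the exclusion
#    group and sign-ins from trusted locations. Report-only first: check the
#    sign-in logs for the expected outcome before switching state to 'enabled'.
$mfaPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Require MFA for all users'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($exclusionGroup.Id)
        }
        applications   = @{ includeApplications = @('All') }
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')   # covers the named location above
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

# 4. Identity Protection: a separate policy that challenges only when the
#    sign-in risk is medium or high (Azure AD Premium P2). It deliberately has no
#    location exclusion: a risky sign-in from the office should still be challenged.
$riskPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Require MFA for risky sign-ins'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users            = @{ includeUsers = @('All'); excludeGroups = @($exclusionGroup.Id) }
        applications     = @{ includeApplications = @('All') }
        clientAppTypes   = @('all')
        signInRiskLevels = @('medium', 'high')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Help-desk runbook: temporarily exempt a user whose phone is lost, and remove
# the exemption once they have re-registered an authentication method.
$user = Get-MgUser -UserId 'alice@contoso.example'   # hypothetical user
New-MgGroupMember -GroupId $exclusionGroup.Id -DirectoryObjectId $user.Id
# ... after the user re-registers ...
Remove-MgGroupMemberByRef -GroupId $exclusionGroup.Id -DirectoryObjectId $user.Id
```

Two practitioner checks apply here. Any policy scoped to All users should also exclude at least one emergency-access account, otherwise a broken MFA service can lock administrators out of the tenant. Membership of the exclusion group is an MFA bypass, so audit it regularly and treat every addition as time-limited rather than permanent.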

Next steps