How it works: Azure Multi-Factor Authentication

The security of two-step verification lies in its layered approach. Compromising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn the user's password, it is useless without also having possession of the additional authentication method. It works by requiring two or more of the following authentication methods:

  • Something you know (typically a password)
  • Something you have (a trusted device that is not easily duplicated, like a phone)
  • Something you are (biometrics)

[Image: conceptual authentication methods]

Azure Multi-Factor Authentication (MFA) helps safeguard access to data and applications while maintaining simplicity for users. It provides additional security by requiring a second form of authentication and delivers strong authentication via a range of easy-to-use authentication methods. Whether a user is challenged for MFA depends on configuration decisions that an administrator makes, such as Conditional Access policies, trusted locations and risk settings.

How to get Multi-Factor Authentication?

Multi-Factor Authentication comes as part of the following offerings:

  • Azure Active Directory Premium or Microsoft 365 Business - Full-featured use of Azure Multi-Factor Authentication, using Conditional Access policies to require multi-factor authentication.

  • Azure AD Free or standalone Office 365 licenses - Use the pre-created Conditional Access baseline protection policies to require multi-factor authentication for your users and administrators.

  • Azure Active Directory Global Administrators - A subset of Azure Multi-Factor Authentication capabilities is available as a means to protect global administrator accounts.

Note

New customers may no longer purchase Azure Multi-Factor Authentication as a standalone offering effective September 1, 2018. Multi-factor authentication will continue to be an available feature in Azure AD Premium licenses.

Supportability

Since most users are accustomed to authenticating with only a password, it is important that your organization communicates this change to all users before it is enforced. Awareness reduces the likelihood that users call your help desk for minor issues related to MFA. There are, however, some scenarios where temporarily disabling MFA for a user is necessary. Use the following guidelines to handle those scenarios:

  • Train your support staff to handle scenarios where the user can't sign in because they do not have access to their authentication methods or the methods are not working correctly.
    • Using Conditional Access policies for the Azure MFA service, your support staff can add a user to a group that is excluded from the policy requiring MFA. Treat membership of that group as a temporary, logged exception: verify the user's identity out of band before adding them, and remove them once their authentication method is restored.
  • Consider using Conditional Access named locations as a way to minimize two-step verification prompts. With this functionality, administrators can bypass two-step verification for users who sign in from a trusted network location, such as a network segment used for new-user onboarding. Only mark a location as trusted if access to that network is itself controlled.
  • Deploy Azure AD Identity Protection and trigger two-step verification based on risk events.
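The three guidelines above, carried out as one procedure, as an added example that is not part of the original page and not Microsoft's own sample code: it uses the Microsoft Graph PowerShell SDK to create the exclusion group the help desk adds users to, a trusted named location for the onboarding segment, a baseline policy that requires MFA everywhere except for that group and trusted locations, and a risk-based policy that re-imposes MFA on risky sign-ins. The group and policy names, the CIDR range, the scopes requested and the report-only state are assumptions; the risk-based policy additionally needs an Azure AD Premium P2 license for Identity Protection signals.

```powershell
# Added example, not from the original page. Requires the Microsoft.Graph module
# (Install-Module Microsoft.Graph -Scope CurrentUser) and an account allowed to
# manage Conditional Access. Names, CIDR and scopes below are assumptions.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.ReadWrite.All"

# 1. Group that support staff add a user to when the user has lost access to their
#    second factor. Membership is the exception list, so it is audited at the end.
$exclusionGroup = New-MgGroup -DisplayName "CA-MFA-Exclusion" `
    -MailEnabled:$false -MailNickname "ca-mfa-exclusion" -SecurityEnabled

# 2. Trusted named location for the onboarding network segment (assumed CIDR).
$onboardingLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Onboarding segment"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "10.20.30.0/24" }
    )
}

# 3. Baseline policy: MFA for all users on all cloud apps, except members of the
#    exclusion group and sign-ins from trusted locations. Created in report-only
#    mode so its effect can be checked in the sign-in logs before enforcement.
$mfaPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($exclusionGroup.Id) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# 4. Risk-based policy: a medium or high sign-in risk (Identity Protection signal)
#    requires MFA even from a trusted location. The exclusion group is kept so a
#    user whose second factor is broken is not locked out entirely.
$riskPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Require MFA on risky sign-in"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users            = @{ includeUsers = @("All"); excludeGroups = @($exclusionGroup.Id) }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# 5. Audit: who is currently exempt from MFA. Run this on a schedule so that
#    temporary exceptions are removed once the user's method is restored.
Get-MgGroupMember -GroupId $exclusionGroup.Id -All |
    ForEach-Object { Get-MgUser -UserId $_.Id -Property DisplayName, UserPrincipalName } |
    Select-Object DisplayName, UserPrincipalName
```

Switch each policy's state to "enabled" only after the report-only results in the sign-in logs show the expected users being challenged and nobody else. Keep at least one break-glass account excluded from both policies and monitored separately, so that a misconfigured policy cannot lock administrators out of the tenant.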

Next steps