Enable per-user Azure AD Multi-Factor Authentication to secure sign-in events

To secure user sign-in events in Azure AD, you can require multi-factor authentication (MFA). Enabling Azure AD Multi-Factor Authentication using Conditional Access policies is the recommended approach to protect users. Conditional Access is an Azure AD Premium P1 or P2 feature that lets you apply rules to require MFA as needed in certain scenarios. To get started using Conditional Access, see Tutorial: Secure user sign-in events with Azure AD Multi-Factor Authentication.

For Azure AD free tenants without Conditional Access, you can use security defaults to protect users. Users are prompted for MFA as needed, but you can't define your own rules to control the behavior.

If needed, you can instead enable each account for per-user Azure AD Multi-Factor Authentication. When users are enabled individually, they perform multi-factor authentication each time they sign in (with some exceptions, such as when they sign in from trusted IP addresses or when the remember MFA on trusted devices feature is turned on).

Changing user states isn't recommended unless your Azure AD licenses don't include Conditional Access and you don't want to use security defaults. For more information on the different ways to enable MFA, see Features and licenses for Azure AD Multi-Factor Authentication.

Important

This article details how to view and change the status for per-user Azure AD Multi-Factor Authentication. If you use Conditional Access or security defaults, you don't review or enable user accounts using these steps.

Enabling Azure AD Multi-Factor Authentication through a Conditional Access policy doesn't change the state of the user. Don't be alarmed if users appear disabled. Conditional Access doesn't change the state.

Don't enable or enforce per-user Azure AD Multi-Factor Authentication if you use Conditional Access policies.

Azure AD Multi-Factor Authentication user states

A user's state reflects whether an admin has enrolled them in per-user Azure AD Multi-Factor Authentication. User accounts in Azure AD Multi-Factor Authentication have the following three distinct states. For each state, the entries below list whether legacy authentication, browser apps, and modern authentication are affected:

State: Disabled
Description: The default state for a user not enrolled in per-user Azure AD Multi-Factor Authentication.
Legacy authentication affected: No
Browser apps affected: No
Modern authentication affected: No

State: Enabled
Description: The user is enrolled in per-user Azure AD Multi-Factor Authentication, but can still use their password for legacy authentication. If the user hasn't yet registered MFA authentication methods, they receive a prompt to register the next time they sign in using modern authentication (such as via a web browser).
Legacy authentication affected: No. Legacy authentication continues to work until the registration process is completed.
Browser apps affected: Yes. After the session expires, Azure AD Multi-Factor Authentication registration is required.
Modern authentication affected: Yes. After the access token expires, Azure AD Multi-Factor Authentication registration is required.

State: Enforced
Description: The user is enrolled per-user in Azure AD Multi-Factor Authentication. If the user hasn't yet registered authentication methods, they receive a prompt to register the next time they sign in using modern authentication (such as via a web browser). Users who complete registration while in the Enabled state are automatically moved to the Enforced state.
Legacy authentication affected: Yes. Apps require app passwords.
Browser apps affected: Yes. Azure AD Multi-Factor Authentication is required at sign-in.
Modern authentication affected: Yes. Azure AD Multi-Factor Authentication is required at sign-in.

All users start out Disabled. When you enroll users in per-user Azure AD Multi-Factor Authentication, their state changes to Enabled. When enabled users sign in and complete the registration process, their state changes to Enforced. Administrators may move users between states, including from Enforced to Enabled or Disabled.

Note

If per-user MFA is re-enabled on a user and the user doesn't re-register, their MFA state doesn't transition from Enabled to Enforced in the MFA management UI. The administrator must move the user directly to Enforced.

View the status for a user

To view and manage user states, complete the following steps to access the Azure portal page:

  1. Sign in to the Azure portal as an administrator.
  2. Search for and select Azure Active Directory, then select Users > All users.
  3. Select Multi-Factor Authentication. You may need to scroll to the right to see this menu option. [Screenshot: Select Multi-Factor Authentication from the Users window in Azure AD.]
  4. A new page opens that displays the user state, as shown in the following example. [Screenshot: Example user state information for Azure AD Multi-Factor Authentication.]

Change the status for a user

To change the per-user Azure AD Multi-Factor Authentication state for a user, complete the following steps:

  1. Use the previous steps to view the status for a user to get to the Azure AD Multi-Factor Authentication users page.

  2. Find the user you want to enable for per-user Azure AD Multi-Factor Authentication. You might need to change the view at the top to users. [Screenshot: Select the user to change status for from the users tab.]

  3. Check the box next to the name(s) of the user(s) to change the state for.

  4. On the right-hand side, under quick steps, choose Enable or Disable. In the following example, the user John Smith has a check next to their name and is being enabled: [Screenshot: Enable the selected user by clicking Enable on the quick steps menu.]

    Tip

    Enabled users are automatically switched to Enforced when they register for Azure AD Multi-Factor Authentication. Don't manually change the user state to Enforced unless the user is already registered, or unless it is acceptable for the user to experience interruption in connections to legacy authentication protocols.

  5. Confirm your selection in the pop-up window that opens.

After you enable users, notify them via email. Tell the users that a prompt is displayed to ask them to register the next time they sign in. Also, if your organization uses non-browser apps that don't support modern authentication, they need to create app passwords. For more information, see the Azure AD Multi-Factor Authentication end-user guide to help them get started.

Change state using PowerShell

To change the user state by using Azure AD PowerShell, you set the State property of a StrongAuthenticationRequirement object ($st.State) and assign it to the user account. There are three possible states for a user account:

  • Enabled
  • Enforced
  • Disabled

In general, don't move users directly to the Enforced state unless they are already registered for MFA. If you do so, legacy authentication apps stop working because the user hasn't gone through Azure AD Multi-Factor Authentication registration and obtained an app password. In some cases this behavior may be desired, but it impacts the user experience until the user registers.

To get started, install the MSOnline module using Install-Module as follows:

Install-Module MSOnline

Next, connect using Connect-MsolService:

Connect-MsolService

The following example PowerShell script enables MFA for an individual user named bsimon@contoso.com:

$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enabled"
$sta = @($st)

# Change the following UserPrincipalName to the user you wish to change state
Set-MsolUser -UserPrincipalName bsimon@contoso.com -StrongAuthenticationRequirements $sta

Using PowerShell is a good option when you need to bulk enable users. The following script loops through a list of users and enables MFA on their accounts. Define the set of user accounts in the first line, as the value of $users, as follows:

# Define your list of users to update state in bulk
$users = "bsimon@contoso.com","jsmith@contoso.com","ljacobson@contoso.com"

foreach ($user in $users)
{
    $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $st.RelyingParty = "*"
    $st.State = "Enabled"
    $sta = @($st)
    Set-MsolUser -UserPrincipalName $user -StrongAuthenticationRequirements $sta
}

To disable MFA, the following example gets a user with Get-MsolUser, then removes any StrongAuthenticationRequirements set for the defined user using Set-MsolUser:

Get-MsolUser -UserPrincipalName bsimon@contoso.com | Set-MsolUser -StrongAuthenticationRequirements @()

You could also directly disable MFA for a user using Set-MsolUser as follows:

Set-MsolUser -UserPrincipalName bsimon@contoso.com -StrongAuthenticationRequirements @()
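The caveat above (don't move users to Enforced until they have registered) can be checked before a bulk change. The following script is an added example, not part of the original article: it reports each user's per-user MFA state next to the number of MFA methods they have registered, lists Enabled users who have not registered yet, and, only when the hypothetical $ReportOnly switch defined here is turned off, moves the registered Enabled users to Enforced. It assumes the MSOnline module and an existing Connect-MsolService session.

```powershell
# Added example (not from the original article). Assumes Connect-MsolService
# has already been run. $ReportOnly is a switch defined by this script, not an
# MSOnline parameter; it defaults to on so the script only reports.
param([switch]$ReportOnly = $true)

# Build one row per user: current per-user MFA state plus registration status.
# StrongAuthenticationRequirements is empty for Disabled users, so treat "no
# requirement" as Disabled. StrongAuthenticationMethods lists registered methods.
$report = Get-MsolUser -All | ForEach-Object {
    $req = $_.StrongAuthenticationRequirements | Select-Object -First 1
    $methods = @($_.StrongAuthenticationMethods)
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        MfaState          = if ($req) { $req.State } else { "Disabled" }
        MethodsRegistered = $methods.Count
        DefaultMethod     = ($methods | Where-Object IsDefault |
                             Select-Object -ExpandProperty MethodType)
    }
}

# Enabled users with no registered methods: moving these to Enforced would
# break their legacy-authentication clients until they register.
"Enabled users who have not registered MFA methods yet:"
$report | Where-Object { $_.MfaState -eq "Enabled" -and $_.MethodsRegistered -eq 0 } |
    Format-Table UserPrincipalName, MfaState, MethodsRegistered

if (-not $ReportOnly) {
    # Only users who are Enabled AND already registered are safe to enforce.
    $ready = $report | Where-Object { $_.MfaState -eq "Enabled" -and $_.MethodsRegistered -gt 0 }
    foreach ($u in $ready) {
        $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $st.RelyingParty = "*"
        $st.State = "Enforced"
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongAuthenticationRequirements @($st)
        "Moved $($u.UserPrincipalName) to Enforced (default method: $($u.DefaultMethod))"
    }
}
```

Run it once with the default to review the report, then with -ReportOnly:$false to apply the change only to users who have completed registration.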

Convert users from per-user MFA to Conditional Access

The following PowerShell can assist you in making the conversion to Conditional Access based Azure AD Multi-Factor Authentication.

# Sets the MFA requirement state
function Set-MfaState {

    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipelineByPropertyName=$True)]
        $ObjectId,
        [Parameter(ValueFromPipelineByPropertyName=$True)]
        $UserPrincipalName,
        [ValidateSet("Disabled","Enabled","Enforced")]
        $State
    )

    Process {
        Write-Verbose ("Setting MFA state for user '{0}' to '{1}'." -f $ObjectId, $State)
        $Requirements = @()
        if ($State -ne "Disabled") {
            $Requirement =
                [Microsoft.Online.Administration.StrongAuthenticationRequirement]::new()
            $Requirement.RelyingParty = "*"
            $Requirement.State = $State
            $Requirements += $Requirement
        }

        Set-MsolUser -ObjectId $ObjectId -UserPrincipalName $UserPrincipalName `
                     -StrongAuthenticationRequirements $Requirements
    }
}

# Disable MFA for all users
Get-MsolUser -All | Set-MfaState -State Disabled

Note

If MFA is re-enabled on a user and the user doesn't re-register, their MFA state doesn't transition from Enabled to Enforced in the MFA management UI. In this case, the administrator must move the user directly to Enforced.

Next steps

To configure Azure AD Multi-Factor Authentication settings, see Configure Azure AD Multi-Factor Authentication settings.

To manage user settings for Azure AD Multi-Factor Authentication, see Manage user settings with Azure AD Multi-Factor Authentication.

To understand why a user was prompted or not prompted to perform MFA, see Azure AD Multi-Factor Authentication reports.