What is Azure Active Directory Identity Protection?

Azure Active Directory Identity Protection enables organizations to configure automated responses to detected suspicious actions related to user identities.

Get started

Microsoft has secured cloud-based identities for more than a decade. With Azure Active Directory Identity Protection in your environment, you can use the same protection systems Microsoft uses to secure identities.

The vast majority of security breaches take place when attackers gain access to an environment by stealing a user's identity. Over the years, attackers have become increasingly effective at leveraging third-party breaches and using sophisticated phishing attacks. As soon as an attacker gains access to even a low-privileged user account, it is relatively easy for them to reach important company resources through lateral movement.

As a consequence, you need to:

  • Protect all identities regardless of their privilege level

  • Proactively prevent compromised identities from being abused

Discovering compromised identities is no easy task. Azure Active Directory uses adaptive machine learning algorithms and heuristics to detect anomalies and suspicious incidents that indicate potentially compromised identities. Using this data, Identity Protection generates reports and alerts that enable you to evaluate the detected issues and take appropriate mitigation or remediation actions.

Azure Active Directory Identity Protection is more than a monitoring and reporting tool. To protect your organization's identities, you can configure risk-based policies that automatically respond to detected issues when a specified risk level has been reached. These policies, in addition to the other Conditional Access controls provided by Azure Active Directory and Enterprise Mobility + Security (EMS), can either block access automatically or initiate adaptive remediation actions, including password resets and multi-factor authentication enforcement.

Identity Protection capabilities

Detecting vulnerabilities and risky accounts:

  • Providing custom recommendations to improve overall security posture by highlighting vulnerabilities
  • Calculating sign-in risk levels
  • Calculating user risk levels

Investigating risk events:

  • Sending notifications for risk events
  • Investigating risk events using relevant and contextual information
  • Providing basic workflows to track investigations
  • Providing easy access to remediation actions such as password reset

Risk-based Conditional Access policies:

  • Policy to mitigate risky sign-ins by blocking sign-ins or requiring multi-factor authentication challenges
  • Policy to block or secure risky user accounts
  • Policy to require users to register for multi-factor authentication
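The sign-in risk and user risk policies listed above are expressed today as Conditional Access policies. The following script is an added example, not code from the original article or from Microsoft: it creates both policies with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module), in report-only state first so you can check the sign-in logs for impact before enforcing. It assumes the tenant holds Azure AD Premium P2, that the signed-in account may write Conditional Access policies (for example a Security Administrator), and that a break-glass group exists; the group object ID string is a hypothetical placeholder to replace. The MFA registration policy is configured in the Identity Protection portal rather than through the Conditional Access API, so it is not shown here.

```powershell
# Added example (not from the original article): create the two risk-based
# Conditional Access policies the article describes via Microsoft Graph PowerShell.
# Requires the Microsoft.Graph.Identity.SignIns module and an account allowed to
# write Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Hypothetical placeholder: object ID of the group holding emergency-access
# (break-glass) accounts, which must never be locked out by a risk policy.
$breakGlassGroupId = "<break-glass-group-object-id>"

# Policy 1: sign-in risk. Medium or high risk sign-ins must pass an MFA challenge.
# "enabledForReportingButNotEnforced" = report-only; switch to "enabled" after review.
$signInRiskPolicy = @{
    displayName = "IdP - Require MFA for medium or high sign-in risk"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users            = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $signInRiskPolicy

# Policy 2: user risk. High-risk users must prove identity with MFA and then
# change their password. Graph requires "passwordChange" to be combined with
# "mfa" using the AND operator.
$userRiskPolicy = @{
    displayName = "IdP - Require password change for high user risk"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
        userRiskLevels = @("high")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "passwordChange")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $userRiskPolicy

# Confirm both policies exist and are still in report-only state.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -like "IdP - *" } |
    Select-Object DisplayName, State, Id
```

Keep the policies in report-only state until the sign-in logs show that only the expected sign-ins would have been challenged or blocked; a user risk policy that fires on a high-risk account without an exclusion for emergency-access accounts can lock administrators out of the tenant.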

Identity Protection roles

To spread the management activities around your Identity Protection implementation across several people, you can assign several roles. Azure AD Identity Protection supports three directory roles:

Role | Can do | Cannot do
Global administrator | Full access to Identity Protection, onboard Identity Protection | -
Security administrator | Full access to Identity Protection | Onboard Identity Protection, reset passwords for a user
Security reader | Read-only access to Identity Protection | Onboard Identity Protection, remediate users, configure policies, reset passwords

For more details, see Assigning administrator roles in Azure Active Directory.

Detection

Vulnerabilities

Azure Active Directory Identity Protection analyses your configuration and detects vulnerabilities that can have an impact on your users' identities. For more details, see Vulnerabilities detected by Azure Active Directory Identity Protection.

Risk events

Azure Active Directory uses adaptive machine learning algorithms and heuristics to detect suspicious actions that are related to your users' identities. The system creates a record for each detected suspicious action. These records are also known as risk events.
For more details, see Azure Active Directory risk events.

Investigation

Your journey through Identity Protection typically starts with the Identity Protection dashboard.


The dashboard gives you access to:

  • Reports such as Users flagged for risk, Risk events and Vulnerabilities
  • Settings such as the configuration of your Security Policies, Notifications and multi-factor authentication registration

It is typically your starting point for investigation, which is the process of reviewing the activities, logs, and other relevant information related to a risk event to decide whether remediation or mitigation steps are necessary, how the identity was compromised, and how the compromised identity was used.

You can tie your investigation activities to the notifications Azure Active Directory Identity Protection sends by email.

Policies

To implement automated responses, Azure Active Directory Identity Protection provides you with three policies:

License requirements

Using this feature requires an Azure AD Premium P2 license. To find the right license for your requirements, see Comparing generally available features of the Free, Basic, and Premium editions.

Next steps