Quickstart: Block access when a session risk is detected with Azure Active Directory Identity Protection

To keep your environment protected, you might want to block suspicious users from signing in. Azure Active Directory (Azure AD) Identity Protection analyzes each sign-in and calculates the likelihood that a sign-in attempt was not performed by the legitimate owner of a user account. The likelihood (low, medium, high) is expressed as a calculated value called the sign-in risk level. By setting the sign-in risk condition, you can configure a sign-in risk Conditional Access policy that responds to specific sign-in risk levels.

This quickstart shows how to configure a sign-in risk Conditional Access policy that blocks a sign-in when a sign-in risk level of medium or above has been detected.

(Screenshot: Create policy)

If you don't have an Azure subscription, create a free account before you begin.

Prerequisites

To complete the scenario in this quickstart, you need:

  • Access to an Azure AD Premium P2 edition - Azure AD Identity Protection is an Azure AD Premium P2 feature.

  • Identity Protection - The scenario in this quickstart requires Identity Protection to be enabled. If you don't know how to enable Identity Protection, see Enabling Azure Active Directory Identity Protection.

  • Tor Browser - The Tor Browser is designed to help you preserve your privacy online. Identity Protection classifies a sign-in from the Tor Browser as a sign-in from an anonymous IP address, which has a medium risk level. For more information, see Azure Active Directory risk events.

  • A test account called Alain Charon - If you don't know how to create a test account, see Add a new user.

Test your sign-in

The goal of this step is to make sure that your test account can access your tenant using the Tor Browser.

To test your sign-in:

  1. Sign in to your Azure portal as Alain Charon.

  2. Sign out.

Create your Conditional Access policy

The scenario in this quickstart uses a sign-in from the Tor Browser to generate a "Sign-ins from anonymous IP addresses" risk event. The risk level of this risk event is medium. To respond to this risk event, you set the sign-in risk condition to medium.

This section shows how to create the required sign-in risk Conditional Access policy. In your policy, set:

Setting     Value
Users       Alain Charon
Conditions  Sign-in risk, Medium and above
Controls    Block access

(Screenshot: Create policy)

To configure your Conditional Access policy:

  1. Sign in to your Azure portal as a global administrator.

  2. Go to the Azure AD Identity Protection page.

  3. On the Azure AD Identity Protection page, in the Configure section, click Sign-in risk policy.

  4. On the policy page, in the Assignments section, click Users.

  5. On the Users page, click Select users.

  6. On the Select users page, select Alain Charon, and then click Select.

  7. On the Users page, click Done.

  8. On the policy page, in the Assignments section, click Conditions.

  9. On the Conditions page, click Sign-in risk.

  10. On the Sign-in risk page, select Medium and above, and then click Select.

  11. On the Conditions page, click Done.

  12. On the policy page, in the Controls section, click Access.

  13. On the Access page, click Allow access, select Require multi-factor authentication, and then click Select.

  14. On the policy page, click Save.
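The same policy expressed as a request to the Microsoft Graph conditional access API, as an added example that is not part of this quickstart (the page only describes the portal steps). It assumes a bearer token in $Token carrying the Policy.ReadWrite.ConditionalAccess permission and the object id of the test account in $TestUserId; both values are placeholders you must supply. The block grant control matches the Controls row of the table above, and the MFA variant matches step 13, so the two are shown side by side.

```powershell
# Added example (not from the quickstart): create the sign-in risk policy via Microsoft Graph.
# Assumptions: $Token holds a bearer token with Policy.ReadWrite.ConditionalAccess, and
# $TestUserId is the object id of the test user (Alain Charon). Both are placeholders.
$Token      = $env:GRAPH_TOKEN                           # placeholder: obtained out of band
$TestUserId = '00000000-0000-0000-0000-000000000000'     # placeholder object id

# Grant control for the quickstart's stated goal (table: Controls = Block access).
$blockControls = @{ operator = 'OR'; builtInControls = @('block') }
# Variant chosen in step 13 of the walkthrough: allow access but require MFA.
$mfaControls   = @{ operator = 'OR'; builtInControls = @('mfa') }

function New-SignInRiskPolicyBody {
    param(
        [string]$UserId,
        [hashtable]$GrantControls,
        # Report-only lets you confirm in the sign-in logs that the Tor Browser
        # sign-in is evaluated as intended before the policy is enforced.
        [string]$State = 'enabledForReportingButNotEnforced'
    )
    @{
        displayName   = 'Quickstart - block medium and above sign-in risk'
        state         = $State
        conditions    = @{
            users            = @{ includeUsers = @($UserId) }
            applications     = @{ includeApplications = @('All') }
            signInRiskLevels = @('medium', 'high')      # "Medium and above"
        }
        grantControls = $GrantControls
    }
}

# Build the body for the blocking policy (swap in $mfaControls for the step-13 variant).
$body = New-SignInRiskPolicyBody -UserId $TestUserId -GrantControls $blockControls |
        ConvertTo-Json -Depth 6

Invoke-RestMethod -Method Post `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Headers @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' } `
    -Body $body
```

Switch the state to 'enabled' only after the report-only results show the test sign-in being matched; scoping the policy to the single test user, as the quickstart does, keeps a mis-set risk level from locking out the whole tenant.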

Test your Conditional Access policy

To test your policy, try to sign in to your Azure portal as Alain Charon using the Tor Browser. Your sign-in attempt should be blocked by your Conditional Access policy.

(Screenshot: Multi-Factor Authentication)

Clean up resources

When no longer needed, delete the test user and the Tor Browser, and disable the sign-in risk Conditional Access policy: