Enforce multi-factor authentication (MFA) for subscription administrators

When you create your administrators, including your global administrator account, it is essential that you use very strong authentication methods.

You can perform day-to-day administration by assigning specific administrator roles, such as Exchange administrator or Password administrator, to the user accounts of IT staff as needed. Additionally, enabling Azure Multi-Factor Authentication (MFA) for your administrators adds a second layer of security to user sign-ins and transactions. Azure MFA also helps IT reduce the likelihood that a compromised credential can be used to access the organization's data.

For example: you enforce Azure MFA for your users and configure it to use a phone call or text message as the verification method. If a user's credentials are compromised, the attacker will not be able to access any resource, because they do not have access to the user's phone. Organizations that do not add extra layers of identity protection are more susceptible to credential theft attacks, which may lead to data compromise.

One alternative for organizations that want to keep all authentication control on-premises is to use Azure Multi-Factor Authentication Server, also called "MFA on-premises". With this method you can still enforce multi-factor authentication while keeping the MFA server on-premises.

To check who in your organization has administrative privileges, run the following Microsoft Azure AD V2 PowerShell command:

Get-AzureADDirectoryRole | Where { $_.DisplayName -eq "Company Administrator" } | Get-AzureADDirectoryRoleMember | Ft DisplayName
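The command above covers one role. The following script, added here as an example and not part of the original page, generalizes it: it walks every activated directory role whose name matches a pattern, lists the user members, and reports each member's per-user MFA state so that enabled administrators without enforced MFA stand out. It assumes the AzureAD V2 module (after Connect-AzureAD) and the MSOnline module (after Connect-MsolService) are both installed and connected, since per-user MFA state is exposed through MSOnline; the function name Get-AdminMfaReport and the role pattern are the example's own choices.

```powershell
# Added example, not from the original page. Requires Connect-AzureAD and
# Connect-MsolService to have been run first (assumption).
function Get-AdminMfaReport {
    param(
        # Wildcard for the directory roles to audit; matches "Company Administrator"
        # as well as the other *Administrator roles.
        [string] $RolePattern = '*Administrator*'
    )

    # Get-AzureADDirectoryRole returns only roles that have been activated.
    $roles = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -like $RolePattern }

    foreach ($role in $roles) {
        # Keep user members only; groups and service principals have no MFA state.
        $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
            Where-Object { $_.ObjectType -eq 'User' }

        foreach ($member in $members) {
            # An empty StrongAuthenticationRequirements collection means no
            # per-user MFA requirement; otherwise State is 'Enabled' or 'Enforced'.
            $msolUser = Get-MsolUser -UserPrincipalName $member.UserPrincipalName
            $requirement = $msolUser.StrongAuthenticationRequirements | Select-Object -First 1
            $state = if ($requirement) { $requirement.State } else { 'Disabled' }

            [pscustomobject]@{
                Role              = $role.DisplayName
                UserPrincipalName = $member.UserPrincipalName
                AccountEnabled    = $member.AccountEnabled
                PerUserMfa        = $state
            }
        }
    }
}

# Report enabled administrators whose per-user MFA is not enforced.
Get-AdminMfaReport |
    Where-Object { $_.AccountEnabled -and $_.PerUserMfa -ne 'Enforced' } |
    Format-Table Role, UserPrincipalName, PerUserMfa -AutoSize
```

Note that MFA required through Conditional Access policies is not reflected in the per-user state, so an account listed here may still be prompted for MFA by policy.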

Enabling MFA

Review how MFA operates before you proceed.

As long as your users have licenses that include Azure Multi-Factor Authentication, there is nothing you need to do to turn on Azure MFA. You can start requiring two-step verification on an individual user basis. The licenses that enable Azure MFA are:

  • Azure Multi-Factor Authentication
  • Azure Active Directory Premium
  • Enterprise Mobility + Security

Turn on two-step verification for users

Use one of the procedures listed in How to require two-step verification for a user or group to start using Azure MFA. You can choose to enforce two-step verification for all sign-ins, or you can create Conditional Access policies that require two-step verification only where it matters to you.