Azure identity management and access control security best practices

In this article, we discuss a collection of Azure identity management and access control security best practices. These best practices are derived from our experience with Azure AD and the experiences of customers like yourself.

For each best practice, we explain:

  • What the best practice is
  • Why you want to enable that best practice
  • What might be the result if you fail to enable the best practice
  • Possible alternatives to the best practice
  • How you can learn to enable the best practice

This Azure identity management and access control security best practices article is based on a consensus opinion and on Azure platform capabilities and feature sets as they exist at the time this article was written. Opinions and technologies change over time, and this article will be updated on a regular basis to reflect those changes.

Azure identity management and access control security best practices discussed in this article include:

  • Treat identity as the primary security perimeter
  • Centralize identity management
  • Manage connected tenants
  • Enable single sign-on
  • Turn on Conditional Access
  • Enable password management
  • Enforce multi-factor verification for users
  • Use role-based access control
  • Lower exposure of privileged accounts
  • Control locations where resources are located
  • Use Azure AD for storage authentication
Treat identity as the primary security perimeter

Many consider identity to be the primary perimeter for security. This is a shift from the traditional focus on network security. Network perimeters keep getting more porous, and perimeter defense can't be as effective as it was before the explosion of BYOD devices and cloud applications.

Azure Active Directory (Azure AD) is the Azure solution for identity and access management. Azure AD is a multitenant, cloud-based directory and identity management service from Microsoft. It combines core directory services, application access management, and identity protection into a single solution.

The following sections list best practices for identity and access security using Azure AD.

Centralize identity management

In a hybrid identity scenario, we recommend that you integrate your on-premises and cloud directories. Integration enables your IT team to manage accounts from one location, regardless of where an account is created. Integration also helps your users be more productive by providing a common identity for accessing both cloud and on-premises resources.

Best practice: Establish a single Azure AD instance. Consistency and a single authoritative source will increase clarity and reduce security risks from human errors and configuration complexity.
Detail: Designate a single Azure AD directory as the authoritative source for corporate and organizational accounts.

Best practice: Integrate your on-premises directories with Azure AD.
Detail: Use Azure AD Connect to synchronize your on-premises directory with your cloud directory.

There are factors that affect the performance of Azure AD Connect. Ensure Azure AD Connect has enough capacity to keep underperforming systems from impeding security and productivity. Large or complex organizations (organizations provisioning more than 100,000 objects) should follow the recommendations to optimize their Azure AD Connect implementation.

Best practice: Don't synchronize accounts to Azure AD that have high privileges in your existing Active Directory instance.
Detail: Don't change the default Azure AD Connect configuration that filters out these accounts. This configuration mitigates the risk of adversaries pivoting from cloud to on-premises assets (which could create a major incident).

Best practice: Turn on password hash synchronization.
Detail: Password hash synchronization is a feature used to sync user password hashes from an on-premises Active Directory instance to a cloud-based Azure AD instance. This sync helps to protect against leaked credentials being replayed from previous attacks.

Even if you decide to use federation with Active Directory Federation Services (AD FS) or other identity providers, you can optionally set up password hash synchronization as a backup in case your on-premises servers fail or become temporarily unavailable. This sync enables users to sign in to the service by using the same password that they use to sign in to their on-premises Active Directory instance. It also allows Identity Protection to detect compromised credentials by comparing synchronized password hashes with passwords known to be compromised, if a user has used the same email address and password on other services that aren't connected to Azure AD.

For more information, see Implement password hash synchronization with Azure AD Connect sync.

Best practice: For new application development, use Azure AD for authentication.
Detail: Use the correct capabilities to support authentication:

  • Azure AD for employees
  • Azure AD B2B for guest users and external partners
  • Azure AD B2C to control how customers sign up, sign in, and manage their profiles when they use your applications

Organizations that don't integrate their on-premises identity with their cloud identity can have more overhead in managing accounts. This overhead increases the likelihood of mistakes and security breaches.

You need to choose which directories critical accounts will reside in and whether the admin workstation used is managed by new cloud services or existing processes. Using existing management and identity provisioning processes can decrease some risks but can also create the risk of an attacker compromising an on-premises account and pivoting to the cloud. You might want to use a different strategy for different roles (for example, IT admins vs. business unit admins). You have two options. The first option is to create Azure AD accounts that aren't synchronized with your on-premises Active Directory instance. Join your admin workstation to Azure AD, which you can manage and patch by using Microsoft Intune. The second option is to use existing admin accounts by synchronizing to your on-premises Active Directory instance. Use existing workstations in your Active Directory domain for management and security.

Manage connected tenants

Your security organization needs visibility to assess risk and to determine whether the policies of your organization, and any regulatory requirements, are being followed. You should ensure that your security organization has visibility into all subscriptions connected to your production environment and network (via Azure ExpressRoute or site-to-site VPN). A Global Administrator/Company Administrator in Azure AD can elevate their access to the User Access Administrator role and see all subscriptions and management groups connected to your environment.

See Elevate access to manage all Azure subscriptions and management groups to ensure that you and your security group can view all subscriptions or management groups connected to your environment. You should remove this elevated access after you've assessed risks.

Enable single sign-on

In a mobile-first, cloud-first world, you want to enable single sign-on (SSO) to devices, apps, and services from anywhere so your users can be productive wherever and whenever. When you have multiple identity solutions to manage, this becomes an administrative problem not only for IT but also for users who have to remember multiple passwords.

By using the same identity solution for all your apps and resources, you can achieve SSO. Your users can then use the same set of credentials to sign in and access the resources that they need, whether the resources are located on-premises or in the cloud.

Best practice: Enable SSO.
Detail: Azure AD extends on-premises Active Directory to the cloud. Users can use their primary work or school account for their domain-joined devices, company resources, and all of the web and SaaS applications that they need to get their jobs done. Users don't have to remember multiple sets of usernames and passwords, and their application access can be automatically provisioned (or deprovisioned) based on their organization group memberships and their status as an employee. You can control that access for gallery apps or for your own on-premises apps that you've developed and published through the Azure AD Application Proxy.

Use SSO to enable users to access their SaaS applications based on their work or school account in Azure AD. This is applicable not only for Microsoft SaaS apps, but also for other apps, such as Google Apps and Salesforce. You can configure your application to use Azure AD as a SAML-based identity provider. As a security control, Azure AD does not issue a token that allows users to sign in to the application unless they have been granted access through Azure AD. You can grant access directly, or through a group that users are a member of.

Organizations that don't create a common identity to establish SSO for their users and applications are more exposed to scenarios where users have multiple passwords. These scenarios increase the likelihood of users reusing passwords or using weak passwords.

Turn on Conditional Access

Users can access your organization's resources by using a variety of devices and apps from anywhere. As an IT admin, you want to make sure that these devices meet your standards for security and compliance. Just focusing on who can access a resource is not sufficient anymore.

To balance security and productivity, you need to think about how a resource is accessed before you can make a decision about access control. With Azure AD Conditional Access, you can address this requirement. With Conditional Access, you can make automated access control decisions based on conditions for accessing your cloud apps.

Best practice: Manage and control access to corporate resources.
Detail: Configure Azure AD Conditional Access based on a group, location, and application sensitivity for SaaS apps and Azure AD-connected apps.

Best practice: Block legacy authentication protocols.
Detail: Attackers exploit weaknesses in older protocols every day, particularly for password spray attacks. Configure Conditional Access to block legacy protocols. See the video Azure AD: Do's and Don'ts for more information.
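As an added example (not code from the original article), the following Microsoft Graph PowerShell script creates the legacy-authentication block policy described above in report-only mode, excludes a placeholder emergency access account, and then summarizes from the sign-in log which clients the policy would have blocked. It assumes the Microsoft.Graph module is installed and the policy display name and excluded object ID are values you substitute for your tenant.

```powershell
# Added example: block legacy authentication with Azure AD Conditional Access, starting in
# report-only mode so the sign-in logs reveal the impact before anything is enforced.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the caller can consent to
# the scopes below. Placeholder values are marked with angle brackets.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All", "Directory.Read.All"

$policy = @{
    displayName = "Block legacy authentication (report-only)"   # assumed name
    # Report-only: the policy is evaluated and logged but does not block sign-ins.
    # Change to "enabled" once the report below shows no unexpected legacy clients.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            # Keep the break glass accounts out of every blocking policy so a mistake
            # cannot lock administrators out; placeholder object ID.
            excludeUsers = @("<emergency-access-account-object-id>")
        }
        applications = @{ includeApplications = @("All") }
        # Legacy protocols (IMAP, POP, SMTP AUTH, older Office clients) are reported as
        # "exchangeActiveSync" and "other". Modern clients ("browser",
        # "mobileAppsAndDesktopClients") are not matched and stay unaffected.
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# Review the last seven days of sign-ins: a report-only result of "reportOnlyFailure"
# for this policy means the sign-in would have been blocked once it is enforced.
$since   = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

$wouldBlock = foreach ($s in $signIns) {
    $hit = $s.AppliedConditionalAccessPolicies |
        Where-Object { $_.Id -eq $created.Id -and $_.Result -eq "reportOnlyFailure" }
    if ($hit) {
        [pscustomobject]@{
            User   = $s.UserPrincipalName
            App    = $s.AppDisplayName
            Client = $s.ClientAppUsed    # e.g. "Exchange ActiveSync", "IMAP4", "Other clients"
        }
    }
}

# Which legacy clients are still in use, and by whom, before the block is turned on.
$wouldBlock | Group-Object Client | Sort-Object Count -Descending | Format-Table Count, Name
$wouldBlock | Sort-Object User | Format-Table User, App, Client -AutoSize
```

Run the report for at least a full business cycle before switching the policy state to enabled, since batch jobs and shared mailboxes that still use legacy protocols may only sign in occasionally.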

Enable password management

If you have multiple tenants or you want to enable users to reset their own passwords, it's important that you use appropriate security policies to prevent abuse.

Best practice: Set up self-service password reset (SSPR) for your users.
Detail: Use the Azure AD self-service password reset feature.

Best practice: Monitor how, or whether, SSPR is really being used.
Detail: Monitor the users who are registering by using the Azure AD Password Reset Registration Activity report. The reporting feature that Azure AD provides helps you answer questions by using prebuilt reports. If you're appropriately licensed, you can also create custom queries.

Best practice: Extend cloud-based password policies to your on-premises infrastructure.
Detail: Enhance password policies in your organization by performing the same checks for on-premises password changes as you do for cloud-based password changes. Install Azure AD password protection for Windows Server Active Directory agents on-premises to extend banned password lists to your existing infrastructure. Users and admins who change, set, or reset passwords on-premises are then required to comply with the same password policy as cloud-only users.

Enforce multi-factor verification for users

We recommend that you require two-step verification for all of your users. This includes administrators and others in your organization who can have a significant impact if their account is compromised (for example, financial officers).

There are multiple options for requiring two-step verification. The best option for you depends on your goals, the Azure AD edition you're running, and your licensing program. See How to require two-step verification for a user to determine the best option for you. See the Azure AD and Azure Multi-Factor Authentication pricing pages for more information about licenses and pricing.

Following are options and benefits for enabling two-step verification:

Option 1: Enable Multi-Factor Authentication by changing user state.
Benefit: This is the traditional method for requiring two-step verification. It works with both Azure Multi-Factor Authentication in the cloud and Azure Multi-Factor Authentication Server. Using this method requires users to perform two-step verification every time they sign in and overrides Conditional Access policies.

To determine where Multi-Factor Authentication needs to be enabled, see Which version of Azure MFA is right for my organization?.

Option 2: Enable Multi-Factor Authentication with a Conditional Access policy.
Benefit: This option allows you to prompt for two-step verification under specific conditions by using Conditional Access. Specific conditions can be user sign-in from different locations, untrusted devices, or applications that you consider risky. Defining specific conditions where you require two-step verification enables you to avoid constant prompting for your users, which can be an unpleasant user experience.

This is the most flexible way to enable two-step verification for your users. Enabling a Conditional Access policy works only for Azure Multi-Factor Authentication in the cloud and is a premium feature of Azure AD. You can find more information on this method in Deploy cloud-based Azure Multi-Factor Authentication.

Option 3: Enable Multi-Factor Authentication with Conditional Access policies by evaluating user and sign-in risk from Azure AD Identity Protection.
Benefit: This option enables you to:

  • Detect potential vulnerabilities that affect your organization's identities.
  • Configure automated responses to detected suspicious actions that are related to your organization's identities.
  • Investigate suspicious incidents and take appropriate action to resolve them.

This method uses the Azure AD Identity Protection risk evaluation to determine if two-step verification is required based on user and sign-in risk for all cloud applications. This method requires Azure Active Directory P2 licensing. You can find more information on this method in Azure Active Directory Identity Protection.

Option 1, enabling Multi-Factor Authentication by changing the user state, overrides Conditional Access policies. Because options 2 and 3 use Conditional Access policies, you cannot use option 1 with them.

Organizations that don't add extra layers of identity protection, such as two-step verification, are more susceptible to credential theft attacks. A credential theft attack can lead to data compromise.

Use role-based access control

Access management for cloud resources is critical for any organization that uses the cloud. Role-based access control (RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.

Designating groups or individual roles responsible for specific functions in Azure helps avoid confusion that can lead to human and automation errors that create security risks. Restricting access based on the need-to-know and least-privilege security principles is imperative for organizations that want to enforce security policies for data access.

Your security team needs visibility into your Azure resources in order to assess and remediate risk. If the security team has operational responsibilities, they need additional permissions to do their jobs.

You can use RBAC to assign permissions to users, groups, and applications at a certain scope. The scope of a role assignment can be a subscription, a resource group, or a single resource.

Best practice: Segregate duties within your team and grant only the amount of access to users that they need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or resources, allow only certain actions at a particular scope.
Detail: Use built-in RBAC roles in Azure to assign privileges to users.

Specific permissions create unneeded complexity and confusion, accumulating into a "legacy" configuration that's difficult to fix without fear of breaking something. Avoid resource-specific permissions. Instead, use management groups for enterprise-wide permissions and resource groups for permissions within subscriptions. Avoid user-specific permissions. Instead, assign access to groups in Azure AD.

Best practice: Grant security teams with Azure responsibilities access to see Azure resources so they can assess and remediate risk.
Detail: Grant security teams the RBAC Security Reader role. You can use the root management group or the segment management group, depending on the scope of responsibilities:

  • Root management group for teams responsible for all enterprise resources
  • Segment management group for teams with limited scope (commonly because of regulatory or other organizational boundaries)

Best practice: Grant the appropriate permissions to security teams that have direct operational responsibilities.
Detail: Review the RBAC built-in roles for the appropriate role assignment. If the built-in roles don't meet the specific needs of your organization, you can create custom roles for Azure resources. As with built-in roles, you can assign custom roles to users, groups, and service principals at subscription, resource group, and resource scopes.

Best practice: Grant Azure Security Center access to security roles that need it. Security Center allows security teams to quickly identify and remediate risks.
Detail: Add security teams with these needs to the RBAC Security Admin role so they can view security policies, view security states, edit security policies, view alerts and recommendations, and dismiss alerts and recommendations. You can do this by using the root management group or the segment management group, depending on the scope of responsibilities.

Organizations that don't enforce data access control by using capabilities like RBAC might be giving more privileges than necessary to their users. This can lead to data compromise by allowing users to access types of data (for example, high business impact) that they shouldn't have.
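As an added example (not code from the original article), this Az PowerShell script audits the role assignments in the current subscription for the patterns the section above says to avoid (user-specific assignments, resource-specific scopes, unrestricted Owner at subscription scope) and then grants a security team's Azure AD group the Security Reader role at a segment management group. It assumes the Az module is installed; the group object ID and management group name are placeholders.

```powershell
# Added example: audit Azure RBAC assignments against the practices above and grant
# Security Reader to a security team at management group scope. Assumes the Az module
# is installed and the caller can read role assignments. Placeholders use angle brackets.

Connect-AzAccount | Out-Null

$subscriptionId = (Get-AzContext).Subscription.Id
# Includes assignments inherited from management groups, whose Scope starts with /providers/.
$assignments = Get-AzRoleAssignment -Scope "/subscriptions/$subscriptionId"

# Classify a role assignment scope as management group, subscription, resource group, or resource.
function Get-ScopeKind([string]$scope) {
    if ($scope -like '/providers/Microsoft.Management/managementGroups/*') { return 'managementGroup' }
    $parts = $scope.Trim('/') -split '/'
    if ($parts.Count -le 2) { return 'subscription' }    # /subscriptions/{id}
    if ($parts.Count -le 4) { return 'resourceGroup' }   # /subscriptions/{id}/resourceGroups/{rg}
    return 'resource'                                    # anything deeper is a single resource
}

$findings = foreach ($a in $assignments) {
    $kind   = Get-ScopeKind $a.Scope
    $issues = @()
    # Practice: assign access to Azure AD groups, not to individual users.
    if ($a.ObjectType -eq 'User') { $issues += 'user-specific assignment' }
    # Practice: avoid resource-specific permissions; prefer resource group or management group scope.
    if ($kind -eq 'resource')     { $issues += 'resource-specific scope' }
    # Practice: do not hand out unrestricted permissions over the whole subscription.
    if ($a.RoleDefinitionName -eq 'Owner' -and $kind -eq 'subscription') { $issues += 'Owner at subscription scope' }

    if ($issues) {
        $principal = if ($a.SignInName) { $a.SignInName } else { $a.DisplayName }
        [pscustomobject]@{
            Principal = $principal
            Type      = $a.ObjectType
            Role      = $a.RoleDefinitionName
            ScopeKind = $kind
            Scope     = $a.Scope
            Issues    = ($issues -join '; ')
        }
    }
}

Write-Output "$(@($findings).Count) of $(@($assignments).Count) assignments need review"
$findings | Sort-Object ScopeKind, Role | Format-Table Principal, Type, Role, ScopeKind, Issues -AutoSize

# Give the security team read visibility over its segment (use the root management group
# for teams responsible for all enterprise resources), assigned to a group rather than to people.
$securityTeamGroupId = '<security-team-group-object-id>'   # placeholder
$managementGroup     = '<segment-management-group-name>'   # placeholder
New-AzRoleAssignment -ObjectId $securityTeamGroupId `
    -RoleDefinitionName 'Security Reader' `
    -Scope "/providers/Microsoft.Management/managementGroups/$managementGroup"
```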

降低特殊權限帳戶的暴露風險Lower exposure of privileged accounts

保護特殊權限存取是保護企業資產很重要的第一個步驟。Securing privileged access is a critical first step to protecting business assets. 將能夠存取安全資訊或資源的人數降到最低,可以降低惡意使用者取得該存取權,或者授權使用者無意中影響到敏感資源的機率。Minimizing the number of people who have access to secure information or resources reduces the chance of a malicious user getting access, or an authorized user inadvertently affecting a sensitive resource.

特殊權限帳戶是可管理 IT 系統的帳戶。Privileged accounts are accounts that administer and manage IT systems. 網路攻擊者會以這些帳戶為目標,來取得組織資料和系統的存取權。Cyber attackers target these accounts to gain access to an organization’s data and systems. 為了保護特殊權限存取,您應該讓帳戶和系統遠離遭遇惡意使用者的風險。To secure privileged access, you should isolate the accounts and systems from the risk of being exposed to a malicious user.

我們建議您擬定並遵循適當計劃以保護特殊權限存取,使網路攻擊者無法取得。We recommend that you develop and follow a roadmap to secure privileged access against cyber attackers. 如需有關如何擬定詳細的藍圖,以保護 Azure AD、Microsoft Azure、Office 365 和其他雲端服務所管理或報告的身分識別和存取權,請檢閱在 Azure AD 中保護混合式部署和雲端部署的特殊權限存取For information about creating a detailed roadmap to secure identities and access that are managed or reported in Azure AD, Microsoft Azure, Office 365, and other cloud services, review Securing privileged access for hybrid and cloud deployments in Azure AD.

以下摘要說明在 Azure AD 中保護混合式部署和雲端部署的特殊權限存取中找到的最佳做法:The following summarizes the best practices found in Securing privileged access for hybrid and cloud deployments in Azure AD:

最佳做法:管理、控制及監視特殊權限帳戶的存取權。Best practice: Manage, control, and monitor access to privileged accounts.
詳細資料:開啟 Azure AD Privileged Identity ManagementDetail: Turn on Azure AD Privileged Identity Management. 開啟 Privileged Identity Management 之後,您會收到有關於特殊權限存取角色有所變更的通知電子郵件訊息。After you turn on Privileged Identity Management, you’ll receive notification email messages for privileged access role changes. 您目錄中的高特殊權限角色新增了其他使用者時,這些通知將會提供早期警告。These notifications provide early warning when additional users are added to highly privileged roles in your directory.

最佳做法:請確定所有重要的系統管理員帳戶所管理的 Azure AD 帳戶。Best practice: Ensure all critical admin accounts are managed Azure AD accounts. 詳細資料:重要的系統管理員角色 (例如,、 和 等的 Microsoft 帳戶) 中移除任何取用者的帳戶。Detail: Remove any consumer accounts from critical admin roles (for example, Microsoft accounts like,, and

最佳做法:請確定所有重要的系統管理員角色有不同的帳戶系統管理工作,才能避免網路釣魚和其他攻擊方式來侵害系統管理權限。Best practice: Ensure all critical admin roles have a separate account for administrative tasks in order to avoid phishing and other attacks to compromise administrative privileges. 詳細資料:建立個別的系統管理員帳戶已指派執行的系統管理工作所需的權限。Detail: Create a separate admin account that’s assigned the privileges needed to perform the administrative tasks. 封鎖這些系統管理帳戶用於每日的產能工具,例如 Microsoft Office 365 電子郵件或任意的網頁瀏覽。Block the use of these administrative accounts for daily productivity tools like Microsoft Office 365 email or arbitrary web browsing.

最佳做法:識別及分類具備高特殊權限角色的帳戶。Best practice: Identify and categorize accounts that are in highly privileged roles.
詳細資料:在開啟 Azure AD Privileged Identity Management 之後,檢視具備全域管理員、特殊權限角色管理員和其他較高特殊權限角色的使用者。Detail: After turning on Azure AD Privileged Identity Management, view the users who are in the global administrator, privileged role administrator, and other highly privileged roles. 請移除這些角色中不再需要的任何帳戶,並將指派給管理員角色的其餘帳戶分類:Remove any accounts that are no longer needed in those roles, and categorize the remaining accounts that are assigned to admin roles:

  • 個別指派給系統管理使用者,並且可用於非系統管理用途 (例如個人電子郵件)Individually assigned to administrative users, and can be used for non-administrative purposes (for example, personal email)
  • 個別指派給系統管理使用者,且指定為僅供系統管理之用Individually assigned to administrative users and designated for administrative purposes only
  • 在多個使用者之間共用Shared across multiple users
  • 用於緊急存取案例For emergency access scenarios
  • 用於自動化指令碼For automated scripts
  • 用於外部使用者For external users

最佳做法:實作 Just-In-Time (JIT) 存取,以進一步降低權限的暴露時間,並提升使用特殊權限帳戶對您的能見度。Best practice: Implement “just in time” (JIT) access to further lower the exposure time of privileges and increase your visibility into the use of privileged accounts.
詳細資料:Azure AD Privileged Identity Management 可讓您:Detail: Azure AD Privileged Identity Management lets you:

  • 限制使用者只能 JIT 取用其權限。Limit users to only taking on their privileges JIT.
  • 指派縮短持續時間的角色,而且有信心會自動撤銷權限。Assign roles for a shortened duration with confidence that the privileges are revoked automatically.

最佳做法:定義至少兩個緊急存取帳戶。Best practice: Define at least two emergency access accounts.
詳細資料:緊急存取帳戶可協助組織限制現有 Azure Active Directory 環境內的特殊權限存取。Detail: Emergency access accounts help organizations restrict privileged access in an existing Azure Active Directory environment. 這些帳戶具有高特殊權限,不會指派給特定個人。These accounts are highly privileged and are not assigned to specific individuals. 緊急存取帳戶僅限用於無法使用一般系統管理帳戶的情況。Emergency access accounts are limited to scenarios where normal administrative accounts can’t be used. 組織必須將緊急帳戶的使用量限制於僅只必要的時間量。Organizations must limit the emergency account's usage to only the necessary amount of time.

請評估已指派或適用於全域管理員角色的帳戶。Evaluate the accounts that are assigned or eligible for the global admin role. 如果使用 * 網域 (供緊急存取使用),並未看到任何僅限雲端的帳戶,請加以建立。If you don’t see any cloud-only accounts by using the * domain (intended for emergency access), create them. 如需詳細資訊,請參閱在 Azure AD 中管理緊急存取系統管理帳戶For more information, see Managing emergency access administrative accounts in Azure AD.

最佳做法:備妥,萬一發生緊急狀況中的 「 急用 」 的程序。Best practice: Have a “break glass" process in place in case of an emergency. 詳細資料:請依照下列中的步驟保護特殊權限存取 Azure AD 中的 混合式部署和雲端部署Detail: Follow the steps in Securing privileged access for hybrid and cloud deployments in Azure AD.

最佳做法:需要為無密碼的所有重要的系統管理員帳戶 (慣用) 或要求多重要素驗證。Best practice: Require all critical admin accounts to be password-less (preferred), or require Multi-Factor Authentication. 詳細資料:使用Microsoft Authenticator 應用程式無須使用密碼登入任何 Azure AD 帳戶。Detail: Use the Microsoft Authenticator app to sign in to any Azure AD account without using a password. 像是Windows hello 企業版,Microsoft 驗證器會使用金鑰型驗證,以便繫結至裝置,並使用生物識別驗證或 PIN 的使用者認證。Like Windows Hello for Business, the Microsoft Authenticator uses key-based authentication to enable a user credential that’s tied to a device and uses biometric authentication or a PIN.

在 所有個別使用者永久指派給一或多個 Azure AD 管理員角色的登入需要 Azure Multi-factor Authentication:全域管理員、 特殊權限角色管理員、 Exchange Online 系統管理員和 SharePoint Online 系統管理員。Require Azure Multi-Factor Authentication at sign-in for all individual users who are permanently assigned to one or more of the Azure AD admin roles: Global Administrator, Privileged Role Administrator, Exchange Online Administrator, and SharePoint Online Administrator. 啟用為您的系統管理員帳戶的 Multi-factor Authentication ,並確保系統管理員帳戶的使用者已註冊。Enable Multi-Factor Authentication for your admin accounts and ensure that admin account users have registered.

最佳做法:為重要的系統管理員帳戶,具有系統管理工作站,實際執行工作不允許 (適用於範例中,瀏覽和電子郵件) 的位置。Best practice: For critical admin accounts, have an admin workstation where production tasks aren’t allowed (for example, browsing and email). 這會保護您的系統管理員帳戶從攻擊媒介,使用 瀏覽和電子郵件,並大幅降低您的主要事件的風險。This will protect your admin accounts from attack vectors that use browsing and email and significantly lower your risk of a major incident. 詳細資料:使用系統管理工作站。Detail: Use an admin workstation. 選擇工作站的安全性層的級:Choose a level of workstation security:

  • Highly secure productivity devices provide advanced security for browsing and other productivity tasks.
  • Privileged Access Workstations (PAWs) provide a dedicated operating system that is protected from internet attacks and threat vectors for sensitive tasks.

Best practice: Deprovision admin accounts when employees leave your organization. Detail: Have a process in place that disables or deletes admin accounts when employees leave your organization.

Best practice: Regularly test admin accounts by using current attack techniques. Detail: Use Office 365 Attack Simulator or a third-party offering to run realistic attack scenarios in your organization. This can help you find vulnerable users before a real attack occurs.

Best practice: Take steps to mitigate the most frequently used attack techniques.
Detail:

  • Identify Microsoft accounts in administrative roles that need to be switched to work or school accounts
  • Ensure separate user accounts and mail forwarding for global administrator accounts
  • Ensure that the passwords of administrative accounts have recently changed
  • Turn on password hash synchronization
  • Require Multi-Factor Authentication for users in all privileged roles as well as exposed users
  • Obtain your Office 365 Secure Score (if using Office 365)
  • Review the Office 365 security and compliance guidance (if using Office 365)
  • Configure Office 365 Activity Monitoring (if using Office 365)
  • Establish incident/emergency response plan owners
  • Secure on-premises privileged administrative accounts

If you don't secure privileged access, you might find that you have too many users in highly privileged roles and are more vulnerable to attacks. Malicious actors, including cyber attackers, often target admin accounts and other elements of privileged access to gain access to sensitive data and systems by using credential theft.

Control locations where resources are created

Enabling cloud operators to perform tasks while preventing them from breaking conventions that are needed to manage your organization's resources is very important. Organizations that want to control the locations where resources are created should hard-code these locations.

You can use Azure Resource Manager to create security policies whose definitions describe the actions or resources that are specifically denied. You assign those policy definitions at the desired scope, such as the subscription, the resource group, or an individual resource.

Security policies are not the same as RBAC. They actually use RBAC to authorize users to create those resources.
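As an added example (not taken from this article), the following custom Azure Policy definition, in the JSON format Azure Resource Manager accepts, denies creating or updating any resource whose location is outside the regions passed in through the allowedLocations parameter; the display name, parameter name and sample default regions are assumptions. You then assign the definition at the subscription or resource-group scope where the restriction should apply.

```json
{
  "properties": {
    "displayName": "Deny resources outside approved locations",
    "policyType": "Custom",
    "mode": "All",
    "description": "Added example: deny any resource whose location is not listed in allowedLocations.",
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed locations",
          "description": "Regions in which resources may be created (sample defaults below are assumptions).",
          "strongType": "location"
        },
        "defaultValue": [ "westeurope", "northeurope" ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "location",
            "notIn": "[parameters('allowedLocations')]"
          },
          {
            "field": "location",
            "notEquals": "global"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Resources that carry the pseudo-location global (for example, DNS zones) are excluded by the second condition so the assignment does not block them; every other create or update request outside the listed regions is rejected by Resource Manager before the resource exists, independently of the RBAC permissions the requester holds.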

Organizations that are not controlling how resources are created are more susceptible to users who might abuse the service by creating more resources than they need. Hardening the resource creation process is an important step to securing a multitenant scenario.

Actively monitor for suspicious activities

An active identity monitoring system can quickly detect suspicious behavior and trigger an alert for further investigation. The following table lists two Azure AD capabilities that can help organizations monitor their identities:

Best practice: Have a method to identify:

Detail: Use Azure AD Premium anomaly reports. Have processes and procedures in place for IT admins to run these reports on a daily basis or on demand (usually in an incident response scenario).

Best practice: Have an active monitoring system that notifies you of risks and can adjust the risk level (high, medium, or low) to your business requirements.
Detail: Use Azure AD Identity Protection, which flags the current risks on its own dashboard and sends daily summary notifications via email. To help protect your organization's identities, you can configure risk-based policies that automatically respond to detected issues when a specified risk level is reached.

Organizations that don't actively monitor their identity systems are at risk of having user credentials compromised. Without knowledge that suspicious activities are taking place through these credentials, organizations can't mitigate this type of threat.

Use Azure AD for storage authentication

Azure Storage supports authentication and authorization with Azure AD for Blob storage and Queue storage. With Azure AD authentication, you can use Azure role-based access control to grant specific permissions to users, groups, and applications down to the scope of an individual blob container or queue.

We recommend that you use Azure AD for authenticating access to storage.

Next step

See Azure security best practices and patterns for more security best practices to use when you're designing, deploying, and managing your cloud solutions by using Azure.