Secure user sign-ins to your Microsoft 365 tenant

To increase the security of user sign-ins:

  • Use Windows Hello for Business
  • Use Azure Active Directory (Azure AD) Password Protection
  • Use multi-factor authentication (MFA)
  • Deploy identity and device access configurations
  • Protect against credential compromise with Azure AD Identity Protection

Windows Hello for Business

Windows Hello for Business in Windows 10 Enterprise replaces passwords with strong two-factor authentication when signing on to a Windows device. The two factors are a new type of user credential that is tied to a device and a biometric or PIN.

For more information, see Windows Hello for Business Overview.

Azure AD Password Protection

Azure AD Password Protection detects and blocks known weak passwords and their variants, and can also block additional weak terms that are specific to your organization. A default global banned password list is automatically applied to all users in an Azure AD tenant. You can define additional entries in a custom banned password list. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords.

For more information, see Configure Azure AD password protection.

MFA

MFA requires that user sign-ins be subject to an additional verification beyond the user account password. Even if a malicious user determines a user account's password, they must also be able to respond to the additional verification, such as a text message sent to a smartphone, before access is granted.

[Figure: the correct password plus an additional verification results in a successful sign-in]

Your first step in using MFA is to **require it for all administrator accounts**, also known as privileged accounts.

Beyond this first step, Microsoft recommends MFA for all users.

There are three ways to require your administrators or users to use MFA, based on your Microsoft 365 plan.

| Plan | Recommendation |
|---|---|
| All Microsoft 365 plans (without Azure AD Premium P1 or P2 licenses) | Enable Security defaults in Azure AD. Security defaults in Azure AD include MFA for users and administrators. |
| Microsoft 365 E3 (includes Azure AD Premium P1 licenses) | Use Common Conditional Access policies to configure the following policies: (1) Require MFA for administrators; (2) Require MFA for all users; (3) Block legacy authentication. |
| Microsoft 365 E5 (includes Azure AD Premium P2 licenses) | Taking advantage of Azure AD Identity Protection, begin to implement Microsoft's recommended set of Conditional Access and related policies by creating these two policies: (1) Require MFA when sign-in risk is medium or high; (2) High risk users must change password. |

Security defaults

Security defaults is a new feature for Microsoft 365 and Office 365 paid or trial subscriptions created after October 21, 2019. These subscriptions have security defaults turned on, which **requires all of your users to use MFA with the Microsoft Authenticator app**.

Users have 14 days to register for MFA with the Microsoft Authenticator app from their smartphones, counted from the first time they sign in after security defaults has been enabled. After 14 days have passed, the user won't be able to sign in until MFA registration is completed.

Security defaults ensure that all organizations have a basic level of security for user sign-in that is enabled by default. You can disable security defaults in favor of MFA with Conditional Access policies or for individual accounts.

For more information, see the overview of security defaults.

Conditional Access policies

Conditional Access policies are a set of rules that specify the conditions under which sign-ins are evaluated and access is granted. For example, you can create a Conditional Access policy that states:

  • If the user account is a member of a group for users that are assigned the Exchange, user, password, security, SharePoint, or global administrator roles, require MFA before allowing access.

This policy allows you to require MFA based on group membership, rather than trying to configure individual user accounts for MFA when they are assigned or unassigned from these administrator roles.

You can also use Conditional Access policies for more advanced capabilities, such as requiring that the sign-in is done from a compliant device, such as your laptop running Windows 10.

Conditional Access requires Azure AD Premium P1 licenses, which are included with Microsoft 365 E3 and E5.

For more information, see the overview of Conditional Access.

Using these methods together

Keep the following in mind:

  • You cannot enable security defaults if you have any Conditional Access policies enabled.
  • You cannot enable any Conditional Access policies if you have security defaults enabled.

If security defaults are enabled, all new users are prompted for MFA registration and the use of the Microsoft Authenticator app.

This table shows the results of enabling MFA with security defaults and Conditional Access policies.

| Method | Enabled | Disabled | Additional authentication method |
|---|---|---|---|
| Security defaults | Can't use Conditional Access policies | Can use Conditional Access policies | Microsoft Authenticator app |
| Conditional Access policies | If any are enabled, you can't enable security defaults | If all are disabled, you can enable security defaults | User specifies during MFA registration |
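
The following script is an added example, not code from this Microsoft page. It applies the two points above in order: it first checks that security defaults are off (otherwise a Conditional Access policy cannot be enabled), then creates the "require MFA for administrators" policy from the Conditional Access section in report-only mode so its effect can be reviewed before enforcement. It assumes the Microsoft Graph PowerShell SDK and an account holding the listed permissions; it targets the administrator directory roles directly (a group could be used instead via includeGroups), and the break-glass exclusion is a placeholder you must fill in.

```powershell
# Added example (not from the original page). Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Directory.Read.All'

# Security defaults and Conditional Access policies are mutually exclusive:
# stop here if security defaults are still on.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($sd.IsEnabled) {
    Write-Warning 'Security defaults are enabled; disable them before creating Conditional Access policies.'
    return
}

# Resolve the administrator roles named in the text to their role template IDs
# by display name rather than hard-coding GUIDs.
$roleNames = 'Global Administrator', 'Exchange Administrator', 'SharePoint Administrator',
             'Security Administrator', 'User Administrator', 'Password Administrator'
$roleIds = Get-MgDirectoryRoleTemplate -All |
    Where-Object { $roleNames -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id

$policy = @{
    displayName = 'Require MFA for administrators (report-only)'
    # Report-only first; change to 'enabled' once the sign-in log review looks right.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeRoles = @($roleIds)
            # Placeholder: object ID of an emergency-access account that must never be locked out.
            excludeUsers = @('<break-glass-account-object-id>')
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' in state {1}" -f $created.DisplayName, $created.State
```

Review the policy's report-only results in the Azure AD sign-in logs before switching it to enforced.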

Identity and device access configurations

Identity and device access settings and policies are recommended prerequisite features, and their settings, combined with Conditional Access, Intune, and Azure AD Identity Protection policies, determine whether a given access request should be granted and under what conditions. This determination is based on the user account of the sign-in, the device being used, the app the user is using for access, the location from which the access request is made, and an assessment of the risk of the request. This capability helps ensure that only approved users and devices can access your critical resources.

Note

Azure AD Identity Protection requires Azure AD Premium P2 licenses, which are included with Microsoft 365 E5.

Identity and device access policies are defined to be used in three tiers:

  • Baseline protection is a minimum level of security for your identities and devices that access your apps and data.
  • Sensitive protection provides additional security for specific data. Identities and devices are subject to higher levels of security and device health requirements.
  • Protection for environments with highly regulated or classified data is for typically small amounts of data that are highly classified, contain trade secrets, or are subject to data regulations. Identities and devices are subject to much higher levels of security and device health requirements.

These tiers and their corresponding configurations provide consistent levels of protection across your data, identities, and devices.

Microsoft highly recommends configuring and rolling out identity and device access policies in your organization, including specific settings for Microsoft Teams, Exchange Online, and SharePoint. For more information, see Identity and device access configurations.

Azure AD Identity Protection

In this section, you'll learn how to configure policies that protect against credential compromise, where an attacker determines a user's account name and password to gain access to an organization's cloud services and data. Azure AD Identity Protection provides a number of ways to help prevent an attacker from compromising a user account's credentials.

With Azure AD Identity Protection, you can:

| Capability | Description |
|---|---|
| Determine and address potential vulnerabilities in your organization's identities | Azure AD uses machine learning to detect anomalies and suspicious activity, such as sign-ins and post-sign-in activities. Using this data, Azure AD Identity Protection generates reports and alerts that help you evaluate the issues and take action. |
| Detect suspicious actions that are related to your organization's identities and respond to them automatically | You can configure risk-based policies that automatically respond to detected issues when a specified risk level has been reached. These policies, in addition to other Conditional Access controls provided by Azure AD and Microsoft Intune, can either automatically block access or take corrective actions, including password resets and requiring Azure AD Multi-Factor Authentication for subsequent sign-ins. |
| Investigate suspicious incidents and resolve them with administrative actions | You can investigate risk events using information about the security incident. Basic workflows are available to track investigations and initiate remediation actions, such as password resets. |
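
As an added example (not code from this page), the script below creates the two risk-based policies that the plan table recommends for Microsoft 365 E5 and that the "respond automatically" row above describes: step up to MFA on medium or high sign-in risk, and force a secure password change on high user risk. It assumes the Microsoft Graph PowerShell SDK, Azure AD Premium P2, the listed permission, and a break-glass account object ID that you substitute for the placeholder.

```powershell
# Added example (not from the original page). Requires the Microsoft.Graph PowerShell SDK
# and Azure AD Premium P2 for the risk conditions to be evaluated.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Conditions shared by both policies: everyone, every cloud app, every client type.
$common = @{
    users = @{
        includeUsers = @('All')
        # Placeholder: emergency-access account that must stay outside risk policies.
        excludeUsers = @('<break-glass-account-object-id>')
    }
    applications   = @{ includeApplications = @('All') }
    clientAppTypes = @('all')
}

# 1. Medium or high sign-in risk: require MFA for that sign-in.
$signInRiskPolicy = @{
    displayName   = 'Require MFA when sign-in risk is medium or high'
    state         = 'enabledForReportingButNotEnforced'   # report-only until reviewed
    conditions    = $common + @{ signInRiskLevels = @('medium', 'high') }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# 2. High user risk: require a password change. Graph requires the passwordChange
#    control to be combined with mfa using the AND operator, so the user proves
#    possession of the second factor before the new password is accepted.
$userRiskPolicy = @{
    displayName   = 'High risk users must change password'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = $common + @{ userRiskLevels = @('high') }
    grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'passwordChange') }
}

foreach ($p in $signInRiskPolicy, $userRiskPolicy) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    "Created policy '{0}' in state {1}" -f $created.DisplayName, $created.State
}
```

Both policies are created in report-only mode; confirm that users have registered for MFA and self-service password reset before enforcing them, or the password-change policy will lock out at-risk users instead of remediating them.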

See more information about Azure AD Identity Protection.

See the steps to enable Azure AD Identity Protection.

Admin technical resources for MFA and secure sign-ins

Next step

Manage your user accounts