Protect global administrator accounts in your Microsoft 365 for enterprise test environment

This Test Lab Guide can only be used for Microsoft 365 for enterprise test environments.

Global administrator accounts are the highest-value target in a tenant. Making them as hard to compromise as possible removes the attacker's easiest path to full control of your organization.

This article describes how to use Azure Active Directory (Azure AD) conditional access policies to protect global administrator accounts.

Protecting global administrator accounts in your Microsoft 365 for enterprise test environment involves two phases: building out the test environment, and then configuring the conditional access policies.


Tip

For a visual map to all the articles in the Microsoft 365 for enterprise Test Lab Guide stack, go to Microsoft 365 for enterprise Test Lab Guide Stack.

Phase 1: Build out your Microsoft 365 for enterprise test environment

If you want to test global administrator account protection in a lightweight way with the minimum requirements, follow the instructions in Lightweight base configuration.

If you want to test global administrator account protection in a simulated enterprise, follow the instructions in Pass-through authentication.

Note

Testing global administrator account protection does not require the simulated enterprise test environment, which includes a simulated intranet connected to the internet and directory synchronization with an Active Directory Domain Services (AD DS) domain. It is provided here as an option so that you can test global administrator account protection and experiment with it in an environment that represents a typical organization.

Phase 2: Configure conditional access policies

First, create a new user account as a dedicated global administrator. A dedicated account is used only for administration, so its sign-ins are rare and easy to scrutinize, and its credentials are never exposed through everyday mail and browsing.

  1. On a separate tab, open the Microsoft 365 admin center.
  2. Select Users > Active users, and then select Add a user.
  3. In the Add user pane, enter DedicatedAdmin in the First name, Display name, and Username boxes.
  4. Select Password, select Let me create the password, and then enter a strong password. Record the password for this new account in a secure location.
  5. Select Next.
  6. In the Assign product licenses pane, select Microsoft 365 E5, and then select Next.
  7. In the Optional settings pane, select Roles > Admin center access > Global admin > Next.
  8. On the You're almost done pane, select Finish adding, and then select Close.

Next, create a new security group named GlobalAdmins and add the DedicatedAdmin account to it. The group is what the sign-in risk policy below is scoped to, so every global administrator account must be a member of it.

  1. On the Microsoft 365 admin center tab, select Groups in the left navigation, and then select Groups.
  2. Select Add a group.
  3. In the Choose a group type pane, select Security, and then select Next.
  4. In the Set up the basics pane, enter GlobalAdmins, and then select Next.
  5. In the Review and finish adding group pane, select Create group, and then select Close.
  6. In the list of groups, select the GlobalAdmins group.
  7. In the GlobalAdmins pane, select Members, and then select View all and manage members.
  8. In the GlobalAdmins pane, select Add members, select the DedicatedAdmin account and your global admin account, and then select Save > Close > Close.

Next, create conditional access policies to require multi-factor authentication (MFA) for global administrator accounts and to deny authentication when the sign-in risk is medium or high.

This first policy requires that all global administrator accounts use MFA. It uses the Azure AD baseline policy that was available when this guide was written. Baseline policies have since been retired in favor of security defaults and tenant-authored conditional access policies, so in a current tenant create an equivalent policy that targets the Global Administrator directory role with the Require multi-factor authentication grant control.

  1. In a new tab of your browser, go to https://portal.azure.com.
  2. Click Azure Active Directory > Security > Conditional Access.
  3. In the Conditional access – Policies pane, select Baseline policy: Require MFA for admins (preview).
  4. In the Baseline policy pane, select Use policy immediately > Save.

This second policy blocks authentication for the GlobalAdmins group when Azure AD Identity Protection rates the sign-in risk as medium or high.

  1. In the Conditional access – Policies pane, select New policy.
  2. In the New pane, enter Global administrators in Name.
  3. In the Assignments section, select Users and groups.
  4. On the Include tab of the Users and groups pane, select Select users and groups > Users and groups > Select.
  5. In the Select pane, select the GlobalAdmins group, and then select Select > Done.
  6. In the Assignments section, select Conditions.
  7. In the Conditions pane, select Sign-in risk, select Yes for Configure, select High and Medium, and then select Select and Done.
  8. In the Access controls section of the New pane, select Grant.
  9. In the Grant pane, select Block access, and then select Select.
  10. In the New pane, select On for Enable policy, and then select Create.
  11. Close the Azure portal and Microsoft 365 admin center tabs.

To test the first policy, sign out and sign in with the DedicatedAdmin account. You should be prompted to configure MFA. This demonstrates that the first policy is being applied. The second policy cannot be exercised on demand because it depends on Identity Protection assigning a risk level to the sign-in; confirm it instead by checking that the policy is listed as enabled and, after a blocked sign-in ever occurs, that the Azure AD sign-in log shows the policy as the reason for failure.
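The same Phase 2 configuration can be scripted. The following is an added example written for this page with Microsoft Graph PowerShell; it is not code from the original Test Lab Guide or from Microsoft. It assumes PowerShell 7.1 or later with the Microsoft.Graph module installed, a tenant domain of contoso.onmicrosoft.com, a usage location of US, the Microsoft 365 E5 SKU part number SPE_E5, and an existing emergency-access account named breakglass@contoso.onmicrosoft.com; all of these are placeholders for your own tenant. Because baseline policies are retired, the MFA requirement is expressed as a normal conditional access policy targeting the Global Administrator role rather than the baseline policy from the portal steps.

```powershell
# Added example, not part of the original Test Lab Guide. Scripts the Phase 2
# steps with Microsoft Graph PowerShell. Values below are assumptions for a
# test tenant; replace them with your own.
$Domain            = 'contoso.onmicrosoft.com'          # assumed tenant domain
$BreakGlassUpn     = "breakglass@$Domain"                # assumed emergency-access account
$GlobalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'  # Global Administrator role template ID

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Group.ReadWrite.All',
    'RoleManagement.ReadWrite.Directory', 'Policy.ReadWrite.ConditionalAccess',
    'Policy.Read.All', 'Directory.Read.All'

# 1. Dedicated global administrator account (first numbered list above).
$password = Read-Host -Prompt 'Password for DedicatedAdmin' -MaskInput
$admin = New-MgUser -AccountEnabled -DisplayName 'DedicatedAdmin' -GivenName 'DedicatedAdmin' `
    -MailNickname 'DedicatedAdmin' -UserPrincipalName "DedicatedAdmin@$Domain" `
    -UsageLocation 'US' `
    -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $false }

# Assign Microsoft 365 E5 (SkuPartNumber assumed to be SPE_E5; skipped if not found).
$e5 = Get-MgSubscribedSku | Where-Object { $_.SkuPartNumber -eq 'SPE_E5' }
if ($e5) {
    Set-MgUserLicense -UserId $admin.Id -AddLicenses @(@{ SkuId = $e5.SkuId }) -RemoveLicenses @() | Out-Null
}

# Grant the Global Administrator role to the new account.
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $admin.Id `
    -RoleDefinitionId $GlobalAdminRoleId -DirectoryScopeId '/' | Out-Null

# 2. GlobalAdmins security group containing DedicatedAdmin and the signed-in admin.
$group = New-MgGroup -DisplayName 'GlobalAdmins' -MailNickname 'GlobalAdmins' `
    -MailEnabled:$false -SecurityEnabled
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $admin.Id
$meUpn = (Get-MgContext).Account                      # UPN of the account running this script
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId (Get-MgUser -UserId $meUpn).Id

# 3a. Require MFA for every account holding the Global Administrator role.
#     Targeting the role rather than the group also catches admins added later
#     who were never put in GlobalAdmins.
$mfaPolicy = @{
    displayName   = 'Require MFA for global administrators'
    state         = 'enabled'
    conditions    = @{
        users        = @{ includeRoles = @($GlobalAdminRoleId) }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy | Out-Null

# 3b. Block the GlobalAdmins group when the sign-in risk is medium or high.
#     The emergency-access account is excluded so that a false-positive risk
#     score cannot lock every administrator out of the tenant at once.
$breakGlass = Get-MgUser -UserId $BreakGlassUpn -ErrorAction SilentlyContinue
$blockPolicy = @{
    displayName   = 'Global administrators'
    state         = 'enabled'   # 'enabledForReportingButNotEnforced' trials the policy first
    conditions    = @{
        users            = @{
            includeGroups = @($group.Id)
            excludeUsers  = @(if ($breakGlass) { $breakGlass.Id })
        }
        applications     = @{ includeApplications = @('All') }
        signInRiskLevels = @('high', 'medium')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockPolicy | Out-Null

# Verify that both policies exist and are enabled.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -in @('Require MFA for global administrators', 'Global administrators') } |
    Select-Object DisplayName, State
```

Run the block while signed in as an existing global administrator of the test tenant; the first call prompts for consent to the listed Graph scopes. The block policy is created in the enabled state to match the portal steps. In a production tenant, create it in report-only mode first (the state value commented in the block), review the sign-in log for the accounts it would have blocked, and only then enable it, keeping the excluded emergency-access account protected by MFA and monitored for any use.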

Next step

Explore additional identity features and capabilities in your test environment.

See also

Identity roadmap

Microsoft 365 for enterprise Test Lab Guides

Microsoft 365 for enterprise overview

Microsoft 365 for enterprise documentation