Security Considerations for Microsoft Azure and Microsoft 365

Important

This version of Operations Manager has reached the end of support; we recommend that you upgrade to Operations Manager 2019.

Integration with Azure

The Azure monitoring pack runs on a specified agent and uses various Windows Azure APIs to remotely discover and collect instrumentation information about a specified Windows Azure application. Secure communication and authentication with Azure is performed by certificate authentication, which is required in order to successfully monitor workloads hosted in Azure with Operations Manager.

If you don't have a management certificate already, begin by reviewing Certificates overview for Azure Cloud Services.

For more information, see Introducing the Windows Azure Service Management API on the Windows Azure team blog.

The Monitoring Pack for Windows Azure Applications creates three Run As profiles:

  • Windows Azure Run As Profile Blob
  • Windows Azure Run As Profile Password
  • Windows Azure Run As Profile Proxy

You must create Run As accounts for Windows Azure Run As Profile Blob and Windows Azure Run As Profile Password. The account for Windows Azure Run As Profile Blob stores the certificate with the private key for the Windows Azure application. The account for Windows Azure Run As Profile Password stores the password for that private key.

Creating an account for Windows Azure Run As Profile Proxy is optional. The account for Windows Azure Run As Profile Proxy stores credentials for access to the HTTP proxy server that is used to make API calls to Windows Azure.

You must associate each Run As account with the appropriate Run As profile. The Add Monitoring Wizard associates the Windows Azure Run As Profile Blob and Windows Azure Run As Profile Password profiles with the accounts that you specify. If you create a Run As account for Windows Azure Run As Profile Proxy, you must manually associate the Windows Azure Run As Profile Proxy profile with the account that you create.
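The following PowerShell script is an added example, not part of this documentation or of the Azure monitoring pack itself. It creates the certificate (Binary) and password (Simple) Run As accounts described above, binds them to the pack's Run As profiles from the management server's OperationsManager module, and then restricts distribution of the certificate secret to the single agent that runs the pack, so the private key is never pushed to other agents. The server name, PFX path, agent name and Run As account display names are placeholders; the profile display names are those listed above, and the cmdlet parameter names should be confirmed with Get-Help in your environment.

```powershell
# Added example (not from the Operations Manager documentation). Run in an
# elevated Operations Manager Shell on a management server.
Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName "scom-ms01.contoso.local"   # placeholder management server

$pfxPath     = "C:\Secure\azure-mgmt-cert.pfx"      # placeholder: management certificate with private key
$watcherName = "azwatcher01.contoso.local"            # placeholder: the one agent that runs the Azure pack

# 1. Binary Run As account that holds the certificate + private key (Blob profile).
Add-SCOMRunAsAccount -Binary -Name "Azure Management Certificate" -Path $pfxPath `
    -Description "Certificate with private key for Azure application monitoring"
$blobAccount = Get-SCOMRunAsAccount -Name "Azure Management Certificate"

# 2. Simple Run As account that holds the private-key password (Password profile).
#    The password is read interactively so it never lands in the script or history.
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX private key password"
$pfxCred     = New-Object System.Management.Automation.PSCredential("pfx", $pfxPassword)
Add-SCOMRunAsAccount -Simple -Name "Azure Certificate Password" -RunAsCredential $pfxCred
$passwordAccount = Get-SCOMRunAsAccount -Name "Azure Certificate Password"

# 3. Bind each account to its Run As profile (the wizard does this for Blob and
#    Password; the same cmdlet is what you use for the optional Proxy profile).
$blobProfile     = Get-SCOMRunAsProfile -DisplayName "Windows Azure Run As Profile Blob"
$passwordProfile = Get-SCOMRunAsProfile -DisplayName "Windows Azure Run As Profile Password"
Set-SCOMRunAsProfile -Action Add -Profile $blobProfile     -Account $blobAccount
Set-SCOMRunAsProfile -Action Add -Profile $passwordProfile -Account $passwordAccount

# 4. Least privilege: distribute both secrets only to the agent that needs them.
$watcher = Get-SCOMAgent -DNSHostName $watcherName
foreach ($acct in @($blobAccount, $passwordAccount)) {
    Set-SCOMRunAsDistribution -RunAsAccount $acct -MoreSecure -SecureDistribution $watcher
}

# 5. Show the resulting distribution so the change can be reviewed.
Get-SCOMRunAsDistribution -RunAsAccount $blobAccount, $passwordAccount |
    Format-List Name, Security, SecureDistribution
```

Using the "more secure" distribution setting means the encrypted credential blob is only ever delivered to the named agent; any other agent that picks up a workflow from this pack will fail to obtain the certificate rather than silently receiving a copy of the private key.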

Integration with Microsoft 365

The Microsoft 365 management pack uses an agentless monitoring approach. All monitoring workflows that communicate with the Microsoft 365 Monitoring API are executed on management servers only. A user account with Global Administrator permissions for the subscription is required to monitor a Microsoft 365 subscription. It is highly recommended to add a new dedicated user account to each subscription you want to monitor. To create a new user with Global Administrator permissions using the Microsoft 365 admin center:

  1. Go to https://portal.office.com/Adminportal/ to open the admin center. Log in as the subscription's Global Administrator.
  2. On the Users and Groups tab, click the Add button.
  3. Enter First name, Last name, Display name and User name, and select a domain linked to the subscription. Note that First and Last names are required for an account with the Global Administrator role.
    (Screenshot: Add user details page)
  4. On the Settings tab, select the Global administrator role to be assigned to the account. Specify an alternate email address and the user location.
    (Screenshot: Add user settings page)
  5. You are not required to assign Microsoft 365 service licenses to the monitoring account.
  6. Specify an email address to receive a temporary password. Log out of the Microsoft 365 admin center and log in again using the new credentials received in the email.
  7. Log in to the Microsoft 365 management portal using the newly created credentials and set the password for the account. Remember to use a strong, complex password, because this account has Global Administrator permissions.

    Note

    Until the new Global Administrator account has been used to log in to the Microsoft 365 management portal at least once, Management Pack workflows are unable to obtain monitoring data, the Connection State monitor sets Subscription health to the "Critical" state, and a "(401) Unauthorized" alert is generated.

Configure Run As profiles

The Microsoft 365 management pack creates two Run As profiles:

  • Microsoft 365 Subscription Password secure reference

    The Microsoft 365 Subscription Password secure reference Run As profile is used to store the subscription credentials and shouldn't be edited manually.

  • Microsoft 365 Subscription Proxy secure reference

    The Microsoft 365 Subscription Proxy secure reference Run As profile should be configured manually. This profile is used by all rules and monitors defined in this Management Pack. All Run As accounts mapped to this profile should have the following permissions:

    • Be a member of the "Operations Manager Operators" System Center Operations Manager user role.
    • Be able to establish an HTTPS connection from the management server to the Microsoft 365 portal endpoint. Check the firewall and proxy settings within your environment to ensure that this connection is allowed.
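The following PowerShell script is an added example, not part of this documentation or of the Microsoft 365 management pack. It verifies the two requirements just listed for an account before that account is mapped to the Proxy secure reference profile: membership in the "Operations Manager Operators" user role, and an HTTPS connection from the management server to the portal endpoint through the environment's proxy. Only if both checks pass does it perform the manual profile association. The management server name, Windows account, Run As account display name and proxy URL are placeholders; the profile and user role display names are those given above, and the `Users` property on the user role object and the cmdlet parameter names are assumptions to confirm with Get-Help.

```powershell
# Added example (not from the Operations Manager documentation). Run in an
# elevated Operations Manager Shell on the management server that will execute
# the Microsoft 365 workflows.
Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName "scom-ms01.contoso.local"   # placeholder management server

$runAsUser   = "CONTOSO\svc-m365mon"                          # placeholder Windows account behind the Run As account
$runAsName   = "Microsoft 365 Proxy Account"                    # placeholder Run As account display name
$proxyUrl    = "http://proxy.contoso.local:8080"                # placeholder outbound proxy
$endpoint    = "https://portal.office.com/"                     # portal endpoint the pack must reach
$profileName = "Microsoft 365 Subscription Proxy secure reference"

# Check 1: the account is a member of the Operations Manager Operators user role.
$operators  = Get-SCOMUserRole -DisplayName "Operations Manager Operators"
$isOperator = ($operators.Users -contains $runAsUser)           # assumed: Users lists member names
if (-not $isOperator) {
    Write-Warning "$runAsUser is not in the 'Operations Manager Operators' user role."
}

# Check 2: HTTPS from this management server to the portal endpoint via the proxy.
# Any HTTP status (including a redirect or 401) proves the TLS connection was
# established; only a transport failure (DNS, firewall, proxy denial) counts as blocked.
$httpsOk = $false
try {
    Invoke-WebRequest -Uri $endpoint -Method Head -Proxy $proxyUrl `
        -ProxyUseDefaultCredentials -UseBasicParsing -TimeoutSec 15 | Out-Null
    $httpsOk = $true
} catch {
    if ($_.Exception.Response) {
        $httpsOk = $true                                        # server answered, so the path is open
    } else {
        Write-Warning "No HTTPS path to $endpoint through $proxyUrl : $($_.Exception.Message)"
    }
}

# Only map the account once both requirements are met.
if ($isOperator -and $httpsOk) {
    $profile = Get-SCOMRunAsProfile -DisplayName $profileName
    $account = Get-SCOMRunAsAccount -Name $runAsName
    Set-SCOMRunAsProfile -Action Add -Profile $profile -Account $account
    Write-Output "Mapped '$runAsName' to '$profileName'."
} else {
    Write-Output "Prerequisites not met; profile left unchanged."
}
```

Running the connectivity check on the management server itself, rather than from an administrator's workstation, matters here because the pack is agentless: the workflows execute only on management servers, so those are the hosts whose firewall and proxy path to the portal must be open.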