How to Enforce Multi-Factor Authentication for All Users of Your Office 365 Subscription


Multi-Factor Authentication (MFA) is a great security tool, and we always recommend it. Office 365 admins can enforce MFA for users, which means you can help protect anyone sharing your Office 365 business subscription.


To do this you’ll need to be an Office 365 administrator, which only happens with a business plan. If your Office 365 subscription comes as part of a domain hosting package, then you’ll have access to the Admin console. However, if you’ve just purchased a personal subscription (or home subscription for your family), then you won’t have access to the Admin console, and you can only turn MFA on for yourself. If you’re not sure, click the Office 365 app launcher and look for the Admin tile.


If it’s there, you’ve got access to the Admin console. Click the Admin tile, and on the menu on the left-hand side click Settings > Services and add-ins.


This opens the Services and add-ins page, where you can make various tenant-level changes. One of the top items will be “Azure multi-factor authentication.”


Click this, and on the panel that opens on the right, click “Manage multi-factor authentication.”


This will take you to the multi-factor authentication page. You can immediately turn MFA on for anyone who is using your Office 365 subscription, but before that, it’s best to acquaint yourself with the default settings. To do this, click “Service Settings.”


You can change whatever settings you like, or leave them as the defaults. One potential setting to look at changing is whether or not MFA can be remembered on a device. By default this is off, but turning it on means your family won’t have to go through the MFA process every time they want to check their email or edit a document.


If you switch this on, the default number of days a device can go before having to re-authenticate is 14, which means a phone/tablet/computer will be trusted for 14 days before the user has to go through the MFA process again. Having to go through the MFA process is simple, but having to do it every 2 weeks on every device that your family uses might still be a bit too much and you have the option to set this as high as 60 days.


If you do make any changes to this or any other settings, click “Save” at the bottom of the panel to save the changes, then click “users” to go back to turning on MFA.


Now that you’ve made sure the settings are right, you can enable MFA for each user. Select the users for whom you want to turn on MFA.


To the right of the table of users, click the “Enable” option that appears.


On the confirmation screen, click “Enable Multi-Factor Authentication.”


This will enable MFA for the user, and the next time they log in to Office 365 on the web, they’ll have to go through a process of setting up MFA. If they don’t log in very often (or you want to make sure you’re around to help them through the process), you can also send them the link from the confirmation screen so that they can set up MFA at a time that suits them. The link is https://aka.ms/MFASetup, which is the same for everyone setting up MFA.


Once you’ve clicked “Enable Multi-Factor Authentication” you’ll see a success message, which you can close.


MFA is now enabled for the user; now, they need to set it up. Whether they wait until the next time they log in or use the link we mentioned above, the process for setting up MFA is exactly the same.


Log in to your Office 365 account as normal, and a screen will be displayed telling you that “your organisation needs more information to keep your account secure.”


Click “Next” to be taken to the “Additional security verification” panel, where you can choose your MFA method. We always recommend using an authenticator app, and you’ll have to use Microsoft Authenticator with Office 365. Even using MFA via SMS is still better than not having MFA at all, so choose the method that works best for you in the first dropdown.


We’re going to use a mobile app, which will change the available configuration options. First you need to choose whether to “Receive notifications for verification” (which means a message will pop up on the Microsoft Authenticator app on your phone asking you to approve or deny a login to your account) or whether to “Use verification code” (which means you’ll have to enter a code generated by the Microsoft Authenticator app on your phone when you log in to Office 365). Either works fine, and it’s up to you what you choose. After this, you need to click the “Set Up” button to set up the app.


At this point a panel will appear telling you to install the Microsoft Authenticator app on your phone and then either scan a QR code or, if you can’t scan the QR code, enter a code and URL instead. Once you’ve done this, click “Next” to go back to the Additional Security Verification window, which will show that the activation status is being checked.


This may take a few seconds, and once it’s finished the message will change to show that MFA has been configured.


Click Next, and Office 365 will check that everything is working. Depending on what option you selected for verification, it will either send a Deny or Approve message to your app, or ask you to enter a code from the app. In this example, it sent a Deny or Approve message and is waiting for a response.


After you’ve verified that MFA is working, you’ll be asked for a phone number in case you lose access to the app.


This phone number will be used as backup to use SMS or voice calls in the event that you can’t use the Microsoft Authenticator app, such as when you haven’t got Wi-Fi (or you’ve run out of data on your monthly plan, and you’re out and about). It could also be used if you’ve lost your phone, so you might want to choose the number of a family member instead of your own. Once you’ve entered a number, click “Next” to see the final screen.


This page includes a Microsoft-generated password that it will recognize as being created for MFA use. You’ll need to use this password from now on, rather than the one you normally use, in all of the following apps:


  • Outlook desktop app for your PC or Mac
  • Email apps (except the Outlook app) on an iOS, Android or BlackBerry device
  • Office 2010, Office for Mac 2011 or earlier
  • Windows Essentials (Photo Gallery, Movie Maker, Mail)
  • Zune desktop app
  • Xbox 360
  • Windows Phone 8 or earlier

The next time you try to open any of these apps they’ll ask for your password, so copy it down from here and use it when asked. We can verify that Outlook on your computer needs to use the generated password but the Outlook app on your phone doesn’t, and yes, we find that odd as well, but it’s not a great hardship.


Click “Finished,” and you’ll be taken back to the login screen to log in as normal, but this time using MFA. It’s a simple, quick process that provides a valuable layer of extra security, and one that we at How-To Geek strongly recommend.


Translated from: https://www.howtogeek.com/410055/enforce-mfa-for-anyone-who-uses-your-o365-subscription/