Configure scoped synchronization from Azure AD to Azure Active Directory Domain Services using Azure AD PowerShell

To provide authentication services, Azure Active Directory Domain Services (Azure AD DS) synchronizes users and groups from Azure AD. In a hybrid environment, users and groups from an on-premises Active Directory Domain Services (AD DS) environment can first be synchronized to Azure AD using Azure AD Connect, and then synchronized to Azure AD DS.

By default, all users and groups from an Azure AD directory are synchronized to an Azure AD DS managed domain. If you have specific needs, you can instead choose to synchronize only a defined set of users.

This article shows you how to create a managed domain that uses scoped synchronization and then change or disable the set of scoped users using Azure AD PowerShell. You can also complete these steps using the Azure portal.

Before you begin

To complete this article, you need the following resources and privileges:

Scoped synchronization overview

By default, all users and groups from an Azure AD directory are synchronized to a managed domain. If only a few users need to access the managed domain, you can synchronize only those user accounts. This scoped synchronization is group-based. When you configure group-based scoped synchronization, only the user accounts that belong to the groups you specify are synchronized to the managed domain. Nested groups aren't synchronized, only the specific groups you select.

You can change the synchronization scope when you create the managed domain, or once it's deployed. You can also change the scope of synchronization on an existing managed domain without needing to recreate it.

To learn more about the synchronization process, see Understand synchronization in Azure AD Domain Services.

Warning

Changing the scope of synchronization causes the managed domain to resynchronize all data. The following considerations apply:

  • When you change the synchronization scope for a managed domain, a full resynchronization occurs.
  • Objects that are no longer required in the managed domain are deleted. New objects are created in the managed domain.

PowerShell script for scoped synchronization

To configure scoped synchronization using PowerShell, first save the following script to a file named Select-GroupsToSync.ps1.

This script configures Azure AD DS to synchronize selected groups from Azure AD. All user accounts that are part of the specified groups are synchronized to the managed domain.

This script is used in the additional steps in this article.

param (
    [Parameter(Position = 0)]
    [String[]]$groupsToAdd
)

Connect-AzureAD -AzureEnvironmentName AzureChinaCloud

# The Azure AD DS service principal. A group is scoped into synchronization by
# assigning it this service principal's "User" app role.
$sp = Get-AzureADServicePrincipal -Filter "AppId eq '2565bd9d-da50-47d4-8b85-4c97f669dc36'"
$role = $sp.AppRoles | Where-Object -FilterScript {$_.DisplayName -eq "User"}

Write-Output "`n****************************************************************************"

# Resolve the requested group display names to object IDs.
Write-Output "Total group-assignments need to be added: $($groupsToAdd.Count)"
$newGroupIds = New-Object 'System.Collections.Generic.HashSet[string]'
foreach ($groupName in $groupsToAdd)
{
    try
    {
        $group = Get-AzureADGroup -Filter "DisplayName eq '$groupName'"
        # Get-AzureADGroup returns nothing (no exception) when the filter matches no group,
        # so check explicitly instead of adding an empty ID to the set.
        if (-not $group) { throw "No group with display name '$groupName' was found." }
        # [void] discards the boolean that HashSet.Add returns so it is not written to the output.
        [void]$newGroupIds.Add($group.ObjectId)

        Write-Output "Group-Name: $groupName, Id: $($group.ObjectId)"
    }
    catch
    {
        Write-Error "Failed to find group: $groupName. Exception: $($_.Exception)."
    }
}

Write-Output "****************************************************************************`n"
Write-Output "`n****************************************************************************"

# Compare the current app-role assignments with the requested set and remove
# assignments that are no longer wanted.
$currentAssignments = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId
Write-Output "Total current group-assignments: $($currentAssignments.Count), SP-ObjectId: $($sp.ObjectId)"

$currAssignedObjectIds = New-Object 'System.Collections.Generic.HashSet[string]'
foreach ($assignment in $currentAssignments)
{
    Write-Output "Assignment-ObjectId: $($assignment.PrincipalId)"

    if ($newGroupIds.Contains($assignment.PrincipalId) -eq $false)
    {
        Write-Output "This assignment is not needed anymore. Removing it! Assignment-ObjectId: $($assignment.PrincipalId)"
        Remove-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -AppRoleAssignmentId $assignment.ObjectId
    }
    else
    {
        [void]$currAssignedObjectIds.Add($assignment.PrincipalId)
    }
}

Write-Output "****************************************************************************`n"
Write-Output "`n****************************************************************************"

# Assign the "User" app role to every requested group that does not have it yet.
foreach ($id in $newGroupIds)
{
    try
    {
        if ($currAssignedObjectIds.Contains($id) -eq $false)
        {
            Write-Output "Adding new group-assignment. Role-Id: $($role.Id), Group-Object-Id: $id, ResourceId: $($sp.ObjectId)"
            New-AzureADGroupAppRoleAssignment -Id $role.Id -ObjectId $id -PrincipalId $id -ResourceId $sp.ObjectId
        }
        else
        {
            Write-Output "Group-ObjectId: $id is already assigned."
        }
    }
    catch
    {
        Write-Error "Exception occurred assigning Object-ID: $id. Exception: $($_.Exception)."
    }
}

Write-Output "****************************************************************************`n"

Enable scoped synchronization

To enable group-based scoped synchronization for a managed domain, complete the following steps:

  1. First set "filteredSync" = "Enabled" on the Azure AD DS resource, then update the managed domain.

    When prompted, specify the credentials for a global admin to sign in to your Azure AD tenant using the Connect-AzureAD cmdlet:

    # Connect to your Azure AD tenant
    Connect-AzureAD -AzureEnvironmentName AzureChinaCloud

    # Get-AzResource and Set-AzResource belong to the Az module and use its own session,
    # so also sign in with Connect-AzAccount before reading or updating the resource.
    Connect-AzAccount -Environment AzureChinaCloud

    # Retrieve the Azure AD DS resource.
    $DomainServicesResource = Get-AzResource -ResourceType "Microsoft.AAD/DomainServices"

    # Enable group-based scoped synchronization.
    $enableScopedSync = @{"filteredSync" = "Enabled"}

    # Update the Azure AD DS resource
    Set-AzResource -Id $DomainServicesResource.ResourceId -Properties $enableScopedSync

    
  2. Now specify the list of groups whose users should be synchronized to the managed domain.

    Run the Select-GroupsToSync.ps1 script and specify the list of groups to sync. In the following example, the groups to synchronize are GroupName1 and GroupName2.

    Warning

    You must include the AAD DC Administrators group in the list of groups for scoped synchronization. If you don't include this group, the managed domain is unusable.

    .\Select-GroupsToSync.ps1 -groupsToAdd @("AAD DC Administrators", "GroupName1", "GroupName2")
    

Changing the scope of synchronization causes the managed domain to resynchronize all data. Objects that are no longer required in the managed domain are deleted, and resynchronization may take a long time to complete.
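Because the script above removes assignments immediately and every scope change triggers a full resynchronization, it is worth previewing the change first. The following function, an added example that is not part of the original article or of Select-GroupsToSync.ps1, resolves the requested group names, refuses to continue on a missing or ambiguous name or when "AAD DC Administrators" is absent, and reports which group assignments would be added, removed, or left unchanged without modifying anything. It uses the same AzureAD cmdlets and the same Azure AD DS AppId as the article's script; the function name Get-ScopedSyncChangePreview is an assumption of this example.

```powershell
# Added example, not from the original article: dry-run comparison of the requested
# scoped-sync group list against the current app-role assignments. Read-only.

function Get-ScopedSyncChangePreview {
    param (
        [Parameter(Mandatory = $true)]
        [String[]]$GroupsToAdd
    )

    # Azure AD DS service principal (same AppId as in Select-GroupsToSync.ps1).
    $sp = Get-AzureADServicePrincipal -Filter "AppId eq '2565bd9d-da50-47d4-8b85-4c97f669dc36'"
    if (-not $sp) { throw "Azure AD DS service principal not found in this tenant." }

    # Resolve each display name to exactly one group. A typo or a duplicated display
    # name must stop the run rather than silently dropping a group from the scope.
    $wanted = @{}
    foreach ($name in $GroupsToAdd) {
        $found = @(Get-AzureADGroup -Filter "DisplayName eq '$name'")
        if ($found.Count -ne 1) {
            throw "Group '$name' matched $($found.Count) objects; expected exactly 1."
        }
        $wanted[$found[0].ObjectId] = $found[0].DisplayName
    }

    # The article's warning: without this group the managed domain is unusable.
    if (@($wanted.Values) -notcontains "AAD DC Administrators") {
        throw "The 'AAD DC Administrators' group must be in the scoped list."
    }

    # Groups currently assigned an app role on the service principal, keyed by object ID.
    $current = @{}
    foreach ($a in Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId) {
        $current[$a.PrincipalId] = $a.PrincipalDisplayName
    }

    [PSCustomObject]@{
        ToAdd     = @($wanted.Keys  | Where-Object { -not $current.ContainsKey($_) } | ForEach-Object { $wanted[$_] })
        ToRemove  = @($current.Keys | Where-Object { -not $wanted.ContainsKey($_) }  | ForEach-Object { $current[$_] })
        Unchanged = @($wanted.Keys  | Where-Object { $current.ContainsKey($_) }      | ForEach-Object { $wanted[$_] })
    }
}

# Usage: sign in, then preview. Nothing changes until you run Select-GroupsToSync.ps1
# with the same list.
Connect-AzureAD -AzureEnvironmentName AzureChinaCloud
Get-ScopedSyncChangePreview -GroupsToAdd @("AAD DC Administrators", "GroupName1", "GroupName3")
```

A non-empty ToRemove list is the signal to double-check the input before running the real script, since those groups' users will be deleted from the managed domain during the resynchronization.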

Modify scoped synchronization

To modify the list of groups whose users should be synchronized to the managed domain, run the Select-GroupsToSync.ps1 script and specify the new list of groups to sync.

In the following example, the groups to synchronize no longer include GroupName2, and now include GroupName3.

Warning

You must include the AAD DC Administrators group in the list of groups for scoped synchronization. If you don't include this group, the managed domain is unusable.

When prompted, specify the credentials for a global admin to sign in to your Azure AD tenant using the Connect-AzureAD cmdlet:

.\Select-GroupsToSync.ps1 -groupsToAdd @("AAD DC Administrators", "GroupName1", "GroupName3")

Changing the scope of synchronization causes the managed domain to resynchronize all data. Objects that are no longer required in the managed domain are deleted, and resynchronization may take a long time to complete.

Disable scoped synchronization

To disable group-based scoped synchronization for a managed domain, set "filteredSync" = "Disabled" on the Azure AD DS resource, then update the managed domain. When complete, all users and groups are set to synchronize from Azure AD.

When prompted, specify the credentials for a global admin to sign in to your Azure AD tenant using the Connect-AzureAD cmdlet:

# Connect to your Azure AD tenant
Connect-AzureAD -AzureEnvironmentName AzureChinaCloud

# Get-AzResource and Set-AzResource belong to the Az module and use its own session,
# so also sign in with Connect-AzAccount before reading or updating the resource.
Connect-AzAccount -Environment AzureChinaCloud

# Retrieve the Azure AD DS resource.
$DomainServicesResource = Get-AzResource -ResourceType "Microsoft.AAD/DomainServices"

# Disable group-based scoped synchronization.
$disableScopedSync = @{"filteredSync" = "Disabled"}

# Update the Azure AD DS resource
Set-AzResource -Id $DomainServicesResource.ResourceId -Properties $disableScopedSync

Changing the scope of synchronization causes the managed domain to resynchronize all data. Objects that are no longer required in the managed domain are deleted, and resynchronization may take a long time to complete.
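After enabling, modifying, or disabling scoped synchronization, a quick audit confirms that the resource and the app-role assignments agree with what you intended. The following function is an added example, not part of the original article: it reads the filteredSync property from each Azure AD DS resource with Get-AzResource -ExpandProperties (an Az module switch that returns the resource's properties) and, when scoped sync is enabled, lists the groups currently assigned on the Azure AD DS service principal and flags whether AAD DC Administrators is among them. The function name Get-ScopedSyncState and the output field names are assumptions of this example.

```powershell
# Added example, not from the original article: audit the current scoped-sync state.
# Read-only; uses the Az module for the resource and the AzureAD module for assignments.

function Get-ScopedSyncState {
    # One Azure AD DS resource per managed domain in the subscription.
    $resources = @(Get-AzResource -ResourceType "Microsoft.AAD/DomainServices" -ExpandProperties)
    if ($resources.Count -eq 0) { throw "No Azure AD DS resource found in the current subscription." }

    foreach ($r in $resources) {
        # 'filteredSync' is the property the article sets to Enabled/Disabled.
        $state  = $r.Properties.filteredSync
        $groups = @()

        if ($state -eq "Enabled") {
            # Same Azure AD DS AppId as in Select-GroupsToSync.ps1.
            $sp = Get-AzureADServicePrincipal -Filter "AppId eq '2565bd9d-da50-47d4-8b85-4c97f669dc36'"
            $groups = @(Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId |
                        Where-Object { $_.PrincipalType -eq "Group" } |
                        Select-Object -ExpandProperty PrincipalDisplayName)
        }

        [PSCustomObject]@{
            ManagedDomain     = $r.Name
            FilteredSync      = $state
            SyncedGroups      = $groups
            # Only meaningful when scoped sync is on; with it off every group syncs.
            AdminGroupPresent = ($state -ne "Enabled") -or ($groups -contains "AAD DC Administrators")
        }
    }
}

# Usage: both modules need their own sign-in.
Connect-AzAccount -Environment AzureChinaCloud
Connect-AzureAD -AzureEnvironmentName AzureChinaCloud
Get-ScopedSyncState | Format-List
```

AdminGroupPresent equal to False with FilteredSync equal to Enabled is the configuration the article warns about, and should be corrected by re-running Select-GroupsToSync.ps1 with AAD DC Administrators in the list.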

Next steps

To learn more about the synchronization process, see Understand synchronization in Azure AD Domain Services.