How to: Plan your Azure AD join implementation

Azure AD join allows you to join devices directly to Azure AD without the need to join them to on-premises Active Directory, while keeping your users productive and secure. Azure AD join is enterprise-ready for both at-scale and scoped deployments.

This article provides you with the information you need to plan your Azure AD join implementation.

Prerequisites

This article assumes that you are familiar with the Introduction to device management in Azure Active Directory.

Plan your implementation

To plan your Azure AD join implementation, you should familiarize yourself with:

  • Review your scenarios
  • Review your identity infrastructure
  • Assess your device management
  • Understand considerations for applications and resources
  • Understand your provisioning options
  • Configure Conditional Access

Review your scenarios

While Hybrid Azure AD join may be preferred for certain scenarios, Azure AD join enables you to transition towards a cloud-first model with Windows. If you are planning to modernize your device management and reduce device-related IT costs, Azure AD join provides a great foundation towards achieving those objectives.

You should consider Azure AD join if your goals align with the following criteria:

  • You are adopting Microsoft 365 as the productivity suite for your users.
  • You want to manage devices with a cloud device management solution.
  • You want to simplify device provisioning for geographically distributed users.
  • You plan to modernize your application infrastructure.

Review your identity infrastructure

Azure AD join works with both managed and federated environments.

Managed environment

A managed environment can be deployed through Password Hash Sync with Seamless Single Sign-On.

These scenarios don't require you to configure a federation server for authentication.

Federated environment

A federated environment should have an identity provider that supports both the WS-Trust and WS-Fed protocols:

  • WS-Fed: This protocol is required to join a device to Azure AD.
  • WS-Trust: This protocol is required to sign in to an Azure AD joined device.

When you're using AD FS, you need to enable the following WS-Trust endpoints:

  • /adfs/services/trust/2005/usernamemixed
  • /adfs/services/trust/13/usernamemixed
  • /adfs/services/trust/2005/certificatemixed
  • /adfs/services/trust/13/certificatemixed

If your identity provider does not support these protocols, Azure AD join does not work natively.
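The following script is an added example, not code from the article, for verifying on an AD FS server that the four WS-Trust endpoints listed above are enabled. It assumes the AD FS PowerShell module is present (it ships with the AD FS role) and an elevated session; the proxy check goes beyond the article and reflects the general AD FS requirement that an endpoint must also be published through the Web Application Proxy to be reachable from outside the corporate network.

```powershell
# Added example (not from the Microsoft page): confirm that the WS-Trust endpoints
# Azure AD join and device sign-in depend on are enabled on the AD FS farm.
# Run in an elevated PowerShell session on an AD FS server.
Import-Module ADFS

# The endpoint paths are the ones listed in the article.
$requiredEndpoints = @(
    '/adfs/services/trust/2005/usernamemixed',
    '/adfs/services/trust/13/usernamemixed',
    '/adfs/services/trust/2005/certificatemixed',
    '/adfs/services/trust/13/certificatemixed'
)

$problems = @()
foreach ($path in $requiredEndpoints) {
    $endpoint = Get-AdfsEndpoint -AddressPath $path -ErrorAction SilentlyContinue
    if ($null -eq $endpoint) {
        $problems += "$path : endpoint not found on this farm"
        continue
    }
    # Enabled = served by the federation servers.
    # Proxy   = also published through the Web Application Proxy (needed for
    #           devices that join or sign in from outside the corporate network).
    if (-not $endpoint.Enabled) {
        $problems += "$path : disabled (fix: Enable-AdfsEndpoint -TargetAddressPath '$path')"
    }
    elseif (-not $endpoint.Proxy) {
        $problems += "$path : enabled but not published via proxy (fix: Set-AdfsEndpoint -TargetAddressPath '$path' -Proxy `$true)"
    }
}

if ($problems.Count -eq 0) {
    Write-Output 'All WS-Trust endpoints required for Azure AD join are enabled.'
}
else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Changes to endpoint state take effect after the AD FS service is restarted on each federation server.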

Note

Currently, Azure AD join does not work with AD FS 2019 configured with external authentication providers as the primary authentication method. Azure AD join defaults to password authentication as the primary method, which results in authentication failures in this scenario.

Smartcards and certificate-based authentication

You can't use smartcards or certificate-based authentication to join devices to Azure AD. However, smartcards can be used to sign in to Azure AD joined devices if you have AD FS configured.

Recommendation: Implement Windows Hello for Business for strong, password-less authentication to Windows 10 devices.

User configuration

If you create users in your:

  • On-premises Active Directory, you need to synchronize them to Azure AD using Azure AD Connect.
  • Azure AD, no additional setup is required.

On-premises UPNs that are different from Azure AD UPNs are not supported on Azure AD joined devices. If your users use an on-premises UPN, you should plan to switch to using their primary UPN in Azure AD.

UPN changes are only supported starting with the Windows 10 2004 update. Users on devices with this update will not have any issues after changing their UPNs. On devices prior to the Windows 10 2004 update, users would have SSO and Conditional Access issues. They need to sign in to Windows through the "Other user" tile using their new UPN to resolve this issue.

Assess your device management

Supported devices

Azure AD join:

  • Is only applicable to Windows 10 devices.
  • Is not applicable to previous versions of Windows or other operating systems. If you have Windows 7/8.1 devices, you must upgrade to Windows 10 to deploy Azure AD join.
  • Is supported for FIPS-compliant TPM 2.0 but not for TPM 1.2. If your devices have a FIPS-compliant TPM 1.2, you must disable them before proceeding with Azure AD join. Microsoft does not provide any tools for disabling FIPS mode for TPMs, as it is dependent on the TPM manufacturer. Contact your hardware OEM for support.
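The following script is an added example, not code from the article, that checks a Windows device against the constraints described in the two sections above (Windows 10 only, the 2004 requirement for UPN changes, and TPM 2.0 rather than TPM 1.2) before an Azure AD join is attempted. It assumes an elevated PowerShell session on the device; the build number 19041 for Windows 10 2004 comes from general Windows version knowledge, not from the article.

```powershell
# Added example (not from the Microsoft page): pre-join readiness check for the
# device constraints described in the article. Run elevated on the Windows device.
$issues = @()

# 1. Azure AD join targets Windows 10, and UPN changes are only supported from the
#    2004 update (build 19041, a value not stated on the page) onward.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber
if ($os.Caption -notmatch 'Windows 10') {
    $issues += "Unsupported OS for Azure AD join: $($os.Caption)"
}
elseif ($build -lt 19041) {
    $issues += "Build $build predates Windows 10 2004; a UPN change would break SSO and Conditional Access on this device"
}

# 2. TPM 2.0 is supported; a FIPS-compliant TPM 1.2 must be disabled (via the OEM) first.
$tpm = Get-CimInstance -Namespace 'root\cimv2\security\microsofttpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
if ($null -eq $tpm) {
    $issues += 'No TPM reported (none present, disabled in firmware, or session not elevated)'
}
else {
    # SpecVersion is a string such as "2.0, 0, 1.38"; the first field is the TCG spec level.
    $specLevel = ($tpm.SpecVersion -split ',')[0].Trim()
    if ($specLevel -ne '2.0') {
        $issues += "TPM spec version $specLevel detected; TPM 1.2 is not supported for Azure AD join"
    }
}

# 3. A device already joined to an on-premises domain is a Hybrid Azure AD join
#    candidate rather than a plain Azure AD join.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    $issues += "Device is already joined to domain $($cs.Domain); consider Hybrid Azure AD join instead"
}

if ($issues.Count -eq 0) {
    Write-Output 'Device meets the Azure AD join prerequisites checked here.'
}
else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```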

Recommendation: Always use the latest Windows 10 release to take advantage of updated features.

Management platform

Device management for Azure AD joined devices is based on an MDM platform such as Intune, and on MDM CSPs. Windows 10 has a built-in MDM agent that works with all compatible MDM solutions.

Note

Group policies are not supported on Azure AD joined devices, as they are not connected to on-premises Active Directory. Management of Azure AD joined devices is only possible through MDM.

There are two approaches for managing Azure AD joined devices:

  • MDM-only - A device is exclusively managed by an MDM provider like Intune. All policies are delivered as part of the MDM enrollment process. For Azure AD Premium or EMS customers, MDM enrollment is an automated step that is part of an Azure AD join.
  • Co-management - A device is managed by an MDM provider and SCCM. In this approach, the SCCM agent is installed on an MDM-managed device to administer certain aspects.

If you are using Group Policies, evaluate your GPO and MDM policy parity by using Group Policy analytics in Microsoft Endpoint Manager.

Review supported and unsupported policies to determine whether you can use an MDM solution instead of Group Policy. For unsupported policies, consider the following:

  • Are the unsupported policies necessary for Azure AD joined devices or users?
  • Are the unsupported policies applicable in a cloud-driven deployment?

If your MDM solution is not available through the Azure AD app gallery, you can add it by following the process outlined in Azure Active Directory integration with MDM.

Through co-management, you can use SCCM to manage certain aspects of your devices while policies are delivered through your MDM platform. Microsoft Intune enables co-management with SCCM. For more information on co-management for Windows 10 devices, see What is co-management?. If you use an MDM product other than Intune, check with your MDM provider on applicable co-management scenarios.

Recommendation: Consider MDM-only management for Azure AD joined devices.

Understand considerations for applications and resources

We recommend migrating applications from on-premises to the cloud for a better user experience and access control. However, Azure AD joined devices can seamlessly provide access to both on-premises and cloud applications. For more information, see How SSO to on-premises resources works on Azure AD joined devices.

The following sections list considerations for different types of applications and resources.

Cloud-based applications

If an application is added to the Azure AD app gallery, users get SSO through Azure AD joined devices. No additional configuration is required. Users get SSO on both the Microsoft Edge and Chrome browsers. For Chrome, you need to deploy the Windows 10 Accounts extension.

All Win32 applications that:

  • Rely on Web Account Manager (WAM) for token requests also get SSO on Azure AD joined devices.
  • Don't rely on WAM may prompt users for authentication.

On-premises web applications

If your apps are custom built and/or hosted on-premises, you need to add them to your browser's trusted sites to:

  • Enable Windows integrated authentication to work
  • Provide a no-prompt SSO experience to users.

If you use AD FS, see Verify and manage single sign-on with AD FS.

Recommendation: Consider hosting in the cloud (for example, Azure) and integrating with Azure AD for a better experience.

On-premises network shares

Your users have SSO from Azure AD joined devices when a device has access to an on-premises domain controller.

Printers

For printers, you need to deploy hybrid cloud print for discovering printers on Azure AD joined devices.

While printers can't be automatically discovered in a cloud-only environment, your users can also use the printers' UNC path to add them directly.

On-premises applications relying on machine authentication

Azure AD joined devices don't support on-premises applications relying on machine authentication.

Recommendation: Consider retiring these applications and moving to their modern alternatives.

Remote Desktop Services

A remote desktop connection to an Azure AD joined device requires the host machine to be either Azure AD joined or Hybrid Azure AD joined. Remote desktop from an unjoined or non-Windows device is not supported. For more information, see Connect to remote Azure Active Directory-joined PC.

Starting with the Windows 10 2004 update, users can also use remote desktop from an Azure AD registered Windows 10 device to an Azure AD joined device.

Understand your provisioning options

Note: Azure AD joined devices cannot be deployed using the System Preparation Tool (Sysprep) or similar imaging tools.

You can provision Azure AD join using the following approaches:

  • Self-service in OOBE/Settings - In the self-service mode, users go through the Azure AD join process either during the Windows Out of Box Experience (OOBE) or from Windows Settings. For more information, see Join your work device to your organization's network.
  • Windows Autopilot - Windows Autopilot enables pre-configuration of devices for a smoother experience in OOBE to perform an Azure AD join. For more information, see the Overview of Windows Autopilot.
  • Bulk enrollment - Bulk enrollment enables an administrator-driven Azure AD join by using a bulk provisioning tool to configure devices. For more information, see Bulk enrollment for Windows devices.

Here's a comparison of these three approaches:

  Element                            | Self-service setup | Windows Autopilot | Bulk enrollment
  -----------------------------------|--------------------|-------------------|----------------
  Require user interaction to set up | Yes                | Yes               | No
  Require IT effort                  | No                 | Yes               | Yes
  Applicable flows                   | OOBE & Settings    | OOBE only         | OOBE only
  Local admin rights to primary user | Yes, by default    | Configurable      | No
  Require device OEM support         | No                 | Yes               | No
  Supported versions                 | 1511+              | 1709+             | 1703+

Choose your deployment approach or approaches by reviewing the table above and the following considerations for adopting either approach:

  • Are your users tech savvy enough to go through the setup themselves?
    • Self-service can work best for these users. Consider Windows Autopilot to enhance the user experience.
  • Are your users remote or within corporate premises?
    • Self-service or Autopilot work best for remote users for a hassle-free setup.
  • Do you prefer a user-driven or an admin-managed configuration?
    • Bulk enrollment works better for admin-driven deployment to set up devices before handing them over to users.
  • Do you purchase devices from 1-2 OEMs, or do you have a wide distribution of OEM devices?
    • If purchasing from limited OEMs who also support Autopilot, you can benefit from tighter integration with Autopilot.

Configure your device settings

The Azure portal allows you to control the deployment of Azure AD joined devices in your organization. To configure the related settings, on the Azure Active Directory page, select Devices > Device settings.

Users may join devices to Azure AD

Set this option to All or Selected based on the scope of your deployment and who you want to allow to set up an Azure AD joined device.

Require multi-factor Auth to join devices

Select "Yes" if you require users to perform MFA while joining devices to Azure AD. For the users joining devices to Azure AD using MFA, the device itself becomes a second factor.

Configure your mobility settings

Before you can configure your mobility settings, you may first have to add an MDM provider.

To add an MDM provider:

  1. On the Azure Active Directory page, in the Manage section, click Mobility (MDM and MAM).

  2. Click Add application.

  3. Select your MDM provider from the list.

    Screenshot: the Azure Active Directory "Add application" page, listing several MDM providers.

Select your MDM provider to configure the related settings.

MDM user scope

Select Some or All based on the scope of your deployment.

Based on your scope, one of the following happens:

  • User is in MDM scope: If you have an Azure AD Premium subscription, MDM enrollment is automated along with Azure AD join. All scoped users must have an appropriate license for your MDM. If MDM enrollment fails in this scenario, Azure AD join will also be rolled back.
  • User is not in MDM scope: If users are not in MDM scope, Azure AD join completes without any MDM enrollment. This results in an unmanaged device.

MDM URLs

There are three URLs that are related to your MDM configuration:

  • MDM terms of use URL
  • MDM discovery URL
  • MDM compliance URL

Screenshot: part of the Azure Active Directory MDM configuration section, with URL fields for the MDM terms of use, discovery, and compliance URLs.

Each URL has a predefined default value. If these fields are empty, contact your MDM provider for more information.
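The following script is an added example, not code from the article, for checking on a device which of the outcomes described under "MDM user scope" occurred, and which of the three MDM URLs the device recorded at join time. It parses the output of dsregcmd /status, the built-in Windows tool; the field names used (AzureAdJoined, DomainJoined, MdmUrl, MdmTouUrl, MdmComplianceUrl) are the ones dsregcmd prints, and the device is assumed to be a Windows 10 client.

```powershell
# Added example (not from the Microsoft page): read the device's join state from
# dsregcmd /status and map it onto the outcomes the article describes.
function Get-DsregState {
    param([string[]]$Output = (& dsregcmd.exe /status))
    $state = @{}
    foreach ($line in $Output) {
        # Value lines look like "  AzureAdJoined : YES". Keys contain no colon, so
        # the first colon splits key from value (URL values keep their own colons).
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*)$') {
            $state[$matches[1]] = $matches[2].Trim()
        }
    }
    return $state
}

function Get-JoinOutcome {
    param([hashtable]$State)
    $aadJoined    = $State['AzureAdJoined'] -eq 'YES'
    $domainJoined = $State['DomainJoined'] -eq 'YES'
    $hasMdmUrl    = -not [string]::IsNullOrWhiteSpace($State['MdmUrl'])

    if (-not $aadJoined)  { return 'Not Azure AD joined' }
    if ($domainJoined)    { return 'Hybrid Azure AD joined (on-premises domain plus Azure AD)' }
    if ($hasMdmUrl)       { return "Azure AD joined with MDM configured at $($State['MdmUrl'])" }
    # No MDM URL recorded: the join completed without MDM, i.e. the user was outside
    # the MDM user scope (an in-scope enrollment failure rolls the join back instead).
    return 'Azure AD joined but unmanaged: no MDM enrollment accompanied the join'
}

$state = Get-DsregState
Write-Output (Get-JoinOutcome -State $state)

# The three URLs configured under Mobility (MDM and MAM) appear in the same output.
foreach ($key in 'MdmUrl', 'MdmTouUrl', 'MdmComplianceUrl') {
    Write-Output ('{0,-18}: {1}' -f $key, $state[$key])
}
```

A recorded MDM URL shows which MDM the join was pointed at; confirm the enrollment itself in that MDM's console, since Conditional Access relies on the device being reported as compliant there.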

MAM settings

MAM does not apply to Azure AD join.

Configure Conditional Access

If you have an MDM provider configured for your Azure AD joined devices, the provider flags the device as compliant as soon as the device is under management.

You can use this implementation to require managed devices for cloud app access with Conditional Access.

Next steps