Hybrid Azure AD joined devices

For more than a decade, many organizations have used the domain join to their on-premises Active Directory to enable:

  • IT departments to manage work-owned devices from a central location.
  • Users to sign in to their devices with their Active Directory work or school accounts.

Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use Configuration Manager or group policy (GP) to manage them.

If your environment has an on-premises AD footprint and you also want to benefit from the capabilities provided by Azure Active Directory, you can implement hybrid Azure AD joined devices. These are devices that are joined to your on-premises Active Directory and registered with your Azure Active Directory.

Hybrid Azure AD Join: Description

Definition: Joined to on-premises AD and Azure AD, requiring an organizational account to sign in to the device
Primary audience: Suitable for hybrid organizations with existing on-premises AD infrastructure; applicable to all users in an organization
Device ownership: Organization
Operating systems: Windows 10, 8.1 and 7; Windows Server 2008/R2, 2012/R2, 2016 and 2019
Provisioning:
  • Windows 10, Windows Server 2016/2019: domain join by IT and autojoin via Azure AD Connect or ADFS config, or domain join by Windows Autopilot and autojoin via Azure AD Connect or ADFS config
  • Windows 8.1, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2: require MSI
Device sign-in options: Organizational accounts using a password, or Windows Hello for Business on Windows 10
Device management: Group Policy; Configuration Manager standalone or co-management with Microsoft Intune
Key capabilities:
  • SSO to both cloud and on-premises resources
  • Conditional Access through domain join, or through Intune if co-managed
  • Self-service password reset and Windows Hello PIN reset on the lock screen
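The definition above (joined to on-premises AD and registered with Azure AD) is a device state an administrator can verify on the endpoint. The following PowerShell is an added example, not code from the Microsoft docs page: it parses the output of the built-in `dsregcmd /status` tool (Windows 10 / Windows Server 2016 and later) and classifies the device's join state; the function name and the sample output are constructed for this example.

```powershell
# Added example (not from the original page): classify a device's join state
# from the "key : value" lines that dsregcmd /status prints.
function Get-DeviceJoinState {
    param(
        # Defaults to the live tool; pass captured lines to evaluate them offline.
        [string[]]$StatusLines = (dsregcmd /status)
    )
    $fields = @{}
    foreach ($line in $StatusLines) {
        # Only "Name : Value" lines carry state; the box-drawing lines are skipped.
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }
    $aadJoined    = $fields['AzureAdJoined']   -eq 'YES'
    $domainJoined = $fields['DomainJoined']    -eq 'YES'
    $workplace    = $fields['WorkplaceJoined'] -eq 'YES'

    # Hybrid join is exactly the combination the page defines:
    # on-premises domain joined AND registered/joined in Azure AD.
    $state = if ($aadJoined -and $domainJoined) { 'HybridAzureADJoined' }
             elseif ($aadJoined)                { 'AzureADJoined' }
             elseif ($domainJoined)             { 'DomainJoinedOnly' }
             elseif ($workplace)                { 'AzureADRegistered' }
             else                               { 'NotJoined' }

    [pscustomobject]@{
        State      = $state
        DomainName = $fields['DomainName']
        TenantName = $fields['TenantName']
    }
}

# Constructed sample output (not a real capture) for an offline run of the parser.
$sample = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '                DomainName : CONTOSO',
    '           WorkplaceJoined : NO'
)
Get-DeviceJoinState -StatusLines $sample
```

A domain-joined device that reports `AzureAdJoined : NO` has not completed registration with Azure AD and is classified as `DomainJoinedOnly`, which is the case to investigate when hybrid join is expected.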


Scenarios

Use hybrid Azure AD joined devices if:

  • You have Win32 apps deployed to these devices that rely on Active Directory machine authentication.
  • You want to continue to use Group Policy to manage device configuration.
  • You want to continue to use existing imaging solutions to deploy and configure devices.
  • You must support down-level Windows 7 and 8.1 devices in addition to Windows 10.

Next steps