Manage device identities using the Azure portal

Azure AD provides you with a central place to manage device identities.

The All devices page enables you to:

  • Identify devices, including:
  • Perform device identity management tasks like enable, disable, delete, or manage.
    • Printers and Windows Autopilot devices have limited management options in Azure AD. They must be managed from their respective admin interfaces.
  • Configure your device identity settings.
  • Review device-related audit logs.

Screenshot: All devices view in the Azure portal

You can access the devices portal using the following steps:

  1. Sign in to the Azure portal.
  2. Browse to Azure Active Directory > Devices.

Manage devices

There are two locations to manage devices in Azure AD:

  • Azure portal > Azure Active Directory > Devices
  • Azure portal > Azure Active Directory > Users > Select a user > Devices

Both options allow administrators to:

  • Search for devices.
  • See device details, including:
    • Device name
    • Device ID
    • OS and version
    • Join type
    • Owner
    • Mobile device management and compliance
    • BitLocker recovery key
  • Perform device identity management tasks like enable, disable, delete, or manage.
    • Printers and Windows Autopilot devices have limited management options in Azure AD. They must be managed from their respective admin interfaces.

Tip

  • Hybrid Azure AD joined Windows 10 devices do not have an owner. If you are looking for a device by owner and cannot find it, search by the device ID instead.

  • If you see a device that is "Hybrid Azure AD joined" with a state of "Pending" under the REGISTERED column, the device has been synchronized from Azure AD Connect and is waiting to complete registration from the client. Read more on how to plan your Hybrid Azure AD join implementation. Additional information can be found in the article Devices frequently asked questions.

  • For some iOS devices, device names containing apostrophes can use different characters that look like apostrophes. Searching for such devices is therefore a little tricky: if you are not seeing the search results you expect, ensure that the search string contains the matching apostrophe character.

Manage an Intune device

If you are an Intune administrator, you can manage devices where MDM is marked Microsoft Intune. If the device is not enrolled with Microsoft Intune, the "Manage" option is greyed out.

Enable or disable an Azure AD device

To enable or disable devices, you have two options:

  • The toolbar on the All devices page after selecting one or more devices.
  • The toolbar after drilling down into a specific device.

Important

  • You must be a global administrator or cloud device administrator in Azure AD to enable or disable a device.
  • Disabling a device prevents it from successfully authenticating with Azure AD, thereby preventing the device from accessing your Azure AD resources that are protected by device-based Conditional Access or by Windows Hello for Business credentials.
  • Disabling a device revokes both the Primary Refresh Token (PRT) and any Refresh Tokens (RT) on the device.
  • Printers cannot be enabled or disabled in Azure AD.

Delete an Azure AD device

To delete a device, you have two options:

  • The toolbar on the All devices page after selecting one or more devices.
  • The toolbar after drilling down into a specific device.

Important

  • You must be assigned the cloud device administrator, Intune administrator, or global administrator role in Azure AD to delete a device.
  • Printers and Windows Autopilot devices cannot be deleted in Azure AD.
  • Deleting a device:
    • Prevents the device from accessing your Azure AD resources.
    • Removes all details that are attached to the device, for example BitLocker keys for Windows devices.
    • Is a non-recoverable action and is not recommended unless it is required.

If a device is managed by another management authority (for example, Microsoft Intune), make sure that the device has been wiped or retired before deleting it in Azure AD. Review how to manage stale devices before deleting any devices.
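The two sections above leave the order of operations to the administrator: disable first (reversible, revokes the PRT and refresh tokens), delete only when required (irreversible, drops the BitLocker keys). The following script is an added example, not code from the Microsoft article or the portal; it assumes the Microsoft Graph PowerShell SDK (Connect-MgGraph, Get-MgDevice, Update-MgDevice) and a caller holding the cloud device administrator or global administrator role. It reports Azure AD joined or registered devices that have not signed in for a configurable number of days and disables them only when explicitly asked to; it never deletes. Hybrid Azure AD joined objects are skipped because their lifecycle belongs to Azure AD Connect and the on-premises directory.

```powershell
# Added example (not from the Microsoft article): find stale Azure AD joined or
# registered devices and, only with -Disable, disable them. Disabling revokes
# the device's PRT and refresh tokens and can be undone; deleting also removes
# BitLocker keys and cannot.
# Assumes the Microsoft Graph PowerShell SDK and a role that can write devices
# (cloud device administrator or global administrator).
param(
    [int]$StaleDays = 90,     # assumed threshold; the article's stale-device guidance sets policy, not this script
    [switch]$Disable
)

Connect-MgGraph -Scopes 'Device.ReadWrite.All' | Out-Null
$cutoff = (Get-Date).AddDays(-$StaleDays)

# trustType values: AzureAd (joined), ServerAd (hybrid joined), Workplace (registered).
# Hybrid joined objects are synced from on-premises AD, so they are left alone here.
$stale = Get-MgDevice -All -Property 'id','displayName','deviceId','trustType','operatingSystem','accountEnabled','approximateLastSignInDateTime' |
    Where-Object {
        $_.TrustType -ne 'ServerAd' -and
        $_.AccountEnabled -and
        $_.ApproximateLastSignInDateTime -and
        $_.ApproximateLastSignInDateTime -lt $cutoff
    }

# Report first; review owners and Intune state before acting on the list.
$stale | Select-Object DisplayName, DeviceId, TrustType, OperatingSystem, ApproximateLastSignInDateTime |
    Sort-Object ApproximateLastSignInDateTime | Format-Table -AutoSize

if (-not $Disable) {
    "{0} stale device(s) found; re-run with -Disable to disable them." -f @($stale).Count
    return
}

foreach ($d in $stale) {
    # Update-MgDevice's -DeviceId parameter takes the directory object id (Id),
    # not the DeviceId value shown on the device details page.
    Update-MgDevice -DeviceId $d.Id -AccountEnabled:$false
    "Disabled {0} ({1}); last sign-in {2}" -f $d.DisplayName, $d.DeviceId, $d.ApproximateLastSignInDateTime
}
```

Run it once without -Disable to get the report, then again with -Disable after the list has been reviewed. Because the devices are only disabled, a machine that turns out to be in use can be re-enabled from the All devices toolbar without losing its BitLocker recovery key.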

View or copy device ID

You can use a device ID to verify the device ID details on the device itself, or from PowerShell during troubleshooting. To access the copy option, click the device.
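The paragraph above mentions checking the device ID on the device and with PowerShell but shows neither. The script below is an added example, not code from the Microsoft article; it assumes a Windows 10 or later client (dsregcmd is the built-in registration status tool), the Microsoft Graph PowerShell SDK, and a caller with a role that can read devices (for example cloud device administrator or global reader). It reads the DeviceId the client reports, looks that value up in Azure AD, and shows why the directory object id and the DeviceId must not be confused.

```powershell
# Added example (not from the Microsoft article): compare the DeviceId reported
# by the local Windows client with the device object in Azure AD.
# Assumes Windows 10+, the Microsoft Graph PowerShell SDK, and read access to devices.

function Get-DsregValue {
    # Pull one "Name : Value" field out of the dsregcmd /status output.
    param([string[]]$StatusText, [string]$Name)
    foreach ($line in $StatusText) {
        if ($line -match "^\s*$Name\s*:\s*(.+?)\s*$") { return $Matches[1] }
    }
    return $null
}

# 1. On the device: dsregcmd /status prints the join/registration state.
$status        = dsregcmd /status
$localDeviceId = Get-DsregValue -StatusText $status -Name 'DeviceId'
$joined        = Get-DsregValue -StatusText $status -Name 'AzureAdJoined'
if (-not $localDeviceId) { throw "dsregcmd reported no DeviceId; the device is not joined or registered." }
"Local DeviceId: $localDeviceId (AzureAdJoined: $joined)"

# 2. In the directory: look the device up by deviceId rather than display name.
#    Hybrid Azure AD joined devices have no owner, and display names can collide.
Connect-MgGraph -Scopes 'Device.Read.All' | Out-Null
$device = Get-MgDevice -Filter "deviceId eq '$localDeviceId'"
if (-not $device) {
    Write-Warning "No object with deviceId $localDeviceId in Azure AD; registration may still be pending."
    return
}

# The directory object id (Id) is not the DeviceId the client shows; the
# -DeviceId parameter of Update-MgDevice / Remove-MgDevice takes the object id.
[pscustomobject]@{
    DisplayName     = $device.DisplayName
    ObjectId        = $device.Id
    DeviceId        = $device.DeviceId
    TrustType       = $device.TrustType     # AzureAd = joined, ServerAd = hybrid joined, Workplace = registered
    OperatingSystem = "$($device.OperatingSystem) $($device.OperatingSystemVersion)"
    AccountEnabled  = $device.AccountEnabled
    LastSignIn      = $device.ApproximateLastSignInDateTime
}
```

A "Pending" registration as described in the Tip section shows up here as a dsregcmd DeviceId with no matching directory object yet, which is the warning branch above.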

Screenshot: View device ID

View or copy BitLocker keys

You can view and copy the BitLocker keys to allow users to recover encrypted drives. These keys are only available for Windows devices that are encrypted and have their keys stored in Azure AD. You can find these keys when accessing the details of a device by selecting Show Recovery Key. Selecting Show Recovery Key generates an audit log entry, which you can find in the KeyManagement category.

Screenshot: View BitLocker keys

To view or copy the BitLocker keys, you need to be either the owner of the device or a user that has at least one of the following roles assigned:

  • Cloud Device Administrator
  • Global Administrator
  • Helpdesk Administrator
  • Intune Service Administrator
  • Security Administrator
  • Security Reader

Device list filtering (preview)

Previously, you could only filter the devices list by activity and enabled state. This preview now allows you to filter the devices list by the following attributes on a device:

  • Enabled state
  • Compliant state
  • Join type (Azure AD joined, Hybrid Azure AD joined, Azure AD registered)
  • Activity timestamp
  • OS
  • Device type (Printers, Secure VMs, Shared devices, Registered devices)

To enable the preview filtering functionality in the All devices view:

Screenshot: Enable the filtering preview

  1. Sign in to the Azure portal.
  2. Browse to Azure Active Directory > Devices.
  3. Select the banner that says "Try out the new devices filtering improvements. Click to enable the preview."

You will now have the ability to Add filters to your All devices view.

Configure device settings

To manage device identities using the Azure AD portal, those devices need to be either registered or joined to Azure AD. As an administrator, you can control the process of registering and joining devices by configuring the following device settings.

You must be assigned one of the following roles to view or manage device settings in the Azure portal:

  • Global administrator
  • Cloud device administrator
  • Global reader
  • Directory reader

Screenshot: Device settings related to Azure AD

  • Users may join devices to Azure AD - This setting enables you to select the users who can register their devices as Azure AD joined devices. The default is All.

Note

The Users may join devices to Azure AD setting is only applicable to Azure AD join on Windows 10. This setting does not apply to hybrid Azure AD joined devices, Azure AD joined VMs in Azure, or Azure AD joined devices using Windows Autopilot self-deployment mode, as these methods work in a userless context.

  • Additional local administrators on Azure AD joined devices - You can select the users that are granted local administrator rights on a device. These users are added to the Device Administrators role in Azure AD. Global administrators in Azure AD and device owners are granted local administrator rights by default. This option is a premium edition capability available through products such as Azure AD Premium or the Enterprise Mobility Suite (EMS).
  • Users may register their devices with Azure AD - You need to configure this setting to allow Windows 10 personal, iOS, Android, and macOS devices to be registered with Azure AD. If you select None, devices are not allowed to register with Azure AD. Enrollment with Microsoft Intune or Mobile Device Management (MDM) for Microsoft 365 requires registration. If you have configured either of these services, ALL is selected and NONE is not available.
  • Devices to be Azure AD joined or Azure AD registered require Multi-Factor Authentication - You can choose whether users are required to provide an additional authentication factor to join or register their device to Azure AD. The default is No. We recommend requiring multi-factor authentication when registering or joining a device. Before you enable multi-factor authentication for this service, you must ensure that multi-factor authentication is configured for the users that register their devices. For more information on the different Azure AD Multi-Factor Authentication services, see getting started with Azure AD Multi-Factor Authentication.

Note

The Devices to be Azure AD joined or Azure AD registered require Multi-Factor Authentication setting applies to devices that are either Azure AD joined (with some exceptions) or Azure AD registered. This setting does not apply to hybrid Azure AD joined devices, Azure AD joined VMs in Azure, or Azure AD joined devices using Windows Autopilot self-deployment mode.

Important

  • We recommend using the "Register or join devices" user action in Conditional Access to enforce multi-factor authentication for joining or registering a device.
  • You must set this setting to No if you are using a Conditional Access policy to require multi-factor authentication.

  • Maximum number of devices - This setting enables you to select the maximum number of Azure AD joined or Azure AD registered devices that a user can have in Azure AD. If a user reaches this quota, they are not able to add additional devices until one or more of the existing devices are removed. The default value is 50.

Note

The Maximum number of devices setting applies to devices that are either Azure AD joined or Azure AD registered. This setting does not apply to hybrid Azure AD joined devices.

Audit logs

Device activities are available through the activity logs. These logs include activities triggered by the device registration service and by users:

  • Device creation and adding owners / users on the device
  • Changes to device settings
  • Device operations such as deleting or updating a device

Your entry point to the auditing data is Audit logs in the Activity section of the Devices page.

The audit log has a default list view that shows:

  • The date and time of the occurrence
  • The targets
  • The initiator / actor (who) of an activity
  • The activity (what)

Screenshot of the table in the Activity section of the Devices page, listing the date, target, actor, and activity of four audit log entries.

You can customize the list view by clicking Columns in the toolbar.

Screenshot of the toolbar of the Devices page, with the Columns item highlighted.

To narrow down the reported data to a level that works for you, you can filter the audit data using the following fields:

  • Category
  • Activity resource type
  • Activity
  • Date range
  • Target
  • Initiated By (Actor)

In addition to the filters, you can search for specific entries.
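The portal view above is convenient for a handful of entries but awkward for routine review. The script below is an added example, not code from the Microsoft article; it assumes the Microsoft Graph PowerShell SDK (Connect-MgGraph, Get-MgAuditLogDirectoryAudit) and a role covered by the AuditLog.Read.All permission, such as Security Reader. It applies the same Category and Date range filters the portal offers, defaulting to the KeyManagement category the BitLocker section says Show Recovery Key writes to, and then groups the entries by actor so that one account reading recovery keys for many different devices stands out.

```powershell
# Added example (not from the Microsoft article): query device-related audit
# entries by Category and date range, then summarise who read BitLocker
# recovery keys. The article states those reads land in the KeyManagement category.
# Assumes the Microsoft Graph PowerShell SDK and AuditLog.Read.All (e.g. Security Reader).
param(
    [string]$Category = 'KeyManagement',   # portal filter "Category"; 'Device' covers create/update/delete operations
    [int]$Days = 7                         # portal filter "Date range"
)

Connect-MgGraph -Scopes 'AuditLog.Read.All' | Out-Null
$since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-dd\THH:mm:ss\Z')

$entries = Get-MgAuditLogDirectoryAudit -All -Filter "category eq '$Category' and activityDateTime ge $since"

function Get-Actor {
    # An audit entry is initiated either by a user or by an app/service principal.
    param($Entry)
    if ($Entry.InitiatedBy.User.UserPrincipalName) { return $Entry.InitiatedBy.User.UserPrincipalName }
    if ($Entry.InitiatedBy.App.DisplayName)        { return 'app:' + $Entry.InitiatedBy.App.DisplayName }
    return '(unknown)'
}

# Flatten to the same columns the portal's default list view shows: when, what, who, target.
$rows = foreach ($e in $entries) {
    [pscustomobject]@{
        When     = $e.ActivityDateTime
        Activity = $e.ActivityDisplayName
        Actor    = Get-Actor $e
        Target   = (@($e.TargetResources | ForEach-Object DisplayName) -join ', ')
        Result   = $e.Result
    }
}
$rows | Sort-Object When -Descending | Format-Table -AutoSize

# Triage aid: helpdesk recovery normally touches one device per ticket, so an
# actor with many distinct targets in the window is worth a closer look.
$rows | Group-Object Actor | ForEach-Object {
    [pscustomobject]@{
        Actor           = $_.Name
        Entries         = $_.Count
        DistinctTargets = @($_.Group.Target | Sort-Object -Unique).Count
    }
} | Sort-Object DistinctTargets -Descending | Format-Table -AutoSize
```

Pass -Category 'Device' to get the creation, owner and delete operations listed at the top of this section instead of key reads; the flattening and grouping work the same way for either category.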

Screenshot of the audit data filter controls, with the Category, Activity resource type, Activity, Date range, Target, and Actor fields and the search field.

Next steps

How to manage stale devices in Azure AD