Plan your Azure Active Directory device deployment

This article helps you evaluate the methods to integrate your devices with Azure AD and choose the implementation plan, and provides key links to supported device management tools.

The landscape of devices from which your users sign in is expanding. Organizations may provide desktops, laptops, phones, tablets, and other devices. Your users may bring their own array of devices, and access information from varied locations. In this environment, your job as an administrator is to keep your organizational resources secure across all devices.

Azure Active Directory (Azure AD) enables your organization to meet these goals with device identity management. You can now get your devices in Azure AD and control them from a central location in the Azure portal. This gives you a unified experience and enhanced security, and reduces the time needed to configure a new device.

There are multiple methods to integrate your devices into Azure AD:


Before you begin, make sure that you're familiar with the device identity management overview.


The key benefits of giving your devices an Azure AD identity:

  • Increase productivity - With Azure AD, your users can do seamless sign-on (SSO) to your on-premises and cloud resources, which enables them to be productive wherever they are.

  • Increase security - Azure AD devices enable you to apply Conditional Access policies to resources based on the identity of the device or user. Joining a device to Azure AD is a prerequisite for increasing your security with a Passwordless Authentication strategy.

  • Improve user experience - With device identities in Azure AD, you can provide your users with easy access to your organization’s cloud-based resources from both personal and corporate devices.

  • Simplify deployment and management - Device identity management simplifies the process of bringing devices to Azure AD with Windows Autopilot, bulk provisioning, and self-service: Out of Box Experience (OOBE). You can manage these devices with Mobile Device Management (MDM) tools like Microsoft Intune, and their identities in the Azure portal.

Plan the deployment project

Consider your organizational needs while you determine the strategy for this deployment in your environment.

Engage the right stakeholders

When technology projects fail, they typically do so due to mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, ensure that you are engaging the right stakeholders and that stakeholder roles in the project are well understood.

For this plan, add the following stakeholders to your list:

Role | Description
Device administrator | A representative from the device team that can verify that the plan will meet the device requirements of your organization.
Network administrator | A representative from the network team that can make sure to meet network requirements.
Device management team | Team that manages inventory of devices.
OS-specific admin teams | Teams that support and manage specific OS versions. For example, there may be a Mac or iOS focused team.

Plan communications

Communication is critical to the success of any new service. Proactively communicate with your users how their experience will change, when it will change, and how to gain support if they experience issues.

Plan a pilot

We recommend that the initial configuration of your integration method is in a test environment, or with a small group of test devices.

Hybrid Azure AD join deployment is straightforward, and it's 100% an administrator’s task, with no end-user action necessary. You may want to do a controlled validation of hybrid Azure AD join before enabling it across the entire organization all at once.

Choose your integration methods

Your organization can use multiple device integration methods in a single Azure AD tenant. The goal is to choose the method(s) suitable to get your devices securely managed in Azure AD. There are many parameters that drive this decision including ownership, device types, primary audience, and your organization’s infrastructure.

The following information can help you decide which integration methods to use.

Decision tree for devices integration

Use this tree to determine options for organization-owned devices.


Personal or bring-your-own device (BYOD) scenarios are not pictured in this diagram. They always result in Azure AD registration.


Comparison matrix

iOS and Android devices may only be Azure AD registered. The following table presents high-level considerations for Windows client devices. Use it as an overview, then explore the different integration methods in detail.

Consideration | Azure AD registered | Azure AD join | Hybrid Azure AD join
Client operating systems
Windows 10 devices Checkmark for these values. Checkmark for these values. Checkmark for these values.
Windows down-level devices (Windows 8.1 or Windows 7) Checkmark for these values.
Sign in options
End-user local credentials Checkmark for these values.
Password Checkmark for these values. Checkmark for these values. Checkmark for these values.
Device PIN Checkmark for these values.
Windows Hello Checkmark for these values.
Windows Hello for Business Checkmark for these values. Checkmark for these values.
FIDO 2.0 security keys Checkmark for these values. Checkmark for these values.
Microsoft Authenticator App (passwordless) Checkmark for these values. Checkmark for these values. Checkmark for these values.
Key capabilities
SSO to cloud resources Checkmark for these values. Checkmark for these values. Checkmark for these values.
SSO to on-premises resources Checkmark for these values. Checkmark for these values.
Conditional Access (Require devices be marked as compliant) (Must be managed by MDM) Checkmark for these values. Checkmark for these values. Checkmark for these values.
Conditional Access (Require hybrid Azure AD joined devices)
Self-service password reset from Windows login screen Checkmark for these values. Checkmark for these values.
Windows Hello PIN reset Checkmark for these values. Checkmark for these values.

Azure AD Registration

Registered devices are often managed with Microsoft Intune. Devices are enrolled in Intune in a number of ways, depending on the operating system.

Azure AD registered devices provide support for Bring Your Own Devices (BYOD) and corporate-owned devices to SSO to cloud resources. Access to resources is based on the Azure AD Conditional Access policies applied to the device and the user.

Registering devices

Registered devices are often managed with Microsoft Intune. Devices are enrolled in Intune in a number of ways, depending on the operating system.

BYOD and corporate-owned mobile devices are registered by users installing the Company portal app.

If registering your devices is the best option for your organization, see the following resources:

Azure AD join

Azure AD join enables you to transition towards a cloud-first model with Windows. It provides a great foundation if you're planning to modernize your device management and reduce device-related IT costs. Azure AD join works with Windows 10 devices only. Consider it as the first choice for new devices.

However, Azure AD joined devices can SSO to on-premises resources when they are on the organization's network, and can authenticate to on-premises servers like file, print, and other applications.

If this is the best option for your organization, see the following resources:

Provisioning Azure AD Join to your devices

To provision Azure AD Join, you have the following approaches:

If you have either Windows 10 Professional or Windows 10 Enterprise installed on a device, the experience defaults to the setup process for company-owned devices.

Choose your deployment procedure after careful comparison of these approaches.

You may determine that Azure AD Join is the best solution for a device, and that device may already be in a different state. Here are the upgrade considerations.

Current device state | Desired device state | How-to
On-premises domain joined | Azure AD Join | Unjoin the device from on-premises domain before joining to Azure AD
Hybrid Azure AD Join | Azure AD Join | Unjoin the device from on-premises domain and from Azure AD before joining to Azure AD
Azure AD registered | Azure AD Join | Unregister the device before joining to Azure AD

Hybrid Azure AD join

If you have an on-premises Active Directory environment and you want to join your Active Directory domain-joined computers to Azure AD, you can accomplish this with hybrid Azure AD join. It supports a broad range of Windows devices, including both Windows current and Windows down-level devices.

Most organizations already have domain-joined devices and manage them via Group Policy or System Center Configuration Manager (SCCM). In that case, we recommend configuring hybrid Azure AD Join to start getting benefits while leveraging existing investment.

If hybrid Azure AD join is the best option for your organization, see the following resources:

Provisioning hybrid Azure AD join to your devices

Review your identity infrastructure. Azure AD Connect provides you with a wizard to configure hybrid Azure AD Join for:

If installing the required version of Azure AD Connect isn't an option for you, see how to manually configure Hybrid Azure AD join.


The on-premises domain-joined Windows 10 device attempts to auto-join to Azure AD to become Hybrid Azure AD joined by default. This will only succeed if you have set up the right environment.

You may determine that Hybrid Azure AD Join is the best solution for a device, and that device may already be in a different state. Here are the upgrade considerations.

Current device state | Desired device state | How-to
On-premises domain join | Hybrid Azure AD Join | Use Azure AD Connect or AD FS to join to Azure
On-premises workgroup joined or new | Hybrid Azure AD Join | Supported with Windows Autopilot. Otherwise, the device needs to be on-premises domain joined before Hybrid Azure AD Join
Azure AD joined | Hybrid Azure AD Join | Unjoin from Azure AD, which puts it in the on-premises workgroup or new state.
Azure AD registered | Hybrid Azure AD Join | Depends on Windows version. See these considerations.
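
The "current device state" column of the two upgrade tables (for Azure AD join and for hybrid Azure AD join) can be read on a Windows device from the built-in `dsregcmd /status` command. The PowerShell below is an added example, not part of the original article: it classifies that output and returns the matching how-to row. The function and variable names are hypothetical and the sample status text is constructed.

```powershell
# Added example, not from the original article. Function and variable names are
# hypothetical; flag names are those printed by `dsregcmd /status`.
$UpgradeHowTo = @{   # desired state -> current state -> how-to from the tables above
    'Azure AD joined' = @{
        'On-premises domain joined' = 'Unjoin the device from on-premises domain before joining to Azure AD'
        'Hybrid Azure AD joined'    = 'Unjoin the device from on-premises domain and from Azure AD before joining to Azure AD'
        'Azure AD registered'       = 'Unregister the device before joining to Azure AD'
    }
    'Hybrid Azure AD joined' = @{
        'On-premises domain joined'           = 'Use Azure AD Connect or AD FS to join to Azure'
        'On-premises workgroup joined or new' = 'Supported with Windows Autopilot. Otherwise device needs to be on-premises domain joined before Hybrid Azure AD Join'
        'Azure AD joined'                     = 'Unjoin from Azure AD, which puts it in the on-premises workgroup or new state'
        'Azure AD registered'                 = 'Depends on Windows version'
    }
}

function Get-DeviceJoinState {
    param([string[]]$StatusText)
    $flags = @{}
    foreach ($line in $StatusText) {   # keep single-token "Name : Value" lines
        if ($line -match '^\s*(\w+)\s*:\s*(\S+)\s*$') { $flags[$Matches[1]] = $Matches[2] }
    }
    $aad    = $flags['AzureAdJoined']   -eq 'YES'
    $domain = $flags['DomainJoined']    -eq 'YES'
    $wpj    = $flags['WorkplaceJoined'] -eq 'YES'
    $state  = if ($aad -and $domain) { 'Hybrid Azure AD joined' }
              elseif ($aad)          { 'Azure AD joined' }
              elseif ($domain)       { 'On-premises domain joined' }
              elseif ($wpj)          { 'Azure AD registered' }
              else                   { 'On-premises workgroup joined or new' }
    # A joined device can also carry a user registration; report it separately.
    [pscustomobject]@{ State = $state; AlsoRegistered = ($wpj -and $state -ne 'Azure AD registered') }
}

function Get-UpgradeHowTo {
    param([string]$Current, [ValidateSet('Azure AD joined', 'Hybrid Azure AD joined')][string]$Desired)
    if ($Current -eq $Desired) { return 'Already in the desired state' }
    $step = $UpgradeHowTo[$Desired][$Current]
    if ($step) { $step } else { 'No row in the upgrade tables for this transition' }
}

# Constructed sample; on a real device use: $text = dsregcmd /status
$text = @'
   AzureAdJoined : NO
   DomainJoined : YES
   WorkplaceJoined : YES
'@ -split '\r?\n'
$device = Get-DeviceJoinState -StatusText $text
Get-UpgradeHowTo -Current $device.State -Desired 'Hybrid Azure AD joined'
if ($device.AlsoRegistered) { 'Also Azure AD registered: see the Azure AD registered row' }
```

Running this during the pilot on a few test devices shows which table rows apply before hybrid Azure AD join is enabled more widely.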

Manage your devices

Once you have registered or joined your devices to Azure AD, use the Azure portal as a central place to manage your device identities. The Azure Active Directory devices page enables you to:

Make sure that you keep the environment clean by managing stale devices, and focus your resources on managing current devices.

Supported device management tools

Administrators can secure and further control these registered and joined devices using additional device management tools. These tools provide a means to enforce organization-required configurations like requiring storage to be encrypted, password complexity, software installations, and software updates.

Review supported and unsupported platforms for integrated devices:

Device management tools | Azure AD registered | Azure AD join | Hybrid Azure AD join
Mobile Device Management (MDM) Example: Microsoft Intune Checkmark for these values. Checkmark for these values. Checkmark for these values.
Co-management with Microsoft Intune and Microsoft Endpoint Configuration Manager (Windows 10 and later) Checkmark for these values. Checkmark for these values.
Group policy (Windows only)

We recommend that you consider Microsoft Intune Mobile Application management (MAM) with or without device management for registered iOS or Android devices.

Administrators can also deploy virtual desktop infrastructure (VDI) platforms hosting Windows operating systems in their organizations to streamline management and reduce costs through consolidation and centralization of resources.

Troubleshoot device identities

If you experience issues with completing hybrid Azure AD join for domain-joined Windows devices, see:

