Compare Active Directory to Azure Active Directory

Azure Active Directory is the next evolution of identity and access management solutions for the cloud. Microsoft introduced Active Directory Domain Services in Windows 2000 to give organizations the ability to manage multiple on-premises infrastructure components and systems using a single identity per user.

Azure AD takes this approach to the next level by providing organizations with an Identity as a Service (IDaaS) solution for all their apps across cloud and on-premises.

Most IT administrators are familiar with Active Directory Domain Services concepts. The following table outlines the differences and similarities between Active Directory concepts and Azure Active Directory.

| Concept | Active Directory (AD) | Azure Active Directory |
| --- | --- | --- |
| Provisioning: external identities | Organizations create external users manually as regular users in a dedicated external AD forest, resulting in administration overhead to manage the lifecycle of external identities (guest users). | Azure AD provides a special class of identity to support external identities. Azure AD B2B manages the link to the external user identity to make sure it remains valid. |
| Entitlement management and groups | Administrators make users members of groups. App and resource owners then give groups access to apps or resources. | Groups are also available in Azure AD, and administrators can likewise use groups to grant permissions to resources. In Azure AD, administrators can assign membership to groups manually or use a query to include users in a group dynamically. |
| Admin management | Organizations use a combination of domains, organizational units, and groups in AD to delegate administrative rights to manage the directory and the resources it controls. | Azure AD provides built-in roles with its Azure AD role-based access control (Azure AD RBAC) system, with limited support for creating custom roles to delegate privileged access to the identity system and the apps and resources it controls. Managing roles can be enhanced with Privileged Identity Management (PIM) to provide just-in-time, time-restricted, or workflow-based access to privileged roles. |
| Credential management | Credentials in Active Directory are based on passwords, certificate authentication, and smartcard authentication. Passwords are managed using password policies that are based on password length, expiry, and complexity. | Azure AD uses intelligent password protection for cloud and on-premises. Protection includes smart lockout plus blocking of common and custom password phrases and substitutions. Azure AD significantly boosts security through multi-factor authentication technologies. Azure AD reduces support costs by providing users with a self-service password reset system. |
| Infrastructure apps | Active Directory forms the basis for many on-premises infrastructure components, for example DNS, DHCP, IPSec, WiFi, NPS, and VPN access. | In the cloud, Azure AD is the new control plane for accessing apps, rather than relying on networking controls. When users authenticate, Conditional Access (CA) controls which users have access to which apps under the required conditions. |
| Line of business (LOB) apps with modern authentication | Organizations can use AD FS with Active Directory to support LOB apps requiring modern authentication. | LOB apps requiring modern authentication can be configured to use Azure AD for authentication. |
| Mid-tier/Daemon services | Services running in on-premises environments normally run under AD service accounts or group Managed Service Accounts (gMSA). These apps then inherit the permissions of the service account. | Azure AD provides managed identities to run other workloads in the cloud. The lifecycle of these identities is managed by Azure AD and is tied to the resource provider, so they can't be used for other purposes to gain backdoor access. |
| Mobile | Active Directory doesn't natively support mobile devices without third-party solutions. | Microsoft's mobile device management solution, Microsoft Intune, is integrated with Azure AD. Microsoft Intune provides device state information to the identity system to evaluate during authentication. |
| Windows servers | Active Directory provides strong management capabilities for on-premises Windows servers using Group Policy or other management solutions. | Windows Server virtual machines in Azure can be managed with Azure AD Domain Services. Managed identities can be used when VMs need access to the identity system directory or resources. |
| Linux/Unix workloads | Active Directory doesn't natively support non-Windows systems without third-party solutions, although Linux machines can be configured to authenticate with Active Directory as a Kerberos realm. | Linux/Unix VMs can use managed identities to access the identity system or resources. Some organizations migrate these workloads to cloud container technologies, which can also use managed identities. |
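The Mid-tier/Daemon services and Linux/Unix workloads rows above both rely on managed identities: the workload never holds a stored credential, it asks the Azure Instance Metadata Service (IMDS) on the VM for a token scoped to one resource. The example below is added here and is not code from the page or from Microsoft; it builds that IMDS request, validates a token response (resource match and expiry) and, only when actually run on an Azure VM, fetches a real token. The sample response and the token value in it are constructed.

```python
import json
import time
import urllib.parse
import urllib.request

# IMDS token endpoint; reachable only from inside an Azure VM (link-local address).
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_token_request(resource):
    """Return (url, headers) for a managed-identity token request.
    IMDS requires the 'Metadata: true' header so a plain redirect or
    browser-driven request cannot fetch a token on the workload's behalf."""
    query = urllib.parse.urlencode({"api-version": IMDS_API_VERSION, "resource": resource})
    return f"{IMDS_TOKEN_URL}?{query}", {"Metadata": "true"}


def validate_token_response(body, expected_resource, now=None):
    """Parse an IMDS token reply and return the access token.
    Raises ValueError if the token is for another resource, is not a bearer
    token, or has already expired (expires_on is a Unix timestamp string)."""
    now = time.time() if now is None else now
    data = json.loads(body)
    for field in ("access_token", "expires_on", "resource", "token_type"):
        if field not in data:
            raise ValueError(f"missing field: {field}")
    if data["token_type"] != "Bearer":
        raise ValueError(f"unexpected token_type: {data['token_type']}")
    if data["resource"].rstrip("/") != expected_resource.rstrip("/"):
        raise ValueError("token was issued for a different resource")
    if int(data["expires_on"]) <= now:
        raise ValueError("token already expired")
    return data["access_token"]


def get_managed_identity_token(resource):
    """Fetch and validate a token from IMDS; only works on an Azure VM."""
    url, headers = build_token_request(resource)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return validate_token_response(resp.read().decode(), resource)


# Constructed sample reply with the shape of a real IMDS response; the token is fake.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJ0eXAi.FAKE.TOKEN",
    "expires_on": "1700003600",
    "resource": "https://management.azure.com/",
    "token_type": "Bearer",
})
```

On a VM, `get_managed_identity_token("https://management.azure.com/")` returns a token usable only against Azure Resource Manager; a token minted for one resource is rejected by `validate_token_response` when a different resource was expected.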

Next steps