Frequently asked questions about Azure Active Directory

Azure Active Directory (Azure AD) is a comprehensive identity as a service (IDaaS) solution that spans all aspects of identity, access management, and security.

For more information, see What is Azure Active Directory?

Access Azure and Azure Active Directory

Q: Why do I get "No subscriptions found" when I try to access Azure AD in the Azure portal?

A: To access the Azure portal, each user needs permissions with an Azure subscription. If you don't have a paid Microsoft 365 or Azure AD subscription, you will need to activate an Azure account.

For more information, see:

Q: What's the relationship between Azure AD, Microsoft 365, and Azure?

A: Azure AD provides you with common identity and access capabilities to all web services. Whether you are using Microsoft 365, Azure, Intune, or others, you're already using Azure AD to help turn on sign-on and access management for all these services.

All users who are set up to use web services are defined as user accounts in one or more Azure AD instances. You can set up these accounts for free Azure AD capabilities like cloud application access.

Azure AD paid services like Enterprise Mobility + Security complement other web services like Microsoft 365 and Azure with comprehensive enterprise-scale management and security solutions.

Q: What are the differences between Owner and Global Administrator?

A: By default, the person who signs up for an Azure subscription is assigned the Owner role for Azure resources. An Owner can use either a Microsoft account or a work or school account from the directory that the Azure subscription is associated with. This role is authorized to manage services in the Azure portal.

If others need to sign in and access services by using the same subscription, you can assign them the appropriate built-in role. For additional information, see Assign Azure roles using the Azure portal.

By default, the person who signs up for an Azure subscription is also assigned the Global Administrator role for the directory. The Global Administrator has access to all Azure AD directory features. Azure AD has a different set of administrator roles to manage the directory and identity-related features. These administrators have access to various features in the Azure portal. The administrator's role determines what they can do, like create or edit users, assign administrative roles to others, reset user passwords, manage user licenses, or manage domains. For additional information on Azure AD directory admins and their roles, see Assign a user to administrator roles in Azure Active Directory and Assigning administrator roles in Azure Active Directory.

Additionally, Azure AD paid services like Enterprise Mobility + Security complement other web services, such as Microsoft 365 and Azure, with comprehensive enterprise-scale management and security solutions.

Q: Is there a report that shows when my Azure AD user licenses will expire?

A: No. This is not currently available.

Get started with Hybrid Azure AD

Q: How do I leave a tenant when I am added as a collaborator?

A: When you are added to another organization's tenant as a collaborator, you can use the "tenant switcher" in the upper right to switch between tenants. Currently, there is no way to leave the inviting organization, and Microsoft is working on providing this functionality. Until this feature is available, you can ask the inviting organization to remove you from their tenant.

Q: How can I connect my on-premises directory to Azure AD?

A: You can connect your on-premises directory to Azure AD by using Azure AD Connect.

For more information, see Integrating your on-premises identities with Azure Active Directory.

Q: Does Azure AD provide a self-service portal for users in my organization?

A: Yes, Azure AD provides you with the Azure AD Access Panel for user self-service and application access. If you are a Microsoft 365 customer, you can find many of the same capabilities in the Office 365 portal.

Password management

Q: Can I use Azure AD password write-back without password sync? (In this scenario, is it possible to use Azure AD self-service password reset (SSPR) with password write-back and not store passwords in the cloud?)

A: You do not need to synchronize your Active Directory passwords to Azure AD to enable write-back. In a federated environment, Azure AD single sign-on (SSO) relies on the on-premises directory to authenticate the user. This scenario does not require the on-premises password to be tracked in Azure AD.

Q: How long does it take for a password to be written back to Active Directory on-premises?

A: Password write-back operates in real time.

For more information, see Getting started with password management.

Q: Can I use password write-back with passwords that are managed by an admin?

A: Yes, if you have password write-back enabled, the password operations performed by an admin are written back to your on-premises environment.

Q: What can I do if I can't remember my existing Microsoft 365/Azure AD password while trying to change my password?

A: For this type of situation, there are a couple of options. Use self-service password reset (SSPR) if it's available. Whether SSPR works depends on how it's configured. For more information, see How does the password reset portal work.

For Microsoft 365 users, your admin can reset the password by using the steps outlined in Reset user passwords.

For Azure AD accounts, admins can reset passwords by using one of the following:

Q: Are accounts locked after a specific number of failed attempts, or is there a more sophisticated strategy used?

A: We use a more sophisticated strategy to lock accounts. This is based on the IP of the request and the passwords entered. The duration of the lockout also increases based on the likelihood that it is an attack.

Q: Certain (common) passwords get rejected with the message 'this password has been used too many times'. Does this refer to passwords used in the current Active Directory?

A: This refers to passwords that are globally common, such as any variants of "Password" and "123456".

Q: Will a sign-in request from dubious sources (botnets, Tor endpoints) be blocked in a B2C tenant, or does this require a Basic or Premium edition tenant?

A: We do have a gateway that filters requests and provides some protection from botnets, and it is applied to all B2C tenants.

Application access

Q: How do users sign in to applications by using Azure AD?

A: Azure AD provides several ways for users to view and access their applications, such as:

  • The Azure AD access panel
  • The Microsoft 365 application launcher
  • Direct sign-in to federated apps
  • Deep links to federated, password-based, or existing apps

Q: How do I require multi-factor authentication for users who access a particular application?

A: With Azure AD Conditional Access, you can assign a unique access policy for each application. In your policy, you can require multi-factor authentication always, or only when users are not connected to the local network.

For more information, see Securing access to Microsoft 365 and other apps connected to Azure Active Directory.
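The per-application policy described in this answer, written out as an added example (not from the original page) with the Microsoft Graph PowerShell SDK: it requires MFA for one application for all users, waives it for sign-ins from named locations marked as trusted (the "local network" case), and is created in report-only mode so its effect can be reviewed in the sign-in logs before it is enforced. The application ID is a placeholder, and the example assumes the Microsoft.Graph module is installed and the Policy.ReadWrite.ConditionalAccess permission has been consented.

```powershell
# Added example: per-app Conditional Access policy requiring MFA unless the user is on a trusted network.
# Assumes the Microsoft.Graph PowerShell module; the application ID below is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$targetAppId = "00000000-0000-0000-0000-000000000000"   # placeholder: the target app's application (client) ID

$policy = @{
    displayName = "Require MFA for target app off the corporate network"
    # Report-only: evaluated and logged, but not enforced, so the impact can be checked first.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            # Add emergency-access (break-glass) account object IDs here so an MFA outage cannot lock out every admin.
            excludeUsers = @()
        }
        applications = @{ includeApplications = @($targetAppId) }
        locations    = @{
            includeLocations = @("All")
            # "AllTrusted" covers named locations flagged as trusted (e.g. the office egress IP ranges).
            # Remove the locations block to require MFA always, the other option the answer describes.
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back to confirm what the tenant actually stored.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
Write-Output "Policy $($check.Id) created in state '$($check.State)' for app(s): $($check.Conditions.Applications.IncludeApplications -join ', ')"
```

Switch `state` to `enabled` only after the report-only results show the expected users being prompted and the trusted-location exclusion behaving as intended.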

Q: Can I set up a secure LDAP connection with Azure AD?

A: No. Azure AD does not support the Lightweight Directory Access Protocol (LDAP) or Secure LDAP directly. However, it's possible to enable an Azure AD Domain Services (Azure AD DS) instance on your Azure AD tenant, with properly configured network security groups through Azure Networking, to achieve LDAP connectivity. For more information, see Configure secure LDAP for an Azure Active Directory Domain Services managed domain.