Frequently asked questions about Azure Active Directory

Azure Active Directory (Azure AD) is a comprehensive identity as a service (IDaaS) solution that spans all aspects of identity, access management, and security.

For more information, see What is Azure Active Directory?

Access Azure and Azure Active Directory

Q: Why do I get "No subscriptions found" when I try to access Azure AD in the Azure portal?

A: To access the Azure portal, each user needs permissions with an Azure subscription. If you don't have a paid Office 365 or Azure AD subscription, you will need to activate an Azure account or a paid subscription.

For more information, see:

Q: What's the relationship between Azure AD, Office 365, and Azure?

A: Azure AD provides you with common identity and access capabilities to all web services. Whether you are using Office 365, Azure, Intune, or others, you're already using Azure AD to help turn on sign-on and access management for all these services.

All users who are set up to use web services are defined as user accounts in one or more Azure AD instances. You can set up these accounts for free Azure AD capabilities like cloud application access.

Azure AD paid services like Enterprise Mobility + Security complement other web services like Office 365 and Azure with comprehensive enterprise-scale management and security solutions.

Q: What are the differences between Owner and Global Administrator?

A: By default, the person who signs up for an Azure subscription is assigned the Owner role for Azure resources. An Owner can use either a Microsoft account or a work or school account from the directory that the Azure subscription is associated with. This role is authorized to manage services in the Azure portal.

If others need to sign in and access services by using the same subscription, you can assign them the appropriate built-in role. For additional information, see Manage access using RBAC and the Azure portal.

By default, the person who signs up for an Azure subscription is assigned the Global Administrator role for the directory. The Global Administrator has access to all Azure AD directory features. Azure AD has a different set of administrator roles to manage the directory and identity-related features. These administrators will have access to various features in the Azure portal. The administrator's role determines what they can do, like create or edit users, assign administrative roles to others, reset user passwords, manage user licenses, or manage domains. For additional information on Azure AD directory admins and their roles, see Assign a user to administrator roles in Azure Active Directory and Assigning administrator roles in Azure Active Directory.

Q: Is there a report that shows when my Azure AD user licenses will expire?

A: No. This is not currently available.

Get started with Hybrid Azure AD

Q: How do I leave a tenant when I am added as a collaborator?

A: When you are added to another organization's tenant as a collaborator, you can use the "tenant switcher" in the upper right to switch between tenants. Currently, there is no way to leave the inviting organization, and Microsoft is working on providing this functionality. Until this feature is available, you can ask the inviting organization to remove you from their tenant.

Q: How can I connect my on-premises directory to Azure AD?

A: You can connect your on-premises directory to Azure AD by using Azure AD Connect.

For more information, see Integrating your on-premises identities with Azure Active Directory.

Q: What can I do if I can't remember my existing Office 365/Azure AD password while trying to change my password?

A: For this type of situation, there are a couple of options. Use self-service password reset (SSPR) if it's available. Whether SSPR works depends on how it's configured. For more information, see How does the password reset portal work.

For Office 365 users, your admin can reset the password by using the steps outlined in Reset user passwords.

For Azure AD accounts, admins can reset passwords by using one of the following:


Q: Are accounts locked after a specific number of failed attempts, or is there a more sophisticated strategy used?

A: We use a more sophisticated strategy to lock accounts. This is based on the IP of the request and the passwords entered. The duration of the lockout also increases based on the likelihood that it is an attack.

Q: Certain (common) passwords get rejected with the message 'this password has been used too many times'. Does this refer to passwords used in the current Active Directory?

A: This refers to passwords that are globally common, such as any variants of "Password" and "123456".
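To make the "variants of a globally common password" idea concrete, here is an added illustration (not Microsoft's code, and not its real banned list, which is not public): it lower-cases the candidate, undoes common character substitutions, and then rejects it if a banned word appears inside it or is within one edit of it. The substitution set and the banned sample are assumptions for the example.

```python
"""Reject passwords that are variants of globally common ones.

Added illustration of the idea behind the "used too many times" rejection.
The rules are a simplified approximation, not the production algorithm.
"""

# Constructed sample of a globally banned list (the real list is not public).
GLOBAL_BANNED = ("password", "123456", "qwerty", "letmein")

# Leet-speak substitutions undone before comparing (assumed set).
SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "!": "i", "3": "e"})


def normalize(password: str) -> str:
    """Lower-case and undo common substitutions, e.g. 'P@$$w0rd' -> 'password'."""
    return password.lower().translate(SUBSTITUTIONS)


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) < len(b):
        a, b = b, a  # make a the longer (or equal-length) string
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        i += 1                 # skip one char of the longer string (deletion)
        if len(a) == len(b):
            j += 1             # equal length: treat as a substitution
    return edits + (len(a) - i) <= 1  # any trailing leftover counts as an edit


def is_banned(password: str) -> bool:
    """Reject if a banned word is contained in, or within one edit of,
    either the lower-cased or the normalised form of the password."""
    for form in {password.lower(), normalize(password)}:
        for banned in GLOBAL_BANNED:
            if banned in form or within_one_edit(form, banned):
                return True
    return False
```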

Q: Will a sign-in request from dubious sources (botnets, Tor endpoints) be blocked in a B2C tenant, or does this require a Basic or Premium edition tenant?

A: We do have a gateway that filters requests and provides some protection from botnets, and it is applied for all B2C tenants.

Application access

For a complete list of the pre-integrated applications, see the Active Directory Marketplace.

Q: How do users sign in to applications by using Azure AD?

A: Azure AD provides several ways for users to view and access their applications, such as:

  • The Azure AD access panel
  • The Office 365 application launcher
  • Direct sign-in to federated apps
  • Deep links to federated, password-based, or existing apps

Q: How do I require multi-factor authentication for users who access a particular application?

A: With Azure AD Conditional Access, you can assign a unique access policy for each application. In your policy, you can require multi-factor authentication always, or only when users are not connected to the local network.

For more information, see Securing access to Office 365 and other apps connected to Azure Active Directory.
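As an added example (not Microsoft's code), the following builds the per-application policy described above in the Microsoft Graph conditionalAccessPolicy shape, in both forms: MFA always, or MFA only when the sign-in does not come from a trusted named location. The small evaluator is a simplified model of how such a policy applies to a sign-in, not the service's real engine, and APP_ID is a placeholder rather than a real application id.

```python
"""Per-application MFA policy in the Graph conditionalAccessPolicy shape,
plus a simplified evaluator for the two cases the answer describes.

Added example; the dict follows the documented Graph schema, the evaluator
is an approximation (it models apps and locations only, not user scoping).
"""

APP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder application (client) id


def mfa_policy(app_id: str, only_off_network: bool) -> dict:
    """Require MFA for one app, either always or only off the trusted network."""
    locations = {"includeLocations": ["All"]}
    if only_off_network:
        # Sign-ins from trusted named locations are carved out of the policy.
        locations["excludeLocations"] = ["AllTrusted"]
    return {
        "displayName": f"Require MFA for app {app_id}",
        "state": "enabled",  # use "enabledForReportingButNotEnforced" to pilot first
        "conditions": {
            # Scope the policy to every user but keep a slot for emergency-access
            # accounts so a misconfiguration cannot lock every admin out.
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": [app_id]},
            "locations": locations,
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def requires_mfa(policy: dict, app_id: str, from_trusted_location: bool) -> bool:
    """Simplified evaluation: does this sign-in fall under the policy's MFA grant?"""
    if policy["state"] != "enabled":
        return False
    cond = policy["conditions"]
    apps = cond["applications"]["includeApplications"]
    if "All" not in apps and app_id not in apps:
        return False  # the policy is scoped to other applications
    loc = cond.get("locations", {})
    if from_trusted_location and "AllTrusted" in loc.get("excludeLocations", []):
        return False  # on the local (trusted) network: policy does not apply
    return "mfa" in policy["grantControls"]["builtInControls"]
```

The "AllTrusted" exclusion only does anything once the office egress ranges are registered as trusted named locations in the tenant; without that, every sign-in is treated as off-network.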

Q: Can I set up a secure LDAP connection with Azure AD?

A: No. Azure AD does not support the Lightweight Directory Access Protocol (LDAP) or Secure LDAP directly.