Multiple Domain Support for Federating with Azure AD

The following documentation provides guidance on how to use multiple top-level domains and subdomains when federating with Office 365 or Azure AD domains.

Multiple top-level domain support

Federating multiple top-level domains with Azure AD requires some additional configuration that is not required when federating a single top-level domain.

When a domain is federated with Azure AD, several properties are set on the domain in Azure. One important one is IssuerUri. This property is a URI that Azure AD uses to identify the domain that a token is associated with. The URI does not need to resolve to anything, but it must be a valid URI. By default, Azure AD sets the URI to the value of the federation service identifier in your on-premises AD FS configuration.

Note

The federation service identifier is a URI that uniquely identifies a federation service. The federation service is an instance of AD FS that functions as the security token service.

You can view the IssuerUri by using the PowerShell command Get-MsolDomainFederationSettings -DomainName <your domain>.

(Screenshot: Get-MsolDomainFederationSettings output showing the default IssuerUri)

A problem arises when you add more than one top-level domain. For example, say you have set up federation between Azure AD and your on-premises environment. In this document, the domain bmcontoso.com is being used. Now a second top-level domain, bmfabrikam.com, has been added.

(Screenshot: the two domains in Azure AD)

When you attempt to convert the bmfabrikam.com domain to be federated, an error occurs. The reason is that Azure AD has a constraint that does not allow the IssuerUri property to have the same value for more than one domain.

(Screenshot: federation error)

SupportMultipleDomain parameter

To work around this constraint, you need to add a different IssuerUri, which can be done by using the -SupportMultipleDomain parameter. This parameter is used with the following cmdlets:

  • New-MsolFederatedDomain
  • Convert-MsolDomaintoFederated
  • Update-MsolFederatedDomain

This parameter makes Azure AD configure the IssuerUri so that it is based on the name of the domain. The IssuerUri will be unique across directories in Azure AD. Using the parameter allows the PowerShell command to complete successfully.

(Screenshot: PowerShell command output)

Looking at the settings for the bmfabrikam.com domain, you can see the following:

(Screenshot: Get-MsolDomainFederationSettings output for bmfabrikam.com)

-SupportMultipleDomain does not change the other endpoints, which are still configured to point to the federation service on adfs.bmcontoso.com.

Another thing that -SupportMultipleDomain does is ensure that the AD FS system includes the proper Issuer value in tokens issued for Azure AD. This value is set by taking the domain portion of the user's UPN and setting it as the domain in the IssuerUri, that is, https://{upn suffix}/adfs/services/trust.

Thus, during authentication to Azure AD or Office 365, the IssuerUri element in the user's token is used to locate the domain in Azure AD. If a match cannot be found, the authentication will fail.

For example, if a user's UPN is bsimon@bmcontoso.com, the IssuerUri element in the token that AD FS issues will be set to http://bmcontoso.com/adfs/services/trust. This element will match the Azure AD configuration, and authentication will succeed.

The following is the customized claim rule that implements this logic:

c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?<domain>.+)", "http://${domain}/adfs/services/trust/"));

Important

In order to use the -SupportMultipleDomain switch when attempting to add new domains or convert existing ones, your federated trust needs to have already been set up to support them.

How to update the trust between AD FS and Azure AD

If you did not set up the federated trust between AD FS and your instance of Azure AD with the -SupportMultipleDomain parameter, you may need to re-create this trust. The reason is that when the trust is originally set up without the -SupportMultipleDomain parameter, the IssuerUri is set to the default value. In the screenshot below, you can see the IssuerUri is set to https://adfs.bmcontoso.com/adfs/services/trust.

If you have successfully added a new domain in the Azure AD portal and then attempt to convert it using Convert-MsolDomaintoFederated -DomainName <your domain>, you will get the following error.

(Screenshot: federation error)

If you try to add the -SupportMultipleDomain switch, you will receive the following error:

(Screenshot: federation error)

Simply trying to run Update-MsolFederatedDomain -DomainName <your domain> -SupportMultipleDomain on the original domain will also result in an error.

(Screenshot: federation error)

Use the steps below to add an additional top-level domain. If you have already added a domain and did not use the -SupportMultipleDomain parameter, start with the steps for removing and updating your original domain. If you have not added a top-level domain yet, you can start with the steps for adding a domain using PowerShell or Azure AD Connect.

Use the following steps to remove the Microsoft Online trust and update your original domain.

  1. On your AD FS federation server, open AD FS Management.
  2. On the left, expand Trust Relationships and Relying Party Trusts.
  3. On the right, delete the Microsoft Office 365 Identity Platform entry. (Screenshot: deleting the Microsoft Online trust)
  4. On a machine that has the Azure Active Directory Module for Windows PowerShell installed, run the following: $cred=Get-Credential.
  5. Enter the username and password of a global administrator for the Azure AD domain you are federating with.
  6. In PowerShell, enter Connect-MsolService -AzureEnvironment AzureChinaCloud -Credential $cred
  7. In PowerShell, enter Update-MSOLFederatedDomain -DomainName <Federated Domain Name> -SupportMultipleDomain. This update is for the original domain, so using the above domains it would be: Update-MsolFederatedDomain -DomainName bmcontoso.com -SupportMultipleDomain

Use the following steps to add the new top-level domain using PowerShell.

  1. On a machine that has the Azure Active Directory Module for Windows PowerShell installed, run the following: $cred=Get-Credential.
  2. Enter the username and password of a global administrator for the Azure AD domain you are federating with.
  3. In PowerShell, enter Connect-MsolService -AzureEnvironment AzureChinaCloud -Credential $cred
  4. In PowerShell, enter New-MsolFederatedDomain -SupportMultipleDomain -DomainName

Use the following steps to add the new top-level domain using Azure AD Connect.

  1. Launch Azure AD Connect from the desktop or start menu.
  2. Choose "Add an additional Azure AD Domain". (Screenshot: Add an additional Azure AD domain)
  3. Enter your Azure AD and Active Directory credentials.
  4. Select the second domain you wish to configure for federation. (Screenshot: Add an additional Azure AD domain)
  5. Click Install.

Verify the new top-level domain

By using the PowerShell command Get-MsolDomainFederationSettings -DomainName <your domain>, you can view the updated IssuerUri. The screenshot below shows the updated federation settings on the original domain, whose IssuerUri is now http://bmcontoso.com/adfs/services/trust.

(Screenshot: Get-MsolDomainFederationSettings output for bmcontoso.com)

And the IssuerUri on the new domain has been set to https://bmfabrikam.com/adfs/services/trust.

(Screenshot: Get-MsolDomainFederationSettings output for bmfabrikam.com)
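As an added check (my own example, not from the page or from Microsoft), the following script lists the IssuerUri of every federated domain in the tenant and flags values shared by domains that are not parent and child, which is the duplicate Azure AD rejects, while a subdomain sharing its parent's IssuerUri is expected. It assumes Connect-MsolService has already been run in the session; Test-FederatedIssuerUri is a hypothetical function name.

```powershell
# Added example, not from the page: list the IssuerUri of every federated
# domain in the tenant and flag values shared by unrelated domains. Assumes
# Connect-MsolService has already been run in this session.

function Test-FederatedIssuerUri {
    # Hypothetical helper. Returns one object per federated domain; Conflict is
    # $true when a domain that is neither its parent nor its child has the same
    # IssuerUri, which is the duplicate Azure AD rejects.
    $settings = @(Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' } |
        ForEach-Object {
            $fed = Get-MsolDomainFederationSettings -DomainName $_.Name
            [pscustomobject]@{ Domain = $_.Name; IssuerUri = $fed.IssuerUri; Conflict = $false }
        })

    foreach ($group in ($settings | Group-Object IssuerUri | Where-Object Count -gt 1)) {
        # Subdomains inherit the parent's IssuerUri, so members that all sit under
        # the shortest name in the group are expected rather than a conflict.
        $root = @($group.Group.Domain | Sort-Object Length)[0]
        $outsiders = $group.Group | Where-Object { $_.Domain -ne $root -and $_.Domain -notlike "*.$root" }
        if ($outsiders) { $group.Group | ForEach-Object { $_.Conflict = $true } }
    }
    $settings
}

Test-FederatedIssuerUri | Format-Table Domain, IssuerUri, Conflict -AutoSize
```

Any row with Conflict set to $true is a domain whose conversion will fail until it is updated with -SupportMultipleDomain.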

Support for subdomains

When you add a subdomain, because of the way Azure AD handles domains, it will inherit the settings of the parent. So the IssuerUri needs to match the parent's.

For example, say you have bmcontoso.com and then add corp.bmcontoso.com. The IssuerUri for a user from corp.bmcontoso.com will need to be http://bmcontoso.com/adfs/services/trust. However, the standard rule implemented above for Azure AD will generate a token with an issuer of http://corp.bmcontoso.com/adfs/services/trust, which will not match the domain's required value, and authentication will fail.

How to enable support for subdomains

In order to work around this behavior, the AD FS relying party trust for Microsoft Online needs to be updated. To do this, you must configure a custom claim rule so that it strips off any subdomains from the user's UPN suffix when constructing the custom Issuer value.

The following claim rule will do this:

c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, "^.*@([^.]+\.)*?(?<domain>([^.]+\.?){2})$", "http://${domain}/adfs/services/trust/"));

Note

The last number in the regular expression ({2}) is how many parent domain labels are kept from the root domain. Here bmcontoso.com is used, so two parent domains are necessary. If three parent domains were to be kept (for example corp.bmcontoso.com), the number would be three. A range can also be indicated; the match will then always keep the maximum number of domains that fits. "{2,3}" will match two to three domains (for example bmfabrikam.com and corp.bmcontoso.com).
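To see what the standard rule, the subdomain rule above and the {2,3} range variant from the note each emit, here is an added example (my own, not from the page or from Microsoft) that runs the page's regexes through .NET Regex.Replace, the same engine and ${domain} replacement syntax the AD FS regexreplace() function uses, against a constructed set of UPNs built from the page's example domains. The helper name Get-ClaimRuleIssuer and the sample UPNs are assumptions.

```powershell
# Added example, not from the page: run the page's issuerid claim-rule regexes
# through .NET Regex.Replace (what regexreplace() uses in AD FS) so the issuer
# each rule would emit can be checked before touching the relying party trust.

# Standard rule from the page: the whole UPN suffix becomes the issuer host.
$StandardPattern  = '.+@(?<domain>.+)'
# Subdomain rule from the page: keep only the last two labels of the suffix.
$SubdomainPattern = '^.*@([^.]+\.)*?(?<domain>([^.]+\.?){2})$'
# Range variant from the note: keep two or three labels, preferring three.
$RangePattern     = '^.*@([^.]+\.)*?(?<domain>([^.]+\.?){2,3})$'
# Single quotes keep ${domain} literal so Regex.Replace expands the named group.
$Replacement      = 'http://${domain}/adfs/services/trust/'

function Get-ClaimRuleIssuer {
    # Hypothetical helper: the issuer value a rule would produce for one UPN.
    param(
        [Parameter(Mandatory)][string]$Upn,
        [Parameter(Mandatory)][string]$Pattern
    )
    [regex]::Replace($Upn, $Pattern, $Replacement)
}

# Constructed sample UPNs using the page's example domains.
$Upns = 'bsimon@bmcontoso.com', 'bsimon@corp.bmcontoso.com',
        'bsimon@lab.corp.bmcontoso.com', 'jdoe@bmfabrikam.com'

foreach ($upn in $Upns) {
    [pscustomobject]@{
        UPN       = $upn
        Standard  = Get-ClaimRuleIssuer -Upn $upn -Pattern $StandardPattern
        Subdomain = Get-ClaimRuleIssuer -Upn $upn -Pattern $SubdomainPattern
        Range23   = Get-ClaimRuleIssuer -Upn $upn -Pattern $RangePattern
    }
}
```

For bsimon@corp.bmcontoso.com the Standard column yields http://corp.bmcontoso.com/adfs/services/trust/ while the Subdomain column yields http://bmcontoso.com/adfs/services/trust/, which is the difference the section above describes; for bsimon@lab.corp.bmcontoso.com the Range23 column keeps corp.bmcontoso.com.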

Use the following steps to add a custom claim rule to support subdomains.

  1. Open AD FS Management.

  2. Right-click the Microsoft Online RP trust and choose Edit Claim Rules.

  3. Select the third claim rule and replace it. (Screenshot: edit claim)

  4. Replace the current claim rule:

     c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?<domain>.+)","http://${domain}/adfs/services/trust/"));

     with

     c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, "^.*@([^.]+\.)*?(?<domain>([^.]+\.?){2})$", "http://${domain}/adfs/services/trust/"));

     (Screenshot: replace claim)

  5. Click OK. Click Apply. Click OK. Close AD FS Management.

Next steps

Now that you have Azure AD Connect installed, you can verify the installation and assign licenses.

Learn more about these features, which were enabled with the installation: Automatic upgrade and Prevent accidental deletes.

Learn more about these common topics: scheduler and how to trigger sync.

Learn more about Integrating your on-premises identities with Azure Active Directory.