Azure AD Connect 用户登录选项Azure AD Connect user sign-in options

Azure Active Directory (Azure AD) Connect 可让用户使用同一组密码登录云和本地资源。Azure Active Directory (Azure AD) Connect allows your users to sign in to both cloud and on-premises resources by using the same passwords. 本文介绍每个标识模型的重要概念,以帮助你选择登录到 Azure AD 时想要使用的标识。This article describes key concepts for each identity model to help you choose the identity that you want to use for signing in to Azure AD.

如果已熟悉了 Azure AD 标识模型,并且想详细了解某个特定的方法,则请参阅相应的链接:If you’re already familiar with the Azure AD identity model and want to learn more about a specific method, see the appropriate link:

Note

请务必记住,通过为 Azure AD 配置联合,可以在 Azure AD 租户与联合域之间建立信任。It is important to remember that by configuring federation for Azure AD, you establish trust between your Azure AD tenant and your federated domains. 有了此可信的联合域,用户将能够在租户中访问 Azure AD 云资源。With this trust federated domain users will have access to Azure AD cloud resources within the tenant.

为组织选择用户登录方法Choosing the user sign-in method for your organization

实施 Azure AD Connect 的第一项决策是选择用户登录时要使用的身份验证方法。The first decision of implementing Azure AD Connect is choosing which authentication method your users will use to sign in. 必须确保选择符合组织安全要求和高级要求的适当方法。It's important to make sure you choose the right method that meets your organization's security and advanced requirements. 身份验证至关重要,因为它用于验证访问云中应用和数据的用户的身份。Authentication is critical, because it will validate user's identities to access apps and data in the cloud. 若要选择适当的身份验证方法,需要考虑时间、现有基础结构、复杂性和实现所选内容的成本。To choose the right authentication method, you need to consider the time, existing infrastructure, complexity, and cost of implementing your choice. 这些因素对每个组织都不同,并可能随时间变化。These factors are different for every organization and might change over time.

Azure AD 支持以下身份验证方法:Azure AD supports the following authentication methods:

  • 云身份验证 - 如果选择此身份验证方法,Azure AD 将处理用户登录时的身份验证过程。Cloud Authentication - When you choose this authentication method Azure AD handles the authentication process for user's sign-in. 使用云身份验证时,可以选择:With cloud authentication you can choose :

    • 密码哈希同步 (PHS) - 通过密码哈希同步,用户可以使用与其在本地使用的相同用户名和密码,而无需部署除 Azure AD Connect 以外的其他任何基础结构。Password hash synchronization (PHS) - Password Hash Sync enables users to use the same username and password that they use on-premises without having to deploy any additional infrastructure besides Azure AD Connect.
  • 联合身份验证 - 如果选择此身份验证方法,Azure AD 会将身份验证过程移交给单独的受信任身份验证系统(例如 AD FS 或第三方联合身份验证服务)来验证用户的登录。Federated authentication - When you choose this authentication method Azure AD will hand off the authentication process to a separate trusted authentication system, such as AD FS or a third-party federation system, to validate the user's sign-in.

由于大多数组织只想让用户登录 Office 365 和其他基于 Azure AD 的资源,因此,我们建议使用默认的密码哈希同步选项。For most organizations that just want to enable user sign-in to Office 365 and other Azure AD-based resources, we recommend the default password hash synchronization option.

密码哈希同步Password hash synchronization

凭借密码哈希同步,可将用户密码的哈希从本地 Active Directory 同步到 Azure AD。With password hash synchronization, hashes of user passwords are synchronized from on-premises Active Directory to Azure AD. 当在本地更改或重置密码时,新密码哈希将立即同步到 Azure AD,以便用户始终可用相同密码访问云资源与本地资源。When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD immediately so that your users can always use the same password for cloud resources and on-premises resources. 密码绝不会被发送到 Azure AD,也不会以明文的形式存储在 Azure AD 中。The passwords are never sent to Azure AD or stored in Azure AD in clear text. 密码哈希同步

有关详细信息,请参阅密码哈希同步一文。For more information, see the password hash synchronization article.

在 Windows Server 2012 R2 中使用新的或现有 AD FS 场进行联合身份验证Federation that uses a new or existing farm with AD FS in Windows Server 2012 R2

凭借联合登录,用户可以使用其本地密码登录到 Azure 基于 AD 的服务。With federated sign-in, your users can sign in to Azure AD-based services with their on-premises passwords. 当用户处于企业网络上时,他们甚至无需输入其密码。While they're on the corporate network, they don't even have to enter their passwords. 使用 AD FS 的联合身份验证选项,可在 Windows Server 2012 R2 中部署新的或现有的 AD FS 场。By using the federation option with AD FS, you can deploy a new or existing farm with AD FS in Windows Server 2012 R2. 如果选择指定现有场,Azure AD Connect 将在场与 Azure AD 之间配置信任,使你的用户能够登录。If you choose to specify an existing farm, Azure AD Connect configures the trust between your farm and Azure AD so that your users can sign in.

在 Windows Server 2012 R2 中使用 AD FS 进行联合身份验证

在 Windows Server 2012 R2 中部署使用 AD FS 的联合身份验证Deploy federation with AD FS in Windows Server 2012 R2

如果要部署新场,则需要:If you're deploying a new farm, you need:

  • 用于联合服务器的 Windows Server 2012 R2 服务器。A Windows Server 2012 R2 server for the federation server.
  • 用于 Web 应用程序代理的 Windows Server 2012 R2 服务器。A Windows Server 2012 R2 server for the Web Application Proxy.
  • 一个 .pfx 文件,其中包含目标联合服务名称的 SSL 证书。A .pfx file with one SSL certificate for your intended federation service name. 例如:fs.contoso.com。For example: fs.contoso.com.

如果要部署新场或使用现有场,则需要:If you're deploying a new farm or using an existing farm, you need:

  • 联合服务器上的本地管理员凭据。Local administrator credentials on your federation servers.
  • 要将 Web 应用程序代理角色部署在上面的任何工作组服务器(未加入域)上的本地管理员凭据。Local administrator credentials on any workgroup servers (not domain-joined) that you intend to deploy the Web Application Proxy role on.
  • 运行向导的计算机能够通过 Windows 远程管理连接到要安装 AD FS 或 Web 应用程序代理的任何其他计算机。The machine that you run the wizard on to be able to connect to any other machines that you want to install AD FS or Web Application Proxy on by using Windows Remote Management.

使用 PingFederate 进行联合身份验证Federation with PingFederate

凭借联合登录,用户可以使用其本地密码登录到 Azure 基于 AD 的服务。With federated sign-in, your users can sign in to Azure AD-based services with their on-premises passwords. 当用户处于企业网络上时,他们甚至无需输入其密码。While they're on the corporate network, they don't even have to enter their passwords.

有关配置 PingFederate 以与 Azure Active Directory 一起使用的详细信息,请参阅 PingFederate 与 Azure Active Directory 和 Office 365 的集成For more information on configuring PingFederate for use with Azure Active Directory, see PingFederate Integration with Azure Active Directory and Office 365

有关使用 PingFederate 设置 Azure AD Connect 的信息,请参阅 Azure AD Connect 自定义安装For information on setting up Azure AD Connect using PingFederate, see Azure AD Connect custom installation

使用早期版本的 AD FS 或第三方解决方案登录Sign in by using an earlier version of AD FS or a third-party solution

如果已使用早期版本的 AD FS(例如 AD FS 2.0)或第三方联合身份验证提供程序配置了云登录,则可以通过 Azure AD Connect 选择跳过用户登录配置。If you've already configured cloud sign-in by using an earlier version of AD FS (such as AD FS 2.0) or a third-party federation provider, you can choose to skip user sign-in configuration through Azure AD Connect. 这样,便可以获取最新的同步和 Azure AD Connect 的其他功能,同时仍可使用现有的解决方案进行登录。This will enable you to get the latest synchronization and other capabilities of Azure AD Connect while still using your existing solution for sign-in.

有关详细信息,请参阅 Azure AD 第三方联合身份验证兼容性列表For more information, see the Azure AD third-party federation compatibility list.

用户登录名和用户主体名User sign-in and user principal name

了解用户主体名Understanding user principal name

在 Active Directory 中,默认的用户主体名 (UPN) 后缀是在其中创建用户帐户的域的 DNS 名称。In Active Directory, the default user principal name (UPN) suffix is the DNS name of the domain where the user account was created. 在大多数情况下,这是在 Internet 上注册为企业域的域名。In most cases, this is the domain name that's registered as the enterprise domain on the Internet. 但是,可以使用 Active Directory 域和信任来添加更多的 UPN 后缀。However, you can add more UPN suffixes by using Active Directory Domains and Trusts.

用户的 UPN 的格式为 username@domain。The UPN of the user has the format username@domain. 例如,对于名为“contoso.com”的 Active Directory 域,名为 John 的用户的 UPN 可能是“john@contoso.com”。For example, for an Active Directory domain named "contoso.com", a user named John might have the UPN "john@contoso.com". 用户的 UPN 基于 RFC 822。The UPN of the user is based on RFC 822. 尽管 UPN 和电子邮件共享相同的格式,但用户的 UPN 值与用户的电子邮件地址可能相同,也可能不相同。Although the UPN and email share the same format, the value of the UPN for a user might or might not be the same as the email address of the user.

Azure AD 中的用户主体名User principal name in Azure AD

Azure AD Connect 向导使用 userPrincipalName 属性,或让你从本地指定要用作 Azure AD 中的用户主体名的属性(在自定义安装中)。The Azure AD Connect wizard uses the userPrincipalName attribute or lets you specify the attribute (in a custom installation) to be used from on-premises as the user principal name in Azure AD. 这是用于登录 Azure AD 的值。This is the value that is used for signing in to Azure AD. 如果 userPrincipalName 属性的值不对应于 Azure AD 中已验证的域,则 Azure AD 会将该值替换为默认的 .partner.onmschina.cn 值。If the value of the userPrincipalName attribute doesn't correspond to a verified domain in Azure AD, then Azure AD replaces it with a default .partner.onmschina.cn value.

Azure Active Directory 中的每个目录随附内置域名,格式为 contoso.partner.onmschina.cn,可让你开始使用 Azure 或其他 Microsoft 服务。Every directory in Azure Active Directory comes with a built-in domain name, with the format contoso.partner.onmschina.cn, that lets you get started using Azure or other Microsoft services. 可以使用自定义域来改善和简化登录体验。You can improve and simplify the sign-in experience by using custom domains. 有关 Azure AD 中的自定义域名以及如何验证域的信息,请阅读将自定义域名添加到 Azure Active DirectoryFor information on custom domain names in Azure AD and how to verify a domain, see Add your custom domain name to Azure Active Directory.

Azure AD 登录配置Azure AD sign-in configuration

使用 Azure AD Connect 配置 Azure AD 登录Azure AD sign-in configuration with Azure AD Connect

Azure AD 登录体验取决于 Azure AD是否能够匹配要同步到某个自定义域(在 Azure AD 目录中已验证)的用户的用户主体名后缀。The Azure AD sign-in experience depends on whether Azure AD can match the user principal name suffix of a user that's being synced to one of the custom domains that are verified in the Azure AD directory. 在配置 Azure AD 登录设置时 Azure AD Connect 将提供帮助,使用户在云中能获得类似于本地登录的登录体验。Azure AD Connect provides help while you configure Azure AD sign-in settings, so that the user sign-in experience in the cloud is similar to the on-premises experience.

Azure AD Connect 列出了为域定义的 UPN 后缀,并尝试在 Azure AD 中将其与自定义域进行匹配。Azure AD Connect lists the UPN suffixes that are defined for the domains and tries to match them with a custom domain in Azure AD. 然后它会帮助你执行需要执行的相应操作。Then it helps you with the appropriate action that needs to be taken. Azure AD 登录页列出了为本地 Active directory 定义的 UPN 后缀,并根据每个后缀显示相应的状态。The Azure AD sign-in page lists the UPN suffixes that are defined for on-premises Active Directory and displays the corresponding status against each suffix. 状态值可以是下列其中一项:The status values can be one of the following:

状态State 说明Description 所需操作Action needed
已验证Verified Azure AD Connect 在 Azure AD 中找到匹配的已验证域。Azure AD Connect found a matching verified domain in Azure AD. 此域的所有用户均可使用其本地凭据登录。All users for this domain can sign in by using their on-premises credentials. 无需采取任何措施。No action is needed.
未验证Not verified Azure AD Connect 在 Azure AD 中找到了匹配的但未验证的自定义域。Azure AD Connect found a matching custom domain in Azure AD, but it isn't verified. 如果域未验证,则在同步后此域的用户的 UPN 后缀将更改为默认的 .partner.onmschina.cn 后缀。The UPN suffix of the users of this domain will be changed to the default .partner.onmschina.cn suffix after synchronization if the domain isn't verified. 在 Azure AD 中验证自定义域。Verify the custom domain in Azure AD.
未添加Not added Azure AD Connect 未找到对应于 UPN 后缀的自定义域。Azure AD Connect didn't find a custom domain that corresponded to the UPN suffix. 如果未在 Azure 中添加域且域未进行验证,则此域的用户的 UPN 后缀将更改为默认的 .partner.onmschina.cn 后缀。The UPN suffix of the users of this domain will be changed to the default .partner.onmschina.cn suffix if the domain isn't added and verified in Azure. 添加和验证与 UPN 后缀相对应的自定义域。Add and verify a custom domain that corresponds to the UPN suffix.

Azure AD 登录页列出了针对本地 Active Directory 定义的 UPN 后缀,以及 Azure AD 中对应的自定义域与当前验证状态。The Azure AD sign-in page lists the UPN suffixes that are defined for on-premises Active Directory and the corresponding custom domain in Azure AD with the current verification status. 在自定义安装中,现在可以在“Azure AD 登录”页上选择用户主体名的属性。In a custom installation, you can now select the attribute for the user principal name on the Azure AD sign-in page.

Azure AD 登录页

可以单击“刷新”按钮,从 Azure AD 中重新提取自定义域最新的状态。You can click the refresh button to re-fetch the latest status of the custom domains from Azure AD.

选择 Azure AD 中的用户主体名的属性Selecting the attribute for the user principal name in Azure AD

属性 userPrincipalName 是用户登录 Azure AD 和 Office 365 时使用的属性。The attribute userPrincipalName is the attribute that users use when they sign in to Azure AD and Office 365. 应在同步处理用户之前对在 Azure AD 中使用的域(也称为 UPN 后缀)进行验证。You should verify the domains (also known as UPN suffixes) that are used in Azure AD before the users are synchronized.

强烈建议保留默认属性 userPrincipalName。We strongly recommend that you keep the default attribute userPrincipalName. 如果此属性不可路由且无法验证,则可以选择另一个属性(例如 email)作为保存登录 ID 的属性。If this attribute is nonroutable and can't be verified, then it's possible to select another attribute (email, for example) as the attribute that holds the sign-in ID. 这就是所谓的备用 ID。This is known as the Alternate ID. “备用 ID”属性值必须遵循 RFC 822 标准。The Alternate ID attribute value must follow the RFC 822 standard.

Note

所有 Office 365 工作负荷都不允许使用替代 ID。Using an Alternate ID isn't compatible with all Office 365 workloads. 有关详细信息,请参阅配置备用登录 IDFor more information, see Configuring Alternate Login ID.

不同的自定义域状态及其对 Azure 登录体验的影响Different custom domain states and their effect on the Azure sign-in experience

请务必要了解 Azure AD 目录中的自定义域状态与本地定义的 UPN 后缀之间的关系。It's very important to understand the relationship between the custom domain states in your Azure AD directory and the UPN suffixes that are defined on-premises. 让我们逐步了解当使用 Azure AD Connnect 设置同步时可能遇到的不同 Azure 登录体验。Let's go through the different possible Azure sign-in experiences when you're setting up synchronization by using Azure AD Connect.

对于下面的信息,假设我们所关注的是 UPN 后缀 contoso.com,它在本地目录中用作 UPN 的一部分,例如 user@contoso.com。For the following information, let's assume that we're concerned with the UPN suffix contoso.com, which is used in the on-premises directory as part of UPN--for example user@contoso.com.

快速设置/密码哈希同步Express settings/Password hash synchronization
状态State 对 Azure 用户登录体验的影响Effect on user Azure sign-in experience
未添加Not added 在这种情况下,并未在 Azure AD 目录中针对 contoso.com 添加任何自定义域。In this case, no custom domain for contoso.com has been added in the Azure AD directory. 在本地具有后缀 @contoso.com 的 UPN 的用户将无法使用其本地 UPN 来登录 Azure。Users who have UPN on-premises with the suffix @contoso.com won't be able to use their on-premises UPN to sign in to Azure. 他们需要为默认的 Azure AD 目录添加后缀,以改用 Azure AD 向他们提供的新 UPN。They'll instead have to use a new UPN that's provided to them by Azure AD by adding the suffix for the default Azure AD directory. 例如,如果要将用户同步到 Azure AD 目录 azurecontoso.partner.onmschina.cn,则为本地用户 user@contoso.com 指定 UPN user@azurecontoso.partner.onmschina.cn。For example, if you're syncing users to the Azure AD directory azurecontoso.partner.onmschina.cn, then the on-premises user user@contoso.com will be given a UPN of user@azurecontoso.partner.onmschina.cn.
未验证Not verified 在这种情况下,我们拥有已添加在 Azure AD 目录中的自定义域 contoso.com。In this case, we have a custom domain contoso.com that's added in the Azure AD directory. 但是,该域尚未验证。However, it's not yet verified. 如果在没有验证域的情况下继续同步用户,则 Azure AD 将为用户分配新 UPN,如同“未添加”方案中所做的一样。If you go ahead with syncing users without verifying the domain, then the users will be assigned a new UPN by Azure AD, just like in the "Not added" scenario.
已验证Verified 在这种情况下,我们拥有已在 Azure AD 中为 UPN 后缀添加并验证了的自定义域 contoso.com。In this case, we have a custom domain contoso.com that's already added and verified in Azure AD for the UPN suffix. 在用户被同步到 Azure AD 后,用户可以使用其本地用户主体名(例如 user@contoso.com)登录到 Azure。Users will be able to use their on-premises user principal name, for example user@contoso.com, to sign in to Azure after they're synced to Azure AD.
AD FS 联合AD FS federation

无法使用 Azure AD 中的默认 .partner.onmschina.cn 域或 Azure AD 中未验证的自定义域创建联合。You can't create a federation with the default .partner.onmschina.cn domain in Azure AD or an unverified custom domain in Azure AD. 在运行 Azure AD Connect 向导时,如果选择使用未验证的域创建联合,则 Azure AD Connect 将发出提示,并指出要为域创建的将托管 DNS 的必需记录。When you're running the Azure AD Connect wizard, if you select an unverified domain to create a federation with, then Azure AD Connect prompts you with the necessary records to be created where your DNS is hosted for the domain. 有关详细信息,请参阅验证选择用于联合的 Azure AD 域For more information, see Verify the Azure AD domain selected for federation.

如果选择的用户登录选项为“与 AD FS 联合”,则必须有一个自定义域才能继续在 Azure AD 中创建联合。If you selected the user sign-in option Federation with AD FS, then you must have a custom domain to continue creating a federation in Azure AD. 针对我们的讨论,这意味着我们应在 Azure AD 目录中添加自定义域 contoso.com。For our discussion, this means that we should have a custom domain contoso.com added in the Azure AD directory.

状态State 对 Azure 用户登录体验的影响Effect on the user Azure sign-in experience
未添加Not added 在这种情况下,Azure AD Connect 没有在 Azure AD 目录中找到 UPN 后缀 contoso.com 的匹配自定义域。In this case, Azure AD Connect didn't find a matching custom domain for the UPN suffix contoso.com in the Azure AD directory. 如果需要让用户在 AD FS 中使用其本地 UPN(例如 user@contoso.com)登录,则需要添加自定义域 contoso.com。You need to add a custom domain contoso.com if you need users to sign in by using AD FS with their on-premises UPN (like user@contoso.com).
未验证Not verified 在这种情况下,Azure AD Connect 将发出提示,并提供有关如何在后面的阶段验证域的相应详细信息。In this case, Azure AD Connect prompts you with appropriate details on how you can verify your domain at a later stage.
已验证Verified 在这种情况下,可以继续进行配置,而不需要采取任何进一步的操作。In this case, you can go ahead with the configuration without any further action.

更改用户登录方法 Changing the user sign-in method

在使用向导完成 Azure AD Connect 的初始配置后,可以使用 Azure AD Connect 中的可用任务将用户的登录方法在“联合”、“密码哈希同步之间切换。You can change the user sign-in method from federation, password hash synchronization by using the tasks that are available in Azure AD Connect after the initial configuration of Azure AD Connect with the wizard. 再次运行 Azure AD Connect 向导,随后将看到可执行的任务列表。Run the Azure AD Connect wizard again, and you'll see a list of tasks that you can perform. 在任务列表中选择“更改用户登录”。Select Change user sign-in from the list of tasks.

更改用户登录

在下一页上,系统将要求你提供 Azure AD 的凭据。On the next page, you're asked to provide the credentials for Azure AD.

连接到 Azure AD

在“用户登录” 页上,选择所需的用户登录选项。On the User sign-in page, select the desired user sign-in.

连接到 Azure AD

Note

如果只是要暂时切换到密码哈希同步,请选中“请勿切换用户帐户”复选框。If you're only making a temporary switch to password hash synchronization, then select the Do not convert user accounts check box. 不选中该选项会将每个用户转换为联合用户,并且该操作可能需要花费几小时。Not checking the option will convert each user to federated, and it can take several hours.

后续步骤Next steps