混合标识和 Microsoft 标识解决方案Hybrid identity and Microsoft identity solutions

使用 Azure Active Directory (Azure AD) 混合标识解决方案可将本地目录与 Azure AD 同步,同时仍可在本地管理用户。Azure Active Directory (Azure AD) hybrid identity solutions enable you to synchronize on-premises directory objects with Azure AD while still managing your users on-premises. 如果计划将本地 Windows Server Active Directory 与 Azure AD 进行同步,首先需要决定是使用托管标识还是使用联合标识。The first decision to make when planning to synchronize your on-premises Windows Server Active Directory with Azure AD is whether you want to use managed identities or federated identity.

  • 托管标识 - 从本地 Active Directory 同步的用户帐户和组以及用户身份验证由 Azure 进行管理。Managed identities - User accounts and groups that are synchronized from a on-premises Active Directory and the user authentication is managed by Azure.
  • 联合标识可以对用户进行更多的控制,其方法是将用户身份验证与 Azure 隔离开,将身份验证委托给受信任的本地标识提供者。Federated identities allow for more control over users by separating user authentication from Azure, and delegating authentication to a trusted, on-premises, identity provider.

有多个选项可用于配置混合标识。There are several options available for configuring hybrid identity. 当考虑哪个标识模型最适合组织需求时,还需考虑时间、现有基础结构、复杂性和成本。As you consider which identity model best fits your organization’s needs, you also need to think about time, existing infrastructure, complexity, and cost. 这些因素对每个组织都不同,并可能随时间变化。These factors are different for every organization, and might change over time. 但是,如果需求确实发生更改,则还可灵活切换到不同的标识模型。However, if your requirements do change, you also have the flexibility to switch to a different identity model.

托管标识Managed identity

托管标识是将本地目录对象(用户和组)与 Azure AD 同步的最简单方法。Managed identity is the simplest way to synchronize on-premises directory objects (users and groups) with Azure AD.


尽管托管标识是最简单且最快速的方法,你的用户将仍需针对基于云的资源维护一个单独的密码。While managed identity is the easiest and quickest method, your users still need to maintain a separate password for cloud-based resources. 若要避免此问题,还可以(可选)将用户密码哈希同步到 Azure AD 目录中。To avoid this, you can also (optionally) synchronize a hash of user passwords to your Azure AD directory. 同步密码哈希使用户能够使用与本地使用的相同用户名和密码登录基于云的组织资源。Synchronizing password hashes enables users to log in to cloud-based organizational resources with the same user name and password that they use on-premises. Azure AD Connect 会定期检查本地目录是否发生更改,并保持 Azure AD 目录同步。Azure AD Connect periodically checks your on-premises directory for changes and keeps your Azure AD directory synchronized. 如果本地 Active Directory 的用户属性或密码已更改,则会在 Azure AD 中自动更新此信息。When a user attribute or password is changed on-premises Active Directory, it is automatically updated in Azure AD.

由于大多数组织只想让用户登录 Office 365 和其他基于 Azure AD 的资源,因此建议使用默认的密码哈希同步选项。For most organizations who only need to enable their users to sign in to Office 365 and other Azure AD-based resources, the default password hash synchronization option is recommended.


用户密码以表示实际用户密码的哈希值形式存储在本地 Windows Server Active Directory 中。User passwords are stored in on-premises Windows Server Active Directory in the form of a hash value that represents the actual user password. 哈希值是单向数学函数(哈希算法)的计算结果。A hash value is a result of a one-way mathematical function (the hashing algorithm). 没有任何方法可将单向函数的结果还原为纯文本版本的密码。There is no method to revert the result of a one-way function to the plain text version of a password. 无法使用密码哈希来登录本地网络。You cannot use a password hash to sign in to your on-premises network. 如果选择同步密码,Azure AD Connect 会从本地 Active Directory 提取密码哈希,并在同步到 Azure AD 之前将额外安全处理应用于密码哈希。When you opt to synchronize passwords, Azure AD Connect extracts password hashes from the on-premises Active Directory and applies extra security processing to the password hash before it is synchronized to Azure AD.

联合标识 (AD FS)Federated identity (AD FS)

使用 AD FS 联合验证用户的登录时,可将身份验证委托给验证用户凭据的本地服务器。Federating your user's sign-ins with AD FS delegates authentication to an on-premises server that validates user credentials. 在此模型中,本地 Active Directory 凭据永远不会传递到 Azure AD 中。In this model, on-premises Active Directory credentials are never passed to Azure AD.


也称为“联合身份验证”,这种登录方法可确保所有用户身份验证均在本地得以控制,并且允许管理员实施更严格的访问控制。Also called identity federation, this sign-in method ensures that all user authentication is controlled on-premises and allows administrators to implement more rigorous levels of access control. 使用 AD FS 的联合身份验证是最复杂的选项,需要在本地环境中部署其他服务器。Identity federation with AD FS is the most complicated option and requires deploying additional servers in your on-premises environment. 联合身份验证还承诺为 Active Directory 和 AD FS 基础结构提供全天候支持。Identity federation also commits you to providing 24x7 support for your Active Directory and AD FS infrastructure. 如果本地 Internet 访问、域控制器或 AD FS 服务器不可用,用户无法登录云服务,此时就需要这种高级支持。This high level of support is necessary because if your on-premises Internet access, domain controller, or AD FS servers are unavailable, users can't sign in to cloud services.


如果决定使用 Active Directory 联合身份验证服务 (AD FS) 进行联合身份验证,则可以选择性地设置密码哈希同步,作为在 AD FS 基础结构发生故障时的备用身份验证方式。If you decide to use Federation with Active Directory Federation Services (AD FS), you can optionally set up password hash synchronization as a backup in case your AD FS infrastructure fails.

什么是 Azure AD Connect?What is Azure AD Connect?

Azure AD Connect 专用于满足和完成混合标识目标的 Microsoft 工具。Azure AD Connect is the Microsoft tool designed to meet and accomplish your hybrid identity goals. 这样便可以为集成到 Azure AD 的 Office 365、Azure 和 SaaS 应用程序的用户提供一个通用标识。This allows you to provide a common identity for your users for Office 365, Azure, and SaaS applications integrated with Azure AD. 它提供以下功能:It provides the following features:

  • 同步 - 此组件负责创建用户、组和其他对象。Synchronization - This component is responsible for creating users, groups, and other objects. 它还负责确保本地用户和组的标识信息与云匹配。It is also responsible for making sure identity information for your on-premises users and groups is matching the cloud. 它负责将密码哈希与 Azure AD 进行同步。It is responsible for synchronizing password hashes with Azure AD.
  • 密码哈希同步 - 一个可选组件,可以将用户密码哈希与 Azure AD 同步,这样用户就可以在本地和云中使用相同的密码。Password hash synchronization - An optional component that allows users to use the same password on-premises and in the cloud by synchronizing a hash of the users password with Azure AD.
  • AD FS 和联合身份验证集成 - 联合身份验证是 Azure AD Connect 的可选部件,可用于使用本地 AD FS 基础结构配置混合环境。AD FS and federation integration - Federation is an optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. 它还提供了 AD FS 管理功能,例如证书续订和其他 AD FS 服务器部署。It also provides AD FS management capabilities such as certificate renew and additional AD FS server deployments.
  • PingFederate 和联合身份验证集成 - 另一联合身份验证选项,允许你使用 PingFederate 作为标识提供者。PingFederate and federation integration - Another federation option that allows you to use PingFederate as your identity provider.

什么是 Azure AD Connect

为何使用 Azure AD Connect?Why use Azure AD Connect?

将本地目录与 Azure AD 集成可提供用于访问云和本地资源的通用标识,来提高用户的工作效率。Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. 用户和组织可以享受到以下好处:Users and organizations can take advantage of the following:

  • 用户可以使用单个标识来访问本地应用程序和云服务,例如 Office 365。Users can use a single identity to access on-premises applications and cloud services such as Office 365.
  • 单个工具即可提供轻松同步和登录的部署体验。Single tool to provide an easy deployment experience for synchronization and sign-in.

后续步骤Next Steps