
Manage device identities using the Azure portal

Azure AD provides a central place to manage device identities.

The All devices page enables you to:

  • Identify devices, for example by join type (Azure AD joined, hybrid Azure AD joined, or Azure AD registered).
  • Perform device identity management tasks such as enable, disable, delete, or manage.
    • Printers and Windows Autopilot devices have limited management options in Azure AD. They must be managed from their respective admin interfaces.
  • Configure your device identity settings.
  • Enable or disable Enterprise State Roaming.
  • Review device-related audit logs.

All devices view in the Azure portal

You can access the devices portal using the following steps:

  1. Sign in to the Azure portal.
  2. Browse to Azure Active Directory > Devices.

Manage devices

There are two locations to manage devices in Azure AD:

  • Azure portal > Azure Active Directory > Devices
  • Azure portal > Azure Active Directory > Users > Select a user > Devices

Both options allow administrators to:

  • Search for devices.
  • See device details, including:
    • Device name
    • Device ID
    • OS and version
    • Join type
    • Owner
    • Mobile device management and compliance
    • BitLocker recovery key
  • Perform device identity management tasks such as enable, disable, delete, or manage.
    • Printers and Windows Autopilot devices have limited management options in Azure AD. They must be managed from their respective admin interfaces.

Tip

  • Hybrid Azure AD joined Windows 10 devices do not have an owner. If you are looking for a device by owner and cannot find it, search by the device ID instead.

  • If you see a device that is "Hybrid Azure AD joined" with a state of "Pending" under the REGISTERED column, the device has been synchronized from Azure AD Connect and is waiting for the client to complete registration. Read more on how to plan your hybrid Azure AD join implementation. Additional information can be found in the article Devices frequently asked questions.

  • For some iOS devices, device names containing apostrophes can use different characters that look like apostrophes. Searching for such devices is therefore a little tricky: if you are not seeing the search results you expect, make sure the search string contains the matching apostrophe character.

Manage an Intune device

If you are an Intune administrator, you can manage devices whose MDM is marked Microsoft Intune. If the device is not enrolled with Microsoft Intune, the Manage option is greyed out.

Enable or disable an Azure AD device

To enable or disable devices, you have two options:

  • The toolbar on the All devices page, after selecting one or more devices.
  • The toolbar after drilling down into a specific device.

Important

  • You must be a global administrator or cloud device administrator in Azure AD to enable or disable a device.
  • Disabling a device prevents it from authenticating successfully with Azure AD, which in turn prevents it from accessing your Azure AD resources that are protected by device-based Conditional Access or by Windows Hello for Business credentials.
  • Disabling a device revokes both the Primary Refresh Token (PRT) and any refresh tokens (RT) on the device.
  • Unlike deletion, disabling keeps the device object and the details attached to it (such as BitLocker keys) and can be reversed, so it is the safer first step when you are not sure whether a device is still in use.
  • Printers cannot be enabled or disabled in Azure AD.

Delete an Azure AD device

To delete a device, you have two options:

  • The toolbar on the All devices page, after selecting one or more devices.
  • The toolbar after drilling down into a specific device.

Important

  • You must be assigned the cloud device administrator, Intune administrator, or global administrator role in Azure AD to delete a device.
  • Printers and Windows Autopilot devices cannot be deleted in Azure AD.
  • Deleting a device:
    • Prevents the device from accessing your Azure AD resources.
    • Removes all details that are attached to the device, for example BitLocker keys for Windows devices.
    • Is not recoverable and is not recommended unless it is required.

If a device is managed by another management authority (for example, Microsoft Intune), make sure that the device has been wiped or retired there before deleting it in Azure AD. Review how to manage stale devices before deleting any devices.
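The disable-first, delete-last sequence that the two preceding sections describe, as an added example that is not part of the original article. It uses the Microsoft Graph PowerShell SDK (Get-MgDevice, Update-MgDevice, Remove-MgDevice) rather than the portal; the function name Invoke-DeviceRetirement, the 90-day inactivity threshold and the placeholder object ID at the bottom are assumptions for illustration, and the caller is assumed to hold the cloud device administrator or global administrator role with the Device.ReadWrite.All permission consented.

```powershell
# Added example (not from the original article). Assumes the Microsoft Graph
# PowerShell SDK is installed and the caller holds Device.ReadWrite.All.
Connect-MgGraph -Scopes 'Device.ReadWrite.All' -NoWelcome

function Invoke-DeviceRetirement {
    param(
        # Directory object ID of the device (the portal's Object ID, not its Device ID).
        [Parameter(Mandatory)][string]$ObjectId,
        # Assumed inactivity threshold; devices seen more recently are left alone.
        [int]$InactiveDays = 90,
        # Without -Delete the function only disables, which is reversible.
        [switch]$Delete
    )
    # In Get-MgDevice the key parameter is called -DeviceId but takes the object ID.
    $d = Get-MgDevice -DeviceId $ObjectId

    if ($d.ProfileType -eq 'Printer') {
        Write-Warning "$($d.DisplayName) is a printer; printers cannot be enabled, disabled or deleted in Azure AD."
        return
    }
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    if ($d.ApproximateLastSignInDateTime -and $d.ApproximateLastSignInDateTime -gt $cutoff) {
        Write-Warning "$($d.DisplayName) was active on $($d.ApproximateLastSignInDateTime); leaving it enabled."
        return
    }

    # Step 1: disable. This revokes the PRT and refresh tokens and blocks
    # device-based Conditional Access, but keeps the object and its BitLocker keys.
    if ($d.AccountEnabled) {
        Update-MgDevice -DeviceId $d.Id -AccountEnabled:$false
        Write-Host "Disabled $($d.DisplayName) (deviceId $($d.DeviceId))"
    }
    if (-not $Delete) { return }

    # Step 2: delete only when no other management authority still owns the device.
    # isManaged / mdmAppId are set for MDM-enrolled devices: wipe or retire them in
    # Intune first, as the article requires.
    if ($d.IsManaged -or $d.MdmAppId) {
        throw "$($d.DisplayName) is still MDM-managed (mdmAppId=$($d.MdmAppId)); retire it in Intune before deleting."
    }
    Remove-MgDevice -DeviceId $d.Id
    Write-Host "Deleted $($d.DisplayName); this cannot be undone."
}

# Example call with a placeholder object ID (assumption): disable only, no delete.
Invoke-DeviceRetirement -ObjectId '00000000-0000-0000-0000-000000000000'
```

Run it once without -Delete, wait for the device to stay silent, and only then re-run with -Delete; a device that is still in use will fail to sign in as soon as it is disabled, which is the signal you want before an irreversible deletion.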

View or copy device ID

You can use the device ID to verify the device's details on the device itself or with PowerShell during troubleshooting. To access the copy option, click the device.
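The PowerShell lookup mentioned above, as an added example that is not part of the original article. It resolves a device ID copied from the portal to the directory object with the Microsoft Graph PowerShell SDK (Get-MgDevice, Get-MgDeviceRegisteredOwner) and then compares it with the identifier the Windows client itself reports through dsregcmd /status. The function name Get-DeviceByDeviceId and the placeholder GUID are assumptions; the caller is assumed to hold Device.Read.All.

```powershell
# Added example (not from the original article). Assumes the Microsoft Graph
# PowerShell SDK and a caller with Device.Read.All; the GUID at the bottom is a
# placeholder for the value copied from the portal.
Connect-MgGraph -Scopes 'Device.Read.All' -NoWelcome

function Get-DeviceByDeviceId {
    param([Parameter(Mandatory)][string]$DeviceId)

    # The portal's "Device ID" is the deviceId property, which the client also
    # reports; it is not the directory object ID (Id), so filter on it explicitly.
    $d = Get-MgDevice -Filter "deviceId eq '$DeviceId'"
    if (-not $d) { throw "No device object with deviceId $DeviceId" }

    $joinType = switch ($d.TrustType) {
        'AzureAd'   { 'Azure AD joined' }
        'ServerAd'  { 'Hybrid Azure AD joined' }
        'Workplace' { 'Azure AD registered' }
        default     { $d.TrustType }
    }
    # Hybrid joined devices have no registered owner, as the tip above notes.
    $owners = Get-MgDeviceRegisteredOwner -DeviceId $d.Id |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }

    [pscustomobject]@{
        DisplayName  = $d.DisplayName
        ObjectId     = $d.Id
        DeviceId     = $d.DeviceId
        OS           = "$($d.OperatingSystem) $($d.OperatingSystemVersion)"
        JoinType     = $joinType
        Enabled      = $d.AccountEnabled
        Compliant    = $d.IsCompliant
        Managed      = $d.IsManaged
        LastActivity = $d.ApproximateLastSignInDateTime
        Owners       = ($owners -join ', ')
    }
}

# Look up the device whose ID was copied from the portal (placeholder GUID).
$portalId = '00000000-0000-0000-0000-000000000000'
Get-DeviceByDeviceId -DeviceId $portalId | Format-List

# On the Windows device itself, dsregcmd reports the same deviceId; comparing the
# two confirms that the directory object really belongs to the machine you are on.
$m = dsregcmd /status | Select-String '^\s*DeviceId\s*:\s*(\S+)'
if ($m) {
    $local = $m.Matches[0].Groups[1].Value
    if ($local -ne $portalId) { Write-Warning "Local deviceId $local does not match $portalId" }
} else {
    Write-Warning 'dsregcmd reported no DeviceId; the device has not completed registration.'
}
```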

Screenshot: View device ID

View or copy BitLocker keys

You can view and copy BitLocker keys to allow users to recover encrypted drives. These keys are only available for Windows devices that are encrypted and have their keys stored in Azure AD. You can find these keys when accessing the details of a device by selecting Show Recovery Key. Selecting Show Recovery Key generates an audit log entry, which you can find in the KeyManagement category. A recovery key unlocks the drive without the user's credentials, so review those KeyManagement entries for key reads that do not correspond to a support request.

Screenshot: View BitLocker keys

To view or copy the BitLocker keys, you need to be either the owner of the device or a user that has at least one of the following roles assigned:

  • Cloud Device Administrator
  • Global Administrator
  • Helpdesk Administrator
  • Intune Service Administrator
  • Security Administrator
  • Security Reader

Device list filtering (preview)

Previously, you could only filter the devices list by activity and enabled state. This preview now allows you to filter the devices list by the following attributes of a device:

  • Enabled state
  • Compliant state
  • Join type (Azure AD joined, hybrid Azure AD joined, Azure AD registered)
  • Activity timestamp
  • OS
  • Device type (printers, secure VMs, shared devices, registered devices)

To enable the preview filtering functionality in the All devices view:

Screenshot: Enable the filtering preview feature

  1. Sign in to the Azure portal.
  2. Browse to Azure Active Directory > Devices.
  3. Select the banner that says "Try out the new devices filtering improvements. Click to enable the preview."

You will now have the ability to add filters to your All devices view.
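The same filters expressed against the directory from PowerShell, as an added example that is not part of the original article. It goes slightly beyond the portal list by combining the predicates in one query and by expressing the activity timestamp as an inactivity window, which is how stale-device reviews are usually run. It uses the Microsoft Graph PowerShell SDK (Get-MgDevice); the function name Get-DeviceInventory, the parameter names and the 90-day example call are assumptions, and the caller is assumed to hold Device.Read.All.

```powershell
# Added example (not from the original article). Assumes the Microsoft Graph
# PowerShell SDK and a caller with Device.Read.All.
Connect-MgGraph -Scopes 'Device.Read.All' -NoWelcome

# Graph trustType values mapped to the join-type names the portal shows.
$joinTypeNames = @{ AzureAd = 'Azure AD joined'; ServerAd = 'Hybrid Azure AD joined'; Workplace = 'Azure AD registered' }

function Get-DeviceInventory {
    param(
        [ValidateSet('AzureAd', 'ServerAd', 'Workplace')][string[]]$JoinType,
        [bool]$Enabled,
        [bool]$Compliant,
        [string]$OS,            # e.g. 'Windows', 'IOS', 'Android', 'MacMDM'
        [int]$InactiveDays,     # activity timestamp older than this many days
        [ValidateSet('RegisteredDevice', 'SecureVM', 'Printer', 'Shared')][string]$ProfileType
    )
    # Equality predicates go to the server; the activity timestamp is filtered
    # client-side so the query does not need advanced-query (ConsistencyLevel) support.
    $clauses = @()
    if ($JoinType)    { $clauses += '(' + (($JoinType | ForEach-Object { "trustType eq '$_'" }) -join ' or ') + ')' }
    if ($PSBoundParameters.ContainsKey('Enabled'))   { $clauses += "accountEnabled eq $($Enabled.ToString().ToLower())" }
    if ($PSBoundParameters.ContainsKey('Compliant')) { $clauses += "isCompliant eq $($Compliant.ToString().ToLower())" }
    if ($OS)          { $clauses += "operatingSystem eq '$OS'" }
    if ($ProfileType) { $clauses += "profileType eq '$ProfileType'" }

    $query = @{ All = $true }
    if ($clauses) { $query.Filter = $clauses -join ' and ' }
    $devices = Get-MgDevice @query

    if ($InactiveDays) {
        $cutoff = (Get-Date).AddDays(-$InactiveDays)
        # Devices with no recorded sign-in are treated as inactive too.
        $devices = $devices | Where-Object {
            -not $_.ApproximateLastSignInDateTime -or $_.ApproximateLastSignInDateTime -lt $cutoff
        }
    }

    $devices | Select-Object DisplayName, DeviceId,
        @{ n = 'JoinType'; e = { $joinTypeNames[$_.TrustType] } },
        AccountEnabled, IsCompliant, OperatingSystem, ProfileType, ApproximateLastSignInDateTime
}

# Hybrid joined Windows devices that are still enabled but unseen for 90 days:
# the usual candidates for the disable-then-delete review.
Get-DeviceInventory -JoinType ServerAd -Enabled $true -OS Windows -InactiveDays 90 | Format-Table -AutoSize
```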

Configure device settings

To manage device identities using the Azure AD portal, those devices need to be either registered or joined to Azure AD. As an administrator, you can control the process of registering and joining devices by configuring the following device settings.

You must be assigned one of the following roles to view or manage device settings in the Azure portal:

  • Global administrator
  • Cloud device administrator
  • Global reader
  • Directory reader

Screenshot: Device settings related to Azure AD

  • Users may join devices to Azure AD - This setting enables you to select the users who can register their devices as Azure AD joined devices. The default is All.

Note

The Users may join devices to Azure AD setting is only applicable to Azure AD join on Windows 10.

  • Additional local administrators on Azure AD joined devices - You can select the users that are granted local administrator rights on a device. These users are added to the Device Administrators role in Azure AD. Members of that role are local administrators on every Azure AD joined device in the tenant, not only on their own, so keep its membership small. Global administrators in Azure AD and device owners are granted local administrator rights by default. This option is a premium edition capability available through products such as Azure AD Premium or the Enterprise Mobility Suite (EMS).
  • Users may register their devices with Azure AD - You need to configure this setting to allow Windows 10 personal, iOS, Android, and macOS devices to be registered with Azure AD. If you select None, devices are not allowed to register with Azure AD. Enrollment with Microsoft Intune or Mobile Device Management (MDM) for Microsoft 365 requires registration. If you have configured either of these services, All is selected and None is not available.
  • Require Multi-Factor Auth to join devices - You can choose whether users are required to provide an additional authentication factor to join their device to Azure AD. The default is No. We recommend requiring multi-factor authentication when registering a device. Before you enable multi-factor authentication for this service, you must ensure that multi-factor authentication is configured for the users that register their devices. For more information on the different Azure multi-factor authentication services, see Getting started with Azure multi-factor authentication.

Note

The Require Multi-Factor Auth to join devices setting applies to devices that are either Azure AD joined or Azure AD registered. It does not apply to hybrid Azure AD joined devices.

  • Maximum number of devices - This setting enables you to select the maximum number of Azure AD joined or Azure AD registered devices that a user can have in Azure AD. If a user reaches this quota, they are not able to add additional devices until one or more of the existing devices are removed. The default value is 50.

Note

The Maximum number of devices setting applies to devices that are either Azure AD joined or Azure AD registered. It does not apply to hybrid Azure AD joined devices.

Audit logs

Device activities are available through the activity logs. These logs include activities triggered by the device registration service and by users:

  • Device creation and adding owners or users to the device
  • Changes to device settings
  • Device operations such as deleting or updating a device

Your entry point to the auditing data is Audit logs in the Activity section of the Devices page.

The audit log has a default list view that shows:

  • The date and time of the occurrence
  • The targets
  • The initiator or actor (who) of an activity
  • The activity (what)

Screenshot: Audit logs

You can customize the list view by clicking Columns in the toolbar.


To narrow down the reported data to a level that works for you, you can filter the audit data using the following fields:

  • Category
  • Activity resource type
  • Activity
  • Date range
  • Target
  • Initiated by (actor)

In addition to the filters, you can search for specific entries.
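The same category, activity and date-range filters applied from PowerShell, as an added example that is not part of the original article. It queries the directory audit log with the Microsoft Graph PowerShell SDK (Get-MgAuditLogDirectoryAudit) and covers the two device-related categories this article mentions: Device for create, update, delete and owner changes, and KeyManagement for the entries written when someone selects Show Recovery Key. The function name Get-DeviceAuditEvents is an assumption, the activity display name 'Delete device' in the example call is the one shown in the portal's Activity column and is assumed here, and the caller is assumed to hold AuditLog.Read.All.

```powershell
# Added example (not from the original article). Assumes the Microsoft Graph
# PowerShell SDK (Microsoft.Graph.Reports) and a caller with AuditLog.Read.All.
Connect-MgGraph -Scopes 'AuditLog.Read.All' -NoWelcome

function Get-DeviceAuditEvents {
    param(
        [int]$Days = 7,
        # 'Device' covers device creation, updates, deletion and owner changes;
        # 'KeyManagement' is where Show Recovery Key reads are logged.
        [ValidateSet('Device', 'KeyManagement')][string]$Category = 'Device',
        [string]$Activity   # optional activity display name, e.g. 'Delete device'
    )
    # OData datetime literals are unquoted UTC timestamps.
    $since  = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    $filter = "category eq '$Category' and activityDateTime ge $since"
    if ($Activity) { $filter += " and activityDisplayName eq '$Activity'" }

    Get-MgAuditLogDirectoryAudit -All -Filter $filter |
        Select-Object ActivityDateTime, ActivityDisplayName, Result,
            @{ n = 'Actor'; e = {
                # A user-initiated action carries a UPN; a service-initiated one carries an app name.
                if ($_.InitiatedBy.User.UserPrincipalName) { $_.InitiatedBy.User.UserPrincipalName }
                else { $_.InitiatedBy.App.DisplayName } } },
            @{ n = 'Target'; e = { ($_.TargetResources | ForEach-Object { $_.DisplayName }) -join ', ' } }
}

# Who deleted devices in the last 30 days, and which devices?
Get-DeviceAuditEvents -Days 30 -Activity 'Delete device' | Format-Table -AutoSize

# Every BitLocker recovery key read in the last week; reconcile each row against a support request.
Get-DeviceAuditEvents -Days 7 -Category KeyManagement | Format-Table -AutoSize
```

The KeyManagement query is the one worth scheduling: a recovery key read by an account that has no open support case for that device is the kind of event the portal filters let you find but will not surface on their own.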


Next steps

How to manage stale devices in Azure AD

Enterprise State Roaming