
Tutorial: Configure hybrid Azure Active Directory join for federated domains

Like a user in your organization, a device is a core identity you want to protect. You can use a device's identity to protect your resources at any time and from any location. You can accomplish this goal by bringing device identities into Azure Active Directory (Azure AD) and managing them there, by using one of the following methods:

  • Azure AD join
  • Hybrid Azure AD join
  • Azure AD registration

Bringing your devices to Azure AD maximizes user productivity through single sign-on (SSO) across your cloud and on-premises resources. At the same time, you can secure access to your cloud and on-premises resources with Conditional Access.

A federated environment should have an identity provider that supports the following requirements. If you already have a federated environment that uses Active Directory Federation Services (AD FS), the requirements below are already supported.

  • WIAORMULTIAUTHN claim: This claim is required to do hybrid Azure AD join for Windows down-level devices.
  • WS-Trust protocol: This protocol is required to authenticate Windows current hybrid Azure AD joined devices with Azure AD. When you're using AD FS, you need to enable the following WS-Trust endpoints:
    • /adfs/services/trust/2005/windowstransport
    • /adfs/services/trust/13/windowstransport
    • /adfs/services/trust/2005/usernamemixed
    • /adfs/services/trust/13/usernamemixed
    • /adfs/services/trust/2005/certificatemixed
    • /adfs/services/trust/13/certificatemixed

Warning

Both adfs/services/trust/2005/windowstransport and adfs/services/trust/13/windowstransport should be enabled as intranet-facing endpoints only and must NOT be exposed as extranet-facing endpoints through the Web Application Proxy. To learn more about how to disable the WS-Trust Windows endpoints, see Disable WS-Trust Windows endpoints on the proxy. You can see which endpoints are enabled through the AD FS management console under Service > Endpoints.
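The endpoint state described above can also be audited from PowerShell on an AD FS server. This is an added example, not part of the original tutorial; it assumes the ADFS module is installed and that the caller is an AD FS administrator.

```powershell
# Added example (not from the tutorial): audit the WS-Trust endpoints that hybrid
# Azure AD join depends on. Assumes the ADFS PowerShell module and AD FS admin rights.
Import-Module ADFS

# Endpoints the tutorial requires to be enabled.
$required = @(
    '/adfs/services/trust/2005/windowstransport',
    '/adfs/services/trust/13/windowstransport',
    '/adfs/services/trust/2005/usernamemixed',
    '/adfs/services/trust/13/usernamemixed',
    '/adfs/services/trust/2005/certificatemixed',
    '/adfs/services/trust/13/certificatemixed'
)
# The windowstransport pair must stay intranet-only (Proxy = False).
$intranetOnly = $required | Where-Object { $_ -like '*/windowstransport' }

$endpoints = Get-AdfsEndpoint
$findings = foreach ($path in $required) {
    $ep = $endpoints | Where-Object { $_.AddressPath -eq $path }
    $problem = $null
    if (-not $ep) { $problem = 'endpoint not found' }
    elseif (-not $ep.Enabled) { $problem = 'disabled' }
    elseif ($ep.Proxy -and ($intranetOnly -contains $path)) { $problem = 'published through the proxy' }
    [pscustomobject]@{
        AddressPath = $path
        Enabled     = [bool]$ep.Enabled
        Proxy       = [bool]$ep.Proxy
        Problem     = $problem
    }
}
$findings | Format-Table -AutoSize

# Remediation (review the findings first, then uncomment): enable missing endpoints and
# make sure the windowstransport pair is not published through the Web Application Proxy.
# foreach ($f in $findings | Where-Object Problem) {
#     Enable-AdfsEndpoint -TargetAddressPath $f.AddressPath
#     if ($intranetOnly -contains $f.AddressPath) {
#         Set-AdfsEndpoint -TargetAddressPath $f.AddressPath -Proxy $false
#     }
# }
```

Endpoint changes take effect after the AD FS service is restarted.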

In this tutorial, you learn how to configure hybrid Azure AD join for Active Directory domain-joined devices in a federated environment by using AD FS.

You learn how to:

  • Configure hybrid Azure AD join
  • Enable Windows downlevel devices
  • Verify the registration
  • Troubleshoot

Prerequisites

This tutorial assumes that you're familiar with these articles:

To configure the scenario in this tutorial, you need:

Beginning with version 1.1.819.0, Azure AD Connect includes a wizard that you can use to configure hybrid Azure AD join. The wizard significantly simplifies the configuration process. The wizard:

  • Configures the service connection points (SCPs) for device registration
  • Backs up your existing Azure AD relying party trust
  • Updates the claim rules in your Azure AD trust

The configuration steps in this article are based on using the Azure AD Connect wizard. If you have an earlier version of Azure AD Connect installed, you must upgrade it to 1.1.819 or later to use the wizard. If installing the latest version of Azure AD Connect isn't an option for you, see how to manually configure hybrid Azure AD join.

Hybrid Azure AD join requires devices to have access to the following Microsoft resources from inside your organization's network:

  • https://enterpriseregistration.windows.net
  • https://login.microsoftonline.com
  • https://device.login.microsoftonline.com
  • Your organization's Security Token Service (STS) (for federated domains)
  • https://autologon.microsoftazuread-sso.com (if you use or plan to use seamless SSO)

Beginning with Windows 10 1803, if the instantaneous hybrid Azure AD join in a federated environment that uses AD FS fails, the join relies on Azure AD Connect to sync the computer object to Azure AD; that object is then used to complete the device registration for hybrid Azure AD join. Verify that Azure AD Connect has synced the computer objects of the devices you want to be hybrid Azure AD joined to Azure AD. If the computer objects belong to specific organizational units (OUs), you must also configure those OUs to sync in Azure AD Connect. To learn more about how to sync computer objects by using Azure AD Connect, see Configure filtering by using Azure AD Connect.

If your organization requires access to the internet via an outbound proxy, Microsoft recommends implementing Web Proxy Auto-Discovery (WPAD) to enable Windows 10 computers for device registration with Azure AD. If you encounter issues configuring and managing WPAD, see Troubleshoot automatic detection.

If you don't use WPAD and want to configure proxy settings on your computers, you can do so beginning with Windows 10 1709. For more information, see Configure WinHTTP settings by using a group policy object (GPO).

Note

If you configure proxy settings on your computers by using WinHTTP settings, any computer that can't connect to the configured proxy will fail to connect to the internet.

If your organization requires access to the internet via an authenticated outbound proxy, you must make sure that your Windows 10 computers can successfully authenticate to the outbound proxy. Because Windows 10 computers run device registration in the machine context, you must configure outbound proxy authentication for the machine context. Follow up with your outbound proxy provider on the configuration requirements.

To verify that a device can reach the Microsoft resources listed above under the system account, you can use the Test Device Registration Connectivity script.
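A minimal reachability check for the resources listed above, as an added example that is not the Test Device Registration Connectivity script or any other code from the tutorial. The STS host name is a placeholder you must replace with your federation service FQDN.

```powershell
# Added example (not the tutorial's script): check TCP/443 reachability and the
# WinHTTP proxy setting from a domain-joined Windows 10 device.
# Placeholder: replace with your federation service FQDN.
$stsHost = 'sts.example.com'

$targets = @(
    'enterpriseregistration.windows.net',
    'login.microsoftonline.com',
    'device.login.microsoftonline.com',
    $stsHost,
    'autologon.microsoftazuread-sso.com'   # only needed with seamless SSO
)

# Device registration uses the machine's WinHTTP proxy, not the user's IE settings.
Write-Host 'WinHTTP proxy configuration:'
netsh winhttp show proxy

$results = foreach ($h in $targets) {
    $t = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host          = $h
        Reachable     = $t.TcpTestSucceeded
        RemoteAddress = $t.RemoteAddress
    }
}
$results | Format-Table -AutoSize
```

Because registration runs in the machine context, run this as SYSTEM (for example from a scheduled task) so that the proxy path exercised matches the one device registration will use.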

Configure hybrid Azure AD join

To configure a hybrid Azure AD join by using Azure AD Connect, you need:

  • The credentials of a global administrator for your Azure AD tenant
  • The enterprise administrator credentials for each of the forests
  • The credentials of your AD FS administrator

To configure a hybrid Azure AD join by using Azure AD Connect:

  1. Start Azure AD Connect, and then select Configure.

    (Screenshot: Welcome)

  2. On the Additional tasks page, select Configure device options, and then select Next.

    (Screenshot: Additional tasks)

  3. On the Overview page, select Next.

    (Screenshot: Overview)

  4. On the Connect to Azure AD page, enter the credentials of a global administrator for your Azure AD tenant, and then select Next.

    (Screenshot: Connect to Azure AD)

  5. On the Device options page, select Configure Hybrid Azure AD join, and then select Next.

    (Screenshot: Device options)

  6. On the SCP page, complete the following steps, and then select Next:

    (Screenshot: SCP)

    1. Select the forest.
    2. Select the authentication service. You must select AD FS server unless your organization has exclusively Windows 10 clients and you have configured computer/device sync, or your organization uses seamless SSO.
    3. Select Add to enter the enterprise administrator credentials.
  7. On the Device operating systems page, select the operating systems that the devices in your Active Directory environment use, and then select Next.

    (Screenshot: Device operating systems)

  8. On the Federation configuration page, enter the credentials of your AD FS administrator, and then select Next.

    (Screenshot: Federation configuration)

  9. On the Ready to configure page, select Configure.

    (Screenshot: Ready to configure)

  10. On the Configuration complete page, select Exit.

    (Screenshot: Configuration complete)

Enable Windows downlevel devices

If some of your domain-joined devices are Windows downlevel devices, you must:

  • Configure the local intranet settings for device registration
  • Install Microsoft Workplace Join for Windows downlevel computers

Configure the local intranet settings for device registration

To successfully complete hybrid Azure AD join of your Windows downlevel devices and to avoid certificate prompts when devices authenticate to Azure AD, you can push a policy to your domain-joined devices to add the following URLs to the local intranet zone in Internet Explorer:

  • https://device.login.microsoftonline.com
  • Your organization's STS (for federated domains)
  • https://autologon.microsoftazuread-sso.com (for seamless SSO)

You also must enable Allow updates to status bar via script in the user's local intranet zone.

Install Microsoft Workplace Join for Windows downlevel computers

To register Windows downlevel devices, organizations must install Microsoft Workplace Join for non-Windows 10 computers. Microsoft Workplace Join for non-Windows 10 computers is available in the Microsoft Download Center.

You can deploy the package by using a software distribution system like System Center Configuration Manager. The package supports the standard silent installation options with the quiet parameter. The current branch of Configuration Manager offers benefits over earlier versions, like the ability to track completed registrations.

The installer creates a scheduled task on the system that runs in the user context. The task is triggered when the user signs in to Windows. After authenticating with Azure AD, the task silently joins the device to Azure AD by using the user's credentials.

Verify the registration

To verify the device registration state in your Azure tenant, you can use the Get-MsolDevice cmdlet in the Azure Active Directory PowerShell module.

When you use the Get-MsolDevice cmdlet to check the service details:

  • An object with the device ID that matches the ID on the Windows client must exist.
  • The value for DeviceTrustType must be Domain Joined. This setting is equivalent to the Hybrid Azure AD joined state under Devices in the Azure AD portal.
  • For devices that are used in Conditional Access, the value for Enabled must be True and DeviceTrustLevel must be Managed.

To check the service details:

  1. Open Windows PowerShell as an administrator.
  2. Enter Connect-MsolService to connect to your Azure tenant.
  3. Enter get-msoldevice -deviceId <deviceId>.
  4. Verify that Enabled is set to True.
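The three conditions above can be checked in one pass with the following script. It is an added example, not code from the tutorial; it assumes the MSOnline module is installed and that you pass the device ID reported on the Windows client (for example by dsregcmd /status).

```powershell
# Added example (not from the tutorial): verify the hybrid Azure AD join state of one
# device with the MSOnline module. Save as a .ps1 and run with -DeviceId <GUID>.
param(
    [Parameter(Mandatory)][string]$DeviceId   # the device ID shown on the Windows client
)
Import-Module MSOnline
Connect-MsolService     # prompts for Azure AD credentials

$device = Get-MsolDevice -DeviceId $DeviceId
if (-not $device) {
    Write-Warning "No device object with ID $DeviceId exists in Azure AD yet."
    return
}

# The three conditions the tutorial lists for a healthy registration.
$checks = [ordered]@{
    'Device object exists'              = $true
    'DeviceTrustType is Domain Joined'  = ($device.DeviceTrustType -eq 'Domain Joined')
    'Enabled is True'                   = ($device.Enabled -eq $true)
    'DeviceTrustLevel is Managed'       = ($device.DeviceTrustLevel -eq 'Managed')
}

foreach ($c in $checks.GetEnumerator()) {
    $state = if ($c.Value) { 'OK' } else { 'FAIL' }
    '{0,-36} {1}' -f $c.Key, $state
}
if ($checks.Values -contains $false) {
    Write-Warning 'Device will not satisfy device-based Conditional Access until all checks pass.'
}
```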

Troubleshoot your implementation

If you experience issues with completing hybrid Azure AD join for domain-joined Windows devices, see:

Next steps

Learn how to manage device identities by using the Azure portal.