
Tutorial: Configure hybrid Azure Active Directory join for managed domains

Like a user in your organization, a device is a core identity you want to protect. You can use a device's identity to protect your resources at any time and from any location. You can accomplish this goal by bringing device identities into Azure Active Directory (Azure AD) and managing them there, by using one of the following methods:

  • Azure AD join
  • Hybrid Azure AD join
  • Azure AD registration

Bringing your devices to Azure AD maximizes user productivity through single sign-on (SSO) across your cloud and on-premises resources. At the same time, you can secure access to your cloud and on-premises resources with Conditional Access.

In this tutorial, you learn how to configure hybrid Azure AD join for Active Directory domain-joined computers in a managed environment.

A managed environment can be deployed either through password hash sync (PHS) or pass-through authentication (PTA), in both cases with seamless single sign-on. These scenarios don't require you to configure a federation server for authentication.

In this tutorial, you learn how to:

  • Configure hybrid Azure AD join
  • Enable Windows down-level devices
  • Verify joined devices
  • Troubleshoot

Prerequisites

This tutorial assumes that you're familiar with these articles:

Note

Azure AD doesn't support smartcards or certificates in managed domains.

To configure the scenario in this article, you need the latest version of Azure AD Connect (1.1.819.0 or later) installed.

Verify that Azure AD Connect has synced the computer objects of the devices you want to be hybrid Azure AD joined to Azure AD. If the computer objects belong to specific organizational units (OUs), you must also configure those OUs to sync in Azure AD Connect. To learn more about how to sync computer objects by using Azure AD Connect, see Configure filtering by using Azure AD Connect.

Beginning with version 1.1.819.0, Azure AD Connect includes a wizard that you can use to configure hybrid Azure AD join. The wizard significantly simplifies the configuration process. The wizard configures the service connection points (SCPs) for device registration.

The configuration steps in this article are based on using the wizard in Azure AD Connect.

Hybrid Azure AD join requires devices to have access to the following Microsoft resources from inside your organization's network:

  • https://enterpriseregistration.windows.net
  • https://login.microsoftonline.com
  • https://device.login.microsoftonline.com
  • https://autologon.microsoftazuread-sso.com (if you use or plan to use seamless SSO)

If your organization requires access to the internet via an outbound proxy, Microsoft recommends implementing Web Proxy Auto-Discovery (WPAD) to enable Windows 10 computers for device registration with Azure AD. If you encounter issues configuring and managing WPAD, see Troubleshoot automatic detection.

If you don't use WPAD and need to configure proxy settings on your computers, you can do so beginning with Windows 10 1709. For more information, see Configure WinHTTP settings using a group policy object (GPO).

Note

If you configure proxy settings on your computers by using WinHTTP settings, any computer that can't connect to the configured proxy will fail to connect to the internet.

If your organization requires access to the internet via an authenticated outbound proxy, you must make sure that your Windows 10 computers can successfully authenticate to the outbound proxy. Because Windows 10 computers run device registration in machine context, you must configure outbound proxy authentication for machine context. Follow up with your outbound proxy provider on the configuration requirements.

To verify that a device can reach the Microsoft resources listed above under the system account, you can use the Test Device Registration Connectivity script.
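The following PowerShell snippet is an added example, not the tutorial's own Test Device Registration Connectivity script, for probing the four endpoints listed above from a domain-joined machine. It uses only the built-in Invoke-WebRequest cmdlet; the function name Test-DeviceRegistrationEndpoint and the endpoint list are the example's own. Any HTTP response, including a 4xx on the bare root URL, is treated as "reachable" because it proves that DNS, the proxy path and TLS negotiation all worked; only a transport-level failure (no response object) is reported as blocked.

```powershell
# Added example (not part of the tutorial): probe the endpoints that hybrid
# Azure AD join needs and report whether each one answered at all.
$endpoints = @(
    'https://enterpriseregistration.windows.net',
    'https://login.microsoftonline.com',
    'https://device.login.microsoftonline.com',
    'https://autologon.microsoftazuread-sso.com'   # only required when seamless SSO is used
)

function Test-DeviceRegistrationEndpoint {
    param([Parameter(Mandatory)][string]$Uri)
    try {
        $resp = Invoke-WebRequest -Uri $Uri -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop
        return [pscustomobject]@{ Uri = $Uri; Reachable = $true; Detail = "HTTP $([int]$resp.StatusCode)" }
    }
    catch {
        # A response object means the request reached the service (a 404 on the root
        # URL is normal); no response means name resolution, proxy or TLS failed.
        $errResp = $_.Exception.Response
        if ($errResp) {
            return [pscustomobject]@{ Uri = $Uri; Reachable = $true; Detail = "HTTP $([int]$errResp.StatusCode)" }
        }
        return [pscustomobject]@{ Uri = $Uri; Reachable = $false; Detail = $_.Exception.Message }
    }
}

# Device registration runs in machine context, so run this once as the interactive
# user and once as SYSTEM (for example from a scheduled task) to exercise the same
# proxy and proxy-authentication path the device itself uses; the identity is
# printed so the two runs can be told apart in a ticket.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Connectivity check running as $identity"
$endpoints | ForEach-Object { Test-DeviceRegistrationEndpoint -Uri $_ } | Format-Table -AutoSize
```

A machine that shows Reachable = True for every endpoint as the interactive user but not as SYSTEM usually has a proxy that is configured per user (WinINET) rather than for the machine (WinHTTP), or an authenticated proxy that does not accept the computer account; that is the case the Note above describes.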

Configure hybrid Azure AD join

To configure a hybrid Azure AD join by using Azure AD Connect, you need:

  • The credentials of a global administrator for your Azure AD tenant
  • The enterprise administrator credentials for each of the forests

To configure a hybrid Azure AD join by using Azure AD Connect:

  1. Start Azure AD Connect, and then select Configure.

    (Screenshot: Welcome page)

  2. On the Additional tasks page, select Configure device options, and then select Next.

    (Screenshot: Additional tasks page)

  3. On the Overview page, select Next.

    (Screenshot: Overview page)

  4. On the Connect to Azure AD page, enter the credentials of a global administrator for your Azure AD tenant.

    (Screenshot: Connect to Azure AD page)

  5. On the Device options page, select Configure Hybrid Azure AD join, and then select Next.

    (Screenshot: Device options page)

  6. On the SCP page, for each forest where you want Azure AD Connect to configure the SCP, complete the following steps, and then select Next:

    (Screenshot: SCP page)

    1. Select the forest.
    2. Select the authentication service.
    3. Select Add to enter the enterprise administrator credentials.
  7. On the Device operating systems page, select the operating systems that devices in your Active Directory environment use, and then select Next.

    (Screenshot: Device operating systems page)

  8. On the Ready to configure page, select Configure.

    (Screenshot: Ready to configure page)

  9. On the Configuration complete page, select Exit.

    (Screenshot: Configuration complete page)

Enable Windows down-level devices

If some of your domain-joined devices are Windows down-level devices, you must:

  • Configure the local intranet settings for device registration
  • Configure seamless SSO
  • Install Microsoft Workplace Join for Windows down-level computers

Configure the local intranet settings for device registration

To successfully complete hybrid Azure AD join of your Windows down-level devices, and to avoid certificate prompts when devices authenticate to Azure AD, you can push a policy to your domain-joined devices that adds the following URLs to the local intranet zone in Internet Explorer:

  • https://device.login.microsoftonline.com
  • https://autologon.microsoftazuread-sso.com

You also must enable Allow updates to status bar via script in the user's local intranet zone.

Configure seamless SSO

To successfully complete hybrid Azure AD join of your Windows down-level devices in a managed domain that uses PHS or PTA as its Azure AD cloud authentication method, you must also configure seamless SSO.

Install Microsoft Workplace Join for Windows down-level computers

To register Windows down-level devices, organizations must install Microsoft Workplace Join for non-Windows 10 computers. Microsoft Workplace Join for non-Windows 10 computers is available in the Microsoft Download Center.

You can deploy the package by using a software distribution system like System Center Configuration Manager. The package supports the standard silent installation options with the quiet parameter. The current branch of Configuration Manager offers benefits over earlier versions, like the ability to track completed registrations.

The installer creates a scheduled task on the system that runs in the user context. The task is triggered when the user signs in to Windows. After the user authenticates to Azure AD, the task silently joins the device to Azure AD by using the user's credentials.

Verify the registration

To verify the device registration state in your Azure tenant, you can use the Get-MsolDevice cmdlet in the Azure Active Directory PowerShell module.

When you use the Get-MsolDevice cmdlet to check the service details:

  • An object with a device ID that matches the ID on the Windows client must exist.
  • The value for DeviceTrustType must be Domain Joined. This setting is equivalent to the Hybrid Azure AD joined state on the Devices page in the Azure AD portal.
  • For devices that are used in Conditional Access, the value for Enabled must be True and DeviceTrustLevel must be Managed.

To check the service details:

  1. Open Windows PowerShell as an administrator.
  2. Enter Connect-MsolService to connect to your Azure tenant.
  3. Enter Get-MsolDevice -DeviceId <deviceId>.
  4. Verify that Enabled is set to True.
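The script below is an added example that is not part of the tutorial; it turns the four manual steps and the three checks listed above into one function. It assumes the MSOnline module is installed and that Connect-MsolService has already been run in the session. The function name Test-HybridJoinState is the example's own; reading the device ID from the client with dsregcmd /status is also an assumption about where the "ID on the Windows client" comes from and is only needed when the script is run on the device itself.

```powershell
# Added example (not part of the tutorial): verify a device's hybrid join state
# in the tenant against the three conditions the tutorial lists. Assumes the
# MSOnline module is loaded and Connect-MsolService has already been run.
function Test-HybridJoinState {
    param([Parameter(Mandatory)][string]$DeviceId)

    $device = Get-MsolDevice -DeviceId $DeviceId -ErrorAction SilentlyContinue
    if (-not $device) {
        return [pscustomobject]@{
            DeviceId               = $DeviceId
            Found                  = $false
            HybridJoined           = $false
            ConditionalAccessReady = $false
            Problems               = @('No object with this device ID in the tenant; check the Azure AD Connect OU filter and that the computer object has synced')
        }
    }

    $problems = @()
    # Hybrid Azure AD joined in the portal corresponds to DeviceTrustType = Domain Joined.
    $hybridJoined = ($device.DeviceTrustType -eq 'Domain Joined')
    if (-not $hybridJoined) { $problems += "DeviceTrustType is '$($device.DeviceTrustType)', expected 'Domain Joined'" }

    # Conditional Access additionally needs Enabled = True and DeviceTrustLevel = Managed.
    if (-not $device.Enabled) { $problems += 'Enabled is not True' }
    if ($device.DeviceTrustLevel -ne 'Managed') { $problems += "DeviceTrustLevel is '$($device.DeviceTrustLevel)', expected 'Managed'" }
    $caReady = $hybridJoined -and $device.Enabled -and ($device.DeviceTrustLevel -eq 'Managed')

    return [pscustomobject]@{
        DeviceId               = $DeviceId
        Found                  = $true
        DisplayName            = $device.DisplayName
        HybridJoined           = $hybridJoined
        ConditionalAccessReady = $caReady
        Problems               = $problems
    }
}

# When run on the client itself, take the DeviceId from dsregcmd /status so the
# tenant-side object is compared against the ID the device actually registered
# (assumption: dsregcmd output contains a "DeviceId : <guid>" line; on a device
# that has not registered yet the line is absent and $deviceId stays empty).
$match = dsregcmd /status | Select-String -Pattern '^\s*DeviceId\s*:\s*(\S+)'
$deviceId = if ($match) { $match.Matches[0].Groups[1].Value } else { $null }

if (-not $deviceId) {
    Write-Warning 'dsregcmd reports no DeviceId; the device has not registered with Azure AD yet.'
} else {
    Test-HybridJoinState -DeviceId $deviceId | Format-List
}
```

A result with Found = True but HybridJoined = False typically means the computer object synced (Azure AD Connect is configured correctly) but the device itself has not completed registration, so the next place to look is the client, not the tenant.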

Troubleshoot your implementation

If you experience issues with completing hybrid Azure AD join for domain-joined Windows devices, see:

Next steps

Learn how to manage device identities by using the Azure portal.