
Tutorial: Configure hybrid Azure Active Directory joined devices manually

With device management in Azure Active Directory (Azure AD), you can ensure that users access your resources only from devices that meet your standards for security and compliance. For more information, see Introduction to device management in Azure Active Directory.

Tip

If using Azure AD Connect is an option for you, see the related tutorials for managed or federated domains. Azure AD Connect significantly simplifies the configuration of hybrid Azure AD join.

If you have an on-premises Active Directory environment and want to join your domain-joined devices to Azure AD, you can do so by configuring hybrid Azure AD joined devices. In this tutorial, you learn how to:

  • Manually configure hybrid Azure AD join
  • Configure a service connection point
  • Set up issuance of claims
  • Enable Windows down-level devices
  • Verify joined devices
  • Troubleshoot your implementation

Prerequisites

This tutorial assumes that you're familiar with:

Before you start enabling hybrid Azure AD joined devices in your organization, make sure that:

  • You're running an up-to-date version of Azure AD Connect.
  • Azure AD Connect has synchronized to Azure AD the computer objects of the devices you want to hybrid Azure AD join. If those computer objects live in specific organizational units (OUs), those OUs must also be configured for synchronization in Azure AD Connect.

Azure AD Connect:

  • Keeps the association between the computer account in your on-premises Active Directory instance and the device object in Azure AD.
  • Enables other device-related features, like Windows Hello for Business.

Make sure that the following URLs are reachable from computers inside your organization's network, so that those computers can register with Azure AD:

  • https://enterpriseregistration.windows.net
  • https://login.microsoftonline.com
  • https://device.login.microsoftonline.com
  • Your organization's STS (for federated domains), which should be included in the user's local intranet settings

If your organization plans to use Seamless SSO, the following URL must also be reachable from computers inside your organization, and it must be added to the user's local intranet zone:

  • https://autologon.microsoftazuread-sso.com

Also, the following setting should be enabled in the user's intranet zone: "Allow status bar updates via script."

If your organization uses a managed (non-federated) setup with on-premises Active Directory and does not use Active Directory Federation Services (AD FS) to federate with Azure AD, hybrid Azure AD join on Windows 10 relies on the computer objects in Active Directory being synced to Azure AD. Make sure that every OU containing computer objects that need to be hybrid Azure AD joined is enabled for sync in the Azure AD Connect sync configuration.

For Windows 10 devices on version 1703 or earlier, if your organization reaches the internet through an outbound proxy, you must implement Web Proxy Auto-Discovery (WPAD) so that Windows 10 computers can register with Azure AD.

Beginning with Windows 10 1803, if a hybrid Azure AD join attempt by a device in a federated domain through AD FS fails and Azure AD Connect is configured to sync computer objects to Azure AD, the device falls back to completing the hybrid Azure AD join by using the synced computer object.

To verify that a device can reach the Microsoft resources above under the system account (the context in which registration runs, so a test from an interactive user session is not sufficient), use the Test Device Registration Connectivity script.

Verify configuration steps

You can configure hybrid Azure AD joined devices for various Windows device platforms. This topic includes the steps required for all typical configuration scenarios.

Use the following table to get an overview of the steps required for your scenario:

Steps                              | Windows current and password hash sync | Windows current and federation | Windows down-level
Configure service connection point | Yes                                    | Yes                            | Yes
Set up issuance of claims          |                                        | Yes                            | Yes
Enable non-Windows 10 devices      |                                        |                                | Yes
Verify joined devices              | Yes                                    | Yes                            | Yes

Configure a service connection point

During registration, devices use a service connection point (SCP) object to discover Azure AD tenant information. In your on-premises Active Directory instance, the SCP object for hybrid Azure AD joined devices must exist in the configuration naming context partition of the computer's forest. There is only one configuration naming context per forest. In a multi-forest Active Directory configuration, the service connection point must exist in every forest that contains domain-joined computers.

You can use the Get-ADRootDSE cmdlet to retrieve the configuration naming context of your forest.

For a forest with the Active Directory domain name fabrikam.com, the configuration naming context is:

CN=Configuration,DC=fabrikam,DC=com

In your forest, the SCP object for the auto-registration of domain-joined devices is located at:

CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,[Your Configuration Naming Context]

Depending on how you deployed Azure AD Connect, the SCP object might already be configured. You can verify that the object exists and retrieve the discovery values with the following Windows PowerShell script:

# Bind to the SCP object in the configuration partition; replace the DC= components with your own forest's.
$scp = New-Object System.DirectoryServices.DirectoryEntry
$scp.Path = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=fabrikam,DC=com"

# The keywords attribute carries the tenant name and tenant ID that the device registration client reads.
$scp.Keywords

The $scp.Keywords output shows the Azure AD tenant information. Here's an example:

azureADName:microsoft.com
azureADId:72f988bf-86f1-41af-91ab-2d7cd011db47

If the service connection point does not exist, you can create it by running the Initialize-ADSyncDomainJoinedComputerSync cmdlet on your Azure AD Connect server. Enterprise admin credentials are required to run this cmdlet.

The cmdlet:

  • Creates the service connection point in the Active Directory forest that Azure AD Connect is connected to.
  • Requires you to specify the AdConnectorAccount parameter. This is the account configured as the Active Directory connector account in Azure AD Connect.

The following script shows an example of using the cmdlet. In this script, $aadAdminCred = Get-Credential prompts for a user name, which you must provide in user principal name (UPN) format (user@example.com).

Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"

# Prompts for the Azure AD administrator credential; enter the user name in UPN format.
$aadAdminCred = Get-Credential

# Replace [connector account name] with the Active Directory connector account configured in Azure AD Connect.
# Note the parameter is introduced by a plain hyphen; a pasted en-dash (–) is not recognized by PowerShell.
Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [connector account name] -AzureADCredentials $aadAdminCred

The Initialize-ADSyncDomainJoinedComputerSync cmdlet:

  • Uses the Active Directory PowerShell module and the Active Directory Domain Services (AD DS) tools. These tools rely on Active Directory Web Services running on a domain controller, which is supported on domain controllers running Windows Server 2008 R2 and later.
  • Is supported only by version 1.1.166.0 of the MSOnline PowerShell module; install that version before running the cmdlet.
  • Fails if the AD DS tools are not installed. You can install them through Server Manager under Features > Remote Server Administration Tools > Role Administration Tools.

For domain controllers running Windows Server 2008 or earlier, use the following script to create the service connection point. In a multi-forest configuration, run it in each forest where computers exist.

$verifiedDomain = "contoso.com"                           # Replace with one of your verified domain names in Azure AD
$tenantID = "72f988bf-86f1-41af-91ab-2d7cd011db47"        # Replace with your tenant ID
$configNC = "CN=Configuration,DC=corp,DC=contoso,DC=com"  # Replace with your Active Directory configuration naming context

# Bind to CN=Services in the configuration partition and create the Device Registration Configuration container.
# Children.Add followed by CommitChanges fails if the container already exists, so run this only once per forest.
$de = New-Object System.DirectoryServices.DirectoryEntry
$de.Path = "LDAP://CN=Services," + $configNC
$deDRC = $de.Children.Add("CN=Device Registration Configuration", "container")
$deDRC.CommitChanges()

# Create the SCP itself. Its name is fixed: it is the object the device registration client searches for.
$deSCP = $deDRC.Children.Add("CN=62a0ff2e-97b9-4513-943f-0d221bd30080", "serviceConnectionPoint")
$deSCP.Properties["keywords"].Add("azureADName:" + $verifiedDomain)
$deSCP.Properties["keywords"].Add("azureADId:" + $tenantID)

$deSCP.CommitChanges()

In the preceding script, $verifiedDomain = "contoso.com" is a placeholder. Replace it with one of your verified domain names in Azure AD; you must own the domain before you can use it.

For more information about verified domain names, see Add a custom domain name to Azure Active Directory.

To get a list of your verified company domains, use the Get-AzureADDomain cmdlet.

(Screenshot: list of company domains)
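The scripts in this section hard-code the configuration naming context, and the creation script fails if the Device Registration Configuration container already exists. The following is an added example, not part of the original tutorial, that discovers the naming context with Get-ADRootDSE, validates the SCP keywords when the object is present, and creates the object only when it is missing, so it can be run repeatedly in every forest. The tenant ID and verified domain name are placeholders for your own values, and the script assumes the ActiveDirectory module and an account with read (and, for creation, write) access to CN=Services in the configuration partition.

```powershell
# Added example (not from the original tutorial): locate, validate or create the hybrid
# Azure AD join service connection point without hard-coding the naming context.
# Assumptions: ActiveDirectory module present; $expectedTenantId and $verifiedDomain
# are placeholders you replace; the caller can read/write CN=Services in the config NC.

$expectedTenantId = '00000000-0000-0000-0000-000000000000'   # placeholder: your Azure AD tenant ID
$verifiedDomain   = 'contoso.com'                            # placeholder: one of your verified domain names

# The object name is fixed by the device registration client and identical in every forest.
$scpName = 'CN=62a0ff2e-97b9-4513-943f-0d221bd30080'

# Discover the configuration naming context instead of assuming DC=fabrikam,DC=com.
$configNC = (Get-ADRootDSE).configurationNamingContext
$drcPath  = "LDAP://CN=Device Registration Configuration,CN=Services,$configNC"
$scpPath  = "LDAP://$scpName,CN=Device Registration Configuration,CN=Services,$configNC"

if ([System.DirectoryServices.DirectoryEntry]::Exists($scpPath)) {
    $scp      = New-Object System.DirectoryServices.DirectoryEntry $scpPath
    $keywords = @($scp.Properties['keywords'])
    Write-Output "SCP found at $scpPath"
    $keywords | ForEach-Object { Write-Output "  $_" }

    # Pull out the two keyword values the registration client looks for.
    $name = ($keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
    $id   = ($keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', ''

    $parsedGuid = [guid]::Empty
    if (-not [guid]::TryParse($id, [ref]$parsedGuid)) {
        Write-Warning "azureADId '$id' is not a GUID; devices will fail tenant discovery."
    } elseif ($parsedGuid -ne [guid]$expectedTenantId) {
        # A stale or wrong tenant ID silently sends every new device to a different tenant.
        Write-Warning "azureADId $id does not match the expected tenant $expectedTenantId."
    }
    if ($name -ne $verifiedDomain) {
        Write-Warning "azureADName '$name' differs from '$verifiedDomain'; confirm it is a verified domain in the tenant."
    }
}
else {
    Write-Output "SCP not found; creating it under $drcPath"
    $services = New-Object System.DirectoryServices.DirectoryEntry "LDAP://CN=Services,$configNC"

    # Create the container only if it is missing, so re-running the script is safe.
    if ([System.DirectoryServices.DirectoryEntry]::Exists($drcPath)) {
        $drc = New-Object System.DirectoryServices.DirectoryEntry $drcPath
    } else {
        $drc = $services.Children.Add('CN=Device Registration Configuration', 'container')
        $drc.CommitChanges()
    }

    $scp = $drc.Children.Add($scpName, 'serviceConnectionPoint')
    $scp.Properties['keywords'].Add("azureADName:$verifiedDomain") | Out-Null
    $scp.Properties['keywords'].Add("azureADId:$expectedTenantId") | Out-Null
    $scp.CommitChanges()
    Write-Output "Created $scpPath"
}
```

Run it once per forest that contains domain-joined computers. The tenant ID comparison matters because the SCP is trusted by every domain-joined machine in the forest: whoever can write this object decides which tenant new devices register with, so treat write access to CN=Services in the configuration partition as a tier-0 permission.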

Set up issuance of claims

In a federated Azure AD configuration, devices rely on AD FS or an on-premises federation service from a Microsoft partner to authenticate to Azure AD. Devices authenticate to obtain an access token with which they register against the Azure Active Directory Device Registration Service (Azure DRS).

Windows current devices authenticate by using Integrated Windows Authentication to an active WS-Trust endpoint (version 1.3 or 2005) hosted by the on-premises federation service.

When you use AD FS, you need to enable the following WS-Trust endpoints:

  • /adfs/services/trust/2005/windowstransport
  • /adfs/services/trust/13/windowstransport
  • /adfs/services/trust/2005/usernamemixed
  • /adfs/services/trust/13/usernamemixed
  • /adfs/services/trust/2005/certificatemixed
  • /adfs/services/trust/13/certificatemixed

Warning

Both /adfs/services/trust/2005/windowstransport and /adfs/services/trust/13/windowstransport must be enabled as intranet-facing endpoints only and must NOT be exposed as extranet-facing endpoints through the Web Application Proxy. These endpoints accept Windows credentials directly through Integrated Windows Authentication, which is why they belong on the intranet only. To learn how to disable the WS-Trust Windows endpoints on the proxy, see Disable WS-Trust Windows endpoints on the proxy. You can see which endpoints are enabled in the AD FS management console under Service > Endpoints.

Note

If you don't use AD FS as your on-premises federation service, follow your vendor's instructions to make sure that it supports WS-Trust 1.3 or 2005 endpoints and that they are published through the Metadata Exchange (MEX) file.

For device registration to finish, the following claims must exist in the token that Azure DRS receives. Azure DRS creates a device object in Azure AD from some of this information, and Azure AD Connect then uses it to associate the newly created device object with the on-premises computer account.

  • http://schemas.microsoft.com/ws/2012/01/accounttype
  • http://schemas.microsoft.com/identity/claims/onpremobjectguid
  • http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid

If you have more than one verified domain name, you also need to issue the following claim for computers:

  • http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid

If you already issue an ImmutableID claim (for example, for an alternate login ID), you need to issue a corresponding claim for computers:

  • http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID

The following sections describe:

  • The value each claim should have.
  • What the definition looks like in AD FS.

The definition helps you verify whether the values are already present or whether you need to create them.

Note

If you don't use AD FS as your on-premises federation server, follow your vendor's instructions to create the configuration that issues these claims.

Issue account type claim

The http://schemas.microsoft.com/ws/2012/01/accounttype claim must contain the value DJ, which identifies the device as a domain-joined computer. In AD FS, you can add an issuance transform rule that looks like this. The condition matches the Domain Computers group (the group SID ending in RID 515) so that only computer accounts receive the DJ value:

@RuleName = "Issue account type for domain-joined computers"
c:[
   Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value =~ "-515$",
   Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
]
=> issue(
   Type = "http://schemas.microsoft.com/ws/2012/01/accounttype",
   Value = "DJ"
);

Issue objectGUID of the computer account on-premises

The http://schemas.microsoft.com/identity/claims/onpremobjectguid claim must contain the objectGUID value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this:

@RuleName = "Issue object GUID for domain-joined computers"
c1:[
   Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value =~ "-515$", 
   Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
]
&&
c2:[
   Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
   Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
]
=> issue(
   store = "Active Directory",
   types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"),
   query = ";objectguid;{0}",
   param = c2.Value
);

Issue objectSID of the computer account on-premises

The http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid claim must contain the objectSid value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this:

@RuleName = "Issue objectSID for domain-joined computers"
c1:[
   Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value =~ "-515$",
   Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
]
&&
c2:[
   Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid",
   Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
]
=> issue(claim = c2);

Issue issuerID for the computer when multiple verified domain names are in Azure AD

The http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or partner) issuing the token. In AD FS, add issuance transform rules like the following ones, in this order, after the preceding rules. A rule that explicitly issues the claim for users is necessary; the first rule below distinguishes user authentication from computer authentication.

@RuleName = "Issue account type with the value User when its not a computer"
NOT EXISTS(
[
   Type == "http://schemas.microsoft.com/ws/2012/01/accounttype",
   Value == "DJ"
]
)
=> add(
   Type = "http://schemas.microsoft.com/ws/2012/01/accounttype",
   Value = "User"
);

@RuleName = "Capture UPN when AccountType is User and issue the IssuerID"
c1:[
   Type == "http://schemas.xmlsoap.org/claims/UPN"
]
&&
c2:[
   Type == "http://schemas.microsoft.com/ws/2012/01/accounttype",
   Value == "User"
]
=> issue(
   Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid",
   Value = regexreplace(
   c1.Value,
   ".+@(?<domain>.+)",
   "http://${domain}/adfs/services/trust/"
   )
);

@RuleName = "Issue issuerID for domain-joined computers"
c:[
   Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value =~ "-515$",
   Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
]
=> issue(
   Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid",
   Value = "http://<verified-domain-name>/adfs/services/trust/"
);

In the preceding claim, <verified-domain-name> is a placeholder. Replace it with one of your verified domain names in Azure AD. For example, use Value = "http://contoso.com/adfs/services/trust/".

For more information about verified domain names, see Add a custom domain name to Azure Active Directory.

To get a list of your verified company domains, use the Get-MsolDomain cmdlet.

(Screenshot: list of company domains)

Issue ImmutableID for the computer when one exists for users (for example, when an alternate login ID is set)

The http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID claim must contain a valid value for computers. In AD FS, you can create an issuance transform rule as follows:

@RuleName = "Issue ImmutableID for computers"
c1:[
   Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value =~ "-515$",
   Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
]
&&
c2:[
   Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
   Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
]
=> issue(
   store = "Active Directory",
   types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"),
   query = ";objectguid;{0}",
   param = c2.Value
);

Helper script to create the AD FS issuance transform rules

The following script helps you create the issuance transform rules described earlier.

$multipleVerifiedDomainNames = $false
$immutableIDAlreadyIssuedforUsers = $false
$oneOfVerifiedDomainNames = 'example.com'   # Replace example.com with one of your verified domains

$rule1 = '@RuleName = "Issue account type for domain-joined computers"
c:[
   Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value =~ "-515$",
   Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
]
=> issue(
   Type = "http://schemas.microsoft.com/ws/2012/01/accounttype",
   Value = "DJ"
);'

$rule2 = '@RuleName = "Issue object GUID for domain-joined computers"
c1:[
   Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value =~ "-515$",
   Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
]
&&
c2:[
   Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
   Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
]
=> issue(
   store = "Active Directory",
   types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"),
   query = ";objectguid;{0}",
   param = c2.Value
);'

$rule3 = '@RuleName = "Issue objectSID for domain-joined computers"
c1:[
   Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value =~ "-515$",
   Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
]
&&
c2:[
   Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid",
   Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
]
=> issue(claim = c2);'

$rule4 = ''
if ($multipleVerifiedDomainNames -eq $true) {
$rule4 = '@RuleName = "Issue account type with the value User when it is not a computer"
NOT EXISTS(
[
   Type == "http://schemas.microsoft.com/ws/2012/01/accounttype",
   Value == "DJ"
]
)
=> add(
   Type = "http://schemas.microsoft.com/ws/2012/01/accounttype",
   Value = "User"
);

@RuleName = "Capture UPN when AccountType is User and issue the IssuerID"
c1:[
   Type == "http://schemas.xmlsoap.org/claims/UPN"
]
&&
c2:[
   Type == "http://schemas.microsoft.com/ws/2012/01/accounttype",
   Value == "User"
]
=> issue(
   Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid",
   Value = regexreplace(
   c1.Value,
   ".+@(?<domain>.+)",
   "http://${domain}/adfs/services/trust/"
   )
);

@RuleName = "Issue issuerID for domain-joined computers"
c:[
   Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value =~ "-515$",
   Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
]
=> issue(
   Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid",
   Value = "http://' + $oneOfVerifiedDomainNames + '/adfs/services/trust/"
);'
}

$rule5 = ''
if ($immutableIDAlreadyIssuedforUsers -eq $true) {
$rule5 = '@RuleName = "Issue ImmutableID for computers"
c1:[
   Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value =~ "-515$",
   Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
]
&&
c2:[
   Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
   Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
]
=> issue(
   store = "Active Directory",
   types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"),
   query = ";objectguid;{0}",
   param = c2.Value
);'
}

$existingRules = (Get-ADFSRelyingPartyTrust -Identifier urn:federation:MicrosoftOnline).IssuanceTransformRules

# Guard against appending the same rule set a second time (see the remarks below).
if ($existingRules -match 'Issue account type for domain-joined computers') {
    throw 'The hybrid Azure AD join claim rules are already present on the relying party trust; not appending them again.'
}

$updatedRules = $existingRules + $rule1 + $rule2 + $rule3 + $rule4 + $rule5

$crSet = New-ADFSClaimRuleSet -ClaimRule $updatedRules

Set-AdfsRelyingPartyTrust -TargetIdentifier urn:federation:MicrosoftOnline -IssuanceTransformRules $crSet.ClaimRulesString

Remarks

  • This script appends the rules to the existing rules. Do not run it twice, because the rule set would be added twice. Before running it again, make sure that no corresponding rules for these claims (under the corresponding conditions) already exist.

  • If you have multiple verified domain names (as shown in the Azure AD portal or by the Get-MsolDomain cmdlet), set $multipleVerifiedDomainNames in the script to $true. Also remove any existing issuerid claim rule that might have been created by Azure AD Connect or by other means. Here's an example of such a rule:

    c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
    => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?<domain>.+)",  "http://${domain}/adfs/services/trust/"));

  • If you already issue an ImmutableID claim for user accounts, set $immutableIDAlreadyIssuedforUsers in the script to $true.
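This section states two requirements that are easy to get half right: the six WS-Trust endpoints must be enabled with the windowstransport pair kept off the Web Application Proxy, and the relying party trust must issue the listed claim types. The following added example, not part of the original tutorial, audits an AD FS farm for both. It assumes an AD FS server with the ADFS PowerShell module and the Azure AD relying party trust identified by urn:federation:MicrosoftOnline, as in the helper script; $fixProxy is a switch of my own that, when set, un-publishes the windowstransport endpoints from the proxy instead of only reporting them.

```powershell
# Added example (not from the original tutorial): audit WS-Trust endpoint state and the
# claim rules on the Azure AD relying party trust before attempting hybrid Azure AD join.
# Assumptions: run on an AD FS server with the ADFS module; the trust identifier is
# urn:federation:MicrosoftOnline; $fixProxy is this script's own optional remediation switch.

$fixProxy = $false   # set to $true to disable proxy publishing of the windowstransport endpoints

$requiredEndpoints = @(
    '/adfs/services/trust/2005/windowstransport',
    '/adfs/services/trust/13/windowstransport',
    '/adfs/services/trust/2005/usernamemixed',
    '/adfs/services/trust/13/usernamemixed',
    '/adfs/services/trust/2005/certificatemixed',
    '/adfs/services/trust/13/certificatemixed'
)

# Claims Azure DRS needs in every device token, plus the two that depend on your environment.
$requiredClaims = @(
    'http://schemas.microsoft.com/ws/2012/01/accounttype',
    'http://schemas.microsoft.com/identity/claims/onpremobjectguid',
    'http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid'
)
$conditionalClaims = @(
    'http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid',     # only with multiple verified domains
    'http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID'    # only if users already get ImmutableID
)

$problems = New-Object System.Collections.Generic.List[string]

# 1. Endpoint state. Get-AdfsEndpoint exposes AddressPath, Enabled and Proxy for each endpoint.
$endpoints = Get-AdfsEndpoint
foreach ($path in $requiredEndpoints) {
    $ep = $endpoints | Where-Object { $_.AddressPath -eq $path }
    if (-not $ep) { $problems.Add("endpoint $path not found"); continue }
    if (-not $ep.Enabled) { $problems.Add("endpoint $path is disabled") }

    # windowstransport carries Integrated Windows Authentication and must stay intranet-only.
    if ($path -like '*/windowstransport' -and $ep.Proxy) {
        if ($fixProxy) {
            Set-AdfsEndpoint -TargetAddressPath $path -Proxy $false
            Write-Output "disabled proxy publishing for $path"
        } else {
            $problems.Add("endpoint $path is published through the Web Application Proxy")
        }
    }
}

# 2. Claim rules on the Azure AD relying party trust.
$rp = Get-AdfsRelyingPartyTrust -Identifier 'urn:federation:MicrosoftOnline'
if (-not $rp) {
    $problems.Add('relying party trust urn:federation:MicrosoftOnline not found')
} else {
    $rules = [string]$rp.IssuanceTransformRules
    foreach ($claim in $requiredClaims) {
        if ($rules -notlike "*$claim*") { $problems.Add("no rule issues $claim") }
    }
    foreach ($claim in $conditionalClaims) {
        if ($rules -notlike "*$claim*") { Write-Output "note: no rule issues $claim (required only in the cases described above)" }
    }
    # Computer rules should be scoped to Domain Computers (group SID ending in RID 515).
    if ($rules -like '*accounttype*' -and $rules -notlike '*-515$*') {
        $problems.Add('accounttype rule is not scoped to the Domain Computers group (RID 515)')
    }
}

if ($problems.Count -eq 0) { Write-Output 'AD FS is configured for hybrid Azure AD join device registration.' }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

The script is read-only unless $fixProxy is set. It checks for the presence of claim types in the rule text, not for the correctness of each rule's logic, so a rule that exists but issues the wrong value still has to be reviewed by hand, for example by reading the token a test computer receives.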

Enable Windows down-level devices

If some of your domain-joined devices are Windows down-level devices, you need to:

  • Set a policy in Azure AD that allows users to register devices.
  • Configure your on-premises federation service to issue the claims that support Integrated Windows Authentication (IWA) for device registration.
  • Add the Azure AD device authentication endpoint to the local intranet zone to avoid certificate prompts when the device authenticates.
  • Control Windows down-level devices.

Set a policy in Azure AD to enable users to register devices

To register Windows down-level devices, make sure that the setting that allows users to register devices in Azure AD is enabled. In the Azure portal, you can find this setting under Azure Active Directory > Users and groups > Device settings.

The following policy must be set to All: Users may register their devices with Azure AD.

(Screenshot: the All option for "Users may register their devices with Azure AD")

Configure the on-premises federation service

Your on-premises federation service must support issuing the authenticationmethod and wiaormultiauthn claims when it receives an authentication request to the Azure AD relying party that carries a resource_params parameter with the following encoded value:

eyJQcm9wZXJ0aWVzIjpbeyJLZXkiOiJhY3IiLCJWYWx1ZSI6IndpYW9ybXVsdGlhdXRobiJ9XX0

which, decoded, is {"Properties":[{"Key":"acr","Value":"wiaormultiauthn"}]}

When such a request arrives, the on-premises federation service must authenticate the user by using Integrated Windows Authentication. When authentication succeeds, the federation service must issue the following two claims:

  • http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows
  • http://schemas.microsoft.com/claims/wiaormultiauthn

In AD FS, you must add an issuance transform rule that passes through the authentication method. To add this rule:

  1. In the AD FS management console, go to AD FS > Trust Relationships > Relying Party Trusts.

  2. Right-click the Microsoft Office 365 Identity Platform relying party trust object, and then select Edit Claim Rules.

  3. On the Issuance Transform Rules tab, select Add Rule.

  4. In the Claim rule template list, select Send Claims Using a Custom Rule.

  5. Select Next.

  6. In the Claim rule name box, enter Auth Method Claim Rule.

  7. In the Claim rule box, enter the following rule:

    c:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences"] => issue(claim = c);

  8. On your federation server, run the following PowerShell command. Replace <RPObjectName> with the name of your Azure AD relying party trust object, which is usually Microsoft Office 365 Identity Platform.

    Set-AdfsRelyingPartyTrust -TargetName <RPObjectName> -AllowedAuthenticationClassReferences wiaormultiauthn
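The encoded resource_params value above is base64 with the trailing padding removed, so a straightforward Convert.FromBase64String call rejects it, and the eight steps above can be applied from PowerShell instead of the console. The following added example, not part of the original tutorial, decodes the value (restoring the padding) and confirms it asks for acr = wiaormultiauthn, then appends the pass-through rule and adds wiaormultiauthn to the allowed authentication class references, merging with any references already set rather than replacing them. It assumes the ADFS module and that the trust is identified by urn:federation:MicrosoftOnline (its display name varies); the function name ConvertFrom-ResourceParams is mine.

```powershell
# Added example (not from the original tutorial): decode resource_params and apply the
# AD FS configuration from the numbered steps as a script. Assumptions: ADFS module loaded;
# the Azure AD relying party trust is identified by urn:federation:MicrosoftOnline;
# ConvertFrom-ResourceParams is a helper defined here, not an AD FS cmdlet.

function ConvertFrom-ResourceParams {
    param([Parameter(Mandatory)][string]$Encoded)
    # The wire value is base64url without padding: map the URL alphabet back and pad to a multiple of four.
    $b64 = $Encoded.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
        1 { throw 'invalid base64url length' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

$params = ConvertFrom-ResourceParams 'eyJQcm9wZXJ0aWVzIjpbeyJLZXkiOiJhY3IiLCJWYWx1ZSI6IndpYW9ybXVsdGlhdXRobiJ9XX0'
$acr = ($params.Properties | Where-Object { $_.Key -eq 'acr' }).Value
Write-Output "resource_params requests acr = $acr"
if ($acr -ne 'wiaormultiauthn') {
    throw 'unexpected acr value; this is not a device registration request'
}

$rpIdentifier = 'urn:federation:MicrosoftOnline'
$rp = Get-AdfsRelyingPartyTrust -Identifier $rpIdentifier
if (-not $rp) { throw "relying party trust $rpIdentifier not found" }

# Step 7 as a custom rule: pass the authentication method references through unchanged.
$authMethodRule = @'
@RuleName = "Auth Method Claim Rule"
c:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences"]
 => issue(claim = c);
'@

# Append the rule only if nothing already forwards authnmethodsreferences.
$existing = [string]$rp.IssuanceTransformRules
if ($existing -like '*http://schemas.microsoft.com/claims/authnmethodsreferences*') {
    Write-Output 'authnmethodsreferences pass-through rule already present; rules left unchanged'
} else {
    Set-AdfsRelyingPartyTrust -TargetIdentifier $rpIdentifier -IssuanceTransformRules ($existing + "`r`n" + $authMethodRule)
    Write-Output 'added Auth Method Claim Rule'
}

# Step 8: allow the wiaormultiauthn class reference. Merge, because the parameter replaces the whole list.
$refs = @($rp.AllowedAuthenticationClassReferences)
if ($refs -notcontains 'wiaormultiauthn') {
    $refs += 'wiaormultiauthn'
    Set-AdfsRelyingPartyTrust -TargetIdentifier $rpIdentifier -AllowedAuthenticationClassReferences $refs
    Write-Output 'added wiaormultiauthn to AllowedAuthenticationClassReferences'
}

# Read back the result.
Get-AdfsRelyingPartyTrust -Identifier $rpIdentifier | Select-Object Name, AllowedAuthenticationClassReferences
```

The merge on the last step is the detail worth keeping: Set-AdfsRelyingPartyTrust -AllowedAuthenticationClassReferences overwrites the list, so passing only wiaormultiauthn would drop any class references the trust already allows.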

Add the Azure AD device authentication endpoint to the local intranet zones

To avoid certificate prompts when users of registered devices authenticate to Azure AD, push a policy to your domain-joined devices that adds the following URL to the local intranet zone in Internet Explorer:

https://device.login.microsoftonline.com

Control Windows down-level devices

To register Windows down-level devices, download and install the Windows Installer package (.msi) from the Download Center. For more information, see the section Controlled validation of hybrid Azure AD join on Windows down-level devices.

Verify joined devices

You can check for successfully joined devices in your organization by using the Get-MsolDevice cmdlet in the Azure Active Directory PowerShell module.

The output of this cmdlet shows devices that are registered and joined with Azure AD. To get all devices, use the -All parameter, and then filter them by the deviceTrustType property. Domain-joined devices have the value Domain Joined.
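As an added example, not from the original tutorial, the following script applies the Get-MsolDevice filter described above and reconciles the result against the computer objects in the OU you enabled for sync, so that synced computers that never completed registration, and device objects with no matching computer, stand out. It assumes the MSOnline and ActiveDirectory modules, an existing Connect-MsolService session, and $syncedOu as a placeholder for your OU.

```powershell
# Added example (not from the original tutorial): list hybrid Azure AD joined devices and
# reconcile them with the on-premises computer objects that Azure AD Connect syncs.
# Assumptions: MSOnline and ActiveDirectory modules; Connect-MsolService already run;
# $syncedOu is a placeholder for the OU configured for sync.

$syncedOu = 'OU=Workstations,DC=corp,DC=contoso,DC=com'   # placeholder

# All device objects in the tenant, filtered to the trust type that hybrid join produces.
$hybridDevices = Get-MsolDevice -All | Where-Object { $_.DeviceTrustType -eq 'Domain Joined' }
Write-Output ("{0} hybrid Azure AD joined devices in the tenant" -f @($hybridDevices).Count)

# Index by display name (the on-premises computer name); names are compared case-insensitively.
$byName = @{}
foreach ($d in $hybridDevices) { $byName["$($d.DisplayName)".ToUpperInvariant()] = $d }

$computers = Get-ADComputer -Filter * -SearchBase $syncedOu -Properties OperatingSystem, LastLogonDate

$report = foreach ($c in $computers) {
    $dev = $byName[$c.Name.ToUpperInvariant()]
    [pscustomobject]@{
        Computer        = $c.Name
        OperatingSystem = $c.OperatingSystem
        LastLogonDate   = $c.LastLogonDate
        HybridJoined    = [bool]$dev
        DeviceId        = $dev.DeviceId                       # $null when not registered
        Enabled         = $dev.Enabled
        LastAadLogon    = $dev.ApproximateLastLogonTimestamp
    }
}

# Computers that are synced but have not registered are the ones to troubleshoot first.
Write-Output 'Synced computers without a hybrid Azure AD joined device object:'
$report | Where-Object { -not $_.HybridJoined } | Sort-Object LastLogonDate -Descending | Format-Table -AutoSize

# Stale registrations: device objects with no matching computer in the synced OU.
Write-Output 'Hybrid joined device objects with no computer in the synced OU:'
$computerNames = $computers | ForEach-Object { $_.Name.ToUpperInvariant() }
$hybridDevices |
    Where-Object { $computerNames -notcontains "$($_.DisplayName)".ToUpperInvariant() } |
    Select-Object DisplayName, DeviceId, Enabled, ApproximateLastLogonTimestamp |
    Format-Table -AutoSize
```

On a single Windows 10 machine, dsregcmd /status shows the device's own view of the same state: a machine reporting DomainJoined : YES together with AzureAdJoined : NO is one of the computers the first part of the report lists. Stale device objects in the second list are worth cleaning up, since a disabled or orphaned device object is still a tenant identity that conditional access and device-based policies evaluate.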

Troubleshoot your implementation

If you're experiencing issues completing hybrid Azure AD join for domain-joined Windows devices, see:

Next steps