
How To: Plan your hybrid Azure Active Directory join implementation

In a similar way to a user, a device is another core identity that you want to protect and use to protect your resources at any time and from any location. You can accomplish this goal by bringing device identities into Azure AD and managing them there, using one of the following methods:

  • Azure AD join
  • Hybrid Azure AD join
  • Azure AD registration

By bringing your devices into Azure AD, you maximize your users' productivity through single sign-on (SSO) across your cloud and on-premises resources. At the same time, you can secure access to your cloud and on-premises resources with Conditional Access.

If you have an on-premises Active Directory (AD) environment and you want to join your AD domain-joined computers to Azure AD, you can accomplish this with hybrid Azure AD join. This article provides the steps to plan and implement hybrid Azure AD join in your environment.

Prerequisites

This article assumes that you are familiar with the Introduction to device identity management in Azure Active Directory.

Note

The minimum required domain controller version for Windows 10 hybrid Azure AD join is Windows Server 2008 R2.

Plan your implementation

To plan your hybrid Azure AD join implementation, you should familiarize yourself with the following:

  • Review supported devices
  • Review things you should know
  • Review controlled validation of hybrid Azure AD join
  • Select your scenario based on your identity infrastructure
  • Review on-premises AD UPN support for hybrid Azure AD join

Review supported devices

Hybrid Azure AD join supports a broad range of Windows devices. Because the configuration for devices running older versions of Windows requires additional or different steps, the supported devices are grouped into two categories:

Windows current devices

  • Windows 10
  • Windows Server 2016
  • Windows Server 2019

For devices running the Windows desktop operating system, the supported versions are listed in the article Windows 10 release information. As a best practice, Microsoft recommends that you upgrade to the latest version of Windows 10.

Windows down-level devices

As a first planning step, review your environment and determine whether you need to support Windows down-level devices.

Review things you should know

Hybrid Azure AD join is currently not supported if your environment consists of a single AD forest synchronizing identity data to more than one Azure AD tenant.

Hybrid Azure AD join is currently not supported when using virtual desktop infrastructure (VDI).

Hybrid Azure AD join is supported for FIPS-compliant TPM 2.0 and not supported for TPM 1.2. If your devices have a FIPS-compliant TPM 1.2, you must disable it before proceeding with hybrid Azure AD join. Microsoft does not provide any tools for disabling FIPS mode on TPMs, because the procedure depends on the TPM manufacturer; contact your hardware OEM for support. Starting with the Windows 10 1903 release, TPM 1.2 is not used for hybrid Azure AD join, and devices with such TPMs are treated as if they have no TPM.

Hybrid Azure AD join is not supported for Windows Server running the Domain Controller (DC) role.

Hybrid Azure AD join is not supported on Windows down-level devices when using credential roaming or user profile roaming.

If you rely on the System Preparation Tool (Sysprep) and you use a pre-Windows 10 1809 image for installation, make sure that the image was not captured from a device that is already registered with Azure AD as hybrid Azure AD joined.

If you rely on a virtual machine (VM) snapshot to create additional VMs, make sure that the snapshot was not taken from a VM that is already registered with Azure AD as hybrid Azure AD joined.

If your Windows 10 domain-joined devices are Azure AD registered to your tenant, this can lead to a dual state in which the device is both hybrid Azure AD joined and Azure AD registered. We recommend upgrading to Windows 10 1803 (with KB4489894 applied) or later, which handles this scenario automatically. On pre-1803 releases, you need to remove the Azure AD registered state manually before enabling hybrid Azure AD join. On 1803 and later releases, the following changes were made to avoid this dual state:

  • Any existing Azure AD registered state is automatically removed after the device is hybrid Azure AD joined.
  • You can prevent your domain-joined device from being Azure AD registered by adding this registry value: HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, "BlockAADWorkplaceJoin"=dword:00000001.
  • On Windows 10 1803, if you have Windows Hello for Business configured, the user needs to set up Windows Hello for Business again after the dual-state cleanup. This issue has been addressed with KB4512509.
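The following PowerShell script is an added example (not code from the Microsoft article) that detects the dual state described above on a domain-joined Windows 10 device and can set the BlockAADWorkplaceJoin policy value named in the list. It assumes dsregcmd.exe is present and that its /status output contains the lines DomainJoined, AzureAdJoined and WorkplaceJoined.

```powershell
# Added example, not part of the Microsoft article.
# Assumption: "dsregcmd /status" prints "DomainJoined : YES|NO",
# "AzureAdJoined : YES|NO" and "WorkplaceJoined : YES|NO" lines.

function Get-DeviceJoinState {
    # Parse the three join-state lines from dsregcmd /status into a hashtable.
    $state = @{ DomainJoined = $false; AzureAdJoined = $false; WorkplaceJoined = $false }
    $pattern = '^\s*(DomainJoined|AzureAdJoined|WorkplaceJoined)\s*:\s*(YES|NO)\s*$'
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match $pattern) {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    return $state
}

function Test-DualState {
    param([hashtable]$State)
    # Dual state = hybrid Azure AD joined (domain joined + Azure AD joined)
    # while an Azure AD registered (workplace join) identity is still present.
    return ($State.DomainJoined -and $State.AzureAdJoined -and $State.WorkplaceJoined)
}

function Set-BlockAadWorkplaceJoin {
    # Policy value from the article: stops a domain-joined device from
    # additionally becoming Azure AD registered (workplace joined).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'BlockAADWorkplaceJoin' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

$state = Get-DeviceJoinState
$state.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
if (Test-DualState -State $state) {
    Write-Warning 'Dual state: device is hybrid Azure AD joined AND Azure AD registered.'
    Write-Warning 'Windows 10 1803 (KB4489894) or later clears the registered state automatically; older builds need manual removal.'
} else {
    Write-Output 'No dual state detected.'
}
# Uncomment to apply the policy value from the article on this device (requires an elevated shell):
# Set-BlockAadWorkplaceJoin
```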

Review controlled validation of hybrid Azure AD join

When all of the prerequisites are in place, Windows devices automatically register as devices in your Azure AD tenant. The state of these device identities in Azure AD is referred to as hybrid Azure AD joined. More information about the concepts covered in this article can be found in the articles Introduction to device identity management in Azure Active Directory and Plan your hybrid Azure Active Directory join implementation.

Organizations may want to do a controlled validation of hybrid Azure AD join before enabling it across the entire organization at once. Review the article Controlled validation of hybrid Azure AD join to understand how to accomplish this.

Select your scenario based on your identity infrastructure

Hybrid Azure AD join works with both managed and federated environments, depending on whether the UPN is routable or non-routable. See the table at the bottom of this page for the supported scenarios.

Managed environment

A managed environment can be deployed either through Password Hash Sync (PHS) or Pass-through Authentication (PTA) with Seamless Single Sign-On.

These scenarios don't require you to configure a federation server for authentication.

Federated environment

A federated environment should have an identity provider that supports the following requirements. If you have a federated environment using Active Directory Federation Services (AD FS), the requirements below are already supported.

  • WIAORMULTIAUTHN claim: This claim is required to do hybrid Azure AD join for Windows down-level devices.
  • WS-Trust protocol: This protocol is required to authenticate Windows current hybrid Azure AD joined devices with Azure AD. When you're using AD FS, you need to enable the following WS-Trust endpoints:
    /adfs/services/trust/2005/windowstransport
    /adfs/services/trust/13/windowstransport
    /adfs/services/trust/2005/usernamemixed
    /adfs/services/trust/13/usernamemixed
    /adfs/services/trust/2005/certificatemixed
    /adfs/services/trust/13/certificatemixed

Warning

Both adfs/services/trust/2005/windowstransport and adfs/services/trust/13/windowstransport should be enabled as intranet-facing endpoints only and must NOT be exposed as extranet-facing endpoints through the Web Application Proxy. To learn more about how to disable WS-Trust Windows endpoints, see Disable WS-Trust Windows endpoints on the proxy. You can see which endpoints are enabled through the AD FS management console under Service > Endpoints.
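The following PowerShell script is an added example (not code from the Microsoft article) that audits the six WS-Trust endpoints listed above on an AD FS server and flags the two windowstransport endpoints if they are published to the extranet through the proxy. It assumes the ADFS PowerShell module is available (Get-AdfsEndpoint, Set-AdfsEndpoint, Enable-AdfsEndpoint) and that its endpoint objects expose AddressPath, Enabled and Proxy properties; run it on the AD FS server in an elevated shell.

```powershell
# Added example, not part of the Microsoft article.
# Assumption: Get-AdfsEndpoint returns objects with AddressPath, Enabled and
# Proxy (published through the Web Application Proxy) properties.

# The WS-Trust endpoints the article requires for hybrid Azure AD join.
$required = @(
    '/adfs/services/trust/2005/windowstransport',
    '/adfs/services/trust/13/windowstransport',
    '/adfs/services/trust/2005/usernamemixed',
    '/adfs/services/trust/13/usernamemixed',
    '/adfs/services/trust/2005/certificatemixed',
    '/adfs/services/trust/13/certificatemixed'
)

function Get-WsTrustEndpointFindings {
    param([string[]]$Paths)
    $all = Get-AdfsEndpoint
    foreach ($path in $Paths) {
        $ep = $all | Where-Object { $_.AddressPath -eq $path }
        $enabled = [bool]($ep -and $ep.Enabled)
        $proxied = [bool]($ep -and $ep.Proxy)
        # windowstransport must stay intranet-only: enabled, but not proxied.
        if (-not $enabled) {
            $finding = 'NOT ENABLED'
        } elseif (($path -like '*/windowstransport') -and $proxied) {
            $finding = 'EXPOSED VIA PROXY'
        } else {
            $finding = 'OK'
        }
        [pscustomobject]@{
            AddressPath = $path
            Enabled     = $enabled
            Proxy       = $proxied
            Finding     = $finding
        }
    }
}

$findings = Get-WsTrustEndpointFindings -Paths $required
$findings | Format-Table -AutoSize

# Remediation, commented out so the audit stays read-only. Unpublish the
# windowstransport endpoints from the proxy (keeping them enabled internally)
# and enable any required endpoint that is missing.
# $findings | Where-Object Finding -eq 'EXPOSED VIA PROXY' | ForEach-Object {
#     Set-AdfsEndpoint -TargetAddressPath $_.AddressPath -Proxy $false }
# $findings | Where-Object Finding -eq 'NOT ENABLED' | ForEach-Object {
#     Enable-AdfsEndpoint -TargetAddressPath $_.AddressPath }
```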

Note

Azure AD does not support smart cards or certificates in managed domains.

Beginning with version 1.1.819.0, Azure AD Connect provides a wizard to configure hybrid Azure AD join. The wizard significantly simplifies the configuration process. If installing the required version of Azure AD Connect is not an option for you, see How to manually configure device registration.

Based on the scenario that matches your identity infrastructure, see:

Review on-premises AD UPN support for hybrid Azure AD join

Sometimes, your on-premises AD UPNs can differ from your Azure AD UPNs. In such cases, Windows 10 hybrid Azure AD join provides limited support for on-premises AD UPNs, depending on the authentication method, domain type and Windows 10 version. Two types of on-premises AD UPN can exist in your environment:

  • Routable UPN: A routable UPN has a valid verified domain that is registered with a domain registrar. For example, if contoso.com is the primary domain in Azure AD, contoso.org is the primary domain in on-premises AD, owned by Contoso and verified in Azure AD.
  • Non-routable UPN: A non-routable UPN does not have a verified domain. It is applicable only within your organization's private network. For example, if contoso.com is the primary domain in Azure AD, contoso.local is the primary domain in on-premises AD, but it is not a verifiable domain on the internet and is only used within Contoso's network.

The table below provides details on support for these on-premises AD UPNs in Windows 10 hybrid Azure AD join.

Type of on-premises AD UPN   Domain type   Windows 10 version   Description
Routable                     Federated     From 1703 release    Generally available
Non-routable                 Federated     From 1803 release    Generally available
Routable                     Managed       From 1803 release    Generally available; Azure AD SSPR on the Windows lock screen is not supported
Non-routable                 Managed       Not supported        Not supported

Next steps