
What is a device identity?

With the proliferation of devices of all shapes and sizes and the Bring Your Own Device (BYOD) concept, IT professionals are faced with two somewhat opposing goals:

  • Allow end users to be productive wherever and whenever
  • Protect the organization's assets

To protect these assets, IT staff first need to manage the device identities. IT staff can build on the device identity with tools like Microsoft Intune to ensure that standards for security and compliance are met. Azure Active Directory (Azure AD) enables single sign-on to devices, apps, and services from anywhere through these devices.

  • Your users get access to the organization's assets they need.
  • Your IT staff get the controls they need to secure your organization.

Device identity management is the foundation for device-based Conditional Access. With device-based Conditional Access policies, you can ensure that access to resources in your environment is only possible from managed devices.

Getting devices in Azure AD

To get a device into Azure AD, you have multiple options:

  • Azure AD registered
    • Devices that are Azure AD registered are typically personally owned or mobile devices, and are signed in to with a personal Microsoft account or another local account.
      • Windows 10
      • iOS
      • Android
      • MacOS
  • Azure AD joined
    • Devices that are Azure AD joined are owned by an organization, and are signed in to with an Azure AD account belonging to that organization. They exist only in the cloud.
      • Windows 10
  • Hybrid Azure AD joined
    • Devices that are hybrid Azure AD joined are owned by an organization, and are signed in to with an Azure AD account belonging to that organization. They exist in the cloud and on-premises.
      • Windows 7, 8.1, or 10
      • Windows Server 2008 or newer
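The three join types above, and the device-based Conditional Access point made earlier on this page (access only from managed devices), can be made concrete with a small inventory script. The following is an added example, not Microsoft's code: it classifies device records by join type and reports which ones would not satisfy a device-based policy. The records are constructed to mimic the shape of Microsoft Graph `device` objects, and the field names (`trustType`, `isCompliant`, `isManaged`, `operatingSystem`) and the `trustType` values `Workplace`, `AzureAd` and `ServerAd` are assumptions taken from the Graph device resource rather than anything stated on this page; nothing is fetched from a tenant.

```python
"""Classify device identities by Azure AD join type and evaluate a
device-based Conditional Access policy against them.

Added example, not Microsoft's code. Records are constructed samples in the
shape of Microsoft Graph `device` objects (assumed field names); no tenant
is contacted.
"""
from collections import Counter

# Assumed Graph `trustType` values mapped to the join types described above.
TRUST_TYPE_LABELS = {
    "Workplace": "Azure AD registered",
    "AzureAd": "Azure AD joined",
    "ServerAd": "Hybrid Azure AD joined",
}

# Constructed sample inventory. `None` models a property Graph leaves unset
# (typical for devices that no MDM has ever evaluated).
SAMPLE_DEVICES = [
    {"displayName": "LAPTOP-ALICE", "operatingSystem": "Windows",
     "trustType": "AzureAd", "isCompliant": True, "isManaged": True},
    {"displayName": "alice-iphone", "operatingSystem": "iOS",
     "trustType": "Workplace", "isCompliant": False, "isManaged": False},
    {"displayName": "DESKTOP-FIN01", "operatingSystem": "Windows",
     "trustType": "ServerAd", "isCompliant": None, "isManaged": True},
    {"displayName": "bob-android", "operatingSystem": "Android",
     "trustType": "Workplace", "isCompliant": True, "isManaged": True},
    {"displayName": "MACBOOK-EVE", "operatingSystem": "MacOS",
     "trustType": "Workplace", "isCompliant": None, "isManaged": None},
    {"displayName": "LEGACY-SRV", "operatingSystem": "Windows Server",
     "trustType": None, "isCompliant": None, "isManaged": None},
]


def join_type(device):
    """Return the human-readable join type for one device record."""
    return TRUST_TYPE_LABELS.get(device.get("trustType"), "Unknown / not joined")


def satisfies_device_policy(device, require_compliant=True, allow_hybrid_joined=True):
    """Model the two device-based Conditional Access grant controls:
    'Require device to be marked as compliant' and
    'Require Hybrid Azure AD joined device'. Either one satisfied grants access.

    `is True` is deliberate: an unset (None) compliance state must count as
    not compliant, never as a pass.
    """
    if require_compliant and device.get("isCompliant") is True:
        return True
    if allow_hybrid_joined and device.get("trustType") == "ServerAd":
        return True
    return False


def summarize(devices):
    """Count devices per join type and list those a device-based policy would block."""
    counts = Counter(join_type(d) for d in devices)
    blocked = [d["displayName"] for d in devices if not satisfies_device_policy(d)]
    return {"by_join_type": dict(counts), "blocked": blocked}


if __name__ == "__main__":
    report = summarize(SAMPLE_DEVICES)
    for label, n in sorted(report["by_join_type"].items()):
        print(f"{label:24} {n}")
    print("Blocked by device-based policy:", ", ".join(report["blocked"]))
```

The unset-compliance case is the one worth noticing: a device that has never been evaluated by an MDM tool reports no compliance state at all, and the policy check treats that exactly like a non-compliant device. Feeding the functions with records pulled from a real tenant instead of the constructed list changes nothing in the logic.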

[Screenshot: devices shown in the Azure AD devices blade]

Device management

Devices in Azure AD can be managed using Mobile Device Management (MDM) tools like Microsoft Intune, System Center Configuration Manager, Group Policy (hybrid Azure AD join), Mobile Application Management (MAM) tools, or other third-party tools.

Resource access

Registering and joining give your users seamless single sign-on (SSO) to cloud resources, and give administrators the ability to apply Conditional Access policies to those resources.

Devices that are Azure AD joined or hybrid Azure AD joined benefit from SSO to your organization's on-premises resources as well as cloud resources. More information can be found in the article How SSO to on-premises resources works on Azure AD joined devices.

Device security

  • Azure AD registered devices use an account managed by the end user. This account is either a Microsoft account or another locally managed credential, secured with one or more of the following:
    • Password
    • PIN
    • Pattern
    • Windows Hello
  • Azure AD joined or hybrid Azure AD joined devices use an organizational account in Azure AD, secured with one or more of the following:
    • Password
    • Windows Hello for Business

Provisioning

Getting devices into Azure AD can be done in a self-service manner or through a controlled provisioning process run by administrators.

Summary

With device identity management in Azure AD, you can:

  • Simplify the process of bringing devices into Azure AD and managing them
  • Provide your users with easy-to-use access to your organization's cloud-based resources

License requirements

Using this feature requires an Azure AD Premium P1 license. To find the right license for your requirements, see Comparing generally available features of the Free, Basic, and Premium editions.

Next steps