
Take over an unmanaged directory as administrator in Azure Active Directory

This article describes two ways to take over a DNS domain name in an unmanaged directory in Azure Active Directory (Azure AD). When a self-service user signs up for a cloud service that uses Azure AD, they are added to an unmanaged Azure AD directory based on their email domain. For more about self-service or "viral" sign-up for a service, see What is self-service sign-up for Azure Active Directory?

Decide how you want to take over an unmanaged directory

During the process of admin takeover, you can prove ownership as described in Add a custom domain name to Azure AD. The next sections explain the admin experience in more detail, but here's a summary:

  • When you perform an "internal" admin takeover of an unmanaged Azure directory, you are added as the global administrator of the unmanaged directory. No users, domains, or service plans are migrated to any other directory you administer.

  • When you perform an "external" admin takeover of an unmanaged Azure directory, you add the DNS domain name of the unmanaged directory to your managed Azure directory. When you add the domain name, a mapping of users to resources is created in your managed Azure directory so that users can continue to access services without interruption.

Internal admin takeover

Some products that include SharePoint and OneDrive, such as Microsoft 365, do not support external takeover. If that is your scenario, or if you are an admin and want to take over an unmanaged or "shadow" Azure AD organization created by users who used self-service sign-up, you can do this with an internal admin takeover.

  1. Create a user context in the unmanaged organization by signing up for Power BI. For convenience of example, these steps assume that path.

  2. Open the Power BI site and select Start Free. Enter a user account that uses the domain name for the organization; for example, admin@fourthcoffee.xyz. After you enter the verification code, check your email for the confirmation code.

  3. In the confirmation email from Power BI, select Yes, that's me.

  4. Sign in to the Microsoft 365 admin center with the Power BI user account. You receive a message that instructs you to Become the Admin of the domain name that was already verified in the unmanaged organization. Select Yes, I want to be the admin.

    Screenshot: the first "Become the admin" page

  5. Add the TXT record to prove that you own the domain name fourthcoffee.xyz at your domain name registrar. In this example, it is GoDaddy.com.

    Screenshot: adding the TXT record for the domain name

When the DNS TXT records are verified at your domain name registrar, you can manage the Azure AD organization.

When you complete the preceding steps, you are now the global administrator of the Fourth Coffee organization in Microsoft 365. To integrate the domain name with your other Azure services, you can remove it from Microsoft 365 and add it to a different managed organization in Azure.

Adding the domain name to a managed organization in Azure AD

  1. Open the Microsoft 365 admin center.

  2. Select the Users tab, and create a new user account with a name like user@fourthcoffeexyz.onmicrosoft.com that does not use the custom domain name.

  3. Ensure that the new user account has global admin privileges for the Azure AD organization.

  4. Open the Domains tab in the Microsoft 365 admin center, select the domain name, and select Remove.

    Screenshot: removing the domain name from Microsoft 365

  5. If you have any users or groups in Microsoft 365 that reference the removed domain name, they must be renamed to the .onmicrosoft.com domain. If you force delete the domain name, all users are automatically renamed, in this example to user@fourthcoffeexyz.onmicrosoft.com.

  6. Sign in to the Azure AD admin center with an account that is the global admin for the Azure AD organization.

  7. Select Custom domain names, then add the domain name. You'll have to enter the DNS TXT records to verify ownership of the domain name.

    Screenshot: the domain verified and added to Azure AD

Note

Any users of Power BI or Azure Rights Management service who have licenses assigned in the Microsoft 365 organization must save their dashboards if the domain name is removed. They must sign in with a user name like user@fourthcoffeexyz.onmicrosoft.com rather than user@fourthcoffee.xyz.

External admin takeover

If you already manage an organization with Azure services or Microsoft 365, you cannot add a custom domain name if it is already verified in another Azure AD organization. However, from your managed organization in Azure AD you can take over an unmanaged organization as an external admin takeover. The general procedure follows the article Add a custom domain to Azure AD.

When you verify ownership of the domain name, Azure AD removes the domain name from the unmanaged organization and moves it to your existing organization. External admin takeover of an unmanaged directory requires the same DNS TXT validation process as internal admin takeover. The difference is that the following are also moved over with the domain name:

  • Users
  • Subscriptions
  • License assignments

Support for external admin takeover

External admin takeover is supported by the following online services:

  • Azure Rights Management
  • Exchange Online

The supported service plans include:

  • PowerApps Free
  • PowerFlow Free
  • RMS for individuals
  • Microsoft Stream
  • Dynamics 365 free trial

External admin takeover is not supported for any service that has service plans that include SharePoint, OneDrive, or Skype For Business; for example, through an Office free subscription.

You can optionally use the ForceTakeover option to remove the domain name from the unmanaged organization and verify it on the desired organization.

More information about RMS for individuals

For RMS for individuals, when the unmanaged organization is in the same region as the organization that you own, the automatically created Azure Information Protection organization key and default protection templates are additionally moved over with the domain name.

The key and templates are not moved over when the unmanaged organization is in a different region; for example, if the unmanaged organization is in Europe and the organization that you own is in North America.

Although RMS for individuals is designed to support Azure AD authentication to open protected content, it doesn't prevent users from also protecting content. If users did protect content with the RMS for individuals subscription, and the key and templates were not moved over, that content is not accessible after the domain takeover.

Azure AD PowerShell cmdlets for the ForceTakeover option

You can see these cmdlets used in the PowerShell example below.

cmdlet and usage:

  connect-msolservice
    When prompted, sign in to your managed organization.

  get-msoldomain
    Shows your domain names associated with the current organization.

  new-msoldomain -name <domainname>
    Adds the domain name to the organization as Unverified (no DNS verification has been performed yet).

  get-msoldomain
    The domain name is now included in the list of domain names associated with your managed organization, but is listed as Unverified.

  get-msoldomainverificationdns -Domainname <domainname> -Mode DnsTxtRecord
    Provides the information to put into a new DNS TXT record for the domain (MS=xxxxx). Verification might not happen immediately because it takes some time for the TXT record to propagate, so wait a few minutes before considering the -ForceTakeover option.

  confirm-msoldomain -Domainname <domainname> -ForceTakeover Force
    • If your domain name is still not verified, you can proceed with the -ForceTakeover option. It verifies that the TXT record was created and kicks off the takeover process.
    • The -ForceTakeover option should be added to the cmdlet only when forcing an external admin takeover, such as when the unmanaged organization has Microsoft 365 services blocking the takeover.

  get-msoldomain
    The domain list now shows the domain name as Verified.

Note

The unmanaged Azure AD organization is deleted 10 days after you exercise the external takeover force option.

PowerShell example

  1. Connect to Azure AD using the credentials that were used to respond to the self-service offering:

     Install-Module -Name MSOnline
     $msolcred = get-credential

     connect-msolservice -credential $msolcred

  2. Get a list of domains:

     Get-MsolDomain

  3. Run the Get-MsolDomainVerificationDns cmdlet to create a challenge:

     Get-MsolDomainVerificationDns -DomainName <your_domain_name> -Mode DnsTxtRecord

     For example:

     Get-MsolDomainVerificationDns -DomainName contoso.com -Mode DnsTxtRecord

  4. Copy the value (the challenge) that is returned from this command. For example:

     MS=32DD01B82C05D27151EA9AE93C5890787F0E65D9

  5. In your public DNS namespace, create a DNS TXT record that contains the value that you copied in the previous step. The name for this record is the name of the parent domain, so if you create this resource record by using the DNS role from Windows Server, leave the Record name blank and just paste the value into the Text box.

  6. Run the Confirm-MsolDomain cmdlet to verify the challenge:

     Confirm-MsolDomain -DomainName <your_domain_name> -ForceTakeover Force

     For example:

     Confirm-MsolDomain -DomainName contoso.com -ForceTakeover Force


A successful challenge returns you to the prompt without an error.
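Because the TXT record may not have propagated yet, and because -ForceTakeover deletes the unmanaged organization 10 days later, it is worth checking public DNS before choosing between plain verification and the force option. The following is an added example, not code from the original article: it compares the MS= challenge that Azure AD expects with the TXT strings a public resolver actually returns, and runs the ordinary Confirm-MsolDomain only when they match. It assumes the MSOnline module is installed and Connect-MsolService has already been run; contoso.com and the 8.8.8.8 resolver are placeholders.

```powershell
# Added example (not from the original article). Assumes the MSOnline module is
# installed and Connect-MsolService has already been run for the managed organization.
# The domain name and resolver below are placeholders.
$DomainName = 'contoso.com'   # placeholder: the domain being taken over
$Resolver   = '8.8.8.8'       # a public resolver, so you see what Azure AD will see

# The challenge Azure AD expects for this domain (MS=xxxxx), taken from the
# Text property of the record returned by Get-MsolDomainVerificationDns.
$expected = (Get-MsolDomainVerificationDns -DomainName $DomainName -Mode DnsTxtRecord).Text

# Every TXT string currently published at the domain apex, as seen from the resolver.
# SilentlyContinue so a domain with no TXT records yields an empty list, not an error.
$published = Resolve-DnsName -Name $DomainName -Type TXT -Server $Resolver -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Strings }

if ($published -contains $expected) {
    Write-Host "Challenge '$expected' is visible in public DNS; verifying without -ForceTakeover."
    # Plain verification first: -ForceTakeover is only for the case where the unmanaged
    # organization's Microsoft 365 services block the takeover, and it deletes that
    # organization 10 days later.
    Confirm-MsolDomain -DomainName $DomainName
}
else {
    Write-Host "Challenge '$expected' is not visible yet (published: $($published -join '; '))."
    Write-Host "Wait for propagation and re-run; consider -ForceTakeover only if it never appears."
}
```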

Next steps