What is Azure Active Directory?

Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service. It lets your employees sign in and access resources in:

  • External resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS applications.

  • Internal resources, such as apps on your corporate network and intranet, along with any cloud apps developed by your own organization.

You can use the Microsoft Cloud for Enterprise Architects Series posters to better understand the core identity services in Azure, Azure AD, and Office 365.

Who uses Azure AD?

Azure AD is intended for:

  • IT admins. As an IT admin, you can use Azure AD to control access to your apps and app resources according to your business requirements. For example, you can use Azure AD to require multi-factor authentication when users access important organizational resources. You can also use Azure AD to automate user provisioning between your existing Windows Server AD and your cloud apps, including Office 365. Finally, Azure AD gives you tools that help protect user identities and credentials automatically and meet your access governance requirements. To get started, sign up for a free 30-day Azure Active Directory Premium trial.

  • App developers. As an app developer, you can use Azure AD as a standards-based way to add single sign-on (SSO) to your app, so that it works with a user's existing credentials. Azure AD also provides APIs that help you build personalized app experiences from existing organizational data. To get started, sign up for a free 30-day Azure Active Directory Premium trial. For more information, see Azure Active Directory for developers.

  • Microsoft 365, Office 365, Azure, or Dynamics CRM Online subscribers. As a subscriber, you are already using Azure AD. Each Microsoft 365, Office 365, Azure, and Dynamics CRM Online tenant is automatically an Azure AD tenant, so you can immediately start managing access to your integrated cloud apps.

What are the Azure AD licenses?

Microsoft Online business services, such as Office 365 and Microsoft Azure, require Azure AD for sign-in and to help with identity protection. If you subscribe to any Microsoft Online business service, you automatically get Azure AD with access to all of the free features.

To enhance your Azure AD implementation, you can add paid capabilities by upgrading to an Azure Active Directory Premium P1 or Premium P2 license. The paid licenses are built on top of your existing free directory and add self-service, enhanced monitoring, security reporting, and secure access for your mobile users.


For the pricing options of these licenses, see Azure Active Directory Pricing.

Azure Active Directory Premium P1 and Premium P2 are not currently supported in China. For more information about Azure AD pricing, see the Azure Active Directory Forum.

  • Azure Active Directory Free. Provides user and group management, on-premises directory synchronization, basic reports, self-service password change for cloud users, and single sign-on across Azure, Office 365, and many popular SaaS apps.

  • Azure Active Directory Premium P1. In addition to the Free features, P1 lets your hybrid users access both on-premises and cloud resources. It also supports advanced administration such as dynamic groups, self-service group management, Microsoft Identity Manager (an on-premises identity and access management suite), and cloud write-back, which enables self-service password reset for your on-premises users.

  • Azure Active Directory Premium P2. In addition to the Free and P1 features, P2 offers Azure Active Directory Identity Protection, which provides risk-based Conditional Access to your apps and critical company data, and Privileged Identity Management, which helps you discover, restrict, and monitor administrators and their access to resources, and grants just-in-time access when it is needed.

  • "Pay as you go" feature licenses. You can also buy additional feature licenses, such as Azure Active Directory Business-to-Customer (B2C). B2C helps you provide identity and access management for your customer-facing apps. For more information, see the Azure Active Directory B2C documentation.

For more information about associating an Azure subscription with Azure AD, see How to: Associate or add an Azure subscription to Azure Active Directory. For more information about assigning licenses to your users, see How to: Assign or remove Azure Active Directory licenses.


To better understand Azure AD and its documentation, we recommend reviewing the following terms.

  • Identity. A thing that can be authenticated. An identity can be a user with a username and password. Identities also include applications or other servers that may need to authenticate with secret keys or certificates.

  • Account. An identity that has data associated with it. You cannot have an account without an identity.

  • Azure AD account. An identity created through Azure AD or another Microsoft cloud service, such as Office 365. These identities are stored in Azure AD and are accessible to your organization's cloud service subscriptions. This account is also sometimes called a work or school account.

  • Azure subscription. Used to pay for Azure cloud services. You can have many subscriptions; each is linked to a billing account (for example, a credit card) and trusts one Azure AD tenant for authentication.

  • Azure tenant. A dedicated and trusted instance of Azure AD that is created automatically when your organization signs up for a Microsoft cloud service subscription, such as Microsoft Azure, Microsoft Intune, or Office 365. An Azure tenant represents a single organization.

  • Single tenant. An Azure tenant, or an application registered in it, that serves only its own organization in a dedicated environment.

  • Multi-tenant. An Azure tenant or application that serves users from many organizations in a shared environment. A multi-tenant application therefore has to check which tenant each token it receives was issued for.

  • Azure AD directory. Each Azure tenant has a dedicated and trusted Azure AD directory. The directory holds the tenant's users, groups, and apps and is used to perform identity and access management functions for tenant resources.

  • Custom domain. Every new Azure AD directory comes with an initial domain name, domainname.onmicrosoft.com. In addition to that initial name, you can add your organization's own domain names (the names you do business under and that your users use to reach the organization's resources) to the list. Adding custom domain names lets you create user names that are familiar to your users, such as alain@contoso.com.

  • Account Administrator. This classic subscription administrator role is conceptually the billing owner of a subscription. It has access to the Azure Account Center and can manage all subscriptions in an account. For more information, see Classic subscription administrator roles, Azure role-based access control (RBAC) roles, and Azure AD administrator roles.

  • Service Administrator. This classic subscription administrator role can manage all Azure resources, including access. It has the same access as a user assigned the Owner role at the subscription scope. For more information, see Classic subscription administrator roles, Azure RBAC roles, and Azure AD administrator roles.

  • Owner. This role manages all Azure resources, including access. It is built on the newer authorization system, role-based access control (RBAC), which provides fine-grained access management for Azure resources. For more information, see Classic subscription administrator roles, Azure RBAC roles, and Azure AD administrator roles.

  • Azure AD Global administrator. This administrator role is assigned automatically to whoever created the Azure AD tenant. Global administrators can perform every administrative function in Azure AD and in any service that federates to Azure AD, such as Exchange Online, SharePoint Online, and Skype for Business Online. You can have multiple Global administrators, but only Global administrators (and the narrower Privileged Role administrator role) can assign administrator roles to users, including making other users Global administrators. Because the role is all-powerful, keep its membership small and review it regularly. This role is called Global administrator in the Azure portal, but Company administrator in the Microsoft Graph API and Azure AD PowerShell. For more information about the various administrator roles, see Administrator role permissions in Azure Active Directory.

  • Microsoft account (also called an MSA). A personal account that provides access to consumer-oriented Microsoft products and cloud services, such as Outlook, OneDrive, Xbox LIVE, or Office 365. Your Microsoft account is created and stored in the Microsoft consumer identity account system that Microsoft runs.
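The single-tenant and multi-tenant entries above, and the developer section's standards-based SSO, come down to one check an app must make on every token: that the token is for this app and that the issuer and the tenant claim name the same tenant. The following is an added example, not code from the original page or from Microsoft. It assumes the JWT signature has already been verified against the keys published at the tenant's discovery endpoint (that step is out of scope here), and the tenant ID, application ID and timestamps are constructed placeholders. The claim names (aud, iss, tid, exp, nbf) and the two issuer formats are the ones Azure AD issues.

```python
"""Claim validation for a token issued by Azure AD.

Added example (not code from the original page). It assumes the caller has
already verified the JWT signature against the signing keys published at the
tenant's discovery endpoint; only the claim checks that follow are shown.
The tenant ID, app ID and timestamps below are constructed for the example.
"""
import base64
import json
import time

# Issuer formats used by the v2.0 and v1.0 Azure AD endpoints. The tenant ID
# appears inside the issuer, so `iss` and `tid` must agree.
V2_ISSUER = "https://login.microsoftonline.com/{tid}/v2.0"
V1_ISSUER = "https://sts.windows.net/{tid}/"

# Constructed identifiers for the example (not real tenants or apps).
SAMPLE_TID = "11111111-2222-3333-4444-555555555555"
OTHER_TID = "99999999-8888-7777-6666-555555555555"
APP_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
FIXED_NOW = 1_700_000_000  # fixed clock so the checks are reproducible


class TokenError(ValueError):
    """Raised when a token must be rejected."""


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str):
    """Split a compact JWT into (header, payload). Does NOT check the signature;
    use it only to read `kid`/`tid` before fetching keys, never to trust claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("not a compact JWS (expected 3 segments)")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload


def validate_claims(payload: dict, expected_aud: str, allowed_tenants, now=None, skew=60) -> str:
    """Validate a signature-verified payload and return the tenant ID it belongs to.

    allowed_tenants: set of tenant IDs a single-tenant app accepts, or None for a
    multi-tenant app. In both cases `iss` must name the same tenant as `tid`, which
    stops a token minted for tenant B from being treated as if it came from tenant A.
    """
    now = time.time() if now is None else now
    aud = payload.get("aud")
    if aud != expected_aud:
        raise TokenError(f"aud {aud!r} is not this application")
    tid = payload.get("tid")
    if not isinstance(tid, str) or not tid:
        raise TokenError("missing tid claim")
    if allowed_tenants is not None and tid not in allowed_tenants:
        raise TokenError(f"tenant {tid} is not allowed for this app")
    iss = payload.get("iss")
    if iss not in (V2_ISSUER.format(tid=tid), V1_ISSUER.format(tid=tid)):
        raise TokenError(f"iss {iss!r} does not match tid {tid}")
    exp, nbf = payload.get("exp"), payload.get("nbf", 0)
    if not isinstance(exp, (int, float)):
        raise TokenError("missing exp claim")
    if now > exp + skew:
        raise TokenError("token expired")
    if now < nbf - skew:
        raise TokenError("token not yet valid")
    return tid


def reject_reason(payload, expected_aud, allowed_tenants, now=None):
    """Convenience wrapper: None when the token is acceptable, otherwise the reason."""
    try:
        validate_claims(payload, expected_aud, allowed_tenants, now=now)
        return None
    except TokenError as err:
        return str(err)


def sample_payload(tid=SAMPLE_TID, iss_tid=None, **overrides) -> dict:
    """Constructed payload using the claim names Azure AD issues."""
    claims = {
        "aud": APP_ID,
        "iss": V2_ISSUER.format(tid=iss_tid or tid),
        "tid": tid,
        "sub": "user-object-id-placeholder",
        "nbf": FIXED_NOW - 300,
        "exp": FIXED_NOW + 3600,
    }
    claims.update(overrides)
    return claims


def sample_token(payload: dict) -> str:
    """Compact JWT with a placeholder (invalid) signature segment, for the decode demo only."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT", "kid": "example-kid"}
    return f"{seg(header)}.{seg(payload)}.placeholder-signature"


if __name__ == "__main__":
    hdr, claims = decode_jwt_unverified(sample_token(sample_payload()))
    print("kid to look up:", hdr["kid"], "tenant:", claims["tid"])
    print("single-tenant app, own tenant:", reject_reason(claims, APP_ID, {SAMPLE_TID}, now=FIXED_NOW))
    print("single-tenant app, foreign tenant:", reject_reason(sample_payload(tid=OTHER_TID), APP_ID, {SAMPLE_TID}, now=FIXED_NOW))
    print("multi-tenant app, iss/tid mismatch:", reject_reason(sample_payload(iss_tid=OTHER_TID), APP_ID, None, now=FIXED_NOW))
```

The iss/tid consistency check is the one multi-tenant apps most often skip: accepting any tenant is a deliberate choice, but accepting a token whose issuer and tenant claim disagree is not, and the app should also map `tid` to its own per-customer authorization data rather than trusting anything else in the token to identify the organization.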

Which features work in Azure AD?

After you choose your Azure AD license, you get access to some or all of the following features for your organization:

  • Application management. Manage your cloud and on-premises apps using Application Proxy, single sign-on, the My Apps portal (also known as the Access panel), and Software as a Service (SaaS) apps. For more information, see How to provide secure remote access to on-premises applications and the Application Management documentation.

  • Authentication. Manage Azure Active Directory self-service password reset, Multi-Factor Authentication, the custom banned password list, and smart lockout. For more information, see the Azure AD Authentication documentation.

  • Business-to-Business (B2B). Manage your guest users and external partners while keeping control over your own corporate data. For more information, see the Azure Active Directory B2B documentation.

  • Business-to-Customer (B2C). Customize and control how users sign up, sign in, and manage their profiles when using your apps. For more information, see the Azure Active Directory B2C documentation.

  • Conditional Access. Manage access to your cloud apps. For more information, see the Azure AD Conditional Access documentation.

  • Azure Active Directory for developers. Build apps that sign in all Microsoft identities and get tokens to call Microsoft Graph, other Microsoft APIs, or custom APIs. For more information, see Microsoft identity platform (Azure Active Directory for developers).

  • Device Management. Manage how your cloud or on-premises devices access your corporate data. For more information, see the Azure AD Device Management documentation.

  • Domain services. Join Azure virtual machines to a domain without deploying your own domain controllers. For more information, see the Azure AD Domain Services documentation.

  • Enterprise users. Manage license assignment and access to apps, and set up delegates, using groups and administrator roles. For more information, see the Azure Active Directory user management documentation.

  • Hybrid identity. Use Azure Active Directory Connect and Connect Health to provide a single user identity for authentication and authorization to all resources, regardless of location (cloud or on-premises). For more information, see the Hybrid identity documentation.

  • Identity governance. Manage your organization's identities through access controls for employees, business partners, vendors, services, and apps. You can also perform access reviews. For more information, see the Azure AD identity governance documentation and Azure AD access reviews.

  • Identity protection. Detect potential vulnerabilities affecting your organization's identities, configure policies that respond to suspicious actions, and take appropriate action to resolve them. For more information, see Azure AD Identity Protection.

  • Managed identities for Azure resources. Gives your Azure services an automatically managed identity in Azure AD that can authenticate to any service that supports Azure AD authentication, including Key Vault, so that no credentials have to be stored in your code. For more information, see What is managed identities for Azure resources?.

  • Privileged Identity Management (PIM). Manage, control, and monitor access within your organization, including access to resources in Azure AD, Azure, and other Microsoft Online Services such as Office 365 or Intune. For more information, see Azure AD Privileged Identity Management.

  • Reports and monitoring. Gain insight into the security and usage patterns in your environment. For more information, see Azure Active Directory reports and monitoring.
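The Identity protection and Reports and monitoring features above are consumed in practice by reading the sign-in report. The following is an added example, not code from the original page or from Microsoft, that runs two simple checks over sign-in records: a single source IP failing invalid-credential attempts against several distinct accounts (the shape of a password spray, which smart lockout is designed to blunt), and successful sign-ins that carried sign-in risk but hit no Conditional Access policy, which is exactly what a risk-based policy is meant to cover. The records are constructed; their field names follow the Microsoft Graph signIn resource behind the report, error code 50126 is Azure AD's code for an invalid username or password, and the spray threshold is an assumption chosen for the example.

```python
"""Triage of Azure AD sign-in records: an added example, not code from the page.

The records below are constructed for the example. Their field names follow the
Microsoft Graph `signIn` resource behind the sign-in report (userPrincipalName,
ipAddress, status.errorCode, riskLevelDuringSignIn, conditionalAccessStatus);
error code 50126 is what Azure AD records for an invalid username or password.
The spray threshold is an assumption chosen for the example.
"""
from collections import defaultdict

INVALID_CREDENTIALS = 50126        # Azure AD error code: invalid username or password
SPRAY_MIN_DISTINCT_USERS = 3       # assumption: one IP failing against >= 3 accounts
RISKY_LEVELS = ("medium", "high")  # riskLevelDuringSignIn values worth a look


def _rec(when, user, ip, code, risk, ca):
    """Build one constructed record in the shape of a Graph signIn object."""
    return {"createdDateTime": when, "userPrincipalName": user, "ipAddress": ip,
            "status": {"errorCode": code}, "riskLevelDuringSignIn": risk,
            "conditionalAccessStatus": ca}


# Constructed sample data: documentation IP ranges and contoso.com placeholders.
SAMPLE_SIGNINS = [
    _rec("2024-05-01T08:00:01Z", "alice@contoso.com", "203.0.113.10", 50126, "none", "notApplied"),
    _rec("2024-05-01T08:00:02Z", "bob@contoso.com",   "203.0.113.10", 50126, "none", "notApplied"),
    _rec("2024-05-01T08:00:03Z", "carol@contoso.com", "203.0.113.10", 50126, "none", "notApplied"),
    _rec("2024-05-01T08:00:04Z", "dave@contoso.com",  "203.0.113.10", 50126, "none", "notApplied"),
    _rec("2024-05-01T08:00:05Z", "alice@contoso.com", "203.0.113.10", 50126, "none", "notApplied"),
    _rec("2024-05-01T09:12:40Z", "alice@contoso.com", "198.51.100.7", 0,     "high", "notApplied"),
    _rec("2024-05-01T09:30:00Z", "bob@contoso.com",   "192.0.2.5",    0,     "low",  "success"),
    _rec("2024-05-01T09:31:00Z", "carol@contoso.com", "192.0.2.5",    0,     "none", "notApplied"),
]


def find_password_spray(records, min_users=SPRAY_MIN_DISTINCT_USERS):
    """Map each source IP that produced invalid-credential failures against at
    least `min_users` distinct accounts to the sorted list of those accounts."""
    failed_users = defaultdict(set)
    for rec in records:
        if rec["status"]["errorCode"] == INVALID_CREDENTIALS:
            failed_users[rec["ipAddress"]].add(rec["userPrincipalName"])
    return {ip: sorted(users) for ip, users in failed_users.items() if len(users) >= min_users}


def find_unchecked_risky_signins(records, levels=RISKY_LEVELS):
    """Successful sign-ins that carried sign-in risk but matched no Conditional
    Access policy (conditionalAccessStatus == "notApplied"): nothing challenged them."""
    return [rec for rec in records
            if rec["status"]["errorCode"] == 0
            and rec["riskLevelDuringSignIn"] in levels
            and rec["conditionalAccessStatus"] == "notApplied"]


def triage(records):
    """Bundle both findings under stable keys so callers can act on them."""
    return {
        "password_spray": find_password_spray(records),
        "unchecked_risky": [(r["userPrincipalName"], r["ipAddress"])
                            for r in find_unchecked_risky_signins(records)],
    }


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_SIGNINS).items():
        print(f"{name}: {finding}")
```

On a real tenant the same functions apply to the records returned by the sign-in report export; the threshold and the risk levels are policy choices, and a sign-in whose risk level is "hidden" indicates the tenant lacks the P2 license that exposes Identity Protection risk detail.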

