Enterprise Agreement enrollment and Azure Active Directory tenants

Plan for enterprise enrollment

An Enterprise Agreement (EA) enrollment represents the commercial relationship between Microsoft and how your organization uses Azure. It provides the basis for billing across all your subscriptions and affects administration of your digital estate. Your EA enrollment is managed via the Azure EA portal. An enrollment often represents an organization's hierarchy, which includes departments, accounts, and subscriptions. This hierarchy represents cost-enrollment groups within an organization.

[Diagram showing the Azure EA hierarchy.]

Figure 1: An Azure EA enrollment hierarchy.

  • Departments help to segment costs into logical groupings and to set a budget or quota at the department level. The quota isn't enforced firmly and is used for reporting purposes.
  • Accounts are organizational units in the Azure EA portal. They can be used to manage subscriptions and access reports.
  • Subscriptions are the smallest unit in the Azure EA portal. They're containers for Azure services managed by the Service Administrator. They're where your organization deploys Azure services.
  • EA enrollment roles link users with their functional role. These roles are:
    • Enterprise Administrator
    • Department Administrator
    • Account Owner
    • Service Administrator
    • Notification Contact

Design considerations:

  • The enrollment provides a hierarchical organizational structure to govern the management of subscriptions.
  • Multiple environments can be separated at an EA-account level to support holistic isolation.
  • There can be multiple administrators appointed to a single enrollment.
  • Each subscription must have an associated Account Owner.
  • Each Account Owner will be made a subscription owner for any subscriptions provisioned under that account.
  • A subscription can belong to only one account at any given time.
  • A subscription can be suspended based on a specified set of criteria.

Design recommendations:

  • Use only the authentication type Work or school account for all account types. Avoid using the Microsoft account (MSA) account type.
  • Set up the Notification Contact email address to ensure notifications are sent to an appropriate group mailbox.
  • Assign a budget for each account, and establish an alert associated with the budget.
  • An organization can have a variety of structures, such as functional, divisional, geographic, matrix, or team structures. Use that organizational structure to map your organization to your enrollment hierarchy.
  • Create a new department for IT if business domains have independent IT capabilities.
  • Restrict and minimize the number of Account Owners within the enrollment to avoid the proliferation of admin access to subscriptions and associated Azure resources.
  • If multiple Azure Active Directory (Azure AD) tenants are used, verify that the Account Owner is associated with the same tenant as the one where the account's subscriptions are provisioned.
  • Set up Enterprise Dev/Test and production environments at an EA account level to support holistic isolation.
  • Don't ignore notification emails sent to the notification account email address. Microsoft sends important EA-wide communications to this account.
  • Don't move or rename an EA account in Azure AD.
  • Periodically audit the EA portal to review who has access, and avoid using a Microsoft account where possible.
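The recommendations above boil down to a few checks that can be scripted against an export of the enrollment's accounts: no MSA-type Account Owners, each Account Owner in the same tenant as that account's subscriptions, and a bounded number of distinct owners. The following is an added example, not Microsoft's code or a documented EA export format; the record shape, the MSA domain list and the owner threshold are assumptions, and the data is constructed.

```python
"""Audit EA enrollment accounts against the design recommendations."""
from collections import Counter

# Consumer login domains treated as Microsoft account (MSA) owners (assumed list).
MSA_DOMAINS = {"outlook.com", "hotmail.com", "live.com"}

# Constructed sample export: one record per EA account, with the owner's
# tenant and the subscriptions provisioned under it (tenant IDs are placeholders).
ACCOUNTS = [
    {"account": "corp-prod", "owner": "alice@contoso.com", "ownerTenant": "tenant-A",
     "subscriptions": [{"name": "prod-1", "tenantId": "tenant-A"}]},
    {"account": "corp-dev", "owner": "bob@outlook.com", "ownerTenant": "tenant-A",
     "subscriptions": [{"name": "dev-1", "tenantId": "tenant-A"}]},
    {"account": "lab", "owner": "carol@contoso.com", "ownerTenant": "tenant-A",
     "subscriptions": [{"name": "lab-1", "tenantId": "tenant-B"},
                       {"name": "lab-2", "tenantId": "tenant-A"}]},
]


def audit(accounts, max_owners=3):
    """Return (account, finding, detail) tuples; an empty list means no findings.

    max_owners is an assumed organizational threshold for distinct Account Owners.
    """
    findings = []
    owners = Counter()
    for acct in accounts:
        owner = acct["owner"]
        owners[owner] += 1
        # Recommendation: avoid the Microsoft account (MSA) account type.
        domain = owner.rsplit("@", 1)[-1].lower()
        if domain in MSA_DOMAINS:
            findings.append((acct["account"], "msa-owner", owner))
        # Recommendation: owner tenant must match the tenant of each subscription.
        for sub in acct["subscriptions"]:
            if sub["tenantId"] != acct["ownerTenant"]:
                findings.append((acct["account"], "tenant-mismatch", sub["name"]))
    # Recommendation: keep the number of Account Owners small.
    if len(owners) > max_owners:
        findings.append(("enrollment", "too-many-owners", str(len(owners))))
    return findings


if __name__ == "__main__":
    for account, finding, detail in audit(ACCOUNTS):
        print(f"{account}: {finding} ({detail})")
```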

Define Azure AD tenants

An Azure AD tenant provides identity and access management, which is an important part of your security posture. An Azure AD tenant ensures that authenticated and authorized users have access to only the resources for which they have access permissions. Azure AD provides these services to applications and services deployed in Azure and also to services and applications deployed outside of Azure (such as on-premises or third-party cloud providers).

Azure AD is also used by software as a service applications such as Microsoft 365 and Azure Marketplace. Organizations already using on-premises Active Directory can use their existing infrastructure and extend authentication to the cloud by integrating with Azure AD. Each Azure AD directory has one or more domains. A directory can have many subscriptions associated with it but only one Azure AD tenant.

Ask basic security questions during the Azure AD design phase, such as how your organization manages credentials and how it controls human, application, and programmatic access.

Design considerations:

  • Multiple Azure AD tenants can function in the same enrollment.

Design recommendations:

  • Use Azure AD seamless single sign-on based on the selected planning topology.
  • If your organization doesn't have an identity infrastructure, start by implementing an Azure-AD-only identity deployment. Such a deployment, with Azure AD Domain Services and Microsoft Enterprise Mobility + Security, provides end-to-end protection for SaaS applications, enterprise applications, and devices.
  • Multi-factor authentication provides another layer of security and a second barrier of authentication. Enforce multi-factor authentication and conditional access policies for all privileged accounts for greater security.
  • Plan and implement emergency access or break-glass accounts to prevent tenant-wide account lockout.
  • Use Azure AD Privileged Identity Management for identity and access management.
  • If dev/test and production are going to be isolated environments from an identity perspective, separate them at a tenant level via multiple tenants.
  • Avoid creating a new Azure AD tenant unless there's a strong identity and access management justification and processes are already in place.
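The MFA and break-glass recommendations above interact: a conditional access policy that requires MFA for privileged roles must exclude the emergency access accounts, or a failure of the MFA path can lock the tenant out. The following is an added example, not Microsoft's code; it builds a policy body in the shape of the Microsoft Graph conditionalAccessPolicy resource and checks it before submission. The Global Administrator role template ID is the real built-in value; the break-glass object IDs are constructed placeholders.

```python
"""Build and sanity-check a Conditional Access policy for privileged roles."""

# Built-in Azure AD role template ID for Global Administrator.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"

# Constructed placeholder object IDs of the two emergency access accounts.
BREAK_GLASS = ["00000000-0000-0000-0000-00000000bg01",
               "00000000-0000-0000-0000-00000000bg02"]


def build_mfa_policy(break_glass_ids, role_ids,
                     state="enabledForReportingButNotEnforced"):
    """Return a Graph conditionalAccessPolicy body requiring MFA for the given
    directory roles across all cloud apps, excluding the break-glass accounts.
    The default state is report-only so the policy can be validated first."""
    return {
        "displayName": "Require MFA for privileged directory roles",
        "state": state,
        "conditions": {
            "users": {
                "includeRoles": list(role_ids),
                "excludeUsers": list(break_glass_ids),
            },
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def check_policy(policy, break_glass_ids):
    """Return a list of problems; empty means the policy is safe to submit."""
    problems = []
    users = policy.get("conditions", {}).get("users", {})
    excluded = set(users.get("excludeUsers", []))
    # Every emergency access account must be outside the policy's scope.
    for account in break_glass_ids:
        if account not in excluded:
            problems.append(f"break-glass account {account} not excluded")
    # The policy must actually require MFA, not merely target the roles.
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    if "mfa" not in controls:
        problems.append("policy does not require MFA")
    if not users.get("includeRoles"):
        problems.append("policy targets no directory roles")
    return problems


if __name__ == "__main__":
    policy = build_mfa_policy(BREAK_GLASS, [GLOBAL_ADMIN_ROLE])
    print(check_policy(policy, BREAK_GLASS) or "policy passes checks")
```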