Microsoft responsibilities

Microsoft has the following responsibilities during onboarding.


  • Provide remote support assistance to you for the required configuration activities, as listed in the detailed phase descriptions.

  • Provide available documentation and software tools, admin consoles, and scripts to help you reduce or eliminate configuration tasks.

Initiate phase

  • Contact you within 30 days of the purchase of eligible licenses for a new tenant.

  • Work with you to begin onboarding.

  • Define which eligible services you want to onboard.

Assess phase

  • Provide an administrative overview.

  • Provide guidance about:

    • DNS, network, and infrastructure needs.

    • Client needs (Internet browser, client operating system, and service needs).

    • User identity and provisioning.

    • Enabling the eligible services that have been purchased and defined as part of the onboarding.

  • Establish the timeline for remediation activities.

  • Provide a remediation checklist.

Remediate phase

  • Hold conference calls with you according to the agreed-upon schedule to review the progress of the remediation activities.

  • Assist with running tools to identify and remediate issues, and with interpreting the results.

Enable phase

Provide guidance about:

  • Activating your Microsoft online service tenant.

  • Configuring TCP/IP protocols and firewall ports.

  • Configuring DNS for eligible services.

  • Validating connectivity to Microsoft online services.

  • For a single-forest environment:

    • Installing a directory synchronization server between your Active Directory Domain Services (AD DS) and the eligible Microsoft online services (if required).

    • Configuring password synchronization (password hash) to Microsoft Intune (Azure Active Directory) with the Azure Active Directory Connect tool.


      Development and implementation of custom rules extensions are out of scope.

  • For a single forest when the target is federated identities: installing and configuring Active Directory Federation Services (AD FS) for local domain authentication with Intune in a single-site, fault-tolerant configuration, if required.


    For all multiple-forest configurations, AD FS deployments are out of scope.

  • Testing single sign-on (SSO) functionality, if deployed.
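The DNS, firewall-port and connectivity items above are the ones most often found broken when the Enable phase starts, so it helps to have a repeatable check to run on the future directory synchronization server or a domain-joined workstation before the session. The script below is an added example, not part of the original page or a Microsoft FastTrack tool. The endpoint list, the expected CNAME targets for Intune enrollment and the record types it queries are assumptions for illustration; take the authoritative lists from the current Office 365 and Intune network-requirements documentation before relying on them.

```powershell
# Added example (not from the original page): pre-flight DNS and connectivity check
# for the Enable phase. Requires Windows PowerShell 4.0+ (Resolve-DnsName, Test-NetConnection).
param(
    [Parameter(Mandatory)][string]$Domain,   # the custom domain you will verify in the tenant, e.g. contoso.com
    [string]$DnsServer                       # optional: query this resolver instead of the client's default
)

# Sign-in, Graph and Intune endpoints that tenant activation and enrollment depend on.
# Assumed list for illustration; confirm against the published URL/IP ranges.
$endpoints = @(
    'login.microsoftonline.com',
    'graph.microsoft.com',
    'manage.microsoft.com',
    'enterpriseregistration.windows.net'
)

# CNAME records Intune device enrollment expects for a custom domain (assumed targets).
$expectedCnames = @{
    "enterpriseenrollment.$Domain"   = 'enterpriseenrollment-s.manage.microsoft.com'
    "enterpriseregistration.$Domain" = 'enterpriseregistration.windows.net'
}

$dnsArgs = @{ ErrorAction = 'SilentlyContinue' }
if ($DnsServer) { $dnsArgs['Server'] = $DnsServer }

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Result = $(if ($Ok) { 'OK' } else { 'FAIL' }); Detail = $Detail })
}

# 1. The domain must resolve at all, and should publish an SPF TXT record
#    (mail from the tenant is rejected or marked as spam otherwise).
$txt = Resolve-DnsName -Name $Domain -Type TXT @dnsArgs
$spf = $txt | Where-Object { ($_.Strings -join '') -like 'v=spf1*' }
Add-Result "SPF TXT record for $Domain" ($null -ne $spf) $(if ($spf) { $spf.Strings -join '' } else { 'no v=spf1 record' })

# 2. Intune enrollment CNAMEs point at the expected targets.
foreach ($name in $expectedCnames.Keys) {
    $rec    = Resolve-DnsName -Name $name -Type CNAME @dnsArgs | Where-Object { $_.Type -eq 'CNAME' }
    $target = if ($rec) { $rec.NameHost.TrimEnd('.') } else { 'NXDOMAIN' }
    Add-Result "CNAME $name" ($target -ieq $expectedCnames[$name]) $target
}

# 3. Outbound TCP/443 to each service endpoint; a proxy or egress ACL that blocks
#    any of these will fail tenant activation and SSO testing later in the phase.
foreach ($host in $endpoints) {
    $t = Test-NetConnection -ComputerName $host -Port 443 -WarningAction SilentlyContinue
    Add-Result "TCP 443 to $host" $t.TcpTestSucceeded ("$($t.RemoteAddress)")
}

$results | Format-Table -AutoSize
$failed = @($results | Where-Object Result -eq 'FAIL').Count
if ($failed -gt 0) { Write-Warning "$failed check(s) failed"; exit 1 }
```

Run it as `.\Test-OnboardingPrereqs.ps1 -Domain contoso.com`; a non-zero exit code makes it easy to gate the hand-off to the remediation call on a clean run. Querying an external resolver with `-DnsServer` alongside the internal one also exposes split-brain DNS, where the internal zone lacks the records that public clients can see.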

Enable phase - Microsoft Azure Active Directory Premium

Provide guidance about:

  • Activating your Azure AD Premium tenant.

  • Configuring firewall ports.

  • Configuring DNS for eligible services.

  • Validating connectivity to Azure AD Premium services.

  • For a single-forest environment:

    • Installing directory synchronization between your Active Directory Domain Services (AD DS) and Azure AD with the Azure AD Connect tool, if required.

    • Configuring password synchronization with the Azure AD Connect tool.

  • For a multiple-forest environment:

    • Installing Azure AD Connect synchronization, set up for multiple-forest scenarios.


      Password hash sync and password writeback support multiple forests. However, other writeback scenarios aren't supported.

    • Configuring synchronization between on-premises Active Directory forests and the Microsoft Azure Active Directory Premium directory (Azure Active Directory).


      Development and implementation of custom rules extensions are out of scope.

  • For a single forest when the target is federated identities:

    • Installing and configuring AD FS for local domain authentication with Azure AD Premium in a single-site, fault-tolerant configuration (if required).

    For all multiple-forest configurations, AD FS deployments are out of scope.

  • Testing SSO functionality (if deployed).

Enable phase - Azure AD Premium with Azure AD Connect and AD FS

Provide guidance about setting up:

  • User provisioning, including licensing.

  • Azure AD Connect directory synchronization (with password writeback and password hash sync).

  • Self-Service Password Reset (SSPR).

  • Azure Multi-Factor Authentication.

  • One Software as a Service (SaaS) application integration with SSO from the Azure Active Directory Marketplace.

  • Customized logon screen, including logo, text and images.

  • Self-service and dynamic groups.

  • Azure Active Directory Application Proxy.

  • Azure AD Connect Health.

  • Identity Protection.

  • Privileged Identity Management.

  • Usage and security reports for administrators.

  • Administrative notifications and alerts.
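Two items above make claims worth verifying on the Azure AD Connect server itself: the multiple-forest note in the Azure AD Premium section (password hash sync and password writeback are supported across forests, other writeback scenarios are not) and the directory synchronization item in this list (password writeback plus password hash sync). The script below is an added example, not part of the original page or of Azure AD Connect. It uses the `ADSync` module's `Get-ADSyncAADCompanyFeature`, `Get-ADSyncScheduler` and `Get-ADSyncConnector` cmdlets; the property names it reads (`PasswordHashSync`, `PasswordWriteBack`, `ConnectorTypeName`, `StagingModeEnabled`) are those shown by current builds and are treated here as assumptions, which is why the writeback features are discovered by name pattern rather than hard-coded.

```powershell
# Added example (not from the original page): report the sync features actually enabled
# on an Azure AD Connect server and flag writeback features that the onboarding text
# says are unsupported when more than one on-premises forest is connected.
# Run in an elevated session on the Azure AD Connect server.
Import-Module ADSync -ErrorAction Stop

$features  = Get-ADSyncAADCompanyFeature
$scheduler = Get-ADSyncScheduler

# On-premises forests appear as connectors of type 'AD'; the Azure AD connector does not.
# (ConnectorTypeName value is an assumption; adjust if your build reports it differently.)
$forests = @(Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' })
$multiForest = $forests.Count -gt 1

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Item, [string]$State, [string]$Note) {
    $findings.Add([pscustomobject]@{ Item = $Item; State = $State; Note = $Note })
}

Add-Finding 'Connected AD forests' $forests.Count ($forests.Name -join ', ')

# The two features the page says are supported in every topology.
Add-Finding 'Password hash sync' $features.PasswordHashSync 'supported for single and multiple forests'
Add-Finding 'Password writeback'  $features.PasswordWriteBack 'supported for single and multiple forests; required for SSPR writeback'

# Every other *Writeback feature that is switched on. In a multi-forest deployment the
# page states these are out of scope, so they are flagged rather than silently listed.
$otherWriteback = $features.PSObject.Properties |
    Where-Object { $_.Name -match 'Writeback' -and $_.Name -notmatch '^PasswordWrite' -and $_.Value -eq $true }
foreach ($p in $otherWriteback) {
    $note = if ($multiForest) { 'UNSUPPORTED with multiple forests' } else { 'enabled' }
    Add-Finding $p.Name $p.Value $note
}

# Scheduler state: a server left in staging mode exports nothing, and a disabled
# sync cycle means password hashes are never refreshed in Azure AD.
Add-Finding 'Sync cycle enabled' $scheduler.SyncCycleEnabled "interval $($scheduler.CurrentlyEffectiveSyncCycleInterval)"
Add-Finding 'Staging mode'       $scheduler.StagingModeEnabled 'must be False on the active server'

$findings | Format-Table -AutoSize

$problems = @($findings | Where-Object { $_.Note -like 'UNSUPPORTED*' }).Count
if (-not $scheduler.SyncCycleEnabled -or $scheduler.StagingModeEnabled) { $problems++ }
if ($problems -gt 0) { Write-Warning "$problems configuration issue(s) found"; exit 1 }
```

Pairing this output with the tenant-side view (for example the sync status in Azure AD Connect Health, listed above) catches the common hand-off gap where writeback was enabled in the wizard but the service account was never granted the corresponding on-premises permissions, which surfaces only as export errors on the next sync cycle.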

Enable phase - Intune

Provide guidance about:

  • Licensing your end users.

  • Configuring identities to be used by Intune, by leveraging either your on-premises Active Directory or cloud identities.

  • Adding users to your Intune subscription, defining IT admin roles, and creating user and device groups.

  • Configuring your Mobile Device Management (MDM) authority, based on your management needs, including:

    • Setting Intune as your MDM authority when Intune is your only MDM solution or is used in conjunction with Mobile Device Management for Office 365.

    • Setting System Center Configuration Manager as your MDM authority if you have an existing implementation of Configuration Manager and want to expand its management capabilities with Intune.


      If you only want to leverage MDM over your end users' owned devices, shared devices, or kiosk-type devices, setting up an MDM authority is not required.

    • Configuring test groups to be used to validate MDM management policies.

    • Configuring MDM management policies and services such as:

      • Application deployment for each supported platform through web links or deep links.

      • Conditional access policies.

      • Deployment of email, wireless network, and VPN profiles, if you have an existing certificate authority, Wi-Fi, or VPN infrastructure in your organization.

      • Setting up the Microsoft Intune Exchange Connector (when applicable).

    • Enrolling devices of each supported platform in Intune, or in Configuration Manager with the Microsoft Intune service.

    • Using hardware and software inventory reports.

    • Configuring MAM policies for each supported platform.

    • Configuring conditional access policies for managed apps.

    • Targeting the appropriate user groups with the above MAM policies.

    • Using managed-application usage reports.

    • Installing the Intune client software (when needed).

    • Using the software and hardware reports available in Intune.

Want to learn more?

Enterprise Mobility + Security