Manage access at scale

Microsoft has been helping organizations manage identity since its founding. It provides not only an identity that goes with you everywhere, but also a set of tools to automate, secure, and manage IT within your organization. Even after the advent of cloud computing, there is still a need to manage and control IT tasks such as helpdesk calls to reset user passwords, user group management, and application requests.

How Enterprise Mobility + Security can help you

Enterprise Mobility + Security (EMS) is a comprehensive cloud solution that natively helps protect corporate data on the device itself and beyond, with four layers of protection across identities, devices, apps, and data. EMS helps you solve one of the key challenges of the mobile-first, cloud-first world: providing a comprehensive set of tools within Azure Active Directory (Azure AD) that help you with the following:

  • Advanced user lifecycle management
  • Low IT overhead and cost
  • Monitoring your identity bridge

Azure AD Premium is the recommended solution for giving your organization identity and access management.

Advanced user lifecycle management

Azure AD provides automated, advanced user lifecycle management by using dynamic group membership rules and application management capabilities. Here's more detail:

  • For organizations with on-premises HR, Microsoft Identity Manager establishes user identities in Windows Server Active Directory.
  • For organizations with software as a service (SaaS)-delivered HR, Azure AD currently integrates with Workday.
  • Azure AD Connect syncs users and groups between Windows Server Active Directory and Azure AD.
  • Azure AD provides group-based automated licensing for Office 365 and other Microsoft online services.

[Figure: diagram showing how Azure AD Connect syncs users and groups between Windows Server Active Directory and Azure Active Directory]

Application management

How many users like remembering a separate password for each application they use every day? Single sign-on addresses this common problem: you can sign in to several SaaS applications with a single user account and password. Single sign-on can be automatically provisioned for all the applications within your organization. This capability is available for Microsoft cloud applications like Office 365 and for third-party applications like Salesforce, ServiceNow, and Workday.

Here's more detail about single sign-on:

  • It works in the cloud, so you save time and money. On-premises solutions require you to set up and maintain perimeter networks, edge servers, or other complex infrastructure.
  • It is easier to set up and secure than on-premises solutions because you don't have to open any inbound connections through your firewall.
  • It offers strong security. When you publish your apps through Azure AD Application Proxy, you can take advantage of the authorization controls and security analytics in Azure. This means you get advanced security capabilities for all your existing apps without having to change any of them.
  • It gives your users a consistent authentication experience. Single sign-on gives your users access to all the apps they need to be productive with one password.

Low IT overhead and cost

Azure AD Premium offers self-service password reset, group management, and app management capabilities that improve the productivity of both IT staff and users in your organization. Users no longer need to call the helpdesk, answer a long list of questions, and then receive a temporary password by e-mail or over the phone in an insecure way.

Here's more detail about password reset:

  • It works with federated, password-synchronized, or cloud-only user accounts. It also enforces all of your on-premises password policies.
  • All traffic is encrypted with a tenant-specific key and carried over HTTPS.
  • Users can update their AD password or unlock their own AD accounts in real time.
  • Real-time notifications are sent to users and admins.

[Figure: diagram showing how Azure Active Directory provides self-service password reset to end users both on-premises and in the cloud]

Monitor your identity bridge

Azure AD Connect Health helps organizations monitor and gain insight into their on-premises identity infrastructure and synchronization services. It also helps organizations maintain a reliable connection to Office 365 and Microsoft Online Services by providing monitoring for their key identity components. These components include Active Directory Federation Services (AD FS) servers, Azure AD Connect servers, and Active Directory domain controllers (DCs).

Here's more detail about Azure AD Connect Health and the Azure AD reporting that accompanies it:

  • One-click audit and compliance through the Azure portal
  • Forensics and investigation: helps IT admins answer "who did what, where, and when"
  • Activity reports: audit, sign-ins, self-service password reset, group activity, app activity, app provisioning, and more
  • Security reports: mitigation and resolution guidance for security anomalies through Identity Protection

[Figure: diagram showing how Azure AD Connect Health helps organizations monitor key identity components such as AD FS servers, Azure AD Connect servers, and Active Directory domain controllers]

How to implement advanced user lifecycle management

Let's walk through an example and the steps you might take to implement this solution:

  1. In a real-world scenario, your organization hires a professional and adds a user to the HR system as a member of the Marketing team.
  2. Assuming you've already integrated your on-premises Active Directory instance with Azure AD through directory synchronization, the on-premises Azure AD Connect server syncs the user account to Azure AD.
  3. After the user account appears in Azure AD, you can create dynamic group membership rules that automatically place Marketing users in a Marketing group.
  4. After the Marketing group is automatically populated with its users, you can use group-based licensing. This lets you attach a specific license, such as Azure AD Premium or Office 365 Enterprise E5, to the group. In this example, that gives the users access to all the Office 365 apps they need to do their work, as well as the Azure AD Premium features used by the other automated tasks.

If an employee leaves the company, you remove them from the HR system. This automatically removes access to all the applications and resources previously provisioned to them. If the employee just moves to another department, the dynamic group membership rules automatically remove access to Marketing applications and add access to the other department's applications: the user drops out of the Marketing group and is added to the new department's dynamic group.
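The following is an added example, not code from the original page or from Microsoft: it implements steps 3 and 4 above with the Microsoft Graph PowerShell SDK, creating a dynamic security group keyed on the department attribute that Azure AD Connect syncs from on-premises AD, then attaching a license to that group. The group name, the mail nickname, the department value "Marketing", the Graph scopes, and the SKU part numbers (ENTERPRISEPREMIUM for Office 365 E5, AAD_PREMIUM for Azure AD Premium P1) are assumptions; confirm the part numbers in your own tenant with Get-MgSubscribedSku before relying on them.

```powershell
# Added example (not from the original page). Requires the Microsoft.Graph module
# and an admin account that can consent to the scopes below.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Organization.Read.All"

# Step 3: dynamic membership rule. The department attribute is populated from HR,
# written to on-premises AD, and synced up by Azure AD Connect. Requiring
# accountEnabled means a user disabled during offboarding leaves the group
# (and loses the group's licenses and app assignments) without any manual step.
$rule = '(user.department -eq "Marketing") and (user.accountEnabled -eq true)'

$group = New-MgGroup -DisplayName "Marketing (dynamic)" `
    -MailEnabled:$false -MailNickname "marketing-dynamic" -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# Step 4: group-based licensing. Look up the SKUs by part number (assumed values;
# verify with Get-MgSubscribedSku) and attach them to the group. Azure AD then
# assigns the licenses to every member the rule adds and reclaims them from
# anyone the rule drops.
$skus = Get-MgSubscribedSku |
    Where-Object { $_.SkuPartNumber -in @("ENTERPRISEPREMIUM", "AAD_PREMIUM") }

Set-MgGroupLicense -GroupId $group.Id `
    -AddLicenses @($skus | ForEach-Object { @{ SkuId = $_.SkuId } }) `
    -RemoveLicenses @()

# Check: after membership processing completes, list who the rule pulled in.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties.userPrincipalName }
```

Dynamic membership is evaluated by Azure AD asynchronously, so the final check may return an empty list for several minutes after the group is created; the group's membershipRuleProcessingStatus (visible in the portal) shows when evaluation has finished. Because the rule reads attributes rather than an explicit member list, moving a user to another department in HR is enough to change which group, and therefore which licenses and app assignments, they hold.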

How to manage cloud and on-premises applications

Here are steps that you can take to add, deploy, and manage Microsoft and third-party SaaS applications by using Azure AD:

How to implement a self-service password reset portal

By default, Azure AD includes a free feature that lets every admin perform their own self-service password reset.

With Azure AD Premium, you can go beyond IT admins and provide self-service password reset portal capabilities to your users. You can quickly enable user password reset policies that extend the same capability to every user in your directory.

Learn more about the prerequisites, how to enable, and how to set up the self-service password reset portal on your Azure AD tenant.

How to use Azure AD Connect Health

You can check the Azure AD Connect Health documentation for more information about the tool, its capabilities, and the steps you can take to start using it in your organization.

Azure AD Connect Health is available in the Azure portal and requires a health agent to be installed on the on-premises domain controllers that you want to monitor. Learn more about how to install the health agent.

The Domain Controllers dashboard provides a single view of the health and operational status of the environment. There, the admin can easily find which DCs own Flexible Single Master Operations (FSMO) roles, which DCs have active alerts, and which DCs are global catalogs. Other columns include PDC reachable, GC reachable, and SYSVOL state.

[Screenshot: Domain Controllers dashboard with information about the selected domain controllers]

In addition, DCs can be grouped by their domain, or the admin can group them by site.

[Screenshot: domain controllers grouped by site]

The Replication Status dashboard shows the replication topology within the environment, along with information about the last replication attempt for each naming context.

[Screenshot: Replication Status dashboard with information about the last replication attempt]
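As an added example that is not part of the original page or the Connect Health product, the script below collects the same facts the Domain Controllers and Replication Status dashboards show (FSMO ownership, global catalog status, site, PDC reachability, SYSVOL share state, and the last inbound replication attempt per naming context) directly from on-premises AD with the ActiveDirectory PowerShell module. It is a read-only check you can run from a domain-joined admin workstation with RSAT installed, and it assumes the account running it can query every DC; it is useful both as a baseline before the health agent is deployed and as a way to confirm what the portal reports.

```powershell
# Added example (not from the original page). Read-only; needs the RSAT
# ActiveDirectory module and an account that can query all DCs.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter *

# Domain Controllers view: one row per DC, mirroring the dashboard columns.
$dcReport = foreach ($dc in $dcs) {
    [PSCustomObject]@{
        Name          = $dc.HostName
        Site          = $dc.Site
        GlobalCatalog = $dc.IsGlobalCatalog
        FsmoRoles     = ($dc.OperationMasterRoles -join ",")
        PdcReachable  = Test-Connection -ComputerName $domain.PDCEmulator -Count 1 -Quiet
        SysvolShared  = Test-Path "\\$($dc.HostName)\SYSVOL"
    }
}
# Group by site, as the dashboard can.
$dcReport | Sort-Object Site, Name | Format-Table -GroupBy Site -AutoSize

# Replication Status view: last inbound replication attempt for every
# naming context (partition) on every DC.
$replReport = foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -PartnerType Inbound |
        Select-Object Server, Partner, Partition,
                      LastReplicationAttempt, LastReplicationSuccess, LastReplicationResult
}

# The equivalent of an active alert: a non-zero result code, or an attempt that
# is newer than the last success (the most recent cycle failed).
$replAlerts = $replReport | Where-Object {
    $_.LastReplicationResult -ne 0 -or
    $_.LastReplicationAttempt -gt $_.LastReplicationSuccess
}
if ($replAlerts) {
    Write-Warning "Replication problems detected:"
    $replAlerts | Format-Table -AutoSize
} else {
    Write-Output "All inbound replication links healthy across $($dcs.Count) DCs."
}
```

Test-Connection only confirms ICMP reachability of the PDC emulator; a DC that answers ping but has a stopped NTDS service will still show up in the replication report, which is why both views are worth reading together.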

The details of an alert include more information about the issue that is causing it, the required fix, and a link to further troubleshooting resources.

[Screenshot: details of a specific alert]

AD Connect Health performance monitoring provides an easy way to compare the performance of the monitored DCs against each other, as well as to compare different metrics of interest.

[Screenshot: performance monitoring for the selected domain controllers]