Authentication and authorization

Note

This topic is part of a larger design considerations guide. If you'd like to start at the beginning of the guide, check out the main topic. To get a downloadable copy of this entire guide, visit the TechNet Gallery.

Before you can properly protect your company data, you must identify who your users are, and then verify that they are authorized to access the resource they are requesting. Organizations that already have on-premises Active Directory services should use it to authenticate and authorize mobile users. All Microsoft mobile device management solutions can use an existing Active Directory infrastructure to do this.

Another decision point for authentication and authorization is where the directory services will be located. While most organizations have on-premises Active Directory services, some organizations might be considering extending their on-premises directory services with a cloud-based directory service such as Azure AD.

ConfigMgr lets you integrate with Microsoft Passport for Work, an alternative sign-in method that uses an Active Directory or Azure Active Directory account to replace a password, smart card, or virtual smart card on devices running Windows 10. For a hybrid scenario, integrating both directories is a good option for taking advantage of Azure AD capabilities such as the following:

  • Self-service group management: Allows users to create groups, request access to other groups, delegate group ownership so others can approve requests, and maintain their group memberships.
  • Enterprise SLA of 99.9%: Microsoft guarantees at least 99.9% availability of the Azure Active Directory Premium service.
  • Password reset with write-back: Self-service password resets can be written back to on-premises directories.

Read more about the different options and capabilities at Azure Active Directory. Requiring two types of authentication (multi-factor authentication, or MFA) is another strategy to consider when planning a mobile device management solution. Intune can integrate directory services with multi-factor authentication (MFA), which adds another layer of security to the authentication process.

If your organization has an on-premises IT infrastructure that includes an Active Directory domain with Active Directory Federation Services (AD FS), you can configure MFA on your federation server and then enable MFA for enrollment in Intune. If you configure MFA on your federation server but don't enable MFA for enrollment in Intune, users will need to use MFA each time they access corporate resources from any device.

You can also use Azure AD MFA to require MFA each time users access your corporate resources, enabled on a per-user basis. Azure AD MFA is a cloud service that doesn't require any on-premises IT infrastructure.

Use the table below as a reference to help you choose the MDM option that best fits your organization's authentication and authorization requirements.

Intune (standalone)

Advantages

  • Can use on-premises directory services, such as Active Directory, for authentication
  • Can use cloud-based directory services, such as Azure AD, for authentication
  • Can integrate with multi-factor authentication

Disadvantages

  • Azure AD cloud service is not included when you purchase an Intune subscription

MDM for Office 365

Advantages

  • Can use an on-premises directory, such as Active Directory, for authentication
  • Can use a cloud-based directory, such as Azure AD, for authentication
  • Can integrate with multi-factor authentication
  • Can use the Compliance Center to apply a Role Based Access Control (RBAC) permissions model

Disadvantages

  • Azure AD cloud service is not included when you purchase an Office 365 subscription

Hybrid (Intune with ConfigMgr)

Advantages

  • Can use an on-premises directory, such as Active Directory, for authentication
  • Can use a cloud-based directory, such as Azure AD, for authentication

Disadvantages

  • Azure AD cloud service is not included when you purchase an Intune subscription

Enterprise Mobility + Security

Advantages

  • Uses Azure AD Premium to provide access control
  • Azure AD Premium license is already included with EMS
  • Does not require on-premises directory services
  • Can synchronize with on-premises Active Directory services
  • MFA is natively available with EMS

Disadvantages

  • Not available for customers that are not adopting a cloud-based solution