Microsoft 365 Enterprise 服务与概念Microsoft 365 Enterprise services and concepts

Microsoft 365 企业版专为大型组织而设计,集成了 Office 365 企业版、Windows 10 企业版和企业移动性 + 安全性 (EMS),让所有人都能够尽情挥洒创意,并安全地开展协作。Microsoft 365 Enterprise is designed for large organizations and integrates Office 365 Enterprise, Windows 10 Enterprise, and Enterprise Mobility + Security (EMS) to empower everyone to be creative and work together, securely. Microsoft 365 企业版包括 Windows 10 企业版,以及 Office 365 专业增强版包含的 Office 应用程序。Microsoft 365 Enterprise includes an enterprise edition of Windows 10 and Office applications through Office 365 ProPlus.

Windows 10 和 Office 365 专业增强版都在 3 月和 9 月通过半年频道发布了适用于企业的新功能。Both Windows 10 and Office 365 ProPlus provide new feature releases to the enterprise in March and September via the Semi-Annual Channel. 通过半年频道发布的功能的支持期为 18 个月。A feature release of Semi-Annual Channel is supported for 18 months. Microsoft Intune 和 System Center Configuration Manager 都提供可用于部署和更新 Windows 10 和 Office 365 专业增强版的功能。Both Microsoft Intune and System Center Configuration Manager provide capabilities to deploy and update Windows 10 and Office 365 ProPlus.

下面列出了 Windows 10、Office 365 专业增强版、Microsoft Intune 和 System Center Configuration Manager 的最新版本:Here are the most current versions of Windows 10, Office 365 ProPlus, Microsoft Intune, and System Center Configuration Manager:

半年频道(定向)Semi-Annual Channel (Targeted) 半年频道Semi-Annual Channel
Windows 10Windows 10 Windows 10 Fall Creators Update(即将推出)Windows 10 Fall Creators Update (coming soon) 版本 1703Version 1703
Office 365 专业增强版Office 365 ProPlus 版本 1708Version 1708 版本 1705Version 1705
IntuneIntune 不适用N/A 版本 1708Version 1708
System Center Configuration ManagerSystem Center Configuration Manager Technical Preview 版本 1708Technical Preview Version 1708 版本 1706Version 1706

System Center Configuration Manager 最新分支的更新 1706 作为控制台内更新提供,用于运行版本 1606、1610 或 1702 的之前安装的网站。 Update 1706 for System Center Configuration Manager current branch is available as an in-console update for previously installed sites that run version 1606, 1610, or 1702.


Microsoft Azure 服务也会定期更新,但没有按版本号划分的参考资料。Microsoft Azure services are also updated on a regular basis, but are not referenced by a version number. 若要查看 Azure 服务的最新更新和即将发布的更新,请参阅云平台路线图To review the latest updates, and what's coming, for Azure services, see the cloud platform roadmap.

若要详细了解这些版本提供的功能,请参阅以下文章:For more information about the features available in these versions, see the following articles:

服务概述Services overview

本部分概述了 Microsoft 365 Enterprise 随附的 EMS 和 Office 365 服务,并介绍了一些必须掌握的核心概念,以便读者可以了解如何充分利用此解决方案来满足组织需求。This section provides an overview of the EMS and Office 365 services included with Microsoft 365 Enterprise and also introduces the core concepts necessary to understand how to best use it for your oganizational needs. 借助这些服务提供的功能,Microsoft 云企业管理员不仅可以保护公司员工的标识和设备,还可以控制对公司数据本身的访问(无论是在传输中,还是在静态状态下)。These services provide capabilities that enable Microsoft cloud enterprise administrators to not just protect company employees’ identities and devices, but also control access to company data itself; both in transit and at rest.

服务Service 描述Description
Microsoft Azure Active DirectoryMicrosoft Azure Active Directory Azure AD 提供一整套标识管理功能,包括多重身份验证、设备注册、自助式密码管理、自助式组管理、基于角色的访问控制、应用程序使用情况监视、各种审核以及安全监视和警报。Azure AD provides a full suite of identity management capabilities including multi-factor authentication, device registration, self-service password management, self-service group management, role based access control, application usage monitoring, rich auditing and security monitoring and alerting.
Azure AD Identity ProtectionAzure AD Identity Protection 借助此服务,可以检测影响组织标识的潜在漏洞,并通过条件访问策略配置对低、中、高登录风险和用户风险的自动响应。This service enables you to detect potential vulnerabilities affecting your organization’s identities and configure automated responses via conditional access policies to low, medium and high sign-in risk and user risk.
Azure AD Privileged Identity ManagementAzure AD Privileged Identity Management 借助此服务,组织可以将永久有权执行特权操作的用户数降至最低;Azure AD Privileged Identity Management 引入了符合条件的管理员这一概念。符合条件的管理员应为偶尔(而不是每天)需要特权的用户。This service enables organizations to minimize the number of people who have persistent access to privileged operations; Azure AD Privileged Identity Management introduces the concept of an eligible admin. Eligible admins should be users that need privileged access now and then, but not every day. 在用户需要访问权限之前,此角色处于非活动状态。完成激活过程后,此管理员角色将在预先确定的一段时间内处于活动状态。The role is inactive until the user needs access, then they complete an activation process and become an active admin for a predetermined amount of time.
Azure 信息保护Azure Information Protection Azure 信息保护是基于云的解决方案,属于 EMS E5 产品/服务,可有助于组织分类、标示和保护文档和电子邮件。Azure Information Protection is a cloud-based solution, delivered as part of the EMS E5 offering, that helps an organization to classify, label, and protect its documents and emails. 这可以由定义规则和条件的管理员自动进行、由用户手动进行或是组合进行(在这种情况下会向用户提供建议)。This can be done automatically by administrators who define rules and conditions, manually by users, or a combination where users are given recommendations. 可使用 Azure 信息保护标签对文档和电子邮件应用分类。You use Azure Information Protection labels to apply classification to documents and emails. 执行此操作时,分类在任何时候都是可识别的,无论数据的存储位置在哪或者与谁共享数据。When you do this, the classification is identifiable at all times, regardless of where the data is stored or with whom it’s shared.

Azure 信息保护策略设置受 Azure Rights Management 保护。Azure Information Protection policy settings are protected by Azure Rights Management. 与标签的应用方式类似,使用 Rights Management 应用的保护会一直为文档和电子邮件提供保护,与位置无关(无论是在组织内外、网络内外、文件服务器内外,还是在应用程序内外)。Similar to how the labels that are applied, protection that is applied by using Rights Management stays with the documents and emails, independently of the location—inside or outside your organization, networks, file servers, and applications.
Microsoft IntuneMicrosoft Intune Intune 是一种基于云的企业移动管理 (EMM) 服务,可帮助员工提高工作效率,同时保护企业数据。Intune is a cloud-based enterprise mobility management (EMM) service that helps enable your workforce to be productive while keeping your corporate data protected. Intune 与 Azure AD 紧密集成以提供标识和访问控制,Intune 可用于管理设备和应用程序。Intune integrates closely with Azure AD for identity and access control and is used for device and application management. Intune 设备管理功能用于配置和保护用户设备,包括 Windows 电脑。Intune’s device management capabilities are used to configure and protect your user’s devices, including Windows PCs.

Intune 设备管理功能支持自带设备办公 (BYOD) 注册,以便用户能够注册个人手机、平板电脑或电脑;此外,还支持企业自有设备 (COD) 注册,从而支持自动注册、共享设备或预授权的注册需求配置等管理方案。Intune device management capabilities support both Bring Your Own Device (BYOD) enrollment which lets users enroll their personal phones, tablets, or PCs, and Corporate-owned Device (COD) enrollment that enable management scenarios like automatic enrollment, shared devices, or pre-authorized enrollment requirement configurations. 为提高安全性,甚至可以要求必须通过 MFA 才能注册设备。For added security, you can even require MFA to enroll a device. 注册管理功能后,Intune 可以配置设备功能和设置,以实现对公司资源的安全访问。Once enrolled into management, Intune can configure device features and settings to enable secure access to company resources.

需要了解的重要概念Important concepts to understand

下表介绍了应熟悉的核心概念和 EMS 功能。Core concepts and EMS capabilities that you should be familiar with are described in the table below.

核心概念Core Concept 描述Description
Azure 多重身份验证 (MFA)Azure Multi-Factor Authentication (MFA) 作为 Microsoft 的双重验证解决方案,Azure MFA 有助于保护对数据和应用程序的访问,同时可以满足用户对简单登录过程的需求。As Microsoft's two-step verification solution, Azure MFA helps safeguard access to data and applications while meeting user demand for a simple sign-in process. 此解决方案通过一系列验证方法(包括电话呼叫、短信或移动应用验证)提供了安全系数高的身份验证。It delivers strong authentication via a range of verification methods, including phone call, text message, or mobile app verification.
Azure AD 条件访问Azure AD Conditional Access 借助 Azure AD 的这一功能,可以根据特定条件强制控制对环境中云应用的访问。This capability of Azure AD enables you to enforce controls on the access to cloud apps in your environment based on specific conditions. 通过施加控制,可以对访问附加要求,也可以阻止访问。With controls, you can either tie additional requirements to the access or you can block it. 条件访问的实现依据为策略。The implementation of conditional access is based on policies.
Exchange Online 数据丢失防护 (DLP)Exchange Online Data Loss Prevention (DLP) 作为 Exchange Online 计划 2 和 Office 365 订阅的高级功能,Exchange Online 数据丢失防护 (DLP) 策略可有助于组织跨 Office 365 标识、监视和自动保护敏感信息。Exchange Online Data Loss Prevention (DLP) policies, available as a premium feature of Exchange Online Plan 2 and Office 365 subscriptions, enable organizations to identify, monitor, and automatically protect sensitive information across Office 365.

通过 Exchange Online DLP 策略,可以跨多个位置(如 Exchange Online、SharePoint Online 和 OneDrive for Business)标识敏感信息。With Exchange Online DLP policies you can identify sensitive information across many locations, such as Exchange Online, SharePoint Online, and OneDrive for Business. 例如,这些策略有助于标识包含敏感信息的文档,或防止与组织外部人员意外共享敏感信息。For example, these policies help you identify documents containing sensitive information or prevent the accidental sharing of sensitive information with people outside your organization.
Exchange 邮件流/传输规则Exchange Mail Flow/Transport Rules Exchange 邮件流规则(亦称为“传输规则”)在通过组织传递的邮件中查找特定条件,并采取相应措施。Exchange mail flow rules, also known as transport rules, look for specific conditions in messages that pass through your organization and act on them. 邮件流规则与许多电子邮件客户端中的收件箱规则一样。Mail flow rules are like the Inbox rules that are available in many email clients. 邮件流规则与在客户端应用程序(如 Outlook)中设置的规则的主要区别在于,邮件流规则针对的是传递中的邮件,而不是已传递的邮件。The main difference between mail flow rules and rules you would set up in a client application such as Outlook is that mail flow rules act on messages while they’re in transit as opposed to after the message is delivered. 邮件流规则还包含一组更丰富的条件、异常和操作,以便用户可以灵活实现多种类型的邮件传递策略。Mail flow rules also contain a richer set of conditions, exceptions, and actions, which provides you with the flexibility to implement many types of messaging policies.
Intune 移动设备管理Intune Mobile Device Management Intune 使用移动操作系统中的可用协议或 API 提供移动设备管理 (MDM)。Intune provides mobile device management (MDM) by using the protocols or APIs that are available in the mobile operating systems. 具体包括如下任务:为设备注册管理功能以便 IT 有访问企业服务的设备清单、配置设备以确保它们符合公司安全和运行状况标准、提供用于访问企业服务的证书和 Wi-Fi/VPN 配置文件、报告和衡量设备是否符合公司标准、从受管理设备中删除企业数据。It includes tasks like enrolling devices into management so IT has an inventory of devices that are accessing corporate services, configuring devices to ensure they meet company security and health standards, providing certificates and Wi-Fi/VPN profiles to access corporate services, reporting on and measuring device compliance to corporate standards, and removing corporate data from managed devices.
Intune 应用保护策略Intune app protection policies 无论是否为设备注册管理功能,Intune 应用保护策略都可用于保护公司在移动应用中的数据。Intune app protection policies can be used to protect your company’s data in mobile apps with or without enrolling devices into management. 事实上,用户的移动设备甚至可以由其他非 Microsoft MDM 解决方案进行管理,同时通过 Intune 保护 Office 365 信息In fact, your users' mobile devices can even be managed by another non-Microsoft MDM solution while Intune helps protect Office 365 information. 在确保员工仍可高效工作的同时,还可以防止有意和无意数据丢失。While making sure your employees can still be productive, you can also prevent data loss—intentional and unintentional. 通过实现应用级策略,既可以限制对公司资源的访问,也可以让数据在 IT 部门的控制范围之内。By implementing app-level policies, you can restrict access to company resources and keep data within the control of your IT department.
Azure AD 令牌生存期Azure AD Token Lifetime 可以指定 Azure Active Directory (Azure AD) 颁发的令牌的生存期。You can specify the lifetime of a token issued by Azure Active Directory (Azure AD). 可以为组织中的所有应用程序、多租户(多组织)应用程序或组织中的特定服务主体设置令牌生存期。You can set token lifetimes for all apps in your organization, for a multi-tenant (multi-organization) application, or for a specific service principal in your organization.
Microsoft 标识中转站Microsoft Identity Brokers Microsoft 为每个移动平台提供应用,以允许跨不同供应商的应用桥接凭据,并提供需要从一个安全位置验证凭据的特殊增强功能。Microsoft provides applications for every mobile platform that allow for the bridging of credentials across applications from different vendors and allows for special enhanced features that require a single secure place from where to validate credentials. 我们称之为“中转站”。We call these brokers. 在 iOS 和 Android 上,这些中转站是通过 Microsoft Authenticator 和 Intune 公司门户应用提供。On iOS and Android these brokers are provided through the Microsoft Authenticator and Intune Company Portal apps. 在 Windows 10 中,此功能由操作系统中内置的帐户选择器提供,在技术上称为“Web 身份验证中转站”。In Windows 10, this functionality is provided by an account chooser built in to the operating system, known technically as the Web Authentication Broker.

安全最佳做法和建议Security best practices and recommendations

并不存在适用于所有客户环境的最佳建议,推荐的安全策略和配置一文介绍了应了解的重要安全最佳实践概念。While there is no single best recommendation for all customer environments, the recommended security policies and configurations article introduces important security best practices concepts to understand. 本文还介绍了一些通用的 Microsoft 建议,这些建议针对如何在 Microsoft 云中应用策略和配置,以确保员工在安全的环境中高效工作。This article also describes general Microsoft recommendations about how to apply policy and configuration within the Microsoft cloud to ensure that your employees are both secure and productive.

通用身份识别与设备访问策略建议介绍了一些通用的策略,这些策略可帮助你保护 Microsoft 365 Enterprise。General identity and device access policy recommendations describes the common recommended policies to help you secure Microsoft 365 Enterprise. 此外,还介绍了我们为了向用户提供最佳 SSO 体验而推荐的默认平台客户端配置,以及条件访问的技术先决条件。Also discussed are the default platform client configurations we recommend to provide the best SSO experience to your users, as well as the technical pre-requisites for conditional access.

Exchange Online 访问策略Exchange Online access policies

Microsoft 在可帮助保护电子邮件的策略建议中提供了建议,可帮助你保护支持新式验证和条件访问的组织电子邮件和电子邮件客户端。Policy recommendations to help secure email provides Microsoft recommendations to help you secure organizational email, and email clients that support Modern Authentication and Conditional Access. 这些建议是通用身份识别与设备访问策略建议的补充。These recommendations are in addition to the common identity and access policy recommendations.

SharePoint Online 访问策略SharePoint Online access policies

通用身份识别与设备访问策略建议可帮助保护电子邮件的策略建议外,保护 SharePoint Online 文件访问中也提供了建议。Recommendations are provided to safeguard SharePoint Online file access in addition to the common identity and access policy recommendations and policy recommendations to help secure email. 本文介绍了必须创建哪些新策略,以及应如何修订现有策略,以保护 Exchange Online 电子邮件和 SharePoint Online 文件访问。This article describes the new policies that must be created, and how existing policies should be amended, to protect both Exchange Online email and SharePoint online file access.

部署 Windows 10 和 Office 365 专业增强版Deploy Windows 10 and Office 365 ProPlus

了解如何部署 Windows 10 和 Office 365 专业增强版,以及如何集成到 Microsoft Azure Active Directory (Azure AD) 或本地 Active Directory 域服务 (AD DS) 中。Learn how to deploy Windows 10 and Office 365 ProPlus and integrate into Microsoft Azure Active Directory (Azure AD) or on-premises Active Directory Domain Services (AD DS). 使用 Intune、System Center Configuration Manager 和组策略,将 Windows 10、Office 365 专业增强版和其他业务线应用程序部署到新设备,或将现有设备升级到 Windows 10,以便管理设备。Deploy Windows 10, Office 365 ProPlus, and your other line-of-business apps to new devices or upgrade existing devices to Windows 10 using Intune, System Center Configuration Manager, and Group Policy to manage devices.

有关详细信息,请参阅以下文章:For more information, see the following articles:

若要获取部署 Microsoft 365 方面的帮助,请联系 FastTrackFor deployment assistance with Microsoft 365, contact FastTrack.

管理 Windows 10 和 Office 365 专业增强版的更新Manage updates to Windows 10 and Office 365 ProPlus

单击以下链接,可以了解如何最大限度地控制 Windows 10 和 Office 365 专业增强版的质量和功能更新。The following links show you how to gain maximum control over quality and feature updates for Windows 10 and Office 365 ProPlus. 了解如何有效控制带宽使用,并应用最新功能和安全更新程序,不断更新 Windows 和 Office。Learn how to effectively control bandwidth usage and keep Windows and Office up-to-date with the newest features, capabilities, and security updates.

有关详细信息,请参阅以下文章:For more information, see the following articles:

Microsoft 建议当前使用 Configuration Manager 管理 Windows 更新的组织,继续对 Windows 10 客户端计算机这样做。 Microsoft encourages organizations currently using Configuration Manager for Windows update management to continue doing so for Windows 10 client computers.

后续步骤Next steps

Microsoft 365 企业版产品页 云平台路线图Microsoft 365 Enterprise product page Cloud platform roadmap