Microsoft 365 identity models and Azure Active Directory

This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.

Microsoft 365 uses Azure Active Directory (Azure AD), a cloud-based user identity and authentication service that is included with your Microsoft 365 subscription, to manage identities and authentication for Microsoft 365. Getting your identity infrastructure configured correctly is vital to managing Microsoft 365 user access and permissions for your organization.

Before you begin, watch this video for an overview of identity models and authentication for Microsoft 365.

Your first planning choice is the Microsoft 365 identity model.

Microsoft 365 identity models

To plan for user accounts, you first need to understand the two identity models in Microsoft 365. You can maintain your organization's identities only in the cloud, or you can maintain your on-premises Active Directory Domain Services (AD DS) identities and use them for authentication when users access Microsoft 365 cloud services.

Here are the two types of identity, their best fit, and their benefits.

| Attribute | Cloud-only identity | Hybrid identity |
|---|---|---|
| Definition | The user account exists only in the Azure AD tenant for your Microsoft 365 subscription. | The user account exists in AD DS, and a copy also exists in the Azure AD tenant for your Microsoft 365 subscription. The user account in Azure AD might also include a hashed version of the already hashed AD DS user account password. |
| How Microsoft 365 authenticates user credentials | The Azure AD tenant for your Microsoft 365 subscription performs the authentication with the cloud identity account. | The Azure AD tenant for your Microsoft 365 subscription either handles the authentication process or redirects the user to another identity provider. |
| Best for | Organizations that do not have or need an on-premises AD DS. | Organizations using AD DS or another identity provider. |
| Greatest benefit | Simple to use. No extra directory tools or servers required. | Users can use the same credentials when accessing on-premises or cloud-based resources. |

Cloud-only identity

A cloud-only identity uses user accounts that exist only in Azure AD. Cloud-only identity is typically used by small organizations that do not have on-premises servers or do not use AD DS to manage local identities.

Here are the basic components of cloud-only identity.

(Figure: basic components of cloud-only identity)

Both on-premises and remote (online) users use their Azure AD user accounts and passwords to access Microsoft 365 cloud services. Azure AD authenticates user credentials against its stored user accounts and passwords.

Administration

Because user accounts are stored only in Azure AD, you manage cloud identities with tools such as the Microsoft 365 admin center and Windows PowerShell.

Hybrid identity

Hybrid identity uses accounts that originate in an on-premises AD DS and have a copy in the Azure AD tenant of a Microsoft 365 subscription. However, most changes flow only one way. Changes that you make to AD DS user accounts are synchronized to their copy in Azure AD. But changes made to cloud-based accounts in Azure AD, such as new user accounts, are not synchronized back to AD DS.

Azure AD Connect provides the ongoing account synchronization. It runs on an on-premises server, checks for changes in AD DS, and forwards those changes to Azure AD. Azure AD Connect lets you filter which accounts are synchronized and choose whether to synchronize a hashed version of user passwords, known as password hash synchronization (PHS).

When you implement hybrid identity, your on-premises AD DS is the authoritative source for account information. This means that you perform administration tasks mostly on-premises, and those changes are then synchronized to Azure AD.

Here are the components of hybrid identity.

(Figure: components of hybrid identity)

The Azure AD tenant has a copy of the AD DS accounts. In this configuration, both on-premises and remote users accessing Microsoft 365 cloud services authenticate against Azure AD.

Note

You always need to use Azure AD Connect to synchronize user accounts for hybrid identity. You need the synchronized user accounts in Azure AD to perform license assignment and group management, configure permissions, and carry out other administrative tasks that involve user accounts.

Administration

Because the original and authoritative user accounts are stored in the on-premises AD DS, you manage your identities with the same tools you use to manage AD DS.

You don't use the Microsoft 365 admin center or PowerShell for Microsoft 365 to manage synchronized user accounts in Azure AD.
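The management split described in the two Administration sections (cloud-only accounts are managed in Azure AD through the admin center or PowerShell; synchronized accounts are managed in the on-premises AD DS) can be verified from the tenant side by reading the on-premises sync attributes of each user. The following script is an added example, not code from this article or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account can read users, and that a synchronized account not refreshed in 24 hours (a threshold chosen here) is worth flagging as a possible Azure AD Connect outage or filtering change.

```powershell
# Added example (not from the original article). Lists tenant users and
# classifies each one as cloud-only or hybrid (synchronized from AD DS), so
# an admin knows where a change must be made. Assumptions: Microsoft Graph
# PowerShell SDK is installed; the 24-hour staleness threshold is arbitrary.
Connect-MgGraph -Scopes "User.Read.All"

$staleAfterHours = 24
$now = (Get-Date).ToUniversalTime()

# OnPremisesSyncEnabled, OnPremisesLastSyncDateTime and OnPremisesImmutableId
# are only populated for accounts that Azure AD Connect has synchronized.
$users = Get-MgUser -All -Property Id,UserPrincipalName,OnPremisesSyncEnabled,
    OnPremisesLastSyncDateTime,OnPremisesImmutableId

$report = foreach ($u in $users) {
    $isHybrid = ($u.OnPremisesSyncEnabled -eq $true)
    $lastSync = $u.OnPremisesLastSyncDateTime
    $stale    = $false

    if ($isHybrid -and $lastSync) {
        # A hybrid account that has not been refreshed recently may indicate
        # that Azure AD Connect is not running or that the object is now
        # excluded by a synchronization filter.
        $stale = ($now - $lastSync.ToUniversalTime()).TotalHours -gt $staleAfterHours
    }

    $model = if ($isHybrid) { 'Hybrid (manage in AD DS)' }
             else           { 'Cloud-only (manage in Azure AD)' }

    [PSCustomObject]@{
        UserPrincipalName = $u.UserPrincipalName
        IdentityModel     = $model
        LastSyncUtc       = $lastSync
        SyncStale         = $stale
        HasImmutableId    = -not [string]::IsNullOrEmpty($u.OnPremisesImmutableId)
    }
}

$report | Sort-Object IdentityModel, UserPrincipalName | Format-Table -AutoSize

# Surface hybrid accounts whose last synchronization is older than the threshold.
$report | Where-Object SyncStale | ForEach-Object {
    Write-Warning "Stale synchronization for $($_.UserPrincipalName): last sync $($_.LastSyncUtc) UTC"
}
```

A cloud-only account that unexpectedly shows HasImmutableId set to true, or a hybrid account with SyncStale set to true, is a sign that the account's management path should be reviewed before any change is attempted in the wrong directory.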

Next step

If you need the cloud-only identity model, see Cloud-only identity.

If you need the hybrid identity model, see Hybrid identity.

See also

Microsoft 365 Enterprise overview