Federated identity for your Microsoft 365 test environment

This Test Lab Guide can be used for both Microsoft 365 for enterprise and Office 365 Enterprise test environments.

Microsoft 365 supports federated identity. This means that instead of performing the validation of credentials itself, Microsoft 365 refers the connecting user to a federated authentication server that Microsoft 365 trusts. If the user's credentials are correct, the federated authentication server issues a security token that the client then sends to Microsoft 365 as proof of authentication. Federated identity allows authentication for a Microsoft 365 subscription to be offloaded and scaled, and enables advanced authentication and security scenarios.

This article describes how to configure federated authentication for your Microsoft 365 test environment, resulting in the following:

Figure: Federated authentication for the Microsoft 365 test environment

This configuration consists of:

  • A Microsoft 365 E5 trial or production subscription.

  • A simplified organization intranet connected to the internet, consisting of five virtual machines on a subnet of an Azure virtual network (DC1, APP1, CLIENT1, ADFS1, and PROXY1). Azure AD Connect runs on APP1 to synchronize the list of accounts in the Active Directory Domain Services domain to Microsoft 365. PROXY1 receives the incoming authentication requests. ADFS1 validates credentials with DC1 and issues security tokens.

Setting up this test environment involves five phases:

Note

You can't configure this test environment with an Azure Trial subscription.

Phase 1: Configure password hash synchronization for your Microsoft 365 test environment

Follow the instructions in Password hash synchronization for Microsoft 365. Your resulting configuration looks like this:

Figure: Simulated enterprise configuration with the password hash synchronization test environment

This configuration consists of:

  • A Microsoft 365 E5 trial or paid subscription.
  • A simplified organization intranet connected to the internet, consisting of the DC1, APP1, and CLIENT1 virtual machines on a subnet of an Azure virtual network. Azure AD Connect runs on APP1 to synchronize the TESTLAB Active Directory Domain Services (AD DS) domain to the Azure AD tenant of your Microsoft 365 subscription periodically.

Phase 2: Create the AD FS server

An AD FS server provides federated authentication between Microsoft 365 and the accounts in the corp.contoso.com domain hosted on DC1.

To create an Azure virtual machine for ADFS1, fill in the name of your subscription and the resource group and Azure location for your Base Configuration, and then run these commands at the Azure PowerShell command prompt on your local computer.

$subscrName="<your Azure subscription name>"
$rgName="<the resource group name of your Base Configuration>"
$vnetName="TlgBaseConfig-01-VNET"
# NOTE: If you built your simulated intranet with Azure PowerShell, comment the previous line with a "#" and remove the "#" from the next line.
#$vnetName="TestLab"
Connect-AzAccount
Select-AzSubscription -SubscriptionName $subscrName
$staticIP="10.0.0.100"
$locName=(Get-AzResourceGroup -Name $rgName).Location
$vnet=Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
$pip = New-AzPublicIpAddress -Name ADFS1-PIP -ResourceGroupName $rgName -Location $locName -AllocationMethod Dynamic
$nic = New-AzNetworkInterface -Name ADFS1-NIC -ResourceGroupName $rgName -Location $locName -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id -PrivateIpAddress $staticIP
$vm=New-AzVMConfig -VMName ADFS1 -VMSize Standard_D2_v2
$cred=Get-Credential -Message "Type the name and password of the local administrator account for ADFS1."
$vm=Set-AzVMOperatingSystem -VM $vm -Windows -ComputerName ADFS1 -Credential $cred -ProvisionVMAgent -EnableAutoUpdate
$vm=Set-AzVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2016-Datacenter -Version "latest"
$vm=Add-AzVMNetworkInterface -VM $vm -Id $nic.Id
$vm=Set-AzVMOSDisk -VM $vm -Name "ADFS-OS" -DiskSizeInGB 128 -CreateOption FromImage -StorageAccountType "Standard_LRS"
New-AzVM -ResourceGroupName $rgName -Location $locName -VM $vm

Next, use the Azure portal to connect to the ADFS1 virtual machine using the ADFS1 local administrator account name and password, and then open a Windows PowerShell command prompt.

To check name resolution and network communication between ADFS1 and DC1, run the ping dc1.corp.contoso.com command and check that there are four replies.

Next, join the ADFS1 virtual machine to the CORP domain with these commands at the Windows PowerShell prompt on ADFS1.

$cred=Get-Credential -UserName "CORP\User1" -Message "Type the User1 account password."
Add-Computer -DomainName corp.contoso.com -Credential $cred
Restart-Computer

Your resulting configuration looks like this:

Figure: The AD FS server added to the DirSync for Microsoft 365 test environment

Phase 3: Create the web proxy server

PROXY1 proxies authentication messages between users trying to authenticate and ADFS1.

To create an Azure virtual machine for PROXY1, fill in the name of your resource group and Azure location, and then run these commands at the Azure PowerShell command prompt on your local computer.

$rgName="<the resource group name of your Base Configuration>"
$vnetName="TlgBaseConfig-01-VNET"
# NOTE: If you built your simulated intranet with Azure PowerShell, comment the previous line with a "#" and remove the "#" from the next line.
#$vnetName="TestLab"
$staticIP="10.0.0.101"
$locName=(Get-AzResourceGroup -Name $rgName).Location
$vnet=Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
$pip = New-AzPublicIpAddress -Name PROXY1-PIP -ResourceGroupName $rgName -Location $locName -AllocationMethod Static
$nic = New-AzNetworkInterface -Name PROXY1-NIC -ResourceGroupName $rgName -Location $locName -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id -PrivateIpAddress $staticIP
$vm=New-AzVMConfig -VMName PROXY1 -VMSize Standard_D2_v2
$cred=Get-Credential -Message "Type the name and password of the local administrator account for PROXY1."
$vm=Set-AzVMOperatingSystem -VM $vm -Windows -ComputerName PROXY1 -Credential $cred -ProvisionVMAgent -EnableAutoUpdate
$vm=Set-AzVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2016-Datacenter -Version "latest"
$vm=Add-AzVMNetworkInterface -VM $vm -Id $nic.Id
$vm=Set-AzVMOSDisk -VM $vm -Name "PROXY1-OS" -DiskSizeInGB 128 -CreateOption FromImage -StorageAccountType "Standard_LRS"
New-AzVM -ResourceGroupName $rgName -Location $locName -VM $vm

Note

PROXY1 is assigned a static public IP address because you will create a public DNS record that points to it, and the address must not change when you restart the PROXY1 virtual machine.

Next, add a rule to the network security group for the CorpNet subnet to allow unsolicited inbound traffic from the internet to PROXY1's private IP address on TCP port 443. Run these commands at the Azure PowerShell command prompt on your local computer.

$rgName="<the resource group name of your Base Configuration>"
Get-AzNetworkSecurityGroup -Name CorpNet -ResourceGroupName $rgName | Add-AzNetworkSecurityRuleConfig -Name "HTTPS-to-PROXY1" -Description "Allow TCP 443 to PROXY1" -Access "Allow" -Protocol "Tcp" -Direction "Inbound" -Priority 101 -SourceAddressPrefix "Internet" -SourcePortRange "*" -DestinationAddressPrefix "10.0.0.101" -DestinationPortRange "443" | Set-AzNetworkSecurityGroup
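The rule above is the only inbound path from the internet that this lab needs, so it is worth confirming that the CorpNet network security group allows nothing broader. The following is an added example, not part of the original guide: it lists every inbound allow rule whose source is the internet and marks any rule that is not TCP 443 to PROXY1's private address (10.0.0.101, as assigned above) for review. It assumes the guide's NSG name CorpNet and a resource group name filled into $rgName.

```powershell
# Added example (not part of the original guide): audit inbound allow rules on the
# CorpNet NSG so that the only internet-reachable path into the subnet is TCP 443 to PROXY1.
$rgName = "<the resource group name of your Base Configuration>"
$proxyIp = "10.0.0.101"   # PROXY1's private address, as set in the guide

$nsg = Get-AzNetworkSecurityGroup -Name CorpNet -ResourceGroupName $rgName

# Rules that admit unsolicited traffic from the internet (source "Internet" or "*").
$inboundFromInternet = $nsg.SecurityRules |
    Where-Object {
        $_.Direction -eq "Inbound" -and $_.Access -eq "Allow" -and
        ($_.SourceAddressPrefix -contains "Internet" -or $_.SourceAddressPrefix -contains "*")
    } |
    Sort-Object Priority

foreach ($rule in $inboundFromInternet) {
    $dst   = ($rule.DestinationAddressPrefix -join ",")
    $ports = ($rule.DestinationPortRange -join ",")
    # Expected shape: TCP, destination exactly PROXY1, destination port exactly 443.
    $ok = ($rule.Protocol -eq "Tcp") -and ($dst -eq $proxyIp) -and ($ports -eq "443")
    $verdict = if ($ok) { "expected" } else { "REVIEW: broader than TCP 443 to PROXY1" }
    "{0,-20} priority {1,-5} {2,-4} {3}:{4}  {5}" -f $rule.Name, $rule.Priority, $rule.Protocol, $dst, $ports, $verdict
}
```

Any rule reported for review is not necessarily wrong (the Base Configuration may have opened remote desktop for the lab), but each one should be a deliberate choice rather than a leftover.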

Next, use the Azure portal to connect to the PROXY1 virtual machine using the PROXY1 local administrator account name and password, and then open a Windows PowerShell command prompt on PROXY1.

To check name resolution and network communication between PROXY1 and DC1, run the ping dc1.corp.contoso.com command and check that there are four replies.

Next, join the PROXY1 virtual machine to the CORP domain with these commands at the Windows PowerShell prompt on PROXY1.

$cred=Get-Credential -UserName "CORP\User1" -Message "Type the User1 account password."
Add-Computer -DomainName corp.contoso.com -Credential $cred
Restart-Computer

Display the public IP address of PROXY1 with these Azure PowerShell commands on your local computer.

Write-Host (Get-AzPublicIpAddress -Name "PROXY1-PIP" -ResourceGroupName $rgName).IPAddress

Next, work with your public DNS provider and create a new public DNS A record for fs.testlab.<your DNS domain name> that resolves to the IP address displayed by the Write-Host command. fs.testlab.<your DNS domain name> is hereafter referred to as the federation service FQDN.

Next, use the Azure portal to connect to the DC1 virtual machine using the CORP\User1 credentials, and then run the following commands at an administrator-level Windows PowerShell command prompt:

Add-DnsServerPrimaryZone -Name corp.contoso.com -ZoneFile corp.contoso.com.dns
Add-DnsServerResourceRecordA -Name "fs" -ZoneName corp.contoso.com -AllowUpdateAny -IPv4Address "10.0.0.100" -TimeToLive 01:00:00

These commands create an internal DNS A record so that virtual machines on the Azure virtual network can resolve the internal federation service FQDN to ADFS1's private IP address.
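The checks this guide asks for in Phases 2 and 3 (four ping replies from DC1) and the split-brain DNS set up here (the federation service FQDN resolving to ADFS1 inside the virtual network but to PROXY1's public address from the internet) can be verified in one script. The following is an added example, not part of the original guide; run it on a domain-joined VM in the virtual network such as ADFS1. It assumes the guide's ADFS1 address 10.0.0.100, a placeholder for your federation service FQDN, and a public DNS resolver of your choice in $publicResolver for the external lookup.

```powershell
# Added example (not part of the original guide): verify DC1 reachability and the
# internal/external resolution of the federation service FQDN from inside the VNet.
$fedServiceFQDN = "fs.testlab.<your DNS domain name>"   # your federation service FQDN
$adfs1Ip        = "10.0.0.100"                          # ADFS1 private address from the guide
$publicResolver = "1.1.1.1"                             # assumption: any public DNS server you trust
$failures = @()

# 1. DC1 must resolve and answer four pings (the guide's manual check).
$dc1 = Resolve-DnsName -Name "dc1.corp.contoso.com" -Type A -ErrorAction SilentlyContinue
if (-not $dc1) {
    $failures += "dc1.corp.contoso.com does not resolve"
} elseif (-not (Test-Connection -ComputerName "dc1.corp.contoso.com" -Count 4 -Quiet)) {
    $failures += "dc1.corp.contoso.com resolved but did not answer four pings"
}

# 2. Inside the VNet the federation FQDN must point at ADFS1 (the record created on DC1).
$internal = (Resolve-DnsName -Name $fedServiceFQDN -Type A -ErrorAction SilentlyContinue).IPAddress
if ($internal -ne $adfs1Ip) {
    $failures += "$fedServiceFQDN resolves internally to '$internal', expected $adfs1Ip"
}

# 3. From the internet the same name must point at PROXY1's public address, never at a private one.
$external = (Resolve-DnsName -Name $fedServiceFQDN -Type A -Server $publicResolver -ErrorAction SilentlyContinue).IPAddress
if (-not $external) {
    $failures += "$fedServiceFQDN has no public A record yet (DNS propagation may still be pending)"
} elseif ($external -like "10.*") {
    $failures += "public record for $fedServiceFQDN publishes a private address ($external)"
}

if ($failures) { $failures | ForEach-Object { Write-Warning $_ } }
else { Write-Host "DC1 answers and $fedServiceFQDN resolves to ADFS1 internally and to a public address externally." }
```

The third check matters because the proxy is the only host that should be reachable from the internet; if the public record pointed at ADFS1 it would simply not resolve to anything routable, and a misconfigured record is easier to catch here than during Phase 5.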

Your resulting configuration looks like this:

Figure: The web application proxy server added to the DirSync for Microsoft 365 test environment

Phase 4: Create a self-signed certificate and configure ADFS1 and PROXY1

In this phase, you create a self-signed digital certificate for your federation service FQDN and configure ADFS1 and PROXY1 as an AD FS farm.

First, use the Azure portal to connect to the DC1 virtual machine using the CORP\User1 credentials, and then open an administrator-level Windows PowerShell command prompt.

Next, create an AD FS service account with this command at the Windows PowerShell command prompt on DC1:

New-ADUser -SamAccountName ADFS-Service -AccountPassword (read-host "Set user password" -assecurestring) -name "ADFS-Service" -enabled $true -PasswordNeverExpires $true -ChangePasswordAtLogon $false

Note that this command prompts you to supply the account password. Choose a strong password and record it in a secured location. You will need it for this phase and for Phase 5.

Use the Azure portal to connect to the ADFS1 virtual machine using the CORP\User1 credentials. Open an administrator-level Windows PowerShell command prompt on ADFS1, fill in your federation service FQDN, and then run these commands to create a self-signed certificate:

$fedServiceFQDN="<federation service FQDN>"
New-SelfSignedCertificate -DnsName $fedServiceFQDN -CertStoreLocation "cert:\LocalMachine\My"
New-Item -path c:\Certs -type directory
New-SmbShare -name Certs -path c:\Certs -changeaccess CORP\User1

Next, use these steps to save the new self-signed certificate as a file.

  1. Select Start, enter mmc.exe, and then press Enter.

  2. Select File > Add/Remove Snap-in.

  3. In Add or Remove Snap-ins, double-click Certificates in the list of available snap-ins, select Computer account, and then select Next.

  4. In Select Computer, select Finish, and then select OK.

  5. In the tree pane, open Certificates (Local Computer) > Personal > Certificates.

  6. Select and hold (or right-click) the certificate with your federation service FQDN, select All Tasks, and then select Export.

  7. On the Welcome page, select Next.

  8. On the Export Private Key page, select Yes, and then select Next.

  9. On the Export File Format page, select Export all extended properties, and then select Next.

  10. On the Security page, select Password and enter a password in Password and Confirm password.

  11. On the File to Export page, select Browse.

  12. Browse to the C:\Certs folder, enter SSL in File name, and then select Save.

  13. On the File to Export page, select Next.

  14. On the Completing the Certificate Export Wizard page, select Finish. When prompted, select OK.
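The MMC export above can also be done from the same administrator-level PowerShell prompt, which is easier to repeat and lets you record the thumbprint you will need again later in this phase. The following is an added example, not part of the original guide; it assumes your federation service FQDN in $fedServiceFQDN and the C:\Certs folder created by the commands above, and it writes the same C:\Certs\SSL.pfx that the wizard steps produce.

```powershell
# Added example (not part of the original guide): export the self-signed federation
# service certificate with its private key to C:\Certs\SSL.pfx, as the MMC steps do.
$fedServiceFQDN = "<federation service FQDN>"

# Select the certificate issued for the federation service name and insist on exactly one match,
# so a stale certificate with the same name cannot be exported by accident.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fedServiceFQDN" -and $_.HasPrivateKey }
if (@($cert).Count -ne 1) {
    throw "Expected exactly one certificate with a private key for $fedServiceFQDN, found $(@($cert).Count)"
}

# The PFX password protects the private key while the file sits on the Certs share; prompt for it.
$pfxPassword = Read-Host -Prompt "Password to protect the exported PFX" -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath C:\Certs\SSL.pfx -Password $pfxPassword | Out-Null

# The thumbprint identifies this certificate on PROXY1 after import and in the AD FS configuration.
Write-Host "Exported $($cert.Subject) (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)) to C:\Certs\SSL.pfx"
```

Remove the PFX from the share once PROXY1 and APP1 have imported it; the file contains the private key that both the farm and the proxy present for the federation service name.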

Next, install the AD FS service with this command at the Windows PowerShell command prompt on ADFS1:

Install-WindowsFeature ADFS-Federation -IncludeManagementTools

Wait for the installation to complete.

Next, configure the AD FS service with these steps:

  1. Select Start, and then select the Server Manager icon.

  2. In the tree pane of Server Manager, select AD FS.

  3. In the tool bar at the top, select the orange caution symbol, and then select Configure the federation service on this server.

  4. On the Welcome page of the Active Directory Federation Services Configuration Wizard, select Next.

  5. On the Connect to AD DS page, select Next.

  6. On the Specify Service Properties page:

  • For SSL Certificate, select the down arrow, and then select the certificate with the name of your federation service FQDN.

  • In Federation Service Display Name, enter the name of your fictional organization.

  • Select Next.

  7. On the Specify Service Account page, select Select for Account name.

  8. In Select User or Service Account, enter ADFS-Service, select Check Names, and then select OK.

  9. In Account Password, enter the password for the ADFS-Service account, and then select Next.

  10. On the Specify Configuration Database page, select Next.

  11. On the Review Options page, select Next.

  12. On the Pre-requisite Checks page, select Configure.

  13. On the Results page, select Close.

  14. Select Start, select the power icon, select Restart, and then select Continue.
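The wizard steps above can be performed with a single Install-AdfsFarm command, which is useful when you rebuild the lab. The following is an added example, not part of the original guide; run it at an administrator-level PowerShell prompt on ADFS1 after Install-WindowsFeature ADFS-Federation. It assumes the guide's CORP\ADFS-Service account, your federation service FQDN in $fedServiceFQDN, a display name of your choosing, and the self-signed certificate already present in the local machine Personal store.

```powershell
# Added example (not part of the original guide): configure the AD FS farm on ADFS1
# with the same settings the Active Directory Federation Services Configuration Wizard asks for.
$fedServiceFQDN = "<federation service FQDN>"
$displayName    = "<your fictional organization name>"

# The SSL certificate must carry the federation service name and have its private key available.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fedServiceFQDN" -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $fedServiceFQDN in Cert:\LocalMachine\My" }

# Service account created on DC1 earlier in this phase (password prompted, never stored in the script).
$svcCred = Get-Credential -UserName "CORP\ADFS-Service" -Message "Type the ADFS-Service account password."

Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName $fedServiceFQDN `
                 -FederationServiceDisplayName $displayName `
                 -ServiceAccountCredential $svcCred

# Confirm the farm identifies itself by the expected name before restarting.
Get-AdfsProperties | Select-Object HostName, DisplayName, Identifier
Restart-Computer
```

Install-AdfsFarm creates the farm with the Windows Internal Database, which is what the wizard's Specify Configuration Database default does as well.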

From the Azure portal, connect to PROXY1 with the CORP\User1 account credentials.

Next, use these steps to install the self-signed certificate on both PROXY1 and APP1.

  1. Select Start, enter mmc.exe, and then press Enter.

  2. Select File > Add/Remove Snap-in.

  3. In Add or Remove Snap-ins, double-click Certificates in the list of available snap-ins, select Computer account, and then select Next.

  4. In Select Computer, select Finish, and then select OK.

  5. In the tree pane, open Certificates (Local Computer) > Personal > Certificates.

  6. Select and hold (or right-click) Personal, select All Tasks, and then select Import.

  7. On the Welcome page, select Next.

  8. On the File to Import page, enter \\adfs1\certs\ssl.pfx, and then select Next.

  9. On the Private key protection page, enter the certificate password in Password, and then select Next.

  10. On the Certificate store page, select Next.

  11. On the Completing page, select Finish.

  12. On the Certificate Store page, select Next.

  13. When prompted, select OK.

  14. In the tree pane, select Certificates.

  15. Select and hold (or right-click) the certificate, and then select Copy.

  16. In the tree pane, open Trusted Root Certification Authorities > Certificates.

  17. Move your mouse pointer below the list of installed certificates, select and hold (or right-click), and then select Paste.

Open an administrator-level PowerShell command prompt and run the following command:

Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

Wait for the installation to complete.

Use these steps to configure the web application proxy service to use ADFS1 as its federation server:

  1. Select Start, and then select Server Manager.

  2. In the tree pane, select Remote Access.

  3. In the tool bar at the top, select the orange caution symbol, and then select Open the Web Application Proxy Wizard.

  4. On the Welcome page of the Web Application Proxy Configuration Wizard, select Next.

  5. On the Federation Server page:

  • In the Federation service name box, enter your federation service FQDN.

  • In the User name box, enter CORP\User1.

  • In the Password box, enter the password for the User1 account.

  • Select Next.

  6. On the AD FS Proxy Certificate page, select the down arrow, select the certificate with your federation service FQDN, and then select Next.

  7. On the Confirmation page, select Configure.

  8. On the Results page, select Close.
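The certificate import and the Web Application Proxy wizard on PROXY1 can also be scripted. The following is an added example, not part of the original guide; run it at an administrator-level PowerShell prompt on PROXY1 after Install-WindowsFeature Web-Application-Proxy. It assumes the PFX at \\adfs1\certs\ssl.pfx from the export earlier in this phase, your federation service FQDN in $fedServiceFQDN, and that CORP\User1 is permitted to establish the proxy trust, as in the wizard. It differs from the MMC steps in one respect: only the public part of the certificate is placed in Trusted Root Certification Authorities, which is all that store needs.

```powershell
# Added example (not part of the original guide): import the federation service certificate
# on PROXY1 and configure the Web Application Proxy to use ADFS1 as its federation server.
$fedServiceFQDN = "<federation service FQDN>"
$pfxPath        = "\\adfs1\certs\ssl.pfx"
$pfxPassword    = Read-Host -Prompt "Password of the exported PFX" -AsSecureString

# Personal store: the proxy presents this certificate (with private key) for the federation service name.
$imported = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
if ($imported.Subject -ne "CN=$fedServiceFQDN") {
    throw "PFX subject '$($imported.Subject)' is not the federation service FQDN $fedServiceFQDN"
}

# Trusted root: PROXY1 must trust ADFS1's self-signed certificate on the back-end connection.
# Export only the public certificate (.cer) for this store; the private key does not belong there.
$cerPath = Join-Path $env:TEMP "fs-public.cer"
Export-Certificate -Cert $imported -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Remove-Item $cerPath

# Establish the proxy trust with the farm; the credential is the one the wizard's Federation Server page asks for.
$trustCred = Get-Credential -UserName "CORP\User1" -Message "Type the User1 account password."
Install-WebApplicationProxy -FederationServiceName $fedServiceFQDN `
                            -FederationServiceTrustCredential $trustCred `
                            -CertificateThumbprint $imported.Thumbprint

Write-Host "Web Application Proxy configured for $fedServiceFQDN using certificate $($imported.Thumbprint)"
```

The subject check before the trust is established catches the common mistake of importing a different PFX from the share; Install-WebApplicationProxy would otherwise bind the proxy to a certificate whose name does not match the federation service.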

Phase 5: Configure Microsoft 365 for federated identity

Use the Azure portal to connect to the APP1 virtual machine with the CORP\User1 account credentials.

Use these steps to configure Azure AD Connect and your Microsoft 365 subscription for federated authentication:

  1. From the desktop, double-click Azure AD Connect.

  2. On the Welcome to Azure AD Connect page, select Configure.

  3. On the Additional tasks page, select Change user sign-in, and then select Next.

  4. On the Connect to Azure AD page, enter your global administrator account name and password, and then select Next.

  5. On the User sign-in page, select Federation with AD FS, and then select Next.

  6. On the AD FS farm page, select Use an existing AD FS farm, enter ADFS1 in the Server Name box, and then select Next.

  7. When prompted for server credentials, enter the credentials of the CORP\User1 account, and then select OK.

  8. On the Domain Administrator credentials page, enter CORP\User1 in the Username box, enter the account password in the Password box, and then select Next.

  9. On the AD FS service account page, enter CORP\ADFS-Service in the Domain Username box, enter the account password in the Domain User Password box, and then select Next.

  10. On the Azure AD Domain page, in Domain, select the name of the domain that you previously created and added to your subscription in Phase 1, and then select Next.

  11. On the Ready to configure page, select Configure.

  12. On the Installation complete page, select Verify.

    You should see messages indicating that both the intranet and internet configurations were verified.

  13. On the Installation complete page, select Exit.

To demonstrate that federated authentication is working:

  1. Open a new private instance of your browser on your local computer and go to https://admin.microsoft.com.

  2. For the sign-in credentials, enter user1@<the domain created in Phase 1>.

    For example, if your test domain is testlab.contoso.com, you would enter "user1@testlab.contoso.com". Press the Tab key or allow Microsoft 365 to automatically redirect you.

    You should now see a Your connection is not private page. You are seeing this because you installed a self-signed certificate on ADFS1 that your desktop computer can't validate. In a production deployment of federated authentication, you would use a certificate from a trusted certification authority and your users would not see this page.

  3. On the Your connection is not private page, select Advanced, and then select Proceed to <your federation service FQDN>.

  4. On the page with the name of your fictional organization, sign in with the following:

  • CORP\User1 for the name

  • The password for the User1 account

    You should see the Microsoft Office Home page.

This procedure demonstrates that your trial subscription is federated with the AD DS corp.contoso.com domain hosted on DC1. Here are the basics of the authentication process:

  1. When you use the federated domain that you created in Phase 1 within the sign-in account name, Microsoft 365 redirects your browser to your federation service FQDN and PROXY1.

  2. PROXY1 sends your local computer the fictional company sign-in page.

  3. When you send CORP\User1 and the password to PROXY1, it forwards them to ADFS1.

  4. ADFS1 validates CORP\User1 and the password with DC1 and sends your local computer a security token.

  5. Your local computer sends the security token to Microsoft 365.

  6. Microsoft 365 validates that the security token was created by ADFS1 and allows access.

Your trial subscription is now configured with federated authentication. You can use this dev/test environment for advanced authentication scenarios.
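Step 6 of the process above depends on Microsoft 365 holding ADFS1's token-signing certificate for the federated domain: that is how it verifies that a token "was created by ADFS1". After the Azure AD Connect steps in this phase, you can confirm both sides of that trust from ADFS1. The following is an added example, not part of the original guide; it assumes the Phase 1 domain name in $federatedDomain, your federation service FQDN in $fedServiceFQDN, and the MSOnline PowerShell module (Connect-MsolService) installed on ADFS1 for the tenant-side query.

```powershell
# Added example (not part of the original guide): verify the federation trust from
# both ends after Azure AD Connect has switched the domain to federated sign-in.
$federatedDomain = "<the domain created in Phase 1>"
$fedServiceFQDN  = "<federation service FQDN>"
$problems = @()

# AD FS side: Azure AD Connect adds a relying party trust whose identifier is urn:federation:MicrosoftOnline.
$rp = Get-AdfsRelyingPartyTrust | Where-Object { $_.Identifier -contains "urn:federation:MicrosoftOnline" }
if (-not $rp) { $problems += "no relying party trust for urn:federation:MicrosoftOnline on this farm" }
elseif (-not $rp.Enabled) { $problems += "relying party trust '$($rp.Name)' is disabled" }

# The primary token-signing certificate is what Microsoft 365 must know about.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$localSigningB64 = [Convert]::ToBase64String($signing.Certificate.RawData)

# Tenant side: the domain must be Federated, point at this farm, and carry the same signing certificate.
Connect-MsolService   # assumption: MSOnline module installed; prompts for the global administrator
$dom = Get-MsolDomain -DomainName $federatedDomain
$fed = Get-MsolDomainFederationSettings -DomainName $federatedDomain

if ($dom.Authentication -ne "Federated") { $problems += "$federatedDomain is '$($dom.Authentication)', not Federated" }
$expectedPassive = "https://$fedServiceFQDN/adfs/ls/"
if ($fed.PassiveLogOnUri -ne $expectedPassive) { $problems += "PassiveLogOnUri is '$($fed.PassiveLogOnUri)', expected $expectedPassive" }
if ($fed.SigningCertificate -ne $localSigningB64) { $problems += "tenant signing certificate does not match the farm's primary token-signing certificate" }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host "$federatedDomain is federated to $fedServiceFQDN and the tenant trusts this farm's token-signing certificate." }
```

The signing-certificate comparison is the check to keep for later: AD FS rolls its token-signing certificate over automatically, and if the tenant's copy falls out of date, sign-ins fail at step 6 even though every earlier step of the flow succeeds.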

Next step

When you are ready to deploy production-ready, high availability federated authentication for Microsoft 365 in Azure, see Deploy high availability federated authentication for Microsoft 365 in Azure.