Accounts needed for hybrid configuration and testing

Summary: Learn about the accounts you need to use when you configure a SharePoint Server hybrid solution.

When you configure a SharePoint Server hybrid environment, you need several user accounts in both your on-premises Active Directory and Office 365. These accounts also need different permissions and group or role memberships. Some of these accounts are used to deploy and configure software, and some are used to test specific functionality to help ensure that security and authentication systems are working as expected.

In a hybrid environment, some or all user accounts in Active Directory are synchronized with Azure AD directory services. We refer to these accounts as federated users. SharePoint Server and SharePoint Online are configured with a server-to-server (S2S) trust relationship, and service applications can be configured to enable federated users to access content and resources from both farms using a single identity. Because user accounts and credentials are synchronized between SharePoint Server and SharePoint Online, list and library content security can be applied in both farms using the same set of users and groups.

Note

This table does not include service accounts, which may have specific requirements for service applications and features in certain SharePoint Server hybrid solutions. For more information about the requirements for each supported solution, see the solution configuration articles at Configure a hybrid solution for SharePoint Server.

Table: Accounts needed for SharePoint hybrid configuration and testing

Account: Global Administrator
Identity provider: Office 365 and Azure Active Directory
Role: Use an Office 365 work account that has been assigned to the Global Administrator role for Office 365 configuration tasks such as configuring SharePoint Online features, running Azure AD and SharePoint Online PowerShell commands, and testing SharePoint Online.

Account: AD Domain Administrator
Identity provider: On-premises AD
Role: Use an AD account in the Domain Admins group to configure and test AD, ADFS, DNS, and certificates and to do other tasks that require elevation.

Account: SharePoint Farm Administrator
Identity provider: On-premises AD
Role: Use an AD account in the Farm Administrators SharePoint group for SharePoint Server configuration tasks such as running PowerShell commands in the SharePoint Management Shell to configure S2S trusts, create and configure web applications and site collections, deploy and configure SQL Server databases, and troubleshoot SharePoint Server.
This account must also have additional privileges to use the SharePoint Management Shell:
- Membership in the securityadmin fixed server role on the SQL Server instance.
- Membership in the db_owner fixed database role on all databases that are to be updated.
- Membership in the Administrators group on the server on which you are running the PowerShell cmdlets.

Account: Federated Users
Identity provider: On-premises AD
Role: Use AD accounts that have been synchronized with Office 365 to test access to specific resources in both SharePoint Server and SharePoint Online.
These accounts, or groups of which they are members, must have permissions to SharePoint Server site collections and resources in both environments and have the appropriate product licenses assigned in the Office 365 subscription. They also must be set to use the alternative domain UPN suffix that you specify for federated users during the planning process.
You can configure multiple federated accounts with different permissions or group memberships to test for appropriate security trimming and access to site resources.
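As an added example (not code from the article or from Microsoft), the following PowerShell script checks that a SharePoint Farm Administrator account holds the three extra privileges listed in the table and that the federated test accounts carry the alternative UPN suffix chosen during planning. The account, SQL instance, UPN suffix and AD group names are placeholders, and the script assumes the ActiveDirectory and SqlServer modules are installed on the server where it runs.

```powershell
# Added example: checks the farm administrator prerequisites and federated-user
# UPN suffix described in the table above. Assumes the ActiveDirectory and
# SqlServer PowerShell modules are installed. All names below are placeholders.
param(
    [string]$FarmAdmin          = 'CONTOSO\spfarmadmin',   # placeholder
    [string]$SqlInstance        = 'sql01.contoso.local',   # placeholder
    [string]$FederatedUpnSuffix = 'contoso.com',           # placeholder routable suffix
    [string]$FederatedGroup     = 'SP Hybrid Test Users'   # placeholder AD group
)

Import-Module ActiveDirectory
Import-Module SqlServer

# 1. Administrators group on the server where the cmdlets run.
$isLocalAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.Name -eq $FarmAdmin })

# 2. securityadmin fixed server role on the SQL Server instance.
$srv = Invoke-Sqlcmd -ServerInstance $SqlInstance -Query `
    "SELECT IS_SRVROLEMEMBER('securityadmin', '$FarmAdmin') AS IsMember"
$isSecurityAdmin = ($srv.IsMember -eq 1)

# 3. db_owner fixed database role on every database the farm will update.
#    Here every user database on the instance is checked; narrow the filter to
#    the farm's databases in practice.
$dbs = Invoke-Sqlcmd -ServerInstance $SqlInstance -Query `
    'SELECT name FROM sys.databases WHERE database_id > 4'
$missingDbOwner = foreach ($db in @($dbs.name)) {
    $r = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $db -Query `
        "SELECT IS_ROLEMEMBER('db_owner', '$FarmAdmin') AS IsMember"
    if ($r.IsMember -ne 1) { $db }
}

# 4. Federated test accounts must carry the alternative UPN suffix chosen during
#    planning, otherwise they will not match the synchronized Azure AD identity.
$wrongUpn = Get-ADGroupMember -Identity $FederatedGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -notlike "*@$FederatedUpnSuffix" } |
    Select-Object -ExpandProperty SamAccountName

# Summary object; empty DbOwnerMissingOn / FederatedWrongUpn means the check passed.
[pscustomobject]@{
    FarmAdmin          = $FarmAdmin
    LocalAdministrator = $isLocalAdmin
    SqlSecurityAdmin   = $isSecurityAdmin
    DbOwnerMissingOn   = @($missingDbOwner) -join ', '
    FederatedWrongUpn  = @($wrongUpn) -join ', '
}
```

Run it from the server where you intend to use the SharePoint Management Shell, since the local Administrators check is specific to that machine.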