Azure Stack Hub 的身分識別架構Identity architecture for Azure Stack Hub

在您選擇要與 Azure Stack Hub 搭配使用的身分識別提供者時,請了解 Azure Active Directory (Azure AD) 與 Active Directory 同盟服務 (AD FS) 的選項之間有何重要差異。When choosing an identity provider to use with Azure Stack Hub, you should understand the important differences between the options of Azure Active Directory (Azure AD) and Active Directory Federation Services (AD FS).

功能和限制Capabilities and limitations

您選擇的身分識別提供者可能會限制您的選項,包括支援多租用戶。The identity provider that you choose can limit your options, including support for multi-tenancy.

功能或案例Capability or scenario Azure ADAzure AD AD FSAD FS
已連線至網際網路Connected to the internet Yes 選用Optional
支援多租用戶Support for multi-tenancy Yes No
Marketplace 中的供應項目Offer items in the Marketplace Yes 是 (要求使用離線 Marketplace 摘要整合工具)Yes (requires use of the offline Marketplace Syndication tool)
支援 Active Directory 驗證程式庫 (ADAL)Support for Active Directory Authentication Library (ADAL) Yes Yes
支援 Azure CLI、Visual Studio 和 PowerShell 等工具Support for tools such as Azure CLI, Visual Studio, and PowerShell Yes Yes
透過 Azure 入口網站建立服務主體Create service principals through the Azure portal Yes No
建立包含憑證的服務主體Create service principals with certificates Yes Yes
建立包含祕密 (金鑰) 的服務主體Create service principals with secrets (keys) Yes Yes
應用程式可以使用 Graph 服務Applications can use the Graph service Yes No
應用程式可以使用身分識別提供者進行登入Applications can use identity provider for sign-in Yes 是 (要求應用程式與內部部署 AD FS 執行個體同盟)Yes (requires apps to federate with on-premises AD FS instances)
受控系統身分識別Managed System Identities No No


下列各節討論您可使用的各種身分識別拓撲。The following sections discuss the different identity topologies that you can use.

Azure AD:單一租用戶拓撲Azure AD: single-tenant topology

根據預設,當您安裝 Azure Stack Hub 並使用 Azure AD 時,Azure Stack Hub 會使用單一租用戶拓撲。By default, when you install Azure Stack Hub and use Azure AD, Azure Stack Hub uses a single-tenant topology.

在下列情況下,單一租用戶拓撲很有用:A single-tenant topology is useful when:

  • 所有使用者都屬於相同的租用戶。All users are part of the same tenant.
  • 服務提供者主控組織的 Azure Stack Hub 執行個體。A service provider hosts an Azure Stack Hub instance for an organization.

Azure Stack Hub 單一租用戶拓撲搭配 Azure AD

此拓撲具有下列特性︰This topology features the following characteristics:

  • Azure Stack Hub 會將所有的應用程式和服務註冊到相同的 Azure AD 租用戶目錄。Azure Stack Hub registers all apps and services to the same Azure AD tenant directory.
  • Azure Stack Hub 只會驗證該目錄中的使用者和應用程式,包括權杖。Azure Stack Hub authenticates only the users and apps from that directory, including tokens.
  • 系統管理員 (雲端操作員) 和租用戶使用者的身分識別位於相同的目錄租用戶中。Identities for administrators (cloud operators) and tenant users are in the same directory tenant.
  • 若要讓其他目錄的使用者能夠存取此 Azure Stack Hub 環境,您必須邀請使用者成為租用戶目錄的來賓。To enable a user from another directory to access this Azure Stack Hub environment, you must invite the user as a guest to the tenant directory.

Azure AD:多租用戶拓撲Azure AD: multi-tenant topology

雲端操作員可將 Azure Stack Hub 設定為允許一或多個組織的租用戶存取應用程式。Cloud operators can configure Azure Stack Hub to allow access to apps by tenants from one or more organizations. 使用者可透過 Azure Stack Hub 使用者入口網站存取應用程式。Users access apps through the Azure Stack Hub user portal. 在此組態中,系統管理員入口網站 (由雲端操作員使用) 受限於單一目錄中的使用者。In this configuration, the administrator portal (used by the cloud operator) is limited to users from a single directory.

在下列情況下,多租用戶拓撲很有用:A multi-tenant topology is useful when:

  • 服務提供者想要允許多個組織中的使用者存取 Azure Stack Hub。A service provider wants to allow users from multiple organizations to access Azure Stack Hub.

Azure Stack Hub 多租用戶拓撲搭配 Azure AD

此拓撲具有下列特性︰This topology features the following characteristics:

  • 資源的存取權應該以每個組織為基礎。Access to resources should be on a per-organization basis.
  • 某個組織中的使用者不能將資源的存取權授與給其組織外部的使用者。Users from one organization should be unable to grant access to resources to users who are outside their organization.
  • 系統管理員 (雲端操作員) 的身分識別可以位於與使用者身分識別不同的目錄租用戶中。Identities for administrators (cloud operators) can be in a separate directory tenant from the identities for users. 此分隔可提供識別提供者層級的帳戶隔離。This separation provides account isolation at the identity provider level.


下列其中一個條件成立時需要 AD FS 拓撲:The AD FS topology is required when either of the following conditions is true:

  • Azure Stack Hub 未連線至網際網路。Azure Stack Hub doesn't connect to the internet.
  • Azure Stack Hub 可連線至網際網路,但您選擇使用 AD FS 作為您的識別提供者。Azure Stack Hub can connect to the internet, but you choose to use AD FS for your identity provider.

使用 AD FS 的 Azure Stack Hub 拓撲

此拓撲具有下列特性︰This topology features the following characteristics:

  • 若要支援在生產環境中使用此拓撲,您必須透過同盟信任來整合內建 Azure Stack Hub AD FS 執行個體與 Active Directory 所支援的現有 AD FS 執行個體。To support the use of this topology in production, you must integrate the built-in Azure Stack Hub AD FS instance with an existing AD FS instance that's backed by Active Directory, through a federation trust.

  • 您可以整合 Azure Stack Hub 中的 Graph 服務與現有的 Active Directory 執行個體。You can integrate the Graph service in Azure Stack Hub with your existing Active Directory instance. 您也可以使用以 OData 為基礎的圖形 API 服務,該服務支援與 Azure AD Graph API 一致的 API。You can also use the OData-based Graph API service that supports APIs that are consistent with the Azure AD Graph API.

    若要與您的 Active Directory 執行個體互動,圖形 API 需要您的 Active Directory 中具有唯讀權限的使用者認證。To interact with your Active Directory instance, the Graph API requires user credentials from your Active Directory instance that have read-only permissions.

    • 內建 AD FS 是以 Server 2016 為基礎。The built-in AD FS instance is based on Windows Server 2016.
    • AD FS 與 Active Directory 執行個體必須以 Windows Server 2012 或更新版本為基礎。Your AD FS and Active Directory instances must be based on Windows Server 2012 or later.

    Active Directory 執行個體與內建 AD FS 執行個體之間的互動不限於 OpenID Connect,並可使用任何相互支援的通訊協定。Between your Active Directory instance and the built-in AD FS instance, interactions aren't restricted to OpenID Connect, and they can use any mutually supported protocol.

    • 使用者帳戶是在內部部署 Active Directory 執行個體中進行建立和管理。User accounts are created and managed in your on-premises Active Directory instance.
    • 應用程式的服務主體和註冊是在內建 Active Directory 執行個體中進行管理。Service principals and registrations for apps are managed in the built-in Active Directory instance.

後續步驟Next steps