How to: Plan your Azure AD join implementation

Azure AD join allows you to join devices directly to Azure AD without the need to join to on-premises Active Directory, while keeping your users productive and secure. Azure AD join is enterprise-ready for both at-scale and scoped deployments.

This article provides you with the information you need to plan your Azure AD join implementation.

Prerequisites

This article assumes that you are familiar with the Introduction to device management in Azure Active Directory.

Plan your implementation

To plan your Azure AD join implementation, you should familiarize yourself with:

  • Review your scenarios
  • Review your identity infrastructure
  • Assess your device management
  • Understand considerations for applications and resources
  • Understand your provisioning options
  • Configure enterprise state roaming
  • Configure Conditional Access

Review your scenarios

While Hybrid Azure AD join may be preferred for certain scenarios, Azure AD join enables you to transition towards a cloud-first model with Windows. If you are planning to modernize your device management and reduce device-related IT costs, Azure AD join provides a solid foundation for achieving those objectives.

You should consider Azure AD join if your goals align with the following criteria:

  • You are adopting Microsoft 365 as the productivity suite for your users.

  • You want to manage devices with a cloud device management solution.

  • You want to simplify device provisioning for geographically distributed users.

  • You plan to modernize your application infrastructure.

Review your identity infrastructure

Azure AD join works with both managed and federated environments.

Managed environment

A managed environment can be deployed either through Password Hash Sync or Pass-through Authentication with Seamless Single Sign-On.

These scenarios don't require you to configure a federation server for authentication.

Federated environment

A federated environment should have an identity provider that supports both the WS-Trust and WS-Fed protocols:

  • WS-Fed: This protocol is required to join a device to Azure AD.

  • WS-Trust: This protocol is required to sign in to an Azure AD joined device.

If your identity provider does not support these protocols, Azure AD join does not work natively. Beginning with Windows 10 1809, your users can sign in to an Azure AD joined device with a SAML-based identity provider through web sign-in on Windows 10. Currently, web sign-in is a preview-only feature.

Smartcards and certificate-based authentication

You can't use smartcards or certificate-based authentication to join devices to Azure AD. However, smartcards can be used to sign in to Azure AD joined devices if you have AD FS configured.

Recommendation: Implement Windows Hello for Business for strong, password-less authentication to Windows 10 devices.

User configuration

If you create users in your:

  • On-premises Active Directory, you need to synchronize them to Azure AD using Azure AD Connect.

  • Azure AD, no additional setup is required.

On-premises UPNs that differ from Azure AD UPNs are not supported on Azure AD joined devices. If your users use an on-premises UPN, you should plan to switch to using their primary UPN in Azure AD.

Assess your device management

Supported devices

Azure AD join:

  • Is only applicable to Windows 10 devices.

  • Is not applicable to previous versions of Windows or other operating systems. If you have Windows 7/8.1 devices, you must upgrade to Windows 10 to deploy Azure AD join.

  • Is not supported on devices with a TPM in FIPS mode.

Recommendation: Always use the latest Windows 10 release to take advantage of updated features.

Management platform

Device management for Azure AD joined devices is based on an MDM platform such as Intune, and on MDM CSPs. Windows 10 has a built-in MDM agent that works with all compatible MDM solutions.

Note

Group policies are not supported on Azure AD joined devices, because those devices are not connected to on-premises Active Directory. Management of Azure AD joined devices is only possible through MDM.

There are two approaches for managing Azure AD joined devices:

  • MDM-only - A device is exclusively managed by an MDM provider like Intune. All policies are delivered as part of the MDM enrollment process. For Azure AD Premium or EMS customers, MDM enrollment is an automated step that is part of an Azure AD join.

  • Co-management - A device is managed by an MDM provider and SCCM. In this approach, the SCCM agent is installed on an MDM-managed device to administer certain aspects.

If you are using group policies, evaluate your MDM policy parity by using the MDM Migration Analysis Tool (MMAT).

Review supported and unsupported policies to determine whether you can use an MDM solution instead of group policies. For unsupported policies, consider the following:

  • Are the unsupported policies necessary for Azure AD joined devices or users?

  • Are the unsupported policies applicable in a cloud-driven deployment?

If your MDM solution is not available through the Azure AD app gallery, you can add it by following the process outlined in Azure Active Directory integration with MDM.

Through co-management, you can use SCCM to manage certain aspects of your devices while policies are delivered through your MDM platform. Microsoft Intune enables co-management with SCCM. For more information, see Co-management for Windows 10 devices. If you use an MDM product other than Intune, check with your MDM provider on applicable co-management scenarios.

Recommendation: Consider MDM-only management for Azure AD joined devices.

Understand considerations for applications and resources

We recommend migrating applications from on-premises to the cloud for a better user experience and access control. However, Azure AD joined devices can seamlessly provide access to both on-premises and cloud applications. For more information, see How SSO to on-premises resources works on Azure AD joined devices.

The following sections list considerations for different types of applications and resources.

Cloud-based applications

If an application is added to the Azure AD app gallery, users get SSO through Azure AD joined devices. No additional configuration is required. Users get SSO in both the Microsoft Edge and Chrome browsers. For Chrome, you need to deploy the Windows 10 Accounts extension.

All Win32 applications that:

  • Rely on Web Account Manager (WAM) for token requests also get SSO on Azure AD joined devices.

  • Don't rely on WAM may prompt users for authentication.

On-premises web applications

If your apps are custom built and/or hosted on-premises, you need to add them to your browser's trusted sites to:

  • Enable Windows integrated authentication to work
  • Provide a no-prompt SSO experience to users.

If you use AD FS, see Verify and manage single sign-on with AD FS.

Recommendation: Consider hosting in the cloud (for example, Azure) and integrating with Azure AD for a better experience.

On-premises applications relying on legacy protocols

Users get SSO from Azure AD joined devices if the device has access to a domain controller.

Recommendation: Deploy Azure AD App Proxy to enable secure access for these applications.

On-premises network shares

Your users have SSO from Azure AD joined devices when a device has access to an on-premises domain controller.

Printers

For printers, you need to deploy hybrid cloud print for discovering printers on Azure AD joined devices.

While printers can't be automatically discovered in a cloud-only environment, your users can also use the printers' UNC path to add them directly.

On-premises applications relying on machine authentication

Azure AD joined devices don't support on-premises applications relying on machine authentication.

Recommendation: Consider retiring these applications and moving to their modern alternatives.

Remote Desktop Services

Remote desktop connection to an Azure AD joined device requires the host machine to be either Azure AD joined or Hybrid Azure AD joined. Remote desktop from an unjoined or non-Windows device is not supported. For more information, see Connect to remote Azure AD joined PC.

Understand your provisioning options

You can provision Azure AD join using the following approaches:

  • Self-service in OOBE/Settings - In the self-service mode, users go through the Azure AD join process either during the Windows Out of Box Experience (OOBE) or from Windows Settings. For more information, see Join your work device to your organization's network.

  • Windows Autopilot - Windows Autopilot enables pre-configuration of devices for a smoother experience in OOBE when performing an Azure AD join. For more information, see the Overview of Windows Autopilot.

  • Bulk enrollment - Bulk enrollment enables an administrator-driven Azure AD join by using a bulk provisioning tool to configure devices. For more information, see Bulk enrollment for Windows devices.

Here's a comparison of these three approaches:

|                                    | Self-service setup | Windows Autopilot | Bulk enrollment |
|------------------------------------|--------------------|-------------------|-----------------|
| Require user interaction to set up | Yes                | Yes               | No              |
| Require IT effort                  | No                 | Yes               | Yes             |
| Applicable flows                   | OOBE & Settings    | OOBE only         | OOBE only       |
| Local admin rights to primary user | Yes, by default    | Configurable      | No              |
| Require device OEM support         | No                 | Yes               | No              |
| Supported versions                 | 1511+              | 1709+             | 1703+           |

Choose your deployment approach or approaches by reviewing the table above and the following considerations for adopting each approach:

  • Are your users tech savvy enough to go through the setup themselves?

    • Self-service can work best for these users. Consider Windows Autopilot to enhance the user experience.
  • Are your users remote or within corporate premises?

    • Self-service or Autopilot work best for remote users for a hassle-free setup.
  • Do you prefer a user-driven or an admin-managed configuration?

    • Bulk enrollment works better for admin-driven deployments that set up devices before handing them over to users.
  • Do you purchase devices from 1-2 OEMs, or do you have a wide distribution of OEM devices?

    • If purchasing from a limited set of OEMs who also support Autopilot, you can benefit from tighter integration with Autopilot.

Configure your device settings

The Azure portal allows you to control the deployment of Azure AD joined devices in your organization. To configure the related settings, on the Azure Active Directory page, select Devices > Device settings.

Users may join devices to Azure AD

Set this option to All or Selected based on the scope of your deployment and who you want to allow to set up an Azure AD joined device.


Additional local administrators on Azure AD joined devices

Choose Selected and select the users you want to add to the local administrators' group on all Azure AD joined devices.


Require multi-factor authentication to join devices

Select Yes if you require users to perform MFA while joining devices to Azure AD. For users joining devices to Azure AD using MFA, the device itself becomes a second factor.


Configure your mobility settings

Before you can configure your mobility settings, you may have to add an MDM provider first.

To add an MDM provider:

  1. On the Azure Active Directory page, in the Manage section, click Mobility (MDM and MAM).

  2. Click Add application.

  3. Select your MDM provider from the list.


Select your MDM provider to configure the related settings.

MDM user scope

Select Some or All based on the scope of your deployment.


Based on your scope, one of the following happens:

  • User is in MDM scope: If you have an Azure AD Premium subscription, MDM enrollment is automated along with Azure AD join. All scoped users must have an appropriate license for your MDM. If MDM enrollment fails in this scenario, the Azure AD join will also be rolled back.

  • User is not in MDM scope: If users are not in MDM scope, Azure AD join completes without any MDM enrollment. This results in an unmanaged device.

MDM URLs

There are three URLs that are related to your MDM configuration:

  • MDM terms of use URL

  • MDM discovery URL

  • MDM compliance URL


Each URL has a predefined default value. If these fields are empty, contact your MDM provider for more information.

MAM settings

MAM does not apply to Azure AD join.

Configure enterprise state roaming

If you want to enable state roaming to Azure AD so that users can sync their settings across devices, see Enable Enterprise State Roaming in Azure Active Directory.

Recommendation: Enable this setting even for hybrid Azure AD joined devices.

Configure Conditional Access

If you have an MDM provider configured for your Azure AD joined devices, the provider flags the device as compliant as soon as the device is under management.
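The MDM user scope and MDM URL settings above decide whether a join ends as a managed device or as an unmanaged one. The following PowerShell is an added example, not part of this article or of the dsregcmd tool: it parses the key/value lines that `dsregcmd /status` prints on a Windows 10 device (AzureAdJoined, DomainJoined, MdmUrl and the other MDM URLs) and reports which of the two outcomes applies. The sample output embedded here is constructed; on a real device you would pass `(dsregcmd /status)` instead.

```powershell
# Added example: classify a Windows 10 device from `dsregcmd /status` output.
# Not part of the Azure AD documentation; field names follow dsregcmd's output.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)   # one string per output line of dsregcmd /status
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints each field as "<padding>Key : Value"; section borders
        # ("+----", "| Device State |") contain no colon and are skipped.
        if ($line -match '^\s*([A-Za-z ]+?)\s*:\s*(.*)$') {
            $state[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $state
}

function Get-JoinOutcome {
    param([hashtable]$State)
    $aadJoined    = $State['AzureAdJoined'] -eq 'YES'
    $domainJoined = $State['DomainJoined'] -eq 'YES'
    # MdmUrl is only populated once the device has enrolled with an MDM.
    $mdmEnrolled  = -not [string]::IsNullOrEmpty($State['MdmUrl'])

    if (-not $aadJoined) { return 'Not Azure AD joined (registered or workgroup device)' }
    if ($domainJoined)   { return 'Hybrid Azure AD joined' }
    if ($mdmEnrolled)    { return "Azure AD joined and MDM enrolled via $($State['MdmUrl'])" }
    # The "user is not in MDM scope" case: the join succeeded but no MDM enrollment ran.
    return 'Azure AD joined but UNMANAGED: no MDM enrollment (check MDM user scope)'
}

# Constructed sample in dsregcmd's layout (not captured from a real device).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : Contoso (constructed)
                    MdmUrl :
                 MdmTouUrl :
          MdmComplianceUrl :
'@ -split "`r?`n"

Get-JoinOutcome (ConvertFrom-DsregStatus $sample)
# On a real device: Get-JoinOutcome (ConvertFrom-DsregStatus (dsregcmd /status))
```

Running this across a fleet (for example from an inventory script) surfaces devices that joined while their user was outside the MDM scope and therefore never received policy.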


You can use this implementation to require managed devices for cloud app access with Conditional Access.

Next steps
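As an added example (not part of this article or of the Microsoft Graph documentation), the following PowerShell creates such a Conditional Access policy through the Microsoft Graph `conditionalAccess/policies` endpoint, requiring the compliant-device grant control for all cloud apps on Windows. It assumes the Microsoft.Graph PowerShell SDK is installed and an administrator consents to the requested scopes; the break-glass group id is a placeholder you must replace.

```powershell
# Added example: require an MDM-compliant device for cloud app access.
# Not from the article; uses the Microsoft Graph v1.0 Conditional Access API.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$policy = @{
    displayName = 'Require compliant device for cloud apps (report-only)'
    # Start in report-only mode: sign-in logs then show which users and devices
    # would be blocked (for example devices that joined outside the MDM scope)
    # before the policy is switched to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers  = @('All')
            # ASSUMPTION/placeholder: object id of an emergency-access (break-glass)
            # group, so admins are never locked out by a device-compliance outage.
            excludeGroups = @('<break-glass-group-object-id>')
        }
        applications   = @{ includeApplications = @('All') }
        platforms      = @{ includePlatforms = @('windows') }
        clientAppTypes = @('all')
    }
    # compliantDevice is the control the MDM provider's compliance flag satisfies.
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')
    }
}

$body = $policy | ConvertTo-Json -Depth 10
Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body $body -ContentType 'application/json'
```

Review the report-only results in the Azure AD sign-in logs before changing `state` to `enabled`; an unmanaged device (join completed without MDM enrollment) will show as failing the compliant-device control.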