如何:規劃混合式 Azure Active Directory Join 實作How To: Plan your hybrid Azure Active Directory join implementation

以類似的使用方式,裝置是您想要保護的另一個核心身分識別,可用來隨時隨地保護您的資源。In a similar way to a user, a device is another core identity you want to protect and use it to protect your resources at any time and from any location. 您可以使用下列其中一種方法,將裝置身分識別導入 Azure AD 中進行管理,以達到此目標:You can accomplish this goal by bringing and managing device identities in Azure AD using one of the following methods:

  • Azure AD JoinAzure AD join
  • 混合式 Azure AD JoinHybrid Azure AD join
  • Azure AD 註冊Azure AD registration

將您的裝置導入 Azure AD 中,您將可透過跨雲端和內部部署資源的單一登入 (SSO),將使用者的生產力最大化。By bringing your devices to Azure AD, you maximize your users' productivity through single sign-on (SSO) across your cloud and on-premises resources. 在此同時,您可以安全存取您雲端和內部部署資源條件式存取At the same time, you can secure access to your cloud and on-premises resources with Conditional Access.

如果您有內部部署 Active Directory (AD) 環境,而且您想要將您的 AD 網域的電腦加入 Azure AD,您可以藉由混合式 Azure AD join 完成。If you have an on-premises Active Directory (AD) environment and you want to join your AD domain-joined computers to Azure AD, you can accomplish this by doing hybrid Azure AD join. 本文提供在您的環境中實作混合式 Azure AD Join 的相關步驟。This article provides you with the related steps to implement a hybrid Azure AD join in your environment.


本文假設您已熟悉Azure Active Directory 中的裝置身分識別管理簡介This article assumes that you are familiar with the Introduction to device identity management in Azure Active Directory.


需要的最低網域功能和樹系功能等級為 Windows 10 的混合式 Azure AD join 是 Windows Server 2008 R2。The minimum required domain functional and forest functional levels for Windows 10 hybrid Azure AD join is Windows Server 2008 R2.

計劃您的實作Plan your implementation

若要規劃您的混合式 Azure AD 實作,您應該熟悉:To plan your hybrid Azure AD implementation, you should familiarize yourself with:

勾選 檢閱支援的裝置Review supported devices
勾選 檢閱您應該知道的事情Review things you should know
勾選 檢閱受控制的混合式 Azure AD join 的驗證Review controlled validation of hybrid Azure AD join
勾選 選取您根據您的身分識別基礎結構的案例Select your scenario based on your identity infrastructure
勾選 檢閱內部部署 AD UPN 的支援將混合式 Azure AD joinReview on-premises AD UPN support for hybrid Azure AD join

檢閱支援的裝置Review supported devices

混合式 Azure AD Join 支援廣泛的 Windows 裝置。Hybrid Azure AD join supports a broad range of Windows devices. 因為執行舊版 Windows 的裝置設定需要其他或不同的步驟,所以支援的裝置會分為兩類:Because the configuration for devices running older versions of Windows requires additional or different steps, the supported devices are grouped into two categories:

現行 Windows 裝置Windows current devices

  • Windows 10Windows 10
  • Windows Server 2016Windows Server 2016
  • Windows Server 2019Windows Server 2019

對於執行 Windows 桌面作業系統的裝置,這篇文章中列出支援的版本Windows 10 版本資訊For devices running the Windows desktop operating system, supported version are listed in this article Windows 10 release information. 最佳做法是,Microsoft 會建議您升級至 Windows 10 最新版本。As a best practice, Microsoft recommends you upgrade to the latest version of Windows 10.

舊版 Windows 裝置Windows down-level devices

  • Windows 8.1Windows 8.1
  • Windows 7.Windows 7. 如需 Windows 7 的支援資訊,請檢閱這篇文章適用於 Windows 7 支援即將結束For support information on Windows 7, please review this article Support for Windows 7 is ending
  • Windows Server 2012 R2Windows Server 2012 R2
  • Windows Server 2012Windows Server 2012
  • Windows Server 2008 R2Windows Server 2008 R2

在第一個規劃步驟中,您應該檢閱您的環境,並判斷是否需要支援 Windows 舊版裝置。As a first planning step, you should review your environment and determine whether you need to support Windows down-level devices.

檢閱您應該知道的事情Review things you should know

如果您的環境是由單一 AD 樹系同步處理多個 Azure AD 租用戶的身分識別資料所組成,混合式 Azure AD join 是目前不支援。Hybrid Azure AD join is currently not supported if your environment consists of a single AD forest synchronizing identity data to more than one Azure AD tenant.

加入混合式 Azure AD 目前不支援使用虛擬桌面基礎結構 (VDI) 時。Hybrid Azure AD join is currently not supported when using virtual desktop infrastructure (VDI).

混合式 Azure AD 不支援 FIPS 相容的 Tpm。Hybrid Azure AD is not supported for FIPS-compliant TPMs. 如果您的裝置有 FIPS 相容的 Tpm,您必須進行混合式 Azure AD 聯結之前,先停用它們。If your devices have FIPS-compliant TPMs, you must disable them before proceeding with Hybrid Azure AD join. Microsoft 不提供任何工具對 Tpm 中停用 FIPS 模式,因為它是取決於 TPM 製造商。Microsoft does not provide any tools for disabling FIPS mode for TPMs as it is dependent on the TPM manufacturer. 請如需支援,連絡您的硬體 OEM。Please contact your hardware OEM for support.

執行網域控制站 (DC) 角色的 Windows Server 不支援混合式 Azure AD join。Hybrid Azure AD join is not supported for Windows Server running the Domain Controller (DC) role.

混合式 Azure AD 聯結不支援在 Windows 舊版裝置上使用認證漫遊,或使用者設定檔漫遊時。Hybrid Azure AD join is not supported on Windows down-level devices when using credential roaming or user profile roaming.

如果您依賴的系統準備工具 (Sysprep),如果您使用pre-Windows 10 1809年安裝映像,請確定該映像不是從已向 Azure AD 混合式 Azure AD 聯結裝置。If you are relying on the System Preparation Tool (Sysprep) and if you are using a pre-Windows 10 1809 image for installation, make sure that image is not from a device that is already registered with Azure AD as Hybrid Azure AD join.

如果您依賴在虛擬機器 (VM) 快照集來建立其他 Vm,請確定該快照集不是來自已向 Azure AD 混合式 Azure AD join 的 VM。If you are relying on a Virtual Machine (VM) snapshot to create additional VMs, make sure that snapshot is not from a VM that is already registered with Azure AD as Hybrid Azure AD join.

如果您已加入網域的 Windows 10 裝置已向租用戶註冊 Azure AD,我們強烈建議您先移除該狀態,再啟用混合式 Azure AD Join。If your Windows 10 domain joined devices are already Azure AD registered to your tenant, we highly recommend removing that state before enabling Hybrid Azure AD join. 自 Windows 10 1809 版起,我們已進行下列變更以避免這種雙重狀態:From Windows 10 1809 release, the following changes have been made to avoid this dual state:

  • 在裝置加入混合式 Azure AD 之後,就會自動移除任何現有的 Azure AD 註冊狀態。Any existing Azure AD registered state would be automatically removed after the device is Hybrid Azure AD joined.
  • 您可以防止您加入的網域的裝置 Azure AD 註冊加入此登錄機碼-HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin,「 BlockAADWorkplaceJoin"= dword: 00000001。You can prevent your domain joined device from being Azure AD registered by adding this registry key - HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, "BlockAADWorkplaceJoin"=dword:00000001.
  • 這項變更現在是適用於 Windows 10 1803年版 KB4489894 套用使用中。This change is now available for Windows 10 1803 release with KB4489894 applied. 不過,如果您有 Windows hello 企業版設定,使用者也需要重新設定 Windows hello 企業版的雙狀態之後清除。However, if you have Windows Hello for Business configured, the user is required to re-setup Windows Hello for Business after the dual state clean up.

檢閱受控制的混合式 Azure AD join 的驗證Review controlled validation of hybrid Azure AD join

所有必要的元件時就地,將自動將 Windows 裝置註冊為 Azure AD 租用戶中的裝置。When all of the pre-requisites are in place, Windows devices will automatically register as devices in your Azure AD tenant. 在 Azure AD 中的這些裝置身分識別狀態稱為 「 混合式 Azure AD 聯結 」。The state of these device identities in Azure AD is referred as hybrid Azure AD join. 可以在文章中找到這篇文章所涵蓋的概念的詳細資訊Azure Active Directory 中的裝置身分識別管理簡介規劃您的混合式 Azure Active Directory join實作More information about the concepts covered in this article can be found in the articles Introduction to device identity management in Azure Active Directory and Plan your hybrid Azure Active Directory join implementation.

組織可能想要執行混合式 Azure AD join 控制的驗證,再讓它全部一次其整個組織。Organizations may want to do a controlled validation of hybrid Azure AD join before enabling it across their entire organization all at once. 檢閱文件控制的混合式 Azure AD join 驗證來了解如何完成這項工作。Review the article controlled validation of hybrid Azure AD join to understand how to accomplish it.

選取您根據您的身分識別基礎結構的案例Select your scenario based on your identity infrastructure

混合式 Azure AD join 搭配,受控和同盟的環境。Hybrid Azure AD join works with both, managed and federated environments.

受控環境Managed environment

受控環境可使用無縫單一登入透過密碼雜湊同步 (PHS)傳遞驗證 (PTA) 進行部署。A managed environment can be deployed either through Password Hash Sync (PHS) or Pass Through Authentication (PTA) with Seamless Single Sign On.

在這些案例中,您不需要設定同盟伺服器以進行驗證。These scenarios don't require you to configure a federation server for authentication.

同盟環境Federated environment

同盟的環境中應該有識別提供者支援下列需求:A federated environment should have an identity provider that supports the following requirements:

  • Ws-trust 通訊協定: 此通訊協定,才能驗證 Windows 目前的混合式 Azure AD 已加入 Azure ad 的裝置。WS-Trust protocol: This protocol is required to authenticate Windows current hybrid Azure AD joined devices with Azure AD.
  • WIAORMULTIAUTHN 宣告: 此宣告,才能執行混合式 Azure AD join 適用於 Windows 舊版裝置。WIAORMULTIAUTHN claim: This claim is required to do hybrid Azure AD join for Windows down-level devices.

如果您有使用 Active Directory Federation Services (AD FS) 同盟的環境中,都已經支援上述的需求。If you have a federated environment using Active Directory Federation Services (AD FS), then the above requirements are already supported.


Azure AD 不支援受控網域中的智慧卡或憑證。Azure AD does not support smartcards or certificates in managed domains.

從 1.1.819.0 版開始,Azure AD Connect 即為您提供用來設定混合式 Azure AD Join 的精靈。Beginning with version 1.1.819.0, Azure AD Connect provides you with a wizard to configure hybrid Azure AD join. 此精靈可讓您大幅簡化設定程序。The wizard enables you to significantly simplify the configuration process. 如果安裝必要的 Azure AD Connect 版本不適合您,請參閱如何手動設定裝置註冊If installing the required version of Azure AD Connect is not an option for you, see how to manually configure device registration.

根據符合您的身分識別基礎結構的案例,請參閱:Based on the scenario that matches your identity infrastructure, see:

檢閱內部部署 AD UPN 支援混合式 Azure AD 加入Review on-premises AD UPN support for Hybrid Azure AD join

有時候,您的內部部署 AD UPN 可能與 Azure AD UPN 不同。Sometimes, your on-premises AD UPNs could be different from your Azure AD UPNs. 在此情況下,Windows 10 混合式 Azure AD Join 會根據驗證方法、網域類型和 Windows 10 版本,提供有限的內部部署 AD UPN 支援。In such cases, Windows 10 Hybrid Azure AD join provides limited support for on-premises AD UPNs based on the authentication method, domain type and Windows 10 version. 您的環境中可以有兩種類型的內部部署 AD UPN:There are two types of on-premises AD UPNs that can exist in your environment:

  • 可路由的 UPN:可路由的 UPN 具有有效的已驗證網域,該網域已向網域註冊機構註冊。Routable UPN: A routable UPN has a valid verified domain, that is registered with a domain registrar. 例如,如果 Azure AD 中的主要網域為 contoso.com,則 contoso.org 在 Contoso 所擁有且已在 Azure AD 中驗證的內部部署 AD 中是主要網域For example, if contoso.com is the primary domain in Azure AD, contoso.org is the primary domain in on-premises AD owned by Contoso and verified in Azure AD
  • 不可路由的 UPN:不可路由的 UPN 沒有已驗證的網域。Non-routable UPN: A non-routable UPN does not have a verified domain. 它僅適用於組織的私人網路內。It is applicable only within your organization's private network. 例如,如果 Azure AD 中的主要網域為 contoso.com,則 contoso.local 是內部部署 AD 中的主要網域,但不是網際網路中可驗證的網域,而且只能在 Contoso 的網路內使用。For example, if contoso.com is the primary domain in Azure AD, contoso.local is the primary domain in on-premises AD but is not a verifiable domain in the internet and only used within Contoso's network.

下表提供有關在 Windows 10 混合式 Azure AD Join 中支援這些內部部署 AD UPN 的詳細資料The table below provides details on support for these on-premises AD UPNs in Windows 10 Hybrid Azure AD join

內部部署 AD UPN 的類型Type of on-premises AD UPN 網域類型Domain type Windows 10 版本Windows 10 version 描述Description
路由式Routable 同盟Federated 自 1703 版起From 1703 release 正式推出Generally available
非可路由傳送Non-routable 同盟Federated 自 1803 版起From 1803 release 正式推出Generally available
路由式Routable 受控Managed 不支援Not supported
非可路由傳送Non-routable 受控Managed 不支援Not supported

後續步驟Next steps