How To: Plan your hybrid Azure Active Directory join implementation

In a similar way to a user, a device is another core identity you want to protect and use to protect your resources at any time and from any location. You can accomplish this goal by bringing and managing device identities in Azure AD using one of the following methods:

  • Azure AD join
  • Hybrid Azure AD join
  • Azure AD registration

By bringing your devices to Azure AD, you maximize your users' productivity through single sign-on (SSO) across your cloud and on-premises resources. At the same time, you can secure access to your cloud and on-premises resources with Conditional Access.

If you have an on-premises Active Directory (AD) environment and you want to join your AD domain-joined computers to Azure AD, you can accomplish this by doing hybrid Azure AD join. This article provides you with the related steps to implement a hybrid Azure AD join in your environment.

Prerequisites

This article assumes that you are familiar with the Introduction to device identity management in Azure Active Directory.

Note

The minimum required domain controller version for Windows 10 hybrid Azure AD join is Windows Server 2008 R2.

Plan your implementation

To plan your hybrid Azure AD implementation, you should familiarize yourself with:

  • Review supported devices
  • Review things you should know
  • Review controlled validation of hybrid Azure AD join
  • Select your scenario based on your identity infrastructure
  • Review on-premises AD UPN support for hybrid Azure AD join

Review supported devices

Hybrid Azure AD join supports a broad range of Windows devices. Because the configuration for devices running older versions of Windows requires additional or different steps, the supported devices are grouped into two categories:

Windows current devices

  • Windows 10
  • Windows Server 2016
    • Note: Azure National cloud customers require version 1809
  • Windows Server 2019

For devices running the Windows desktop operating system, supported versions are listed in the article Windows 10 release information. As a best practice, Microsoft recommends you upgrade to the latest version of Windows 10.

Windows down-level devices

As a first planning step, you should review your environment and determine whether you need to support Windows down-level devices.

Review things you should know

Unsupported scenarios

  • Hybrid Azure AD join is currently not supported if your environment consists of a single AD forest synchronizing identity data to more than one Azure AD tenant.

  • Hybrid Azure AD join is not supported for Windows Server running the Domain Controller (DC) role.

  • Hybrid Azure AD join is not supported on Windows down-level devices when using credential roaming, user profile roaming, or mandatory profiles.

  • Server Core OS doesn't support any type of device registration.

OS imaging considerations

  • If you are relying on the System Preparation Tool (Sysprep) and you are using a pre-Windows 10 1809 image for installation, make sure that the image is not from a device that is already registered with Azure AD as hybrid Azure AD joined.

  • If you are relying on a Virtual Machine (VM) snapshot to create additional VMs, make sure that the snapshot is not from a VM that is already registered with Azure AD as hybrid Azure AD joined.

  • If you are using Unified Write Filter or similar technologies that clear changes to the disk at reboot, they must be applied after the device is hybrid Azure AD joined. Enabling such technologies before hybrid Azure AD join completes will result in the device getting unjoined on every reboot.

Handling devices with Azure AD registered state

If your Windows 10 domain-joined devices are Azure AD registered to your tenant, it could lead to a dual state of hybrid Azure AD joined and Azure AD registered device. We recommend upgrading to Windows 10 1803 (with KB4489894 applied) or above to automatically address this scenario. In pre-1803 releases, you will need to remove the Azure AD registered state manually before enabling hybrid Azure AD join. In 1803 and above releases, the following changes have been made to avoid this dual state:

  • Any existing Azure AD registered state for a user is automatically removed after the device is hybrid Azure AD joined and the same user logs in. For example, if User A had an Azure AD registered state on the device, the dual state for User A is cleaned up only when User A logs in to the device. If there are multiple users on the same device, the dual state is cleaned up individually when those users log in. In addition to removing the Azure AD registered state, Windows 10 will also unenroll the device from Intune or other MDM, if the enrollment happened as part of the Azure AD registration via auto-enrollment.
  • You can prevent your domain-joined device from being Azure AD registered by adding the following registry value to HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin: "BlockAADWorkplaceJoin"=dword:00000001.
  • In Windows 10 1803, if you have Windows Hello for Business configured, the user needs to set up Windows Hello for Business again after the dual state clean-up. This issue has been addressed with KB4512509.

Note

Even though Windows 10 automatically removes the Azure AD registered state locally, the device object in Azure AD is not immediately deleted if it is managed by Intune. You can validate the removal of the Azure AD registered state by running dsregcmd /status and consider the device not to be Azure AD registered based on that output.
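The following PowerShell is an added example, not code from the Microsoft article: it parses dsregcmd /status output to detect the dual "hybrid Azure AD joined plus Azure AD registered" state described above, and wraps the BlockAADWorkplaceJoin policy value from the list above in a helper. The function names and the abridged status sample are constructed for the demonstration.

```powershell
# Added example (not from the Microsoft article). Run in an elevated
# PowerShell session on a domain-joined Windows 10 device.

function Get-DeviceJoinState {
    param([string[]]$StatusLines = (& dsregcmd.exe /status))
    # dsregcmd prints "   Key : Value" lines; AzureAdJoined and DomainJoined
    # sit under "Device State", WorkplaceJoined under "User State".
    $state = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:\s*(YES|NO)\s*$') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    $hybrid = [bool]$state['AzureAdJoined'] -and [bool]$state['DomainJoined']
    [pscustomobject]@{
        HybridAzureAdJoined = $hybrid
        AzureAdRegistered   = [bool]$state['WorkplaceJoined']
        # Dual state: hybrid joined device that is also Azure AD registered.
        DualState           = $hybrid -and [bool]$state['WorkplaceJoined']
    }
}

function Set-BlockAadWorkplaceJoin {
    # Policy value named in the article; stops domain-joined devices from
    # being Azure AD registered so the dual state cannot recur.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'BlockAADWorkplaceJoin' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# Constructed, abridged sample of dsregcmd /status output for an offline run.
$sample = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '| User State                                                           |',
    '           WorkplaceJoined : YES'
)
$result = Get-DeviceJoinState -StatusLines $sample
$result
if ($result.DualState) {
    Write-Warning 'Dual state: device is hybrid Azure AD joined AND Azure AD registered for this user.'
}
```

On a real device call Get-DeviceJoinState with no arguments, and apply Set-BlockAadWorkplaceJoin only after the registered state has been cleaned up as the article describes.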

Additional considerations

  • If your environment uses virtual desktop infrastructure (VDI), see Device identity and desktop virtualization.

  • Hybrid Azure AD join is supported for FIPS-compliant TPM 2.0 and not supported for TPM 1.2. If your devices have FIPS-compliant TPM 1.2, you must disable them before proceeding with hybrid Azure AD join. Microsoft does not provide any tools for disabling FIPS mode for TPMs as it is dependent on the TPM manufacturer. Please contact your hardware OEM for support.

  • Starting from the Windows 10 1903 release, TPM 1.2 is not used with hybrid Azure AD join, and devices with those TPMs will be treated as if they don't have a TPM.

Review controlled validation of hybrid Azure AD join

When all of the prerequisites are in place, Windows devices will automatically register as devices in your Azure AD tenant. The state of these device identities in Azure AD is referred to as hybrid Azure AD join. More information about the concepts covered in this article can be found in the article Introduction to device identity management in Azure Active Directory.

Organizations may want to do a controlled validation of hybrid Azure AD join before enabling it across their entire organization all at once. Review the article Controlled validation of hybrid Azure AD join to understand how to accomplish it.

Select your scenario based on your identity infrastructure

Hybrid Azure AD join works with both managed and federated environments, depending on whether the UPN is routable or non-routable. See the table at the bottom of the page for the supported scenarios.

Managed environment

A managed environment can be deployed either through Password Hash Sync (PHS) or Pass-through Authentication (PTA) with Seamless Single Sign-On.

These scenarios don't require you to configure a federation server for authentication.

Note

Cloud authentication using staged rollout is only supported starting with the Windows 10 1903 update.

Federated environment

A federated environment should have an identity provider that supports the following requirements. If you have a federated environment using Active Directory Federation Services (AD FS), then the requirements below are already supported.

  • WIAORMULTIAUTHN claim: This claim is required to do hybrid Azure AD join for Windows down-level devices.
  • WS-Trust protocol: This protocol is required to authenticate Windows current hybrid Azure AD joined devices with Azure AD. When you're using AD FS, you need to enable the following WS-Trust endpoints:
    /adfs/services/trust/2005/windowstransport
    /adfs/services/trust/13/windowstransport
    /adfs/services/trust/2005/usernamemixed
    /adfs/services/trust/13/usernamemixed
    /adfs/services/trust/2005/certificatemixed
    /adfs/services/trust/13/certificatemixed

Warning

Both adfs/services/trust/2005/windowstransport and adfs/services/trust/13/windowstransport should be enabled as intranet-facing endpoints only and must NOT be exposed as extranet-facing endpoints through the Web Application Proxy. To learn more about how to disable WS-Trust Windows endpoints, see Disable WS-Trust Windows endpoints on the proxy. You can see which endpoints are enabled through the AD FS management console under Service > Endpoints.
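As an added example (not from the Microsoft article), this PowerShell audits the six WS-Trust endpoints listed above from the AD FS PowerShell module: every one must be enabled, and the two windowstransport endpoints must not be published through the proxy. It assumes you run it on the primary AD FS server; the function name and the -Fix switch are this example's own.

```powershell
# Added example (not from the Microsoft article). Run on the primary AD FS
# server; Get-AdfsEndpoint exposes AddressPath, Enabled and Proxy.

$required = @(
    '/adfs/services/trust/2005/windowstransport',
    '/adfs/services/trust/13/windowstransport',
    '/adfs/services/trust/2005/usernamemixed',
    '/adfs/services/trust/13/usernamemixed',
    '/adfs/services/trust/2005/certificatemixed',
    '/adfs/services/trust/13/certificatemixed'
)
# windowstransport must stay intranet-only: never published via the WAP.
$intranetOnly = $required | Where-Object { $_ -like '*windowstransport' }

function Test-HybridJoinAdfsEndpoints {
    param([switch]$Fix)   # -Fix enables missing endpoints and unpublishes windowstransport
    foreach ($path in $required) {
        $ep = Get-AdfsEndpoint -AddressPath $path
        if (-not $ep) {
            [pscustomobject]@{ AddressPath = $path; Enabled = $null; ProxyExposed = $null; Compliant = $false }
            continue
        }
        $enabledOk = [bool]$ep.Enabled
        $proxyOk   = if ($path -in $intranetOnly) { -not $ep.Proxy } else { $true }
        if ($Fix) {
            if (-not $enabledOk) { Enable-AdfsEndpoint -TargetAddressPath $path }
            if (-not $proxyOk)   { Set-AdfsEndpoint -TargetAddressPath $path -Proxy $false }
        }
        [pscustomobject]@{
            AddressPath  = $path
            Enabled      = $ep.Enabled
            ProxyExposed = $ep.Proxy
            Compliant    = ($enabledOk -and $proxyOk)
        }
    }
}

# Report only; add -Fix to remediate.
Test-HybridJoinAdfsEndpoints | Format-Table -AutoSize
```

Endpoint changes take effect after the AD FS service (adfssrv) is restarted, so restart it after running with -Fix.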

Note

Azure AD does not support smartcards or certificates in managed domains.

Beginning with version 1.1.819.0, Azure AD Connect provides you with a wizard to configure hybrid Azure AD join. The wizard significantly simplifies the configuration process. If installing the required version of Azure AD Connect is not an option for you, see how to manually configure device registration.

Based on the scenario that matches your identity infrastructure, see:

Review on-premises AD users UPN support for hybrid Azure AD join

Sometimes, your on-premises AD users' UPNs could be different from your Azure AD UPNs. In such cases, Windows 10 hybrid Azure AD join provides limited support for on-premises AD UPNs based on the authentication method, domain type and Windows 10 version. There are two types of on-premises AD UPNs that can exist in your environment:

  • Routable users UPN: A routable UPN has a valid verified domain that is registered with a domain registrar. For example, if contoso.com is the primary domain in Azure AD, contoso.org is the primary domain in on-premises AD owned by Contoso and verified in Azure AD.
  • Non-routable users UPN: A non-routable UPN does not have a verified domain. It is applicable only within your organization's private network. For example, if contoso.com is the primary domain in Azure AD, contoso.local is the primary domain in on-premises AD but is not a verifiable domain on the internet and is only used within Contoso's network.
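To apply the routable/non-routable distinction above to a real directory, this added PowerShell example (not from the Microsoft article) groups on-premises user UPN suffixes and marks each one routable only when it is a verified domain in the Azure AD tenant. It assumes the ActiveDirectory and AzureAD modules and an existing Connect-AzureAD session for live use; the user list and verified domains in the demo run are constructed.

```powershell
# Added example (not from the Microsoft article).

function Get-UpnSuffixReport {
    param(
        [string[]]$UserPrincipalNames,   # on-premises user UPNs
        [string[]]$VerifiedDomains       # domains verified in Azure AD
    )
    $verified = $VerifiedDomains | ForEach-Object { $_.ToLowerInvariant() }
    $UserPrincipalNames |
        Where-Object { $_ -match '@' } |                       # skip users with no UPN set
        ForEach-Object { ($_ -split '@', 2)[1].ToLowerInvariant() } |
        Group-Object |
        ForEach-Object {
            [pscustomobject]@{
                Suffix    = $_.Name
                UserCount = $_.Count
                # Routable per the article: the suffix is a verified Azure AD domain.
                Routable  = ($_.Name -in $verified)
            }
        }
}

# Live collection (uncomment on a workstation with both modules loaded):
# $upns     = (Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName).UserPrincipalName
# $verified = (Get-AzureADDomain | Where-Object IsVerified).Name

# Constructed sample mirroring the contoso.com / contoso.org / contoso.local cases above.
$upns     = 'alice@contoso.com', 'bob@contoso.org', 'carol@contoso.local', 'dave@CONTOSO.LOCAL'
$verified = 'contoso.com', 'contoso.org'

Get-UpnSuffixReport -UserPrincipalNames $upns -VerifiedDomains $verified | Format-Table -AutoSize
```

Any suffix reported as non-routable (contoso.local in the sample) falls into the federated-only rows of the support table below.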

Note

The information in this section applies only to an on-premises user's UPN. It isn't applicable to an on-premises computer domain suffix (example: computer1.contoso.local).

The table below provides details on support for these on-premises AD UPNs in Windows 10 hybrid Azure AD join.

Type of on-premises AD UPN | Domain type | Windows 10 version   | Description
Routable                   | Federated   | From 1703 release    | Generally available
Non-routable               | Federated   | From 1803 release    | Generally available
Routable                   | Managed     | From 1803 release    | Generally available; Azure AD SSPR on the Windows lock screen is not supported
Non-routable               | Managed     | Not supported        |

Next steps