What is a device identity?

With the proliferation of devices of all shapes and sizes and the Bring Your Own Device (BYOD) concept, IT professionals are faced with two somewhat opposing goals:

  • Allow end users to be productive wherever and whenever
  • Protect the organization's assets

To protect these assets, IT staff need to first manage the device identities. IT staff can build on the device identity with tools like Microsoft Intune to ensure standards for security and compliance are met. Azure Active Directory (Azure AD) enables single sign-on to devices, apps, and services from anywhere through these devices.

  • Your users get access to the organization's assets they need.
  • Your IT staff get the controls they need to secure your organization.

Device identity management is the foundation for device-based Conditional Access. With device-based Conditional Access policies, you can ensure that access to resources in your environment is only possible with managed devices.

Getting devices in Azure AD

To get a device in Azure AD, you have multiple options:

  • Azure AD registered
    • Devices that are Azure AD registered are typically personally owned or mobile devices, and are signed in to with a personal Microsoft account or another local account.
      • Windows 10
      • iOS
      • Android
      • MacOS
  • Azure AD joined
    • Devices that are Azure AD joined are owned by an organization, and are signed in to with an Azure AD account belonging to that organization. They exist only in the cloud.
      • Windows 10
  • Hybrid Azure AD joined
    • Devices that are hybrid Azure AD joined are owned by an organization, and are signed in to with an Azure AD account belonging to that organization. They exist in the cloud and on-premises.
      • Windows 7, 8.1, or 10
      • Windows Server 2008 or newer

Figure: devices displayed in the Azure AD devices blade
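The three join states above can be verified on a Windows device from the fields that `dsregcmd /status` prints. The following PowerShell is an added example, not code from the original article: it parses a constructed sample of that output (the field names AzureAdJoined, DomainJoined and WorkplaceJoined are real; the DomainName value is made up) and maps the combination to the state described on this page.

```powershell
# Constructed sample of `dsregcmd /status` output for offline use.
# On a real device replace it with: $status = (dsregcmd /status) -join "`n"
$status = @"
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : YES
           WorkplaceJoined : NO
"@

function Get-DeviceJoinType {
    param([Parameter(Mandatory)][string]$StatusText)

    # Collect "Name : VALUE" pairs; banner and separator lines have no colon and are skipped.
    $fields = @{}
    foreach ($line in ($StatusText -split "`r?`n")) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $azureAdJoined   = $fields['AzureAdJoined']   -eq 'YES'
    $domainJoined    = $fields['DomainJoined']    -eq 'YES'
    $workplaceJoined = $fields['WorkplaceJoined'] -eq 'YES'

    # Map the flags to the three states the article describes.
    # AzureAdJoined + DomainJoined  -> hybrid Azure AD joined (cloud and on-premises)
    # AzureAdJoined only            -> Azure AD joined (cloud only)
    # WorkplaceJoined only          -> Azure AD registered (personal or mobile device)
    if ($azureAdJoined -and $domainJoined) { return 'Hybrid Azure AD joined' }
    if ($azureAdJoined)                    { return 'Azure AD joined' }
    if ($workplaceJoined)                  { return 'Azure AD registered' }
    return 'Not in Azure AD'
}

$joinType = Get-DeviceJoinType -StatusText $status
Write-Output "Device join type: $joinType"
```

A device that reports "Not in Azure AD" has no device identity to build a device-based Conditional Access decision on, which is the gap the rest of this article is about closing.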

Device management

Devices in Azure AD can be managed using Mobile Device Management (MDM) tools like Microsoft Intune, System Center Configuration Manager, Group Policy (hybrid Azure AD join), Mobile Application Management (MAM) tools, or other third-party tools.

Resource access

Registering and joining give your users Seamless Sign-on (SSO) to cloud resources and give administrators the ability to apply Conditional Access policies to those resources.

Devices that are Azure AD joined or hybrid Azure AD joined benefit from SSO to your organization's on-premises resources as well as cloud resources. More information can be found in the article, How SSO to on-premises resources works on Azure AD joined devices.

Device security

  • Azure AD registered devices utilize an account managed by the end user; this account is either a Microsoft account or another locally managed credential secured with one or more of the following:
    • Password
    • PIN
    • Pattern
    • Windows Hello
  • Azure AD joined or hybrid Azure AD joined devices utilize an organizational account in Azure AD secured with one or more of the following:
    • Password
    • Windows Hello for Business

Provisioning

Getting devices into Azure AD can be done in a self-service manner or through a controlled provisioning process run by administrators.

Summary

With device identity management in Azure AD, you can:

  • Simplify the process of bringing devices into Azure AD and managing them
  • Provide your users with easy-to-use access to your organization's cloud-based resources

License requirements

Using this feature requires an Azure AD Premium P1 license. To find the right license for your requirements, see Comparing generally available features of the Free, Basic, and Premium editions.

Next steps