What is a device identity?

In a mobile-first, cloud-first world, Azure Active Directory (Azure AD) enables single sign-on to devices, apps, and services from anywhere. With the proliferation of devices, including Bring Your Own Device (BYOD), IT professionals are faced with two opposing goals:

  • Empower the end users to be productive wherever and whenever
  • Protect the corporate assets at any time

Through devices in Azure AD, your users get access to your corporate assets. To protect those assets, as an IT administrator you want to manage these device identities. This lets you make sure that your users access your resources only from devices that meet your standards for security and compliance.

Device identity management is also the foundation for device-based conditional access. With device-based conditional access, you can ensure that access to resources in your environment is only possible from managed devices.

Getting devices in Azure AD

To get a device in Azure AD, you have two options:

  • Registering
  • Joining

Registering a device with Azure AD enables you to manage the device's identity. When a device is registered, Azure AD device registration provides the device with an identity that is used to authenticate the device when a user signs in to Azure AD. You can use that identity to enable or disable the device.

When combined with a mobile device management (MDM) solution such as Microsoft Intune, the device attributes in Azure AD are updated with additional information about the device. This allows you to create conditional access rules that require devices to meet your standards for security and compliance before they are granted access. For more information on enrolling devices in Microsoft Intune, see What is device enrollment?

Joining a device is an extension of registering a device. It provides all the benefits of registering a device and, in addition, changes the local state of the device. Changing the local state enables your users to sign in to the device using an organizational work or school account instead of a personal account.

Azure AD registered devices

The goal of Azure AD registered devices is to provide support for the Bring Your Own Device (BYOD) scenario. In this scenario, a user can access your organization's Azure Active Directory controlled resources using a personal device.

[Figure: Azure AD registered devices]

The access is based on a work or school account that has been entered on the device. For example, Windows 10 enables users to add a work or school account to a personal computer, tablet, or phone. When a user has added a work or school account, the device is registered with Azure AD and optionally enrolled in the mobile device management (MDM) system that your organization has configured. Your organization's users can conveniently add a work or school account to a personal device:

  • When accessing a work application for the first time
  • Manually via the Settings menu, in the case of Windows 10

You can configure an Azure AD registered device state for Windows 10 personal, iOS, Android, and macOS devices.

Azure AD joined devices

The goal of Azure AD joined devices is to simplify:

  • Windows deployments of work-owned devices
  • Access to organizational apps and resources from any Windows device
  • Cloud-based management of work-owned devices


Azure AD Join can be deployed by using any of the following methods:

Azure AD Join is intended for organizations that want to be cloud-first (that is, primarily use cloud services, with a goal of reducing use of on-premises infrastructure) or cloud-only (no on-premises infrastructure). There are no restrictions on the size or type of organization that can deploy Azure AD Join. Azure AD Join works well even in a hybrid environment, enabling access to both cloud and on-premises apps and resources.

Implementing Azure AD joined devices provides you with the following benefits:

  • Single sign-on (SSO) to your Azure managed SaaS apps and services. Your users don't see additional authentication prompts when accessing work resources. The SSO functionality is available even when your users are not connected to the domain network.
  • Enterprise-compliant roaming of user settings across joined devices. Users don't need to connect a Microsoft account (for example, Hotmail) to see settings across devices.
  • Access to Windows Store for Business using an Azure AD account. Your users can choose from an inventory of applications pre-selected by the organization.
  • Windows Hello support for secure and convenient access to work resources.
  • Restriction of access to apps to only devices that meet compliance policy.
  • Seamless access to on-premises resources when the device has line of sight to an on-premises domain controller.

While Azure AD Join is primarily intended for organizations that do not have an on-premises Windows Server Active Directory infrastructure, you can certainly use it in scenarios where:

  • You want to transition to a cloud-based infrastructure using Azure AD and an MDM such as Intune.
  • You can't use an on-premises domain join, for example because you need to bring mobile devices such as tablets and phones under control.
  • Your users primarily need to access Office 365 or other SaaS apps integrated with Azure AD.
  • You want to manage a group of users in Azure AD instead of in Active Directory. This can apply, for example, to seasonal workers, contractors, or students.
  • You want to provide joining capabilities to workers in remote branch offices with limited on-premises infrastructure.

You can configure Azure AD joined devices for Windows 10 devices.

Hybrid Azure AD joined devices

For more than a decade, many organizations have used the domain join to their on-premises Active Directory to enable:

  • IT departments to manage work-owned devices from a central location.
  • Users to sign in to their devices with their Active Directory work or school accounts.

Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use System Center Configuration Manager (SCCM) or group policy (GP) to manage them.

If your environment has an on-premises AD footprint and you also want to benefit from the capabilities provided by Azure Active Directory, you can implement hybrid Azure AD joined devices. These are devices that are joined to your on-premises Active Directory and registered with your Azure Active Directory.


You should use hybrid Azure AD joined devices if:

  • You have Win32 apps deployed to these devices that rely on Active Directory machine authentication.
  • You require GP to manage devices.
  • You want to continue to use imaging solutions to configure devices for your employees.

You can configure hybrid Azure AD joined devices for Windows 10 and down-level devices such as Windows 8 and Windows 7.

Summary

With device identity management in Azure AD, you can:

  • Simplify the process of bringing devices into Azure AD and managing them
  • Provide your users with easy-to-use access to your organization's cloud-based resources

As a rule of thumb, you should use:

  • Azure AD registered devices:
    • For personal devices
    • To manually register devices with Azure AD
  • Azure AD joined devices:
    • For devices that are owned by your organization
    • For devices that are not joined to an on-premises AD
    • To manually register devices with Azure AD
    • To change the local state of a device
  • Hybrid Azure AD joined devices:
    • For devices that are owned by your organization
    • For devices that are joined to an on-premises AD
    • To automatically register devices with Azure AD
    • To change the local state of a device
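The rule of thumb above maps onto three device states that a Windows 10 device reports locally. The following PowerShell function, an added example that is not part of the original page, classifies a device into one of those states by parsing the output of the built-in `dsregcmd /status` tool. It assumes the field names AzureAdJoined and DomainJoined (Device State section) and WorkplaceJoined (User State section) as printed by dsregcmd; the sample output embedded below is constructed and abridged so the function can be exercised offline.

```powershell
# Added example (not from the original page): map a Windows 10 device's
# dsregcmd /status output onto the page's three device identity states.
# Assumes dsregcmd prints "AzureAdJoined : YES/NO", "DomainJoined : YES/NO"
# and "WorkplaceJoined : YES/NO" lines.
function Get-DeviceIdentityState {
    param(
        # Lines of `dsregcmd /status` output; if omitted, the tool is run locally.
        [string[]]$StatusText
    )
    if (-not $StatusText) { $StatusText = dsregcmd /status }

    # Collect every "Name : YES/NO" field into a hashtable of booleans.
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(\S+)\s*:\s*(YES|NO)\s*$') {
            $fields[$matches[1]] = ($matches[2] -eq 'YES')
        }
    }
    $aadJoined  = [bool]$fields['AzureAdJoined']    # device has an Azure AD identity
    $domJoined  = [bool]$fields['DomainJoined']     # device is joined to on-premises AD
    $wpJoined   = [bool]$fields['WorkplaceJoined']  # a work/school account was added

    if ($aadJoined -and $domJoined) { return 'Hybrid Azure AD joined' }
    if ($aadJoined)                 { return 'Azure AD joined' }
    if ($wpJoined)                  { return 'Azure AD registered' }
    if ($domJoined)                 { return 'On-premises AD joined only' }
    return 'Not known to Azure AD'
}

# Constructed, abridged sample of dsregcmd /status for a hybrid-joined device.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : NO
'@ -split "`r?`n"

Get-DeviceIdentityState -StatusText $sample   # Hybrid Azure AD joined
# On a real Windows 10 device, call it with no arguments:
# Get-DeviceIdentityState
```

A device reporting both DomainJoined and WorkplaceJoined but not AzureAdJoined has an on-premises join plus a separately added work account rather than a hybrid join, which is why the function checks AzureAdJoined first.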

License requirements

Using this feature requires an Azure AD Premium P1 license. To find the right license for your requirements, see Comparing generally available features of the Free, Basic, and Premium editions.

Next steps