What is Azure Active Directory?

Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service, which helps your employees sign in and access resources in:

  • External resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS applications.

  • Internal resources, such as apps on your corporate network and intranet, along with any cloud apps developed by your own organization.

You can use the various Microsoft Cloud for Enterprise Architects Series posters to better understand the core identity services in Azure, Azure AD, and Office 365.

Who uses Azure AD?

Azure AD is intended for:

  • IT admins. As an IT admin, you can use Azure AD to control access to your apps and your app resources, based on your business requirements. For example, you can use Azure AD to require multi-factor authentication when accessing important organizational resources. Additionally, you can use Azure AD to automate user provisioning between your existing Windows Server AD and your cloud apps, including Office 365. Finally, Azure AD gives you powerful tools to automatically help protect user identities and credentials and to meet your access governance requirements. To get started, sign up for a free 30-day Azure Active Directory Premium trial.

  • App developers. As an app developer, Azure AD gives you a standards-based approach for adding single sign-on (SSO) to your app, allowing it to work with a user's pre-existing credentials. Azure AD also provides APIs that can help you build personalized app experiences using existing organizational data. To get started, sign up for a free 30-day Azure Active Directory Premium trial. For more information, you can also see Azure Active Directory for developers.

  • Microsoft 365, Office 365, Azure, or Dynamics CRM Online subscribers. As a subscriber, you're already using Azure AD. Each Microsoft 365, Office 365, Azure, and Dynamics CRM Online tenant is automatically an Azure AD tenant. You can immediately start to manage access to your integrated cloud apps.

What are the Azure AD licenses?

Microsoft Online business services, such as Office 365 or Microsoft Azure, require Azure AD for sign-in and to help with identity protection. If you subscribe to any Microsoft Online business service, you automatically get Azure AD with access to all the free features.

To enhance your Azure AD implementation, you can also add paid capabilities by upgrading to Azure Active Directory Basic, Premium P1, or Premium P2 licenses. Azure AD paid licenses are built on top of your existing free directory, providing self-service, enhanced monitoring, security reporting, and secure access for your mobile users.

Note

For the pricing options of these licenses, see Azure Active Directory Pricing.

Azure Active Directory Premium P1, Premium P2, and Azure Active Directory Basic are not currently supported in China. For more information about Azure AD pricing, contact the Azure Active Directory Forum.

  • Azure Active Directory Free. Provides user and group management, on-premises directory synchronization, basic reports, and single sign-on across Azure, Office 365, and many popular SaaS apps.

  • Azure Active Directory Basic. In addition to the Free features, Basic also provides cloud-centric app access, group-based access management, self-service password reset for cloud apps, and Azure AD Application Proxy, which lets you publish on-premises web apps using Azure AD.

  • Azure Active Directory Premium P1. In addition to the Free and Basic features, P1 also lets your hybrid users access both on-premises and cloud resources. It also supports advanced administration, such as dynamic groups, self-service group management, Microsoft Identity Manager (an on-premises identity and access management suite), and cloud write-back capabilities, which allow self-service password reset for your on-premises users.

  • Azure Active Directory Premium P2. In addition to the Free, Basic, and P1 features, P2 also offers Azure Active Directory Identity Protection, to help provide risk-based conditional access to your apps and critical company data, and Privileged Identity Management, to help discover, restrict, and monitor administrators and their access to resources and to provide just-in-time access when needed.

  • "Pay as you go" feature licenses. You can also get additional feature licenses, such as Azure Active Directory Business-to-Customer (B2C). B2C can help you provide identity and access management solutions for your customer-facing apps. For more information, see Azure Active Directory B2C documentation.

For more information about associating an Azure subscription to Azure AD, see How to: Associate or add an Azure subscription to Azure Active Directory. For more information about assigning licenses to your users, see How to: Assign or remove Azure Active Directory licenses.

Terminology

To better understand Azure AD and its documentation, we recommend reviewing the following terms.

  • Azure subscription. Used to pay for Azure cloud services. You can have many subscriptions, and they're linked to a credit card.

  • Azure tenant. A dedicated and trusted instance of Azure AD that's automatically created when your organization signs up for a Microsoft cloud service subscription, such as Microsoft Azure, Microsoft Intune, or Office 365. An Azure tenant represents a single organization.

  • Single tenant. Azure tenants that access other services in a dedicated environment are considered single tenant.

  • Multi-tenant. Azure tenants that access other services in a shared environment, across multiple organizations, are considered multi-tenant.

  • Azure AD directory. Each Azure tenant has a dedicated and trusted Azure AD directory. The Azure AD directory includes the tenant's users, groups, and apps and is used to perform identity and access management functions for tenant resources.

  • Azure AD account. An identity created through Azure AD or another Microsoft cloud service, such as Office 365. Identities are stored in Azure AD and accessible to your organization's cloud service subscriptions. This account is also sometimes called a work or school account.

  • Custom domain. Every new Azure AD directory comes with an initial domain name, domainname.onmicrosoft.com. In addition to that initial name, you can also add your organization's domain names, which include the names you use to do business and that your users use to access your organization's resources, to the list. Adding custom domain names helps you to create user names that are familiar to your users, such as alain@contoso.com.

  • Account Administrator. This classic subscription administrator role is conceptually the billing owner of a subscription. This role has access to the Azure Account Center and enables you to manage all subscriptions in an account. For more information, see Classic subscription administrator roles, Azure role-based access control (RBAC) roles, and Azure AD administrator roles.

  • Service Administrator. This classic subscription administrator role enables you to manage all Azure resources, including access. This role has the equivalent access of a user who is assigned the Owner role at the subscription scope. For more information, see Classic subscription administrator roles, Azure RBAC roles, and Azure AD administrator roles.

  • Owner. This role helps you manage all Azure resources, including access. This role is built on a newer authorization system called role-based access control (RBAC) that provides fine-grained access management to Azure resources. For more information, see Classic subscription administrator roles, Azure RBAC roles, and Azure AD administrator roles.

  • Azure AD Global administrator. This administrator role is automatically assigned to whoever created the Azure AD tenant. Global administrators can do all of the administrative functions for Azure AD and any services that federate to Azure AD, such as Exchange Online, SharePoint Online, and Skype for Business Online. You can have multiple Global administrators, but only Global administrators can assign administrator roles (including assigning other Global administrators) to users.

    Note: This administrator role is called Global administrator in the Azure portal, but it's called Company administrator in the Microsoft Graph API, the Azure AD Graph API, and Azure AD PowerShell. For more information about the various administrator roles, see Administrator role permissions in Azure Active Directory.

  • Microsoft account (also called MSA). Personal accounts that provide access to your consumer-oriented Microsoft products and cloud services, such as Outlook, OneDrive, Xbox LIVE, or Office 365. Your Microsoft account is created and stored in the Microsoft consumer identity account system that's run by Microsoft.

Which features work in Azure AD?

After you choose your Azure AD license, you'll get access to some or all of the following features for your organization:

  • Application management. Manage your cloud and on-premises apps using Application Proxy, single sign-on, the My Apps portal (also known as the Access panel), and Software as a Service (SaaS) apps. For more information, see How to provide secure remote access to on-premises applications and the Application Management documentation.

  • Authentication. Manage Azure Active Directory self-service password reset, Multi-Factor Authentication, custom banned password list, and smart lockout. For more information, see the Azure AD Authentication documentation.

  • Business-to-Business (B2B). Manage your guest users and external partners, while maintaining control over your own corporate data. For more information, see the Azure Active Directory B2B documentation.

  • Business-to-Customer (B2C). Customize and control how users sign up, sign in, and manage their profiles when using your apps. For more information, see the Azure Active Directory B2C documentation.

  • Conditional access. Manage access to your cloud apps. For more information, see the Azure AD Conditional Access documentation.

  • Azure Active Directory for developers. Build apps that sign in all Microsoft identities and get tokens to call Microsoft Graph, other Microsoft APIs, or custom APIs. For more information, see Microsoft identity platform (Azure Active Directory for developers).

  • Device Management. Manage how your cloud or on-premises devices access your corporate data. For more information, see the Azure AD Device Management documentation.

  • Domain services. Join Azure virtual machines to a domain without using domain controllers. For more information, see the Azure AD Domain Services documentation.

  • Enterprise users. Manage license assignment and access to apps, and set up delegates using groups and administrator roles. For more information, see the Azure Active Directory user management documentation.

  • Hybrid identity. Use Azure Active Directory Connect and Connect Health to provide a single user identity for authentication and authorization to all resources, regardless of location (cloud or on-premises). For more information, see the Hybrid identity documentation.

  • Identity governance. Manage your organization's identity through employee, business partner, vendor, service, and app access controls. You can also perform access reviews. For more information, see the Azure AD identity governance documentation and Azure AD access reviews.

  • Identity protection. Detect potential vulnerabilities affecting your organization's identities, configure policies to respond to suspicious actions, and then take appropriate action to resolve them. For more information, see Azure AD Identity Protection.

  • Managed identities for Azure resources. Provides your Azure services with an automatically managed identity in Azure AD that can authenticate to any Azure AD-supported authentication service, including Key Vault. For more information, see What is managed identities for Azure resources?.

  • Privileged Identity Management (PIM). Manage, control, and monitor access within your organization. This feature includes access to resources in Azure AD and Azure, and other Microsoft Online Services, like Office 365 or Intune. For more information, see Azure AD Privileged Identity Management.

  • Reports and monitoring. Gain insights into the security and usage patterns in your environment. For more information, see Azure Active Directory reports and monitoring.

Next steps