What is hybrid identity with Azure Active Directory?

Today, businesses and corporations are increasingly a mixture of on-premises and cloud applications. Users require access to those applications both on-premises and in the cloud. Managing users both on-premises and in the cloud poses challenging scenarios.

Microsoft's identity solutions span on-premises and cloud-based capabilities. These solutions create a common user identity for authentication and authorization to all resources, regardless of location. We call this hybrid identity.

With hybrid identity to Azure AD and hybrid identity management, these scenarios become possible.

To achieve hybrid identity with Azure AD, one of three authentication methods can be used, depending on your scenarios. The three methods are:

- Password hash synchronization (PHS)
- Pass-through authentication (PTA)
- Federation with AD FS

These authentication methods also provide single sign-on capabilities. Single sign-on automatically signs your users in when they are on their corporate devices, connected to your corporate network.

For additional information, see Choose the right authentication method for your Azure Active Directory hybrid identity solution.

Common scenarios and recommendations

Here are some common hybrid identity and access management scenarios, with recommendations as to which hybrid identity option (or options) might be appropriate for each.

| I need to: | PHS and SSO¹ | PTA and SSO² | AD FS³ |
| --- | --- | --- | --- |
| Sync new user, contact, and group accounts created in my on-premises Active Directory to the cloud automatically. | Recommended | Recommended | Recommended |
| Set up my tenant for Office 365 hybrid scenarios. | Recommended | Recommended | Recommended |
| Enable my users to sign in and access cloud services using their on-premises password. | Recommended | Recommended | Recommended |
| Implement single sign-on using corporate credentials. | Recommended | Recommended | Recommended |
| Ensure no password hashes are stored in the cloud. | | Recommended | Recommended |
| Enable cloud-based multi-factor authentication solutions. | Recommended | Recommended | Recommended |
| Enable on-premises multi-factor authentication solutions. | | | Recommended |
| Support smartcard authentication for my users.⁴ | | | Recommended |
| Display password expiry notifications in the Office Portal and on the Windows 10 desktop. | | | Recommended |

¹ Password hash synchronization with single sign-on.

² Pass-through authentication with single sign-on.

³ Federated single sign-on with AD FS.

⁴ AD FS can be integrated with your enterprise PKI to allow sign-in using certificates. These certificates can be soft certificates deployed via trusted provisioning channels such as MDM or GPO, smartcard certificates (including PIV/CAC cards), or Hello for Business (cert-trust). For more information about smartcard authentication support, see this blog.

License requirements for using Azure AD Connect

Using this feature is free and included in your Azure subscription.

Next Steps