Enterprise Agreement enrollment and Azure Active Directory tenants

Plan for enterprise enrollment

An Enterprise Agreement (EA) enrollment represents the commercial relationship between Microsoft and how your organization uses Azure. It provides the basis for billing across all your subscriptions and affects administration of your digital estate. Your EA enrollment is managed via the Azure EA portal. An enrollment often represents an organization's hierarchy, which includes departments, accounts, and subscriptions. This hierarchy represents cost-enrollment groups within an organization.

[Diagram: the Azure EA hierarchy]

Figure 1: An Azure EA enrollment hierarchy.

  • Departments help to segment costs into logical groupings and to set a budget or quota at the department level. The quota isn't enforced firmly and is used for reporting purposes.
  • Accounts are organizational units in the Azure EA portal. They can be used to manage subscriptions and access reports.
  • Subscriptions are the smallest unit in the Azure EA portal. They're containers for Azure services managed by the Service Administrator. They're where your organization deploys Azure services.
  • EA enrollment roles link users with their functional role. These roles are:
    • Enterprise Administrator
    • Department Administrator
    • Account Owner
    • Service Administrator
    • Notification Contact

Design considerations:

  • The enrollment provides a hierarchical organizational structure to govern the management of subscriptions.
  • Multiple environments can be separated at an EA-account level to support holistic isolation.
  • There can be multiple administrators appointed to a single enrollment.
  • Each subscription must have an associated Account Owner.
  • Each Account Owner will be made a subscription owner for any subscriptions provisioned under that account.
  • A subscription can belong to only one account at any given time.
  • A subscription can be suspended based on a specified set of criteria.

Design recommendations:

  • Only use the authentication type Work or school account for all account types. Avoid using the Microsoft account (MSA) account type.
  • Set up the Notification Contact email address to ensure notifications are sent to an appropriate group mailbox.
  • Assign a budget for each account, and establish an alert associated with the budget.
  • An organization can have a variety of structures, such as functional, divisional, geographic, matrix, or team structure. Use that structure to map your organization to your enrollment hierarchy.
  • Create a new department for IT if business domains have independent IT capabilities.
  • Restrict and minimize the number of Account Owners within the enrollment to avoid the proliferation of admin access to subscriptions and associated Azure resources.
  • If multiple Azure Active Directory (Azure AD) tenants are used, verify that the Account Owner is associated with the same tenant as where subscriptions for the account are provisioned.
  • Set up Enterprise Dev/Test and production environments at an EA account level to support holistic isolation.
  • Don't ignore notification emails sent to the Notification Contact email address. Microsoft sends important EA-wide communications to this account.
  • Don't move or rename an EA account in Azure AD.
  • Periodically audit the EA portal to review who has access, and avoid using a Microsoft account where possible.
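The recommendations above on Account Owners (work or school accounts only, a small number of owners, owners in the same tenant as their subscriptions, and a periodic access audit) can be turned into a repeatable check. The following is an added example, not code from the original page or from Microsoft: it audits a list of EA account records exported from the EA portal. The record layout, the consumer-domain list, and the owner threshold are assumptions for the example; the sample records and tenant IDs are constructed.

```python
"""Audit EA account owners against the design recommendations.

Assumed input: one record per EA account with its owner, the owner's
authentication type, the owner's home tenant and the tenants in which the
account's subscriptions live. This layout is an assumption for the example,
not the EA portal's export format.
"""

# Consumer domains that indicate a Microsoft account (MSA) rather than a
# work or school account. Illustrative list; extend it for your environment.
MSA_DOMAINS = {"outlook.com", "hotmail.com", "live.com", "msn.com"}

# Constructed sample export; tenant IDs are placeholders, not real tenants.
SAMPLE_ACCOUNTS = [
    {"account": "IT-Prod", "owner": "alice@contoso.com",
     "auth_type": "WorkOrSchool", "owner_tenant": "tenant-A",
     "subscription_tenants": ["tenant-A"]},
    {"account": "IT-DevTest", "owner": "bob@contoso.com",
     "auth_type": "WorkOrSchool", "owner_tenant": "tenant-A",
     "subscription_tenants": ["tenant-B"]},      # owner and subscriptions in different tenants
    {"account": "Finance", "owner": "carol_fin@outlook.com",
     "auth_type": "MicrosoftAccount", "owner_tenant": None,
     "subscription_tenants": ["tenant-A"]},      # Microsoft account used as owner
    {"account": "Marketing", "owner": "dave@contoso.com",
     "auth_type": "WorkOrSchool", "owner_tenant": "tenant-A",
     "subscription_tenants": ["tenant-A"]},
]


def is_msa(record):
    """True when the owner is a Microsoft account, by declared type or by domain."""
    domain = record["owner"].rsplit("@", 1)[-1].lower()
    return record["auth_type"] == "MicrosoftAccount" or domain in MSA_DOMAINS


def audit_enrollment(accounts, max_owners=3):
    """Return (account, finding, detail) tuples for every recommendation violated.

    max_owners is an assumed threshold for "restrict and minimize the number
    of Account Owners"; choose one that fits your enrollment.
    """
    findings = []
    for rec in accounts:
        if is_msa(rec):
            findings.append((rec["account"], "msa-owner", rec["owner"]))
        # Only compare tenants for work or school accounts; an MSA has no home tenant here.
        if rec["owner_tenant"]:
            mismatched = [t for t in rec["subscription_tenants"] if t != rec["owner_tenant"]]
            if mismatched:
                findings.append((rec["account"], "tenant-mismatch", ",".join(mismatched)))
    distinct_owners = {rec["owner"].lower() for rec in accounts}
    if len(distinct_owners) > max_owners:
        findings.append(("enrollment", "too-many-owners", str(len(distinct_owners))))
    return findings


if __name__ == "__main__":
    for account, finding, detail in audit_enrollment(SAMPLE_ACCOUNTS):
        print(f"{account}: {finding} ({detail})")
```

Run it on each periodic review of the EA portal; the `msa-owner` and `tenant-mismatch` findings map directly to the recommendations above, and `too-many-owners` is the signal to revisit who really needs Account Owner rights.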

Define Azure AD tenants

An Azure AD tenant provides identity and access management, which is an important part of your security posture. An Azure AD tenant ensures that authenticated and authorized users can reach only the resources for which they have been granted permissions. Azure AD provides these services to applications and services deployed in Azure, and also to services and applications deployed outside of Azure (such as on-premises or with third-party cloud providers).

Azure AD is also used by software as a service applications such as Microsoft 365 and Azure Marketplace. Organizations already using on-premises Active Directory can use their existing infrastructure and extend authentication to the cloud by integrating with Azure AD. Each Azure AD directory has one or more domains. A directory can have many subscriptions associated with it but only one Azure AD tenant.

Ask basic security questions during the Azure AD design phase, such as how your organization manages credentials and how it controls human, application, and programmatic access.

Design considerations:

  • Multiple Azure AD tenants can function in the same enrollment.

Design recommendations:

  • Use Azure AD seamless single sign-on based on the selected planning topology.
  • If your organization doesn't have an identity infrastructure, start by implementing an Azure-AD-only identity deployment. Such a deployment, with Azure AD Domain Services and Microsoft Enterprise Mobility + Security, provides end-to-end protection for SaaS applications, enterprise applications, and devices.
  • Multi-factor authentication provides another layer of security and a second barrier of authentication. Enforce multi-factor authentication and conditional access policies for all privileged accounts for greater security.
  • Plan and implement emergency access (break-glass) accounts to prevent tenant-wide account lockout.
  • Use Azure AD Privileged Identity Management for identity and access management.
  • If dev/test and production are going to be isolated environments from an identity perspective, separate them at a tenant level via multiple tenants.
  • Avoid creating a new Azure AD tenant unless there's a strong identity and access management justification and processes are already in place.
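Two of the recommendations above pull against each other: conditional access policies must enforce MFA for every privileged role, yet the emergency access (break-glass) accounts must stay outside those policies, or a policy mistake locks the whole tenant out. The following added example, not code from the original page or from Microsoft, checks both properties over a set of policy definitions. The policy dictionaries use the field names of the Microsoft Graph conditionalAccessPolicy resource (displayName, state, conditions.users, conditions.applications, grantControls), but they are constructed sample data rather than policies read from a tenant; the role and account IDs are placeholders, and in a real tenant you would substitute the directory role template IDs and the break-glass accounts' object IDs.

```python
"""Check conditional access policies for privileged-role MFA coverage and
break-glass exclusions.

SAMPLE_POLICIES is constructed for the example. Its shape follows the
Microsoft Graph conditionalAccessPolicy resource, but every ID below is a
placeholder, not a real role template ID or user object ID.
"""

# Placeholders for the break-glass (emergency access) accounts' object IDs.
BREAK_GLASS_IDS = {"placeholder-break-glass-1", "placeholder-break-glass-2"}

# Placeholders for the directory role template IDs you treat as privileged.
PRIVILEGED_ROLE_IDS = {
    "placeholder-role-global-admin",
    "placeholder-role-privileged-role-admin",
    "placeholder-role-security-admin",
}

SAMPLE_POLICIES = [
    {   # Correct: MFA for privileged roles, both break-glass accounts excluded.
        "displayName": "Require MFA for privileged roles",
        "state": "enabled",
        "conditions": {
            "users": {
                "includeUsers": [],
                "includeRoles": ["placeholder-role-global-admin",
                                 "placeholder-role-privileged-role-admin"],
                "excludeUsers": ["placeholder-break-glass-1", "placeholder-break-glass-2"],
            },
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Defect: reaches all users but excludes only one break-glass account.
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "includeRoles": [],
                      "excludeUsers": ["placeholder-break-glass-1"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # Report-only: cannot lock anyone out, so it is ignored by both checks.
        "displayName": "Pilot: require compliant device",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "includeRoles": [], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    },
]


def _users(policy):
    return policy.get("conditions", {}).get("users", {})


def _reaches_all_or_privileged(policy, role_ids):
    users = _users(policy)
    return ("All" in users.get("includeUsers", [])
            or bool(set(users.get("includeRoles", [])) & role_ids))


def policies_missing_break_glass_exclusion(policies, break_glass_ids, role_ids):
    """Names of enabled policies that reach all users or a privileged role
    without excluding every break-glass account."""
    flagged = []
    for policy in policies:
        if policy.get("state") != "enabled":
            continue  # report-only and disabled policies cannot enforce anything
        if not _reaches_all_or_privileged(policy, role_ids):
            continue
        excluded = set(_users(policy).get("excludeUsers", []))
        if not break_glass_ids <= excluded:
            flagged.append(policy["displayName"])
    return flagged


def privileged_roles_without_mfa(policies, role_ids):
    """Privileged roles not covered by an enabled, all-applications MFA policy."""
    covered = set()
    for policy in policies:
        if policy.get("state") != "enabled":
            continue
        apps = policy.get("conditions", {}).get("applications", {}).get("includeApplications", [])
        controls = policy.get("grantControls", {}).get("builtInControls", [])
        if "All" not in apps or "mfa" not in controls:
            continue  # scoped to some apps, or not an MFA grant
        users = _users(policy)
        if "All" in users.get("includeUsers", []):
            covered |= role_ids  # an all-users MFA policy covers every role
        covered |= set(users.get("includeRoles", []))
    return role_ids - covered


if __name__ == "__main__":
    print("lockout risk:", policies_missing_break_glass_exclusion(
        SAMPLE_POLICIES, BREAK_GLASS_IDS, PRIVILEGED_ROLE_IDS))
    print("roles without MFA:", privileged_roles_without_mfa(SAMPLE_POLICIES, PRIVILEGED_ROLE_IDS))
```

The second policy is reported because it would apply to the second break-glass account, and the security administrator role is reported because no enabled MFA policy includes it. The all-users branch in `privileged_roles_without_mfa` deliberately ignores user exclusions other than break-glass accounts; if you exclude groups from an all-users MFA policy, extend the check to resolve those groups before treating the roles as covered.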