單一登入與混合式部署Single sign-on with hybrid deployments

單一登入功能可讓使用者存取內部部署和 Office 365 組織與單一使用者名稱和密碼。它提供使用者熟悉的登入體驗並可供系統管理員可以輕易地控制帳戶原則 Exchange Online 組織信箱使用內部部署 Active Directory 管理工具。雖然您不需要設定混合式部署搭配單一登入已啟用,我們強烈建議您執行動作。不使用單一登入,使用者必須記住兩組不同的認證、 另一個適用於內部部署組織與 Office 365 的其中一個。以下是一些其他的優點單一登入:Single sign-on enables users to access both the on-premises and Office 365 organizations with a single user name and password. It provides users with a familiar sign-on experience and can allow administrators to easily control account policies for Exchange Online organization mailboxes by using on-premises Active Directory management tools. While you don't have to configure a hybrid deployment with single sign-on enabled, we strongly recommend that you do. Without single sign-on, users will need to remember two different sets of credentials, one for your on-premises organization, and one for Office 365. Here are a few other advantages to single sign-on:

  • Exchange Online 封存單一登入部署時,內部 Outlook 提示使用者輸入認證存取封存的內容中第一次的 Exchange Online 組織時。不過,使用者可以然後暫時避免未來認證提示選擇"儲存密碼"並再將只會提示輸入認證再次其內部部署帳戶密碼變更時。如果單一登入不部署中部署 Exchange 組織與 Exchange Online 封存啟用、 內部部署使用者主要名稱 (UPN) 必須符合其 Exchange Online 的帳戶及永遠提示其內部部署使用者認證時存取其封存。Exchange Online Archiving When single sign-on is deployed, on-premises Outlook users are prompted for their credentials when accessing archived content in the Exchange Online organization for the first time. However, users can then temporarily avoid future credential prompting by choosing "save password" and then will only be prompted for credentials again when their on-premises account password is changed. If single sign-on isn't deployed in Exchange organizations and Exchange Online Archiving is enabled, the on-premises user principal name (UPN) must match their Exchange Online account and users will always be prompted for their on-premises credentials when accessing their archive.

  • 原則控制您可以透過控制帳戶原則 Active Directory,讓您能夠管理密碼原則、 工作站限制、 鎖定延展控制項及詳細資訊,而不需要在 Office 365 組織中執行其他工作。Policy control You can control account policies through Active Directory, which gives you the ability to manage password policies, workstation restrictions, lock-out controls, and more, without having to perform additional tasks in your Office 365 organization.

  • 降低支援通話遺忘的密碼是在公司中所有的支援呼叫的常見來源。如果使用者具有較少的密碼,請記得,則它們會幾乎忘記它們。Reduced support calls Forgotten passwords are a common source of support calls in all companies. If users have fewer passwords to remember, they are less likely to forget them.

單一登入部署時,您有幾個選項: 密碼同步處理與 Active Directory Federation Services (AD FS)。由 Azure [Active Directory 連線提供這兩個選項。我們強烈建議使用密碼同步處理方法除非有需要的特定需要 AD FS。密碼同步處理提供許多沒有其部署複雜性的 AD FS 的相同的優點。下表提供一些常見有其優缺點每個選項。You have a couple of options when deploying single sign-on: password synchronization and Active Directory Federation Services (AD FS). Both options are provided by Azure Active Directory Connect. We strongly recommend using the password synchronization method unless you have a specific need that requires AD FS. Password synchronization provides many of the same benefits of AD FS without the complexity of its deployment. The following table provides some common advantages and disadvantages for each option.


根據預設,如果您部署 AD FS,而網際網路因為任何原因無法連線到您的內部部署 AD FS 伺服器,Office 365 會切換使用密碼同步處理來驗證使用者。這樣一來,即使您的內部部署無法使用,也能讓具備 Office 365 信箱的使用者繼續不中斷地工作。 By default, if you deploy AD FS and your on-premises AD FS servers aren't reachable from the Internet for any reason, Office 365 will fall back to password synchronization to authenticate users. This allows users with Office 365 mailboxes to continue working uninterrupted even if your on-premises servers aren't available.

若要深入了解每個選項,請參閱Azure AD 連線的使用者登入選項To learn more about each option, see Azure AD Connect User Sign-on options.

| |

單一登入方法Single sign-on method 優點Advantages 缺點Disadvantages
密碼同步處理 (建議選項)Password synchronization (recommended)
明顯沒有 AD FS 那麼複雜Significantly less complex than AD FS
即使您的內部部署 Active Directory 無法使用,使用者還是可以登入 Office 365。Users can log in to Office 365 even if your on-premises Active Directory is unavailable.
部署密碼同步處理需要較少的其他伺服器。Fewer additional servers are required to deploy password synchronization.
不需要協力廠商憑證。No third-party certificates are required.
不需要透過 AD FS 從外部存取您的內部部署 Active Directory。Doesn't require external access to your on-premises Active Directory via AD FS.
通常可以在幾小時內完成部署。Deployment can often be completed in just a few hours.
停用內部部署 Active Directory 中的使用者帳戶並不會在 Office 365 中停用它。您必須在 Office 365 管理入口網站中手動停用帳戶。Disabling a user account in your on-premises Active Directory doesn't disable it in Office 365. You need to manually disable the account in the Office 365 Admin portal.
需要內部部署 Active Directory。不支援其他目錄服務。Requires on-premises Active Directory. Other directory services aren't supported.
密碼變更會立刻生效。Password changes are immediate.
停用內部部署 Active Directory 中的使用者會同時停用其內部部署網路存取和其 Office 365 帳戶。Disabling a user in your on-premises Active Directory disables both their on-premises network access and their Office 365 account.
支援 Active Directory 以外的目錄服務。Supports directory services other than Active Directory.
支援非常龐大且不同的部署。Supports very large and diverse deployments.
支援雙重要素驗證。Support for two-factor authentication.
需要更多伺服器,其中至少一個必須位於您的周邊網路。Requires more servers, at least one of which needs to reside in your perimeter network.
需要公用 IP 位址和 TCP 連接埠 443 都必須能夠在您的防火牆上開啟。Requires a public IP address and TCP port 443 to be opened on your firewall.
若要偵測帳戶密碼變更或近期曾啟用或停用帳戶,必須要具備與內部部署 Active Directory 的連線能力。Connectivity with your on-premises Active Directory is required to detect changes to account passwords and with an account has recently been enabled or disabled.