Hybrid identity and directory synchronization for Microsoft 365

This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.

Depending on your business needs and technical requirements, the hybrid identity model and directory synchronization are the most common choice for enterprise customers who are adopting Microsoft 365. Directory synchronization allows you to manage identities in your Active Directory Domain Services (AD DS), and all updates to user accounts, groups, and contacts are synchronized to the Azure Active Directory (Azure AD) tenant of your Microsoft 365 subscription.

Note

When AD DS user accounts are synchronized for the first time, they are not automatically assigned a Microsoft 365 license and cannot access Microsoft 365 services, such as email. You must first assign them a usage location. Then, assign a license to these user accounts, either individually or dynamically through group membership.

Authentication for hybrid identity

There are two types of authentication when using the hybrid identity model:

  • Managed authentication

    Azure AD handles the authentication process by using a locally stored hashed version of the password, or sends the credentials to an on-premises software agent to be authenticated by the on-premises AD DS.

  • Federated authentication

    Azure AD redirects the client computer requesting authentication to another identity provider.

Managed authentication

There are two types of managed authentication:

  • Password hash synchronization (PHS)

    Azure AD performs the authentication itself.

  • Pass-through authentication (PTA)

    Azure AD has AD DS perform the authentication.

Password hash synchronization (PHS)

With PHS, you synchronize your AD DS user accounts with Microsoft 365 and manage your users on-premises. Hashes of user passwords are synchronized from your AD DS to Azure AD so that the users have the same password on-premises and in the cloud. This is the simplest way to enable authentication for AD DS identities in Azure AD.

Figure: Password hash synchronization (PHS)

When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The user passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected.

See Choosing the right authentication method to learn more.

Pass-through authentication (PTA)

PTA provides simple password validation for Azure AD authentication services, using a software agent running on one or more on-premises servers to validate users directly against your AD DS. With PTA, you synchronize AD DS user accounts with Microsoft 365 and manage your users on-premises.

Figure: Pass-through authentication (PTA)

PTA allows your users to sign in to both on-premises and Microsoft 365 resources and applications using their on-premises account and password. This configuration validates user passwords directly against your on-premises AD DS without storing password hashes in Azure AD.

PTA is also for organizations with a security requirement to immediately enforce on-premises user account states, password policies, and logon hours.

See Choosing the right authentication method to learn more.

Federated authentication

Federated authentication is primarily for large enterprise organizations with more complex authentication requirements. AD DS identities are synchronized with Microsoft 365, and user accounts are managed on-premises. With federated authentication, users have the same password on-premises and in the cloud, and they do not have to sign in again to use Microsoft 365.

Federated authentication can support additional authentication requirements, such as smartcard-based authentication or third-party multi-factor authentication, and is typically required when organizations have an authentication requirement not natively supported by Azure AD.

See Choosing the right authentication method to learn more.

Third-party authentication and identity providers

On-premises directory objects may be synchronized to Microsoft 365 while cloud resource access is primarily managed by a third-party identity provider (IdP). If your organization uses a third-party federation solution, you can configure sign-on with that solution for Microsoft 365, provided that the third-party federation solution is compatible with Azure AD.

See the Azure AD federation compatibility list to learn more.

AD DS preparation

To help ensure a seamless transition to Microsoft 365 by using synchronization, you must prepare your AD DS forest before you begin your Microsoft 365 directory synchronization deployment.

Your directory preparation should focus on the following tasks:

  • Remove duplicate proxyAddress and userPrincipalName attributes.

  • Update blank and invalid userPrincipalName attributes with valid userPrincipalName attributes.

  • Remove invalid and questionable characters in the givenName, surname (sn), sAMAccountName, displayName, mail, proxyAddresses, mailNickname, and userPrincipalName attributes. For details about preparing attributes, see List of attributes that are synced by the Azure Active Directory Sync Tool.

    Note

    These are the same attributes that Azure AD Connect synchronizes.
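The three clean-up tasks above, as an added example that is not part of the original article: a Python check over a constructed export of AD DS user attributes that flags duplicate userPrincipalName and proxyAddresses values, blank or invalid userPrincipalName values, and questionable characters or stray whitespace in the listed attributes. The UPN pattern and the set of rejected characters are simplified assumptions for illustration, not the product's full validation rules; the sample accounts and the contoso.example domain are constructed.

```python
import re
# Attributes the article lists as needing clean-up before directory synchronization.
CHECKED_ATTRS = ["givenName", "sn", "sAMAccountName", "displayName",
                 "mail", "proxyAddresses", "mailNickname", "userPrincipalName"]
# Assumed, simplified rules for this example, not the product's full validation.
UPN_RE = re.compile(r"^[A-Za-z0-9.\-_!#^~']+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
BAD_CHARS_RE = re.compile(r"[\x00-\x1f<>()\[\];,\"\\]")

# Constructed sample export (as from Get-ADUser | Export-Csv); not real directory data.
SAMPLE_USERS = [
    {"sAMAccountName": "aadams", "userPrincipalName": "aadams@contoso.example",
     "mail": "aadams@contoso.example", "proxyAddresses": ["SMTP:aadams@contoso.example"],
     "givenName": "Alice", "sn": "Adams", "displayName": "Alice Adams", "mailNickname": "aadams"},
    {"sAMAccountName": "bbaker", "userPrincipalName": "",  # blank UPN
     "mail": "bbaker@contoso.example", "proxyAddresses": ["SMTP:bbaker@contoso.example"],
     "givenName": "Bob", "sn": "Baker ", "displayName": "Bob Baker", "mailNickname": "bbaker"},
    {"sAMAccountName": "ccarter", "userPrincipalName": "AAdams@contoso.example",  # collides with aadams
     "mail": "ccarter@contoso.example",
     "proxyAddresses": ["SMTP:ccarter@contoso.example", "smtp:aadams@contoso.example"],
     "givenName": "Carol", "sn": "Carter", "displayName": "Carol <Carter>", "mailNickname": "ccarter"},
]

def check_users(users):
    """Return (sAMAccountName, problem_code, detail) tuples for every defect found."""
    problems = []
    upn_owners, proxy_owners = {}, {}  # lower-cased value -> first account that used it
    for u in users:
        name = u["sAMAccountName"]
        upn = u.get("userPrincipalName", "").strip()
        if not upn:
            problems.append((name, "blank-upn", ""))
        elif not UPN_RE.match(upn):
            problems.append((name, "invalid-upn", upn))
        if upn.lower() in upn_owners:  # AD DS compares UPNs case-insensitively
            problems.append((name, "duplicate-upn", f"shared with {upn_owners[upn.lower()]}"))
        elif upn:
            upn_owners[upn.lower()] = name
        for addr in u.get("proxyAddresses", []):
            if addr.lower() in proxy_owners:
                problems.append((name, "duplicate-proxyaddress", f"{addr} shared with {proxy_owners[addr.lower()]}"))
            else:
                proxy_owners[addr.lower()] = name
        for attr in CHECKED_ATTRS:
            values = u.get(attr, [])
            for v in ([values] if isinstance(values, str) else values):
                if v != v.strip():  # stray whitespace is a common sync blocker
                    problems.append((name, "whitespace", f"{attr}={v!r}"))
                if BAD_CHARS_RE.search(v):
                    problems.append((name, "invalid-char", f"{attr}={v!r}"))
    return problems
```

Running `check_users(SAMPLE_USERS)` reports nothing for aadams, a blank UPN and a trailing space in sn for bbaker, and a duplicate UPN, a duplicate proxy address and an invalid displayName character for ccarter.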

Multi-forest deployment considerations

For multiple forests and SSO options, use a custom installation of Azure AD Connect.

If your organization has multiple forests for authentication (logon forests), we highly recommend the following:

  • Consider consolidating your forests. In general, there is more overhead required to maintain multiple forests. Unless your organization has security constraints that dictate the need for separate forests, consider simplifying your on-premises environment.
  • Use only your primary logon forest. Consider deploying Microsoft 365 only in your primary logon forest for your initial rollout of Microsoft 365.

If you can't consolidate your multi-forest AD DS deployment or are using other directory services to manage identities, you may be able to synchronize these with the help of Microsoft or a partner.

See Topologies for Azure AD Connect for more information.

Features that are dependent on directory synchronization

Directory synchronization is required for the following features and functionality:

  • Azure AD Seamless Single Sign-On (SSO)
  • Skype coexistence
  • Exchange hybrid deployment, including:
    • Fully shared global address list (GAL) between your on-premises Exchange environment and Microsoft 365.
    • Synchronizing GAL information from different mail systems.
    • The ability to add users to and remove users from Microsoft 365 service offerings. This requires the following:
      • Two-way synchronization must be configured during directory synchronization setup. By default, directory synchronization tools write directory information only to the cloud. When you configure two-way synchronization, you enable write-back functionality so that a limited number of object attributes are copied from the cloud and then written back to your local AD DS. Write-back is also referred to as Exchange hybrid mode.
      • An on-premises Exchange hybrid deployment.
    • The ability to move some user mailboxes to Microsoft 365 while keeping other user mailboxes on-premises.
    • Safe senders and blocked senders on-premises are replicated to Microsoft 365.
    • Basic delegation and send-on-behalf-of email functionality.
    • You have an integrated on-premises smart card or multi-factor authentication solution.
  • Synchronization of photos, thumbnails, conference rooms, and security groups

Next step

When you are ready to deploy hybrid identity, see Prepare for directory synchronization.