Set up directory synchronization for Microsoft 365

This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.

Microsoft 365 uses an Azure Active Directory (Azure AD) tenant to store and manage identities for authentication and for permissions to access cloud-based resources.

If you have an on-premises Active Directory Domain Services (AD DS) domain or forest, you can synchronize your AD DS user accounts, groups, and contacts with the Azure AD tenant of your Microsoft 365 subscription. This is hybrid identity for Microsoft 365. Here are its components.

[Figure: The components of directory synchronization for Microsoft 365]

Azure AD Connect runs on an on-premises server and synchronizes your AD DS with the Azure AD tenant. Along with directory synchronization, you can also specify one of these authentication options:

  • Password hash synchronization (PHS)

    Azure AD performs the authentication itself.

  • Pass-through authentication (PTA)

    Azure AD has AD DS perform the authentication.

  • Federated authentication

    Azure AD refers the client computer requesting authentication to another identity provider.

See Hybrid identities for more information.

1. Review prerequisites for Azure AD Connect

You get a free Azure AD subscription with your Microsoft 365 subscription. When you set up directory synchronization, you install Azure AD Connect on one of your on-premises servers.

For Microsoft 365, you'll need to:

  • Verify your on-premises domain. The Azure AD Connect wizard guides you through this.
  • Obtain the user names and passwords for the admin accounts of your Microsoft 365 tenant and of your AD DS.

For the on-premises server on which you install Azure AD Connect, you'll need:

Server OS: Windows Server 2012 R2 and later
Other software:
  • PowerShell is installed by default; no action is required.
  • .NET 4.5.1 and later releases are offered through Windows Update. Make sure you have installed the latest updates to Windows Server in the Control Panel.

Server OS: Windows Server 2008 R2 with Service Pack 1 (SP1)** or Windows Server 2012
Other software:
  • The latest version of PowerShell is available in Windows Management Framework 4.0. Search for it on the Microsoft Download Center.
  • .NET 4.5.1 and later releases are available on the Microsoft Download Center.

Server OS: Windows Server 2008
Other software:
  • The latest supported version of PowerShell is available in Windows Management Framework 3.0, available on the Microsoft Download Center.
  • .NET 4.5.1 and later releases are available on the Microsoft Download Center.

See Prerequisites for Azure Active Directory Connect for the details of the hardware, software, account and permission requirements, the SSL certificate requirements, and the object limits for Azure AD Connect.

You can also review the Azure AD Connect version release history to see what is included and fixed in each release.
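The following pre-flight script is an added example, not part of the original article; run it in an elevated Windows PowerShell session on the server you intend to install Azure AD Connect on. It checks the three requirements from the table above (Windows Server 2008 R2 SP1 or later, PowerShell from WMF 3.0/4.0 or later, .NET Framework 4.5.1 or later) and uses only Windows PowerShell 2.0-compatible syntax so it also runs on an unpatched Windows Server 2008 host.

```powershell
# Added example: Azure AD Connect server pre-flight check (not Microsoft's own tooling).
# Thresholds are taken from the prerequisites table: Server 2008 R2 SP1+, PowerShell 3.0+, .NET 4.5.1+.

$results = @()

# Operating system: Win32_OperatingSystem.BuildNumber is "7601" for Server 2008 R2 SP1,
# "9200" for Server 2012, "9600" for Server 2012 R2. ProductType 1 = workstation, 2 = DC, 3 = server.
$os = Get-WmiObject -Class Win32_OperatingSystem
$isServerSku = [int]$os.ProductType -ne 1
$results += New-Object PSObject -Property @{
    Check  = 'Windows Server 2008 R2 SP1 or later'
    Value  = "$($os.Caption) (build $($os.BuildNumber))"
    Passed = ($isServerSku -and ([int]$os.BuildNumber -ge 7601))
}

# PowerShell: WMF 3.0 ships PowerShell 3.0 and WMF 4.0 ships PowerShell 4.0.
$psVersion = $PSVersionTable.PSVersion
$results += New-Object PSObject -Property @{
    Check  = 'PowerShell 3.0 or later'
    Value  = $psVersion.ToString()
    Passed = ($psVersion.Major -ge 3)
}

# .NET Framework 4.x is detected through the "Release" DWORD under NDP\v4\Full.
# 378675 is the lowest Release value that corresponds to .NET Framework 4.5.1.
$ndpKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndpKey -Name Release -ErrorAction SilentlyContinue).Release
$results += New-Object PSObject -Property @{
    Check  = '.NET Framework 4.5.1 or later'
    Value  = $(if ($release) { "Release $release" } else { 'not installed' })
    Passed = ([int]$release -ge 378675)
}

$results | Select-Object Check, Value, Passed | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Passed })
if ($failed.Count -gt 0) {
    Write-Warning "Fix the failed prerequisites before running the Azure AD Connect installer."
} else {
    Write-Host "All prerequisites from the table are met; also confirm the latest Windows updates are installed."
}
```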

2. Install Azure AD Connect and configure directory synchronization

Before you begin, make sure you have:

  • The user name and password of a Microsoft 365 global admin
  • The user name and password of an AD DS domain administrator
  • Decided which authentication method to use (PHS, PTA, or federated)
  • Decided whether you want to use Azure AD Seamless Single Sign-on (SSO)

Follow these steps:

  1. Sign in to the Microsoft 365 admin center (https://admin.microsoft.com) and choose Users > Active users in the left navigation.

  2. On the Active users page, choose More (three dots) > Directory synchronization.

  3. On the Azure Active Directory preparation page, select the Go to the Download center to get the Azure AD Connect tool link to get started.

  4. Follow the steps in the Azure AD Connect and Azure AD Connect Health installation roadmap.
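Once the installer has finished, the following added example (not part of the original article or the installation roadmap) verifies the outcome from both sides. Part 1 assumes it runs on the Azure AD Connect server, where the installer adds the ADSync module; part 2 assumes the MSOnline module is installed and the Microsoft 365 global admin account from the checklist is used to sign in, and `user@example.com` is a placeholder for a real synchronized user.

```powershell
# Added example: post-installation verification of Azure AD Connect directory synchronization.

# --- Part 1: on the Azure AD Connect server (ADSync module installed by Azure AD Connect) ---
Import-Module ADSync

# The scheduler shows whether automatic synchronization is enabled, the interval,
# and when the next cycle starts. SyncCycleEnabled = $false means nothing is syncing.
$scheduler = Get-ADSyncScheduler
$scheduler | Select-Object SyncCycleEnabled, CurrentlyEffectiveSyncCycleInterval,
                           NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC, StagingModeEnabled

# Two connectors are expected: the on-premises AD DS forest and the Azure AD tenant.
Get-ADSyncConnector | Select-Object Name, ConnectorTypeName

# Kick off a delta sync now so the tenant-side checks below reflect current data,
# unless a cycle is already running.
if (-not $scheduler.SyncCycleInProgress) {
    Start-ADSyncSyncCycle -PolicyType Delta
}

# --- Part 2: from the tenant side (MSOnline module, global admin sign-in) ---
Import-Module MSOnline
Connect-MsolService   # prompts for the Microsoft 365 global admin credentials

# DirectorySynchronizationEnabled and LastDirSyncTime confirm that Azure AD is receiving
# objects; PasswordSynchronizationEnabled shows whether PHS is active for the tenant.
Get-MsolCompanyInformation |
    Select-Object DirectorySynchronizationEnabled, LastDirSyncTime,
                  PasswordSynchronizationEnabled, LastPasswordSyncTime

# Per-domain authentication: Managed means Azure AD handles sign-in itself (PHS or PTA);
# Federated means Azure AD refers clients to another identity provider. Status should be Verified.
Get-MsolDomain | Select-Object Name, Status, Authentication

# Spot-check one synchronized account: a populated ImmutableId and LastDirSyncTime
# show it originated from AD DS rather than being created in the cloud.
Get-MsolUser -UserPrincipalName 'user@example.com' |   # placeholder UPN, replace with a real one
    Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime
```

If LastDirSyncTime stays empty after a full cycle interval, check the scheduler output from part 1 and the Synchronization Service Manager on the Azure AD Connect server before assigning licenses.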

3. Finish setting up domains

Follow the steps in Create DNS records for Microsoft 365 when you manage your DNS records to finish setting up your domains.

Next step

Assign licenses to user accounts