SharePoint Migration Identity Mapping Tool

Use the Identity Mapping feature of the SharePoint Migration Assessment Tool to assist in your identity migration.

Note

To download the SharePoint Migration Tool, select: Download the SharePoint Migration Assessment Tool

Introduction

Identity Migration is the process of mapping identities from the SharePoint on-premises environment to the target-state Azure AD.

Identity Mapping

Since user and group synchronization from AD to Azure AD is new to many customers, it is essential to assign appropriate resources. Perform all internal planning and execute all identity migration-related tasks in unison with your overall on-premises migration plan.

The identity project's most important goal is verification that all needed users and groups are synchronized to Azure Active Directory. If you migrate without doing this analysis first, users could lose access to content.

Reference this document for information about the process, roles and responsibilities, artifacts, and controls associated with the One-time Identity Migration process.

Overview

The goal of the identity migration is to synchronize all possible users and to disposition any remaining unmapped records with a justification as to why they are not synchronized. This synchronization and disposition process must be complete prior to preparation of user acceptance testing, which is Dry Run 1. All unmapped records must have a valid justification and be approved by the Microsoft project team.

Run three different scans to perform identity mapping:

Process

Use this process for users and groups that have access to SharePoint, as found in the FullIdentityReport.csv report.

Care should be taken to ensure all required users and groups are included in the Azure AD synchronization. If SharePoint content is owned by users who have not been migrated, their user permissions will not be migrated.

The goal is to synchronize 100% of the identities that have access to the source SharePoint environment, or to provide a reason for any identity that is not synchronized.

Initial preparation of all users and groups is needed to determine which users and groups to migrate.

  • Ideally, all users and groups will have TypeOfMatch set to ExactMatch or PartialMatch.

  • If there are exceptions, make notes in the MappingRationale field of the FullIdentityReport.csv file for tracking purposes.

Steps:

  1. Download the assessment tool to a computer in your SharePoint farm. To download, go here: SharePoint Migration Assessment Tool

  2. Provide consent to allow the tool to access your Azure Active Directory.

  3. Run: SMAT.exe -GenerateIdentityMapping

  4. Open FullIdentityReport.csv in Excel.

  5. Filter on TypeOfMatch = NoMatch. These users and groups will not have access to content post migration. For example, contoso\johndoe is listed as NoMatch and ACLExists is True. Post migration, any content that contoso\johndoe had access to on the source will not be accessible to that account. A site owner will need to add contoso\johndoe's Azure AD account back into permissions to resolve the issue.

  6. Filter on TypeOfMatch = PartialMatch. Ensure the matches found are correct. Partial matches can be incorrect if multiple people have the same display name or the User Principal Names changed from the source to the target.

  7. Build a plan to remediate the gaps. For example, if you are using Windows identities and there are users and groups that have TypeOfMatch set to NoMatch or PartialMatch, you will typically want to sync those additional users and groups to Azure AD and then rerun the identity mapping process.

  8. Sync additional users and groups to Azure AD.

  9. Repeat until you get a FullIdentityReport.csv that properly represents your expectations post migration.

Pre-flight validation checks

The tool performs a pre-flight validation check to ensure the operator has access to Azure Active Directory. Access to Azure Active Directory is required to perform the identity mapping process.

When prompted, enter Azure AD credentials. If needed, the logon prompt will ask for consent. Azure tenant admin consent is required for this application to read Azure Active Directory.

If your sign-in fails or you are unable to provide consent, you will see the following failure:

(Screenshot: MigrationScanAssessmentTool consent error)

If you say no at the prompt, the tool will exit without performing any identity mapping scans.

If you choose to continue with the Identity Mapping process, you will receive one more prompt when the Azure Active Directory scan runs. If you are unable to authenticate or provide consent at that point, the Azure Active Directory scan will fail. You will still receive the reports, but mapping will not be performed. The resulting output is representative of all the identities that have access to the source SharePoint environment.

Configuration File

The identity mapping scans can be configured in the ScanDef.json file. This file is located in the same directory as SMAT.exe.

To generate the Identity Mapping Reports, you need to consent to allow the assessment tool to read your Azure AD directory. There are two methods available.

Option 1: Run the assessment tool with the -ConfigureIdentityMapping switch.

This option gives the assessment tool access to your tenant's Enterprise Applications section. It allows anyone in your tenant to run the tool to perform identity mapping for migration to Microsoft 365.

  1. Download the assessment tool from here: SharePoint Migration Assessment Tool

  2. Run: SMAT.exe -ConfigureIdentityMapping

    Note

    It is not required to run this step on the SharePoint environment. You can run the above command on any machine that has access to the Azure tenant.

  3. When prompted with the Azure sign-in dialog, enter your Azure tenant admin credentials.

  4. When prompted for consent, select Accept.

  5. The SMAT.exe application will indicate that the application was successfully registered. A SharePoint admin is now able to run the identity mapping process.

    (Screenshot: identity mapping at the command prompt)

Option 2: Run the assessment tool as a user with Azure Tenant Admin rights.

It is possible for a user with Azure tenant admin rights to run the tool and provide consent only for themselves.

  1. Download the assessment tool from here: SharePoint Migration Assessment Tool

  2. At the command line, run SMAT.exe -GenerateIdentityMapping

  3. When prompted with the Azure sign-in dialog, enter your Azure Tenant Admin credentials.

  4. When prompted for consent, select OK. This only consents the app for the sign-in provided.

  5. The identity mapping will run and generate the needed reports.

Follow the steps below to remove consent for the SharePoint Identity Mapping Application from your Azure Tenant. Once these steps have been performed, it will be necessary to provide consent the next time you run the identity mapping process.

  1. Browse to https://portal.azure.com

  2. Log in as an organization admin.

  3. Locate Enterprise applications.

  4. Select All applications.

  5. In the list of applications, select SharePoint Identity Mapping Tool, and then select Delete.

Reports generated

Two reports are generated by the -GenerateIdentityMapping switch. Each report is used as part of the identity mapping process.

Both reports indicate users granted permissions to SharePoint content.

FullIdentityReport.csv

The FullIdentityReport.csv contains a dump of all the identity data discovered about the users and groups that were listed as active in the SharePoint environment. The purpose of this report is to understand all the users and groups that have access to SharePoint and whether those identities have an associated Azure AD identity.

If the identity is not found in Active Directory, the Active Directory fields will be empty. The FoundInAD field will be False and ReasonNotFoundInAD will contain a reason code.

If the identity is not found in Azure Active Directory, the Azure Active Directory fields will be empty. The FoundInAzureAD field will be False and ReasonNotFoundInAzureAD will contain a reason code.

| Column name | Source | Description |
| --- | --- | --- |
| UniqueID | SharePoint | For Windows accounts this will be a Security Identifier (SID). For non-Windows accounts, this will be the claim used to ACL SharePoint. |
| TypeOfMatch | Assessment Tool | ExactMatch: the source identity is a Windows account and the SID in SharePoint was matched to the OnPremisesSecurityIdentifier in Azure AD. PartialMatch: the match was based on UserPrincipalName, Email, or Display Name; for groups, partial matching is done on Display Name only. NoMatch: unable to match the identity against any information. |
| IsGroup | SharePoint | True if the identity is a group. |
| ACLExists | SharePoint | True if the identity is associated with permissions in SharePoint, which indicates the identity has access to some piece of content. |
| MySiteExists | SharePoint | True if the identity is a user and that user has a My Site/OneDrive associated with their profile. |
| ClaimType | SharePoint | Type of claim authentication mode associated with the identity. One of: Classic (classic Windows accounts; no claims are involved and the user was ACL'ed using a Windows Security Identifier [SID]); Windows (Windows claims); TrustedSTS (SAML claim provider); Forms (forms authentication); ASPNetMembership (.NET Membership provider); ASPNetRole (.NET Role provider); ClaimProvider (claims-based provider); LocalSTS (local SharePoint Token Service). See https://social.technet.microsoft.com/wiki/contents/articles/13921.sharepoint-20102013-claims-encoding.aspx |
| SharePointLoginName | SharePoint | Login name associated with the identity found in SharePoint. |
| SharePointDisplayName | SharePoint | Display name associated with the identity found in SharePoint. |
| SharePointProfileEmail | SharePoint | Email address associated with the user. Only populated if the identity is a user, the user has a SharePoint profile, and that profile has an email set. |
| ActiveDirectoryDisplayName | Active Directory | Display name found in Active Directory. |
| ActiveDirectoryDomain | Active Directory | Domain name in which the identity was located. |
| SamAccountName | Active Directory | Account name for the identity. Empty for groups. |
| GroupType | Active Directory | Type of group. Empty for users. |
| GroupMemberCount | Active Directory | Number of members in the group. Nested group membership is not expanded: a group that contains 3 other groups shows as 3. Empty for users. |
| DistinguishedName | Active Directory | The distinguished name associated with the identity in Active Directory. Example: CN=Bob Smith,OU=UserAccounts,DC=contoso,DC=com |
| AccountEnabled | Active Directory | True if the account is enabled in Active Directory. Empty for groups. |
| LastLoginTimeInAD | Active Directory | Date and time the user account last logged into Active Directory. This does not indicate the logon was associated with SharePoint, but can be used to determine whether this is an active user account. Empty for groups. |
| FoundInAD | Active Directory | True if the identity was found in Active Directory. |
| ReasonNotFoundInAD | Active Directory | Reason why the account was not found in Active Directory. One of: BadCredentials (the username/password provided was invalid for the domain); DomainSidMatchNotFound (the SID found in SharePoint has a domain SID that does not match any of the located domains); InvalidSecurityIdentifier (the SID found in SharePoint is invalid); OnPremisesSidTranslationFailed (the SID appeared to be invalid, a forced translation was attempted and failed); UnableToConnect (unable to connect to the domains); UnableToDetermine (unable to determine the AD properties returned from the domain); UnknownException (an unexpected error occurred; details are logged in the SMAT.log file); UserNotFoundInRemoteAd (a valid domain was found, but the identity could not be located using the SID). Empty if FoundInAD is True. |
| AzureObjectID | Active Directory | Object ID of the identity in Azure AD. |
| AzureUserPrincipalName | Active Directory | User principal name of the identity. Only populated for users. |
| AzureDisplayName | Active Directory | Display name associated with the identity in Azure AD. |
| FoundInAzureAD | Active Directory | True if the identity was located in Azure AD. |
| ReasonNotFoundInAzureAD | Active Directory | The reason why the account was not found in Azure Active Directory. One of: PrincipalNotFound (unable to locate the identity in Azure AD); AdalExceptionFound (authentication failure to Azure AD); UnknownException (an unexpected error occurred; details will be in the SMAT.log file). Empty if FoundInAzureAD is True. |
| MappingRationale | Active Directory | Use this open notes field to track unmapped users. |
| SanID | Assessment Tool | Unique identifier of a particular execution of the identity mapping process. Each time you run the tool, it generates a distinct ID. |
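
The triage that steps 5 to 9 describe (find NoMatch identities that still hold permissions, check PartialMatch rows for duplicate display names, and confirm every unmapped record carries a MappingRationale) can be scripted against the FullIdentityReport.csv columns documented above. The following is an added example, not part of SMAT; the sample rows, SIDs and names are constructed, and only a subset of the report's columns is included.

```python
import csv
import io
from collections import Counter

# Constructed sample in the FullIdentityReport.csv layout (subset of columns);
# the SIDs, names and UPNs below are made up for this example.
SAMPLE_REPORT = """\
UniqueID,TypeOfMatch,IsGroup,ACLExists,SharePointDisplayName,AzureUserPrincipalName,MappingRationale
S-1-5-21-1-2-3-1001,ExactMatch,False,True,Alice Adams,alice@contoso.onmicrosoft.com,
S-1-5-21-1-2-3-1002,PartialMatch,False,True,Bob Smith,bob.smith@contoso.onmicrosoft.com,
S-1-5-21-1-2-3-1003,PartialMatch,False,True,Bob Smith,bsmith2@contoso.onmicrosoft.com,
S-1-5-21-1-2-3-1004,NoMatch,False,True,John Doe,,
S-1-5-21-1-2-3-1005,NoMatch,False,False,Svc Legacy,,Service account retired before migration
S-1-5-21-1-2-3-2001,PartialMatch,True,True,Finance Team,,
"""


def _is_true(value):
    """The report writes booleans as True/False text; compare case-insensitively."""
    return value.strip().lower() == "true"


def triage(report_text):
    """Bucket the rows that need attention before Dry Run 1.

    no_match_with_acl: NoMatch identities that hold permissions, so that
        account loses access post migration (step 5).
    ambiguous_partial: PartialMatch rows sharing a display name with another
        PartialMatch row, the case the steps warn can be mis-mapped (step 6).
    group_partial: groups, which are only ever partial-matched on display name.
    missing_rationale: non-ExactMatch rows with no MappingRationale note,
        i.e. gaps that have not been dispositioned.
    """
    rows = list(csv.DictReader(io.StringIO(report_text)))
    partial = [r for r in rows if r["TypeOfMatch"] == "PartialMatch"]
    name_count = Counter(r["SharePointDisplayName"] for r in partial)
    return {
        "no_match_with_acl": [r["UniqueID"] for r in rows
                              if r["TypeOfMatch"] == "NoMatch" and _is_true(r["ACLExists"])],
        "ambiguous_partial": [r["UniqueID"] for r in partial
                              if name_count[r["SharePointDisplayName"]] > 1],
        "group_partial": [r["UniqueID"] for r in partial if _is_true(r["IsGroup"])],
        "missing_rationale": [r["UniqueID"] for r in rows
                              if r["TypeOfMatch"] != "ExactMatch"
                              and not r["MappingRationale"].strip()],
    }


def ready_for_dry_run(report_text):
    """True only when every non-exact row has been dispositioned with a note."""
    return not triage(report_text)["missing_rationale"]


if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_REPORT).items():
        print(f"{bucket}: {ids}")
    print("ready for Dry Run 1:", ready_for_dry_run(SAMPLE_REPORT))
```

Rerun it after each sync and mapping pass (steps 8 and 9); the report is ready when every bucket other than group_partial is empty or every remaining row has a rationale.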

IdentityMapping.csv

IdentityMapping.csv is a pre-generated identity mapping file. All identities are represented in the file. Unmapped identities will have a blank TargetIdentity value.

| Column name | Description |
| --- | --- |
| UniqueIdentity | Unique value to identify the object in the source environment. For Windows identities, this will be the Security Identifier (SID). For all other identity types, this will be the claim found in SharePoint. |
| TargetIdentity | Identity to map the source identity to. For users, this value is the User Principal Name of the user in Azure Active Directory. For groups, this value is the Object ID of the group in Azure Active Directory. |
| IsGroup | True if the row represents a group. |

See also

Other Resources

Download the SharePoint Migration Assessment Tool