Plan Device-based Conditional Access on-Premises

Applies To: Windows Server 2016

This document describes conditional access policies based on devices in a hybrid scenario where the on-premises directories are connected to Azure AD using Azure AD Connect.

AD FS and Hybrid conditional access

AD FS provides the on-premises component of conditional access policies in a hybrid scenario. When you register devices with Azure AD for conditional access to cloud resources, the Azure AD Connect device write-back capability makes device registration information available on premises for AD FS policies to consume and enforce. This way, you have a consistent approach to access control policies for both on-premises and cloud resources.

[Figure: Conditional access]

Types of registered devices

There are three kinds of registered devices, all of which are represented as Device objects in Azure AD and can be used for conditional access with AD FS on premises as well.

| | Add Work or School Account | Azure AD Join | Windows 10 Domain Join |
|---|---|---|---|
| Description | Users add their work or school account to their BYOD device interactively. Note: Add Work or School Account is the replacement for Workplace Join in Windows 8/8.1. | Users join their Windows 10 work device to Azure AD. | Windows 10 domain-joined devices automatically register with Azure AD. |
| How users log in to the device | No login to Windows as the work or school account. Login using a Microsoft account. | Login to Windows as the (work or school) account that registered the device. | Login using an AD account. |
| How devices are managed | MDM policies (with additional Intune enrollment) | MDM policies (with additional Intune enrollment) | Group Policy, System Center Configuration Manager (SCCM) |
| Azure AD trust type | Workplace joined | Azure AD joined | Domain joined |
| Windows 10 Settings location | Settings > Accounts > Your account > Add a work or school account | Settings > System > About > Join Azure AD | Settings > System > About > Join a domain |
| Also available for iOS and Android devices? | Yes | No | No |

For more information on the different ways to register devices, see also:

How Windows 10 User and Device Sign-on is different from previous versions

For Windows 10 and AD FS 2016 there are some new aspects of device registration and authentication you should know about (especially if you are very familiar with device registration and "workplace join" in previous releases).

First, in Windows 10 and AD FS in Windows Server 2016, device registration and authentication are no longer based solely on an X.509 user certificate. There is a new, more robust protocol that provides better security and a more seamless user experience. The key difference is that, for Windows 10 Domain Join and Azure AD Join, there is an X.509 computer certificate and a new credential called a PRT (Primary Refresh Token). You can read all about it here and here.

Second, Windows 10 and AD FS 2016 support user authentication using Microsoft Passport for Work (since renamed Windows Hello for Business), which you can read about here and here.

AD FS 2016 provides seamless device and user SSO based on both PRT and Passport credentials. Using the steps in this document, you can enable these capabilities and see them work.

Device Access Control Policies

Devices can be used in simple AD FS access control rules such as:

  • allow access only from a registered device
  • require multi-factor authentication when a device is not registered

These rules can then be combined with other factors, such as network access location and multi-factor authentication, to create rich conditional access policies such as:

  • require multi-factor authentication for unregistered devices accessing from outside the corporate network, except for members of a particular group or groups

With AD FS 2016, these policies can also be configured to require a particular device trust level: either authenticated, managed, or compliant.

For more information on configuring AD FS access control policies, see Access control policies in AD FS.

Authenticated devices

Authenticated devices are registered devices that are not enrolled in MDM (Intune and third-party MDMs for Windows 10; Intune only for iOS and Android).

Authenticated devices will have the isManaged AD FS claim with value FALSE. (Devices that are not registered at all will lack this claim entirely.) Authenticated devices (and all registered devices) will have the isKnown AD FS claim with value TRUE.

Managed devices

Managed devices are registered devices that are enrolled with MDM.

Managed devices will have the isManaged AD FS claim with value TRUE.

Compliant devices (with MDM or Group Policy)

Compliant devices are registered devices that are not only enrolled with MDM but also compliant with the MDM policies. (Compliance information originates with the MDM and is written to Azure AD.)

Compliant devices will have the isCompliant AD FS claim with value TRUE.

For the complete list of AD FS 2016 device and conditional access claims, see Reference.
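The PowerShell script below is an added example, not code from the original page or from Microsoft, that expresses the device-based policies described in the Device Access Control Policies section as AD FS 2016 claim rules, using the isKnown, isManaged and isCompliant device claims defined above. It assumes a relying party trust named "Contoso Intranet App" already exists, uses the placeholder SID "S-1-5-21-0-0-0-1234" for the exempted group, and configures the rules directly on the relying party with Set-AdfsRelyingPartyTrust rather than through the AD FS 2016 access control policy templates; the claim type URIs are the device-context, location and group claim types AD FS issues.

```powershell
# Added example (not from the original page): device-based AD FS 2016 claim rules.
# Assumptions: relying party "Contoso Intranet App" exists; the group SID below is a
# placeholder to be replaced with the SID of the group that is exempt from MFA.
$RpName    = 'Contoso Intranet App'
$ExemptSid = 'S-1-5-21-0-0-0-1234'

# Device-context claim types issued by AD FS 2016 for devices written back by Azure AD Connect.
$IsKnown     = 'http://schemas.microsoft.com/2012/01/devicecontext/claims/isknown'
$IsManaged   = 'http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged'
$IsCompliant = 'http://schemas.microsoft.com/2012/01/devicecontext/claims/iscompliant'
# Location and group-membership claims combined with the device claims.
$InsideCorpNet = 'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork'
$GroupSid      = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
# Outcomes: the permit claim (authorization) and the MFA authentication-method claim.
$Permit     = 'http://schemas.microsoft.com/authorization/claims/permit'
$AuthMethod = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod'
$MfaValue   = 'http://schemas.microsoft.com/claims/multipleauthn'

# 1. Allow access only from a registered device.
#    Every registered device (authenticated, managed or compliant) carries isKnown == true;
#    an unregistered device has no isKnown claim at all, so no permit claim is issued
#    and AD FS denies the request.
$RegisteredOnly = @"
@RuleName = "Permit only registered devices"
EXISTS([Type == "$IsKnown", Value == "true"])
 => issue(Type = "$Permit", Value = "true");
"@

# 2. Raise the required trust level. isManaged == true covers MDM-enrolled devices
#    (managed and compliant); isCompliant == true narrows it to devices the MDM
#    reports as compliant with its policies. Pick one of these instead of rule 1.
$ManagedOnly = @"
@RuleName = "Permit only MDM-managed devices"
EXISTS([Type == "$IsManaged", Value == "true"])
 => issue(Type = "$Permit", Value = "true");
"@
$CompliantOnly = @"
@RuleName = "Permit only MDM-compliant devices"
EXISTS([Type == "$IsCompliant", Value == "true"])
 => issue(Type = "$Permit", Value = "true");
"@

# 3. Require MFA for unregistered devices coming from outside the corporate network,
#    except for members of the exempted group. "Not registered" is the absence of the
#    isKnown claim, so it is tested with NOT EXISTS rather than Value == "false".
$MfaForUnregisteredExternal = @"
@RuleName = "MFA for unregistered devices outside the corporate network"
NOT EXISTS([Type == "$IsKnown", Value == "true"])
 && EXISTS([Type == "$InsideCorpNet", Value == "false"])
 && NOT EXISTS([Type == "$GroupSid", Value == "$ExemptSid"])
 => issue(Type = "$AuthMethod", Value = "$MfaValue");
"@

# Apply the registered-only authorization rule and the MFA rule to the relying party.
# Substitute $ManagedOnly or $CompliantOnly for $RegisteredOnly to require that trust level.
Set-AdfsRelyingPartyTrust -TargetName $RpName `
    -IssuanceAuthorizationRules $RegisteredOnly `
    -AdditionalAuthenticationRules $MfaForUnregisteredExternal

# Read back the stored rule sets; both should reference the device-context claim types.
$rp = Get-AdfsRelyingPartyTrust -Name $RpName
$rp.IssuanceAuthorizationRules
$rp.AdditionalAuthenticationRules
```

Run this in an elevated PowerShell session on an AD FS 2016 server after confirming, with a test sign-in, that the device claims actually arrive: if Azure AD Connect device write-back is not enabled, no device ever carries isKnown, the authorization rule issues no permit claim, and every user is denied, while the MFA rule fires for everyone outside the corporate network.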

Reference

Complete list of new AD FS 2016 and device claims