Microsoft Accounts

Applies to

  • Windows 10

This topic for the IT professional explains how a Microsoft account works to enhance security and privacy for users, and how you can manage this consumer account type in your organization.

Microsoft sites, services, and properties, as well as computers running Windows 10, can use a Microsoft account as a means of identifying a user. The Microsoft account was previously called Windows Live ID. It has user-defined secrets, and consists of a unique email address and a password.

When a user signs in with a Microsoft account, the device is connected to cloud services. Many of the user's settings, preferences, and apps can be shared across devices.

How a Microsoft account works

The Microsoft account allows users to sign in to websites that support this service by using a single set of credentials. Users' credentials are validated by a Microsoft account authentication server that is associated with a website. The Microsoft Store is an example of this association. When new users sign in to websites that are enabled to use Microsoft accounts, they are redirected to the nearest authentication server, which asks for a user name and password. Windows uses the Schannel Security Support Provider to open a Transport Layer Security/Secure Sockets Layer (TLS/SSL) connection for this function. Users then have the option to use Credential Manager to store their credentials.

When users sign in to websites that are enabled to use a Microsoft account, a time-limited cookie is installed on their computers, which includes a triple DES encrypted ID tag. This encrypted ID tag has been agreed upon between the authentication server and the website. This ID tag is sent to the website, and the website plants another time-limited encrypted HTTP cookie on the user's computer. When these cookies are valid, users are not required to supply a user name and password. If a user actively signs out of their Microsoft account, these cookies are removed.

Important: Local Windows account functionality has not been removed, and it is still an option to use in managed environments.

How Microsoft accounts are created

To prevent fraud, the Microsoft system verifies the IP address when a user creates an account. A user who tries to create multiple Microsoft accounts with the same IP address is stopped.

Microsoft accounts are not designed to be created in batches, such as for a group of domain users within your enterprise.

There are two methods for creating a Microsoft account:

  • Use an existing email address.

    Users are able to use their valid email addresses to sign up for Microsoft accounts. The service turns the requesting user's email address into a Microsoft account. Users can also choose their personal passwords.

  • Sign up for a Microsoft email address.

    Users can sign up for an email account with Microsoft's webmail services. This account can be used to sign in to websites that are enabled to use Microsoft accounts.

How the Microsoft account information is safeguarded

Credential information is encrypted twice. The first encryption is based on the account's password. Credentials are encrypted again when they are sent across the Internet. The data that is stored is not available to other Microsoft or non-Microsoft services.

  • Strong password is required.

    Blank passwords are not allowed.

    For more information, see Microsoft Account Security Overview.

  • Secondary proof of identity is required.

    Before user profile information and settings can be accessed on a second supported Windows computer for the first time, trust must be established for that device by providing secondary proof of identity. This can be accomplished by providing Windows with a code that is sent to a mobile phone number or by following the instructions that are sent to an alternate email address that a user specifies in the account settings.

  • All user profile data is encrypted on the client before it is transmitted to the cloud.

    User data does not roam over a wireless wide area network (WWAN) by default, thereby protecting profile data. All data and settings that leave a device are transmitted through the TLS/SSL protocol.

Microsoft account security information is added.

Users can add security information to their Microsoft accounts through the Accounts interface on computers running the supported versions of Windows. This feature allows the user to update the security information that they provided when they created their accounts. This security information includes an alternate email address or phone number so that, if their password is compromised or forgotten, a verification code can be sent to verify their identity. Users can potentially use their Microsoft accounts to store corporate data on a personal OneDrive or email app, so it is safe practice for the account owner to keep this security information up to date.

The Microsoft account in the enterprise

Although the Microsoft account was designed to serve consumers, you might find situations where your domain users can benefit by using their personal Microsoft account in your enterprise. The following list describes some advantages.

  • Download Microsoft Store apps:

    If your enterprise chooses to distribute software through the Microsoft Store, your users can use their Microsoft accounts to download and use them on up to five devices running any version of Windows 10, Windows 8.1, Windows 8, or Windows RT.

  • Single sign-on:

    Your users can use Microsoft account credentials to sign in to devices running Windows 10, Windows 8.1, Windows 8, or Windows RT. When they do this, Windows works with your Microsoft Store app to provide authenticated experiences for them. Users can associate a Microsoft account with their sign-in credentials for Microsoft Store apps or websites, so that these credentials roam across any devices running these supported versions.

  • Personalized settings synchronization:

    Users can associate their most commonly used operating-system settings with a Microsoft account. These settings are available whenever a user signs in with that account on any device that is running a supported version of Windows and is connected to the cloud. After a user signs in, the device automatically attempts to get the user's settings from the cloud and apply them to the device.

  • App synchronization:

    Microsoft Store apps can store user-specific settings so that these settings are available to any device. As with operating system settings, these user-specific app settings are available whenever the user signs in with the same Microsoft account on any device that is running a supported version of Windows and is connected to the cloud. After the user signs in, that device automatically downloads the settings from the cloud and applies them when the app is installed.

  • Integrated social media services:

    Contact information and status for your users' friends and associates automatically stay up to date from sites such as Hotmail, Outlook, Facebook, Twitter, and LinkedIn. Users can also access and share photos, documents, and other files from sites such as OneDrive, Facebook, and Flickr.

Managing the Microsoft account in the domain

Depending on your IT and business models, introducing Microsoft accounts into your enterprise might add complexity or it might provide solutions. You should address the following considerations before you allow the use of these account types in your enterprise:

Restrict the use of the Microsoft account

The following Group Policy settings help control the use of Microsoft accounts in the enterprise:

Block all consumer Microsoft account user authentication

This setting controls whether users can provide Microsoft accounts for authentication for applications or services.

If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication. This applies both to existing users of a device and to new users who may be added.

However, any application or service that has already authenticated a user will not be affected by enabling this setting until the authentication cache expires. It is recommended to enable this setting before any user signs in to a device, to prevent cached tokens from being present.

If this setting is disabled or not configured, applications and services can use Microsoft accounts for authentication. By default, this setting is Disabled.

This setting does not affect whether users can sign in to devices by using Microsoft accounts, or the ability for users to provide Microsoft accounts via the browser for authentication with web-based applications.

The path to this setting is:

Computer Configuration\Administrative Templates\Windows Components\Microsoft account

Accounts: Block Microsoft accounts

This setting prevents using the Settings app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services.

There are two options if this setting is enabled:

  • Users can't add Microsoft accounts means that existing connected accounts can still sign in to the device (and appear on the Sign in screen). However, users cannot use the Settings app to add new connected accounts (or connect local accounts to Microsoft accounts).
  • Users can't add or log on with Microsoft accounts means that users cannot add new connected accounts (or connect local accounts to Microsoft accounts) or use existing connected accounts through Settings.

This setting does not affect adding a Microsoft account for application authentication. For example, if this setting is enabled, a user can still provide a Microsoft account for authentication with an application such as Mail, but the user cannot use the Microsoft account for single sign-on authentication for other applications or services (in other words, the user will be prompted to authenticate for other applications or services).

By default, this setting is Not defined.

The path to this setting is:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
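The following PowerShell script is an added example, not part of the original topic: it audits the two Group Policy settings described above ("Block all consumer Microsoft account user authentication" and "Accounts: Block Microsoft accounts") by reading the registry values those policies write, and reports whether each device matches the hardened state. The registry paths and value names (DisableUserAuth, NoConnectedUser) are not on this page; they are assumed here from the corresponding ADMX templates, and the "Users can't add or log on" option is assumed to be value 3.

```powershell
# Added example (not from the Microsoft docs topic). Audit the two Microsoft
# account policies via the registry values they write.
# ASSUMPTION: paths/value names below come from the ADMX templates; verify
# them against your own policy definitions before relying on this report.
$MsaPolicyChecks = @(
    @{
        Name    = 'Block all consumer Microsoft account user authentication'
        Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount'
        Value   = 'DisableUserAuth'
        Expect  = 1                      # 1 = Enabled
        Meaning = @{ 1 = 'Enabled: apps and services cannot use Microsoft accounts' }
    },
    @{
        Name    = 'Accounts: Block Microsoft accounts'
        Path    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        Value   = 'NoConnectedUser'
        Expect  = 3                      # 3 = strictest option (assumed)
        Meaning = @{ 1 = "Users can't add Microsoft accounts"
                     3 = "Users can't add or log on with Microsoft accounts" }
    }
)

function Get-MsaPolicyState {
    # Returns one object per policy: raw value, human-readable state, compliance.
    foreach ($c in $MsaPolicyChecks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $raw  = if ($null -ne $item) { [int]$item.($c.Value) } else { $null }
        if ($null -eq $raw) { $state = 'Not configured (default behaviour applies)' }
        elseif ($c.Meaning.ContainsKey($raw)) { $state = $c.Meaning[$raw] }
        else { $state = "Unexpected value $raw" }
        [pscustomobject]@{
            Policy    = $c.Name
            Value     = $raw
            State     = $state
            Compliant = ($raw -eq $c.Expect)
        }
    }
}

function Set-MsaPolicyHardened {
    # Writes the hardened values locally (run elevated). In a domain, deploy
    # these through Group Policy instead; remember the note above that the
    # authentication-block setting only takes full effect once cached tokens expire.
    foreach ($c in $MsaPolicyChecks) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Expect -Type DWord
    }
}

Get-MsaPolicyState | Format-Table -AutoSize
```

Run the audit on a freshly imaged device before the first user signs in, since the text above notes that already-cached authentications are unaffected until their cache expires.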

Configure connected accounts

Users can connect a Microsoft account to their domain account and synchronize the settings and preferences between them. This enables users to see the same desktop background, app settings, browser history and favorites, and other Microsoft account settings on their other devices.

Users can disconnect a Microsoft account from their domain account at any time as follows: In PC settings, tap or click Users, tap or click Disconnect, and then tap or click Finish.

Note: Connecting Microsoft accounts with domain accounts can limit access to some high-privileged tasks in Windows. For example, Task Scheduler will evaluate the connected Microsoft account for access and fail. In these situations, the account owner should disconnect the account.

Provision Microsoft accounts in the enterprise

Microsoft accounts are private user accounts. There are no methods provided by Microsoft to provision Microsoft accounts for an enterprise. Enterprises should use domain accounts.

Audit account activity

Because Microsoft accounts are Internet-based, Windows does not have a mechanism to audit their use until the account is associated with a domain account. But this association does not restrict the user from disconnecting the account or disjoining from the domain. It is not possible to audit the activity of accounts that are not associated with your domain.

Perform password resets

Only the owner of the Microsoft account can change the password. Passwords can be changed in the Microsoft account sign-in portal.

Restrict app installation and usage

Within your organization, you can set application control policies to regulate app installation and usage for Microsoft accounts. For more information, see AppLocker and Packaged Apps and Packaged App Installer Rules in AppLocker.
