Microsoft Entra ID is a cloud-based identity and access management service that your employees can use to access external resources. Example resources include Microsoft 365, the Azure portal, and thousands of other SaaS applications.
Microsoft Entra ID also helps them access internal resources, such as apps on your corporate intranet, and any cloud apps developed for your own organization. To learn how to create a tenant, see Quickstart: Create a new tenant in Microsoft Entra ID.
To learn the differences between Active Directory and Microsoft Entra ID, see Compare Active Directory to Microsoft Entra ID. You can also refer to the Microsoft Cloud for Enterprise Architects Series posters to better understand the core identity services in Azure, such as Microsoft Entra ID and Microsoft 365.
Who uses Microsoft Entra ID?
Microsoft Entra ID provides different benefits to members of your organization based on their role:
- IT admins use Microsoft Entra ID to control access to apps and app resources based on business requirements. For example, as an IT admin, you can use Microsoft Entra ID to require multifactor authentication when accessing important organizational resources. You can also use Microsoft Entra ID to automate user provisioning between your existing Windows Server AD and your cloud apps, including Microsoft 365. Finally, Microsoft Entra ID gives you powerful tools to automatically help protect user identities and credentials and to meet your access governance requirements. To get started, sign up for a 30-day free trial of Microsoft Entra ID P1 or P2.
- App developers can use Microsoft Entra ID as a standards-based authentication provider that helps them add single sign-on (SSO) to apps so that it works with a user's existing credentials. Developers can also use Microsoft Entra APIs to build personalized experiences using organizational data. To get started, sign up for a 30-day free trial of Microsoft Entra ID P1 or P2. For more information, you can also see Microsoft Entra ID for developers.
- Microsoft 365, Office 365, Azure, or Dynamics CRM Online subscribers already use Microsoft Entra ID, because every Microsoft 365, Office 365, Azure, and Dynamics CRM Online tenant is automatically a Microsoft Entra tenant. You can start managing access to your integrated cloud apps right away.
What are the Microsoft Entra ID licenses?
Microsoft Online business services, such as Microsoft 365 or Microsoft Azure, use Microsoft Entra ID for sign-in activities and to help protect your identities. If you subscribe to any Microsoft Online business service, you automatically get free access to Microsoft Entra ID.
To enhance your Microsoft Entra implementation, you can also add paid capabilities by upgrading to a Microsoft Entra ID P1 or P2 license, or by adding licenses for products such as Microsoft Entra ID Governance. Paid licenses are built on top of your existing free directory. The licenses provide self-service, enhanced monitoring, security reporting, and secure access for your mobile users.
For the pricing options of these licenses, see Microsoft Entra pricing.
For more information about Microsoft Entra pricing, contact the Microsoft Entra Forum.
- Microsoft Entra ID Free. Provides user and group management, on-premises directory synchronization, basic reports, self-service password change for cloud users, and single sign-on across Azure, Microsoft 365, and many popular SaaS apps.
- Microsoft Entra ID P1. In addition to the Free features, P1 also lets your hybrid users access both on-premises and cloud resources. It also supports advanced administration, such as dynamic membership groups, self-service group management, Microsoft Identity Manager, and cloud write-back capabilities, which allow self-service password reset for your on-premises users.
- Microsoft Entra ID P2. In addition to the Free and P1 features, P2 also offers Microsoft Entra ID Protection to help provide risk-based Conditional Access to your apps and critical company data, and Privileged Identity Management to help discover, restrict, and monitor administrators and their access to resources, and to provide just-in-time access when needed.
In addition to Microsoft Entra ID licenses, you can also enable other identity management features with licenses for other Microsoft Entra products, including:
- Microsoft Entra ID Governance. Microsoft Entra ID Governance is an advanced set of identity governance capabilities for Microsoft Entra ID P1 and P2 customers.
- Microsoft Entra Permissions Management. Microsoft Entra Permissions Management is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility into the permissions assigned to all identities (users and workloads), actions, and resources across the Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) cloud infrastructures.
- "Pay as you go" feature licenses. You can also get licenses for features such as Microsoft Entra Domain Services and Microsoft Entra Business-to-Customer (B2C). B2C can help you provide identity and access management solutions for your customer-facing apps. For more information, see the Azure Active Directory B2C documentation.
For more information about the Microsoft Entra product family, see Microsoft Entra.
For more information about associating an Azure subscription with Microsoft Entra ID, see Associate or add an Azure subscription to Microsoft Entra ID. For more information about assigning licenses to your users, see How to: Assign or remove Microsoft Entra ID licenses.
Which features work in Microsoft Entra ID?
After you choose your Microsoft Entra ID license, you get access to some or all of the following features:
| Category | Description |
| --- | --- |
| Application management | Manage your cloud and on-premises apps using Application Proxy, single sign-on, the My Apps portal, and Software as a Service (SaaS) apps. For more information, see How to provide secure remote access to on-premises applications and Application Management documentation. |
| Authentication | Manage Microsoft Entra self-service password reset, Multifactor Authentication, custom banned password list, and smart lockout. For more information, see Microsoft Entra authentication documentation. |
| Microsoft Entra ID for developers | Build apps that sign in all Microsoft identities, get tokens to call Microsoft Graph, other Microsoft APIs, or custom APIs. For more information, see Microsoft identity platform (Microsoft Entra ID for developers). |
| Business-to-Business (B2B) | Manage your guest users and external partners, while maintaining control over your own corporate data. For more information, see Microsoft Entra B2B documentation. |
| Business-to-Customer (B2C) | Customize and control how users sign up, sign in, and manage their profiles when using your apps. For more information, see Azure Active Directory B2C documentation. |
| Conditional Access | Manage access to your cloud apps. For more information, see Microsoft Entra Conditional Access documentation. |
| Device Management | Manage how your cloud or on-premises devices access your corporate data. For more information, see Microsoft Entra Device Management documentation. |
| Domain services | Join Azure virtual machines to a domain without using domain controllers. For more information, see Microsoft Entra Domain Services documentation. |
| Enterprise users | Manage license assignments, access to apps, and set up delegates using groups and administrator roles. For more information, see Microsoft Entra user management documentation. |
| Hybrid identity | Use Microsoft Entra Connect and Connect Health to provide a single user identity for authentication and authorization to all resources, regardless of location (cloud or on-premises). For more information, see Hybrid identity documentation. |
| Identity governance | Microsoft Entra ID P2 includes basic capabilities for privileged identity management (PIM), access reviews, and entitlement management. Microsoft Entra ID Governance customers can manage their organization's identities and access through comprehensive employee, business partner, vendor, service, and app controls. For more information, see Microsoft Entra ID Governance documentation and features by license. |
| Microsoft Entra ID Protection | Detect potential vulnerabilities affecting your organization's identities, configure policies to respond to suspicious actions, and then take appropriate action to resolve them. For more information, see Microsoft Entra ID Protection. |
| Managed identities for Azure resources | Provide your Azure services with an automatically managed identity in Microsoft Entra ID that can authenticate to any Microsoft Entra-supported authentication service, including Key Vault. For more information, see What is managed identities for Azure resources?. |
| Privileged identity management (PIM) | Manage, control, and monitor access within your organization. This feature includes access to resources in Microsoft Entra ID and Azure, and other Microsoft Online Services, like Microsoft 365 or Intune. For more information, see Microsoft Entra Privileged Identity Management. |
| Monitoring and health | Gain insights into the security and usage patterns in your environment. For more information, see Microsoft Entra monitoring and health. |
| Workload identities | Give an identity to your software workload (such as an application, service, script, or container) to authenticate and access other services and resources. For more information, see workload identities FAQs. |
To better understand Microsoft Entra ID and its documentation, we recommend reviewing the following terms.
| Term or concept | Description |
| --- | --- |
| Identity | A thing that can get authenticated. An identity can be a user with a username and password. Identities also include applications or other servers that might require authentication through secret keys or certificates. |
| Account | An identity that has data associated with it. You can't have an account without an identity. |
| Microsoft Entra account | An identity created through Microsoft Entra ID or another Microsoft cloud service, such as Microsoft 365. Identities are stored in Microsoft Entra ID and accessible to your organization's cloud service subscriptions. This account is also sometimes called a Work or school account. |
| Account Administrator | This classic subscription administrator role is conceptually the billing owner of a subscription. This role enables you to manage all subscriptions in an account. For more information, see Azure roles, Microsoft Entra roles, and classic subscription administrator roles. |
| Service Administrator | This classic subscription administrator role enables you to manage all Azure resources, including access. This role has the equivalent access of a user who is assigned the Owner role at the subscription scope. For more information, see Azure roles, Microsoft Entra roles, and classic subscription administrator roles. |
| Owner | This role helps you manage all Azure resources, including access. This role is built on a newer authorization system called Azure role-based access control (Azure RBAC) that provides fine-grained access management to Azure resources. For more information, see Azure roles, Microsoft Entra roles, and classic subscription administrator roles. |
| Microsoft Entra Global Administrator | This administrator role is automatically assigned to whomever created the Microsoft Entra tenant. You can have multiple accounts with this role, but anyone with at least Privileged Role Administrator can assign administrator roles to users. For more information about the various administrator roles, see Administrator role permissions in Microsoft Entra ID. |
| Azure subscription | Used to pay for Azure cloud services. You can have many subscriptions, and they're linked to a credit card. |
| Tenant | A dedicated and trusted instance of Microsoft Entra ID. The tenant is automatically created when your organization signs up for a Microsoft cloud service subscription. These subscriptions include Microsoft Azure, Microsoft Intune, or Microsoft 365. This tenant represents a single organization and is intended for managing your employees, business apps, and other internal resources. For this reason, it's considered a workforce tenant configuration. By contrast, you can create a tenant in an external configuration, which is used in customer identity and access management (CIAM) solutions for your consumer-facing apps (learn more about Microsoft Entra External ID). |
| Single tenant | Azure tenants that access other services in a dedicated environment are considered single tenant. |
| Multitenant | Azure tenants that access other services in a shared environment, across multiple organizations, are considered multitenant. |
| Microsoft Entra directory | Each Azure tenant has a dedicated and trusted Microsoft Entra directory. The Microsoft Entra directory includes the tenant's users, groups, and apps and is used to perform identity and access management functions for tenant resources. |
| Custom domain | Every new Microsoft Entra directory comes with an initial domain name, for example . In addition to that initial name, you can also add your organization's domain names to the list. Your organization's domain names include the names you use to do business and the names your users use to access your organization's resources. Adding custom domain names helps you to create user names that are familiar to your users, such as |
| Microsoft account (also called MSA) | Personal accounts that provide access to your consumer-oriented Microsoft products and cloud services. These products and services include Outlook, OneDrive, Xbox LIVE, or Microsoft 365. Your Microsoft account is created and stored in the Microsoft consumer identity account system that's run by Microsoft. |
Next steps