内部部署AD - >混合Azure AD - >仅限Azure AD [英] On-premises AD -> Hybrid Azure AD -> Azure AD only

问题描述

大家好，

我正计划执行以下任务：

Windows 10（1709或更高版本）设备现已加入本地活动目录。所需的状态是仅将设备加入Azure AD，本地域将被解除授权。我认为这应该通过混合AAD连接完成，然后仅将
移动到AAD。在加入Azure AD时，这些设备将注册到Intune。

我可以找到很多关于如何迁移到混合AAD的文档，但是如何从混合AAD迁移仅AAD到AAD？

一个小细节：当文档谈论混合AAD连接时我有点困惑：有些句子谈论注册设备，有些关于加入设备，这是相同的文件。

任何想法如何达到理想状态（仅限AAD）的麻烦最少？

PS我知道应用程序和身份验证更改（以及许多其他更改），这些也将在同一时间处理。首先，我试图找出如何将Windows 10设备移动到AAD的麻烦最少，所以在这篇文章中我只专注于Windows。

解决方案

对于你的场景，加入的设备听起来不错。

这部分取决于你的要求。 Azure Active Directory不能替代本地Active Directory，但如果您不需要Azure AD中缺少的任何功能（列出

here 和
here ），那么你应该没问题。  

部分原因取决于您是否已通过AD Connect将用户同步到Azure AD。如果您已同步所有内容，则需要禁用AAD同步，或将用户移至未同步的OU并将其还原。  https://techcommunity.microsoft.com/t5/Security- Identity-Convert-Pre-AD-Users-from-Office-365-Azure-AD-to-Cloud / td-p / 42908

注册设备主要供个人使用。连接的设备适用于组织拥有的设备。设备类型有时也各不相同。 https://docs.microsoft .com / zh-CN / azure / active-directory / devices / overview

此博客文章也全面介绍了该主题。  https://blogs.technet.microsoft.com/trejo/ 2016/04/09 /天青-AD-加入-VS-天青-AD-设备登记/

Hi all,

I am planning a following task:

Windows 10 (1709 or later) devices are now joined to on-premises active directory. The desired state is to get device joined to Azure AD only, on-premises domain will be decommissioned. I assume this should be accomplished via hybrid AAD join, and then move to AAD only. The devices will be enrolled to Intune while joining Azure AD.

I can find lots of documentation how to move to hybrid AAD, but how to move from Hybrid AAD to AAD only?

A minor detail: I am a bit confused when documents are talking about Hybrid AAD join: Some sentences talk about registering devices, and some about joining the devices, this in the same document.

Any ideas how to get to the desired state (AAD only) with least trouble?

P.S. I am aware about applications and authentication changes (and lots of other changes), and those will also be taken care of in the same time. First I am trying to figure out how to move Windows 10 devices to AAD with least trouble, so in this post I am concentrating only to Windows.

解决方案

For your scenario joined devices sound right.

It partly depends on your requirements. Azure Active Directory is not intended as a replacement for your on-premises Active Directory, but if you don't need any of the features that are missing from Azure AD (listed here and here), then you should be fine. 

Part of this depends on whether you have already synced users to Azure AD via AD Connect. If you have already synced everything then you will need to disable AAD Sync, or move the users to an OU which is not synced and restore them. https://techcommunity.microsoft.com/t5/Security-Identity/Convert-On-Prem-AD-Users-from-Office-365-Azure-AD-to-In-Cloud/td-p/42908

Registered devices are mainly intended for personal use. Joined devices are intended for devices owned by the organization. The types of devices are different for each sometimes too. https://docs.microsoft.com/en-us/azure/active-directory/devices/overview

This blog post covers the topic thoroughly as well. https://blogs.technet.microsoft.com/trejo/2016/04/09/azure-ad-join-vs-azure-ad-device-registration/

这篇关于内部部署AD - >混合Azure AD - >仅限Azure AD的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！