Azure MFA内部部署 - 需要澄清 [英] Azure MFA on premise - need clarification
问题描述
大家好,
请提供我的要求的输入。
Please provide inputs for my requirements.
当前设置
1)第三方基于云的内部部署和内部部署应用程序,可从互联网访问
1) 3rd party cloud-based and on-premise applications, to be accessed from the internet
2)用户位于2个域(域A和域B) 在需要访问应用程序的单独林(具有单向信任)中
2) Users are in 2 domains (domain A and domain B) in separate forests (with 1-way trust) that require access to the applications
3) 由于安全性要求,需要Azure MFA才能从互联网上为两个域用户访问
4)域A用户只能从互联网访问资源,因为他们是承包商。
我正在考虑创建:
What I am thinking of creating:
1)每个森林在DMZ中有2个独立的ADFS 2016农场与WAP
1) 2 separate ADFS 2016 farms with WAP in DMZ for each forest
2)每个林中的Azure MFA服务器
2) Azure MFA servers in each forest
问题:
1)域B用户已经拥有Office365 E3。我可以为这些用户使用Azure MFA吗?
1) Domain B users already have Office365 E3. Can I utilize the Azure MFA for those users?
2)域A用户没有任何Office365或Azure AD。我可以使用 按使用付费的Azure MFA吗?我知道自2018年9月以来不再允许新客户使用。但是,由于客户已经拥有Office365 for Domain B,他们是否被认为是b $ b现有客户?
2) Domain A users do not have any Office365 or Azure AD. Can I use the pay-per-use Azure MFA? I understand this is no longer allowed for new customers since September 2018. However, since customer already has Office365 for Domain B, are they considered existing customers?
3)我可以两个域只有一组MFA?
3) Can I have just 1 set of MFA for both domains?
4)如果我需要为域A用户购买Azure AD premium,是否需要将内部部署AD同步到Azure AD允许MFA?
4) If in case I need to purchase Azure AD premium for Domain A users, do I need to sync on-premise AD to Azure AD to allow MFA?
谢谢
推荐答案
嗨Zizou,
Hi Zizou,
你有没有提到这个指南方案? https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-single-adfs-multitenant-federation
1.是的,如果您的用户拥有E3许可证,则应该能够使用Azure MFA,因为其中包含Azure AD Premium。
Have you referred referred to the guide for this scenario? https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-single-adfs-multitenant-federation
1. Yes, you should be able to use Azure MFA if your users have an E3 license because that includes Azure AD Premium.
2。仍然可以使用现有的auth提供程序。如果您有新用户,则您的许可协议规定您需要为他们分别提供许可。 https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-authprovider
2. Existing auth providers can still be used. If you have new users your licensing agreement states that you need to have separate licenses for them. https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-authprovider
3。你是什么意思"一套" MFA?
3. What do you mean by "one set" of MFA?
4。如果您使用的是普通MFA服务器,则无需同步。但要允许Azure MFA,您需要同步用户。
4. If you are using plain MFA Server you do not need to sync. But to allow Azure MFA you need to sync the users.
这篇关于Azure MFA内部部署 - 需要澄清的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
