51CTO blog address: https://blog.51cto.com/14669127blog
garden blog address: https://www.cnblogs.com/Nancy1983
Under normal circumstances, we do not recommend that enterprises of a certain size use pure cloud user management. Unless Windows Server AD has not been used locally, we will recommend the following two deployment methods for customers:
- Directory and password synchronization
- Identity federation
This article will focus on directory and password synchronization, as shown in the following figure:
Directory and password synchronization: It is the easiest way, and it is also recommended for most enterprise organizations, because this solution:
- You can synchronize user accounts from the local directory to Azure AD tenants, while the local directory is still used to manage accounts;
- Azure AD performs all authentication for cloud-based services and applications.
- Support multi-forest synchronization.
Password synchronization: Just like locally, the user enters the same password for the cloud service, and the user password is not sent to Azure AD. At the same time, each password hash is synchronized without decrypting the password or obtaining the password directly.
Multi-factor authentication (MFA): Utilizing the basic MFA functions provided by Office 365, applications in Azure can use the MFA multi-factor authentication service. Directory synchronization does not provide integration with local MFA solutions.
更多资料:
• Prepare for directory synchronization to Microsoft 365
• Set up multi-factor authentication
• What is: Multifactor Authentication