如何将外部因素最好地组织到AAD中

本文介绍了如何将外部因素最好地组织到AAD中的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

这里的哲学问题是，我们刚刚开始以IDP身份通往Azure.

Philosophical question here as we have just started the road to Azure as IDP.

我为一个活动组织工作，我们有(一些)本地AD和大量的外部用户.他们中的数千人是大型活动的直接承包商，其中有数百人作为团队的扩展，又有成千上万对夫妇数十万外部利益相关者可能会与我们开展业务.如今，我们在广告活动中以假员工"身份管理了一堆外部设备.因为他们需要访问公司资源.

I work for an event organisation and we have (some) onprem AD's and a massive number of external users. Some thousands of them are direct contractors for larger events, some hundreds of them are working as team extensions, again some ten thousands to a couple hundred thousands are external stakeholders that might do business with us at some point. Today we have a bunch of externals administered in our AD as "fake employees" as they needed access to company resources.

我们希望为他们提供一个公司身份，以便在整个IT环境中使用一个帐户.到目前为止的AAD图书示例.

We would want to give them a single Company Identity to work with a single account across the IT landscape. Book example of AAD so far.

我们已经有一个AADC，将我们的company.com onprem AD同步到Azure.

We already have an AADC syncing our company.com onprem AD into Azure.

我一直在权衡如何最好地利用所有这些外部因素的一些选项，我很乐意听取一些关于这些外部因素的意见.从技术上讲，这些都是可行的(我相信)，我想听听您的经验或最佳做法"，如果可以的话，用这些.

I've been weighing in some options on how to best approach all these externals and I'd love to hear some input to these. Technically these are all doable (I believe), I'd like to hear your experience or "best practices" with these, if you will.

0)对待每个内部人员:相同的AD(不同的OU)，相同的AAD，相同的显示名称

0) Treat everyone internal: same AD (different OU's), same AAD, same Displayname

-将外部对象分组到同一AD域中的另一个OU中

- Externals grouped in a different OU in the same AD domain

-根据需要将所有员工+外部公司同步到AAD

- Sync all employees + the external companies as needed to the AAD

[email protected]与外部[email protected]几乎没有区别，但在内部部署中

- [email protected] and the external [email protected] has virtually no difference, but in the onprem

这基本上是我们想要摆脱的概念，但是可能有充分的理由保留它.

This is basically the concept we want to get away from, but there might be good reasons to keep it.

1)相同的AAD，相同的域，不同的显示名称.

1) Same AAD, same domain, different Displaynames.

-将每个人都放入company.com AD +同步化的AAD中，

- Put everyone in the company.com AD + sync'ed AAD,

-将公司名称作为显示名称的一部分，例如"Jane Doe(OTHERCOMPANY)".

- make the company name part of the display name like "Jane Doe (OTHERCOMPANY)".

通过这种方式，所有员工都知道她是外部员工，但是公司的所有第三方(首先)都只会看到company.com电子邮件.

This way all employees would know that she is an external, but all 3rd parties to the company would just see a company.com email (at first).

2)相同的AAD，不同的域

2) Same AAD, different domains

-将每个人都添加到company.com AD中，并同步AAD，并向AAD中添加自定义域和云身份.

- Put everyone in the company.com AD + sync'd AAD, plus add custom domains and cloud-born identities to the AAD

-我们将拥有"[email protected]"和"[email protected]"；在同一AAD中

- We're going to have "[email protected]" and "[email protected]" in the same AAD

优势:相同的AAD简单性

Advantage: same AAD simplicity

缺点:所有人都知道Jane不是公司的雇员，有人需要与核心雇员一道管理外部事务(管理隔离必须有计划地进行)

Disadvantage: everyone knows that Jane is not an employee of Company, someone needs to admin the externals along with the core employees (admin segregation needs to be planned well)

3)不同的AAD，不同的域

3) Different AADs, different domains

-仅在AD中放置员工

-将所有外部设备放入"company-ext" AAD并根据需要邀请他们以嘉宾身份进入AAD公司.

- Put all externals into an "company-ext" AAD and invite them to the company AAD as guests as needed

[email protected]仍然看起来像一个外部地址

- [email protected] will still look like an external address

优势:不同的广告可以适当区分管理任务

Advantage: different AD allows for proper segregation of admin tasks

缺点:引入了联盟复杂性(一切正常吗?)

Disadvantage: introduces federation complexity (will everything work properly?)

还是以上的任何组合?我已经看到0)和1)可以工作了，但是还没有经历2和3.

Or any combination of the above? I've seen 0) and 1) working, I've yet to experience 2 and 3.

AAD

如何将外部因素最好地组织到AAD中

问题描述

推荐答案