Understanding Azure AD Connect 1.4.xx.x and device registration
With the rollout of Azure Active Directory Connect (Azure AD Connect) version 1.4.xx.x, customers may see some or all of their Windows devices disappear from Azure AD. This is not a cause for concern, because Azure Active Directory (Azure AD) does not use these device identities during Conditional Access authorization. This change does not delete any Windows device that was correctly registered with Azure AD for hybrid Azure AD join.
If you see deletions of device objects in Azure AD exceeding the export deletion threshold, allow the deletions to proceed. See How To: allow deletes to flow when they exceed the deletion threshold.
Background
Windows devices registered as hybrid Azure AD joined are represented in Azure AD as device objects and can be used for Conditional Access. Windows 10 devices are synchronized to the cloud through Azure AD Connect, while down-level Windows devices register directly using Active Directory Federation Services (AD FS) or Seamless Single Sign-On.
Windows 10 devices
Only Windows 10 devices that carry the specific userCertificate attribute value set by hybrid Azure AD join should be synchronized to the cloud by Azure AD Connect. In earlier versions of Azure AD Connect this requirement was not strictly enforced, and unnecessary device objects were added to Azure AD. Such devices in Azure AD always remained in the "Pending" state, because they were never meant to register with Azure AD.
This version of Azure AD Connect synchronizes only Windows 10 devices that are correctly configured as hybrid Azure AD joined. Windows 10 device objects without the Azure AD join-specific userCertificate are removed from Azure AD.
Down-level Windows devices
Azure AD Connect should never synchronize down-level Windows devices. Any such devices that were previously synchronized to Azure AD incorrectly are deleted from Azure AD. If Azure AD Connect attempts to delete a down-level Windows device, that device was not created by the Microsoft Workplace Join for non-Windows 10 computers MSI, and it cannot be consumed by any other Azure AD feature.
Some customers may need to revisit How To: Plan your hybrid Azure Active Directory join implementation to register their Windows devices correctly and ensure those devices can fully participate in device-based Conditional Access.
How can I verify which devices are deleted with this update?
To verify which devices are deleted, use the PowerShell script in the PowerShell certificate report script section below.
This script generates a report about certificates stored in Active Directory Computer objects, specifically the certificates issued by the hybrid Azure AD join feature.
The script checks the certificates present in the UserCertificate property of each Computer object in AD. For every non-expired certificate, it validates whether the certificate was issued for the hybrid Azure AD join feature; that is, whether the Subject Name matches CN={ObjectGUID}.
Before this update, Azure AD Connect synchronized to Azure AD any computer that contained at least one valid certificate. Starting with Azure AD Connect version 1.4, the sync engine identifies hybrid Azure AD join certificates and cloud-filters the computer object, preventing it from synchronizing to Azure AD unless a valid hybrid Azure AD join certificate is present.
The sync engine uses the filter CloudFiltered=TRUE to delete Azure AD devices that were previously synchronized from AD but do not have a valid hybrid Azure AD join certificate.
PowerShell certificate report script
<#
.SYNOPSIS
Filename: Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1

DISCLAIMER:
Copyright (c) Microsoft Corporation. All rights reserved. This script is made available to you without any express, implied or statutory warranty, not even the implied warranty of merchantability or fitness for a particular purpose, or the warranty of title or non-infringement. The entire risk of the use or the results from the use of this script remains with you.

This script generates a report about certificates stored in Active Directory Computer objects, specifically,
certificates issued by the Hybrid Azure AD join feature.
.DESCRIPTION
It checks the certificates present in the UserCertificate property of a Computer object in AD and, for each
non-expired certificate present, validates if the certificate was issued for the Hybrid Azure AD join feature
(i.e. Subject Name matches CN={ObjectGUID}).
Before, Azure AD Connect would synchronize to Azure AD any Computer that contained at least one valid
certificate but starting on Azure AD Connect version 1.4, the sync engine can identify Hybrid
Azure AD join certificates and will 'cloudfilter' the computer object from synchronizing to Azure AD unless
there's a valid Hybrid Azure AD join certificate.
Azure AD Device objects that were already synchronized to AD but do not have a valid Hybrid Azure AD join
certificate will be deleted (CloudFiltered=TRUE) by the sync engine.
.EXAMPLE
.\Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1 -DN 'CN=Computer1,OU=SYNC,DC=Fabrikam,DC=com'
.EXAMPLE
.\Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1 -OU 'OU=SYNC,DC=Fabrikam,DC=com' -Filename "MyHybridAzureADjoinReport.csv" -Verbose
#>
#Requires -Modules ActiveDirectory
[CmdletBinding()]
Param
(
    # Computer DistinguishedName
    [Parameter(ParameterSetName='SingleObject',
               Mandatory=$true,
               ValueFromPipelineByPropertyName=$true,
               Position=0)]
    [String]
    $DN,

    # AD OrganizationalUnit
    [Parameter(ParameterSetName='MultipleObjects',
               Mandatory=$true,
               ValueFromPipelineByPropertyName=$true,
               Position=0)]
    [String]
    $OU,

    # Output CSV filename (optional)
    [Parameter(Mandatory=$false,
               ValueFromPipelineByPropertyName=$false,
               Position=1)]
    [String]
    $Filename
)

# Generate Output filename if not provided
If ($Filename -eq "")
{
    $Filename = [string] "$([string] $(Get-Date -Format yyyyMMddHHmmss))_ADSyncAADHybridJoinCertificateReport.csv"
}
Write-Verbose "Output filename: '$Filename'"

# Read AD object(s)
If ($PSCmdlet.ParameterSetName -eq 'SingleObject')
{
    $directoryObjs = @(Get-ADObject $DN -Properties UserCertificate)
    Write-Verbose "Starting report for a single object '$DN'"
}
Else
{
    $directoryObjs = Get-ADObject -Filter { ObjectClass -like 'computer' } -SearchBase $OU -Properties UserCertificate
    Write-Verbose "Starting report for $($directoryObjs.Count) computer objects in OU '$OU'"
}
Write-Host "Processing $($directoryObjs.Count) directory object(s). Please wait..."

# Check Certificates on each AD Object
$results = @()
ForEach ($obj in $directoryObjs)
{
    # Read UserCertificate multi-value property
    $objDN = [string] $obj.DistinguishedName
    $objectGuid = [string] ($obj.ObjectGUID).Guid
    $userCertificateList = @($obj.UserCertificate)
    $validEntries = @()
    $totalEntriesCount = $userCertificateList.Count
    Write-Verbose "'$objDN' ObjectGUID: $objectGuid"
    Write-Verbose "'$objDN' has $totalEntriesCount entries in UserCertificate property."
    If ($totalEntriesCount -eq 0)
    {
        Write-Verbose "'$objDN' has no Certificates - Skipped."
        Continue
    }

    # Check each UserCertificate entry and build array of valid certs
    ForEach ($entry in $userCertificateList)
    {
        Try
        {
            # Each entry is the DER-encoded certificate as a byte array
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2] $entry
        }
        Catch
        {
            Write-Verbose "'$objDN' has an invalid Certificate!"
            Continue
        }
        Write-Verbose "'$objDN' has a Certificate with Subject: $($cert.Subject); Thumbprint:$($cert.Thumbprint)."
        $validEntries += $cert
    }
    $validEntriesCount = $validEntries.Count
    Write-Verbose "'$objDN' has a total of $validEntriesCount certificates (shown above)."

    # Get non-expired Certs (Valid Certificates)
    $validCerts = @($validEntries | Where-Object { $_.NotAfter -ge (Get-Date) })
    $validCertsCount = $validCerts.Count
    Write-Verbose "'$objDN' has $validCertsCount valid certificates (not-expired)."

    # Check for AAD Hybrid Join Certificates: Subject must be CN=<ObjectGUID> or CN={<ObjectGUID>}
    $hybridJoinCerts = @()
    $hybridJoinCertsThumbprints = [string] "|"
    ForEach ($cert in $validCerts)
    {
        $certSubjectName = $cert.Subject
        If ($certSubjectName.StartsWith($("CN=$objectGuid")) -or $certSubjectName.StartsWith($("CN={$objectGuid}")))
        {
            $hybridJoinCerts += $cert
            $hybridJoinCertsThumbprints += [string] $($cert.Thumbprint) + '|'
        }
    }
    $hybridJoinCertsCount = $hybridJoinCerts.Count
    If ($hybridJoinCertsCount -gt 0)
    {
        $cloudFiltered = 'FALSE'
        Write-Verbose "'$objDN' has $hybridJoinCertsCount AAD Hybrid Join Certificates with Thumbprints: $hybridJoinCertsThumbprints (cloudFiltered=FALSE)"
    }
    Else
    {
        $cloudFiltered = 'TRUE'
        Write-Verbose "'$objDN' has no AAD Hybrid Join Certificates (cloudFiltered=TRUE)."
    }

    # Save results
    $r = "" | Select-Object ObjectDN, ObjectGUID, TotalEntriesCount, CertsCount, ValidCertsCount, HybridJoinCertsCount, CloudFiltered
    $r.ObjectDN = $objDN
    $r.ObjectGUID = $objectGuid
    $r.TotalEntriesCount = $totalEntriesCount
    $r.CertsCount = $validEntriesCount
    $r.ValidCertsCount = $validCertsCount
    $r.HybridJoinCertsCount = $hybridJoinCertsCount
    $r.CloudFiltered = $cloudFiltered
    $results += $r
}

# Export results to CSV
Try
{
    $results | Export-Csv $Filename -NoTypeInformation -Delimiter ';'
    Write-Host "Exported Hybrid Azure AD Domain Join Certificate Report to '$Filename'.`n"
}
Catch
{
    Throw "There was an error saving the file '$Filename': $($_.Exception.Message)"
}
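The report above flags CloudFiltered per computer, but the devices that actually disappear from Azure AD with this update are the subset that a pre-1.4 build synced (at least one non-expired certificate) and that 1.4 now filters (no hybrid Azure AD join certificate). The following triage of the report's ';'-delimited CSV is an added example, not part of the original article or of the Microsoft script; the CSV rows and the function name Get-HybridJoinReportTriage are constructed for illustration.

```powershell
# Constructed sample report in the exact column layout written by
# Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1 (Export-Csv -Delimiter ';').
$sampleReport = @'
"ObjectDN";"ObjectGUID";"TotalEntriesCount";"CertsCount";"ValidCertsCount";"HybridJoinCertsCount";"CloudFiltered"
"CN=PC01,OU=SYNC,DC=Fabrikam,DC=com";"11111111-1111-1111-1111-111111111111";"1";"1";"1";"1";"FALSE"
"CN=PC02,OU=SYNC,DC=Fabrikam,DC=com";"22222222-2222-2222-2222-222222222222";"2";"2";"2";"0";"TRUE"
"CN=PC03,OU=SYNC,DC=Fabrikam,DC=com";"33333333-3333-3333-3333-333333333333";"1";"1";"0";"0";"TRUE"
'@

function Get-HybridJoinReportTriage {
    # Hypothetical helper (not from the Microsoft script): classifies report rows.
    param([Parameter(Mandatory)][object[]] $Rows)

    # Import-Csv/ConvertFrom-Csv yield strings for every column; normalise types first.
    $typed = $Rows | ForEach-Object {
        [pscustomobject]@{
            ObjectDN             = $_.ObjectDN
            ValidCertsCount      = [int] $_.ValidCertsCount
            HybridJoinCertsCount = [int] $_.HybridJoinCertsCount
            CloudFiltered        = ($_.CloudFiltered -eq 'TRUE')
        }
    }
    [pscustomobject]@{
        # Kept: has a valid hybrid Azure AD join certificate, so the device stays in Azure AD.
        Kept          = @($typed | Where-Object { -not $_.CloudFiltered })
        # WillBeDeleted: a valid certificate let pre-1.4 builds sync it, but none is a
        # hybrid join certificate, so 1.4 cloud-filters it and deletes the Azure AD device.
        WillBeDeleted = @($typed | Where-Object { $_.CloudFiltered -and $_.ValidCertsCount -gt 0 })
        # NoValidCert: no non-expired certificate; nothing was synced as a device unless its
        # certificate expired after an earlier sync, in which case it is also removed.
        NoValidCert   = @($typed | Where-Object { $_.CloudFiltered -and $_.ValidCertsCount -eq 0 })
    }
}

# For a real report, replace ConvertFrom-Csv on the sample with:
#   Import-Csv -Path .\<report>.csv -Delimiter ';'
$triage = Get-HybridJoinReportTriage -Rows ($sampleReport | ConvertFrom-Csv -Delimiter ';')
'Kept: {0}  Will be deleted: {1}  No valid certificate: {2}' -f `
    $triage.Kept.Count, $triage.WillBeDeleted.Count, $triage.NoValidCert.Count
# Devices in WillBeDeleted are the ones to revisit against the hybrid Azure AD join plan.
$triage.WillBeDeleted | Select-Object ObjectDN, ValidCertsCount, HybridJoinCertsCount | Format-Table -AutoSize
```

With the sample rows, PC01 is kept, PC02 is the device this update deletes, and PC03 had no valid certificate to begin with.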
Next steps
Contact us for help
If you have questions or need help, create a support request or ask Azure community support. You can also submit product feedback to Azure community support.