Manage Azure registration

Applies to Azure Stack HCI v20H2

Once you've created an Azure Stack HCI cluster, you must register the cluster with Azure Arc. Once the cluster is registered, it periodically syncs information between the on-premises cluster and the cloud. This topic explains how to understand your registration status, grant Azure Active Directory permissions, and unregister your cluster when you're ready to decommission it.

Understanding registration status

To understand registration status, use the Get-AzureStackHCI PowerShell cmdlet and the ClusterStatus, RegistrationStatus, and ConnectionStatus properties. For example, after installing the Azure Stack HCI operating system, before creating or joining a cluster, the ClusterStatus property shows "not yet" status:

(Screenshot: Azure registration status before creating a cluster)

Once the cluster is created, only RegistrationStatus shows "not yet" status:

(Screenshot: Azure registration status after creating a cluster)

Azure Stack HCI needs to register within 30 days of installation per the Azure Online Services Terms. If not clustered after 30 days, the ClusterStatus will show OutOfPolicy, and if not registered after 30 days, the RegistrationStatus will show OutOfPolicy.

Once the cluster is registered, you can see the ConnectionStatus and LastConnected time, which is usually within the last day unless the cluster is temporarily disconnected from the Internet. An Azure Stack HCI cluster can operate fully offline for up to 30 consecutive days.

(Screenshot: Azure registration status after registration)

If that maximum period is exceeded, the ConnectionStatus will show OutOfPolicy.
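The following script is an added example, not code from the Microsoft page, that turns the three properties described above into a repeatable policy check: it flags any property already showing OutOfPolicy and warns when LastConnected is older than the 30-day offline window (or older than the "usually within the last day" expectation). It assumes the AzureStackHCI module is present on the node it queries, that the status value is spelled exactly "OutOfPolicy", and that LastConnected is a parseable timestamp; the -ComputerName switch and the Invoke-Command remoting are the example's own additions.

```powershell
# Added example (not part of the Microsoft page): report Azure Stack HCI
# registration and connection state and flag policy problems early.
# Assumes Get-AzureStackHCI (AzureStackHCI module) is available on the target node.
param(
    [string]$ComputerName   = $env:COMPUTERNAME,  # a cluster node; local by default
    [int]   $MaxOfflineDays = 30                  # page: up to 30 consecutive days offline
)

# Run locally when possible; otherwise query the node through PowerShell remoting.
$hci = if ($ComputerName -eq $env:COMPUTERNAME) {
    Get-AzureStackHCI
} else {
    Invoke-Command -ComputerName $ComputerName -ScriptBlock { Get-AzureStackHCI }
}

$findings = @()

# Any of the three status properties can show OutOfPolicy (value as stated on the page).
foreach ($prop in 'ClusterStatus', 'RegistrationStatus', 'ConnectionStatus') {
    if ("$($hci.$prop)" -eq 'OutOfPolicy') {
        $findings += "$prop is OutOfPolicy"
    }
}

# LastConnected is only meaningful once the cluster is registered.
if ($hci.LastConnected) {
    $age = (Get-Date) - [datetime]$hci.LastConnected
    if ($age.TotalDays -gt $MaxOfflineDays) {
        $findings += ("Last cloud sync was {0:N0} days ago; the {1}-day offline limit is exceeded" -f
                      $age.TotalDays, $MaxOfflineDays)
    } elseif ($age.TotalDays -gt 1) {
        $findings += ("Last cloud sync was {0:N1} days ago; a healthy cluster syncs within a day" -f
                      $age.TotalDays)
    }
}

foreach ($f in $findings) { Write-Warning $f }

# Emit one object so the check can be collected from many clusters and filtered on Findings.
[pscustomobject]@{
    Computer           = $ComputerName
    ClusterStatus      = $hci.ClusterStatus
    RegistrationStatus = $hci.RegistrationStatus
    ConnectionStatus   = $hci.ConnectionStatus
    LastConnected      = $hci.LastConnected
    Findings           = $findings
}
```

Run it on a schedule from a management PC with -ComputerName for each cluster; an empty Findings array means the cluster is registered, connected, and within the 30-day windows the page describes.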

Azure Active Directory app permissions

In addition to creating an Azure resource in your subscription, registering Azure Stack HCI creates an app identity, conceptually similar to a user, in your Azure Active Directory tenant. The app identity inherits the cluster name. This identity acts on behalf of the Azure Stack HCI cloud service, as appropriate, within your subscription.

If the user who runs Register-AzureStackHCI is an Azure Active Directory administrator or has been delegated sufficient permissions, this all happens automatically, and no additional action is required. If not, approval may be needed from your Azure Active Directory administrator to complete registration. Your administrator can either explicitly grant consent to the app, or they can delegate permissions so that you can grant consent to the app:

(Diagram: Azure Active Directory permissions and identity)

To grant consent, open portal.azure.com and sign in with an Azure account that has sufficient permissions on the Azure Active Directory. Navigate to Azure Active Directory, then App registrations. Select the app identity named after your cluster and navigate to API permissions.

For the General Availability (GA) release of Azure Stack HCI, the app requires the following permissions, which are different than the app permissions required in Public Preview:

https://azurestackhci-usage.trafficmanager.net/AzureStackHCI.Cluster.Read

https://azurestackhci-usage.trafficmanager.net/AzureStackHCI.Cluster.ReadWrite

https://azurestackhci-usage.trafficmanager.net/AzureStackHCI.ClusterNode.Read

https://azurestackhci-usage.trafficmanager.net/AzureStackHCI.ClusterNode.ReadWrite

For Public Preview, the app permissions were (these are now deprecated):

https://azurestackhci-usage.trafficmanager.net/AzureStackHCI.Census.Sync

https://azurestackhci-usage.trafficmanager.net/AzureStackHCI.Billing.Sync

Seeking approval from your Azure Active Directory administrator could take some time, so the Register-AzureStackHCI cmdlet will exit and leave the registration in status "pending admin consent," i.e. partially completed. Once consent has been granted, simply re-run Register-AzureStackHCI to complete registration.
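Because the app identity named after the cluster acts on behalf of the Azure Stack HCI service inside your subscription, it is worth auditing what it has actually been granted rather than only what the portal blade shows. The script below is an added example, not from the Microsoft page, that resolves the cluster's app identity with the AzureAD module and compares its application-permission assignments on the Azure Stack HCI service against the four GA permissions, flagging anything missing, anything extra, and any of the deprecated Public Preview permissions. It assumes Connect-AzureAD has already been run, that the service app ID and the four GA app-role IDs are the ones given in this page's consent-policy step, and that the app role names on the service match the URL suffixes listed above (AzureStackHCI.Cluster.Read and so on).

```powershell
# Added example (not part of the Microsoft page): audit the app identity that
# Register-AzureStackHCI created for a cluster. Requires the AzureAD module and
# an existing Connect-AzureAD session with permission to read applications.
param(
    [Parameter(Mandatory)][string]$ClusterName   # the app identity inherits the cluster name
)

# Service app ID and GA app-role IDs as given on the page (consent-policy condition set).
$hciServiceAppId = "1322e676-dee7-41ee-a874-ac923822781c"
$expectedRoleIds = @(
    "bbe8afc9-f3ba-4955-bb5f-1cfb6960b242",
    "8fa5445e-80fb-4c71-a3b1-9a16a81a1966",
    "493bd689-9082-40db-a506-11f40b68128f",
    "2344a320-6a09-4530-bed7-c90485b5e5e2"
)
# Public Preview permissions the page marks as deprecated (role names assumed from the URLs).
$deprecatedRoleValues = @("AzureStackHCI.Census.Sync", "AzureStackHCI.Billing.Sync")

$app = Get-AzureADApplication -Filter "displayName eq '$ClusterName'"
if (-not $app) { throw "No app registration named '$ClusterName' was found." }

$clusterSp = Get-AzureADServicePrincipal -Filter "appId eq '$($app.AppId)'"
$hciSp     = Get-AzureADServicePrincipal -Filter "appId eq '$hciServiceAppId'"
if (-not $clusterSp -or -not $hciSp) { throw "Service principal lookup failed." }

# Map the service's app-role IDs to their names so findings are readable.
$roleNames = @{}
foreach ($role in $hciSp.AppRoles) { $roleNames[$role.Id] = $role.Value }

# Only assignments whose resource is the Azure Stack HCI service matter here;
# the assignment's Id is the app-role ID that was granted.
$granted    = Get-AzureADServiceAppRoleAssignment -ObjectId $clusterSp.ObjectId |
              Where-Object { $_.ResourceId -eq $hciSp.ObjectId }
$grantedIds = @($granted | ForEach-Object { $_.Id })

$missing = $expectedRoleIds | Where-Object { $_ -notin $grantedIds }
$extra   = $grantedIds      | Where-Object { $_ -notin $expectedRoleIds }

foreach ($id in $missing) {
    Write-Warning ("Missing GA permission {0} ({1}); registration will stay pending consent" -f
                   $roleNames[$id], $id)
}
foreach ($id in $extra) {
    $name = $roleNames[$id]
    if ($name -in $deprecatedRoleValues) {
        Write-Warning "Deprecated Public Preview permission still granted: $name"
    } else {
        Write-Warning "Permission outside the documented GA set: $name ($id)"
    }
}

[pscustomobject]@{
    Cluster   = $ClusterName
    AppId     = $app.AppId
    Granted   = @($grantedIds | ForEach-Object { $roleNames[$_] })
    Missing   = @($missing    | ForEach-Object { $roleNames[$_] })
    Extra     = @($extra      | ForEach-Object { $roleNames[$_] })
    Compliant = (-not $missing -and -not $extra)
}
```

A cluster whose registration stopped at "pending admin consent" shows up here with the four GA permissions under Missing; a cluster upgraded from Public Preview shows the Census.Sync and Billing.Sync roles under Extra until they are removed.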

Azure Active Directory user permissions

The user who runs Register-AzStackHCI needs Azure AD permissions to:

  • Create/Get/Set/Remove Azure AD applications (New/Get/Set/Remove-AzureADApplication)
  • Create/Get Azure AD service principals (New/Get-AzureADServicePrincipal)
  • Manage AD application secrets (New/Get/Remove-AzureADApplicationKeyCredential)
  • Grant consent to use specific application permissions (New/Get/Remove-AzureADServiceAppRoleAssignment)

There are three ways in which this can be accomplished.

Option 1: Allow any user to register applications

In Azure Active Directory, navigate to User settings > App registrations. Under Users can register applications, select Yes.

This will allow any user to register applications. However, the user will still require the Azure AD admin to grant consent during cluster registration. Note that this is a tenant level setting, so it may not be suitable for large enterprise customers.

Option 2: Assign Cloud Application Administration role

Assign the built-in "Cloud Application Administration" Azure AD role to the user. This will allow the user to register clusters without the need for additional AD admin consent.

Option 3: Create a custom AD role with a custom consent policy

The most restrictive option is to create a custom AD role with a custom consent policy that delegates tenant-wide admin consent for the permissions required by the Azure Stack HCI service. When assigned this custom role, users are able to both register and grant consent without the need for additional AD admin consent.

Note

This option requires an Azure AD Premium license and uses custom AD roles and custom consent policy features which are currently in public preview.

  1. Connect to Azure AD:

    Connect-AzureAD
    
  2. Create a custom consent policy:

    New-AzureADMSPermissionGrantPolicy -Id "AzSHCI-registration-consent-policy" -DisplayName "Azure Stack HCI registration admin app consent policy" -Description "Azure Stack HCI registration admin app consent policy"
    
  3. Add a condition that includes the required app permissions for the Azure Stack HCI service, which carries the app ID 1322e676-dee7-41ee-a874-ac923822781c. Note that the following permissions are for the GA release of Azure Stack HCI, and will not work with Public Preview unless you have applied the November 23, 2020 Preview Update (KB4586852) to every server in your cluster and have downloaded the Az.StackHCI module version 0.4.1 or later.

    New-AzureADMSPermissionGrantConditionSet -PolicyId "AzSHCI-registration-consent-policy" -ConditionSetType "includes" -PermissionType "application" -ResourceApplication "1322e676-dee7-41ee-a874-ac923822781c" -Permissions "bbe8afc9-f3ba-4955-bb5f-1cfb6960b242","8fa5445e-80fb-4c71-a3b1-9a16a81a1966","493bd689-9082-40db-a506-11f40b68128f","2344a320-6a09-4530-bed7-c90485b5e5e2"
    
  4. Define the permissions that allow registering Azure Stack HCI, referencing the custom consent policy created in Step 2 in the last action:

    $displayName = "Azure Stack HCI Registration Administrator"
    $description = "Custom AD role to allow registering Azure Stack HCI"
    $templateId = (New-Guid).Guid
    $allowedResourceAction =
    @(
           "microsoft.directory/applications/createAsOwner",
           "microsoft.directory/applications/delete",
           "microsoft.directory/applications/standard/read",
           "microsoft.directory/applications/credentials/update",
           "microsoft.directory/applications/permissions/update",
           "microsoft.directory/servicePrincipals/appRoleAssignedTo/update",
           "microsoft.directory/servicePrincipals/appRoleAssignedTo/read",
           "microsoft.directory/servicePrincipals/appRoleAssignments/read",
           "microsoft.directory/servicePrincipals/createAsOwner",
           "microsoft.directory/servicePrincipals/credentials/update",
           "microsoft.directory/servicePrincipals/permissions/update",
           "microsoft.directory/servicePrincipals/standard/read",
           "microsoft.directory/servicePrincipals/managePermissionGrantsForAll.AzSHCI-registration-consent-policy"
    )
    $rolePermissions = @{'allowedResourceActions'= $allowedResourceAction}
    
  5. Create the new custom AD role:

    $customADRole = New-AzureADMSRoleDefinition -RolePermissions $rolePermissions -DisplayName $displayName -Description $description -TemplateId $templateId -IsEnabled $true
    
  6. Assign the new custom AD role to the user who will register the Azure Stack HCI cluster with Azure by following these instructions.
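Delegated consent is only as narrow as the role that carries it, so after creating the role it pays to confirm that its allowed actions still match the documented list and to know who holds it. The script below is an added example, not from the Microsoft page, that looks up the custom role by display name, diffs its AllowedResourceActions against the list from Step 4, optionally performs the Step 6 assignment for one user with New-AzureADMSRoleAssignment at tenant scope, and then lists every current holder. It assumes the AzureAD module with an active Connect-AzureAD session, the role and policy names used on this page, and that a directory scope of "/" (the whole tenant) is the intended scope for the assignment; the -AssignToUpn parameter is the example's own.

```powershell
# Added example (not part of the Microsoft page): verify and assign the custom
# "Azure Stack HCI Registration Administrator" role created in the steps above.
# Requires the AzureAD module and an existing Connect-AzureAD session.
param(
    [string]$RoleDisplayName = "Azure Stack HCI Registration Administrator",
    [string]$AssignToUpn                      # optional: user who will run Register-AzStackHCI
)

# The exact action list from Step 4 on the page; anything beyond it widens the delegation.
$expectedActions = @(
    "microsoft.directory/applications/createAsOwner",
    "microsoft.directory/applications/delete",
    "microsoft.directory/applications/standard/read",
    "microsoft.directory/applications/credentials/update",
    "microsoft.directory/applications/permissions/update",
    "microsoft.directory/servicePrincipals/appRoleAssignedTo/update",
    "microsoft.directory/servicePrincipals/appRoleAssignedTo/read",
    "microsoft.directory/servicePrincipals/appRoleAssignments/read",
    "microsoft.directory/servicePrincipals/createAsOwner",
    "microsoft.directory/servicePrincipals/credentials/update",
    "microsoft.directory/servicePrincipals/permissions/update",
    "microsoft.directory/servicePrincipals/standard/read",
    "microsoft.directory/servicePrincipals/managePermissionGrantsForAll.AzSHCI-registration-consent-policy"
)

# Trim on comparison so a display name saved with a stray trailing space still matches.
$role = Get-AzureADMSRoleDefinition | Where-Object { $_.DisplayName.Trim() -eq $RoleDisplayName }
if (-not $role) { throw "Role '$RoleDisplayName' not found; create it first (Step 5)." }
if (@($role).Count -gt 1) { throw "More than one role definition is named '$RoleDisplayName'." }

# RolePermissions is a collection; flatten all AllowedResourceActions into one list.
$actualActions = @($role.RolePermissions | ForEach-Object { $_.AllowedResourceActions })

$unexpected = $actualActions   | Where-Object { $_ -notin $expectedActions }
$missing    = $expectedActions | Where-Object { $_ -notin $actualActions }
foreach ($a in $unexpected) { Write-Warning "Role grants an action beyond the documented set: $a" }
foreach ($a in $missing)    { Write-Warning "Role lacks a documented action: $a" }

# Step 6: assign the role to the registering user at tenant scope ("/").
if ($AssignToUpn) {
    $user = Get-AzureADUser -ObjectId $AssignToUpn     # -ObjectId accepts a UPN
    New-AzureADMSRoleAssignment -RoleDefinitionId $role.Id `
                                -PrincipalId $user.ObjectId `
                                -DirectoryScopeId "/" | Out-Null
    Write-Host "Assigned '$RoleDisplayName' to $AssignToUpn"
}

# Who holds the delegated-consent role right now? Review this list periodically.
Get-AzureADMSRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" | ForEach-Object {
    $principal = Get-AzureADObjectByObjectId -ObjectIds $_.PrincipalId
    [pscustomobject]@{
        Role      = $RoleDisplayName
        Principal = $principal.DisplayName
        Type      = $principal.ObjectType
        Scope     = $_.DirectoryScopeId
    }
}
```

Run without -AssignToUpn as a periodic audit; the warnings are the signal that someone has edited the role beyond what registration needs, and the holder list is what you review when an engineer leaves the team.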

Unregister Azure Stack HCI with Azure

When you're ready to decommission your Azure Stack HCI cluster, use the Unregister-AzStackHCI cmdlet to unregister. This stops all monitoring, support, and billing functionality through Azure Arc. The Azure resource representing the cluster and the Azure Active Directory app identity are deleted, but the resource group is not, because it may contain other unrelated resources.

If running the Unregister-AzStackHCI cmdlet on a cluster node, use this syntax and specify your Azure subscription ID as well as the resource name of the Azure Stack HCI cluster you wish to unregister:

Unregister-AzStackHCI -SubscriptionId "e569b8af-6ecc-47fd-a7d5-2ac7f23d8bfe" -ResourceName HCI001

You'll be prompted to visit microsoft.com/devicelogin on another device (like your PC or phone), enter the code, and sign in there to authenticate with Azure.

If running the cmdlet from a management PC, you'll also need to specify the name of a server in the cluster:

Unregister-AzStackHCI -ComputerName ClusterNode1 -SubscriptionId "e569b8af-6ecc-47fd-a7d5-2ac7f23d8bfe" -ResourceName HCI001

An interactive Azure login window will pop up. The exact prompts you see will vary depending on your security settings (e.g. two-factor authentication). Follow the prompts to log in.

Next steps

For related information, see also: