您现在访问的是微软AZURE全球版技术文档网站,若需要访问由世纪互联运营的MICROSOFT AZURE中国区技术文档网站,请访问 https://docs.azure.cn.

Azure Active Directory 许可框架Azure Active Directory consent framework

使用 Azure Active Directory (Azure AD) 许可框架可以轻松开发多租户 Web 应用程序和本机客户端应用程序。The Azure Active Directory (Azure AD) consent framework makes it easy to develop multi-tenant web and native client applications. 这些应用程序允许用户帐户从与应用程序所注册到的租户不同的 Azure AD 租户登录。These applications allow sign-in by user accounts from an Azure AD tenant that's different from the one where the application is registered. 这些帐户除了需要访问你自己的 Web API 以外,可能还需要访问 Microsoft Graph API 等 Web API(以访问 Azure AD、Intune,以及 Office 365 中的服务)和其他 Microsoft 服务 API。They may also need to access web APIs such as the Microsoft Graph API (to access Azure AD, Intune, and services in Office 365) and other Microsoft services' APIs, in addition to your own web APIs.

该框架基于某个用户或管理员,该用户或管理员允许某个应用程序在其目录中注册,这可能涉及到访问目录数据。The framework is based on a user or an administrator giving consent to an application that asks to be registered in their directory, which may involve accessing directory data. 例如,如果某个 Web 客户端应用程序需要从 Office 365 中读取关于用户的日历信息,则该用户首先需要许可该客户端应用程序。For example, if a web client application needs to read calendar information about the user from Office 365, that user is required to consent to the client application first. 同意后,该客户端应用程序能够代表该用户调用 Microsoft Graph API,并根据需要使用日历信息。After consent is given, the client application will be able to call the Microsoft Graph API on behalf of the user, and use the calendar information as needed. Microsoft Graph API 可用来访问 Office 365 中的数据(例如来自 Exchange 的日历和邮件、来自 SharePoint 的站点和列表、来自 OneDrive 的文档、来自 OneNote 的笔记本、来自 Planner 的任务以及来自 Excel 的工作簿)、Azure AD 中的用户和组以及更多 Microsoft 云服务中的其他数据对象。The Microsoft Graph API provides access to data in Office 365 (like calendars and messages from Exchange, sites and lists from SharePoint, documents from OneDrive, notebooks from OneNote, tasks from Planner, and workbooks from Excel), as well as users and groups from Azure AD and other data objects from more Microsoft cloud services.

同意框架使用公共或机密客户端,建立在 OAuth 2.0 及其各种流程的基础之上,例如,代码授权和客户端凭据授权。The consent framework is built on OAuth 2.0 and its various flows, such as authorization code grant and client credentials grant, using public or confidential clients. 通过使用 OAuth 2.0,Azure AD 可生成多种不同类型的客户端应用程序(例如手机、平板电脑、服务器上的客户端应用程序或 Web 应用程序),并获取对所需资源的访问权限。By using OAuth 2.0, Azure AD makes it possible to build many different types of client applications--such as on a phone, tablet, server, or a web application--and gain access to the required resources.

有关将许可框架与 OAuth2.0 授权配合使用的详细信息,请参阅使用 OAuth 2.0 和 Azure AD 授权访问 Web 应用程序Azure AD 的身份验证方案For more info about using the consent framework with OAuth2.0 authorization grants, see Authorize access to web applications using OAuth 2.0 and Azure AD and Authentication scenarios for Azure AD. 有关通过 Microsoft Graph 获取 Office 365 的授权访问权限的信息,请参阅使用 Microsoft Graph 进行应用身份验证For info about getting authorized access to Office 365 through Microsoft Graph, see App authentication with Microsoft Graph.

以下步骤说明应用程序开发人员和用户如何使用同意体验。The following steps show you how the consent experience works for both the application developer and the user.

  1. 假设某个 Web 客户端应用程序需要请求资源/API 的特定访问权限。Assume you have a web client application that needs to request specific permissions to access a resource/API. 下一部分将介绍如何执行此配置,但实质上,配置时需使用 Azure 门户来声明权限请求。You'll learn how to do this configuration in the next section, but essentially the Azure portal is used to declare permission requests at configuration time. 这些配置与其他配置设置一样,将会成为应用程序的 Azure AD 注册的一部分:Like other configuration settings, they become part of the application's Azure AD registration:

    针对其他应用程序的权限

  2. 考虑已更新应用程序的权限,该应用程序正在运行,并且某个用户即将首次使用该应用程序。Consider that your application’s permissions have been updated, the application is running, and a user is about to use it for the first time. 首先,应用程序需要从 Azure AD 的 /authorize 终结点获取授权代码。First, the application needs to obtain an authorization code from Azure AD’s /authorize endpoint. 然后,可以使用该授权代码获取新的访问令牌和刷新令牌。The authorization code can then be used to acquire a new access and refresh token.

  3. 如果用户尚未经过身份验证,Azure AD 的 /authorize 终结点会提示用户登录。If the user is not already authenticated, Azure AD's /authorize endpoint prompts the user to sign in.

    用户或管理员登录到 Azure AD

  4. 用户登录后,Azure AD 将决定是否要向该用户显示同意页。After the user has signed in, Azure AD will determine if the user needs to be shown a consent page. 此决定基于该用户(或其组织的管理员)是否已授予应用程序许可。This determination is based on whether the user (or their organization’s administrator) has already granted the application consent. 如果尚未授予许可,Azure AD 会提示用户授予许可,并显示运行该应用程序所需的权限。If consent has not already been granted, Azure AD prompts the user for consent and displays the required permissions it needs to function. 许可对话框中显示的权限集与在 Azure 门户中的“委托权限” 中选择的权限集相匹配。The set of permissions that are displayed in the consent dialog match the ones selected in the Delegated permissions in the Azure portal.

    显示同意对话框中显示的权限的示例

  5. 用户授予许可后,授权代码会返回到应用程序,应用程序可凭此获取访问令牌和刷新令牌。After the user grants consent, an authorization code is returned to your application, which is redeemed to acquire an access token and refresh token. 有关此流程的详细信息,请参阅 Web API 应用类型For more information about this flow, see Web API app type.

  6. 作为管理员,还可以代表租户中的所有用户同意应用程序的委派权限。As an administrator, you can also consent to an application's delegated permissions on behalf of all the users in your tenant. 管理许可可防止针对租户中的每个用户显示许可对话框,可通过具有管理员角色的用户在 Azure 门户中执行。Administrative consent prevents the consent dialog from appearing for every user in the tenant, and can be done in the Azure portal by users with the administrator role. 若要了解哪些管理员角色可以同意委托的权限,请参阅 Azure AD 中的管理员角色权限To learn which administrator roles can consent to delegated permissions, see Administrator role permissions in Azure AD.

    同意应用的委托权限To consent to an app's delegated permissions

    1. 转到API 权限应用程序页Go to the API permissions page for your application

    2. 单击授予管理员同意按钮。Click on the Grant admin consent button.

      授予显式管理许可权限

    重要

    使用 ADAL.js 的单页应用程序 (SPA) 目前要求使用“授予权限”按钮授予显式许可 。Granting explicit consent using the Grant permissions button is currently required for single-page applications (SPA) that use ADAL.js. 否则,在请求访问令牌时应用程序会失败。Otherwise, the application fails when the access token is requested.

后续步骤Next steps