
Supported account types

This article explains which account types (sometimes called audiences) are supported in applications.

Supported account types in Microsoft identity platform applications

In the Microsoft Azure public cloud, most types of apps can sign in users with any audience:

  • If you're writing a Line of Business (LOB) application, you can sign in users in your own organization. Such an application is sometimes named single tenant.

  • If you're an ISV, you can write an application that signs in users:

    • In any organization. Such an application is named a multi-tenant web application. You'll sometimes read that it signs in users with their work or school accounts.
    • With their work or school or personal Microsoft account.
    • With only a personal Microsoft account.

      Note

      Currently, the Microsoft identity platform supports signing in only personal Microsoft accounts by registering the app for work or school or personal Microsoft accounts, and then restricting sign-in in the application's code by specifying an Azure AD authority, such as https://login.microsoftonline.com/consumers, when building the application.

  • If you're writing a business-to-consumer application, you can also sign in users with their social identities, using Azure AD B2C.

Certain authentication flows don't support all the account types

Some account types can't be used with certain authentication flows. For instance, in desktop, UWP, or daemon applications:

  • Daemon applications can only be used with Azure Active Directory organizations. It doesn't make sense to attempt to use daemon applications to manipulate Microsoft personal accounts (the admin consent will never be granted).
  • You can only use the Integrated Windows Authentication flow with work or school accounts (in your organization or any organization). Indeed, Integrated Windows Authentication works with domain accounts, and requires the machines to be domain joined or Azure AD joined. This flow doesn't make sense for personal Microsoft accounts.
  • The Resource Owner Password Grant (username/password) can't be used with personal Microsoft accounts. Indeed, personal Microsoft accounts require that the user consents to accessing personal resources at each sign-in session. That's why this behavior isn't compatible with non-interactive flows.
  • Device code flow doesn't yet work with personal Microsoft accounts.

Supported account types in national clouds

Apps can also sign in users in national clouds. However, Microsoft personal accounts aren't supported in these clouds (by definition of these clouds). That's why the supported account types are reduced, for these clouds, to your organization (single tenant) or any organization (multi-tenant applications).
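
The restrictions in the two sections above can be checked before deployment. The following is an added example, not code from the original page or from Microsoft: it reads the audience from an authority URL and reports flow or cloud combinations the article rules out. The flow labels, function names and the `national_cloud` parameter are assumptions made for this example, and the `common` and `organizations` path segments are platform values that the article itself does not show.

```python
from urllib.parse import urlsplit

# Flows the article lists as unusable with personal Microsoft accounts.
# The keys are labels chosen for this example, not platform identifiers.
NO_PERSONAL_ACCOUNTS = {
    "daemon": "daemon apps only work with Azure AD organizations",
    "integrated_windows_auth": "needs domain joined or Azure AD joined machines",
    "username_password": "personal accounts require consent at each sign-in session",
    "device_code": "not yet available for personal accounts",
}

def account_types(authority):
    """Return the set of account types that an authority URL admits."""
    parts = urlsplit(authority)
    segments = [s for s in parts.path.split("/") if s]
    if parts.scheme != "https" or not parts.netloc or not segments:
        raise ValueError(f"not a valid authority URL: {authority!r}")
    tenant = segments[0].lower()
    if tenant == "consumers":
        return {"personal"}
    if tenant == "common":
        return {"work_or_school", "personal"}
    # "organizations", or a specific tenant ID or domain
    return {"work_or_school"}

def check(authority, flow, national_cloud=False):
    """Return a list of problems; an empty list means the combination is allowed."""
    problems = []
    if "personal" in account_types(authority):
        if flow in NO_PERSONAL_ACCOUNTS:
            problems.append(f"{flow}: {NO_PERSONAL_ACCOUNTS[flow]}")
        if national_cloud:
            problems.append("national clouds do not support personal accounts")
    return problems

if __name__ == "__main__":
    # Constructed sample configurations: (authority, flow, national_cloud)
    samples = [
        ("https://login.microsoftonline.com/consumers", "device_code", False),
        ("https://login.microsoftonline.com/organizations", "device_code", False),
        ("https://login.microsoftonline.com/common", "daemon", True),
    ]
    for authority, flow, national in samples:
        print(authority, flow, check(authority, flow, national) or "ok")
```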
