
Use portal to create an Azure Active Directory application and service principal that can access resources

When you have an application that needs to access or modify resources, you must set up an Azure Active Directory (AD) application and assign the required permissions to it. This approach is preferable to running the app under your own credentials because:

  • You can assign permissions to the app identity that are different from your own permissions. Typically, these permissions are restricted to exactly what the app needs to do.
  • You do not have to change the app's credentials if your responsibilities change.
  • You can use a certificate to automate authentication when executing an unattended script.

This article shows you how to perform those steps through the portal. It focuses on a single-tenant application, where the application is intended to run within only one organization. You typically use single-tenant applications for line-of-business applications that run within your organization.

Required permissions

To complete this article, you must have sufficient permissions to register an application with your Azure AD tenant, and to assign the application to a role in your Azure subscription. Let's make sure you have the right permissions to perform those steps.

Check Azure Active Directory permissions

  1. Log in to your Azure account through the Azure portal.

  2. Select Azure Active Directory.

    (screenshot: select Azure Active Directory)

  3. In Azure Active Directory, select User settings.

    (screenshot: select User settings)

  4. Check the App registrations setting. If it is set to Yes, non-admin users can register AD apps, which means any user in the Azure AD tenant can register an app. You can proceed to Check Azure subscription permissions.

    (screenshot: view App registrations)

  5. If the App registrations setting is set to No, only admin users can register apps. Check whether your account is an admin for the Azure AD tenant. Select Overview, and then Find a user from Quick tasks.

    (screenshot: find a user)

  6. Search for your account, and select it when you find it.

    (screenshot: search for user)

  7. For your account, select Directory role.

    (screenshot: Directory role)

  8. View your assigned directory role in Azure AD. If your account is assigned to the User role, but the App registrations setting (from the preceding steps) is limited to admin users, ask your administrator either to assign you to an administrator role or to enable users to register apps.

    (screenshot: view role)

Check Azure subscription permissions

In your Azure subscription, your account must have Microsoft.Authorization/*/Write access to assign an AD app to a role. This action is granted through the Owner role or the User Access Administrator role. If your account is assigned to the Contributor role, you do not have adequate permission: you receive an error when attempting to assign the service principal to a role.

To check your subscription permissions:

  1. If you are not already looking at your Azure AD account from the preceding steps, select Azure Active Directory from the left pane.

  2. Find your Azure AD account. Select Overview, and then Find a user from Quick tasks.

    (screenshot: find a user)

  3. Search for your account, and select it when you find it.

    (screenshot: search for user)

  4. Select Azure resources.

    (screenshot: select resources)

  5. View your assigned roles, and determine whether you have adequate permissions to assign an AD app to a role. If not, ask your subscription administrator to add you to the User Access Administrator role. In the following image, the user is assigned to the Owner role for two subscriptions, which means that user has adequate permissions.

    (screenshot: show permissions)

Create an Azure Active Directory application

  1. Log in to your Azure account through the Azure portal.
  2. Select Azure Active Directory.

    (screenshot: select Azure Active Directory)

  3. Select App registrations.

    (screenshot: select App registrations)

  4. Select New application registration.

    (screenshot: add app)

  5. Provide a name and URL for the application. Select Web app / API for the type of application you want to create. You cannot create credentials for a Native application; therefore, that type does not work for an automated application. After setting the values, select Create.

    (screenshot: name application)

You have created your application.

Get application ID and authentication key

When programmatically logging in, you need the ID for your application and an authentication key. To get those values, use the following steps:

  1. From App registrations in Azure Active Directory, select your application.

    (screenshot: select application)

  2. Copy the Application ID and store it in your application code. Some sample applications refer to this value as the client ID.

    (screenshot: client ID)

  3. To generate an authentication key, select Keys.

    (screenshot: select Keys)

  4. Provide a description of the key, and a duration for the key. When done, select Save.

    (screenshot: save key)

    After saving the key, the value of the key is displayed. Copy this value, because you are not able to retrieve the key later. You provide the key value together with the application ID to log in as the application. Store the key value where your application can retrieve it.

    (screenshot: saved key)

Get tenant ID

When programmatically logging in, you need to pass the tenant ID with your authentication request.

  1. Select Azure Active Directory.

    (screenshot: select Azure Active Directory)

  2. To get the tenant ID, select Properties for your Azure AD tenant.

    (screenshot: select Azure AD properties)

  3. Copy the Directory ID. This value is your tenant ID.

    (screenshot: tenant ID)

Assign application to role

To access resources in your subscription, you must assign the application to a role. Decide which role represents the right permissions for the application. To learn about the available roles, see RBAC: Built in Roles.

You can set the scope at the level of the subscription, resource group, or resource. Permissions are inherited by lower levels of scope. For example, adding an application to the Reader role for a resource group means it can read the resource group and any resources it contains.
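Scope inheritance and action wildcards are easier to reason about with a small model. The following Python is an added example, not Azure's own authorization engine or this article's code: it models a role definition as a list of permitted action patterns minus a list of NotActions, an assignment as (principal, role, scope), and checks whether a principal may perform an action on a resource ID, treating a scope as covering every resource ID beneath it. It also shows why the Contributor role in the "Check Azure subscription permissions" section cannot assign roles. The role definitions are a simplified snapshot of the built-in Owner, Contributor, Reader and User Access Administrator roles (the real definitions carry more NotActions and DataActions, and deny assignments are ignored); the subscription, resource-group, resource and principal IDs are constructed placeholders.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, Tuple


@dataclass(frozen=True)
class RoleDefinition:
    """A role is a list of permitted action patterns minus a list of NotActions."""
    name: str
    actions: Tuple[str, ...]
    not_actions: Tuple[str, ...] = ()


@dataclass(frozen=True)
class RoleAssignment:
    """Binds a principal (user or service principal) to a role at one scope."""
    principal_id: str
    role: RoleDefinition
    scope: str  # e.g. "/subscriptions/<sub>/resourceGroups/<rg>"


# Simplified snapshot of four built-in roles (assumption: illustrative, not the full current definitions).
OWNER = RoleDefinition("Owner", actions=("*",))
CONTRIBUTOR = RoleDefinition(
    "Contributor",
    actions=("*",),
    # These NotActions are why Contributor cannot assign roles: a role assignment is a Microsoft.Authorization write.
    not_actions=("Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"),
)
READER = RoleDefinition("Reader", actions=("*/read",))
USER_ACCESS_ADMIN = RoleDefinition(
    "User Access Administrator", actions=("*/read", "Microsoft.Authorization/*", "Microsoft.Support/*")
)

ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"


def action_matches(pattern: str, action: str) -> bool:
    """Action strings are case-insensitive and '*' spans '/' segments, so a plain glob match fits."""
    return fnmatchcase(action.lower(), pattern.lower())


def role_permits(role: RoleDefinition, action: str) -> bool:
    """An action is permitted when some Actions pattern matches and no NotActions pattern does."""
    allowed = any(action_matches(p, action) for p in role.actions)
    denied = any(action_matches(p, action) for p in role.not_actions)
    return allowed and not denied


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """Permissions are inherited downward: a scope covers itself and every resource ID beneath it.

    The comparison is made at a path-segment boundary so that ".../resourceGroups/rg1"
    does not accidentally cover ".../resourceGroups/rg10".
    """
    scope = assignment_scope.lower().rstrip("/")
    target = resource_id.lower().rstrip("/")
    return target == scope or target.startswith(scope + "/")


def is_permitted(assignments: Iterable[RoleAssignment], principal_id: str, action: str, resource_id: str) -> bool:
    """True if any assignment for the principal covers the resource and its role permits the action."""
    return any(
        a.principal_id == principal_id and scope_covers(a.scope, resource_id) and role_permits(a.role, action)
        for a in assignments
    )


# Constructed sample data: placeholder IDs, not real Azure identifiers.
SUB = "/subscriptions/SUB-PLACEHOLDER"
RG1 = SUB + "/resourceGroups/rg1"
RG10 = SUB + "/resourceGroups/rg10"
STORAGE_IN_RG1 = RG1 + "/providers/Microsoft.Storage/storageAccounts/acct1"
STORAGE_IN_RG10 = RG10 + "/providers/Microsoft.Storage/storageAccounts/acct2"
READ_STORAGE = "Microsoft.Storage/storageAccounts/read"
WRITE_STORAGE = "Microsoft.Storage/storageAccounts/write"

ASSIGNMENTS = (
    RoleAssignment("app-reader", READER, RG1),      # the article's example: Reader on a resource group
    RoleAssignment("app-contrib", CONTRIBUTOR, SUB),
    RoleAssignment("admin-owner", OWNER, SUB),
)


def demo() -> dict:
    """Evaluate the cases the article describes; returned so a caller (or test) can check them."""
    return {
        "reader_reads_rg_resource": is_permitted(ASSIGNMENTS, "app-reader", READ_STORAGE, STORAGE_IN_RG1),
        "reader_cannot_write": is_permitted(ASSIGNMENTS, "app-reader", WRITE_STORAGE, STORAGE_IN_RG1),
        "reader_not_inherited_sideways": is_permitted(ASSIGNMENTS, "app-reader", READ_STORAGE, STORAGE_IN_RG10),
        "contributor_writes_resources": is_permitted(ASSIGNMENTS, "app-contrib", WRITE_STORAGE, STORAGE_IN_RG1),
        "contributor_cannot_assign_roles": is_permitted(ASSIGNMENTS, "app-contrib", ROLE_ASSIGNMENT_WRITE, RG1),
        "owner_can_assign_roles": is_permitted(ASSIGNMENTS, "admin-owner", ROLE_ASSIGNMENT_WRITE, RG1),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The segment-boundary check in scope_covers is the detail worth keeping in mind when you write your own tooling around role assignments: a naive string prefix test would treat an assignment on rg1 as covering rg10.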

  1. Navigate to the level of scope you wish to assign the application to. For example, to assign a role at the subscription scope, select Subscriptions. You could instead select a resource group or a resource.

    (screenshot: select Subscriptions)

  2. Select the particular subscription (resource group or resource) to assign the application to.

    (screenshot: select subscription for assignment)

  3. Select Access Control (IAM).

    (screenshot: select access)

  4. Select Add.

    (screenshot: select Add)

  5. Select the role you wish to assign to the application. The following image shows the Reader role.

    (screenshot: select role)

  6. Search for your application, and select it.

    (screenshot: search for app)

  7. Select Save to finish assigning the role. You see your application in the list of users assigned to a role for that scope.

Log in as the application

Your application is now set up in Azure Active Directory. You have an ID and a key to use for signing in as the application, and the application is assigned to a role that grants it the actions it can perform. For information about logging in as the application through different platforms, see:
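As an added example, not this article's code or any Azure SDK, here is the login itself in plain Python using only the standard library. It assumes the Azure AD v1 token endpoint https://login.microsoftonline.com/<tenant ID>/oauth2/token and the Resource Manager audience https://management.azure.com/, which is where the application ID, key and tenant ID gathered above are used; the key is read from environment variables (the AZURE_* names are an assumption) rather than written into the code, and the token response used below is constructed.

```python
import json
import os
import time
import urllib.parse
import urllib.request
from typing import Optional, Tuple

AUTHORITY = "https://login.microsoftonline.com"   # Azure AD v1 endpoint (assumption: matches this article's era)
ARM_RESOURCE = "https://management.azure.com/"    # audience for Azure Resource Manager calls


def build_token_request(tenant_id: str, client_id: str, client_secret: str,
                        resource: str = ARM_RESOURCE) -> Tuple[str, bytes]:
    """Return the token endpoint URL and the form-encoded body for the client_credentials grant.

    tenant_id is the Directory ID, client_id the Application ID and client_secret the key value
    copied from the portal. urlencode escapes the '/', '+' and '=' characters that portal-generated
    keys often contain; sending the key unescaped is a common cause of invalid_client errors.
    """
    url = f"{AUTHORITY}/{tenant_id}/oauth2/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }
    return url, urllib.parse.urlencode(form).encode("ascii")


def parse_token_response(body: bytes) -> Tuple[str, int]:
    """Extract the bearer token and its absolute expiry (Unix seconds) from the JSON reply."""
    data = json.loads(body)
    if "error" in data:
        # Surface the server's reason (e.g. invalid_client, unauthorized_client) instead of a KeyError.
        raise RuntimeError(f"token request failed: {data['error']}: {data.get('error_description', '')}")
    return data["access_token"], int(data["expires_on"])


def needs_refresh(expires_on: int, now: Optional[float] = None, skew: int = 300) -> bool:
    """Refresh a few minutes early so a request does not fail with an expired token mid-flight."""
    current = time.time() if now is None else now
    return current >= expires_on - skew


def acquire_token(tenant_id: str, client_id: str, client_secret: str) -> Tuple[str, int]:
    """Perform the network call (not exercised offline)."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return parse_token_response(resp.read())


def arm_request(token: str, path: str, api_version: str) -> urllib.request.Request:
    """Build a Resource Manager GET carrying the token, e.g. path='/subscriptions', api_version='2016-06-01'."""
    url = f"{ARM_RESOURCE.rstrip('/')}{path}?api-version={api_version}"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


# Constructed sample reply in the shape the v1 endpoint returns; the token value is a placeholder.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "token_type": "Bearer",
    "expires_in": "3599",
    "expires_on": "1700000000",
    "resource": ARM_RESOURCE,
    "access_token": "TOKEN-PLACEHOLDER",
}).encode()


if __name__ == "__main__":
    # Read the values gathered in the portal from the environment; never hard-code the key.
    tenant = os.environ["AZURE_TENANT_ID"]
    client = os.environ["AZURE_CLIENT_ID"]
    secret = os.environ["AZURE_CLIENT_SECRET"]
    token, expires_on = acquire_token(tenant, client, secret)
    with urllib.request.urlopen(arm_request(token, "/subscriptions", "2016-06-01")) as resp:
        print(resp.read().decode())
```

Whatever the application receives back from Resource Manager is bounded by the role assigned in the previous section: if the subscriptions list comes back empty, the usual cause is that the role assignment was made at a scope the call does not touch, not a login failure.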

Next steps