
Authenticate Batch Management solutions with Active Directory

Applications that call the Azure Batch Management service authenticate with Azure Active Directory (Azure AD). Azure AD is Microsoft's multi-tenant, cloud-based directory and identity management service. Azure itself uses Azure AD to authenticate its customers, service administrators, and organizational users.

The Batch Management .NET library exposes types for working with Batch accounts, account keys, applications, and application packages. The Batch Management .NET library is an Azure resource provider client and is used together with Azure Resource Manager to manage these resources programmatically. Azure AD is required to authenticate requests made through any Azure resource provider client, including the Batch Management .NET library, and through Azure Resource Manager.

In this article, we explore using Azure AD to authenticate from applications that use the Batch Management .NET library. We show how to use Azure AD to authenticate a subscription administrator or co-administrator using integrated authentication. We use the AccountManagement sample project, available on GitHub, to walk through using Azure AD with the Batch Management .NET library.

To learn more about using the Batch Management .NET library and the AccountManagement sample, see Manage Batch accounts and quotas with the Batch Management client library for .NET.

Register your application with Azure AD

The Azure Active Directory Authentication Library (ADAL) provides a programmatic interface to Azure AD for use within your applications. To call ADAL from your application, you must register your application in an Azure AD tenant. When you register your application, you supply Azure AD with information about your application, including a name for it within the Azure AD tenant. Azure AD then provides an application ID that you use to associate your application with Azure AD at runtime. To learn more about the application ID, see Application and service principal objects in Azure Active Directory.

To register the AccountManagement sample application, follow the steps in the Adding an Application section of Integrating applications with Azure Active Directory. Specify Native Client Application as the type of application. The industry-standard OAuth 2.0 URI for the Redirect URI is urn:ietf:wg:oauth:2.0:oob. However, you can specify any valid URI (such as http://myaccountmanagementsample) for the Redirect URI, as it does not need to be a real endpoint.

[Figure: Adding an application]

Once you complete the registration process, you'll see the application ID and the object (service principal) ID listed for your application.

[Figure: Completed registration]

Grant the Azure Resource Manager API access to your application

Next, you'll need to delegate access to your application to the Azure Resource Manager API. The Azure AD identifier for the Resource Manager API is Windows Azure Service Management API.

Follow these steps in the Azure portal:

  1. In the left-hand navigation pane of the Azure portal, choose All services, click App Registrations, and click Add.

  2. Search for the name of your application in the list of app registrations:

    [Figure: Searching for the application name]

  3. Display the Settings blade. In the API Access section, select Required permissions.

  4. Click Add to add a new required permission.

  5. In step 1, enter Windows Azure Service Management API, select that API from the list of results, and click the Select button.

  6. In step 2, select the check box next to Access Azure classic deployment model as organization users, and click the Select button.

  7. Click the Done button.

The Required Permissions blade now shows that your application has been granted permissions to both the ADAL and Resource Manager APIs. Permissions are granted to ADAL by default when you first register your app with Azure AD.

[Figure: Delegating permissions to the Azure Resource Manager API]

Azure AD endpoints

To authenticate your Batch Management solutions with Azure AD, you'll need two well-known endpoints.

  • The Azure AD common endpoint provides a generic credential-gathering interface when a specific tenant is not provided, as in the case of integrated authentication:

    https://login.microsoftonline.com/common

  • The Azure Resource Manager endpoint is used to acquire a token for authenticating requests to the Batch management service:

    https://management.core.windows.net/

The AccountManagement sample application defines constants for these endpoints. Leave these constants unchanged:

// Azure Active Directory "common" endpoint.
private const string AuthorityUri = "https://login.microsoftonline.com/common";
// Azure Resource Manager endpoint
private const string ResourceUri = "https://management.core.windows.net/";

Reference your application ID

Your client application uses the application ID (also referred to as the client ID) to access Azure AD at runtime. Once you've registered your application in the Azure portal, update your code to use the application ID that Azure AD provided for your registered application. In the AccountManagement sample application, copy your application ID from the Azure portal into the appropriate constant:

// Specify the unique identifier (the "Client ID") for your application. This is required so that your
// native client application (i.e. this sample) can access the Microsoft Graph API. For information
// about registering an application in Azure Active Directory, please see "Register an application with the Microsoft identity platform" here:
// https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app
private const string ClientId = "<application-id>";

Also copy the redirect URI that you specified during the registration process. The redirect URI specified in your code must match the redirect URI that you provided when you registered the application.

// The URI to which Azure AD will redirect in response to an OAuth 2.0 request. This value is
// specified by you when you register an application with AAD (see ClientId comment). It does not
// need to be a real endpoint, but must be a valid URI (e.g. https://accountmgmtsampleapp).
private const string RedirectUri = "http://myaccountmanagementsample";

Acquire an Azure AD authentication token

After you register the AccountManagement sample in the Azure AD tenant and update the sample source code with your values, the sample is ready to authenticate using Azure AD. When you run the sample, ADAL attempts to acquire an authentication token. At this step, it prompts you for your Microsoft credentials:

// Obtain an access token using the "common" AAD resource. This allows the application
// to query AAD for information that lies outside the application's tenant (such as for
// querying subscription information in your Azure account).
AuthenticationContext authContext = new AuthenticationContext(AuthorityUri);
AuthenticationResult authResult = authContext.AcquireToken(ResourceUri,
                                                        ClientId,
                                                        new Uri(RedirectUri),
                                                        PromptBehavior.Auto);

After you provide your credentials, the sample application can proceed to issue authenticated requests to the Batch management service.
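The following is an added end-to-end example (not code from the AccountManagement sample itself) that ties the pieces above together: it validates the two registration values before calling ADAL, acquires the token exactly as the sample does, and then uses that token as a bearer credential for a first Batch Management .NET call. It assumes the ADAL 2.x API shown on this page (Microsoft.IdentityModel.Clients.ActiveDirectory), Microsoft.Rest.ClientRuntime and Microsoft.Azure.Management.Batch; the ClientId and SubscriptionId values are placeholders you replace with your own.

```csharp
using System;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.Rest;
using Microsoft.Azure.Management.Batch;

class BatchManagementAuthExample
{
    // Well-known endpoints from this article; leave these unchanged.
    private const string AuthorityUri = "https://login.microsoftonline.com/common";
    private const string ResourceUri  = "https://management.core.windows.net/";

    // Placeholders: values from your own app registration and subscription.
    private const string ClientId       = "<application-id>";
    private const string RedirectUri    = "http://myaccountmanagementsample";
    private const string SubscriptionId = "<subscription-id>";

    static void Main()
    {
        // Fail fast on the two configuration mistakes that otherwise surface as opaque
        // AADSTS errors at sign-in: an unfilled ClientId, or a RedirectUri that is not
        // a valid absolute URI (it must also match the URI given at registration).
        if (!Guid.TryParse(ClientId, out _))
            throw new InvalidOperationException("ClientId must be the application ID GUID from the portal.");
        if (!Uri.TryCreate(RedirectUri, UriKind.Absolute, out Uri redirect))
            throw new InvalidOperationException("RedirectUri must be an absolute URI.");

        // Interactive token acquisition against the "common" endpoint, as in the sample.
        var authContext = new AuthenticationContext(AuthorityUri);
        AuthenticationResult authResult = authContext.AcquireToken(
            ResourceUri, ClientId, redirect, PromptBehavior.Auto);

        // The access token is scoped to the Resource Manager audience and is short-lived;
        // it is not a Batch account key and should not be persisted or logged.
        Console.WriteLine($"Signed in as {authResult.UserInfo?.DisplayableId}, " +
                          $"token expires {authResult.ExpiresOn:u}");

        // Use the token as a bearer credential for the Batch Management client and make
        // a first authenticated request: list the Batch accounts this identity can see.
        var credentials = new TokenCredentials(authResult.AccessToken);
        using (var batchClient = new BatchManagementClient(credentials) { SubscriptionId = SubscriptionId })
        {
            foreach (var account in batchClient.BatchAccount.List())
                Console.WriteLine($"{account.Name} ({account.Location})");
        }
    }
}
```

If the listed accounts are empty or the call returns 403, the signed-in user lacks an Azure RBAC role on the subscription; the app registration grants the delegated API permission, but the user still needs reader or higher on the resources.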

Next steps