
Set up an Azure Digital Twins instance and authentication (scripted)

This article covers the steps to set up a new Azure Digital Twins instance, including creating the instance and setting up authentication. After completing this article, you will have an Azure Digital Twins instance ready to start programming against.

This version of this article completes these steps by running an automated deployment script sample that streamlines the process. To view the manual steps that the script runs through behind the scenes, see the manual version of this article: How-to: Set up an instance and authentication (manual).

Note

These operations are intended to be completed by a user with an Owner role on the Azure subscription. Although some pieces can be completed without this elevated permission, an Owner's cooperation will be required to completely set up a usable instance. View more information on this in the Prerequisites: Permission requirements section below.

Full setup for a new Azure Digital Twins instance consists of three parts:

  1. Creating the instance
  2. Setting up your user's access permissions: Your Azure user needs to have the Azure Digital Twins Owner (Preview) role on the instance in order to perform management activities. In this step, you will either assign yourself this role (if you are an Owner in the Azure subscription), or get an Owner on your subscription to assign it to you.
  3. Setting up access permissions for client applications: It is common to write a client application that you use to interact with your instance. In order for that client app to access your Azure Digital Twins, you need to set up an app registration in Azure Active Directory that the client application will use to authenticate to the instance.

To proceed, you will need an Azure subscription. You can set one up for free here.

Use Azure Cloud Shell

Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. You can use either Bash or PowerShell with Cloud Shell to work with Azure services. You can use the Cloud Shell preinstalled commands to run the code in this article without having to install anything on your local environment.

To start Azure Cloud Shell:

Option | Example/Link
Select Try It in the upper-right corner of a code block. Selecting Try It doesn't automatically copy the code to Cloud Shell. | Example of Try It for Azure Cloud Shell
Go to https://shell.azure.com, or select the Launch Cloud Shell button to open Cloud Shell in your browser. | Launch Cloud Shell in a new window
Select the Cloud Shell button on the menu bar at the upper right in the Azure portal. | Cloud Shell button in the Azure portal

To run the code in this article in Azure Cloud Shell:

  1. Start Cloud Shell.

  2. Select the Copy button on a code block to copy the code.

  3. Paste the code into the Cloud Shell session by selecting Ctrl+Shift+V on Windows and Linux or by selecting Cmd+Shift+V on macOS.

  4. Select Enter to run the code.

Prerequisites: Permission requirements

To be able to complete all the steps in this article, you need to be classified as an Owner in your Azure subscription.

You can check your permission level by running this command in Cloud Shell:

az role assignment list --assignee <your-Azure-email>

If you are an Owner, the roleDefinitionName value in the output is Owner:

Cloud Shell window showing output of the az role assignment list command

If you find that the value is Contributor or something other than Owner, you can proceed in one of the following ways:

  • Contact your subscription Owner and request that the Owner complete the steps in this article on your behalf.
  • Contact either your subscription Owner or someone with the User Access Admin role on the subscription, and request that they elevate you to Owner on the subscription so that you will have the permissions to proceed yourself. Whether this is appropriate depends on your organization and your role within it.
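
The permission check above can also be run over the command's JSON output, reading the scope field alongside roleDefinitionName so that an Owner assignment on a narrower scope is not mistaken for Owner on the subscription. This is an added example, not part of the Azure Digital Twins samples; the subscription ID, principal name and resource group name are constructed placeholders.

```python
import json

# Constructed sample of the JSON printed by
# `az role assignment list --assignee <your-Azure-email>`; all values are placeholders.
SUB_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_OUTPUT = json.dumps([
    {"principalName": "user@example.com", "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB_ID}"},
    {"principalName": "user@example.com", "roleDefinitionName": "Owner",
     "scope": f"/subscriptions/{SUB_ID}/resourceGroups/adt-rg"},
])


def scope_level(scope, subscription_id):
    """Classify an assignment scope relative to one subscription (IDs are case-insensitive)."""
    parts = [p.lower() for p in scope.strip("/").split("/") if p]
    if parts[:2] != ["subscriptions", subscription_id.lower()]:
        return "other"  # root, management group or another subscription: not evaluated here
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "resource group"
    return "resource"


def check_owner(cli_json, subscription_id):
    """Return (is_subscription_owner, role names grouped by scope level)."""
    roles = {}
    for assignment in json.loads(cli_json):
        level = scope_level(assignment["scope"], subscription_id)
        roles.setdefault(level, set()).add(assignment["roleDefinitionName"])
    return "Owner" in roles.get("subscription", set()), roles


def next_step(cli_json, subscription_id):
    """Map the result onto the two outcomes the article describes."""
    is_owner, _ = check_owner(cli_json, subscription_id)
    if is_owner:
        return "proceed"
    return "contact a subscription Owner or User Access Admin"


if __name__ == "__main__":
    print(check_owner(SAMPLE_OUTPUT, SUB_ID))
    print(next_step(SAMPLE_OUTPUT, SUB_ID))
```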

Run the deployment script

This article uses an Azure Digital Twins code sample to deploy an Azure Digital Twins instance and the required authentication semi-automatically. It can also be used as a starting point for writing your own scripted interactions.

The sample script is written in PowerShell. It is part of the Azure Digital Twins samples, which you can download to your machine by navigating to that sample link and selecting the Download ZIP button underneath the title.

In the downloaded sample folder, the deployment script is located at Azure_Digital_Twins_samples.zip > scripts > deploy.ps1.

Here are the steps to run the deployment script in Cloud Shell.

  1. Go to an Azure Cloud Shell window in your browser. Sign in using this command:

    az login
    

    If the CLI can open your default browser, it will do so and load an Azure sign-in page. Otherwise, open a browser page at https://aka.ms/devicelogin and enter the authorization code displayed in your terminal.

  2. After signing in, look to the Cloud Shell window icon bar. Select the "Upload/Download files" icon and choose "Upload".

    Cloud Shell window showing selection of the Upload option

    Navigate to the deploy.ps1 file on your machine and select "Open." This will upload the file to Cloud Shell so that you can run it in the Cloud Shell window.

  3. Run the script by sending the ./deploy.ps1 command in the Cloud Shell window. As the script runs through the automated setup steps, you will be asked to pass in the following values:

    • For the instance: the subscription ID of your Azure subscription to use
    • For the instance: a location where you'd like to deploy the instance. To see what regions support Azure Digital Twins, visit Azure products available by region.
    • For the instance: a resource group name. You can use an existing resource group, or enter a new name of one to create.
    • For the instance: a name for your Azure Digital Twins instance. The name of the new instance must be unique within the region for your subscription (meaning that if your subscription has another Azure Digital Twins instance in the region that's already using the name you choose, you'll be asked to pick a different name).
    • For the app registration: an Azure AD application display name to associate with the registration. This app registration is where you configure access permissions to the Azure Digital Twins APIs. Later, the client app will authenticate against the app registration, and as a result be granted the configured access permissions to the APIs.
    • For the app registration: an Azure AD application reply URL for the Azure AD application. You can use http://localhost.

The script will create an Azure Digital Twins instance, assign your Azure user the Azure Digital Twins Owner (Preview) role on the instance, and set up an Azure AD app registration for your client app to use.

Here is an excerpt of the output log from the script:

Cloud Shell window showing log of input and output through the run of the deploy script

If the script completes successfully, the final printout will say Deployment completed successfully. Otherwise, address the error message, and re-run the script. It will bypass the steps that you've already completed and start requesting input again at the point where you left off.

Upon script completion, you now have an Azure Digital Twins instance ready to go and permissions set up to manage it.

Collect important values

There are two important values from the app registration that will be needed later to authenticate a client app against the Azure Digital Twins APIs.

To find them, follow this link to navigate to the Azure AD app registration overview page in the Azure portal. This page shows all the app registrations that have been created in your subscription.

You should see the app registration you just created in this list. Select it to open up its details:

Portal view of the important values for the app registration

Take note of the Application (client) ID and Directory (tenant) ID shown on your page. If you are not the person who will be writing code for client applications, you'll need to share these values with the person who will be.

Verify success

If you would like to verify the creation of your resources and permissions set up by the script, you can look at them in the Azure portal.

Verify instance

To verify that your instance was created, go to the Azure Digital Twins page in the Azure portal. This page lists all your Azure Digital Twins instances. Look for the name of your newly created instance in the list.

Verify user role assignment

One way to check that you've successfully set up the role assignment is to view the role assignments for the Azure Digital Twins instance in the Azure portal. From your portal page of Azure Digital Twins instances, select the name of the instance you want to check. Then, view all of its assigned roles under Access control (IAM) > Role assignments. The user should show up in the list with a role of Azure Digital Twins Owner (Preview).

View of the role assignments for an Azure Digital Twins instance in the Azure portal

Verify app registration

To check whether the permissions have been configured correctly, follow this link to navigate to the Azure AD app registration overview page in the Azure portal. This page shows all the app registrations that have been created in your subscription.

You should see the app registration you just created in the overview list. Select it to open up its details.

First, verify that the Azure Digital Twins permissions settings were properly set on the registration. To do this, select Manifest from the menu bar to view the app registration's manifest code. Scroll to the bottom of the code window and look for these fields under requiredResourceAccess. The values should match those in the screenshot below:

Portal view of the manifest for the Azure AD app registration

Next, select API permissions from the menu bar to verify that this app registration contains Read/Write permissions for Azure Digital Twins. You should see an entry like this:

Portal view of the API permissions for the Azure AD app registration, showing Read/Write access for Azure Digital Twins

Other possible steps for your organization

It's possible that your organization requires additional actions from subscription Owners to successfully set up an app registration (and, consequently, to finish setting up a usable Azure Digital Twins instance). The steps required may vary depending on your organization's specific settings.

Here are some common potential activities that an Owner may need to perform. These and other operations can be performed from the Azure AD App registrations page in the Azure portal.

  • Grant admin consent for the app registration. Your organization may have Admin Consent Required globally turned on in Azure AD for all app registrations within your subscription. If so, the Owner will need to select this button for your company on the app registration's API permissions page for the app registration to be valid:

    Portal view of the "Grant admin consent" button under API permissions

    • If consent was granted successfully, the entry for Azure Digital Twins should show a Status value of Granted for (your company).

      Portal view of the admin consent granted for the company under API permissions

  • Activate public client access

  • Set specific reply URLs for web and desktop access

  • Allow for implicit OAuth2 authentication flows

For more information about app registration and its different options, see Register an application with the Microsoft identity platform.

You now have an Azure Digital Twins instance ready to go, have assigned permissions to manage it, and have set up permissions for a client app to access it.

Next steps

See how to connect your client application to your instance by writing the client app's authentication code:
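
The manifest check from "Verify app registration" and the optional settings listed above can be reviewed together from a saved copy of the manifest, so that what the registration requests and allows can be compared with what your organization intended. This is an added example, not code from the article or the samples; it assumes the Azure AD manifest field names requiredResourceAccess, oauth2AllowImplicitFlow, allowPublicClient and replyUrlsWithType, and both GUIDs are constructed placeholders rather than the real Azure Digital Twins IDs.

```python
import json
from urllib.parse import urlparse

# Constructed manifest excerpt; the GUIDs are placeholders, not real Azure IDs.
ADT_RESOURCE_APP_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_MANIFEST = json.dumps({
    "allowPublicClient": True,
    "oauth2AllowImplicitFlow": True,
    "replyUrlsWithType": [{"url": "http://localhost", "type": "Web"}],
    "requiredResourceAccess": [
        {"resourceAppId": ADT_RESOURCE_APP_ID,
         "resourceAccess": [{"id": "22222222-2222-2222-2222-222222222222",
                             "type": "Scope"}]},
    ],
})


def review_manifest(manifest_json, expected_resource_app_id):
    """Return findings for the manifest settings this article touches."""
    manifest = json.loads(manifest_json)
    findings = []
    # Index requested permissions by resource; app IDs compare case-insensitively.
    resources = {r["resourceAppId"].lower(): r
                 for r in manifest.get("requiredResourceAccess", [])}
    expected = resources.pop(expected_resource_app_id.lower(), None)
    if expected is None or not expected.get("resourceAccess"):
        findings.append("missing: no permission entry for the expected resource")
    for extra in sorted(resources):
        findings.append(f"review: permissions requested on other resource {extra}")
    if manifest.get("oauth2AllowImplicitFlow"):
        findings.append("review: implicit OAuth2 flow is enabled")
    if manifest.get("allowPublicClient"):
        findings.append("review: public client access is enabled")
    for reply in manifest.get("replyUrlsWithType", []):
        url = urlparse(reply.get("url", ""))
        # Compare the parsed hostname so that localhost.example.com is not accepted.
        local = url.scheme == "http" and url.hostname == "localhost"
        if url.scheme != "https" and not local:
            findings.append(f"review: reply URL is neither HTTPS nor localhost: {reply.get('url')}")
    return findings


if __name__ == "__main__":
    for finding in review_manifest(SAMPLE_MANIFEST, ADT_RESOURCE_APP_ID):
        print(finding)
```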