Manage Azure registration

Applies to Azure Stack HCI v20H2

Once you've created an Azure Stack HCI cluster, you must register the cluster with Azure Arc. Once the cluster is registered, it periodically syncs information between the on-premises cluster and the cloud. This topic explains how to understand your registration status, grant Azure Active Directory permissions, and unregister your cluster when you're ready to decommission it.

Understanding registration status

To understand registration status, use the Get-AzureStackHCI PowerShell cmdlet and the ClusterStatus, RegistrationStatus, and ConnectionStatus properties. For example, after installing the Azure Stack HCI operating system, before creating or joining a cluster, the ClusterStatus property shows "not yet" status:

Azure registration status before cluster creation

Once the cluster is created, only RegistrationStatus shows "not yet" status:

Azure registration status after cluster creation

Azure Stack HCI needs to register within 30 days of installation per the Azure Online Services Terms. If not clustered after 30 days, the ClusterStatus will show OutOfPolicy, and if not registered after 30 days, the RegistrationStatus will show OutOfPolicy.

Once the cluster is registered, you can see the ConnectionStatus and LastConnected time, which is usually within the last day unless the cluster is temporarily disconnected from the Internet. An Azure Stack HCI cluster can operate fully offline for up to 30 consecutive days.

Azure registration status after registration

If that maximum period is exceeded, the ConnectionStatus will show OutOfPolicy.
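As an added check (not code from the original page), the following PowerShell wraps Get-AzureStackHCI and reports the OutOfPolicy states and stale LastConnected times described above. The property names are the ones the page names; the function name and the "healthy" summary object are my own.

```powershell
# Added example: summarize Get-AzureStackHCI output and flag the policy states the page describes.
# Assumes the Az.StackHCI module is installed and you are running on a cluster node.
function Test-AzStackHCIRegistrationHealth {
    $status   = Get-AzureStackHCI
    $findings = @()

    # Each of the three status properties flips to OutOfPolicy when its 30-day window is exceeded.
    foreach ($prop in 'ClusterStatus', 'RegistrationStatus', 'ConnectionStatus') {
        if ($status.$prop -eq 'OutOfPolicy') {
            $findings += "$prop is OutOfPolicy: the 30-day limit for this state has been exceeded."
        }
    }

    # A registered cluster normally syncs at least daily; a gap approaching 30 days is a risk.
    if ($status.LastConnected) {
        $age = (Get-Date) - [datetime]$status.LastConnected
        if ($age.TotalDays -gt 1) {
            $findings += ("LastConnected was {0:N1} days ago (expected within the last day); " +
                          "offline operation is limited to 30 consecutive days.") -f $age.TotalDays
        }
    }

    [pscustomobject]@{
        ClusterStatus      = $status.ClusterStatus
        RegistrationStatus = $status.RegistrationStatus
        ConnectionStatus   = $status.ConnectionStatus
        LastConnected      = $status.LastConnected
        Healthy            = ($findings.Count -eq 0)
        Findings           = $findings
    }
}

Test-AzStackHCIRegistrationHealth | Format-List
```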

Azure Active Directory app permissions

In addition to creating an Azure resource in your subscription, registering Azure Stack HCI creates an app identity, conceptually similar to a user, in your Azure Active Directory tenant. The app identity inherits the cluster name. This identity acts on behalf of the Azure Stack HCI cloud service, as appropriate, within your subscription.

If the user who runs Register-AzureStackHCI is an Azure Active Directory administrator or has been delegated sufficient permissions, this all happens automatically, and no additional action is required. If not, approval may be needed from your Azure Active Directory administrator to complete registration. Your administrator can either explicitly grant consent to the app, or they can delegate permissions so that you can grant consent to the app:

Azure Active Directory permissions and identities diagram

To grant consent, open portal.azure.com and sign in with an Azure account that has sufficient permissions on the Azure Active Directory. Navigate to Azure Active Directory, then App registrations. Select the app identity named after your cluster and navigate to API permissions.

For the General Availability (GA) release of Azure Stack HCI, the app requires the following permissions, which are different than the app permissions required in Public Preview:

https://azurestackhci-usage.trafficmanager.net/AzureStackHCI.Cluster.Read

https://azurestackhci-usage.trafficmanager.net/AzureStackHCI.Cluster.ReadWrite

https://azurestackhci-usage.trafficmanager.net/AzureStackHCI.ClusterNode.Read

https://azurestackhci-usage.trafficmanager.net/AzureStackHCI.ClusterNode.ReadWrite

For Public Preview, the app permissions were (these are now deprecated):

https://azurestackhci-usage.trafficmanager.net/AzureStackHCI.Census.Sync

https://azurestackhci-usage.trafficmanager.net/AzureStackHCI.Billing.Sync

Seeking approval from your Azure Active Directory administrator could take some time, so the Register-AzureStackHCI cmdlet will exit and leave the registration in status "pending admin consent," i.e. partially completed. Once consent has been granted, simply re-run Register-AzureStackHCI to complete registration.

Azure Active Directory user permissions

The user who runs Register-AzStackHCI needs Azure AD permissions to:

  • Create/Get/Set/Remove Azure AD applications (New/Get/Set/Remove-AzureADApplication)
  • Create/Get Azure AD service principals (New/Get-AzureADServicePrincipal)
  • Manage AD application secrets (New/Get/Remove-AzureADApplicationKeyCredential)
  • Grant consent to use specific application permissions (New/Get/Remove-AzureADServiceAppRoleAssignment)

There are three ways in which this can be accomplished.

Option 1: Allow any user to register applications

In Azure Active Directory, navigate to User settings > App registrations. Under Users can register applications, select Yes.

This will allow any user to register applications. However, the user will still require the Azure AD admin to grant consent during cluster registration. Note that this is a tenant-level setting, so it may not be suitable for large enterprise customers.

Option 2: Assign Cloud Application Administration role

Assign the built-in "Cloud Application Administration" Azure AD role to the user. This will allow the user to register clusters without the need for additional AD admin consent.

Option 3: Create a custom AD role with a custom consent policy

The most restrictive option is to create a custom AD role with a custom consent policy that delegates tenant-wide admin consent for the required permissions to the Azure Stack HCI service. When assigned this custom role, users are able to both register and grant consent without the need for additional AD admin consent.

Note

This option requires an Azure AD Premium license and uses custom AD roles and custom consent policy features, which are currently in public preview.

  1. Connect to Azure AD:

    Connect-AzureAD
    
  2. Create a custom consent policy:

    New-AzureADMSPermissionGrantPolicy -Id "AzSHCI-registration-consent-policy" -DisplayName "Azure Stack HCI registration admin app consent policy" -Description "Azure Stack HCI registration admin app consent policy"
    
  3. Add a condition that includes the required app permissions for the Azure Stack HCI service, which carries the app ID 1322e676-dee7-41ee-a874-ac923822781c. Note that the following permissions are for the GA release of Azure Stack HCI, and will not work with Public Preview unless you have applied the November 23, 2020 Preview Update (KB4586852) to every server in your cluster and have downloaded the Az.StackHCI module version 0.4.1 or later.

    New-AzureADMSPermissionGrantConditionSet -PolicyId "AzSHCI-registration-consent-policy" -ConditionSetType "includes" -PermissionType "application" -ResourceApplication "1322e676-dee7-41ee-a874-ac923822781c" -Permissions "bbe8afc9-f3ba-4955-bb5f-1cfb6960b242","8fa5445e-80fb-4c71-a3b1-9a16a81a1966","493bd689-9082-40db-a506-11f40b68128f","2344a320-6a09-4530-bed7-c90485b5e5e2"
    
  4. Grant permissions to allow registering Azure Stack HCI, noting the custom consent policy created in Step 2:

    $displayName = "Azure Stack HCI Registration Administrator "
    $description = "Custom AD role to allow registering Azure Stack HCI "
    $templateId = (New-Guid).Guid
    $allowedResourceAction =
    @(
           "microsoft.directory/applications/createAsOwner",
           "microsoft.directory/applications/delete",
           "microsoft.directory/applications/standard/read",
           "microsoft.directory/applications/credentials/update",
           "microsoft.directory/applications/permissions/update",
           "microsoft.directory/servicePrincipals/appRoleAssignedTo/update",
           "microsoft.directory/servicePrincipals/appRoleAssignedTo/read",
           "microsoft.directory/servicePrincipals/appRoleAssignments/read",
           "microsoft.directory/servicePrincipals/createAsOwner",
           "microsoft.directory/servicePrincipals/credentials/update",
           "microsoft.directory/servicePrincipals/permissions/update",
           "microsoft.directory/servicePrincipals/standard/read",
           "microsoft.directory/servicePrincipals/managePermissionGrantsForAll.AzSHCI-registration-consent-policy"
    )
    $rolePermissions = @{'allowedResourceActions'= $allowedResourceAction}
    
  5. Create the new custom AD role:

    $customADRole = New-AzureADMSRoleDefinition -RolePermissions $rolePermissions -DisplayName $displayName -Description $description -TemplateId $templateId -IsEnabled $true
    
  6. Assign the new custom AD role to the user who will register the Azure Stack HCI cluster with Azure by following these instructions.
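As an added verification step for the procedure above (not code from the original page), this PowerShell checks that the consent policy from steps 2 and 3 delegates consent only for the Azure Stack HCI service's four permissions, that the role from steps 4 and 5 references only that policy in its managePermissionGrantsForAll action, and then performs the step 6 assignment. The policy Id, role name and permission IDs are taken from the steps above; $userUpn is a placeholder.

```powershell
# Added example: verify the least-privilege shape of the custom consent policy and role, then assign it.
# Assumes the same AzureAD session used in steps 1-5 (Connect-AzureAD already run).
$policyId    = "AzSHCI-registration-consent-policy"
$roleName    = "Azure Stack HCI Registration Administrator "   # trailing space as in step 4
$hciAppId    = "1322e676-dee7-41ee-a874-ac923822781c"
$requiredIds = "bbe8afc9-f3ba-4955-bb5f-1cfb6960b242", "8fa5445e-80fb-4c71-a3b1-9a16a81a1966",
               "493bd689-9082-40db-a506-11f40b68128f", "2344a320-6a09-4530-bed7-c90485b5e5e2"
$userUpn     = "hci-registrar@contoso.example"   # placeholder: the user who will run Register-AzStackHCI

# 1. The "includes" condition set must cover all four HCI permissions and no other resource app.
$include      = Get-AzureADMSPermissionGrantConditionSet -PolicyId $policyId -ConditionSetType "includes"
$grantedToHci = $include | Where-Object { $_.ResourceApplication -eq $hciAppId }
$missing      = $requiredIds | Where-Object { $grantedToHci.Permissions -notcontains $_ }
if ($missing) { throw "Consent policy '$policyId' is missing permission(s): $($missing -join ', ')" }
$otherApps    = $include | Where-Object { $_.ResourceApplication -ne $hciAppId }
if ($otherApps) { throw "Consent policy '$policyId' also delegates consent for other resource apps" }

# 2. The custom role must delegate consent only through this policy, not tenant-wide for all apps.
$role = Get-AzureADMSRoleDefinition | Where-Object { $_.DisplayName.Trim() -eq $roleName.Trim() }
if (-not $role) { throw "Custom role '$roleName' not found" }
$actions  = $role.RolePermissions.AllowedResourceActions
$expected = "microsoft.directory/servicePrincipals/managePermissionGrantsForAll.$policyId"
if ($actions -notcontains $expected) { throw "Role is missing '$expected'" }
$broad = $actions | Where-Object { $_ -like '*managePermissionGrantsFor*' -and $_ -ne $expected }
if ($broad) { throw "Role delegates consent beyond the HCI policy: $($broad -join ', ')" }

# 3. Step 6: assign the role to the registering user at tenant ("/") scope.
$user = Get-AzureADUser -ObjectId $userUpn
New-AzureADMSRoleAssignment -RoleDefinitionId $role.Id -PrincipalId $user.ObjectId -DirectoryScopeId "/"
```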

Unregister Azure Stack HCI with Azure

When you're ready to decommission your Azure Stack HCI cluster, use the Unregister-AzStackHCI cmdlet to unregister. This stops all monitoring, support, and billing functionality through Azure Arc. The Azure resource representing the cluster and the Azure Active Directory app identity are deleted, but the resource group is not, because it may contain other unrelated resources.

If running the Unregister-AzStackHCI cmdlet on a cluster node, use this syntax and specify your Azure subscription ID as well as the resource name of the Azure Stack HCI cluster you wish to unregister:

Unregister-AzStackHCI -SubscriptionId "e569b8af-6ecc-47fd-a7d5-2ac7f23d8bfe" -ResourceName HCI001

You'll be prompted to visit microsoft.com/devicelogin on another device (like your PC or phone), enter the code, and sign in there to authenticate with Azure.

If running the cmdlet from a management PC, you'll also need to specify the name of a server in the cluster:

Unregister-AzStackHCI -ComputerName ClusterNode1 -SubscriptionId "e569b8af-6ecc-47fd-a7d5-2ac7f23d8bfe" -ResourceName HCI001

An interactive Azure login window will pop up. The exact prompts you see will vary depending on your security settings (e.g. two-factor authentication). Follow the prompts to log in.

Next steps

For related information, see also: