Use an app identity to access Azure Stack Hub resources

An application that needs to deploy or configure resources through Azure Resource Manager must be represented by its own identity. Just as a user is represented by a security principal called a user principal, an app is represented by a service principal. The service principal gives your app an identity of its own, so you can delegate to it only the permissions it actually needs.

As an example, you might have a configuration management app that uses Azure Resource Manager to inventory Azure resources. In that scenario you create a service principal, grant it the Reader role, and the app is thereby limited to read-only access.

Overview

Like a user, an app must present credentials during authentication. This authentication consists of two elements:

  • An Application ID, sometimes referred to as a Client ID: a GUID that uniquely identifies the app's registration in your Active Directory tenant.
  • A secret associated with the Application ID. You can either generate a client secret string (similar to a password) or register an X509 certificate. With a certificate, the directory holds only the public key; the private key stays with the app and is what it proves possession of at sign-in.

Running an app under its own identity is preferable to running it under a user's identity for the following reasons:

  • Stronger credentials: an app can sign in with an X509 certificate instead of a textual shared secret or password.
  • More restrictive permissions can be assigned to an app. Typically these are limited to exactly what the app needs to do, following the principle of least privilege.
  • An app's credentials and permissions don't change as often as a user's, which change, for example, when the user's responsibilities change, when password policy forces a rotation, or when the user leaves the company.

You start by creating a new app registration in your directory, which creates an associated service principal object to represent the app's identity within the directory.

This article first walks through creating and managing a service principal, which depends on the directory you chose for your Azure Stack Hub instance:

  • Azure Active Directory (Azure AD). Azure AD is a multi-tenant, cloud-based directory and identity management service. You can use Azure AD with a connected Azure Stack Hub instance.
  • Active Directory Federation Services (AD FS). AD FS provides simplified, secured identity federation and web single sign-on (SSO). You can use AD FS with both connected and disconnected Azure Stack Hub instances.

Then you learn how to assign the service principal to a role, limiting its access to resources.

Manage an Azure AD app identity

If you deployed Azure Stack Hub with Azure AD as your identity management service, you create service principals just as you do for Azure. This section shows the steps in the Azure portal. Check that you have the required Azure AD permissions before you begin.

Create a service principal that uses a client secret credential

In this section you register your app in the Azure portal, which creates the service principal object in your Azure AD tenant. The example specifies a client secret credential, but the portal also supports X509 certificate-based credentials.

  1. Sign in to the Azure portal using your Azure account.

  2. Select Azure Active Directory > App registrations > New registration.

  3. Provide a name for the app.

  4. Select the appropriate Supported account types.

  5. Under Redirect URI, select Web as the app type and, optionally, specify a redirect URI if your app requires one.

  6. After setting the values, select Register. The app registration is created and the Overview page is displayed.

  7. Copy the Application ID for use in your app code. This value is also referred to as the Client ID.

  8. To generate a client secret, open the Certificates & secrets page and select New client secret.

  9. Provide a description for the secret and an expiry duration.

  10. When done, select Add.

  11. The value of the secret is displayed. Copy it and store it somewhere safe now, because you can't retrieve it later. Your client app presents the secret together with the Application ID at sign-in.


Now proceed to Assign a role to learn how to establish role-based access control for the app's identity.

Manage an AD FS app identity

If you deployed Azure Stack Hub with AD FS as your identity management service, you must use PowerShell to manage your app's identity. The examples below manage service principal credentials with both an X509 certificate and a client secret.

The scripts must be run in an elevated ("Run as administrator") PowerShell console. They open a remote session to the VM that hosts the privileged endpoint of your Azure Stack Hub instance; once that session is established, the remaining cmdlets run there to create and manage the service principal. For more information about the privileged endpoint, see Using the privileged endpoint in Azure Stack Hub.

Create a service principal that uses a certificate credential

A certificate credential must meet the following requirements:

  • For production, the certificate must be issued by an internal Certificate Authority or a public Certificate Authority. If you use a public CA, it must be one whose root is included in the base operating system image through the Microsoft Trusted Root Certificate Program; the full list is at Microsoft Trusted Root Certificate Program: Participants. An example of creating a self-signed test certificate is shown later, under Update a certificate credential.
  • The cryptographic provider must be a Microsoft legacy Cryptographic Service Provider (CSP) key provider.
  • The certificate must be a PFX file, because both the public and private keys are required. Windows servers use .pfx files that contain the public key (the TLS/SSL certificate) and the associated private key.
  • Your Azure Stack Hub infrastructure must have network access to the Certificate Revocation List (CRL) location that the issuing CA publishes in the certificate. This CRL must be an HTTP endpoint.
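The following function is an added example, not part of the original article, that checks a certificate in the local store against the requirements listed above before you pass it to New-GraphApplication. It assumes it runs on Windows (the CRL extension is decoded through CryptoAPI) and that a legacy CSP key surfaces as RSACryptoServiceProvider while a CNG key surfaces as RSACng or is unreadable; the function name and the placeholder thumbprint are assumptions.

```powershell
# Added example: validate a certificate credential for an Azure Stack Hub service principal.
# Not from the original article; function name and sample path are assumptions.
function Test-SpCertificateCredential {
    [CmdletBinding()]
    param(
        # Store path such as "Cert:\CurrentUser\My\<Thumbprint>"
        [Parameter(Mandatory)]
        [string]$CertificateLocation
    )

    $cert = Get-Item -Path $CertificateLocation
    $problems = New-Object 'System.Collections.Generic.List[string]'

    # 1. PFX-style credential: the store entry must carry the private key, not just the .cer.
    if (-not $cert.HasPrivateKey) {
        $problems.Add('No private key is associated with the certificate; import the .pfx, not only the .cer.')
    }

    # 2. Legacy CSP key provider. A CSP-backed key is exposed as RSACryptoServiceProvider;
    #    a CNG-backed key is exposed as RSACng (PowerShell 7) or throws / is $null
    #    (Windows PowerShell 5.1). Both CNG outcomes are reported as failures.
    try   { $key = $cert.PrivateKey } catch { $key = $null }
    if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        Write-Verbose ("CSP provider: " + $key.CspKeyContainerInfo.ProviderName)
    } else {
        $problems.Add('Private key is not held by a legacy CSP provider (CNG key, or key not readable).')
    }

    # 3. Validity window.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems.Add("Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter)).")
    }

    # 4. CRL Distribution Points extension (OID 2.5.29.31) must advertise an HTTP URL.
    #    Self-signed test certificates usually have no CDP and fail here, which is the
    #    intended outcome for a production credential.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $crlUrls = @()
    if ($cdp) {
        $crlUrls = @([regex]::Matches($cdp.Format($false), 'URL=(http://[^\s,]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }
    if ($crlUrls.Count -eq 0) {
        $problems.Add('No HTTP CRL distribution point is published in the certificate.')
    }

    # 5. Self-signed certificates are acceptable only for testing.
    if ($cert.Subject -eq $cert.Issuer) {
        $problems.Add('Certificate is self-signed; production credentials must come from an internal or public CA.')
    }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        CrlUrls    = $crlUrls
        IsValid    = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Usage (the thumbprint is a placeholder):
# Test-SpCertificateCredential -CertificateLocation "Cert:\CurrentUser\My\<Thumbprint>" -Verbose
```

The function reports problems rather than stopping at the first one, so a single run tells you everything that has to change about the certificate. It checks only the certificate itself; whether the Azure Stack Hub infrastructure can actually reach the CrlUrls it returns is a network question you still have to confirm from inside the stamp.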

Once you have a certificate, use the PowerShell script below to register your app and create a service principal. The script also signs in to your Azure Stack Hub instance with the new service principal. Substitute your own values for the following placeholders:

Placeholders, with description and example:

  • <PepVM>: the name of the privileged endpoint VM on your Azure Stack Hub instance. Example: "AzS-ERCS01"
  • <YourCertificateLocation>: the location of your X509 certificate in the local certificate store. Example: "Cert:\CurrentUser\My\AB5A8A3533CC7AA2025BF05120117E06DE407B34"
  • <YourAppName>: a descriptive name for the new app registration. Example: "My management tool"

  1. Open an elevated Windows PowerShell session and run the following script.

    # Prompt for credentials that have access to the VM running the privileged endpoint (typically <domain>\cloudadmin)
    $Creds = Get-Credential
    
    # Create a PSSession to the privileged endpoint VM
    $Session = New-PSSession -ComputerName "<PepVM>" -ConfigurationName PrivilegedEndpoint -Credential $Creds
    
    # Use the Get-Item cmdlet to retrieve your certificate.
    # If you don't want to use a managed certificate, you can produce a self-signed cert for testing purposes: 
    # $Cert = New-SelfSignedCertificate -CertStoreLocation "cert:\CurrentUser\My" -Subject "CN=<YourAppName>" -KeySpec KeyExchange
    $Cert = Get-Item "<YourCertificateLocation>"
    
    # Use the privileged endpoint to create the new app registration (and service principal object)
    $SpObject = Invoke-Command -Session $Session -ScriptBlock {New-GraphApplication -Name "<YourAppName>" -ClientCertificates $using:Cert}
    $AzureStackInfo = Invoke-Command -Session $Session -ScriptBlock {Get-AzureStackStampInformation}
    $Session | Remove-PSSession
    
    # Using the stamp info for your Azure Stack Hub instance, populate the following variables:
    # - Az endpoint used for Azure Resource Manager operations 
    # - Audience for acquiring an OAuth token used to access Graph API 
    # - GUID of the directory tenant
    $ArmEndpoint = $AzureStackInfo.TenantExternalEndpoints.TenantResourceManager
    $GraphAudience = "https://graph." + $AzureStackInfo.ExternalDomainFQDN + "/"
    $TenantID = $AzureStackInfo.AADTenantID
    
    # Register and set an Az environment that targets your Azure Stack Hub instance
    Add-AzEnvironment -Name "AzureStackUser" -ArmEndpoint $ArmEndpoint
    
    # Sign in using the new service principal
    $SpSignin = Connect-AzAccount -Environment "AzureStackUser" `
    -ServicePrincipal `
    -CertificateThumbprint $SpObject.Thumbprint `
    -ApplicationId $SpObject.ClientId `
    -TenantId $TenantID
    
    # Output the service principal details
    $SpObject
    
    
  2. After the script finishes, it displays the app registration info, including the service principal's credentials. The ClientId and Thumbprint are what the service principal authenticates with; later you authorize that identity to access resources managed by Azure Resource Manager.

    ApplicationIdentifier : S-1-5-21-1512385356-3796245103-1243299919-1356
    ClientId              : 3c87e710-9f91-420b-b009-31fa9e430145
    Thumbprint            : 30202C11BE6864437B64CE36C8D988442082A0F1
    ApplicationName       : Azurestack-MyApp-c30febe7-1311-4fd8-9077-3d869db28342
    ClientSecret          :
    PSComputerName        : azs-ercs01
    RunspaceId            : a78c76bb-8cae-4db4-a45a-c1420613e01b
    

Keep your PowerShell console session open; you use it, together with the ApplicationIdentifier value, in the next section.

Update a certificate credential

Now that you have created a service principal, this section shows you how to:

  1. Create a new self-signed X509 certificate for testing.
  2. Update the service principal's credentials by updating its Thumbprint property to match the new certificate.

Update the certificate credential using PowerShell, substituting your own values for the following placeholders:

Placeholders, with description and example:

  • <PepVM>: the name of the privileged endpoint VM on your Azure Stack Hub instance. Example: "AzS-ERCS01"
  • <YourAppName>: a descriptive name for the new app registration. Example: "My management tool"
  • <YourCertificateLocation>: the location of your X509 certificate in the local certificate store. Example: "Cert:\CurrentUser\My\AB5A8A3533CC7AA2025BF05120117E06DE407B34"
  • <AppIdentifier>: the identifier assigned to the application registration. Example: "S-1-5-21-1512385356-3796245103-1243299919-1356"

  1. Using your elevated Windows PowerShell session, run the following cmdlets:

    # Create a PSSession to the PrivilegedEndpoint VM
    $Session = New-PSSession -ComputerName "<PepVM>" -ConfigurationName PrivilegedEndpoint -Credential $Creds
    
    # Create a self-signed certificate for testing purposes. 
    $NewCert = New-SelfSignedCertificate -CertStoreLocation "cert:\CurrentUser\My" -Subject "CN=<YourAppName>" -KeySpec KeyExchange
    # In production, use Get-Item and a managed certificate instead.
    # $Cert = Get-Item "<YourCertificateLocation>"
    
    # Use the privileged endpoint to update the certificate thumbprint, used by the service principal associated with <AppIdentifier>
    $SpObject = Invoke-Command -Session $Session -ScriptBlock {Set-GraphApplication -ApplicationIdentifier "<AppIdentifier>" -ClientCertificates $using:NewCert}
    $Session | Remove-PSSession
    
    # Output the updated service principal details
    $SpObject
    
  2. After the script finishes, it displays the updated app registration info, including the thumbprint of the new self-signed certificate.

    ApplicationIdentifier : S-1-5-21-1512385356-3796245103-1243299919-1356
    ClientId              : 
    Thumbprint            : AF22EE716909041055A01FE6C6F5C5CDE78948E9
    ApplicationName       : Azurestack-MyApp-c30febe7-1311-4fd8-9077-3d869db28342
    ClientSecret          : 
    PSComputerName        : azs-ercs01
    RunspaceId            : a580f894-8f9b-40ee-aa10-77d4d142b4e5
    

Create a service principal that uses client secret credentials

Warning

Using a client secret is less secure than using an X509 certificate credential. Not only is the authentication mechanism weaker (a bearer secret can be copied and replayed from anywhere), but it also typically ends up embedded in the client app's source code or configuration. For production apps, you are strongly encouraged to use a certificate credential.

Now you create another app registration, but this time with a client secret credential. Unlike a certificate credential, the directory can generate a client secret for you: instead of supplying one, you use the -GenerateClientSecret switch to request that it be generated. Substitute your own values for the following placeholders:

Placeholders, with description and example:

  • <PepVM>: the name of the privileged endpoint VM on your Azure Stack Hub instance. Example: "AzS-ERCS01"
  • <YourAppName>: a descriptive name for the new app registration. Example: "My management tool"

  1. Open an elevated Windows PowerShell session and run the following cmdlets:

    # Prompt for credentials that have access to the VM running the privileged endpoint (typically <domain>\cloudadmin)
    $Creds = Get-Credential
    
    # Create a PSSession to the Privileged Endpoint VM
    $Session = New-PSSession -ComputerName "<PepVM>" -ConfigurationName PrivilegedEndpoint -Credential $Creds
    
    # Use the privileged endpoint to create the new app registration (and service principal object)
    $SpObject = Invoke-Command -Session $Session -ScriptBlock {New-GraphApplication -Name "<YourAppName>" -GenerateClientSecret}
    $AzureStackInfo = Invoke-Command -Session $Session -ScriptBlock {Get-AzureStackStampInformation}
    $Session | Remove-PSSession
    
    # Using the stamp info for your Azure Stack Hub instance, populate the following variables:
    # - Az endpoint used for Azure Resource Manager operations 
    # - Audience for acquiring an OAuth token used to access Graph API 
    # - GUID of the directory tenant
    $ArmEndpoint = $AzureStackInfo.TenantExternalEndpoints.TenantResourceManager
    $GraphAudience = "https://graph." + $AzureStackInfo.ExternalDomainFQDN + "/"
    $TenantID = $AzureStackInfo.AADTenantID
    
    # Register and set an Az environment that targets your Azure Stack Hub instance
    Add-AzEnvironment -Name "AzureStackUser" -ArmEndpoint $ArmEndpoint
    
    # Sign in using the new service principal
    $securePassword = $SpObject.ClientSecret | ConvertTo-SecureString -AsPlainText -Force
    $credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $SpObject.ClientId, $securePassword
    $SpSignin = Connect-AzAccount -Environment "AzureStackUser" -ServicePrincipal -Credential $credential -TenantId $TenantID
    
    # Output the service principal details
    $SpObject
    
  2. After the script finishes, it displays the app registration info, including the service principal's credentials. The ClientId and ClientSecret are what the service principal authenticates with; later you authorize that identity to access resources managed by Azure Resource Manager. Note that the secret is printed in clear text here, so it also lands in any console transcript or host log you have enabled.

    ApplicationIdentifier : S-1-5-21-1634563105-1224503876-2692824315-2623
    ClientId              : 8e0ffd12-26c8-4178-a74b-f26bd28db601
    Thumbprint            : 
    ApplicationName       : Azurestack-YourApp-6967581b-497e-4f5a-87b5-0c8d01a9f146
    ClientSecret          : 6RUWLRoBw3EebBLgaWGiowCkoko5_j_ujIPjA8dS
    PSComputerName        : azs-ercs01
    RunspaceId            : 286daaa1-c9a6-4176-a1a8-03f543f90998
    

Keep your PowerShell console session open; you use it, together with the ApplicationIdentifier value, in the next section.

Update a client secret

Update the client secret credential using PowerShell with the -ResetClientSecret switch, which replaces the client secret immediately: the old secret stops working as soon as the cmdlet completes, so every consumer of it must be updated. Substitute your own values for the following placeholders:

Placeholders, with description and example:

  • <PepVM>: the name of the privileged endpoint VM on your Azure Stack Hub instance. Example: "AzS-ERCS01"
  • <AppIdentifier>: the identifier assigned to the application registration. Example: "S-1-5-21-1634563105-1224503876-2692824315-2623"

  1. Using your elevated Windows PowerShell session, run the following cmdlets:

    # Create a PSSession to the PrivilegedEndpoint VM
    $Session = New-PSSession -ComputerName "<PepVM>" -ConfigurationName PrivilegedEndpoint -Credential $Creds
    
    # Use the privileged endpoint to update the client secret, used by the service principal associated with <AppIdentifier>
    $SpObject = Invoke-Command -Session $Session -ScriptBlock {Set-GraphApplication -ApplicationIdentifier "<AppIdentifier>" -ResetClientSecret}
    $Session | Remove-PSSession
    
    # Output the updated service principal details
    $SpObject
    
  2. After the script finishes, it displays the updated app registration info, including the newly generated client secret.

    ApplicationIdentifier : S-1-5-21-1634563105-1224503876-2692824315-2623
    ClientId              : 8e0ffd12-26c8-4178-a74b-f26bd28db601
    Thumbprint            : 
    ApplicationName       : Azurestack-YourApp-6967581b-497e-4f5a-87b5-0c8d01a9f146
    ClientSecret          : MKUNzeL6PwmlhWdHB59c25WDDZlJ1A6IWzwgv_Kn
    PSComputerName        : azs-ercs01
    RunspaceId            : 6ed9f903-f1be-44e3-9fef-e7e0e3f48564
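
The warning above says a client secret typically ends up embedded in the app's source; the block below is an added example, not part of the original article, of avoiding that for the secret returned by New-GraphApplication -GenerateClientSecret, for the one returned by Set-GraphApplication -ResetClientSecret, and equally for a secret copied from the Azure portal in the Azure AD section. It stores the secret as a PSCredential with Export-Clixml, which on Windows protects the SecureString with DPAPI so only the same user on the same machine can decrypt it, and signs in from that file. The function names, the file path and the environment name are assumptions; $SpObject, $ArmEndpoint and $TenantID are the variables the scripts above already populate.

```powershell
# Added example: keep an Azure Stack Hub service principal secret out of scripts and source control.
# Not from the original article; function names, path and environment name are assumptions.
function Save-SpClientSecret {
    param(
        [Parameter(Mandatory)] $SpObject,        # output of New-GraphApplication / Set-GraphApplication
        [Parameter(Mandatory)] [string]$Path     # e.g. "$env:LOCALAPPDATA\MyApp\sp.xml"
    )
    if ([string]::IsNullOrEmpty($SpObject.ClientSecret)) {
        throw 'No ClientSecret on the object; was -GenerateClientSecret or -ResetClientSecret used?'
    }
    $secure = ConvertTo-SecureString -String $SpObject.ClientSecret -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential -ArgumentList $SpObject.ClientId, $secure

    $dir = Split-Path -Parent $Path
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

    # Export-Clixml serialises the SecureString under the current user's DPAPI key.
    $cred | Export-Clixml -Path $Path

    # DPAPI already binds the file to this user and machine; a tight ACL additionally keeps it
    # out of shares and backups readable by other local accounts.
    icacls.exe $Path /inheritance:r /grant:r "$env:USERDOMAIN\${env:USERNAME}:F" | Out-Null

    # Do not leave the clear-text secret lying around in the session.
    $SpObject.ClientSecret = $null
    $Path
}

function Connect-SpWithStoredSecret {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$ArmEndpoint,   # $AzureStackInfo.TenantExternalEndpoints.TenantResourceManager
        [Parameter(Mandatory)] [string]$TenantId,      # $AzureStackInfo.AADTenantID
        [string]$EnvironmentName = 'AzureStackUser'
    )
    # Import-Clixml returns the PSCredential; the secret stays a SecureString in memory.
    $cred = Import-Clixml -Path $Path

    if (-not (Get-AzEnvironment -Name $EnvironmentName -ErrorAction SilentlyContinue)) {
        Add-AzEnvironment -Name $EnvironmentName -ArmEndpoint $ArmEndpoint | Out-Null
    }
    Connect-AzAccount -Environment $EnvironmentName -ServicePrincipal -Credential $cred -TenantId $TenantId
}

# Rotation flow, run right after Set-GraphApplication -ResetClientSecret has returned $SpObject:
# the stored file is overwritten with the new secret and the app re-authenticates with it.
# $file = Save-SpClientSecret -SpObject $SpObject -Path "$env:LOCALAPPDATA\MyApp\sp.xml"
# Connect-SpWithStoredSecret -Path $file -ArmEndpoint $ArmEndpoint -TenantId $TenantID
```

Because the reset is immediate, rotate in this order: reset, overwrite the stored credential on every host that uses it, then re-authenticate; any consumer still holding the previous secret fails from the moment the cmdlet returns. The DPAPI file is a stop-gap for a single operator machine; an app running as a service account should read the secret from a vault or from a file protected under that account in the same way.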
    

Remove a service principal

This section shows how to remove an app registration, and its associated service principal object, from your directory using PowerShell.

Substitute your own values for the following placeholders:

Placeholders, with description and example:

  • <PepVM>: the name of the privileged endpoint VM on your Azure Stack Hub instance. Example: "AzS-ERCS01"
  • <AppIdentifier>: the identifier assigned to the application registration. Example: "S-1-5-21-1634563105-1224503876-2692824315-2623"

# Prompt for credentials that have access to the VM running the privileged endpoint (typically <domain>\cloudadmin)
$Creds = Get-Credential

# Create a PSSession to the PrivilegedEndpoint VM
$Session = New-PSSession -ComputerName "<PepVM>" -ConfigurationName PrivilegedEndpoint -Credential $Creds

# OPTIONAL: Use the privileged endpoint to get a list of applications registered in AD FS
$AppList = Invoke-Command -Session $Session -ScriptBlock {Get-GraphApplication}

# Use the privileged endpoint to remove the application and associated service principal object for <AppIdentifier>
Invoke-Command -Session $Session -ScriptBlock {Remove-GraphApplication -ApplicationIdentifier "<AppIdentifier>"}

Calling the Remove-GraphApplication cmdlet on the privileged endpoint returns no output, but you see verbose confirmation written to the console while the cmdlet runs:

VERBOSE: Deleting graph application with identifier S-1-5-21-1634563105-1224503876-2692824315-2623.
VERBOSE: Remove-GraphApplication : BEGIN on AZS-ADFS01 on ADFSGraphEndpoint
VERBOSE: Application with identifier S-1-5-21-1634563105-1224503876-2692824315-2623 was deleted.
VERBOSE: Remove-GraphApplication : END on AZS-ADFS01 under ADFSGraphEndpoint configuration

Assign a role

Access to Azure resources by users and apps is authorized through Role-Based Access Control (RBAC). To allow an app to access resources in your subscription, you must assign its service principal to a role on a specific resource. First decide which role grants the right permissions for the app. To learn about the available roles, see Built-in roles for Azure resources.

The resource you choose also establishes the access scope for the app. You can set the scope at the subscription, resource group, or individual resource level. Permissions are inherited downward: for example, adding an app to the Reader role on a resource group lets it read the resource group and every resource it contains.

  1. Sign in to the appropriate portal for the directory you specified during Azure Stack Hub installation (the Azure portal for Azure AD, or the Azure Stack Hub user portal for AD FS, for example). This example shows a user signed in to the Azure Stack Hub user portal.

    Note

    To add role assignments for a given resource, your user account must belong to a role that includes the Microsoft.Authorization/roleAssignments/write permission, for example the Owner or User Access Administrator built-in roles.

  2. Navigate to the resource you want the app to access. This example assigns the app's service principal a role at subscription scope, by selecting Subscriptions and then a specific subscription. You could instead select a resource group, or a specific resource such as a virtual machine.


  3. Select the Access control (IAM) page, which is common to all resources that support RBAC.

  4. Select + Add.

  5. Under Role, pick the role you want to assign to the app.

  6. Under Select, search for your app using the full or partial Application Name. During registration the Application Name is generated as Azurestack-<YourAppName>-<ClientId>. For example, if you used the application name App2 and the ClientId 2bbe67d8-3fdb-4b62-87cf-cc41dd4344ff was assigned at creation, the full name is Azurestack-App2-2bbe67d8-3fdb-4b62-87cf-cc41dd4344ff. You can search for the exact string or a portion of it, such as Azurestack or Azurestack-App2.

  7. Once you find the app, select it; it then appears under Selected members.

  8. Select Save to finish assigning the role.


  9. When finished, the app appears in the list of principals assigned the given role at the current scope.

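The following is an added example, not part of the original article, that performs the portal procedure above from Az PowerShell and then audits the result: it grants the service principal the Reader role at subscription scope and lists every assignment the principal holds, flagging any that is broader than the one intended. It assumes you are already connected with Connect-AzAccount as an Owner or User Access Administrator, that Get-AzRoleAssignment can resolve the principal from its ClientId via -ServicePrincipalName, and that the function name is free; the ClientId used in the usage comment is the one shown in the output earlier on this page.

```powershell
# Added example: assign a least-privilege role to a service principal and audit its assignments.
# Not from the original article; function name and the assumptions above are the author's.
function Grant-SpLeastPrivilegeRole {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$ClientId,            # ClientId from the registration output
        [Parameter(Mandatory)] [string]$Scope,               # e.g. "/subscriptions/<SubscriptionId>"
        [string]$RoleDefinitionName = 'Reader',
        # Roles that should never appear on an inventory-style app's principal.
        [string[]]$BroadRoles = @('Owner', 'Contributor', 'User Access Administrator')
    )

    # Idempotent grant: only create the assignment if it is not already there.
    $existing = Get-AzRoleAssignment -ServicePrincipalName $ClientId -Scope $Scope `
        -RoleDefinitionName $RoleDefinitionName -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-AzRoleAssignment -ApplicationId $ClientId -RoleDefinitionName $RoleDefinitionName -Scope $Scope | Out-Null
        Write-Verbose "Assigned $RoleDefinitionName at $Scope"
    } else {
        Write-Verbose "$RoleDefinitionName already assigned at $Scope"
    }

    # Audit every assignment the principal holds, at any scope, not just the one just granted.
    $all = Get-AzRoleAssignment -ServicePrincipalName $ClientId
    foreach ($a in $all) {
        $flag = if ($BroadRoles -contains $a.RoleDefinitionName) {
            'REVIEW: broad role'
        } elseif ($a.RoleDefinitionName -ne $RoleDefinitionName) {
            'unexpected role'
        } elseif ($a.Scope -ne $Scope) {
            'expected role, different scope'
        } else {
            'ok'
        }
        [pscustomobject]@{
            Role  = $a.RoleDefinitionName
            Scope = $a.Scope
            Flag  = $flag
        }
    }
}

# Usage, after Connect-AzAccount against the Azure Stack Hub environment:
# $scope = "/subscriptions/$((Get-AzContext).Subscription.Id)"
# Grant-SpLeastPrivilegeRole -ClientId '3c87e710-9f91-420b-b009-31fa9e430145' -Scope $scope -Verbose
```

Run the audit part periodically, not only at creation time: role assignments accumulate, and a principal that was granted Reader for an inventory tool tends to pick up Contributor the first time someone needs it to "just fix one thing". Any row flagged REVIEW is a finding to remove or justify.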

Now that you have given your app an identity and authorized it to access resources, you can enable your script or code to sign in and securely access Azure Stack Hub resources.

Next steps

Manage user permissions
Azure Active Directory documentation
Active Directory Federation Services