Application and service principal objects in Azure Active Directory

Sometimes, the meaning of the term "application" can be misunderstood when used in the context of Azure Active Directory (Azure AD). This article clarifies the conceptual and concrete aspects of Azure AD application integration, with an illustration of registration and consent for a multi-tenant application.

Overview

An application that has been integrated with Azure AD has implications that go beyond the software aspect. "Application" is frequently used as a conceptual term, referring not only to the application software, but also to its Azure AD registration and its role in authentication/authorization "conversations" at runtime.

By definition, an application can function in these roles:

  • Client role (consuming a resource)
  • Resource server role (exposing APIs to clients)
  • Both client role and resource server role

An OAuth 2.0 Authorization Grant flow defines the conversation protocol, which allows the client/resource to access/protect a resource's data, respectively.

In the following sections, you'll see how the Azure AD application model represents an application at design-time and run-time.

Application registration

When you register an Azure AD application in the Azure portal, two objects are created in your Azure AD tenant:

  • An application object, and
  • A service principal object

Application object

An Azure AD application is defined by its one and only application object, which resides in the Azure AD tenant where the application was registered, known as the application's "home" tenant. The Microsoft Graph Application entity defines the schema for an application object's properties.

Service principal object

To access resources that are secured by an Azure AD tenant, the entity that requires access must be represented by a security principal. This is true for both users (user principal) and applications (service principal).

The security principal defines the access policy and permissions for the user/application in the Azure AD tenant. This enables core features such as authentication of the user/application during sign-in, and authorization during resource access.

When an application is given permission to access resources in a tenant (upon registration or consent), a service principal object is created. The Microsoft Graph ServicePrincipal entity defines the schema for a service principal object's properties.

Application and service principal relationship

Consider the application object as the global representation of your application for use across all tenants, and the service principal as the local representation for use in a specific tenant.

The application object serves as the template from which common and default properties are derived for use in creating corresponding service principal objects. An application object therefore has a 1:1 relationship with the software application, and a 1:many relationship with its corresponding service principal object(s).

A service principal must be created in each tenant where the application is used, enabling it to establish an identity for sign-in and/or access to resources being secured by the tenant. A single-tenant application has only one service principal (in its home tenant), created and consented for use during application registration. A multi-tenant Web application/API also has a service principal created in each tenant where a user from that tenant has consented to its use.

Note

Any changes you make to your application object are also reflected in its service principal object in the application's home tenant only (the tenant where it was registered). For multi-tenant applications, changes to the application object are not reflected in any consumer tenants' service principal objects until the access is removed through the Application Access Panel and granted again.

Also note that native applications are registered as multi-tenant by default.

Example

The following diagram illustrates the relationship between an application's application object and corresponding service principal objects, in the context of a sample multi-tenant application called HR app. There are three Azure AD tenants in this example scenario:

  • Adatum - The tenant used by the company that developed the HR app
  • Contoso - The tenant used by the Contoso organization, which is a consumer of the HR app
  • Fabrikam - The tenant used by the Fabrikam organization, which also consumes the HR app

Diagram: Relationship between an application object and service principal objects

In this example scenario:

  • Step 1 - Is the process of creating the application and service principal objects in the application's home tenant.
  • Step 2 - When Contoso and Fabrikam administrators complete consent, a service principal object is created in their company's Azure AD tenant and assigned the permissions that the administrator granted. Also note that the HR app could be configured/designed to allow consent by users for individual use.
  • Step 3 - The consumer tenants of the HR application (Contoso and Fabrikam) each have their own service principal object. Each represents their use of an instance of the application at runtime, governed by the permissions consented by the respective administrator.
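As an added example that is not part of the original article: an audit from the Contoso tenant's point of view, listing service principals whose application object lives in another (home) tenant, such as the HR app from Adatum, together with the delegated permissions consented to them by an administrator or by individual users. The tenant IDs, object IDs and records are constructed placeholders shaped like Microsoft Graph servicePrincipal and oauth2PermissionGrant objects, not real tenant data.

```python
# Added example: audit third-party service principals in a consumer tenant
# (Contoso) and the delegated permissions consented to them. All IDs and
# records below are constructed placeholders shaped like Microsoft Graph
# servicePrincipal and oauth2PermissionGrant objects, not real tenant data.
CONTOSO_TENANT_ID = "contoso-tenant-id"  # placeholder
ADATUM_TENANT_ID = "adatum-tenant-id"    # placeholder (HR app's home tenant)

# Constructed: subset of GET /servicePrincipals in the Contoso tenant
SERVICE_PRINCIPALS = [
    {"id": "sp-hr-app", "appId": "app-hr", "displayName": "HR app",
     "appOwnerOrganizationId": ADATUM_TENANT_ID},
    {"id": "sp-intranet", "appId": "app-intranet", "displayName": "Intranet",
     "appOwnerOrganizationId": CONTOSO_TENANT_ID},
]

# Constructed: subset of GET /oauth2PermissionGrants in the Contoso tenant.
# consentType "AllPrincipals" is admin consent for the whole tenant;
# "Principal" is a single user's consent for their own use.
GRANTS = [
    {"clientId": "sp-hr-app", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read Directory.Read.All"},
    {"clientId": "sp-hr-app", "consentType": "Principal",
     "principalId": "user-alice", "scope": "User.Read"},
    {"clientId": "sp-intranet", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read"},
]

def third_party_service_principals(sps, tenant_id):
    """SPs whose application object (home tenant) is not this tenant."""
    return [sp for sp in sps if sp.get("appOwnerOrganizationId") != tenant_id]

def consent_report(sps, grants, tenant_id):
    """Map each third-party SP id to the scopes consented to it, by consent type."""
    report = {}
    for sp in third_party_service_principals(sps, tenant_id):
        entry = {"displayName": sp["displayName"], "appId": sp["appId"],
                 "admin_scopes": set(), "user_scopes": set()}
        for grant in grants:
            if grant["clientId"] != sp["id"]:
                continue  # grant belongs to another service principal
            key = "admin_scopes" if grant["consentType"] == "AllPrincipals" else "user_scopes"
            entry[key].update(grant["scope"].split())
        report[sp["id"]] = entry
    return report

if __name__ == "__main__":
    for sp_id, entry in consent_report(SERVICE_PRINCIPALS, GRANTS, CONTOSO_TENANT_ID).items():
        print(sp_id, entry["displayName"], sorted(entry["admin_scopes"]), sorted(entry["user_scopes"]))
```

Against real tenant data, the same two functions run unchanged over the JSON `value` arrays returned by the Graph endpoints named in the comments; the SP owned by Contoso itself is excluded because its application object lives in the auditing tenant.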

Next steps