Azure Active Directory consent framework

The Azure Active Directory (Azure AD) consent framework makes it easy to develop multi-tenant web and native client applications. These applications allow sign-in by user accounts from an Azure AD tenant that's different from the one where the application is registered. They may also need to access web APIs such as the Microsoft Graph API (to access Azure AD, Intune, and services in Office 365) and other Microsoft services' APIs, in addition to your own web APIs.

The framework is based on a user or an administrator giving consent to an application that asks to be registered in their directory, which may involve accessing directory data. For example, if a web client application needs to read calendar information about the user from Office 365, that user is required to consent to the client application first. After consent is given, the client application will be able to call the Microsoft Graph API on behalf of the user and use the calendar information as needed. The Microsoft Graph API provides access to data in Office 365 (like calendars and messages from Exchange, sites and lists from SharePoint, documents from OneDrive, notebooks from OneNote, tasks from Planner, and workbooks from Excel), as well as users and groups from Azure AD and other data objects from more Microsoft cloud services.

The consent framework is built on OAuth 2.0 and its various flows, such as the authorization code grant and the client credentials grant, using public or confidential clients. By using OAuth 2.0, Azure AD makes it possible to build many different types of client applications (such as on a phone, tablet, or server, or as a web application) and give them access to the required resources.

For more information about using the consent framework with OAuth 2.0 authorization grants, see Authorize access to web applications using OAuth 2.0 and Azure AD and Authentication scenarios for Azure AD. For information about getting authorized access to Office 365 through Microsoft Graph, see App authentication with Microsoft Graph.

The following steps show you how the consent experience works for both the application developer and the user.

  1. Assume you have a web client application that needs to request specific permissions to access a resource/API. You'll learn how to do this configuration in the next section, but essentially the Azure portal is used to declare permission requests at configuration time. Like other configuration settings, they become part of the application's Azure AD registration:

    (Screenshot: Permissions to other applications)

  2. Consider that your application's permissions have been updated, the application is running, and a user is about to use it for the first time. First, the application needs to obtain an authorization code from Azure AD's /authorize endpoint. The authorization code can then be used to acquire a new access token and refresh token.

  3. If the user is not already authenticated, Azure AD's /authorize endpoint prompts the user to sign in.

    (Screenshot: User or administrator signing in to Azure AD)

  4. After the user has signed in, Azure AD will determine if the user needs to be shown a consent page. This determination is based on whether the user (or their organization's administrator) has already granted the application consent. If consent has not already been granted, Azure AD prompts the user for consent and displays the permissions the application requires in order to function. The set of permissions displayed in the consent dialog matches the ones selected under Delegated permissions in the Azure portal.

    (Screenshot: Example of the permissions displayed in the consent dialog)

  5. After the user grants consent, an authorization code is returned to your application, which is redeemed to acquire an access token and refresh token. For more information about this flow, see Web API app type.

  6. As an administrator, you can also consent to an application's delegated permissions on behalf of all the users in your tenant. Administrative consent prevents the consent dialog from appearing for every user in the tenant, and can be done in the Azure portal by users with the administrator role. To learn which administrator roles can consent to delegated permissions, see Administrator role permissions in Azure AD.

    To consent to an app's delegated permissions

    1. Go to the API permissions page for your application.

    2. Click on the Grant admin consent button.

      (Screenshot: Granting explicit admin consent for the permissions)

    Important

    Granting explicit consent using the Grant permissions button is currently required for single-page applications (SPA) that use ADAL.js. Otherwise, the application fails when the access token is requested.
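The authorization-code exchange in steps 2 through 5, as an added example that is not part of this page or of any Microsoft library: it builds the request to Azure AD's /authorize endpoint, validates the redirect that carries the code back (rejecting a state mismatch or an error reply such as a declined consent), and prepares the form body that redeems the code for an access token and refresh token. Assumed values: the "common" tenant for multi-tenant sign-in, and placeholder CLIENT_ID and REDIRECT_URI values.

```python
# Added example (not from the page): the authorization-code request to Azure AD's
# /authorize endpoint described in the steps above, plus validation of the redirect
# that carries the code back. Assumed: tenant "common" (any Azure AD tenant may sign
# in) and placeholder CLIENT_ID / REDIRECT_URI values.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com/common"  # v1 endpoint, multi-tenant
CLIENT_ID = "00000000-0000-0000-0000-000000000000"     # placeholder application id
REDIRECT_URI = "https://contoso.example/callback"       # placeholder; must match registration
RESOURCE = "https://graph.microsoft.com"               # API the delegated permissions target

def build_authorize_url(state: str) -> str:
    """Step 2: start the flow; 'state' binds the callback to this session (anti-CSRF)."""
    params = {"client_id": CLIENT_ID, "response_type": "code",
              "redirect_uri": REDIRECT_URI, "resource": RESOURCE, "state": state}
    return f"{AUTHORITY}/oauth2/authorize?{urlencode(params)}"

def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 5: pull the authorization code out of the redirect.
    Rejects a state mismatch (forged or replayed callback) and an error reply
    (for example error=access_denied when the user declines consent)."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback discarded")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code

def build_token_request(code: str, client_secret: str) -> dict:
    """Form body POSTed to /oauth2/token to redeem the code for access + refresh tokens."""
    return {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "client_secret": client_secret,  # confidential clients only; never embed in a SPA
            "code": code, "redirect_uri": REDIRECT_URI, "resource": RESOURCE}

if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(state))
    # Constructed callback URL, as the browser would present it after consent:
    callback = f"{REDIRECT_URI}?code=CONSTRUCTED_CODE&state={state}"
    print(build_token_request(parse_callback(callback, state), "<client-secret>"))
```

The permissions the user is asked to approve are the delegated permissions declared on the app registration; the request itself only names the resource, which is why a mismatch between the declared permissions and what the app actually calls surfaces at consent time rather than here.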

Next steps