How to: Use the portal to create an Azure AD application and service principal that can access resources

This article shows you how to create a new Azure Active Directory (Azure AD) application and service principal that can be used with role-based access control. When you have applications, hosted services, or automated tools that need to access or modify resources, you can create an identity for the app. This identity is known as a service principal. Access to resources is restricted by the roles assigned to the service principal, giving you control over which resources can be accessed and at which level. For security reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.

This article shows you how to use the portal to create the service principal in the Azure portal. It focuses on a single-tenant application where the application is intended to run within only one organization. You typically use single-tenant applications for line-of-business applications that run within your organization. You can also use Azure PowerShell to create a service principal.

Important

Instead of creating a service principal, consider using managed identities for Azure resources for your application identity. If your code runs on a service that supports managed identities and accesses resources that support Azure AD authentication, managed identities are a better option for you. To learn more about managed identities for Azure resources, including which services currently support it, see What is managed identities for Azure resources?

App registration, app objects, and service principals

There is no way to directly create a service principal using the Azure portal. When you register an application through the Azure portal, an application object and service principal are automatically created in your home directory or tenant. For more information on the relationship between app registration, application objects, and service principals, read Application and service principal objects in Azure Active Directory.

Permissions required for registering an app

You must have sufficient permissions to register an application with your Azure AD tenant, and to assign the application a role in your Azure subscription.

Check Azure AD permissions

  1. Select Azure Active Directory.

  2. Note your role. If you have the User role, you must make sure that non-administrators can register applications.

  3. In the left pane, select User settings.

  4. Check the App registrations setting. This value can only be set by an administrator. If set to Yes, any user in the Azure AD tenant can register an app.

If the app registrations setting is set to No, only users with an administrator role may register these types of applications. See available roles and role permissions to learn about the available administrator roles and the specific permissions in Azure AD that are given to each role. If your account is assigned the User role, but the app registration setting is limited to admin users, ask your administrator to either assign you one of the administrator roles that can create and manage all aspects of app registrations, or to enable users to register apps.

Check Azure subscription permissions

In your Azure subscription, your account must have Microsoft.Authorization/*/Write access to assign a role to an AD app. This action is granted through the Owner role or the User Access Administrator role. If your account is assigned the Contributor role, you don't have adequate permission. You will receive an error when attempting to assign the service principal a role.

To check your subscription permissions:

  1. Search for and select Subscriptions, or select Subscriptions on the Home page.

  2. Select the subscription you want to create the service principal in.

    If you don't see the subscription you're looking for, select the global subscriptions filter. Make sure the subscription you want is selected for the portal.

  3. Select My permissions. Then, select Click here to view complete access details for this subscription.

  4. Select View in Role assignments to view your assigned roles, and determine if you have adequate permissions to assign a role to an AD app. If not, ask your subscription administrator to add you to the User Access Administrator role. In the following image, the user is assigned the Owner role, which means that user has adequate permissions.

    The example shows the Owner role assigned to the user.

Register an application with Azure AD and create a service principal

Let's jump straight into creating the identity. If you run into a problem, check the required permissions to make sure your account can create the identity.

  1. Sign in to your Azure account through the Azure portal.

  2. Select Azure Active Directory.

  3. Select App registrations.

  4. Select New registration.

  5. Name the application. Select a supported account type, which determines who can use the application. Under Redirect URI, select Web for the type of application you want to create. Enter the URI to which the access token is sent. You can't create credentials for a Native application, so you can't use that type for an automated application. After setting the values, select Register.

You've created your Azure AD application and service principal.

Assign a role to the application

To access resources in your subscription, you must assign a role to the application. Decide which role offers the right permissions for the application. To learn about the available roles, see Azure built-in roles.

You can set the scope at the level of the subscription, resource group, or resource. Permissions are inherited by lower levels of scope. For example, adding an application to the Reader role for a resource group means it can read the resource group and any resources it contains.

  1. In the Azure portal, select the level of scope you wish to assign the application to. For example, to assign a role at the subscription scope, search for and select Subscriptions, or select Subscriptions on the Home page.

  2. Select the particular subscription to assign the application to.

    If you don't see the subscription you're looking for, select the global subscriptions filter. Make sure the subscription you want is selected for the portal.

  3. Select Access control (IAM).

  4. Select Add role assignment.

  5. Select the role you wish to assign to the application. For example, to allow the application to execute actions like reboot, start and stop instances, select the Contributor role. Read more about the available roles. By default, Azure AD applications aren't displayed in the available options. To find your application, search for the name and select it.

  6. Select Save to finish assigning the role. You see your application in the list of users with a role for that scope.

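The role assignment above, done with Azure PowerShell (Az module) instead of the portal, as an added example that is not part of the original article. It assumes you are already signed in with an account that holds Owner or User Access Administrator on the subscription; the application ID and resource group name are placeholders.

```powershell
# Application (client) ID of the registered app (placeholder; copy yours from App registrations).
$appId = "00000000-0000-0000-0000-000000000000"

# Scope the assignment as narrowly as the workload needs. Permissions inherit downward, so a
# role granted on a resource group also covers every resource inside it.
$subscriptionId = (Get-AzContext).Subscription.Id
$resourceGroup  = "rg-example"   # placeholder
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

# Reader is enough for an app that only reads; pick Contributor only when it must change
# resources (for example, start or stop instances).
New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName "Reader" -Scope $scope

# Verify what this service principal now holds at or below the scope.
Get-AzRoleAssignment -ServicePrincipalName $appId -Scope $scope |
    Select-Object DisplayName, RoleDefinitionName, Scope
```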
Your service principal is set up. You can start using it to run your scripts or apps. To manage your service principal (permissions, user consented permissions, see which users have consented, review permissions, see sign-in information, and more), go to Enterprise applications.

The next section shows how to get the values that are needed when signing in programmatically.

Get tenant and app ID values for signing in

When programmatically signing in, you need to pass the tenant ID with your authentication request, together with the application ID. You also need a certificate or an authentication key (described in the following section). To get those values, use the following steps:

  1. Select Azure Active Directory.

  2. From App registrations in Azure AD, select your application.

  3. Copy the Directory (tenant) ID and store it in your application code.

    The directory (tenant) ID can also be found in the default directory overview page.

  4. Copy the Application ID and store it in your application code.

Authentication: Two options

There are two types of authentication available for service principals: password-based authentication (application secret) and certificate-based authentication. We recommend using a certificate, but you can also create an application secret.

Option 1: Upload a certificate

You can use an existing certificate if you have one. Optionally, you can create a self-signed certificate for testing purposes only. To create a self-signed certificate, open PowerShell and run New-SelfSignedCertificate with the following parameters to create the cert in the user certificate store on your computer:

$cert=New-SelfSignedCertificate -Subject "CN=DaemonConsoleCert" -CertStoreLocation "Cert:\CurrentUser\My"  -KeyExportPolicy Exportable -KeySpec Signature

Export this certificate to a file using the Manage User Certificate MMC snap-in accessible from the Windows Control Panel.

  1. Select Run from the Start menu, and then enter certmgr.msc.

    The Certificate Manager tool for the current user appears.

  2. To view your certificates, under Certificates - Current User in the left pane, expand the Personal directory.

  3. Right-click on the cert you created, and select All Tasks -> Export.

  4. Follow the Certificate Export wizard. Do not export the private key, and export to a .CER file.

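The certificate creation and export steps above carried out entirely in PowerShell, as an added example that is not from the original article: it builds the same self-signed test certificate and writes only its public part to a .CER file with Export-Certificate, so the private key never leaves the store. The subject name matches the article's command; the output path is an assumption.

```powershell
# Create the self-signed test certificate in the current user's personal store (same parameters
# as the article's command). The private key is generated and kept inside the store.
$cert = New-SelfSignedCertificate -Subject "CN=DaemonConsoleCert" `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyExportPolicy Exportable -KeySpec Signature

# The thumbprint is how you will refer to this certificate when signing in later.
"Thumbprint: $($cert.Thumbprint)  valid until $($cert.NotAfter)"

# -Type CERT writes a DER-encoded public certificate only (what the portal upload expects);
# the private key is never written to disk, which is what the export wizard step requires.
$cerPath = Join-Path $env:USERPROFILE "DaemonConsoleCert.cer"   # assumed output location
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Check before uploading: the exported file must carry no private key.
$exported = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)
if ($exported.HasPrivateKey) { throw "Exported file unexpectedly contains a private key" }
"Exported $cerPath (public certificate only)"
```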
To upload the certificate:

  1. Select Azure Active Directory.

  2. From App registrations in Azure AD, select your application.

  3. Select Certificates & secrets.

  4. Select Upload certificate and select the certificate (an existing certificate or the self-signed certificate you exported).

  5. Select Add.

After registering the certificate with your application in the application registration portal, you need to enable the client application code to use the certificate.

Option 2: Create a new application secret

If you choose not to use a certificate, you can create a new application secret.

  1. Select Azure Active Directory.

  2. From App registrations in Azure AD, select your application.

  3. Select Certificates & secrets.

  4. Select Client secrets -> New client secret.

  5. Provide a description of the secret, and a duration. When done, select Add.

    After saving the client secret, the value of the client secret is displayed. Copy this value because you won't be able to retrieve the key later. You will provide the key value with the application ID to sign in as the application. Store the key value where your application can retrieve it.

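Signing in programmatically with the tenant ID and application ID collected above, using either the uploaded certificate or the client secret, as an added example (Azure PowerShell, Az module) that is not from the original article. The GUIDs are placeholders, and the environment variable AZ_CLIENT_SECRET is an assumption about where the secret is kept.

```powershell
$tenantId = "11111111-1111-1111-1111-111111111111"   # Directory (tenant) ID, placeholder
$appId    = "00000000-0000-0000-0000-000000000000"   # Application (client) ID, placeholder
$useCertificate = $true                               # $false to use the client secret instead

if ($useCertificate) {
    # Option 1 (recommended): only the thumbprint is passed; the private key stays in
    # Cert:\CurrentUser\My, so no secret material appears in scripts, history or logs.
    $thumbprint = (Get-ChildItem Cert:\CurrentUser\My |
        Where-Object Subject -eq "CN=DaemonConsoleCert" |
        Sort-Object NotAfter -Descending | Select-Object -First 1).Thumbprint
    if (-not $thumbprint) { throw "Certificate CN=DaemonConsoleCert not found in the user store" }
    Connect-AzAccount -ServicePrincipal -TenantId $tenantId `
        -ApplicationId $appId -CertificateThumbprint $thumbprint
} else {
    # Option 2: client secret. Read it at run time from the environment (or a vault); never
    # hard-code it, and rotate it before the duration chosen at creation runs out.
    $secret = $env:AZ_CLIENT_SECRET   # assumed variable name
    if ([string]::IsNullOrEmpty($secret)) { throw "AZ_CLIENT_SECRET is not set" }
    $secure = ConvertTo-SecureString $secret -AsPlainText -Force
    $cred   = [pscredential]::new($appId, $secure)
    Connect-AzAccount -ServicePrincipal -TenantId $tenantId -Credential $cred
}

# Confirm the session belongs to the application rather than to a user.
$ctx = Get-AzContext
"$($ctx.Account.Type): $($ctx.Account.Id) in tenant $($ctx.Tenant.Id)"
```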
Configure access policies on resources

Keep in mind that you might need to configure additional permissions on resources that your application needs to access. For example, you must also update a key vault's access policies to give your application access to keys, secrets, or certificates.

  1. In the Azure portal, navigate to your key vault and select Access policies.
  2. Select Add access policy, then select the key, secret, and certificate permissions you want to grant your application. Select the service principal you created previously.
  3. Select Add to add the access policy, then Save to commit your changes.

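The key vault access policy above set with Azure PowerShell (Az.KeyVault) instead of the portal, as an added example that is not from the original article. The vault name and application ID are placeholders; the example grants only read access to secrets, which is the narrowest permission set most daemon apps need.

```powershell
$vaultName = "kv-example"                               # placeholder
$appId     = "00000000-0000-0000-0000-000000000000"     # Application (client) ID, placeholder

# Grant only what the app will call. Here: read and enumerate secrets; no key or certificate
# permissions, and no management operations such as delete or purge.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $appId `
    -PermissionsToSecrets get, list

# Verify the resulting policy entry for this service principal. Access policies are keyed by
# the principal's object ID, so resolve it from the application ID first.
$sp = Get-AzADServicePrincipal -ApplicationId $appId
(Get-AzKeyVault -VaultName $vaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $sp.Id } |
    Select-Object DisplayName, PermissionsToKeys, PermissionsToSecrets, PermissionsToCertificates
```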
Next steps