How to: Use the portal to create an Azure AD application and service principal that can access resources

This article shows you how to create a new Azure Active Directory (Azure AD) application and service principal that can be used with role-based access control. When you have code that needs to access or modify resources, you can create an identity for the app. This identity is known as a service principal. You can then assign the required permissions to the service principal. This article shows you how to use the portal to create the service principal. It focuses on a single-tenant application, where the application is intended to run within only one organization. You typically use single-tenant applications for line-of-business applications that run within your organization.

Important

Instead of creating a service principal, consider using managed identities for Azure resources for your application identity. If your code runs on a service that supports managed identities and accesses resources that support Azure AD authentication, managed identities are a better option for you. To learn more about managed identities for Azure resources, including which services currently support it, see What is managed identities for Azure resources?

Create an Azure Active Directory application

Let's jump straight into creating the identity. If you run into a problem, check the required permissions to make sure your account can create the identity.

  1. Sign in to your Azure account through the Azure portal.

  2. Select Azure Active Directory.

  3. Select App registrations.

  4. Select New registration.

  5. Name the application. Select a supported account type, which determines who can use the application. Under Redirect URI, select Web for the type of application you want to create. Enter the URI where the access token is sent to. You can't create credentials for a Native application, and you can't use that type for an automated application. After setting the values, select Register.

    [Screenshot: Enter a name for the application]

You've created your Azure AD application and service principal.

Assign the application to a role

To access resources in your subscription, you must assign the application to a role. Decide which role offers the right permissions for the application. To learn about the available roles, see RBAC: Built-in roles.

You can set the scope at the level of the subscription, resource group, or resource. Permissions are inherited to lower levels of scope. For example, adding an application to the Reader role for a resource group means it can read the resource group and any resources it contains.

  1. Navigate to the level of scope you wish to assign the application to. For example, to assign a role at the subscription scope, select All services and Subscriptions.

    [Screenshot: For example, assign a role at the subscription scope]

  2. Select the particular subscription to assign the application to.

    [Screenshot: Select the subscription for the assignment]

    If you don't see the subscription you're looking for, select the global subscriptions filter. Make sure the subscription you want is selected for the portal.

  3. Select Access control (IAM).

  4. Select Add role assignment.

  5. Select the role you wish to assign to the application. To allow the application to execute actions like reboot, start and stop instances, select the Contributor role. By default, Azure AD applications aren't displayed in the available options. To find your application, search for the name and select it.

    [Screenshot: Select the role to assign to the application]

  6. Select Save to finish assigning the role. You see your application in the list of users assigned to a role for that scope.

Your service principal is set up. You can start using it to run your scripts or apps. The next section shows how to get the values that are needed when signing in programmatically.

Get values for signing in

When programmatically signing in, you need to pass the tenant ID with your authentication request. You also need the ID for your application and an authentication key. To get those values, use the following steps:

  1. Select Azure Active Directory.

  2. From App registrations in Azure AD, select your application.

  3. Copy the Directory (tenant) ID and store it in your application code.

    [Screenshot: Copy the Directory (tenant) ID and store it in your application code]

  4. Copy the Application ID and store it in your application code.

    [Screenshot: Copy the Application (client) ID]

Certificates and secrets

Daemon applications can use two forms of credentials to authenticate with Azure AD: certificates and application secrets. We recommend using a certificate, but you can also create a new application secret.

Upload a certificate

You can use an existing certificate if you have one. Optionally, you can create a self-signed certificate for testing purposes. Open PowerShell and run New-SelfSignedCertificate with the following parameters to create a self-signed certificate in the user certificate store on your computer:

    $cert=New-SelfSignedCertificate -Subject "CN=DaemonConsoleCert" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature

Export this certificate using the Manage User Certificates MMC snap-in, accessible from the Windows Control Panel.

To upload the certificate:

  1. Select Certificates & secrets.

  2. Select Upload certificate and select the certificate (an existing certificate or the self-signed certificate you exported).

    [Screenshot: Select Upload certificate and select the certificate you want to add]

  3. Select Add.

After registering the certificate with your application in the application registration portal, you need to enable the client application code to use the certificate.
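The following PowerShell is an added example, not part of the original article or of Microsoft's own samples. It runs the article's New-SelfSignedCertificate command, exports only the public certificate (.cer) for upload under Certificates & secrets, and then signs in as the service principal with the Az module using the private key by thumbprint; it also lists the role assignments the principal actually holds. The tenant ID, application ID and output path are placeholders you must replace with the values copied from your app registration.

```powershell
# Added example (not from the original article). Requires the Az PowerShell module.
$tenantId = "<directory-tenant-id>"     # Directory (tenant) ID from the app registration
$appId    = "<application-client-id>"   # Application (client) ID from the app registration
$cerPath  = "$env:USERPROFILE\DaemonConsoleCert.cer"

# Same command the article gives: the private key is generated in, and stays in,
# the current user's certificate store.
$cert = New-SelfSignedCertificate -Subject "CN=DaemonConsoleCert" `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyExportPolicy Exportable -KeySpec Signature

# Export only the public certificate (DER .cer, no private key). This is the file
# to upload in the portal; the private key never leaves this machine.
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null
Write-Host "Upload $cerPath in the portal. Thumbprint: $($cert.Thumbprint)"

# After the .cer is registered on the app, the client authenticates with the
# private key from the local store, selected by thumbprint. No secret string is
# stored in code or configuration.
Connect-AzAccount -ServicePrincipal -Tenant $tenantId -ApplicationId $appId `
    -CertificateThumbprint $cert.Thumbprint

# Confirm which roles the service principal holds and at which scopes, so you
# can verify the assignment made in the portal is the least privilege needed.
Get-AzRoleAssignment -ServicePrincipalName $appId |
    Select-Object RoleDefinitionName, Scope
```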

Create a new application secret

If you choose not to use a certificate, you can create a new application secret.

  1. Select Certificates & secrets.

  2. Select Client secrets -> New client secret.

  3. Provide a description of the secret, and a duration. When done, select Add.

    After saving the client secret, the value of the client secret is displayed. Copy this value because you aren't able to retrieve the key later. You provide the key value with the application ID to sign in as the application. Store the key value where your application can retrieve it.

    [Screenshot: Copy the secret value because you can't retrieve it later]

Required permissions

You must have sufficient permissions to register an application with your Azure AD tenant, and to assign the application to a role in your Azure subscription.

Check Azure AD permissions

  1. Select Azure Active Directory.

  2. Note your role. If you have the User role, you must make sure that non-administrators can register applications.

    [Screenshot: Find your role]

  3. Select User settings.

  4. Check the App registrations setting. This value can only be set by an administrator. If set to Yes, any user in the Azure AD tenant can register an app.

If the App registrations setting is set to No, only users with an administrator role may register these types of applications. See available roles and role permissions to learn about the available administrator roles and the specific permissions in Azure AD that are given to each role. If your account is assigned to the User role, but the app registration setting is limited to admin users, ask your administrator either to assign you to one of the administrator roles that can create and manage all aspects of app registrations, or to enable users to register apps.

Check Azure subscription permissions

In your Azure subscription, your account must have Microsoft.Authorization/*/Write access to assign an AD app to a role. This action is granted through the Owner role or the User Access Administrator role. If your account is assigned to the Contributor role, you don't have adequate permission. You receive an error when attempting to assign the service principal to a role.

To check your subscription permissions:

  1. Select your account in the upper right corner, and select ... -> My permissions.

    [Screenshot: Select your account and your user permissions]

  2. From the drop-down list, select the subscription you want to create the service principal in. Then, select Click here to view complete access details for this subscription.

    [Screenshot: Select the subscription you want to create the service principal in]

  3. Select Role assignments to view your assigned roles, and determine whether you have adequate permissions to assign an AD app to a role. If not, ask your subscription administrator to add you to the User Access Administrator role. In the following image, the user is assigned to the Owner role, which means that user has adequate permissions.

    [Screenshot: This example shows the user assigned to the Owner role]
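The same check can be scripted. This is an added example, not part of the original article: it resolves the signed-in user's role assignments at the subscription, expands each role definition, and tests whether any role's Actions cover Microsoft.Authorization/roleAssignments/write (the concrete action under Microsoft.Authorization/*/Write) without a NotActions entry taking it away, which is why Contributor fails the test while Owner and User Access Administrator pass. It assumes the Az module, that Connect-AzAccount has already been run as a user (not a service principal), and a placeholder subscription ID.

```powershell
# Added example (not from the original article). Requires the Az module and an
# existing user sign-in (Connect-AzAccount).
function Test-CanAssignRoles {
    param([Parameter(Mandatory)][string]$SubscriptionId)

    $scope   = "/subscriptions/$SubscriptionId"
    $account = (Get-AzContext).Account.Id
    # Concrete action that falls under Microsoft.Authorization/*/Write.
    $needed  = "Microsoft.Authorization/roleAssignments/write"

    # Direct and group-based assignments at this scope, including inherited ones.
    $assignments = Get-AzRoleAssignment -SignInName $account -Scope $scope -ExpandPrincipalGroups

    $granting = foreach ($a in $assignments) {
        $def = Get-AzRoleDefinition -Name $a.RoleDefinitionName
        # Role actions are wildcard patterns ("*", "Microsoft.Authorization/*",
        # "*/read"), so match the needed action against each pattern with -like,
        # and honour NotActions (Contributor has "*" but denies Microsoft.Authorization/*/Write).
        $allowed = $def.Actions    | Where-Object { $needed -like $_ }
        $denied  = $def.NotActions | Where-Object { $needed -like $_ }
        if ($allowed -and -not $denied) { $def.Name }
    }

    if ($granting) {
        Write-Host "OK: $account can assign roles at $scope via: $($granting -join ', ')"
        return $true
    }
    Write-Host "Insufficient: $account lacks $needed at $scope (Contributor alone is not enough)."
    return $false
}

Test-CanAssignRoles -SubscriptionId "<subscription-id>"
```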

Next steps