How to: Use the portal to create an Azure AD application and service principal that can access resources

This article shows you how to create a new Azure Active Directory (Azure AD) application and service principal that can be used with role-based access control. When you have code that needs to access or modify resources, you can create an identity for the app. This identity is known as a service principal. You can then assign the required permissions to the service principal. This article shows you how to use the portal to create the service principal. It focuses on a single-tenant application, where the application is intended to run within only one organization. You typically use single-tenant applications for line-of-business applications that run within your organization.

Important

Instead of creating a service principal, consider using managed identities for Azure resources for your application identity. If your code runs on a service that supports managed identities and accesses resources that support Azure AD authentication, managed identities are a better option: the platform manages the credential for you, so there is no key to create, store, or rotate. To learn more about managed identities for Azure resources, including which services currently support it, see What is managed identities for Azure resources?

Create an Azure Active Directory application

Let's jump straight into creating the identity. If you run into a problem, check the required permissions (later in this article) to make sure your account can create the identity.

  1. Sign in to your Azure account through the Azure portal.

  2. Select Azure Active Directory.

  3. Select App registrations.

    Screenshot: Select App registrations

  4. Select New application registration.

    Screenshot: New application registration

  5. Provide a name and a URL for the application. For the type of application you want to create, select Web app / API. You can't create credentials for a Native application, so that type can't be used for an automated application. After setting the values, select Create.

    Screenshot: Name the application

You've created your Azure AD application and service principal.

Assign the application to a role

To access resources in your subscription, you must assign the application to a role. Decide which role offers the right permissions for the application; pick the least privileged role that covers what the application actually needs to do. To learn about the available roles, see RBAC: Built-in roles.

You can set the scope at the level of the subscription, resource group, or resource. Permissions are inherited by lower levels of scope. For example, adding an application to the Reader role for a resource group means it can read the resource group and any resources it contains.

  1. Navigate to the level of scope you wish to assign the application to. For example, to assign a role at the subscription scope, select All services and then Subscriptions.

    Screenshot: Select Subscriptions

  2. Select the particular subscription to assign the application to.

    Screenshot: Select the subscription to assign to

    If you don't see the subscription you're looking for, select the global subscriptions filter. Make sure the subscription you want is selected for the portal.

  3. Select Access control (IAM).

  4. Select Add role assignment.

    Screenshot: Select Add role assignment

  5. Select the role you wish to assign to the application. To allow the application to execute actions like reboot, start, and stop instances, select the Contributor role. Contributor can create and change most resources in the scope, so if the application only needs to read, use Reader instead. By default, Azure AD applications aren't displayed in the available options. To find your application, search for its name and select it.

    Screenshot: Select a role

  6. Select Save to finish assigning the role. You see your application in the list of users assigned to a role for that scope.

Your service principal is set up. You can start using it to run your scripts or apps. The next section shows how to get the values that are needed when signing in programmatically.

Get values for signing in

Get tenant ID

When programmatically signing in, you need to pass the tenant ID with your authentication request.

  1. Select Azure Active Directory.

  2. Select Properties.

    Screenshot: Select Azure AD Properties

  3. Copy the Directory ID to get your tenant ID.

    Screenshot: Tenant ID

Get application ID and authentication key

You also need the ID for your application and an authentication key. To get those values, use the following steps:

  1. From App registrations in Azure AD, select your application.

    Screenshot: Select the application

  2. Copy the Application ID and store it in your application code. The Application ID identifies the app and isn't secret; the key you create in the following steps is.

    Screenshot: Client ID

  3. Select Settings.

    Screenshot: Select Settings

  4. Select Keys.

  5. Provide a description of the key and a duration for the key. When done, select Save.

    Screenshot: Save the key

    After saving the key, its value is displayed. Copy this value now, because you can't retrieve the key later. You provide the key value together with the application ID to sign in as the application. Store the key value where your application can retrieve it, and treat it like a password: keep it out of source control, and plan to create a replacement key before this one expires.

    Screenshot: The saved key
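The three values collected above (tenant ID, application ID, key) are exactly what an OAuth 2.0 client-credentials sign-in needs. The following is an added example, not code from the original page or from any Azure SDK: it builds the token request with the Python standard library, reads the key from an environment variable rather than from source, and sanity-checks that the returned token really names the expected tenant and app. The environment variable names (AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET) and the choice of the Azure Resource Manager audience are assumptions made for this example.

```python
"""Client-credentials sign-in with the tenant ID, application ID and key.

Added example, not from the original page. Assumptions: the three values
come from the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID and
AZURE_CLIENT_SECRET (names chosen here), and the token is requested from the
Microsoft identity platform v2.0 endpoint for the Resource Manager audience.
"""
from __future__ import annotations

import base64
import json
import os
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"
ARM_SCOPE = "https://management.azure.com/.default"


def build_token_request(tenant_id: str, app_id: str, key: str) -> tuple[str, bytes]:
    """Return (url, form-encoded body) for an OAuth 2.0 client_credentials grant.

    The tenant ID selects the authority; the key travels only in the POST body
    over TLS, never in the URL, so it does not end up in access logs.
    """
    url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": key,
        "scope": ARM_SCOPE,
    }).encode()
    return url, body


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    For local inspection only (which app, which tenant, when it expires).
    Resource Manager verifies the signature server-side; never use this
    function to make an authorization decision yourself.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_matches_identity(token: str, tenant_id: str, app_id: str) -> bool:
    """Check that the token was issued for the expected tenant and application.

    Azure AD puts the tenant in `tid` and the application ID in `appid`
    (v1-format tokens) or `azp` (v2-format tokens). A mismatch usually means
    the wrong tenant ID, or the Object ID pasted where the Application ID belongs.
    """
    claims = decode_jwt_claims(token)
    app_claim = claims.get("appid") or claims.get("azp")
    return claims.get("tid") == tenant_id and app_claim == app_id


def request_token(tenant_id: str, app_id: str, key: str) -> str:
    """Perform the sign-in (network call) and return the access token."""
    url, body = build_token_request(tenant_id, app_id, key)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        data = json.load(resp)
    token = data["access_token"]
    if not token_matches_identity(token, tenant_id, app_id):
        raise RuntimeError("token issued for a different tenant/app than expected")
    return token


if __name__ == "__main__":
    tenant = os.environ["AZURE_TENANT_ID"]
    app = os.environ["AZURE_CLIENT_ID"]
    secret = os.environ["AZURE_CLIENT_SECRET"]  # never hard-code the key
    access_token = request_token(tenant, app, secret)
    print("token expires at (epoch seconds):", decode_jwt_claims(access_token)["exp"])
```

Run it with the three variables exported in the shell; the printed expiry is the `exp` claim of the token you would attach as `Authorization: Bearer ...` to Resource Manager calls.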

Required permissions

You must have sufficient permissions to register an application with your Azure AD tenant, and to assign the application to a role in your Azure subscription.

Check Azure AD permissions

  1. Select Azure Active Directory.

  2. Note your role. If you have the User role, you must make sure that non-administrators can register applications.

    Screenshot: Find the user role

  3. Select User settings.

    Screenshot: Select User settings

  4. Check the App registrations setting. This value can only be set by an administrator. If set to Yes, any user in the Azure AD tenant can register an app.

    Screenshot: View the App registrations setting

If the App registrations setting is set to No, only users with an administrator role may register these types of applications. See Available roles and Role permissions to learn about the available administrator roles and the specific permissions in Azure AD that are given to each role. If your account is assigned the User role, but the App registrations setting is limited to admin users, ask your administrator either to assign you to one of the administrator roles that can create and manage all aspects of app registrations, or to enable users to register apps.

Check Azure subscription permissions

In your Azure subscription, your account must have Microsoft.Authorization/*/Write access to assign an AD app to a role. This action is granted through the Owner role or the User Access Administrator role. If your account is assigned the Contributor role, you don't have adequate permission: Contributor explicitly excludes Microsoft.Authorization/*/Write, so you receive an error when attempting to assign the service principal to a role.
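Two rules on this page decide whether a role assignment does what you expect: scope inheritance (an assignment at a resource group applies to everything inside it, from "Assign the application to a role" above) and the Actions/NotActions wildcard matching that makes Contributor unable to grant roles even though its Actions list is `*`. The following is an added example, not code from the original page or from any Azure SDK, that models both rules in plain Python. The role definitions are a simplified, hand-transcribed subset of the built-in roles (the authoritative text comes from `az role definition list`), and all principal names and scope IDs are constructed for the demonstration.

```python
"""Minimal model of Azure RBAC evaluation: scope inheritance plus
Actions/NotActions wildcard matching.

Added example, not from the original page or any Azure SDK. The role
definitions below are a simplified, hand-transcribed subset of the built-in
roles; check `az role definition list` for the authoritative versions.
Principal names and scope identifiers are made up for the demonstration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Simplified transcriptions of built-in role definitions (assumption: subset only).
ROLE_DEFINITIONS: dict[str, dict[str, list[str]]] = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "User Access Administrator": {
        "Actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "NotActions": [],
    },
}

# The action performed when you add a role assignment in the portal.
ASSIGN_ROLE_ACTION = "Microsoft.Authorization/roleAssignments/write"


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # object ID of the user or service principal
    role: str       # key into ROLE_DEFINITIONS
    scope: str      # e.g. "/subscriptions/<id>/resourceGroups/<name>"


def action_matches(pattern: str, action: str) -> bool:
    """Azure action wildcards: '*' matches any run of characters, including '/',
    and comparison is case-insensitive, so 'Microsoft.Authorization/*/Write'
    covers 'Microsoft.Authorization/roleAssignments/write'."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment applies to its own scope and every child scope beneath it
    (subscription -> resource group -> resource). Comparing with a trailing '/'
    stops '/subscriptions/abc' from covering '/subscriptions/abcd'."""
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def role_allows(role: str, action: str) -> bool:
    """A role permits an action when some Actions pattern matches and no
    NotActions pattern matches. NotActions subtract from Actions; they are not
    a deny that overrides other assignments."""
    definition = ROLE_DEFINITIONS[role]
    allowed = any(action_matches(p, action) for p in definition["Actions"])
    excluded = any(action_matches(p, action) for p in definition["NotActions"])
    return allowed and not excluded


def is_authorized(assignments: list[RoleAssignment], principal: str,
                  action: str, scope: str) -> bool:
    """Authorization is the union over every assignment whose scope covers the
    target: a single matching assignment is enough."""
    return any(
        a.principal == principal
        and scope_covers(a.scope, scope)
        and role_allows(a.role, action)
        for a in assignments
    )


# Constructed sample data (not real IDs).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
OTHER_VM = SUB + "/resourceGroups/rg-other/providers/Microsoft.Compute/virtualMachines/vm2"

SAMPLE_ASSIGNMENTS = [
    RoleAssignment("alice", "Contributor", SUB),               # person following this guide
    RoleAssignment("bob", "User Access Administrator", SUB),   # can hand out roles
    RoleAssignment("sp-reporting", "Reader", RG),              # the new service principal
]

if __name__ == "__main__":
    read_vm = "Microsoft.Compute/virtualMachines/read"
    # Reader at the resource group is inherited by the VM inside it, not by a sibling group.
    print(is_authorized(SAMPLE_ASSIGNMENTS, "sp-reporting", read_vm, VM))        # True
    print(is_authorized(SAMPLE_ASSIGNMENTS, "sp-reporting", read_vm, OTHER_VM))  # False
    # Contributor can manage resources but cannot create role assignments.
    print(is_authorized(SAMPLE_ASSIGNMENTS, "alice",
                        "Microsoft.Compute/virtualMachines/restart/action", SUB))  # True
    print(is_authorized(SAMPLE_ASSIGNMENTS, "alice", ASSIGN_ROLE_ACTION, SUB))    # False
    print(is_authorized(SAMPLE_ASSIGNMENTS, "bob", ASSIGN_ROLE_ACTION, SUB))      # True
```

The last two results are the situation the paragraph above describes: `alice`, as Contributor, matches `*` but is removed by the `Microsoft.Authorization/*/Write` NotAction and so gets the error when saving a role assignment, while `bob` succeeds. The same evaluator shows why a Reader assignment on `rg-app` lets the service principal read `vm1` but nothing in `rg-other`.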

To check your subscription permissions:

  1. Select your account in the upper-right corner, and then select My permissions.

    Screenshot: Select My permissions

  2. From the drop-down list, select the subscription you want to create the service principal in. Then, select Click here to view complete access details for this subscription.

    Screenshot: Select the subscription

  3. View your assigned roles, and determine whether you have adequate permissions to assign an AD app to a role. If not, ask your subscription administrator to add you to the User Access Administrator role. In the following image, the user is assigned the Owner role, which means that user has adequate permissions.

    Screenshot: Assigned roles for the user

Next steps