Configure the way end-users consent to an application in Azure Active Directory

Learn how to configure the way users consent to application permissions. You can simplify the user experience by granting admin consent. This article gives the different ways you can configure user consent. The methods apply to all end users in your Azure Active Directory (Azure AD) tenant.

For more information on consenting to applications, see Azure Active Directory consent framework.

Prerequisites

Granting admin consent requires you to sign in as a global administrator, an application administrator, or a cloud application administrator.

To restrict access to applications, you need to require user assignment and then assign users or groups to the application. For more information, see Methods for assigning users and groups.

To grant admin consent to an enterprise app:

  1. Sign in to the Azure portal as a global administrator, an application administrator, or a cloud application administrator.
  2. Click All services at the top of the left-hand navigation menu. The Azure Active Directory Extension opens.
  3. In the filter search box, type "Azure Active Directory" and select the Azure Active Directory item.
  4. From the navigation menu, click Enterprise applications.
  5. Select the app for consent.
  6. Select Permissions and then click Grant admin consent. You'll be prompted to sign in to administrate the application.
  7. Sign in with an account that has permissions to grant admin consent for the application.
  8. Consent to the application permissions.

This option only works if the application is:

  • Registered in your tenant, or
  • Registered in another Azure AD tenant, and consented to by at least one end user. Once an end user has consented to an application, Azure AD lists the application under Enterprise apps in the Azure portal.

To grant admin consent when registering an app:

  1. Sign in to the Azure portal as a global administrator.
  2. Navigate to the App Registrations blade.
  3. Select the application for the consent.
  4. Select API permissions.
  5. Click Grant admin consent.

To grant admin consent through a URL request:

  1. Construct a request to login.microsoftonline.com with your app configuration and append &prompt=admin_consent. The URL will look like: https://login.microsoftonline.com/<tenant-id>/oauth2/authorize?client_id=<client id>&response_type=code&redirect_uri=<Your-Redirect-URI-Https-Encoded>&nonce=1234&resource=<your-resource-Https-encoded>&prompt=admin_consent
  2. After signing in with admin credentials, the app has been granted consent for all users.

To require end users to consent to an application each time they authenticate, append &prompt=consent to the authentication request URL. The URL will look like: https://login.microsoftonline.com/<tenant-id>/oauth2/authorize?client_id=<client id>&response_type=code&redirect_uri=<Your-Redirect-URI-Https-Encoded>&nonce=1234&resource=<your-resource-Https-encoded>&prompt=consent
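The two authorize URLs above differ only in the prompt value, and the redirect_uri and resource values must be percent-encoded. The following Python is an added example (not code from this article or from Microsoft) that builds such a URL and decodes one back, so an administrator reviewing sign-in or proxy logs can tell a tenant-wide admin_consent request from a per-user consent request. The tenant, client ID, redirect URI and resource values are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# v1 authorize endpoint from the article; <tenant-id> is filled in per request
AUTHORIZE_BASE = "https://login.microsoftonline.com/{tenant}/oauth2/authorize"
# The two prompt values the article describes
ALLOWED_PROMPTS = {"admin_consent", "consent"}


def build_authorize_url(tenant_id, client_id, redirect_uri, resource,
                        prompt="admin_consent", nonce=None):
    """Build the authorize URL from the article; urlencode percent-encodes
    redirect_uri and resource. A fresh random nonce is generated unless one
    is supplied (the article's fixed 1234 is only a placeholder)."""
    if prompt not in ALLOWED_PROMPTS:
        raise ValueError(f"unsupported prompt value: {prompt!r}")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,   # becomes https%3A%2F%2F... in the query
        "nonce": nonce or secrets.token_urlsafe(16),
        "resource": resource,
        "prompt": prompt,
    }
    return AUTHORIZE_BASE.format(tenant=tenant_id) + "?" + urlencode(params)


def parse_authorize_url(url):
    """Decode an authorize URL into its parts. prompt=admin_consent means the
    signing-in admin grants the application consent for every user in the
    tenant, which is worth flagging when reviewing logs."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    path = parts.path.strip("/").split("/")   # [<tenant>, "oauth2", "authorize"]
    return {
        "tenant": path[0],
        "client_id": query.get("client_id"),
        "redirect_uri": query.get("redirect_uri"),
        "resource": query.get("resource"),
        "prompt": query.get("prompt"),
        "tenant_wide": query.get("prompt") == "admin_consent",
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from the article
    url = build_authorize_url("contoso.onmicrosoft.com",
                              "11111111-2222-3333-4444-555555555555",
                              "https://app.example.com/auth/callback",
                              "https://graph.microsoft.com", nonce="1234")
    print(url)
    print(parse_authorize_url(url))
```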

Next steps

Consent and Integrating Apps to AzureAD

Consent and Permissioning for AzureAD v2.0 converged Apps

AzureAD StackOverflow