Assign users and groups to an application in Azure Active Directory

This article shows you how to assign users or groups to an application in Azure Active Directory (Azure AD). Users must first be assigned to an application before an administrator can grant them access to do the following:

  • Access an application by navigating to the application's URL directly (also known as SP-initiated sign-on).

  • Access an application by using the User Access URL on an application's Properties page (also known as IDP-initiated sign-on).

  • See an application appear on their Application Access Panel or mobile application.

  • See an application appear on their Office 365 Application Launcher.

The availability of group-based assignment is determined by your license agreement. Group-based assignment is supported for Security groups only. Nested group memberships and O365 groups are not currently supported.

Prerequisites

Before you can assign users and groups to an application, you must require user assignment. To require user assignment:

  1. Log in to the Azure portal with an administrator account.
  2. Click the All services item in the main menu.
  3. Choose the directory you are using for the application.
  4. Click the Enterprise applications tab.
  5. Select the application from the list of applications associated with this directory.
  6. Click the Properties tab.
  7. Change the User assignment required? toggle to Yes.
  8. Click the Save button at the top of the screen.
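The same prerequisite can be enforced and audited from PowerShell. The following is an added example, not part of the Microsoft article; it uses the AzureAD PowerShell module, whose AppRoleAssignmentRequired property on the service principal is what the portal's "User assignment required?" toggle sets. The application display name is a placeholder.

```powershell
# Added example (not from the article): set "User assignment required?" from PowerShell
# and audit which enterprise applications still let any user in the tenant sign in.
# Assumes the AzureAD module is installed; the application name is a placeholder.

Connect-AzureAD | Out-Null

$appDisplayName = 'Contoso Expense App'   # placeholder: your enterprise application's display name

# An enterprise application is represented by its service principal object in the tenant.
$sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '$appDisplayName'"
if (-not $sp) { throw "Enterprise application '$appDisplayName' not found." }

# AppRoleAssignmentRequired is the property behind the portal's
# "User assignment required?" toggle on the application's Properties page.
if ($sp.AppRoleAssignmentRequired) {
    Write-Host "'$($sp.DisplayName)' already requires user assignment."
} else {
    Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true
    Write-Host "Enabled 'User assignment required' for '$($sp.DisplayName)'."
}

# Audit: enterprise applications in the tenant that do not require assignment.
# Until the toggle is Yes, every user in the directory can sign in to these apps.
# Note: the list also contains Microsoft first-party service principals; review it
# with that in mind rather than switching the toggle on blindly.
Get-AzureADServicePrincipal -All $true |
    Where-Object { -not $_.AppRoleAssignmentRequired } |
    Select-Object DisplayName, AppId, ObjectId |
    Sort-Object DisplayName |
    Format-Table -AutoSize
```

Run it with an account that can edit the enterprise application (a Global Administrator or the application owner); the audit at the end is read-only and is a useful periodic check that nobody has switched the toggle back to No.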

Assign users

To assign one or more users to an application directly, follow the steps below:

  1. Open the Azure portal and sign in as a Global Administrator or as a non-admin application owner.

  2. Open the Azure Active Directory Extension by clicking All services at the top of the main left-hand navigation menu.

  3. Type "Azure Active Directory" in the filter search box and select the Azure Active Directory item.

  4. Click Enterprise Applications from the Azure Active Directory left-hand navigation menu.

  5. Click All Applications to view a list of all your applications.

    • If the application you want does not show up here, use the Filter control at the top of the All Applications list and set the Show option to All Applications.
  6. Select the application you want to assign a user to from the list.

  7. Once the application loads, click Users and Groups from the application's left-hand navigation menu.

  8. Click the Add button at the top of the Users and Groups list to open the Add Assignment pane.

  9. Click the Users and groups selector in the Add Assignment pane.

  10. Type the full name or email address of the user you want to assign into the Search by name or email address search box.

  11. Hover over the user in the list to reveal a checkbox. Click the checkbox next to the user's profile photo or logo to add the user to the Selected list.

  12. Optional: If you would like to add more than one user, type another full name or email address into the Search by name or email address search box, and click the checkbox to add this user to the Selected list.

  13. When you are finished selecting users, click the Select button to add them to the list of users and groups to be assigned to the application.

  14. Optional: Click the Select Role selector in the Add Assignment pane to select a role to assign to the users you have selected.

  15. Click the Assign button to assign the application to the selected users.

After a short period of time, the users you have selected will be able to launch these applications using the methods listed at the beginning of this article.

Assign groups

To assign one or more groups to an application directly, follow the steps below:

  1. Open the Azure portal and sign in as a Global Administrator or as a non-admin application owner with an Azure AD Premium license assigned.

  2. Open the Azure Active Directory Extension by clicking All services at the top of the main left-hand navigation menu.

  3. Type "Azure Active Directory" in the filter search box and select the Azure Active Directory item.

  4. Click Enterprise Applications from the Azure Active Directory left-hand navigation menu.

  5. Click All Applications to view a list of all your applications.

    • If the application you want does not show up here, use the Filter control at the top of the All Applications list and set the Show option to All Applications.
  6. Select the application you want to assign a group to from the list.

  7. Once the application loads, click Users and Groups from the application's left-hand navigation menu.

  8. Click the Add button at the top of the Users and Groups list to open the Add Assignment pane.

  9. Click the Users and groups selector in the Add Assignment pane.

  10. Type the full name of the group you want to assign into the Search by name or email address search box.

  11. Hover over the group in the list to reveal a checkbox. Click the checkbox next to the group's profile photo or logo to add the group to the Selected list.

  12. Optional: If you would like to add more than one group, type another full group name into the Search by name or email address search box, and click the checkbox to add this group to the Selected list.

  13. When you are finished selecting groups, click the Select button to add them to the list of users and groups to be assigned to the application.

  14. Optional: Click the Select Role selector in the Add Assignment pane to select a role to assign to the groups you have selected.

  15. Click the Assign button to assign the application to the selected groups.
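Both procedures above (Assign users and Assign groups) map to the same underlying operation: creating an app role assignment on the application's service principal. The following added example, which is not part of the Microsoft article, does that with the AzureAD PowerShell module for one user and one group, checks that the group is a security group (the only kind group-based assignment supports), skips principals that are already assigned, and then lists every assignment on the application. The user, group and application names are placeholders.

```powershell
# Added example (not from the article): assign a user and a security group to an
# enterprise application and then enumerate the application's assignments.
# Assumes the AzureAD module is installed; the three names below are placeholders.

Connect-AzureAD | Out-Null

$appDisplayName    = 'Contoso Expense App'     # placeholder
$userPrincipalName = 'alice@contoso.example'   # placeholder
$groupDisplayName  = 'Expense App Users'       # placeholder

$sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '$appDisplayName'"
if (-not $sp) { throw "Enterprise application '$appDisplayName' not found." }

# Choose the role (the optional "Select Role" step). Applications that expose roles
# list them in $sp.AppRoles; an application with no roles uses the default access
# role, whose Id is the all-zero GUID.
$roleId = '00000000-0000-0000-0000-000000000000'
$userRoles = $sp.AppRoles | Where-Object { $_.IsEnabled -and ($_.AllowedMemberTypes -contains 'User') }
if ($userRoles) { $roleId = ($userRoles | Select-Object -First 1).Id.ToString() }

# Existing assignments, so re-running the script does not fail on duplicates.
$existing = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true

# --- User assignment (steps 9-15 of "Assign users") ---
$user = Get-AzureADUser -ObjectId $userPrincipalName
if ($existing | Where-Object { $_.PrincipalId -eq $user.ObjectId }) {
    Write-Host "User '$($user.UserPrincipalName)' is already assigned."
} else {
    New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId `
        -ResourceId $sp.ObjectId -Id $roleId | Out-Null
    Write-Host "Assigned user '$($user.UserPrincipalName)'."
}

# --- Group assignment (steps 9-15 of "Assign groups") ---
$group = Get-AzureADGroup -Filter "DisplayName eq '$groupDisplayName'"
if (-not $group) { throw "Group '$groupDisplayName' not found." }
# Group-based assignment supports security groups only; refuse anything else
# rather than creating an assignment that will not take effect.
if (-not $group.SecurityEnabled) {
    throw "'$($group.DisplayName)' is not a security group; group-based assignment supports security groups only."
}
if ($existing | Where-Object { $_.PrincipalId -eq $group.ObjectId }) {
    Write-Host "Group '$($group.DisplayName)' is already assigned."
} else {
    New-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -PrincipalId $group.ObjectId `
        -ResourceId $sp.ObjectId -Id $roleId | Out-Null
    Write-Host "Assigned group '$($group.DisplayName)'."
}

# Verify: every principal assigned to the application, with the role Id it holds.
Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true |
    Select-Object PrincipalType, PrincipalDisplayName, Id, CreationTimestamp |
    Format-Table -AutoSize
```

The final listing is the PowerShell equivalent of the Users and Groups page in the portal; reviewing it periodically is the simplest way to spot assignments nobody remembers making. Remember that the list shows the group itself, not its members, and nested group membership is not honoured by the assignment.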

After a short period of time, the users within the groups you have selected will be able to launch these applications using the methods listed at the beginning of this article. If these are dynamic groups, there may be some additional processing delay before these assignments appear for users within the assigned groups.

Enable self-service application access

Self-service application access is a great way to let users discover applications on their own, and optionally to let the business group approve access to those applications. You can also allow the business group to manage the credentials assigned to those users for Password Single Sign-On applications right from their access panels.

To enable self-service access to an application, follow the steps below:

  1. Open the Azure portal and sign in as a Global Administrator.

  2. Open the Azure Active Directory Extension by clicking All services at the top of the main left-hand navigation menu.

  3. Type "Azure Active Directory" in the filter search box and select the Azure Active Directory item.

  4. Click Enterprise Applications from the Azure Active Directory left-hand navigation menu.

  5. Click All Applications to view a list of all your applications.

    • If the application you want does not show up here, use the Filter control at the top of the All Applications list and set the Show option to All Applications.
  6. Select the application you want to enable self-service access to from the list.

  7. Once the application loads, click Self-service from the application's left-hand navigation menu.

  8. To enable self-service application access for this application, turn the Allow users to request access to this application? toggle to Yes.

  9. Next, to select the group to which users who request access to this application should be added, click the selector next to the label To which group should assigned users be added? and select a group.

  10. Optional: If you wish to require a business approval before users are allowed access, set the Require approval before granting access to this application? toggle to Yes.

  11. Optional: For applications using password single sign-on only, if you wish to allow those business approvers to specify the passwords that are sent to this application for approved users, set the Allow approvers to set user's passwords for this application? toggle to Yes.

  12. Optional: To specify the business approvers who are allowed to approve access to this application, click the selector next to the label Who is allowed to approve access to this application? to select up to 10 individual business approvers.

    Note

    Groups are not supported.

  13. Optional: For applications that expose roles, if you wish to assign self-service approved users to a role, click the selector next to To which role should users be assigned in this application? to select the role to which these users should be assigned.

  14. Click the Save button at the top of the pane to finish.

Once you complete self-service application configuration, users can navigate to their Application Access Panel and click the +Add button to find the apps to which you have enabled self-service access. Business approvers also see a notification in their Application Access Panel. You can enable an email notifying them when a user has requested access to an application that requires their approval.

These approvals support single approval workflows only, meaning that if you specify multiple approvers, any single approver may approve access to the application.

Next steps

Provide single sign-on to your apps with Application Proxy