The new App registrations experience for Azure Active Directory B2C

The new App registrations experience for Azure Active Directory B2C (Azure AD B2C) is now generally available. If you're more familiar with the Applications experience for registering applications for Azure AD B2C, referred to here as the "legacy experience," this guide will get you started using the new experience.

Overview

Previously, you had to manage your Azure AD B2C consumer-facing applications separately from the rest of your apps using the legacy experience. That meant different app creation experiences across different places in Azure.

The new experience shows all Azure AD B2C app registrations and Azure AD app registrations in one place and provides a consistent way to manage them. From creating a customer-facing app to managing an app with Microsoft Graph permissions for resource management, you only need to learn one way to do things.

You can reach the new experience by navigating to App registrations in an Azure AD B2C tenant from either the Azure AD B2C or the Azure Active Directory service in the Azure portal.

The Azure AD B2C App registrations experience is based on the general App registrations experience for any Azure AD tenant, but is tailored for Azure AD B2C tenants.

What's not changing?

  • Your applications and related configurations can be found as-is in the new experience. You do not need to register the applications again, and users of your applications will not need to sign in again.

Note

To view all your previously created applications, navigate to the App registrations blade and select the All applications tab. This displays apps created in the legacy experience, the new experience, and the Azure AD service.

Key new features

  • A unified app list shows all your applications that authenticate with Azure AD B2C and Azure AD in one convenient place. In addition, you can take advantage of features already available for Azure AD applications, including the Created on date, Certificates & secrets status, search bar, and much more.

  • Combined app registration allows you to quickly register an app, whether it's a customer-facing app or an app to access Microsoft Graph.

  • The Endpoints pane lets you quickly identify the relevant endpoints for your scenario, including OpenID Connect configuration, SAML metadata, Microsoft Graph API, and OAuth 2.0 user flow endpoints.

  • API permissions and Expose an API provide more extensive scope, permission, and consent management. You can now also assign Microsoft Graph and Azure AD Graph permissions to an app.

  • Owners and Manifest are now available for apps that authenticate with Azure AD B2C. You can add owners for your registrations and directly edit application properties using the manifest editor.

New supported account types

In the new experience, you select a supported account type from the following options:

  • Accounts in this organizational directory only
  • Accounts in any organizational directory (Any Azure AD directory - Multitenant)
  • Accounts in any identity provider or organizational directory (for authenticating users with user flows)

To understand the different account types, select Help me choose in the creation experience.

In the legacy experience, apps were always created as customer-facing applications. For those apps, the account type is set to Accounts in any identity provider or organizational directory (for authenticating users with user flows).

Note

This option is required to be able to run Azure AD B2C user flows to authenticate users for this application. Learn how to register an application for use with user flows.

You can also use this option to use Azure AD B2C as a SAML service provider.

Applications for DevOps scenarios

You can use the other account types to create an app to manage your DevOps scenarios, like using Microsoft Graph to upload Identity Experience Framework policies or provision users. Learn how to register a Microsoft Graph application to manage Azure AD B2C resources.

You might not see all Microsoft Graph permissions, because many of these permissions don't apply to Azure AD B2C consumer users. Read more about managing users using Microsoft Graph.

The openid scope is necessary so that Azure AD B2C can sign users in to an app. The offline_access scope is needed to issue refresh tokens for a user. These scopes were previously added and given admin consent by default. Now, you can easily add permissions for these scopes during the creation process by ensuring the Grant admin consent to openid and offline_access permissions option is selected. Otherwise, the Microsoft Graph permissions can be added with admin consent in the API permissions settings for an existing app.

Learn more about permissions and consent.

Platforms/Authentication: Reply URLs/redirect URIs

In the legacy experience, the various platform types were managed under Properties as reply URLs for web apps/APIs and as redirect URIs for native clients. "Native clients" are also known as "public clients" and include apps for iOS, macOS, Android, and other mobile and desktop application types.

In the new experience, reply URLs and redirect URIs are both referred to as Redirect URIs and can be found in an app's Authentication section. App registrations aren't limited to being either a web app or a native application. You can use the same app registration for all of these platform types by registering the respective redirect URIs.

Redirect URIs are required to be associated with an app type, either web or public (mobile and desktop). Learn more about redirect URIs.

The iOS/macOS and Android platforms are a type of public client. They provide an easy way to configure iOS/macOS or Android apps with corresponding redirect URIs for use with MSAL. Learn more about application configuration options.

Application certificates & secrets

In the new experience, instead of Keys, you use the Certificates & secrets blade to manage certificates and secrets. Certificates & secrets enable applications to identify themselves to the authentication service when receiving tokens at a web-addressable location (using an HTTPS scheme). We recommend using a certificate instead of a client secret for client credential scenarios when authenticating against Azure AD. Certificates can't be used to authenticate against Azure AD B2C.

Features not applicable in Azure AD B2C tenants

The following Azure AD app registrations capabilities are not applicable to or available in Azure AD B2C tenants:

  • Roles and administrators - Not currently available for Azure AD B2C.
  • Branding - UI/UX customization is configured in the Company branding experience or as part of a user flow. Learn to customize the user interface in Azure Active Directory B2C.
  • Publisher domain verification - Your app is registered on .partner.onmschina.cn, which isn't a verified domain. Additionally, the publisher domain is primarily used for granting user consent, which doesn't apply to Azure AD B2C apps for user authentication. Learn more about publisher domain.
  • Token configuration - The token is configured as part of a user flow rather than an app.
  • The Quickstarts experience is currently not available for Azure AD B2C tenants.

Limitations

The new experience has the following limitations:

  • At this time, Azure AD B2C doesn't differentiate between being able to issue access or ID tokens for implicit flows; both types of tokens are available for implicit grant flow if the ID tokens option is selected in the Authentication blade.
  • Changing the value for supported accounts isn't supported in the UI. You'll need to use the app manifest, unless you're switching between Azure AD single-tenant and multi-tenant.
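The limitations above point at two settings worth checking outside the portal: the supported-account value lives in the app manifest, and enabling the ID tokens option makes both token types available under implicit grant. The audit below is an added example, not part of this article or of any Microsoft tooling; it loads a constructed manifest and reports those two points together with any web redirect URI that is not HTTPS. The manifest key names and the signInAudience value assumed for user-flow apps are taken from the Azure AD app manifest format as understood here, not from this page.

```python
import json
from urllib.parse import urlparse

# Assumed mapping of manifest signInAudience values to the supported
# account types listed in this article (the first two are Azure AD types).
AUDIENCE_LABELS = {
    "AzureADMyOrg": "Accounts in this organizational directory only",
    "AzureADMultipleOrgs": "Accounts in any organizational directory (Multitenant)",
    "AzureADandPersonalMicrosoftAccount":
        "Accounts in any identity provider or organizational directory (user flows)",
}
USER_FLOW_AUDIENCE = "AzureADandPersonalMicrosoftAccount"

# Constructed sample of an exported manifest; not taken from any real tenant.
SAMPLE_MANIFEST = json.dumps({
    "displayName": "contoso-b2c-web (constructed)",
    "signInAudience": "AzureADandPersonalMicrosoftAccount",
    "oauth2AllowIdTokenImplicitFlow": True,
    "oauth2AllowImplicitFlow": False,
    "replyUrlsWithType": [
        {"url": "https://app.contoso.example/signin-oidc", "type": "Web"},
        {"url": "http://app.contoso.example/legacy", "type": "Web"},
        {"url": "msauth://com.contoso.app/callback", "type": "InstalledClient"},
    ],
})


def audit_manifest(manifest_json: str) -> list:
    """Return human-readable findings for an Azure AD B2C app manifest."""
    m = json.loads(manifest_json)
    findings = []
    audience = m.get("signInAudience")
    if audience != USER_FLOW_AUDIENCE:
        # Changing this value is done in the manifest, not the UI (see Limitations).
        findings.append(f"signInAudience {audience!r} is {AUDIENCE_LABELS.get(audience, 'unknown')}; "
                        "user flows cannot sign users in to this app")
    if m.get("oauth2AllowIdTokenImplicitFlow"):
        # Limitation: the ID tokens option makes access tokens issuable via implicit grant too.
        findings.append("implicit grant enabled: both ID and access tokens are available via implicit flow")
    for entry in m.get("replyUrlsWithType", []):
        url, kind = entry.get("url", ""), entry.get("type", "")
        # Web redirect URIs must be web-addressable over HTTPS; other types are public clients.
        if kind == "Web" and urlparse(url).scheme != "https":
            findings.append(f"web redirect URI without HTTPS scheme: {url}")
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```

Running it against a manifest exported from the Manifest blade gives a quick pre-change review before editing signInAudience or redirect URIs by hand.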

Next steps

To get started with the new app registration experience: