Integrating with Azure Active Directory

In this article, you learn about the benefits of integrating your application with Azure Active Directory (Azure AD) and get resources for integration. Azure AD provides organizations with enterprise-grade identity management for cloud applications. Azure AD integration gives your users a streamlined sign-in experience and helps your application conform to IT policy.

How to integrate

There are several ways for your application to integrate with Azure AD. Take advantage of as many or as few of these scenarios as is appropriate for your application.

Support Azure AD as a way to sign in to your application

Reduce sign-in friction and support costs. By using Azure AD to sign in to your application, your users won't have one more name and password to remember. As a developer, you'll have one less password to store and protect. Not having to handle forgotten password resets may be a significant saving on its own. Azure AD powers sign-in for some of the world's most popular cloud applications, including Office 365 and Azure. With hundreds of millions of users from millions of organizations, chances are your user is already signed in to Azure AD. Learn more about adding support for Azure AD sign-in.

Simplify sign-up for your application. During sign-up for your application, Azure AD can send essential information about a user so that you can pre-fill your sign-up form or eliminate it completely. Users can sign up for your application using their Azure AD account via a familiar consent experience similar to those found in social media and mobile applications. Any user can sign up for and sign in to an application that is integrated with Azure AD without requiring IT involvement. Learn more about signing up your application for Azure AD account login.

Browse for users, manage user provisioning, and control access to your application

Browse for users in the directory. Use the Graph API to help users search and browse for other people in their organization when inviting others or granting access, instead of requiring them to type email addresses. Users can browse using a familiar address-book-style interface, including viewing the details of the organizational hierarchy. Learn more about the Graph API.

Re-use the Active Directory groups and distribution lists your customer is already managing. Azure AD contains the groups that your customer is already using for email distribution and for managing access. Using the Graph API, re-use these groups instead of requiring your customer to create and manage a separate set of groups in your application. Group information can also be sent to your application in sign-in tokens. Learn more about the Graph API.

Use Azure AD to control who has access to your application. Administrators and application owners in Azure AD can assign access to applications to specific users and groups. Using the Graph API, you can read this list and use it to control provisioning and de-provisioning of resources and access within your application.

Use Azure AD for role-based access control. Administrators and application owners can assign users and groups to roles that you define when you register your application in Azure AD. Role information is sent to your application in sign-in tokens and can also be read using the Graph API. Learn more about using Azure AD for authorization.
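Consuming the group and role claims described in the two paragraphs above, as an added example that is not from the original page: a stdlib-only Python validator that checks a token's signature, issuer and tenant, audience and validity window before it trusts the `roles` and `groups` claims for an authorization decision. The tenant id, client id, secret key, role name and group id are constructed placeholders, and HS256 with a shared key stands in for Azure AD's RS256 signatures so the code runs offline; a production app would use MSAL or a JWT library with the signing keys published by the tenant.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values. Real Azure AD tokens are RS256-signed with keys from the
# tenant's OpenID Connect discovery document (jwks_uri); HS256 stands in for an offline run.
DEMO_KEY = b"constructed-demo-secret"
TENANT_ID = "00000000-0000-0000-0000-000000000001"  # placeholder tenant id
ISSUER = "https://login.microsoftonline.com/" + TENANT_ID + "/v2.0"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # placeholder app (client) id

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_demo_token(claims):
    """Build a token shaped like an Azure AD ID token (demo key, testing only)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, (header + "." + payload).encode(), hashlib.sha256).digest()
    return header + "." + payload + "." + b64url_encode(sig)

def validate_token(token, now):
    """Verify the signature and the claims every relying party must check; now is Unix seconds."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    # Pin the algorithm: the token header must never choose how it is verified.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signed = (header_b64 + "." + payload_b64).encode()
    expected = hmac.new(DEMO_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER or claims.get("tid") != TENANT_ID:
        raise ValueError("wrong issuer or tenant")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token was not issued for this application")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise ValueError("token not yet valid or expired")
    return claims

def is_allowed(claims, required_role, allowed_groups):
    """Authorize from the app role names and group ids Azure AD put in the token."""
    has_role = required_role in claims.get("roles", [])
    in_group = bool(set(allowed_groups) & set(claims.get("groups", [])))
    return has_role or in_group
```

Only claims from a token that passed every check in `validate_token` reach `is_allowed`; a token whose payload was altered after signing, or that was issued for a different application, is rejected before any role or group is read.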

Get access to the user's profile, calendar, email, contacts, files, and more

Azure AD is the authorization server for Office 365 and other Microsoft business services. If you support Azure AD for sign-in to your application, or support linking your current user accounts to Azure AD user accounts using OAuth 2.0, you can request read and write access to a user's profile, calendar, email, contacts, files, and other information. You can seamlessly write events to the user's calendar and read or write files in their OneDrive. Learn more about accessing the Office 365 APIs.

Promote your application in the Azure and Office 365 Marketplaces

Promote your application to the millions of organizations that are already using Azure AD. Users who search and browse these marketplaces are already using one or more cloud services, making them qualified cloud service customers. Learn more about promoting your application in the Azure Marketplace.

When users sign up for your application, it will appear in their Azure AD access panel and Office 365 app launcher. Users will be able to quickly and easily return to your application later, improving user engagement.

Secure device-to-service and service-to-service communication

Using Azure AD for identity management of services and devices reduces the code you need to write and enables IT to manage access. Services and devices can get tokens from Azure AD using OAuth and use those tokens to access web APIs. Using Azure AD, you can avoid writing complex authentication code. Since the identities of the services and devices are stored in Azure AD, IT can manage keys and revocation in one place instead of having to do this separately in your application.

Benefits of integration

Integration with Azure AD comes with benefits that do not require you to write additional code.

Integration with enterprise identity management

Help your application comply with IT policies. Organizations integrate their enterprise identity management systems with Azure AD, so when a person leaves an organization, they automatically lose access to your application without IT needing to take extra steps. IT can manage who can access your application and determine what access policies are required (for example, multi-factor authentication), reducing your need to write code to comply with complex corporate policies. Azure AD provides administrators with a detailed audit log of who signed in to your application, so IT can track usage.

Azure AD extends Active Directory to the cloud so that your application can integrate with AD. Many organizations around the world use Active Directory as their principal sign-in and identity management system and require their applications to work with AD. Integrating with Azure AD integrates your app with Active Directory.

Advanced security features

Multi-factor authentication. Azure AD provides native multi-factor authentication. IT administrators can require multi-factor authentication to access your application, so that you do not have to code this support yourself. Learn more about Multi-Factor Authentication.

Anomalous sign-in detection. Azure AD processes more than a billion sign-ins a day and uses machine learning algorithms to detect suspicious activity and notify IT administrators of possible problems. By supporting Azure AD sign-in, your application gets the benefit of this protection. Learn more about viewing Azure Active Directory access reports.

Easy development

Industry-standard protocols. Microsoft is committed to supporting industry standards. The Microsoft identity platform supports the industry-standard OAuth 2.0 and OpenID Connect 1.0 protocols. Learn more about Microsoft identity platform authentication protocols.

Open source libraries. Microsoft provides fully supported open source libraries for popular languages and platforms to speed development. The source code is licensed under Apache 2.0, and you are free to fork and contribute back to the projects. Learn more about the Microsoft Authentication Library (MSAL).

Worldwide presence and high availability

Azure AD is deployed in datacenters around the world and is managed and monitored around the clock. Azure AD is the identity management system for Azure and Office 365 and is deployed in 28 datacenters around the world. Directory data is guaranteed to be replicated to at least three datacenters. Global load balancers ensure users access the closest copy of Azure AD containing their data, and automatically re-route requests to other datacenters if a problem is detected.

Next steps

Get started writing code.

Sign users in using the Microsoft identity platform