Azure Active Directory 中的应用程序对象和服务主体对象Application and service principal objects in Azure Active Directory

有时在 Azure Active Directory (Azure AD) 的上下文中使用时,术语“应用程序”的含义可能会被误解。Sometimes, the meaning of the term "application" can be misunderstood when used in the context of Azure Active Directory (Azure AD). 本文澄清了 Azure AD 应用程序集成的概念和具体层面,并演示了如何注册和同意多租户应用程序This article clarifies the conceptual and concrete aspects of Azure AD application integration, with an illustration of registration and consent for a multi-tenant application.

概述Overview

已与 Azure AD 集成的应用程序具有超出软件方面的含意。An application that has been integrated with Azure AD has implications that go beyond the software aspect. “应用程序”常作为一个概念性术语,不仅指应用程序软件,而且还指其 Azure AD 注册和运行时在身份验证/授权“对话”中的角色。"Application" is frequently used as a conceptual term, referring to not only the application software, but also its Azure AD registration and role in authentication/authorization "conversations" at runtime.

根据定义,应用程序能够使用以下角色:By definition, an application can function in these roles:

  • 客户端角色(使用资源)Client role (consuming a resource)
  • 资源服务器角色(向客户端公开 API)Resource server role (exposing APIs to clients)
  • 客户端角色和资源服务器角色Both client role and resource server role

OAuth 2.0 授权流定义了对话协议,对话协议允许客户端/资源各自访问/保护资源的数据。An OAuth 2.0 Authorization Grant flow defines the conversation protocol, which allows the client/resource to access/protect a resource's data, respectively.

在下面的各部分中,你将了解 Azure AD 应用程序模型在设计时和运行时如何表示应用程序。In the following sections, you'll see how the Azure AD application model represents an application at design-time and run-time.

应用程序注册Application registration

Azure 门户中注册 Azure AD 应用程序时,会在 Azure AD 租户中创建两个对象:When you register an Azure AD application in the Azure portal, two objects are created in your Azure AD tenant:

  • 一个应用程序对象An application object, and
  • 和一个服务主体对象。A service principal object

应用程序对象Application object

Azure AD 应用程序由其唯一一个应用程序对象来定义,该对象位于应用程序注册到的 Azure AD 租户(称为应用程序的“宿主”租户)中。An Azure AD application is defined by its one and only application object, which resides in the Azure AD tenant where the application was registered, known as the application's "home" tenant. Microsoft Graph Application 实体定义应用程序对象属性的架构。The Microsoft Graph Application entity defines the schema for an application object's properties.

服务主体对象Service principal object

若要访问受 Azure AD 租户保护的资源,需要访问的实体必须由安全主体来表示。To access resources that are secured by an Azure AD tenant, the entity that requires access must be represented by a security principal. 这同时适用于用户(用户主体)和应用程序(服务主体)。This is true for both users (user principal) and applications (service principal).

安全主体定义 Azure AD 租户中用户/应用程序的访问策略和权限。The security principal defines the access policy and permissions for the user/application in the Azure AD tenant. 这样便可实现核心功能,如在登录时对用户/应用程序进行身份验证,在访问资源时进行授权。This enables core features such as authentication of the user/application during sign-in, and authorization during resource access.

当应用程序被授予了对租户中资源的访问权限时(根据注册或许可),将创建一个服务主体对象。When an application is given permission to access resources in a tenant (upon registration or consent), a service principal object is created. Microsoft Graph ServicePrincipal 实体定义服务主体对象属性的架构。The Microsoft Graph ServicePrincipal entity defines the schema for a service principal object's properties.

应用程序和服务主体的关系Application and service principal relationship

可以将应用程序对象视为应用程序的全局表示形式(供所有租户使用),将服务主体视为本地表示形式(在特定租户中使用)。Consider the application object as the global representation of your application for use across all tenants, and the service principal as the local representation for use in a specific tenant.

应用程序对象用作模板,常见属性和默认属性从其中派生,以便在创建相应服务主体对象时使用。The application object serves as the template from which common and default properties are derived for use in creating corresponding service principal objects. 因此,应用程序对象与软件应用程序存在 1 对 1 关系,而与其对应的服务主体对象存在 1 对多关系。An application object therefore has a 1:1 relationship with the software application, and a 1:many relationships with its corresponding service principal object(s).

必须在将使用应用程序的每个租户中创建服务主体,让它能够建立用于登录和/或访问受租户保护的资源的标识。A service principal must be created in each tenant where the application is used, enabling it to establish an identity for sign-in and/or access to resources being secured by the tenant. 单租户应用程序只有一个服务主体(在其宿主租户中),在应用程序注册期间创建并被允许使用。A single-tenant application has only one service principal (in its home tenant), created and consented for use during application registration. 多租户 Web 应用程序/API 还会在租户中的某个用户已同意使用它的每个租户中创建服务主体。A multi-tenant Web application/API also has a service principal created in each tenant where a user from that tenant has consented to its use.

Note

对应用程序对象所做的任何更改也只反映在该对象在应用程序宿主租户(其注册所在的租户)的服务主体对象中。Any changes you make to your application object, are also reflected in its service principal object in the application's home tenant only (the tenant where it was registered).

另请注意,默认情况下本机应用程序注册为多租户应用程序。Also note that native applications are registered as multi-tenant by default.

示例Example

下图演示了应用程序的应用程序对象和对应的服务主体对象之间的关系,其上下文是在名为 HR 应用的示例多租户应用程序中。The following diagram illustrates the relationship between an application's application object and corresponding service principal objects, in the context of a sample multi-tenant application called HR app. 此示例方案中有三个 Azure AD 租户:There are three Azure AD tenants in this example scenario:

  • Adatum - 开发 HR 应用的公司使用的租户Adatum - The tenant used by the company that developed the HR app
  • Contoso - Contoso 组织使用的租户,即 HR 应用的使用者Contoso - The tenant used by the Contoso organization, which is a consumer of the HR app
  • Fabrikam - Fabrikam 组织使用的租户,它也使用 HR 应用Fabrikam - The tenant used by the Fabrikam organization, which also consumes the HR app

应用对象与服务主体对象之间的关系

在此示例方案中:In this example scenario:

步骤Step 说明Description
11 是在应用程序的宿主租户中创建应用程序对象和服务主体对象的过程。Is the process of creating the application and service principal objects in the application's home tenant.
22 当 Contoso 和 Fabrikam 的管理员完成同意并向应用程序授予访问权限时,会在其公司的 Azure AD 租户中创建服务主体对象,并向其分配管理员所授予的权限。When Contoso and Fabrikam administrators complete consent, a service principal object is created in their company's Azure AD tenant and assigned the permissions that the administrator granted. 另请注意,HR 应用可能配置/设计为允许由用户同意以供个人使用。Also note that the HR app could be configured/designed to allow consent by users for individual use.
33 HR 应用程序的使用者租户(例如 Contoso 和 Fabrikam)各有自己的服务主体对象。The consumer tenants of the HR application (Contoso and Fabrikam) each have their own service principal object. 每个对象代表其在运行时使用的应用程序实例,该实例受相关管理员同意的权限控制。Each represents their use of an instance of the application at runtime, governed by the permissions consented by the respective administrator.

后续步骤Next steps