Application and service principal objects in Azure Active Directory

This article describes application registration, application objects, and service principals in Azure Active Directory: what they are, how they're used, and how they are related to each other. A multi-tenant example scenario is also presented to illustrate the relationship between an application's application object and its corresponding service principal objects.

Application registration

In order to delegate Identity and Access Management functions to Azure AD, an application must be registered with an Azure AD tenant. When you register your application with Azure AD, you are creating an identity configuration for your application that allows it to integrate with Azure AD. When you register an app in the Azure portal, you choose whether it's single tenant (only accessible in your tenant) or multi-tenant (accessible in other tenants) and can optionally set a redirect URI (where the access token is sent to).

When you've completed the app registration, you have a globally unique instance of the app (the application object) which lives within your home tenant or directory. You also have a globally unique ID for your app (the app or client ID). In the portal, you can then add secrets or certificates and scopes to make your app work, customize the branding of your app in the sign-in dialog, and more.

If you register an application in the portal, an application object as well as a service principal object are automatically created in your home tenant. If you register/create an application using the Microsoft Graph APIs, creating the service principal object is a separate step.
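The two-step Graph flow just described, as an added example that is not part of the original article and not Microsoft's own sample code. It uses the real Graph endpoints (POST /applications, then POST /servicePrincipals with the returned appId) and the real signInAudience values, but the HTTP layer is injected so the sequence can be exercised offline against a constructed in-memory fake; `graph_sender` assumes a bearer token that already carries a permission such as Application.ReadWrite.All.

```python
"""Two-step app registration through Microsoft Graph (added example, not from the article).

Unlike the portal, the Graph API does not create a service principal for you:
POST /applications creates only the application object in the home tenant, and a
second call, POST /servicePrincipals with the returned appId, creates the service
principal. The HTTP layer is a callable passed in, so the flow runs offline too.
"""
import json
import urllib.request
import uuid

GRAPH = "https://graph.microsoft.com/v1.0"


def graph_sender(access_token):
    """Return send(method, path, body) that talks to the real Graph endpoint.
    Assumes access_token is a bearer token with rights to create applications."""
    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(GRAPH + path, data=data, method=method, headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        })
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read() or b"{}")
    return send


class FakeGraph:
    """Constructed in-memory stand-in for the two Graph endpoints the flow uses."""

    def __init__(self):
        self.applications = {}        # object id -> application object
        self.service_principals = {}  # object id -> service principal

    def __call__(self, method, path, body=None):
        if (method, path) == ("POST", "/applications"):
            # Graph assigns both an object id and a separate, globally unique appId.
            app = dict(body, id=str(uuid.uuid4()), appId=str(uuid.uuid4()))
            self.applications[app["id"]] = app
            return app
        if (method, path) == ("POST", "/servicePrincipals"):
            # A service principal must reference an existing application object.
            if not any(a["appId"] == body["appId"] for a in self.applications.values()):
                raise ValueError(f"no application object with appId {body['appId']}")
            sp = {"id": str(uuid.uuid4()), "appId": body["appId"]}
            self.service_principals[sp["id"]] = sp
            return sp
        raise ValueError(f"unhandled request {method} {path}")


def register_application(send, display_name, multi_tenant=False, redirect_uris=()):
    """Step 1: create the application object. This alone yields no service principal."""
    body = {
        "displayName": display_name,
        # Real Graph values: AzureADMyOrg = single tenant, AzureADMultipleOrgs = multi-tenant.
        "signInAudience": "AzureADMultipleOrgs" if multi_tenant else "AzureADMyOrg",
    }
    if redirect_uris:
        body["web"] = {"redirectUris": list(redirect_uris)}
    return send("POST", "/applications", body)


def create_service_principal(send, app_id):
    """Step 2: create the service principal in the tenant the caller's token belongs to."""
    return send("POST", "/servicePrincipals", {"appId": app_id})


def register_with_service_principal(send, display_name, **kwargs):
    """Portal-equivalent result: application object plus home-tenant service principal."""
    app = register_application(send, display_name, **kwargs)
    sp = create_service_principal(send, app["appId"])
    return app, sp


if __name__ == "__main__":
    fake = FakeGraph()
    app, sp = register_with_service_principal(
        fake, "HR app", multi_tenant=True,
        redirect_uris=["https://hr.example.test/signin-oidc"])  # constructed URI
    print("application object id:", app["id"], "appId:", app["appId"])
    print("service principal id: ", sp["id"], "appId:", sp["appId"])
```

Swap `FakeGraph()` for `graph_sender(token)` to run the same two calls against a real tenant; note that the two objects share an appId but have distinct object ids, which is exactly the distinction the rest of the article builds on.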

Application object

An Azure AD application is defined by its one and only application object, which resides in the Azure AD tenant where the application was registered (known as the application's "home" tenant). An application object is used as a template or blueprint to create one or more service principal objects. A service principal is created in every tenant where the application is used. Similar to a class in object-oriented programming, the application object has some static properties which are applied to all the created service principals (or application instances).

The application object describes three aspects of an application: how the service can issue tokens in order to access the application, the resources that the application might need to access, and the actions that the application can take.

The App registrations blade in the Azure portal is used to list and manage the application objects in your home tenant.

The Microsoft Graph Application entity defines the schema for an application object's properties.

Service principal object

To access resources that are secured by an Azure AD tenant, the entity that requires access must be represented by a security principal. This is true for both users (user principal) and applications (service principal). The security principal defines the access policy and permissions for the user/application in the Azure AD tenant. This enables core features such as authentication of the user/application during sign-in, and authorization during resource access.

A service principal is the local representation, or application instance, of a global application object in a single tenant or directory. A service principal is a concrete instance created from the application object and inherits certain properties from that application object. A service principal is created in each tenant where the application is used and references the globally unique app object. The service principal object defines what the app can actually do in the specific tenant, who can access the app, and what resources the app can access.

When an application is given permission to access resources in a tenant (upon registration or consent), a service principal object is created. You can also create a service principal object in a tenant using Azure PowerShell, Azure CLI, Microsoft Graph, the Azure portal, and other tools. When using the portal, a service principal is created automatically when you register an application.

The Enterprise applications blade in the portal is used to list and manage the service principals in a tenant. You can see a service principal's permissions, user-consented permissions, which users have given that consent, sign-in information, and more.

The Microsoft Graph ServicePrincipal entity defines the schema for a service principal object's properties.

Relationship between application objects and service principals

The application object is the global representation of your application for use across all tenants, and the service principal is the local representation for use in a specific tenant.

The application object serves as the template from which common and default properties are derived for use in creating corresponding service principal objects. An application object therefore has a 1:1 relationship with the software application, and a 1:many relationship with its corresponding service principal object(s).

A service principal must be created in each tenant where the application is used, enabling it to establish an identity for sign-in and/or access to resources being secured by the tenant. A single-tenant application has only one service principal (in its home tenant), created and consented for use during application registration. A multi-tenant web application/API also has a service principal created in each tenant where a user from that tenant has consented to its use.

Note

Any changes you make to your application object are also reflected in its service principal object in the application's home tenant only (the tenant where it was registered). For multi-tenant applications, changes to the application object are not reflected in any consumer tenants' service principal objects until the access is removed through the Application Access Panel and granted again.

Also note that native applications are registered as multi-tenant by default.

Example

The following diagram illustrates the relationship between an application's application object and its corresponding service principal objects, in the context of a sample multi-tenant application called HR app. There are three Azure AD tenants in this example scenario:

  • Adatum - The tenant used by the company that developed the HR app
  • Contoso - The tenant used by the Contoso organization, which is a consumer of the HR app
  • Fabrikam - The tenant used by the Fabrikam organization, which also consumes the HR app

[Diagram: relationship between the application object and the service principal objects]

In this example scenario:

Step    Description
1       Is the process of creating the application and service principal objects in the application's home tenant.
2       When Contoso and Fabrikam administrators complete consent, a service principal object is created in their company's Azure AD tenant and assigned the permissions that the administrator granted. Also note that the HR app could be configured/designed to allow consent by users for individual use.
3       The consumer tenants of the HR application (Contoso and Fabrikam) each have their own service principal object. Each represents their use of an instance of the application at runtime, governed by the permissions consented to by the respective administrator.
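The HR-app scenario above, together with the propagation caveat in the note (changes to the application object reach only the home tenant's service principal until a consumer tenant revokes and re-grants access), walked through as an added example. This is a simplified in-memory model written for this page, not Azure AD's implementation or any Microsoft code: the tenant names Adatum, Contoso and Fabrikam come from the article, while the permission names and all ids are constructed.

```python
"""Simplified model of application objects vs. service principals (added example).

Not Azure AD's implementation: an in-memory directory that encodes the rules the
article states (one template in the home tenant, one instance per consenting
tenant, template changes propagate to the home instance only), so the HR-app
scenario can be executed and inspected.
"""
from dataclasses import dataclass
import uuid


@dataclass
class ApplicationObject:
    """Global template: exactly one per software application, lives in the home tenant."""
    app_id: str
    home_tenant: str
    display_name: str
    multi_tenant: bool
    required_permissions: frozenset


@dataclass
class ServicePrincipal:
    """Local instance of the template in one tenant; properties are a snapshot taken at consent."""
    object_id: str
    app_id: str
    tenant: str
    display_name: str
    granted_permissions: frozenset


class Directory:
    def __init__(self):
        self.applications = {}        # app_id -> ApplicationObject
        self.service_principals = {}  # (tenant, app_id) -> ServicePrincipal

    def register(self, home_tenant, display_name, multi_tenant, required_permissions):
        """Portal-style registration: application object plus its home-tenant service principal."""
        app = ApplicationObject(str(uuid.uuid4()), home_tenant, display_name,
                                multi_tenant, frozenset(required_permissions))
        self.applications[app.app_id] = app
        self._instantiate(app, home_tenant)
        return app

    def _instantiate(self, app, tenant):
        sp = ServicePrincipal(str(uuid.uuid4()), app.app_id, tenant,
                              app.display_name, app.required_permissions)
        self.service_principals[(tenant, app.app_id)] = sp
        return sp

    def admin_consent(self, tenant, app_id):
        """An administrator in a consumer tenant consents: a service principal appears there."""
        app = self.applications[app_id]
        if tenant != app.home_tenant and not app.multi_tenant:
            raise PermissionError(f"{app.display_name} is single-tenant; {tenant} cannot consent")
        return self._instantiate(app, tenant)

    def update_application(self, app_id, **changes):
        """Template changes are copied to the home tenant's service principal only."""
        app = self.applications[app_id]
        for name, value in changes.items():
            setattr(app, name, value)
        home_sp = self.service_principals[(app.home_tenant, app_id)]
        home_sp.display_name = app.display_name
        home_sp.granted_permissions = app.required_permissions

    def revoke(self, tenant, app_id):
        """Removing access in a consumer tenant deletes its service principal."""
        del self.service_principals[(tenant, app_id)]

    def principals_for(self, app_id):
        return sorted((sp.tenant for sp in self.service_principals.values()
                       if sp.app_id == app_id))


def hr_app_scenario():
    """Steps 1-3 of the article's example, then the propagation caveat from the note."""
    d = Directory()
    hr = d.register("Adatum", "HR app", multi_tenant=True,
                    required_permissions={"User.Read"})          # step 1
    d.admin_consent("Contoso", hr.app_id)                         # step 2
    d.admin_consent("Fabrikam", hr.app_id)                        # step 2
    # Adatum changes the template after the consumer tenants have consented.
    d.update_application(hr.app_id, display_name="HR app v2",
                         required_permissions=frozenset({"User.Read", "Calendars.Read"}))
    return d, hr


if __name__ == "__main__":
    d, hr = hr_app_scenario()
    for tenant in d.principals_for(hr.app_id):
        sp = d.service_principals[(tenant, hr.app_id)]
        print(f"{tenant:9} {sp.display_name:10} {sorted(sp.granted_permissions)}")
```

Running it shows the home tenant's instance already carrying the new name and permission while Contoso and Fabrikam still hold the snapshot they consented to; only `revoke` followed by a fresh `admin_consent` brings a consumer tenant up to date.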

Next steps