How to: Configure an application's publisher domain

An application's publisher domain is displayed to users on the application's consent prompt to let users know where their information is being sent. Multi-tenant applications that are registered after May 21, 2019 and that don't have a publisher domain show up as unverified. Multi-tenant applications are applications that support accounts outside of a single organizational directory; for example, applications that support all Azure AD accounts.

New applications

When you register a new app, the publisher domain of your app may be set to a default value. The value depends on where the app is registered, particularly whether the app is registered in a tenant and whether the tenant has tenant-verified domains.

If there are tenant-verified domains, the app's publisher domain will default to the primary verified domain of the tenant. If there are no tenant-verified domains (which is the case when the application is not registered in a tenant), the app's publisher domain will be set to null.

The following table summarizes the default behavior of the publisher domain value.

Tenant-verified domains                   Default value of publisher domain
null                                      null
*.partner.onmschina.cn                    *.partner.onmschina.cn
- *.partner.onmschina.cn                  domain2.com
- domain1.com
- domain2.com (primary)

If a multi-tenant application's publisher domain isn't set, or if it's set to a domain that ends in .partner.onmschina.cn, the app's consent prompt will show unverified in place of the publisher domain.

Grandfathered applications

If your app was registered before May 21, 2019 and you have not set a publisher domain, your application's consent prompt will not show unverified. We recommend that you set the publisher domain value so that users can see this information on your app's consent prompt.

Configure publisher domain using the Azure portal

To set your app's publisher domain, follow these steps.

  1. Sign in to the Azure portal using a work or school account.

  2. If your account is present in more than one Azure AD tenant:

    1. Select your profile from the menu on the top-right corner of the page, and then select Switch directory.
    2. Change your session to the Azure AD tenant where you want to create your application.
  3. Navigate to Azure Active Directory > App registrations to find and select the app that you want to configure.

    Once you've selected the app, you'll see the app's Overview page.

  4. From the app's Overview page, select the Branding section.

  5. Find the Publisher domain field and select one of the following options:

    • Select Configure a domain if you haven't configured a domain already.
    • Select Update domain if a domain has already been configured.

If your app is registered in a tenant, you'll see two tabs to select from: Select a verified domain and Verify a new domain.

If your app isn't registered in a tenant, you'll only see the option to verify a new domain for your application.

To verify a new domain for your app

  1. Create a file named microsoft-identity-association.json and paste the following JSON code snippet.

    {
      "associatedApplications": [
        {
          "applicationId": "{YOUR-APP-ID-HERE}"
        },
        {
          "applicationId": "{YOUR-OTHER-APP-ID-HERE}"
        }
      ]
    }

  2. Replace the placeholder {YOUR-APP-ID-HERE} with the application (client) ID that corresponds to your app.

  3. Host the file at: https://{YOUR-DOMAIN-HERE}.com/.well-known/microsoft-identity-association.json. Replace the placeholder {YOUR-DOMAIN-HERE} to match the verified domain.

  4. Click the Verify and save domain button.

To select a verified domain

  • If your tenant has verified domains, select one of the domains from the Select a verified domain dropdown.

Note

The expected 'Content-Type' header that should be returned is application/json. You may get the error shown below if you use anything else, such as application/json; charset=utf-8:

"Verification of publisher domain failed. Error getting JSON file from https:///.well-known/microsoft-identity-association. The server returned an unexpected content type header value. "
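As an added example (not part of the original page, and not Microsoft's own verification code), the following Python pre-flight check builds the association file and validates an HTTP response against the three things the steps and the note above require: an HTTP 200, a Content-Type header of exactly application/json with no charset parameter, and the app's ID present in associatedApplications. The application ID is a constructed sample value, and fetch_and_check is an assumed helper for running the same checks against a live host.

```python
import json
import urllib.error
import urllib.request

# Path where Azure AD looks for the association file (from the page).
WELL_KNOWN_PATH = "/.well-known/microsoft-identity-association.json"

def build_association_file(app_ids):
    """Return the JSON body Azure AD expects, one entry per application (client) ID."""
    doc = {"associatedApplications": [{"applicationId": a} for a in app_ids]}
    return json.dumps(doc, indent=2)

def check_association_response(status, headers, body, app_id):
    """Validate an HTTP response for the association file. Returns (ok, reason)."""
    if status != 200:
        return False, f"unexpected HTTP status {status}"
    # HTTP header names are case-insensitive, so match them that way.
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), None)
    # The page states the header must be application/json; a charset parameter
    # (application/json; charset=utf-8) makes the verification fail.
    if ctype is None or ctype.strip() != "application/json":
        return False, f"unexpected content type header value: {ctype!r}"
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return False, f"body is not valid JSON: {exc}"
    apps = doc.get("associatedApplications") if isinstance(doc, dict) else None
    if not isinstance(apps, list):
        return False, "missing associatedApplications array"
    listed = {a.get("applicationId") for a in apps if isinstance(a, dict)}
    if app_id not in listed:
        return False, f"applicationId {app_id} is not listed"
    return True, "ok"

def fetch_and_check(domain, app_id, timeout=10):
    """Assumed helper: fetch the live file over HTTPS and run the same checks (needs network)."""
    url = f"https://{domain}{WELL_KNOWN_PATH}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            headers = dict(resp.headers.items())
            return check_association_response(resp.status, headers, resp.read().decode("utf-8"), app_id)
    except urllib.error.URLError as exc:  # HTTPError is a subclass of URLError
        return False, f"could not fetch {url}: {exc}"

# Constructed sample values for offline use (not a real application ID).
SAMPLE_APP_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_BODY = build_association_file([SAMPLE_APP_ID])
```

Run check_association_response against a captured response before clicking Verify and save domain; the charset case reproduces the "unexpected content type header value" failure quoted above.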

Configuring the publisher domain has an impact on what users see on the app consent prompt. To fully understand the components of the consent prompt, see Understanding the application consent experiences.

The following table describes the behavior for applications created before May 21, 2019.

(Image: consent prompt for apps created before May 21, 2019)

The behavior for new applications created after May 21, 2019 will depend on the publisher domain and the type of application. The following table describes the changes you should expect to see with the different combinations of configurations.

(Image: consent prompt for apps created after May 21, 2019)

Implications on redirect URIs

Applications that sign in users with any work or school account are subject to a few restrictions when specifying redirect URIs.

Single root domain restriction

When the publisher domain value for multi-tenant apps is set to null, apps are restricted to sharing a single root domain for their redirect URIs. For example, the following combination of values isn't allowed because the root domain, contoso.com, doesn't match fabrikam.com.

"https://contoso.com",
"https://fabrikam.com",

Subdomain restrictions

Subdomains are allowed, but you must explicitly register the root domain. For example, while the following URIs share a single root domain, the combination isn't allowed.

"https://app1.contoso.com",
"https://app2.contoso.com",

However, if the developer explicitly adds the root domain, the combination is allowed.

"https://contoso.com",
"https://app1.contoso.com",
"https://app2.contoso.com",

Exceptions

The following cases aren't subject to the single root domain restriction:

  • Single-tenant apps, or apps that target accounts in a single directory
  • Use of localhost as a redirect URI
  • Redirect URIs with custom schemes (non-HTTP or HTTPS)
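To make the rules in this section concrete, here is an added Python check (example code, not Microsoft's own validation logic) that applies the single-root-domain rule, the explicit-root-domain requirement for subdomains, and the exceptions listed above to a set of redirect URIs. It assumes the root domain is the last two labels of the host, which fits the contoso.com and fabrikam.com examples on this page but does not handle multi-label public suffixes.

```python
from urllib.parse import urlsplit

def root_domain(host):
    """Assumption for this example: the root domain is the last two host labels
    (app1.contoso.com -> contoso.com). Public-suffix handling is out of scope."""
    return ".".join(host.lower().split(".")[-2:])

def check_redirect_uris(uris, publisher_domain=None, single_tenant=False):
    """Apply the page's single-root-domain rules. Returns (allowed, reason)."""
    # Exception: single-tenant apps are not subject to the restriction.
    if single_tenant:
        return True, "single-tenant app: restriction does not apply"
    # The page describes the restriction for a null publisher domain only.
    if publisher_domain is not None:
        return True, "publisher domain is set: rule not evaluated by this check"
    hosts, roots = set(), set()
    for uri in uris:
        parts = urlsplit(uri)
        # Exception: custom schemes (non-HTTP/HTTPS) are exempt.
        if parts.scheme.lower() not in ("http", "https"):
            continue
        host = (parts.hostname or "").lower()
        # Exception: localhost redirect URIs are exempt.
        if host == "localhost":
            continue
        hosts.add(host)
        roots.add(root_domain(host))
    if len(roots) > 1:
        return False, f"redirect URIs span multiple root domains: {sorted(roots)}"
    # Subdomains are allowed only if the root domain itself is registered.
    missing = roots - hosts
    if missing:
        return False, f"root domain must be registered explicitly: {sorted(missing)}"
    return True, "ok"

if __name__ == "__main__":
    # The three combinations discussed on this page.
    for uris in (
        ["https://contoso.com", "https://fabrikam.com"],
        ["https://app1.contoso.com", "https://app2.contoso.com"],
        ["https://contoso.com", "https://app1.contoso.com", "https://app2.contoso.com"],
    ):
        print(uris, "->", check_redirect_uris(uris))
```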

Configure publisher domain programmatically

Currently, there is no REST API or PowerShell support to configure the publisher domain programmatically.