如何:使用门户创建可访问资源的 Azure AD 应用程序和服务主体How to: Use the portal to create an Azure AD application and service principal that can access resources

本文介绍如何创建新的 Azure Active Directory (Azure AD) 应用程序和服务主体,后者可以与基于角色的访问控制配合使用。This article shows you how to create a new Azure Active Directory (Azure AD) application and service principal that can be used with the role-based access control. 如果有需要访问或修改资源的代码,则可以为应用创建标识。When you have code that needs to access or modify resources, you can create an identity for the app. 此标识称为服务主体。This identity is known as a service principal. 可以将所需权限分配给服务主体。You can then assign the required permissions to the service principal. 本文介绍如何使用门户创建服务主体。This article shows you how to use the portal to create the service principal. 重点介绍单租户应用程序,其中应用程序只应在一个组织内运行。It focuses on a single-tenant application where the application is intended to run within only one organization. 通常会将单租户应用程序作为在组织中运行的业务线应用程序使用。You typically use single-tenant applications for line-of-business applications that run within your organization.


请考虑使用 Azure 资源的托管标识作为应用程序标识,而不是创建服务主体。Instead of creating a service principal, consider using managed identities for Azure resources for your application identity. 如果代码在支持托管标识的服务上运行并访问支持 Azure AD 身份验证的资源,则托管标识是更好的选择。If your code runs on a service that supports managed identities and accesses resources that support Azure AD authentication, managed identities are a better option for you. 若要详细了解 Azure 资源的托管标识(包括当前支持它的服务),请参阅什么是 Azure 资源的托管标识?To learn more about managed identities for Azure resources, including which services currently support it, see What is managed identities for Azure resources?.

创建 Azure Active Directory 应用程序Create an Azure Active Directory application

我们直接介绍如何创建标识。Let's jump straight into creating the identity. 如果遇到问题,请查看所需权限,确保帐户可以创建标识。If you run into a problem, check the required permissions to make sure your account can create the identity.

  1. 通过 Azure 门户登录到 Azure 帐户。Sign in to your Azure Account through the Azure portal.

  2. 选择“Azure Active Directory” 。Select Azure Active Directory.

  3. 选择“应用注册” 。Select App registrations.

  4. 选择“新注册”。 Select New registration.

  5. 为应用程序命名。Name the application. 选择支持的帐户类型,它决定了谁可以使用应用程序。Select a supported account type, which determines who can use the application. 在“重定向 URI” 下,选择“Web” 作为要创建的应用程序类型。Under Redirect URI, select Web for the type of application you want to create. 输入访问令牌将发送到的 URI。Enter the URI where the access token is sent to. 该类型不能用于自动化应用程序。You can't use that type for an automated application. 设置这些值后,选择“注册” 。After setting the values, select Register.


现已创建了 Azure AD 应用程序和服务主体。You've created your Azure AD application and service principal.

将应用程序分配给角色Assign the application to a role

要访问订阅中的资源,必须将应用程序分配到角色。To access resources in your subscription, you must assign the application to a role. 判定哪个角色能为应用程序提供适当的权限。Decide which role offers the right permissions for the application. 若要了解有关可用角色的信息,请参阅 RBAC:内置角色To learn about the available roles, see RBAC: Built in Roles.

可将作用域设置为订阅、资源组或资源级别。You can set the scope at the level of the subscription, resource group, or resource. 较低级别的作用域会继承权限。Permissions are inherited to lower levels of scope. 例如,将某个应用程序添加到资源组的“读取者”角色意味着该应用程序可以读取该资源组及其包含的所有资源。For example, adding an application to the Reader role for a resource group means it can read the resource group and any resources it contains.

  1. 在 Azure 门户中,选择希望将应用程序分配到的范围级别。In the Azure portal, select the level of scope you wish to assign the application to. 例如,若要在订阅范围内分配角色,请搜索并选择“订阅” ,或在“主页” 页上选择“订阅” 。For example, to assign a role at the subscription scope, search for and select Subscriptions, or select Subscriptions on the Home page.


  2. 选择要将应用程序分配到的特定订阅。Select the particular subscription to assign the application to.


    如果未看到所需订阅,请选择“全局订阅筛选器” 。If you don't see the subscription you're looking for, select global subscriptions filter. 请确保已为该门户选择所需的订阅。Make sure the subscription you want is selected for the portal.

  3. 选择“访问控制(IAM)” 。Select Access control (IAM).

  4. 选择“添加角色分配” 。Select Add role assignment.

  5. 选择要分配到应用程序的角色。Select the role you wish to assign to the application. 例如,若要允许应用程序执行诸如“重新启动”、“启动”和“停止”实例之类的操作,请选择“参与者”角色 。For example, to allow the application to execute actions like reboot, start and stop instances, select the Contributor role. 详细阅读可用角色,默认情况下,Azure AD 应用程序不会显示在可用选项中。Read more about the available roles By default, Azure AD applications aren't displayed in the available options. 若要查找应用程序,请搜索其名称并选中它。To find your application, search for the name and select it.


  6. 选择“保存” 完成角色分配。Select Save to finish assigning the role. 该应用程序会显示在分配到该范围角色的用户列表中。You see your application in the list of users assigned to a role for that scope.

服务主体已设置完毕。Your service principal is set up. 可以开始使用它运行脚本或应用。You can start using it to run your scripts or apps. 下一部分演示如何获取以编程方式登录时所需的值。The next section shows how to get values that are needed when signing in programmatically.

获取用于登录的值Get values for signing in

以编程方式登录时,需要随身份验证请求传递租户 ID。When programmatically signing in, you need to pass the tenant ID with your authentication request. 还需要应用程序 ID 和身份验证密钥。You also need the ID for your application and an authentication key. 若要获取这些值,请使用以下步骤:To get those values, use the following steps:

  1. 选择“Azure Active Directory” 。Select Azure Active Directory.

  2. 从 Azure AD 中的“应用注册” ,选择应用程序。From App registrations in Azure AD, select your application.

  3. 复制“目录(租户) ID”并将其存储在应用程序代码中。Copy the Directory (tenant) ID and store it in your application code.

    复制目录(租户)ID 并将其存储在应用代码中

  4. 复制“应用程序 ID” 并将其存储在应用程序代码中。Copy the Application ID and store it in your application code.


证书和机密Certificates and secrets

守护程序应用程序可以使用两种形式的凭据来向 Azure AD 进行身份验证:证书和应用程序机密。Daemon applications can use two forms of credentials to authenticate with Azure AD: certificates and application secrets. 我们建议使用证书,但你也可以创建新的应用程序机密。We recommend using a certificate, but you can also create a new application secret.

上传证书Upload a certificate

可以使用现有证书(如果有)。You can use an existing certificate if you have one. (可选)可以创建自签名证书以进行测试。Optionally, you can create a self-signed certificate for testing purposes. 打开 PowerShell 并使用以下参数运行 New-SelfSignedCertificate,以在计算机上的用户证书存储中创建自签名证书:Open PowerShell and run New-SelfSignedCertificate with the following parameters to create a self-signed certificate in the user certificate store on your computer:

$cert=New-SelfSignedCertificate -Subject "CN=DaemonConsoleCert" -CertStoreLocation "Cert:\CurrentUser\My"  -KeyExportPolicy Exportable -KeySpec Signature

使用可从 Windows 控制面板访问的管理用户证书 MMC 管理单元将此证书导出到文件。Export this certificate to a file using the Manage User Certificate MMC snap-in accessible from the Windows Control Panel.

若要上传证书,请执行以下操作:To upload the certificate:

  1. 选择“证书和机密” 。Select Certificates & secrets.

  2. 选择“上传证书” 并选择证书(现有证书或导出的自签名证书)。Select Upload certificate and select the certificate (an existing certificate or the self-signed certificate you exported).


  3. 选择“添加” 。Select Add.

在门户中将证书注册到应用程序后,需要启用客户端应用程序代码才能使用该证书。After registering the certificate with your application in the portal, you need to enable the client application code to use the certificate.

创建新的应用程序机密Create a new application secret

如果选择不使用证书,则可以创建新的应用程序机密。If you choose not to use a certificate, you can create a new application secret.

  1. 选择“证书和机密” 。Select Certificates & secrets.

  2. 选择“客户端机密”->“新建客户端机密”。 Select Client secrets -> New client secret.

  3. 提供机密的说明和持续时间。Provide a description of the secret, and a duration. 完成后,选择“添加”。 When done, select Add.

    保存客户端机密后,将显示客户端机密的值。After saving the client secret, the value of the client secret is displayed. 复制此值,因为稍后不能检索密钥。Copy this value because you aren't able to retrieve the key later. 提供密钥值及应用程序 ID,以该应用程序的身份登录。You provide the key value with the application ID to sign in as the application. 将密钥值存储在应用程序可检索的位置。Store the key value where your application can retrieve it.


在资源上配置访问策略Configure access policies on resources

请记住,你可能需要对应用程序需要访问的资源配置附加权限。Keep in mind, you might need to configure addition permissions on resources that your application needs to access. 例如,你还必须更新密钥保管库的访问策略,以使应用程序能够访问密钥、机密或证书。For example, you must also update a key vault's access policies to give your application access to keys, secrets, or certificates.

  1. Azure 门户中,导航到密钥保管库并选择“访问策略” 。In the Azure portal, navigate to your key vault and select Access policies.
  2. 选择“添加访问策略” ,然后选择要授予应用程序的密钥、机密和证书权限。Select Add access policy, then select the key, secret, and certificate permissions you want to grant your application. 选择之前创建的服务主体。Select the service principal you created previously.
  3. 选择“添加” 以添加访问策略,然后选择“保存” 以提交更改。Select Add to add the access policy, then Save to commit your changes. 添加访问策略Add access policy

所需的权限Required permissions

必须具有足够的权限向 Azure AD 租户注册应用程序,并将应用程序分配到 Azure 订阅中的角色。You must have sufficient permissions to register an application with your Azure AD tenant, and assign the application to a role in your Azure subscription.

检查 Azure AD 权限Check Azure AD permissions

  1. 选择“Azure Active Directory” 。Select Azure Active Directory.

  2. 记下你的角色。Note your role. 如果角色为“用户”,则必须确保非管理员可以注册应用程序 。If you have the User role, you must make sure that non-administrators can register applications.


  3. 在左侧窗格中,选择“用户设置” 。In the left pane, select User settings.

  4. 检查“应用注册” 设置。Check the App registrations setting. 只有管理员可设置此值。This value can only be set by an administrator. 如果设置为“是”,则 Active AD 租户中的任何用户都可以注册应用 。If set to Yes, any user in the Azure AD tenant can register an app.

如果应用注册设置设定为“否” ,则只有具有管理员角色的用户才能注册这些类型的应用程序。If the app registrations setting is set to No, only users with an administrator role may register these types of applications. 请参阅可用角色角色权限来了解 Azure AD 中的可用管理员角色以及授予每个角色的具体权限。See available roles and role permissions to learn about available administrator roles and the specific permissions in Azure AD that are given to each role. 如果将帐户分配到“用户”角色,但应用注册设置仅限于管理员用户,请要求管理员为你分配可以创建和管理应用注册的所有方面的管理员角色之一,或者让用户能够注册应用。If your account is assigned to the User role, but the app registration setting is limited to admin users, ask your administrator to either assign you to one of the administrator roles that can create and manage all aspects of app registrations, or to enable users to register apps.

检查 Azure 订阅权限Check Azure subscription permissions

在 Azure 订阅中,帐户必须具有 Microsoft.Authorization/*/Write 访问权限才能向角色分配 AD 应用。In your Azure subscription, your account must have Microsoft.Authorization/*/Write access to assign an AD app to a role. 通过所有者角色或用户访问管理员角色授权此操作。This action is granted through the Owner role or User Access Administrator role. 如果将帐户分配到“参与者”角色,则没有足够权限 。If your account is assigned to the Contributor role, you don't have adequate permission. 尝试将服务主体分配到角色时,将收到错误。You receive an error when attempting to assign the service principal to a role.

检查订阅权限的方法如下:To check your subscription permissions:

  1. 在右上角选择自己的帐户,然后选择“...”->“我的权限”。 Select your account in the upper right corner, and select ... -> My permissions.


  2. 从下拉列表中,选择要在其中创建服务主体的订阅。From the drop-down list, select the subscription you want to create the service principal in. 然后,选择“单击此处查看此订阅的完整访问详细信息” 。Then, select Click here to view complete access details for this subscription.


  3. 选择“角色分配” 以查看分配到的角色,并确定你是否拥有足够的权限来向角色分配 AD 应用。Select Role assignments to view your assigned roles, and determine if you have adequate permissions to assign an AD app to a role. 如果没有,请要求订阅管理员将你添加到用户访问管理员角色。If not, ask your subscription administrator to add you to User Access Administrator role. 在下图中,用户分配到了“所有者”角色,这意味着该用户具有足够的权限。In the following image, the user is assigned to the Owner role, which means that user has adequate permissions.


后续步骤Next steps