Quickstart: Modify the accounts supported by an application

When registering an application in the Microsoft identity platform, you may want your application to be accessed only by users in your organization.

In this quickstart, you'll learn how to modify your application's configuration to change who, or what accounts, can access the application.

Prerequisites

To get started, make sure you complete these prerequisites:

Sign in to the Azure portal and select the app

Before you can configure the app, follow these steps:

  1. Sign in to the Azure portal using a work or school account.
  2. If your account gives you access to more than one tenant, select your account in the top right corner, and set your portal session to the desired Azure AD tenant.
  3. In the left-hand navigation pane, select the Azure Active Directory service and then select App registrations.
  4. Find and select the application you want to configure. Once you've selected the app, you'll see the application's Overview or main registration page.
  5. Follow the steps to change the application registration to support different accounts.
  6. If you have a single-page application, enable OAuth 2.0 implicit grant.

Change the application registration to support different accounts

If you are writing an application that you want to make available to your customers or partners outside of your organization, you need to update the application definition in the Azure portal.

Important

Azure AD requires the Application ID URI of multi-tenant applications to be globally unique. The App ID URI is one of the ways an application is identified in protocol messages. For a single-tenant application, it is sufficient for the App ID URI to be unique within that tenant. For a multi-tenant application, it must be globally unique so Azure AD can find the application across all tenants. Global uniqueness is enforced by requiring the App ID URI to have a host name that matches a verified domain of the Azure AD tenant. For example, if the name of your tenant is contoso.partner.onmschina.cn, then a valid App ID URI would be https://contoso.partner.onmschina.cn/myapp. If your tenant has a verified domain of contoso.com, then a valid App ID URI would also be https://contoso.com/myapp. If the App ID URI doesn't follow this pattern, setting an application as multi-tenant fails.
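The following script, added here as an illustration and not part of the original quickstart or of any Microsoft tooling, applies the host-name rule above to candidate App ID URIs before you flip the app to multi-tenant. The verified domains are a constructed sample built from the two domains the note mentions; the exact-match comparison (no subdomains) is an assumption of this check.

```python
from urllib.parse import urlparse

# Constructed sample: the verified domains of a hypothetical tenant, using the
# two domains the quickstart mentions (the tenant's default domain and a
# custom verified domain). Real values come from the tenant's own verified
# domain list, not from this script.
VERIFIED_DOMAINS = {"contoso.partner.onmschina.cn", "contoso.com"}


def check_app_id_uri(app_id_uri: str, verified_domains) -> tuple[bool, str]:
    """Check the multi-tenant App ID URI rule described in the quickstart.

    Returns (ok, reason). ok is True only when the URI has a host name and that
    host name is one of the tenant's verified domains. Host names are compared
    case-insensitively; an exact match is required (assumption: subdomains of a
    verified domain are not accepted by this check).
    """
    parsed = urlparse(app_id_uri)
    host = parsed.hostname  # lower-cased, port stripped; None if no authority
    if not parsed.scheme or host is None:
        return False, "not an absolute URI with a host name"
    normalized = {d.lower() for d in verified_domains}
    if host not in normalized:
        return False, f"host {host!r} is not a verified domain of the tenant"
    return True, "ok"


def partition_app_id_uris(uris, verified_domains):
    """Split candidate URIs into those that satisfy the rule and those that do not."""
    valid, invalid = [], {}
    for uri in uris:
        ok, reason = check_app_id_uri(uri, verified_domains)
        if ok:
            valid.append(uri)
        else:
            invalid[uri] = reason
    return valid, invalid


if __name__ == "__main__":
    # Constructed candidates: the two valid examples from the page plus two that
    # would make the multi-tenant switch fail.
    candidates = [
        "https://contoso.partner.onmschina.cn/myapp",
        "https://contoso.com/myapp",
        "https://fabrikam.com/myapp",
        "myapp",
    ]
    valid, invalid = partition_app_id_uris(candidates, VERIFIED_DOMAINS)
    print("valid:", valid)
    for uri, reason in invalid.items():
        print("invalid:", uri, "->", reason)
```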

To change who can access your application

  1. From the app's Overview page, select the Authentication section and change the value selected under Supported account types.
    • Select Accounts in this directory only if you are building a line-of-business (LOB) application. This option is not available if the application is not registered in a directory.
    • Select Accounts in any organizational directory if you would like to target all business and educational customers.
  2. Select Save.

Enable OAuth 2.0 implicit grant for single-page applications

Single-page applications (SPAs) are typically structured with a JavaScript-heavy front end that runs in the browser, which calls the application's web API back end to perform its business logic. For SPAs hosted in Azure AD, you use OAuth 2.0 implicit grant to authenticate the user with Azure AD and obtain a token that you can use to secure calls from the application's JavaScript client to its back-end web API.

After the user has granted consent, this same authentication protocol can be used to obtain tokens to secure calls between the client and other web API resources configured for the application. To learn more about the implicit authorization grant, and to help you decide whether it's right for your application scenario, learn about the OAuth 2.0 implicit grant flow in Azure AD v1.0 and v2.0.

By default, OAuth 2.0 implicit grant is disabled for applications. You can enable OAuth 2.0 implicit grant for your application by following the steps outlined below.

To enable OAuth 2.0 implicit grant

  1. In the left-hand navigation pane, select the Azure Active Directory service and then select App registrations.
  2. Find and select the application you want to configure. Once you've selected the app, you'll see the application's Overview or main registration page.
  3. From the app's Overview page, select the Authentication section.
  4. Under Advanced settings, locate the Implicit grant section.
  5. Select ID tokens, Access tokens, or both.
  6. Select Save.

Next steps

Learn about these other related app management quickstarts:

To learn more about the two Azure AD objects that represent a registered application and the relationship between them, see Application objects and service principal objects.

To learn more about the branding guidelines you should use when developing applications with Azure Active Directory, see Branding guidelines for applications.