Daemon app that calls web APIs - app registration

For a daemon application, here's what you need to know when registering the app.

Supported account types

Given that daemon applications only make sense in an Azure AD tenant, when you create the application you'll need to choose:

  • either Accounts in this organizational directory only. This choice is the most common case, as daemon applications are usually written by line-of-business (LOB) developers.
  • or Accounts in any organizational directory. You'll make this choice if you're an ISV providing a utility tool to your customers. Each customer's tenant admins will need to approve it (see the admin consent section below).

Authentication - no reply URI needed

In the case where your confidential client application uses only the client credentials flow, no reply URL needs to be registered. It's not needed for the application configuration/construction either: the client credentials flow never redirects a browser, so it doesn't use one.

A daemon application can only request application permissions to APIs (not delegated permissions), because there is no signed-in user on whose behalf it could act. In the API permissions page of the application registration, after you've selected Add a permission and chosen the API family, choose Application permissions, and then select your permissions.

App permissions and admin consent

Daemon applications require a tenant admin to pre-consent to the application calling the web API. This consent is provided in the same API permissions page, by a tenant admin selecting Grant admin consent for our organization. Keep in mind that application permissions are not scoped to any user: once granted, the app can exercise them across the whole tenant, so request only the permissions the daemon actually needs.

If you're an ISV building a multi-tenant application, you'll want to check the Deployment - case of multi-tenant daemon apps paragraph.

Registration of secrets or certificates

As for any confidential client application, you need to register a secret or a certificate. For production daemons, a certificate is the better choice: only the public part is registered with Azure AD, while a client secret is a shared value that has to be stored and protected by the app. You can register your application credentials either through the interactive experience in the Azure portal, or using command-line tools (like PowerShell).

Registering client secrets in the Azure portal

Client credentials are managed in the Certificates & secrets page for an application:


  • The application secret (also named client secret) is generated by Azure AD during the registration of the confidential client application. This generation happens when you select New client secret. At that point, you must copy the secret string to the clipboard for use in your app, before selecting Save. The portal won't present this string again; if it's lost, you have to create a new secret. Store it in a secret store (not in source control) and plan for its expiry and rotation.
  • The certificate is uploaded to the application registration using the Upload certificate button. Only the public certificate is uploaded; the private key stays with the daemon.

For details, see Quickstart: Configure a client application to access web APIs | Add credentials to your application.

Registering client secrets using PowerShell

Alternatively, you can register your application with Azure AD using command-line tools. The active-directory-dotnetcore-daemon-v2 sample shows how to register an application secret or a certificate with an Azure AD application.
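The following script is an added example and is not code from this page or from the active-directory-dotnetcore-daemon-v2 sample. It uses the AzureAD PowerShell module to do what the portal steps above describe: create a single-tenant app registration with no reply URL, attach a certificate credential, and optionally add a client secret whose value Azure AD returns only once. It assumes the AzureAD module is installed, that you sign in as a user allowed to create app registrations, and that you run it on Windows (New-SelfSignedCertificate comes from the Windows PKI module). The display name and secret identifier are hypothetical.

```powershell
# Added example (not from the page or the sample): register a daemon app and its credentials.
Import-Module AzureAD
Connect-AzureAD   # interactive sign-in; add -TenantId <guid> to target a specific tenant

$displayName = "contoso-daemon-sample"   # hypothetical app name

# 1. Create the app registration. No -ReplyUrls: the client credentials flow never
#    redirects, so none is needed. -AvailableToOtherTenants $false corresponds to
#    "Accounts in this organizational directory only".
$app = New-AzureADApplication -DisplayName $displayName -AvailableToOtherTenants $false

# The service principal is the object that receives application permissions
# (admin consent) in this tenant.
$sp = New-AzureADServicePrincipal -AppId $app.AppId

# 2. Certificate credential (preferred). Create a self-signed cert in the current
#    user's store and upload only its public part; the private key never leaves the box.
$cert = New-SelfSignedCertificate -Subject "CN=$displayName" `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyExportPolicy Exportable -KeySpec Signature `
    -NotAfter (Get-Date).AddYears(1)

$keyValue  = [System.Convert]::ToBase64String($cert.GetRawCertData())
$keyId     = [System.Convert]::ToBase64String($cert.GetCertHash())
New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId `
    -CustomKeyIdentifier $keyId `
    -Type AsymmetricX509Cert -Usage Verify -Value $keyValue `
    -StartDate $cert.NotBefore -EndDate $cert.NotAfter

# 3. Optional client secret. Azure AD generates the value and returns it once in
#    $secret.Value; it cannot be read back later, exactly like the portal.
$secretEnd = (Get-Date).AddMonths(6)
$secret = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId `
    -CustomKeyIdentifier "initial-secret" -EndDate $secretEnd   # hypothetical identifier

# Values the daemon's configuration needs. Put the secret in a secret store, never in source.
Write-Host "Tenant ID       : $((Get-AzureADTenantDetail).ObjectId)"
Write-Host "Client ID       : $($app.AppId)"
Write-Host "Cert thumbprint : $($cert.Thumbprint)"
Write-Host "Client secret   : $($secret.Value)   (shown once; expires $secretEnd)"
```

Granting the application permissions themselves (admin consent) is still done by a tenant admin in the API permissions page as described above; this script only creates the registration and its credentials. Keep the secret's expiry short and rotate it, or drop step 3 entirely and use the certificate only.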

Next steps