Daemon app that calls web APIs - app registration

For a daemon application, here's what you need to know when you register the app.

Supported account types

Daemon applications make sense only in Azure AD tenants. So when you create the application, you need to choose one of the following options:

  • Accounts in this organizational directory only. This choice is the most common one because daemon applications are usually written by line-of-business (LOB) developers.
  • Accounts in any organizational directory. You'll make this choice if you're an ISV providing a utility tool to your customers. You'll need your customers' tenant admins to approve it.

Authentication - no reply URI needed

In the case where your confidential client application uses only the client credentials flow, the reply URI doesn't need to be registered. It's not needed for the application configuration or construction. The client credentials flow doesn't use it.

A daemon application can request only application permissions to APIs (not delegated permissions). On the API permissions page for the application registration, after you've selected Add a permission and chosen the API family, choose Application permissions, and then select your permissions.

Application permissions and admin consent

Note

The web API that you want to call needs to define application permissions (app roles), not delegated permissions. For details on how to expose such an API, see Protected web API: App registration - when your web API is called by a daemon app.

Daemon applications require that a tenant admin pre-consent to the application calling the web API. Tenant admins provide this consent on the same API permissions page by selecting Grant admin consent to our organization.

If you're an ISV building a multitenant application, you should read the section Deployment - case of multitenant daemon apps.

Add a client secret or certificate

As with any confidential client application, you need to add a secret or certificate to act as that application's credentials so it can authenticate as itself, without user interaction.

You can add credentials to your client app's registration by using the Azure portal or by using a command-line tool like PowerShell.

Add client credentials by using the Azure portal

To add credentials to your confidential client application's app registration, follow the steps in Quickstart: Register an application with the Microsoft identity platform for the type of credential you want to add:

Add client credentials by using PowerShell

Alternatively, you can add credentials when you register your application with the Microsoft identity platform by using PowerShell.

The active-directory-dotnetcore-daemon-v2 code sample on GitHub shows how to add an application secret or certificate when registering an application:
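As an added example, not the GitHub sample's own code, the following Microsoft Graph PowerShell script registers a single-tenant daemon app with a certificate credential rather than a secret, requests one application permission (app role, not a delegated scope) and grants the admin consent that the daemon needs before it can call the API. The app name, the Windows-only New-SelfSignedCertificate step, and the use of Microsoft Graph's User.Read.All app role as a stand-in for the app role your own web API exposes are assumptions.

```powershell
# Added example: register a daemon app with a certificate credential, one application
# permission and tenant-wide admin consent, using the Microsoft.Graph PowerShell module.
# Assumptions: Microsoft.Graph installed, Windows (New-SelfSignedCertificate), and a
# signed-in account that is allowed to create apps and grant admin consent.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"

$appName = "ContosoReportDaemon"   # hypothetical display name

# 1. Certificate credential: the private key never leaves the user's store.
$cert = New-SelfSignedCertificate -Subject "CN=$appName" `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy NonExportable `
    -KeySpec Signature -KeyAlgorithm RSA -KeyLength 2048 `
    -NotAfter (Get-Date).AddMonths(12)

# 2. Resolve the app role on the resource API instead of hard-coding its GUID.
#    (00000003-0000-0000-c000-000000000000 is Microsoft Graph's well-known app id.)
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$role = $graphSp.AppRoles | Where-Object {
    $_.Value -eq "User.Read.All" -and $_.AllowedMemberTypes -contains "Application"
}
if (-not $role) { throw "Application permission User.Read.All not found on the resource." }

# 3. Register the app: single-tenant audience, no reply URI, and an application permission
#    only (Type = "Role"; "Scope" would be a delegated permission a daemon cannot use).
$app = New-MgApplication -DisplayName $appName -SignInAudience "AzureADMyOrg" `
    -RequiredResourceAccess @(@{
        ResourceAppId  = $graphSp.AppId
        ResourceAccess = @(@{ Id = $role.Id; Type = "Role" })
    }) `
    -KeyCredentials @(@{
        Type        = "AsymmetricX509Cert"
        Usage       = "Verify"
        Key         = $cert.RawData
        DisplayName = "$appName cert $($cert.Thumbprint)"
    })

# 4. Create the service principal in this tenant, then grant the app role to it.
#    This app role assignment is the programmatic form of "Grant admin consent".
$sp = New-MgServicePrincipal -AppId $app.AppId
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
    -PrincipalId $sp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null

# Values the daemon's configuration needs; no secret is produced or written anywhere.
"ClientId   : $($app.AppId)"
"TenantId   : $((Get-MgContext).TenantId)"
"Thumbprint : $($cert.Thumbprint)"
```

Swap the Graph lookup for your own API's service principal (filter on its appId) and the app role value it defines to target a custom web API instead of Microsoft Graph.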

Next steps