Tenancy in Azure Active Directory

Azure Active Directory (Azure AD) organizes objects like users and apps into groups called tenants. Tenants allow an administrator to set policies on the users within the organization and on the apps that the organization owns, so that the organization's security and operational policies are met.

Who can sign in to your app?

When developing an app, developers choose whether to configure it as single-tenant or multi-tenant during app registration in the Azure portal.

  • Single-tenant apps are only available in the tenant they were registered in, also known as their home tenant.
  • Multi-tenant apps are available to users in both their home tenant and other tenants.

In the Azure portal, you configure your app as single-tenant or multi-tenant by setting the audience as follows.

Audience | Single/multi-tenant | Who can sign in
Accounts in this directory only | Single tenant | All user and guest accounts in your directory can use your application or API. Use this option if your target audience is internal to your organization.
Accounts in any Azure AD directory | Multi-tenant | All users and guests with a work or school account from Microsoft can use your application or API. This includes schools and businesses that use Microsoft 365. Use this option if your target audience is business or educational customers.
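The audience setting above is enforced by Azure AD at sign-in, but an app should also confirm that the token it receives is consistent with the audience it was registered for. The following Python is an added example, not code from the page or from Microsoft: it assumes the app manifest's signInAudience values AzureADMyOrg and AzureADMultipleOrgs stand for the two table rows, uses constructed placeholder tenant IDs, and assumes the token's signature has already been verified against the issuing tenant's keys before these checks run.

```python
import base64
import json
from typing import Iterable, Optional

# App-manifest "signInAudience" values corresponding to the two audience options.
AUDIENCE_SINGLE_TENANT = "AzureADMyOrg"        # "Accounts in this directory only"
AUDIENCE_MULTI_TENANT = "AzureADMultipleOrgs"  # "Accounts in any Azure AD directory"

ISSUER_PREFIX = "https://login.microsoftonline.com/"


def decode_claims(jwt: str) -> dict:
    """Parse the payload claims of a JWT. This does NOT verify the signature;
    signature verification must already have happened (assumption)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned test token (placeholder signature part)."""
    def b64(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}.sig"


def sign_in_allowed(sign_in_audience: str, home_tenant_id: str, claims: dict,
                    allowed_tenants: Optional[Iterable[str]] = None) -> bool:
    """Decide whether a sign-in matches the app's registered audience.
    allowed_tenants is an optional operator allowlist for multi-tenant apps
    (an assumption added here, not part of the portal setting)."""
    tid = claims.get("tid")
    iss = claims.get("iss", "")
    if not tid:
        return False
    # The issuer must be the v2.0 endpoint of the very tenant named in "tid";
    # accepting any issuer is the classic multi-tenant validation mistake.
    if iss != f"{ISSUER_PREFIX}{tid}/v2.0":
        return False
    if sign_in_audience == AUDIENCE_SINGLE_TENANT:
        return tid == home_tenant_id  # only the home tenant may sign in
    if sign_in_audience == AUDIENCE_MULTI_TENANT:
        return allowed_tenants is None or tid in set(allowed_tenants)
    return False  # unknown audience value: fail closed
```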

Best practices for multi-tenant apps

Building great multi-tenant apps can be challenging because of the number of different policies that IT administrators can set in their tenants. If you choose to build a multi-tenant app, follow these best practices:

  • Test your app in a tenant that has Conditional Access policies configured.
  • Follow the principle of least user access to ensure that your app only requests the permissions it actually needs.
  • Provide appropriate names and descriptions for any permissions you expose as part of your app. This helps users and admins know what they are agreeing to when they attempt to use your app's APIs. For more information, see the best practices section in the permissions guide.

Next steps