Assign a user to an enterprise app in Azure Active Directory

To assign a user to an enterprise app, you must hold one of these admin roles: Global Administrator, Application Administrator, Cloud Application Administrator, or be assigned as an owner of the enterprise app. For Microsoft applications (such as Office 365 apps), use PowerShell to assign users to the enterprise app.

Note

For licensing requirements for the features discussed in this article, see the Azure Active Directory pricing page.

Assign a user to an app - portal

  1. Sign in to the Azure portal with an account that's a global admin for the directory.

  2. Select All services, enter Azure Active Directory in the text box, and then select Enter.

  3. Select Enterprise applications.

  4. On the Enterprise applications - All applications pane, you see a list of the apps you can manage. Select an app.

  5. On the appname pane (that is, the pane with the name of the selected app in the title), select Users and groups.

  6. On the appname - Users and groups pane, select Add user.

  7. On the Add Assignment pane, select Users.

    Screenshot: Assign a user to an app

  8. On the Users pane, select one or more users from the list, and then choose the Select button at the bottom of the pane.

  9. On the Add Assignment pane, select Role. Then, on the Select Role pane, select the role to apply to the selected users, and select OK at the bottom of the pane.

  10. On the Add Assignment pane, select the Assign button at the bottom of the pane. The assigned users have the permissions defined by the selected role for this enterprise app.

Allow all users to access an app - portal

  1. Sign in to the Azure portal with an account that's a global admin for the directory.
  2. Select All services, enter Azure Active Directory in the text box, and then select Enter.
  3. Select Enterprise applications.
  4. On the Enterprise applications pane, select All applications. This lists the apps you can manage.
  5. On the Enterprise applications - All applications pane, select an app.
  6. On the appname pane, select Properties.
  7. On the appname - Properties pane, set the User assignment required? setting to No.

The User assignment required? option:

  • If this option is set to Yes, users must first be assigned to this application before they can access it.
  • If this option is set to No, any user who navigates directly to the application's deep-link URL or application URL is granted access.
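
Because setting this option to No opens the app to every account in the tenant, it is worth knowing which apps currently have it set that way. The following script is an added example, not part of the original article: it connects to the Azure China cloud as the article does, lists every enterprise app whose service principal has AppRoleAssignmentRequired set to $false (the property behind the User assignment required? switch), and shows how to set one named app back to Yes. The app display name Contoso HR Portal is an assumed placeholder.

```powershell
# Added example: audit which enterprise apps allow any signed-in user to access them.
# Assumes the AzureAD module is installed and the account holds one of the admin roles listed above.
Connect-AzureAD -AzureEnvironmentName AzureChinaCloud

# "User assignment required? = No" in the portal corresponds to
# AppRoleAssignmentRequired = $false on the service principal.
$openApps = @(Get-AzureADServicePrincipal -All $true |
    Where-Object { -not $_.AppRoleAssignmentRequired } |
    Select-Object DisplayName, AppId, ObjectId)

"Enterprise apps that do not require user assignment: $($openApps.Count)"
$openApps | Sort-Object DisplayName | Format-Table -AutoSize

# Set the option back to Yes for one app (the display name is an assumed placeholder).
$app_name = "Contoso HR Portal"
$sps = @(Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'")
if ($sps.Count -eq 1) {
    Set-AzureADServicePrincipal -ObjectId $sps[0].ObjectId -AppRoleAssignmentRequired $true
    # Re-read the object to confirm the change was applied.
    (Get-AzureADServicePrincipal -ObjectId $sps[0].ObjectId).AppRoleAssignmentRequired
} else {
    Write-Warning "Expected exactly one service principal named '$app_name'; found $($sps.Count)."
}
```

The listing includes Microsoft first-party and Office 365 service principals, many of which are expected to have the property set to $false, so review each entry against what the app is for rather than changing them all in one pass.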

Assign a user to an app - PowerShell

  1. Open an elevated Windows PowerShell command prompt.

    Note

    You need to install the AzureAD module (use the command Install-Module -Name AzureAD). If prompted to install a NuGet module or the new Azure Active Directory V2 PowerShell module, type Y and press ENTER.

  2. Run Connect-AzureAD -AzureEnvironmentName AzureChinaCloud and sign in with a Global Admin user account.

  3. Use the following script to assign a user and role to an application:

    # Assign the values to the variables
    $username = "<Your user's UPN>"
    $app_name = "<Your App's display name>"
    $app_role_name = "<App role display name>"
    
    # Get the user to assign, and the service principal for the app to assign to
    $user = Get-AzureADUser -ObjectId "$username"
    $sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
    # Pick the app role whose display name matches the one requested
    $appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }
    
    # Assign the user to the app role (the user is both the assigned object and the principal)
    New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
    

For more information about how to assign a user to an application role, see the documentation for New-AzureADUserAppRoleAssignment.
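
The script above assumes every lookup succeeds. The following version is an added example, not the article's script, that carries the same assignment through with the checks a practitioner would want before changing access: it refuses to proceed when the display-name filter matches more than one service principal, lists the app's enabled roles when the requested role name is not found, falls back to the default access role (Id 00000000-0000-0000-0000-000000000000) for apps that define no roles, skips the assignment when the user already holds it, and reads the assignments back afterwards to confirm. The three variable values are placeholders; the behaviour for an empty $app_role_name is an addition beyond what the article shows.

```powershell
# Added example: the assignment from the article with validation, idempotence and verification.
# Assumes Connect-AzureAD -AzureEnvironmentName AzureChinaCloud has already been run.
$username      = "<Your user's UPN>"
$app_name      = "<Your App's display name>"
$app_role_name = "<App role display name>"   # leave empty to use the app's default access role

$user = Get-AzureADUser -ObjectId $username
if (-not $user) { throw "User '$username' not found." }

# A display-name filter can match more than one service principal; refuse to guess which one.
$sps = @(Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'")
if ($sps.Count -ne 1) { throw "Expected one service principal named '$app_name', found $($sps.Count)." }
$sp = $sps[0]

if ([string]::IsNullOrEmpty($app_role_name)) {
    # Apps that define no roles are assigned through the default access role, whose Id is all zeros.
    $roleId = "00000000-0000-0000-0000-000000000000"
} else {
    # Only consider roles that are enabled; a disabled role cannot be assigned.
    $appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name -and $_.IsEnabled }
    if (-not $appRole) {
        "Enabled roles defined by '$app_name':"
        $sp.AppRoles | Where-Object IsEnabled | Format-Table DisplayName, Value, AllowedMemberTypes, Id
        throw "Role '$app_role_name' not found or disabled."
    }
    $roleId = $appRole.Id
}

# Skip the call if the user already holds this role on this app, so re-running the script is harmless.
$existing = Get-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId |
    Where-Object { $_.ResourceId -eq $sp.ObjectId -and $_.Id -eq $roleId }
if ($existing) {
    "'$username' already holds role $roleId on '$app_name'; nothing to do."
} else {
    New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId `
        -ResourceId $sp.ObjectId -Id $roleId
}

# Verify: list the user's assignments on this app after the change.
Get-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId |
    Where-Object { $_.ResourceId -eq $sp.ObjectId } |
    Format-Table PrincipalDisplayName, ResourceDisplayName, Id
```

The role table printed on failure is the same information the article tells you to read from $sp.AppRoles, reduced to the columns needed to pick a role: its display name, its Value (the claim the app sees), who may hold it, and the Id passed to New-AzureADUserAppRoleAssignment.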

Example

This example assigns the user Britta Simon to the Microsoft Workplace Analytics application using PowerShell.

  1. In PowerShell, assign the corresponding values to the variables $username, $app_name and $app_role_name.

    # Assign the values to the variables
    $username = "britta.simon@contoso.com"
    $app_name = "Workplace Analytics"
    
  2. In this example, we don't know the exact name of the application role we want to assign to Britta Simon. Run the following commands to get the user ($user) and the service principal ($sp) using the user's UPN and the service principal's display name.

    # Get the user to assign, and the service principal for the app to assign to
    $user = Get-AzureADUser -ObjectId "$username"
    $sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
    
  3. Run the command $sp.AppRoles to display the roles available for the Workplace Analytics application. In this example, we want to assign Britta Simon the Analyst (Limited access) role.

    Screenshot: the roles available for the Workplace Analytics application

  4. Assign the role name to the $app_role_name variable.

    # Assign the role name, then look up the matching app role on the service principal
    $app_role_name = "Analyst (Limited access)"
    $appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }
    
  5. Run the following command to assign the user to the app role:

    # Assign the user to the app role
    New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
    

Next steps