Manage user assignment for an app in Azure Active Directory

This article shows you how to assign users to enterprise applications in Azure Active Directory (Azure AD), either from within the Azure portal or by using PowerShell. When you assign a user to an application, the application appears in the user's My Apps for easy access. If the application exposes roles, you can also assign a specific role to the user.

For greater control, certain types of enterprise applications can be configured to require user assignment.

Configure an application to require user assignment

With the following types of applications, you have the option of requiring users to be assigned to the application before they can access it:

  • Applications built on the Azure AD application platform that use OAuth 2.0 / OpenID Connect authentication, after a user or admin has consented to that application.

When user assignment is required, only those users you explicitly assign to the application (either through direct user assignment or based on group membership) will be able to sign in. They can access the app on their My Apps page or by using a direct link.

When assignment is not required, either because you've set this option to No or because the application uses another SSO mode, any user will be able to access the application if they have a direct link to the application or the User Access URL in the application's Properties page.

This setting doesn't affect whether or not an application appears on My Apps. Applications appear on users' My Apps access panels once you've assigned a user to the application.

To require user assignment for an application:

  1. Sign in to the Azure portal with an administrator account or as an owner of the application.
  2. Select Azure Active Directory. In the left navigation menu, select Enterprise applications.
  3. Select the application from the list. If you don't see the application, start typing its name in the search box. Or use the filter controls to select the application type, status, or visibility, and then select Apply.
  4. In the left navigation menu, select Properties.
  5. Make sure the User assignment required? toggle is set to Yes.

    Note

    If the User assignment required? toggle isn't available, you can use PowerShell to set the appRoleAssignmentRequired property on the service principal.

  6. Select the Save button at the top of the screen.
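The note above says the appRoleAssignmentRequired property can be set with PowerShell when the portal toggle is not available. The following is an added example, not code from the original article, showing how to do that with the AzureAD module: it resolves the service principal by display name, refuses to act on ambiguous matches, enforces the requirement, and reads the object back to confirm the change took effect. The application display name, the AzureChinaCloud environment in the comment, and the function name are assumptions.

```powershell
# Added example: require user assignment on an enterprise application via PowerShell.
# Assumes the AzureAD module is installed and a session is open, for example:
#   Connect-AzureAD -AzureEnvironmentName AzureChinaCloud

function Set-UserAssignmentRequired {
    param(
        [Parameter(Mandatory)] [string] $AppDisplayName,
        [bool] $Required = $true
    )

    # Display names are not unique in a tenant: stop on zero or multiple matches
    # so the setting is never flipped on the wrong service principal.
    $sps = @(Get-AzureADServicePrincipal -Filter "displayName eq '$AppDisplayName'")
    if ($sps.Count -ne 1) {
        throw "Expected exactly one service principal named '$AppDisplayName', found $($sps.Count)."
    }
    $sp = $sps[0]

    Write-Host "Before: AppRoleAssignmentRequired = $($sp.AppRoleAssignmentRequired)"

    # appRoleAssignmentRequired is the property behind the portal's
    # 'User assignment required?' toggle. $false means any authenticated user
    # with a link can sign in; $true restricts sign-in to assigned users/groups.
    Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $Required

    # Verify against the directory rather than trusting the local object.
    $after = Get-AzureADServicePrincipal -ObjectId $sp.ObjectId
    Write-Host "After:  AppRoleAssignmentRequired = $($after.AppRoleAssignmentRequired)"

    if ($after.AppRoleAssignmentRequired -ne $Required) {
        throw "Setting did not take effect on '$AppDisplayName'."
    }
    return $after
}

# Usage (hypothetical application name):
Set-UserAssignmentRequired -AppDisplayName "Contoso Expense Portal" -Required $true
```

Run the function with -Required $false only when you intend to open the application to every user in the tenant; the read-back at the end is what tells you the directory actually holds the value you expect.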

Assign or unassign users for an app using the Graph API

You can use the Graph API to assign or unassign users for an app. To learn more, see App role assignments.

Assign users to an app using PowerShell

  1. Open an elevated Windows PowerShell command prompt.

    Note

    You need to install the AzureAD module (use the command Install-Module -Name AzureAD). If prompted to install a NuGet module or the new Azure Active Directory V2 PowerShell module, type Y and press ENTER.

  2. Run Connect-AzureAD -AzureEnvironmentName AzureChinaCloud and sign in with a Global Admin user account.

  3. Use the following script to assign a user and role to an application:

    # Assign the values to the variables
    $username = "<Your user's UPN>"
    $app_name = "<Your App's display name>"
    $app_role_name = "<App role display name>"
    
    # Get the user to assign, and the service principal for the app to assign to
    $user = Get-AzureADUser -ObjectId "$username"
    $sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
    $appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }
    
    # Assign the user to the app role
    New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
    

For more information about how to assign a user to an application role, see the documentation for New-AzureADUserAppRoleAssignment.

Example

This example assigns the user Britta Simon to the Microsoft Workplace Analytics application using PowerShell.

  1. In PowerShell, assign the corresponding values to the variables $username, $app_name and $app_role_name.

    # Assign the values to the variables
    $username = "britta.simon@contoso.com"
    $app_name = "Workplace Analytics"
    
  2. In this example, we don't know the exact name of the application role we want to assign to Britta Simon. Run the following commands to get the user ($user) and the service principal ($sp) using the user's UPN and the service principal's display name.

    # Get the user to assign, and the service principal for the app to assign to
    $user = Get-AzureADUser -ObjectId "$username"
    $sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
    
  3. Run the command $sp.AppRoles to display the roles available for the Workplace Analytics application. In this example, we want to assign Britta Simon the Analyst (Limited access) role. (Screenshot: the roles available for the Workplace Analytics application.)

  4. Assign the role name to the $app_role_name variable.

    # Assign the values to the variables
    $app_role_name = "Analyst (Limited access)"
    $appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }
    
  5. Run the following command to assign the user to the app role:

    # Assign the user to the app role
    New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
    
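The generic script in the previous section and the Britta Simon walkthrough above both assume that the UPN, the application name and the role name resolve to exactly one object and that the assignment does not already exist. The following added example, which is not code from the original article, wraps the same cmdlets in a function that checks those assumptions: it rejects ambiguous application names, only accepts enabled roles that may be granted to users, and skips the call when the user already holds the role. The function name is an assumption; the sample values are the article's own.

```powershell
# Added example: assign a user to an app role with the checks the bare script skips.
# Assumes the AzureAD module is installed and Connect-AzureAD has been run.

function Add-UserToAppRole {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $AppDisplayName,
        [Parameter(Mandatory)] [string] $AppRoleDisplayName
    )

    # Get-AzureADUser accepts a UPN as -ObjectId; it throws if the user does not exist.
    $user = Get-AzureADUser -ObjectId $UserPrincipalName

    # Display names are not unique: insist on exactly one service principal.
    $sps = @(Get-AzureADServicePrincipal -Filter "displayName eq '$AppDisplayName'")
    if ($sps.Count -ne 1) {
        throw "Expected one service principal named '$AppDisplayName', found $($sps.Count)."
    }
    $sp = $sps[0]

    # Only consider roles that are enabled and that may be assigned to users
    # (AllowedMemberTypes can also be 'Application' for app-only roles).
    $appRole = $sp.AppRoles | Where-Object {
        $_.DisplayName -eq $AppRoleDisplayName -and $_.IsEnabled -and ($_.AllowedMemberTypes -contains 'User')
    }
    if (-not $appRole) {
        $available = ($sp.AppRoles | ForEach-Object { $_.DisplayName }) -join ', '
        throw "Role '$AppRoleDisplayName' not found on '$AppDisplayName'. Available roles: $available"
    }

    # Idempotency: do nothing if the user already holds this role on this app.
    $existing = Get-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId |
        Where-Object { $_.ResourceId -eq $sp.ObjectId -and $_.Id -eq $appRole.Id }
    if ($existing) {
        Write-Host "$UserPrincipalName already holds '$AppRoleDisplayName' on '$AppDisplayName'; nothing to do."
        return $existing
    }

    # Same call as the article's script; -ObjectId and -PrincipalId are both the user.
    $assignment = New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId `
        -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
    Write-Host "Assigned '$AppRoleDisplayName' on '$AppDisplayName' to $UserPrincipalName (assignment $($assignment.ObjectId))."
    return $assignment
}

# Usage with the article's sample values:
Add-UserToAppRole -UserPrincipalName "britta.simon@contoso.com" `
    -AppDisplayName "Workplace Analytics" -AppRoleDisplayName "Analyst (Limited access)"
```

The role filter is the part worth keeping even if you drop the rest: a disabled role or an application-only role will still match on display name, and the resulting assignment either does nothing or is rejected by the directory.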

Unassign users from an app using PowerShell

  1. Open an elevated Windows PowerShell command prompt.

    Note

    You need to install the AzureAD module (use the command Install-Module -Name AzureAD). If prompted to install a NuGet module or the new Azure Active Directory V2 PowerShell module, type Y and press ENTER.

  2. Run Connect-AzureAD -AzureEnvironmentName AzureChinaCloud and sign in with a Global Admin user account.

  3. Use the following script to remove a user and role from an application:

    # Store the proper parameters
    $user = Get-AzureADUser -ObjectId <objectId>
    $spo = Get-AzureADServicePrincipal -ObjectId <objectId>
    
    # Get the ID of the role assignment. Match on the user's object ID rather than
    # the display name, because display names are not unique in the directory.
    $assignments = Get-AzureADServiceAppRoleAssignment -ObjectId $spo.ObjectId | Where-Object { $_.PrincipalId -eq $user.ObjectId }
    
    # If you run the following, it shows which role is assigned to whom
    $assignments | Select-Object *
    
    # To remove the app role assignment, run the following command
    Remove-AzureADServiceAppRoleAssignment -ObjectId $spo.ObjectId -AppRoleAssignmentId $assignments[assignment #].ObjectId
    
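The script above leaves you to pick the right entry out of $assignments by hand. The following added example, not code from the original article, resolves the assignment to remove by the user's object ID and, optionally, the role's ID, so nothing depends on list position or on a display name; it logs each assignment before removing it and re-queries the application afterwards to confirm the user is gone. The function name is an assumption; the sample values are the article's own.

```powershell
# Added example: remove a user's app role assignment(s), resolved by object IDs.
# Assumes the AzureAD module is installed and Connect-AzureAD has been run.

function Remove-UserFromAppRole {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $AppDisplayName,
        [string] $AppRoleDisplayName   # omit to remove every role this user holds on the app
    )

    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    $sps = @(Get-AzureADServicePrincipal -Filter "displayName eq '$AppDisplayName'")
    if ($sps.Count -ne 1) {
        throw "Expected one service principal named '$AppDisplayName', found $($sps.Count)."
    }
    $sp = $sps[0]

    # All assignments on the app for this principal. PrincipalId is unique;
    # PrincipalDisplayName is not. -All $true avoids silently paging off results.
    $assignments = @(Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true |
        Where-Object { $_.PrincipalId -eq $user.ObjectId })

    # Narrow to a single role when one was named; the assignment's Id is the role's Id.
    if ($AppRoleDisplayName) {
        $role = $sp.AppRoles | Where-Object { $_.DisplayName -eq $AppRoleDisplayName }
        if (-not $role) { throw "Role '$AppRoleDisplayName' not found on '$AppDisplayName'." }
        $assignments = @($assignments | Where-Object { $_.Id -eq $role.Id })
    }

    if ($assignments.Count -eq 0) {
        Write-Host "No matching assignment for $UserPrincipalName on '$AppDisplayName'."
        return @()
    }

    foreach ($a in $assignments) {
        # Record what is being removed before it is gone; this is your change log.
        Write-Host "Removing assignment $($a.ObjectId) (role $($a.Id)) for $($a.PrincipalDisplayName) on $($a.ResourceDisplayName)"
        Remove-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -AppRoleAssignmentId $a.ObjectId
    }

    # Confirm against the directory that the removed assignments are no longer listed.
    $remaining = @(Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true |
        Where-Object { $_.PrincipalId -eq $user.ObjectId -and ($assignments.ObjectId -contains $_.ObjectId) })
    if ($remaining.Count -ne 0) {
        throw "$($remaining.Count) assignment(s) for $UserPrincipalName still present on '$AppDisplayName'."
    }
    return $assignments
}

# Usage with the article's sample values:
Remove-UserFromAppRole -UserPrincipalName "britta.simon@contoso.com" `
    -AppDisplayName "Workplace Analytics" -AppRoleDisplayName "Analyst (Limited access)"
```

Leaving out -AppRoleDisplayName removes every role the user holds on that one application, which is the usual shape of an offboarding step; the returned objects are the assignments that were deleted, which you can keep for the ticket or audit record.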

Next steps