Application registration subtypes and permissions in Azure Active Directory

This article contains the currently available app registration permissions for custom role definitions in Azure Active Directory (Azure AD).

Permissions for managing single-directory applications

When choosing the permissions for your custom role, you have the option to grant access to manage only single-directory applications. Single-directory applications are available only to users in the Azure AD organization where the application is registered. Single-directory applications are defined as having Supported account types set to "Accounts in this organizational directory only." In the Graph API, single-directory applications have the signInAudience property set to "AzureADMyOrg."

To grant access to manage only single-directory applications, use the permissions below with the subtype applications.myOrganization. For example, microsoft.directory/applications.myOrganization/basic/update.

See the custom roles overview for an explanation of what the general terms subtype, permission, and property set mean. The following information is specific to application registrations.

Create and delete

There are two permissions available for granting the ability to create application registrations, each with different behavior:

microsoft.directory/applications/createAsOwner

Assigning this permission results in the creator being added as the first owner of the created app registration, and the created app registration will count against the creator's 250 created objects quota.

microsoft.directory/applications/create

Assigning this permission results in the creator not being added as the first owner of the created app registration, and the created app registration will not count against the creator's 250 created objects quota. Use this permission carefully, because there is nothing preventing the assignee from creating app registrations until the directory-level quota is hit. If both permissions are assigned, this permission takes precedence.

Though the /create permission does not automatically add the creator as the first owner, owners can be specified during the creation of the app registration when using Graph APIs or PowerShell cmdlets.

Create permissions grant access to the New registration command.

(Screenshot: these permissions grant access to the New registration portal command)

There are two permissions available for granting the ability to delete app registrations:

microsoft.directory/applications/delete

Grants the ability to delete app registrations regardless of subtype; that is, both single-tenant and multi-tenant applications.

microsoft.directory/applications.myOrganization/delete

Grants the ability to delete app registrations, restricted to those that are accessible only to accounts in your organization, that is, single-tenant applications (myOrganization subtype).

(Screenshot: these permissions grant access to the Delete app registration command)

Note

When assigning a role that contains create permissions, the role assignment must be made at the directory scope. A create permission assigned at a resource scope does not grant the ability to create app registrations.
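The rules in this section (the applications.myOrganization subtype matching only apps whose signInAudience is AzureADMyOrg, /create taking precedence over /createAsOwner, and create permissions working only at the directory scope) are easy to get wrong when reviewing a custom role. The following Python model, an added example that is not Microsoft's code and not how Azure AD evaluates roles internally, encodes those rules so a reviewer can check what a given set of allowed actions would permit. The sample app registrations, the role action list and the resource scope string are constructed for illustration.

```python
# Added example: a model of how the app registration permissions on this page
# relate to the target app's signInAudience and to the role assignment scope.
# Constructed for illustration; Azure AD performs the real evaluation.

SINGLE_DIRECTORY_AUDIENCE = "AzureADMyOrg"   # "Accounts in this organizational directory only"
DIRECTORY_SCOPE = "/"                        # a directory-wide role assignment

# Constructed sample app registrations (not real objects).
SAMPLE_SINGLE_APP = {"displayName": "payroll-api", "signInAudience": "AzureADMyOrg"}
SAMPLE_MULTI_APP = {"displayName": "partner-portal", "signInAudience": "AzureADMultipleOrgs"}

# Constructed custom role: delete limited to single-directory apps, plus both create permissions.
SAMPLE_ROLE_ACTIONS = [
    "microsoft.directory/applications.myOrganization/delete",
    "microsoft.directory/applications/createAsOwner",
    "microsoft.directory/applications/create",
]


def parse_action(action):
    """Split 'microsoft.directory/<resource>[.<subtype>]/<task>' into (resource, subtype, task)."""
    prefix, resource, task = action.split("/", 2)
    if prefix != "microsoft.directory":
        raise ValueError(f"unexpected action namespace: {action}")
    resource, _, subtype = resource.partition(".")   # subtype is '' when absent
    return resource, subtype, task


def is_single_directory(app):
    """True when the app registration is a single-directory app."""
    return app.get("signInAudience") == SINGLE_DIRECTORY_AUDIENCE


def action_applies_to_app(action, app):
    """applications.myOrganization actions match only single-directory apps;
    plain applications actions match every app registration."""
    resource, subtype, _ = parse_action(action)
    if resource != "applications":
        return False
    if subtype == "myOrganization":
        return is_single_directory(app)
    return subtype == ""


def can_perform(role_actions, task, app):
    """Can a holder of these actions perform `task` (e.g. 'delete', 'credentials/update') on `app`?"""
    return any(parse_action(a)[2] == task and action_applies_to_app(a, app)
               for a in role_actions)


def create_behaviour(role_actions, assignment_scope):
    """What the role holder gets from the create permissions, or None if creation is not possible.
    Create permissions only take effect when the role is assigned at the directory scope,
    and /create takes precedence over /createAsOwner when both are present."""
    if assignment_scope != DIRECTORY_SCOPE:
        return None
    create_tasks = {parse_action(a)[2] for a in role_actions
                    if parse_action(a)[0] == "applications"}
    if "create" in create_tasks:
        return {"creator_is_owner": False, "counts_against_creator_quota": False}
    if "createAsOwner" in create_tasks:
        return {"creator_is_owner": True, "counts_against_creator_quota": True}
    return None


if __name__ == "__main__":
    for app in (SAMPLE_SINGLE_APP, SAMPLE_MULTI_APP):
        print(app["displayName"], "deletable by the sample role:",
              can_perform(SAMPLE_ROLE_ACTIONS, "delete", app))
    print("create at directory scope:", create_behaviour(SAMPLE_ROLE_ACTIONS, DIRECTORY_SCOPE))
    # Constructed resource scope: create permissions do nothing here.
    print("create at resource scope:",
          create_behaviour(SAMPLE_ROLE_ACTIONS, "/administrativeUnits/EXAMPLE-AU-ID"))
```

Run as a script it reports that the sample role can delete payroll-api but not partner-portal, that creation at the directory scope follows the /create behaviour (no owner added, no creator quota consumed), and that the same role assigned at a resource scope cannot create anything.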

Read

All member users in the organization can read app registration information by default. However, guest users and application service principals can't. If you plan to assign a role to a guest user or application, you must include the appropriate read permissions.

microsoft.directory/applications/allProperties/read

Ability to read all properties of single-tenant and multi-tenant applications, other than properties that cannot be read in any situation, such as credentials.

microsoft.directory/applications.myOrganization/allProperties/read

Grants the same permissions as microsoft.directory/applications/allProperties/read, but only for single-tenant applications.

microsoft.directory/applications/owners/read

Grants the ability to read the owners property on single-tenant and multi-tenant applications. Grants access to all fields on the application registration Owners page:

(Screenshot: this permission grants access to the app registration Owners page)

microsoft.directory/applications/standard/read

Grants access to read standard application registration properties. This includes properties across the application registration pages.

microsoft.directory/applications.myOrganization/standard/read

Grants the same permissions as microsoft.directory/applications/standard/read, but only for single-tenant applications.

Update

microsoft.directory/applications/allProperties/update

Ability to update all properties on single-directory and multi-directory applications.

microsoft.directory/applications.myOrganization/allProperties/update

Grants the same permissions as microsoft.directory/applications/allProperties/update, but only for single-tenant applications.

microsoft.directory/applications/audience/update

Ability to update the supported account types (signInAudience) property on single-directory and multi-directory applications.

(Screenshot: this permission grants access to the app registration Supported account types property on the Authentication page)

microsoft.directory/applications.myOrganization/audience/update

Grants the same permissions as microsoft.directory/applications/audience/update, but only for single-tenant applications.

microsoft.directory/applications/authentication/update

Ability to update the reply URL, sign-out URL, implicit flow, and publisher domain properties on single-tenant and multi-tenant applications. Grants access to all fields on the application registration Authentication page except Supported account types:

(Screenshot: this permission grants access to the app registration Authentication page, except Supported account types)

microsoft.directory/applications.myOrganization/authentication/update

Grants the same permissions as microsoft.directory/applications/authentication/update, but only for single-tenant applications.

microsoft.directory/applications/basic/update

Ability to update the name, logo, homepage URL, terms of service URL, and privacy statement URL properties on single-tenant and multi-tenant applications. Grants access to all fields on the application registration Branding page:

(Screenshot: this permission grants access to the app registration Branding page)

microsoft.directory/applications.myOrganization/basic/update

Grants the same permissions as microsoft.directory/applications/basic/update, but only for single-tenant applications.

microsoft.directory/applications/credentials/update

Ability to update the certificates and client secrets properties on single-tenant and multi-tenant applications. Grants access to all fields on the application registration Certificates & secrets page:

(Screenshot: this permission grants access to the app registration Certificates & secrets page)

microsoft.directory/applications.myOrganization/credentials/update

Grants the same permissions as microsoft.directory/applications/credentials/update, but only for single-directory applications.

microsoft.directory/applications/owners/update

Ability to update the owners property on single-tenant and multi-tenant applications. Grants access to all fields on the application registration Owners page:

(Screenshot: this permission grants access to the app registration Owners page)

microsoft.directory/applications.myOrganization/owners/update

Grants the same permissions as microsoft.directory/applications/owners/update, but only for single-tenant applications.

microsoft.directory/applications/permissions/update

Ability to update the delegated permissions, application permissions, authorized client applications, required permissions, and grant consent properties on single-tenant and multi-tenant applications. Does not grant the ability to perform consent. Grants access to all fields on the application registration API permissions and Expose an API pages:

(Screenshot: this permission grants access to the app registration API permissions page)

(Screenshot: this permission grants access to the app registration Expose an API page)

microsoft.directory/applications.myOrganization/permissions/update

Grants the same permissions as microsoft.directory/applications/permissions/update, but only for single-tenant applications.
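Several of the update permissions above are high impact from a least-privilege standpoint: credentials/update lets the assignee add certificates and client secrets, owners/update changes who controls the app, permissions/update changes requested and exposed API permissions, and allProperties/update covers all of these. Each has a myOrganization-scoped form, and the Read section notes that guests and service principals need an explicit read permission. The following Python review helper is an added example, not Microsoft's code: it builds a custom role definition body in the shape used by the Microsoft Graph roleManagement roleDefinitions resource (the endpoint and body shape are this example's assumption, not something stated on this page) and lists the points a reviewer should question before assigning it. The two sample role definitions are constructed for illustration.

```python
# Added example: least-privilege review of a custom role definition that uses
# the app registration permissions documented on this page. The request body
# shape (displayName, description, isEnabled, rolePermissions/allowedResourceActions)
# is assumed to match Microsoft Graph's unifiedRoleDefinition; it is not from the page.
import json

# Tasks on the page whose broad (non-myOrganization) form also reaches multi-tenant apps.
HIGH_IMPACT_TASKS = {
    "credentials/update": "can add certificates and client secrets",
    "owners/update": "can change the app's owners",
    "permissions/update": "can change requested API permissions and exposed scopes",
    "allProperties/update": "can change every property, including credentials and owners",
    "audience/update": "can change supported account types (signInAudience)",
}


def graph_role_definition(display_name, description, actions):
    """Body for POST .../roleManagement/directory/roleDefinitions (assumed shape)."""
    return {
        "displayName": display_name,
        "description": description,
        "isEnabled": True,
        "rolePermissions": [{"allowedResourceActions": list(actions)}],
    }


def review_role_definition(role_def, for_guests_or_apps=False):
    """Return review findings (strings) for a role definition; empty list means no concerns."""
    findings = []
    actions = [a for perm in role_def["rolePermissions"]
               for a in perm["allowedResourceActions"]]
    has_read = False
    for action in actions:
        _, resource, task = action.split("/", 2)
        base, _, subtype = resource.partition(".")
        if base != "applications":
            continue
        if task.endswith("/read"):
            has_read = True
        if task in HIGH_IMPACT_TASKS and subtype == "":
            findings.append(
                f"{action}: {HIGH_IMPACT_TASKS[task]} on multi-tenant apps as well; "
                f"prefer microsoft.directory/applications.myOrganization/{task} "
                "if single-directory apps are enough")
        if task == "create":
            findings.append(
                f"{action}: creator is not added as owner and creations do not count "
                "against the creator's quota; consider createAsOwner instead")
    if for_guests_or_apps and not has_read:
        findings.append("no read permission: guest users and service principals cannot "
                        "read app registrations by default, so add a standard/read or "
                        "allProperties/read action")
    return findings


# Constructed sample: a role that is broader than its purpose requires.
BROAD_ROLE = graph_role_definition(
    "App secret rotator (draft)", "Rotates client secrets for internal apps",
    ["microsoft.directory/applications/credentials/update",
     "microsoft.directory/applications.myOrganization/basic/update",
     "microsoft.directory/applications/create"])

# Constructed sample: the same purpose, limited to single-directory apps, readable by a service principal.
SCOPED_ROLE = graph_role_definition(
    "App secret rotator", "Rotates client secrets for internal apps",
    ["microsoft.directory/applications.myOrganization/credentials/update",
     "microsoft.directory/applications.myOrganization/standard/read"])


if __name__ == "__main__":
    for role in (BROAD_ROLE, SCOPED_ROLE):
        print(json.dumps(role, indent=2))
        for finding in review_role_definition(role, for_guests_or_apps=True) or ["no findings"]:
            print("  -", finding)
```

The broad draft produces three findings (the tenant-wide credentials/update, the /create permission, and the missing read permission for a non-member assignee); the scoped version produces none. The check is deliberately conservative: it does not know the assignee or the apps in the tenant, so it flags anything whose blast radius extends beyond single-directory apps and leaves the judgement to the reviewer.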

Required license plan

Using this feature requires an Azure AD Premium P1 license. To find the right license for your requirements, see Comparing generally available features of the Free, Basic, and Premium editions.

Next steps