Delegate app registration permissions in Azure Active Directory

This article describes how to use permissions granted by custom roles in Azure Active Directory (Azure AD) to address your application management needs. In Azure AD, you can delegate application creation and management permissions in the following ways:

  • Restricting who can create applications and manage the applications they create. By default in Azure AD, all users can register applications and manage all aspects of the applications they create. This can be restricted so that only selected people have that permission.
  • Assigning one or more owners to an application. This is a simple way to grant someone the ability to manage all aspects of Azure AD configuration for a specific application.
  • Assigning a built-in administrative role that grants access to manage configuration in Azure AD for all applications. This is the recommended way to grant IT experts broad application configuration permissions without granting access to manage other parts of Azure AD that are not related to application configuration.
  • Creating a custom role that defines very specific permissions and assigning it to someone either at the scope of a single application, as a limited owner, or at the directory scope (all applications), as a limited administrator.

It's important to consider granting access using one of the above methods for two reasons. First, delegating the ability to perform administrative tasks reduces Global Administrator overhead. Second, using limited permissions improves your security posture and reduces the potential for unauthorized access.

Restrict who can create applications

By default in Azure AD, all users can register applications and manage all aspects of the applications they create. Everyone also has the ability to consent to apps accessing company data on their behalf. You can choose to grant those permissions selectively by setting the global switches to No and adding the selected users to the Application Developer role.

  1. Sign in to your Azure AD organization with an account that is eligible for the Global Administrator role in that organization.

  2. Set one or both of the following:

    • On the User settings page for your organization, set the Users can register applications setting to No. This disables the default ability for users to create application registrations.
    • In the user settings for enterprise applications, set the Users can consent to applications accessing company data on their behalf setting to No. This disables the default ability for users to consent to applications accessing company data on their behalf.

Assign the Application Developer role to grant the ability to create application registrations when the Users can register applications setting is set to No. This role also grants permission to consent on one's own behalf when the Users can consent to apps accessing company data on their behalf setting is set to No. As a system behavior, when a user creates a new application registration, they are automatically added as its first owner. Ownership permissions give the user the ability to manage all aspects of an application registration or enterprise application that they own.
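The two tenant-wide switches and the Application Developer role assignment described above can be applied with the Microsoft Graph PowerShell SDK instead of the portal. The following is an added example, not code from the original article or from Microsoft; it assumes the Microsoft.Graph module is installed, that the signed-in account is eligible for Global Administrator, and that the user principal names are placeholders you replace with your own.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph PowerShell module
# and an account eligible for Global Administrator. UPNs below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "RoleManagement.ReadWrite.Directory", "User.Read.All"

# Step 2: both switches live on the tenant's single authorization policy object.
#   AllowedToCreateApps = $false        -> "Users can register applications" = No
#   PermissionGrantPoliciesAssigned = @() -> "Users can consent to apps ..." = No
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    AllowedToCreateApps             = $false
    PermissionGrantPoliciesAssigned = @()
}

# Re-grant the ability selectively: add chosen users to the Application Developer role.
# The role is looked up by display name so no template ID has to be hard-coded.
$devRole = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Application Developer'"

foreach ($upn in @("alice@contoso.example", "bob@contoso.example")) {   # placeholder UPNs
    $user = Get-MgUser -UserId $upn
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
        -RoleDefinitionId $devRole.Id -DirectoryScopeId "/"        # "/" = whole directory
}

# Read the policy back to confirm the default permissions are now restricted.
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions |
    Select-Object AllowedToCreateApps, PermissionGrantPoliciesAssigned
```

The final read-back is the check worth keeping in a change runbook: `AllowedToCreateApps` should be `False` and `PermissionGrantPoliciesAssigned` empty, while the users in the loop can still register applications through the role rather than through the tenant default.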

Assign application owners

Assigning owners is a simple way to grant the ability to manage all aspects of Azure AD configuration for a specific application registration or enterprise application. As a system behavior, when a user creates a new application registration they are automatically added as its first owner. Ownership permissions give the user the ability to manage all aspects of an application registration or enterprise application that they own. The original owner can be removed and additional owners can be added.

Enterprise application owners

As an owner, a user can manage the organization-specific configuration of the enterprise application, such as provisioning and user assignments. An owner can also add or remove other owners. Unlike Global Administrators, owners can manage only the enterprise applications they own.

In some cases, enterprise applications created from the application gallery include both an enterprise application and an application registration. When this is the case, adding an owner to the enterprise application automatically adds that owner to the corresponding application registration as well.

To assign an owner to an enterprise application

  1. Sign in to your Azure AD organization with an account that is eligible for the Application Administrator or Cloud Application Administrator role for the organization.
  2. On the App registrations page for the organization, select an app to open its Overview page.
  3. Select Owners to see the list of owners for the app.
  4. Select Add to select one or more owners to add to the app.

Important

Users and service principals can be owners of application registrations. Only users can be owners of enterprise applications. Groups cannot be assigned as owners of either.

Owners can add credentials to an application and use those credentials to impersonate the application's identity. The application may have more permissions than the owner, so this would be an elevation of privilege over what the owner has access to as a user or service principal. An application owner could potentially create or update users or other objects while impersonating the application, depending on the application's permissions.
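The owner-assignment steps above, followed by the review the Important note calls for, expressed with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original article or from Microsoft; it assumes the Microsoft.Graph module, an account eligible for Application Administrator or Cloud Application Administrator, and placeholder application and user names that you replace with your own.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph PowerShell module
# and an account eligible for Application Administrator or Cloud Application Administrator.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "User.Read.All"

# Placeholder app registration and user; replace with real values.
$app  = Get-MgApplication -Filter "displayName eq 'Contoso Expense Reports'"
$user = Get-MgUser -UserId "naveen@contoso.example"

# Steps 3-4: add the user as an owner of the app registration (owner references are
# expressed as a directoryObjects link in the request body).
New-MgApplicationOwnerByRef -ApplicationId $app.Id -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
}

# Read the owner list back to confirm the change.
Get-MgApplicationOwner -ApplicationId $app.Id |
    ForEach-Object { $_.AdditionalProperties.displayName }

# Because an owner can add credentials and act as the application, the registrations that
# matter most are those requesting application (app-only) permissions: there, owning the app
# can mean more access than the owner has as a user. List them with their owners.
foreach ($a in Get-MgApplication -All) {
    # RequiredResourceAccess.ResourceAccess entries of type "Role" are app-only permissions;
    # type "Scope" entries are delegated permissions.
    $appOnly = @($a.RequiredResourceAccess.ResourceAccess | Where-Object Type -eq "Role")
    if ($appOnly.Count -gt 0) {
        $owners = Get-MgApplicationOwner -ApplicationId $a.Id |
            ForEach-Object { $_.AdditionalProperties.displayName }
        [pscustomobject]@{
            App                = $a.DisplayName
            AppOnlyPermissions = $appOnly.Count
            Owners             = ($owners -join ", ")
        }
    }
}
```

The report at the end only tells you which registrations request app-only permissions; whether those permissions have actually been granted (admin consent) is a separate question answered by the application's service principal, so treat the list as the set of registrations whose owner list deserves regular review rather than as a list of confirmed elevated access.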

Assign built-in application admin roles

Azure AD has a set of built-in admin roles for granting access to manage configuration in Azure AD for all applications. These roles are the recommended way to grant IT experts broad application configuration permissions without granting access to manage other parts of Azure AD that are not related to application configuration.

  • Application Administrator: Users in this role can create and manage all aspects of enterprise applications and application registrations. This role also grants the ability to consent to delegated permissions, and to application permissions excluding Microsoft Graph. Users assigned to this role are not added as owners when creating new application registrations or enterprise applications.
  • Cloud Application Administrator: Users in this role have the same permissions as the Application Administrator role. Users assigned to this role are not added as owners when creating new application registrations or enterprise applications.

For more information and to view the description for these roles, see Available roles.

Follow the instructions in the Assign roles to users with Azure Active Directory how-to guide to assign the Application Administrator or Cloud Application Administrator roles.

Important

Application Administrators and Cloud Application Administrators can add credentials to an application and use those credentials to impersonate the application's identity. The application may have permissions that are an elevation of privilege over the admin role's permissions. An admin in this role could potentially create or update users or other objects while impersonating the application, depending on the application's permissions. Neither role grants the ability to manage Conditional Access settings.

Create and assign a custom role (preview)

Creating custom roles and assigning custom roles are separate steps:

This separation allows you to create a single role definition and then assign it many times at different scopes. A custom role can be assigned at organization-wide scope, or it can be assigned at the scope of a single Azure AD object. An example of an object scope is a single app registration. Using different scopes, the same role definition can be assigned to Sally over all app registrations in the organization and then to Naveen over only the Contoso Expense Reports app registration.
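The two separate steps, one role definition assigned twice at different scopes (Sally organization-wide, Naveen over one app registration), carried out with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original article or from Microsoft; it assumes the Microsoft.Graph module, an account eligible for Global Administrator, and that the role name, user principal names and application name are placeholders. The two resource action names are the ones Microsoft publishes for app registration custom roles; the choice of just those two is the example's, to keep the role narrow.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph PowerShell module
# and an account eligible for Global Administrator. Names and UPNs below are placeholders.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Application.Read.All", "User.Read.All"

# Step 1: create ONE role definition with a deliberately narrow permission set:
# update basic properties and credentials of app registrations, nothing else.
$roleDef = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter @{
    displayName     = "Application Support Administrator"      # placeholder role name
    description     = "Can update basic properties and credentials of app registrations."
    isEnabled       = $true
    rolePermissions = @(
        @{
            allowedResourceActions = @(
                "microsoft.directory/applications/basic/update",
                "microsoft.directory/applications/credentials/update"
            )
        }
    )
}

# Step 2: assign that single definition at two different scopes.
$sally  = Get-MgUser -UserId "sally@contoso.example"          # placeholder UPNs
$naveen = Get-MgUser -UserId "naveen@contoso.example"
$app    = Get-MgApplication -Filter "displayName eq 'Contoso Expense Reports'"

# Organization-wide scope ("/"): Sally holds the role over every app registration.
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $roleDef.Id `
    -PrincipalId $sally.Id -DirectoryScopeId "/"

# Object scope ("/<object id>"): Naveen holds the same role over this one registration only.
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $roleDef.Id `
    -PrincipalId $naveen.Id -DirectoryScopeId "/$($app.Id)"

# Review: every assignment of this definition together with the scope it applies to.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($roleDef.Id)'" |
    Select-Object PrincipalId, DirectoryScopeId
```

The review query at the end is the part to keep: a role definition can accumulate assignments at many scopes over time, and listing them by `roleDefinitionId` shows at a glance who holds the permissions organization-wide (`DirectoryScopeId` of `/`) versus over a single object. Note that `credentials/update` lets the holder add secrets to the registrations in scope, so the same impersonation caveat given for owners and built-in admins applies to this custom role.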

Tips when creating and using custom roles for delegating application management:

  • Custom roles only grant access in the most current App registrations blades of the Azure AD portal. They do not grant access in the legacy App registrations blades.
  • Custom roles do not grant access to the Azure AD portal when the "Restrict access to Azure AD administration portal" user setting is set to Yes.
  • App registrations the user has access to through role assignments only show up in the 'All applications' tab on the App registrations page. They do not show up in the 'Owned applications' tab.

For more information on the basics of custom roles, see the custom roles overview, as well as how to create a custom role and how to assign a role.

Next steps