Authentication and user permissions

Azure Analysis Services uses Azure Active Directory (Azure AD) for identity management and user authentication. Any user creating, managing, or connecting to an Azure Analysis Services server must have a valid user identity in an Azure AD tenant in the same subscription.

Figure: Azure Analysis Services authentication architecture

Authentication

All client applications and tools use one or more of the Analysis Services client libraries (AMO, MSOLAP, ADOMD) to connect to a server.

All three client libraries support both the Azure AD interactive flow and non-interactive authentication methods. The two non-interactive methods, Active Directory Password and Active Directory Integrated Authentication, can be used in applications that utilize ADOMD and MSOLAP. These two methods never result in pop-up dialog boxes.
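As an added example (not code from the original page or from the Analysis Services client libraries' documentation), the PowerShell script below opens a non-interactive ADOMD.NET connection with the Active Directory Password method described above and lists the databases visible to that identity. The library path, server name, database, user account and the AAS_PASSWORD environment variable are placeholders and assumptions.

```powershell
# Added example: non-interactive Active Directory Password authentication with ADOMD.NET.
# Assumptions: ADOMD.NET is installed at the path below; server, database and user are placeholders.

# Load the ADOMD.NET client library (install path is an assumption; adjust for your version)
Add-Type -Path "C:\Program Files\Microsoft.NET\ADOMD.NET\150\Microsoft.AnalysisServices.AdomdClient.dll"

$server   = "asazure://<region>.asazure.windows.net/<servername>"   # placeholder server name
$database = "<database>"                                             # placeholder database
$user     = "user@contoso.com"                                       # placeholder Azure AD user

# Read the password from the environment instead of embedding it in the script
$password = $env:AAS_PASSWORD
if (-not $password) { throw "Set the AAS_PASSWORD environment variable before running this script." }

# Active Directory Password method: user ID and password travel in the connection string.
# No pop-up dialog is shown; a bad credential surfaces as an exception on Open().
$connStr = "Data Source=$server;Initial Catalog=$database;User ID=$user;Password=$password"

$conn = New-Object Microsoft.AnalysisServices.AdomdClient.AdomdConnection($connStr)
try {
    $conn.Open()

    # DBSCHEMA_CATALOGS returns the databases this identity is allowed to see, which is a
    # quick way to confirm that the account's server-admin or database-role membership took effect.
    $catalogs = $conn.GetSchemaDataSet("DBSCHEMA_CATALOGS", $null)
    $catalogs.Tables[0] | Select-Object CATALOG_NAME
}
finally {
    # Always release the session, even when Open() or the schema query throws
    $conn.Close()
}
```

Because the password is supplied by the caller rather than typed into a dialog, this is the flow to use for unattended jobs; keep the secret in a vault or protected environment variable and grant the account only a database role with the permissions the job needs.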

Client applications like Excel and Power BI Desktop, and tools like SSMS and the Analysis Services projects extension for Visual Studio, install the latest versions of the libraries when they are updated to the latest release. Power BI Desktop, SSMS, and the Analysis Services projects extension are updated monthly. Excel is updated with Office 365. Office 365 updates are less frequent, and some organizations use the deferred channel, meaning updates are deferred up to three months.

Depending on the client application or tool you use, the type of authentication and how you sign in may differ. Each application may support different features for connecting to cloud services like Azure Analysis Services.

Power BI Desktop, Visual Studio, and SSMS support Active Directory Universal Authentication, an interactive method that also supports Azure Multi-Factor Authentication (MFA). Azure MFA helps safeguard access to data and applications while providing a simple sign-in process. It delivers strong authentication with several verification options (phone call, text message, smart cards with PIN, or mobile app notification). Interactive MFA with Azure AD can result in a pop-up dialog box for validation. Universal Authentication is recommended.

If you sign in to Azure with a Windows account and Universal Authentication is not selected or not available (Excel), Active Directory Federation Services (AD FS) is required. With federation, Azure AD and Office 365 users are authenticated using on-premises credentials and can access Azure resources.

SQL Server Management Studio (SSMS)

Azure Analysis Services servers support connections from SSMS V17.1 and higher by using Windows Authentication, Active Directory Password Authentication, and Active Directory Universal Authentication. In general, it's recommended that you use Active Directory Universal Authentication because it:

  • Supports interactive and non-interactive authentication methods.

  • Supports Azure B2B guest users invited into the Azure AS tenant. Guest users must select Active Directory Universal Authentication when connecting to a server.

  • Supports Multi-Factor Authentication (MFA). Azure MFA helps safeguard access to data and applications with a range of verification options: phone call, text message, smart cards with PIN, or mobile app notification. Interactive MFA with Azure AD can result in a pop-up dialog box for validation.

Visual Studio

Visual Studio connects to Azure Analysis Services by using Active Directory Universal Authentication with MFA support. Users are prompted to sign in to Azure on the first deployment. Users must sign in to Azure with an account that has server administrator permissions on the server they are deploying to. When signing in to Azure the first time, a token is assigned. The token is cached in memory for future reconnects.

Power BI Desktop

Power BI Desktop connects to Azure Analysis Services using Active Directory Universal Authentication with MFA support. Users are prompted to sign in to Azure on the first connection. Users must sign in to Azure with an account that is included in a server administrator or database role.

Excel

Excel users can connect to a server by using a Windows account, an organization ID (email address), or an external email address. External email identities must exist in Azure AD as a guest user.

User permissions

Server administrators are specific to an Azure Analysis Services server instance. They connect with tools like the Azure portal, SSMS, and Visual Studio to perform tasks like adding databases and managing user roles. By default, the user that creates the server is automatically added as an Analysis Services server administrator. Other administrators can be added by using the Azure portal or SSMS. Server administrators must have an account in the Azure AD tenant in the same subscription. To learn more, see Manage server administrators.

Database users connect to model databases by using client applications like Excel or Power BI. Users must be added to database roles. Database roles define administrator, process, or read permissions for a database. It's important to understand that database users in a role with administrator permissions are different from server administrators. However, by default, server administrators are also database administrators. To learn more, see Manage database roles and users.

Azure resource owners. Resource owners manage resources for an Azure subscription. Resource owners can add Azure AD user identities to the Owner or Contributor roles within a subscription by using Access control in the Azure portal, or with Azure Resource Manager templates.

Figure: Access control in the Azure portal

Roles at this level apply to users or accounts that need to perform tasks that can be completed in the portal or by using Azure Resource Manager templates. To learn more, see Role-Based Access Control.

Database roles

Roles defined for a tabular model are database roles. That is, the roles contain members consisting of Azure AD users and security groups, with specific permissions that define the actions those members can take on a model database. A database role is created as a separate object in the database and applies only to the database in which that role is created.

By default, when you create a new tabular model project, the model project does not have any roles. Roles can be defined by using the Role Manager dialog box in Visual Studio. When roles are defined during model project design, they are applied only to the model workspace database. When the model is deployed, the same roles are applied to the deployed model. After a model has been deployed, server and database administrators can manage roles and members by using SSMS. To learn more, see Manage database roles and users.
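The two permission layers described in the User permissions and Database roles sections above (server administrators scoped to a server, database roles scoped to one database) as an added PowerShell example, not code from the page or from Microsoft: it adds a second server administrator with the Az.AnalysisServices module and then creates a read-only database role through a TMSL script sent with Invoke-ASCmd from the SqlServer module. Resource group, server, database and account names are placeholders; the AsAdministrators property, the -Administrator parameter and the Invoke-ASCmd parameters are assumed from those modules and should be checked against your installed versions.

```powershell
# Added example: server administrators vs. database roles in Azure Analysis Services.
# Assumptions: Az.AnalysisServices and SqlServer modules are installed and you are signed in;
# all names below are placeholders.

Import-Module Az.AnalysisServices
Import-Module SqlServer

$resourceGroup = "<resource-group>"                                   # placeholder
$serverName    = "<servername>"                                       # placeholder
$serverUri     = "asazure://<region>.asazure.windows.net/$serverName"  # placeholder server URI
$database      = "<database>"                                         # placeholder

# 1) Server administrators (server-wide; by default also database administrators).
#    -Administrator replaces the whole list, so merge with the current admins instead of overwriting.
$server = Get-AzAnalysisServicesServer -ResourceGroupName $resourceGroup -Name $serverName
$admins = @($server.AsAdministrators) + "admin2@contoso.com" | Select-Object -Unique
Set-AzAnalysisServicesServer -ResourceGroupName $resourceGroup -Name $serverName `
    -Administrator ($admins -join ",")

# 2) Database role (scoped to one database). Report consumers belong here, with "read"
#    model permission, rather than in the server administrator list.
$tmsl = @"
{
  "createOrReplace": {
    "object": { "database": "$database", "role": "Readers" },
    "role": {
      "name": "Readers",
      "modelPermission": "read",
      "members": [
        { "memberName": "analyst@contoso.com", "identityProvider": "AzureAD" }
      ]
    }
  }
}
"@

# Invoke-ASCmd prompts for Azure AD sign-in unless -Credential is supplied; the caller must be a
# server administrator or a database administrator for $database.
$result = Invoke-ASCmd -Server $serverUri -Query $tmsl

# The XMLA response carries <Error ...> elements on failure; surface them instead of ignoring them
if ($result -match "<Error") { throw "TMSL createOrReplace failed: $result" }
Write-Output "Role 'Readers' created or replaced in database '$database'."
```

Keeping consumers in a database role with read permission rather than making them server administrators limits the blast radius of a compromised account to one database and to read-only access, which is the least-privilege split the two sections above describe.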

Next steps

Manage access to resources with Azure Active Directory groups
Manage database roles and users
Manage server administrators
Role-Based Access Control