Authorize developer accounts by using Azure Active Directory in Azure API Management

This article shows you how to enable access to the developer portal for users from Azure Active Directory (Azure AD). This guide also shows you how to manage groups of Azure AD users by adding external groups that contain the users.

Prerequisites

Availability

Important

This feature is available in the Premium, Standard and Developer tiers of API Management.

Authorize developer accounts by using Azure AD

  1. Sign in to the Azure portal.

  2. Select the arrow icon.

  3. Type api in the search box.

  4. Select API Management services.

  5. Select your API Management service instance.

  6. Under Security, select Identities.

  7. Select +Add from the top.

    The Add identity provider pane appears on the right.

  8. Under Provider type, select Azure Active Directory.

    Controls that enable you to enter other necessary information appear in the pane. The controls include Client ID and Client secret. (You get information about these controls later in the article.)

  9. Make a note of the content of Redirect URL.

    (Screenshot: steps for adding an identity provider in the Azure portal)

  10. In your browser, open a different tab.

  11. Navigate to the Azure portal - App registrations to register an app in Active Directory.

  12. Under Manage, select App registrations.

  13. Select New registration. On the Register an application page, set the values as follows:

  • Set Name to a meaningful name, for example developer-portal.
  • Set Supported account types to Accounts in this organizational directory only.
  • Set Redirect URI to the value you got from step 9.
  • Choose Register.
  14. After the application is registered, copy the Application (client) ID from the Overview page.

  15. Go back to your API Management instance. In the Add identity provider window, paste the Application (client) ID value into the Client ID box.

  16. Switch back to the Azure AD configuration and select Certificates & secrets under Manage. Select the New client secret button. Enter a value in Description, select any option for Expires, and choose Add. Copy the client secret value before leaving the page. You will need it in the next step.

  17. Under Manage, select Authentication, and then select ID tokens under Implicit grant.

  18. Go back to your API Management instance and paste the secret into the Client secret box.

    Important

    Make sure to update the Client secret before the key expires.

  19. The Add identity provider window also contains the Allowed Tenants text box. There, specify the domains of the Azure AD instances to which you want to grant access to the APIs of the API Management service instance. You can separate multiple domains with newlines, spaces, or commas.

Note

You can specify multiple domains in the Allowed Tenants section. Before any user can sign in from a different domain than the original domain where the application was registered, a global administrator of the different domain must grant permission for the application to access directory data. To grant permission, the global administrator should:

  a. Go to https://<URL of your developer portal>/aadadminconsent (for example, https://contoso.portal.azure-api.cn/aadadminconsent).
  b. Type in the domain name of the Azure AD tenant that they want to give access to.
  c. Select Submit.

  20. After you specify the desired configuration, select Add.

After the changes are saved, users in the specified Azure AD instance can sign in to the developer portal by following the steps in Sign in to the developer portal by using an Azure AD account.
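The portal steps above can also be scripted. The following Azure PowerShell script is an added example, not code from the original article or from the API Management product docs; it assumes the Az.Resources and Az.ApiManagement modules, an Azure China subscription (matching the azure-api.cn portal URL used above), placeholder values for the resource group, service name, redirect URL and allowed tenant domain, and the Graph-based Az.Resources cmdlet shapes (SecretText on the credential object, the -Web hashtable for enabling ID token issuance), which are assumptions to verify against your module version.

```powershell
# Added example: scripts steps 1-20 above with Azure PowerShell (Az.Resources, Az.ApiManagement).
# Placeholder values; replace with your own.
$resourceGroup = 'apim-rg'
$serviceName   = 'contoso'
$allowedTenant = 'contoso.partner.onmschina.cn'   # goes into the Allowed Tenants box (step 19)
# Step 9: paste the exact Redirect URL shown in the Add identity provider pane here.
$redirectUrl   = 'https://<URL of your developer portal>/signin-aad'   # placeholder

# Azure China environment, matching the azure-api.cn URLs in the article.
Connect-AzAccount -Environment AzureChinaCloud

# Step 13: single-tenant app registration with the developer portal redirect URI.
$app = New-AzADApplication -DisplayName 'developer-portal' `
    -SignInAudience 'AzureADMyOrg' -ReplyUrls $redirectUrl

# Step 16: client secret with an explicit, short lifetime so rotation is planned from day one.
$cred = New-AzADAppCredential -ApplicationId $app.AppId -EndDate (Get-Date).AddMonths(6)
$clientSecret = $cred.SecretText   # assumption: Graph-based Az.Resources exposes the secret as SecretText

# Step 17: enable ID tokens under Implicit grant (assumed Microsoft Graph web-settings shape).
Update-AzADApplication -ApplicationId $app.AppId `
    -Web @{ ImplicitGrantSetting = @{ EnableIdTokenIssuance = $true } }

# Steps 15, 18, 19, 20: add the Azure AD identity provider to the API Management instance.
$ctx = New-AzApiManagementContext -ResourceGroupName $resourceGroup -ServiceName $serviceName
New-AzApiManagementIdentityProvider -Context $ctx -Type Aad `
    -ClientId $app.AppId -ClientSecret $clientSecret -AllowedTenants @($allowedTenant)

# Record the expiry so the secret is rotated before developer sign-in stops working (see the Important note above).
Write-Host "Client secret for app $($app.AppId) expires on $($cred.EndDateTime); rotate it before then."
```

Only the tenant domains listed in -AllowedTenants can sign in, so review that list whenever a tenant is onboarded or offboarded.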

Add an external Azure AD group

After you enable access for users in an Azure AD instance, you can add Azure AD groups in API Management. Then, you can more easily manage the association of the developers in the group with the desired products.

Important

To add an external Azure AD group, you must first configure the Azure AD instance on the Identities tab by following the procedure in the previous section. Additionally, the application must be granted access to the Azure AD Graph API with the Directory.Read.All permission.

You add external Azure AD groups from the Groups tab of your API Management instance.

  1. Select the Groups tab.

  2. Select the Add AAD group button.

    (Screenshot: the Add AAD group button)

  3. Select the group that you want to add.

  4. Press the Select button.

After you add an external Azure AD group, you can review and configure its properties. Select the name of the group from the Groups tab. From here, you can edit the Name and Description information for the group.
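The same external group can be created from Azure PowerShell. This is an added example, not code from the original article; it assumes the Az.Resources and Az.ApiManagement modules, an existing Azure AD identity provider on the instance (previous section), and placeholder values for the resource group, service name and directory group name. The aad://<tenant id>/groups/<group object id> external ID format is the one API Management uses for Azure AD groups.

```powershell
# Added example: adds an Azure AD security group as an external API Management group (steps 1-4 above).
# Placeholder values; replace with your own.
$resourceGroup = 'apim-rg'
$serviceName   = 'contoso'
$groupName     = 'API Developers'   # display name of the Azure AD group to add

$ctx = New-AzApiManagementContext -ResourceGroupName $resourceGroup -ServiceName $serviceName

# Resolve the directory group and the tenant it belongs to; the tenant must be one of the
# Allowed Tenants configured on the identity provider, or its members cannot sign in.
$aadGroup = Get-AzADGroup -DisplayName $groupName
if (-not $aadGroup) { throw "Azure AD group '$groupName' not found in the signed-in tenant." }
$tenantId = (Get-AzContext).Tenant.Id

# External groups point at the directory group by tenant id and group object id.
New-AzApiManagementGroup -Context $ctx -GroupId 'api-developers' -Name $aadGroup.DisplayName `
    -Description "Synced from Azure AD group $groupName" `
    -Type External -ExternalId "aad://$tenantId/groups/$($aadGroup.Id)"

# Confirm the group was created with the expected external reference.
Get-AzApiManagementGroup -Context $ctx -GroupId 'api-developers' | Select-Object GroupId, Name, Type, ExternalId
```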

Users from the configured Azure AD instance can now sign in to the developer portal. They can view and subscribe to any groups for which they have visibility.

Sign in to the developer portal by using an Azure AD account

To sign in to the developer portal by using an Azure AD account that you configured in the previous sections:

  1. Open a new browser window by using the sign-in URL from the Active Directory application configuration, and select Azure Active Directory.

    (Screenshot: sign-in page)

  2. Enter the credentials of one of the users in Azure AD, and select Sign in.

    (Screenshot: signing in with a user name and password)

  3. You might be prompted with a registration form if any additional information is required. Complete the registration form, and select Sign up.

    (Screenshot: the Sign up button on the registration form)

Your user is now signed in to the developer portal for your API Management service instance.

(Screenshot: the developer portal after registration is complete)