Configure your App Service app to use Azure Active Directory sign-in

This article shows you how to configure Azure App Service to use Azure Active Directory as an authentication provider.

Configure with express settings

  1. In the Azure portal, navigate to your App Service app. In the left navigation, select Authentication / Authorization.
  2. If Authentication / Authorization is not enabled, select On.
  3. Select Azure Active Directory, and then select Express under Management Mode.
  4. Select OK to register the App Service app in Azure Active Directory. This creates a new app registration. If you want to choose an existing app registration instead, click Select an existing app and then search for the name of a previously created app registration within your tenant. Click the app registration to select it and click OK. Then click OK on the Azure Active Directory settings page. By default, App Service provides authentication but does not restrict authorized access to your site content and APIs. You must authorize users in your app code.
  5. (Optional) To restrict access to your site to only users authenticated by Azure Active Directory, set Action to take when request is not authenticated to Log in with Azure Active Directory. This requires that all requests be authenticated, and all unauthenticated requests are redirected to Azure Active Directory for authentication.
  6. Click Save.

You are now ready to use Azure Active Directory for authentication in your App Service app.
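Step 4 makes the point that App Service authenticates the user but does not decide who may do what: that check belongs in your app code. The following Python is an added example, not part of this article or of App Service, showing one shape such a check can take. It assumes the request header names that App Service Authentication injects after sign-in (X-MS-CLIENT-PRINCIPAL, X-MS-CLIENT-PRINCIPAL-ID, X-MS-CLIENT-PRINCIPAL-NAME, which are not shown on this page), and all sample header values, object ids and role names are constructed.

```python
import base64
import json

# Header names that App Service Authentication sets on requests it forwards to
# the app after a successful sign-in. They are not shown on this page; they are
# App Service's documented header names and are assumed here.
PRINCIPAL_HEADER = "x-ms-client-principal"        # base64-encoded JSON with the claims
PRINCIPAL_ID_HEADER = "x-ms-client-principal-id"  # stable object id of the signed-in user
PRINCIPAL_NAME_HEADER = "x-ms-client-principal-name"

OBJECT_ID_CLAIM = "http://schemas.microsoft.com/identity/claims/objectidentifier"


def decode_principal(headers):
    """Return {"id", "name", "roles"} for the signed-in user, or None if nobody is signed in.

    `headers` maps request header name -> value; lookups are case-insensitive.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get(PRINCIPAL_HEADER)
    if not raw:
        return None
    try:
        principal = json.loads(base64.b64decode(raw, validate=True).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None  # malformed header: treat the request as not signed in
    roles = [c["val"] for c in principal.get("claims", []) if c.get("typ") == "roles"]
    return {
        "id": lowered.get(PRINCIPAL_ID_HEADER, ""),
        "name": lowered.get(PRINCIPAL_NAME_HEADER, ""),
        "roles": roles,
    }


def authorize(headers, allowed_object_ids, required_role=None):
    """Decide whether the request may proceed. Returns (status, reason).

    401: App Service did not authenticate a user (this is what you see when the
         action for unauthenticated requests is left at "Allow Anonymous").
    403: a user is signed in but is not on the allow list or lacks the role.
    200: allowed.
    """
    user = decode_principal(headers)
    if user is None or not user["id"]:
        return 401, "sign-in required"
    if user["id"] not in allowed_object_ids:
        return 403, f"user {user['name'] or user['id']} is not allowed"
    if required_role is not None and required_role not in user["roles"]:
        return 403, f"role {required_role!r} required"
    return 200, "ok"


def sample_headers(object_id, name, roles=()):
    """Constructed headers shaped like the ones App Service injects (sample data only)."""
    claims = [{"typ": OBJECT_ID_CLAIM, "val": object_id}, {"typ": "name", "val": name}]
    claims += [{"typ": "roles", "val": r} for r in roles]
    principal = {"auth_typ": "aad", "claims": claims, "name_typ": "name", "role_typ": "roles"}
    encoded = base64.b64encode(json.dumps(principal).encode("utf-8")).decode("ascii")
    return {
        "X-MS-CLIENT-PRINCIPAL": encoded,
        "X-MS-CLIENT-PRINCIPAL-ID": object_id,
        "X-MS-CLIENT-PRINCIPAL-NAME": name,
    }


# Constructed allow list: object ids of the users permitted to call the admin API.
ALLOWED_ADMINS = {"11111111-1111-1111-1111-111111111111"}

if __name__ == "__main__":
    anonymous = {"Host": "contoso.chinacloudsites.cn"}
    admin = sample_headers("11111111-1111-1111-1111-111111111111", "alice@contoso.example", ["Admin"])
    other = sample_headers("22222222-2222-2222-2222-222222222222", "bob@contoso.example")
    for label, h in [("anonymous", anonymous), ("admin", admin), ("other user", other)]:
        print(label, authorize(h, ALLOWED_ADMINS, required_role="Admin"))
```

The allow list keys on the object id rather than the display name because the name can change while the id is stable. These headers are only trustworthy when the request really came through the App Service authentication layer; if the app can be reached by another path, anyone can set them, so the check above is no substitute for keeping that layer in front of the app.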

Configure with advanced settings

You can also provide configuration settings manually. This is the preferred solution if the Azure Active Directory tenant you wish to use is different from the tenant with which you sign in to Azure. To complete the configuration, you must first create a registration in Azure Active Directory, and then provide some of the registration details to App Service.

Register your App Service app with Azure Active Directory

  1. Sign in to the Azure portal, and navigate to your App Service app. Copy your app URL. You will use this to configure your Azure Active Directory app registration.
  2. Navigate to Active Directory, select App registrations, and then click New application registration at the top to start a new app registration.
  3. In the Create page, enter a Name for your app registration, select the Web app / API type, and in the Sign-on URL box paste the application URL (from step 1). Then click Create.
  4. In a few seconds, you should see the new app registration you just created.
  5. Once the app registration has been added, click the app registration name, click Settings at the top, and then click Properties.
  6. In the App ID URI box, paste the application URL (from step 1); in the Home Page URL box, also paste the application URL (from step 1). Then click Save.
  7. Now click Reply URLs, edit the Reply URL, paste in the application URL (from step 1), and append /.auth/login/aad/callback to the end of the URL (for example, https://contoso.chinacloudsites.cn/.auth/login/aad/callback). Click Save.
  8. At this point, copy the Application ID for the app. Keep it for later use. You will need it to configure your App Service app.
  9. Close the Registered app page. On the App registrations page, click the Endpoints button at the top, and then copy the Federation Metadata Document URL.
  10. Open a new browser window and navigate to the URL by pasting it in and browsing to the XML page. At the top of the document is an EntityDescriptor element. Find the entityID attribute and copy its value. It serves as your Issuer URL. You will configure your application to use it later.

Add Azure Active Directory information to your App Service app

  1. Back in the Azure portal, navigate to your App Service app. Click Authentication/Authorization. If the Authentication/Authorization feature is not enabled, turn the switch to On. Click Azure Active Directory, under Authentication Providers, to configure your app. (Optional) By default, App Service provides authentication but does not restrict authorized access to your site content and APIs. You must authorize users in your app code. Set Action to take when request is not authenticated to Log in with Azure Active Directory. This option requires that all requests be authenticated, and all unauthenticated requests are redirected to Azure Active Directory for authentication.
  2. In the Active Directory Authentication configuration, click Advanced under Management Mode. Paste the Application ID (from step 8) into the Client ID box, and paste the entityID (from step 10) into the Issuer URL value. Then click OK.
  3. On the Active Directory Authentication configuration page, click Save.

You are now ready to use Azure Active Directory for authentication in your App Service app.
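Three of the values in the advanced procedure are derived mechanically: the Reply URL (step 7) and the native client Redirect URI (next section) are the app URL plus a fixed path, and the Issuer URL (step 10) is the entityID attribute on the root EntityDescriptor of the federation metadata document. The following Python is an added example, not part of this article or of any Microsoft tooling, that derives these values so they can be checked before being pasted into the portal; it rejects non-https app URLs and metadata whose root element is not an EntityDescriptor. The metadata sample is constructed, with a placeholder tenant id, and is abridged: a real document is much larger and carries an XML signature that this helper does not verify, so only feed it a document fetched over TLS from the URL the portal gave you.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Namespace of the SAML metadata document served at the "Federation Metadata
# Document" endpoint; its root EntityDescriptor carries the entityID (Issuer URL).
SAML_METADATA_NS = "urn:oasis:names:tc:SAML:2.0:metadata"


def normalize_app_url(app_url):
    """Reduce an App Service URL to its https origin, rejecting anything else."""
    parts = urlsplit(app_url.strip())
    if parts.scheme != "https":
        raise ValueError("the App Service URL must use the https scheme")
    if not parts.netloc:
        raise ValueError("the App Service URL has no host")
    return f"https://{parts.netloc.lower()}"


def reply_url(app_url):
    """Reply URL for the web app registration (step 7 above)."""
    return normalize_app_url(app_url) + "/.auth/login/aad/callback"


def native_redirect_uri(app_url):
    """Redirect URI for a native client registration (see the native client section)."""
    return normalize_app_url(app_url) + "/.auth/login/done"


def issuer_from_federation_metadata(xml_text):
    """Return the entityID of the document's root EntityDescriptor (step 10 above)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_METADATA_NS}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag!r}")
    entity_id = root.get("entityID")
    if not entity_id or urlsplit(entity_id).scheme != "https":
        raise ValueError("EntityDescriptor has no https entityID")
    return entity_id


# Constructed, abridged sample of a federation metadata document. The tenant id
# in the entityID is a placeholder; a real document also carries an XML signature.
CONSTRUCTED_METADATA = """<EntityDescriptor ID="_placeholder-id"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
</EntityDescriptor>
"""

if __name__ == "__main__":
    app = "https://contoso.chinacloudsites.cn"
    print("Reply URL:   ", reply_url(app))
    print("Redirect URI:", native_redirect_uri(app))
    print("Issuer URL:  ", issuer_from_federation_metadata(CONSTRUCTED_METADATA))
```

The Issuer URL is what App Service compares against the iss claim of incoming tokens, so a typo here fails sign-in for everyone rather than for one user; comparing the value pasted into the portal with the one this helper extracts catches that before saving.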

Configure a native client application

You can register native clients, which gives you greater control over permissions mapping. You need this if you wish to perform sign-ins using a client library such as the Active Directory Authentication Library.

  1. In the Azure portal, navigate to Azure Active Directory.
  2. In the left navigation, select App registrations. Click New app registration at the top.
  3. In the Create page, enter a Name for your app registration. Select Native in Application type.
  4. In the Redirect URI box, enter your site's /.auth/login/done endpoint, using the HTTPS scheme. This value should be similar to https://contoso.chinacloudsites.cn/.auth/login/done. If creating a Windows application, instead use the package SID as the URI.
  5. Click Create.
  6. Once the app registration has been added, select it to open it. Find the Application ID and make a note of this value.
  7. Click All settings > Required permissions > Add > Select an API.
  8. Type the name of the App Service app that you registered earlier to search for it, then select it and click Select.
  9. Select Access <app_name>. Then click Select. Then click Done.

You have now configured a native client application that can access your App Service app.