Configure your App Service app to use Azure AD login

This article shows you how to configure Azure App Service to use Azure Active Directory (Azure AD) as an authentication provider.

Follow these best practices when setting up your app and authentication:

  • Give each App Service app its own permissions and consent.
  • Configure each App Service app with its own registration.
  • Avoid permission sharing between environments by using separate app registrations for separate deployment slots. When testing new code, this practice helps prevent issues from affecting the production app.

Configure with express settings

  1. In the Azure portal, search for and select App Services, and then select your app.

  2. From the left navigation, select Authentication / Authorization > On.

  3. Select Azure Active Directory > Express.

    If you want to choose an existing app registration instead:

    1. Choose Select Existing AD app, then click Azure AD App.
    2. Choose an existing app registration and click OK.
  4. Select OK to register the App Service app in Azure Active Directory. A new app registration is created.

    [Screenshot: Express settings in Azure Active Directory]

  5. (Optional) By default, App Service provides authentication but doesn't restrict authorized access to your site content and APIs. You must authorize users in your app code. To restrict app access only to users authenticated by Azure Active Directory, set Action to take when request is not authenticated to Log in with Azure Active Directory. When you set this option, your app requires all requests to be authenticated. It also redirects all unauthenticated requests to Azure Active Directory for authentication.

    Caution

    Restricting access in this way applies to all calls to your app, which might not be desirable for apps that have a publicly available home page, as in many single-page applications. For such applications, Allow anonymous requests (no action) might be preferred, with the app starting login itself. For more information, see Authentication flow.

  6. Select Save.
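Step 5 leaves authorization to the app itself. The Python below is an added example, not code from this article or from App Service: it reads the signed-in identity that App Service forwards to the app after a successful Azure AD login, refuses anonymous requests with a 401 so that a single-page app running under Allow anonymous requests (no action) can start login itself, and then enforces a tenant and role check. The X-MS-CLIENT-PRINCIPAL header name, its base64-encoded JSON layout, the claim type names, and the tenant and role values are assumptions made for this example, and the /.auth/login/aad path is inferred from the /.auth/login/aad/callback redirect URI used later in the article.

```python
"""Authorize App Service requests in app code from the forwarded principal.

Added example. Assumed: after login, App Service puts the signed-in identity in
the X-MS-CLIENT-PRINCIPAL request header as base64-encoded JSON shaped like
{"auth_typ": "aad", "claims": [{"typ": ..., "val": ...}, ...],
 "name_typ": ..., "role_typ": ...}. All sample values are constructed.
"""
import base64
import json
from typing import List, Optional, Tuple

PRINCIPAL_HEADER = "x-ms-client-principal"
TENANT_CLAIM = "http://schemas.microsoft.com/identity/claims/tenantid"


def parse_client_principal(headers: dict) -> Optional[dict]:
    """Return the decoded principal, or None when the request is anonymous or the header is malformed."""
    raw = {k.lower(): v for k, v in headers.items()}.get(PRINCIPAL_HEADER)
    if not raw:
        return None
    try:
        data = json.loads(base64.b64decode(raw))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return None
    # A header we cannot parse must never be treated as a logged-in user.
    return data if isinstance(data, dict) else None


def claim_values(principal: dict, claim_type: str) -> List[str]:
    """All values of one claim type (claims may repeat, e.g. several roles)."""
    return [c["val"] for c in principal.get("claims", []) if c.get("typ") == claim_type]


def authorize(headers: dict, required_role: str, expected_tenant: str) -> Tuple[int, str]:
    """Decide (status, message) for a request that must carry required_role."""
    principal = parse_client_principal(headers)
    if principal is None:
        # Under "Allow anonymous requests (no action)" the app starts login itself:
        # the browser is sent to the provider login path (assumed: /.auth/login/aad).
        return 401, "login required: redirect the browser to /.auth/login/aad"
    if principal.get("auth_typ") != "aad":
        return 403, "identity did not come from the Azure AD provider"
    if expected_tenant not in claim_values(principal, TENANT_CLAIM):
        return 403, "token issued for a different tenant"
    role_type = principal.get("role_typ", "roles")
    if required_role not in claim_values(principal, role_type):
        return 403, f"missing role {required_role}"
    names = claim_values(principal, principal.get("name_typ", "name"))
    return 200, f"hello {names[0] if names else 'user'}"


def make_principal_header(claims: List[Tuple[str, str]]) -> str:
    """Build a header value the way App Service is assumed to (used only for the constructed sample)."""
    payload = {
        "auth_typ": "aad",
        "claims": [{"typ": t, "val": v} for t, v in claims],
        "name_typ": "name",
        "role_typ": "roles",
    }
    return base64.b64encode(json.dumps(payload).encode()).decode()


# Constructed sample request headers (placeholder tenant ID, constructed user).
TENANT = "00000000-0000-0000-0000-000000000000"
ADMIN_HEADERS = {
    "X-MS-CLIENT-PRINCIPAL": make_principal_header(
        [("name", "alice@contoso.example"), (TENANT_CLAIM, TENANT), ("roles", "Admin")]
    )
}

if __name__ == "__main__":
    print(authorize({}, "Admin", TENANT))              # anonymous -> 401
    print(authorize(ADMIN_HEADERS, "Admin", TENANT))   # -> 200
    print(authorize(ADMIN_HEADERS, "Auditor", TENANT)) # wrong role -> 403
```

The tenant check matters even with a single-tenant registration: it makes the app's own authorization independent of whatever audience and issuer settings the portal currently holds.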

Configure with advanced settings

You can configure app settings manually if you want to use an app registration from a different Azure AD tenant. To complete this custom configuration:

  1. Create a registration in Azure AD.
  2. Provide some of the registration details to App Service.

Create an app registration in Azure AD for your App Service app

You'll need the following information when you configure your App Service app:

  • Client ID
  • Tenant ID
  • Client secret (optional)
  • Application ID URI

Perform the following steps:

  1. Sign in to the Azure portal, search for and select App Services, and then select your app. Note your app's URL. You'll use it to configure your Azure Active Directory app registration.

  2. Select Azure Active Directory > App registrations > New registration.

  3. In the Register an application page, enter a Name for your app registration.

  4. In Redirect URI, select Web and type <app-url>/.auth/login/aad/callback. For example, https://contoso.chinacloudsites.cn/.auth/login/aad/callback.

  5. Select Create.

  6. After the app registration is created, copy the Application (client) ID and the Directory (tenant) ID for later.

  7. Select Branding. In Home page URL, enter the URL of your App Service app and select Save.

  8. Select Expose an API > Set. Paste in the URL of your App Service app and select Save.

    Note

    This value is the Application ID URI of the app registration. If your web app requires access to an API in the cloud, you need the Application ID URI of the web app when you configure the cloud App Service resource. You can use this, for example, if you want the cloud service to explicitly grant access to the web app.

  9. Select Add a scope.

    1. In Scope name, enter user_impersonation.
    2. In the text boxes, enter the consent scope name and description you want users to see on the consent page. For example, enter Access my app.
    3. Select Add scope.
  10. (Optional) To create a client secret, select Certificates & secrets > New client secret > Add. Copy the client secret value shown on the page. It won't be shown again.

  11. (Optional) To add multiple Reply URLs, select Authentication.

Enable Azure Active Directory in your App Service app

  1. In the Azure portal, search for and select App Services, and then select your app.

  2. In the left pane, under Settings, select Authentication / Authorization > On.

  3. (Optional) By default, App Service authentication allows unauthenticated access to your app. To enforce user authentication, set Action to take when request is not authenticated to Log in with Azure Active Directory.

  4. Under Authentication Providers, select Azure Active Directory.

  5. In Management mode, select Advanced and configure App Service authentication according to the following table:

    Field: Description
    Client ID: Use the Application (client) ID of the app registration.
    Issuer ID: Use https://login.partner.microsoftonline.cn/<tenant-id>, and replace <tenant-id> with the Directory (tenant) ID of the app registration.
    Client Secret (Optional): Use the client secret you generated in the app registration.
    Allowed Token Audiences: If this is a cloud or server app and you want to allow authentication tokens from a web app, add the Application ID URI of the web app here. The configured Client ID is always implicitly considered to be an allowed audience.
  6. Select OK, and then select Save.
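The table above names three values that decide whether an incoming token is accepted: the issuer, the audience set (the Client ID plus any Allowed Token Audiences), and, implicitly, a valid signature and expiry. The Python below is an added example, not App Service's own validation code, that models those checks in the order a validator should apply them: signature first, then issuer, audience and expiry. Real Azure AD tokens are RS256-signed with keys published by the issuer; to stay self-contained and offline this example stands in an HS256 signature under a constructed key. The tenant ID, client ID, key and timestamps are placeholders; the Application ID URI reuses the contoso.chinacloudsites.cn example from this article.

```python
"""Model of the issuer / audience / expiry checks behind the advanced settings table.

Added example. Assumed: tokens are compact JWTs; the signature is HS256 under a
constructed key instead of Azure AD's published RS256 keys; all IDs are placeholders.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Iterable, Optional, Tuple


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


class AadAuthSettings:
    """The portal fields from the table: Client ID, Issuer ID, Allowed Token Audiences."""

    def __init__(self, client_id: str, tenant_id: str, allowed_token_audiences: Iterable[str] = ()):
        self.client_id = client_id
        self.issuer = f"https://login.partner.microsoftonline.cn/{tenant_id}"
        # The configured Client ID is always an allowed audience, as the table states.
        self.allowed_audiences = {client_id, *allowed_token_audiences}


def make_token(claims: dict, key: bytes) -> str:
    """Sign a JWT with HS256 (constructed stand-in for the issuer's signing key)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_token(token: str, settings: AadAuthSettings, key: bytes,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Nothing in the payload is trusted until the signature checks out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":        # reject algorithm substitution
            return False, "unexpected alg"
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return False, "bad signature"
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return False, "undecodable token"
    # Issuer ID: exact string match, so a stray trailing slash in the portal value would fail here.
    if claims.get("iss") != settings.issuer:
        return False, f"issuer {claims.get('iss')!r} not trusted"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if not any(a in settings.allowed_audiences for a in audiences):
        return False, "audience not allowed"
    if float(claims.get("exp", 0)) <= now:
        return False, "token expired"
    return True, "ok"


# Constructed settings and tokens (placeholder IDs; URI reused from the article's example).
TENANT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_ID = "22222222-2222-2222-2222-222222222222"
WEB_APP_ID_URI = "https://contoso.chinacloudsites.cn"
SETTINGS = AadAuthSettings(CLIENT_ID, TENANT_ID, allowed_token_audiences=[WEB_APP_ID_URI])
DEMO_KEY = b"constructed-demo-key"
NOW = 1_700_000_000


def demo_token(aud, iss: str = SETTINGS.issuer, exp: int = NOW + 600, key: bytes = DEMO_KEY) -> str:
    return make_token({"iss": iss, "aud": aud, "exp": exp, "sub": "constructed-user"}, key)


if __name__ == "__main__":
    print(validate_token(demo_token(CLIENT_ID), SETTINGS, DEMO_KEY, now=NOW))        # (True, 'ok')
    print(validate_token(demo_token(WEB_APP_ID_URI), SETTINGS, DEMO_KEY, now=NOW))   # (True, 'ok')
    print(validate_token(demo_token("https://other.example"), SETTINGS, DEMO_KEY, now=NOW))
```

The second accepted case is the one the Allowed Token Audiences row describes: a token minted for the web app's Application ID URI is accepted by the API app only because that URI was added to the list.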

You're now ready to use Azure Active Directory for authentication in your App Service app.

Configure a native client application

You can register native clients to allow authentication using a client library such as the Active Directory Authentication Library.

  1. In the Azure portal, select Active Directory > App registrations > New registration.

  2. In the Register an application page, enter a Name for your app registration.

  3. In Redirect URI, select Public client (mobile & desktop) and type the URL <app-url>/.auth/login/aad/callback. For example, https://contoso.chinacloudsites.cn/.auth/login/aad/callback.

    Note

    For a Windows application, use the package SID as the URI instead.

  4. Select Create.

  5. After the app registration is created, copy the value of Application (client) ID.

  6. Select API permissions > Add a permission > My APIs.

  7. Select the app registration you created earlier for your App Service app. If you don't see the app registration, make sure that you've added the user_impersonation scope in Create an app registration in Azure AD for your App Service app.

  8. Select user_impersonation, and then select Add permissions.

You have now configured a native client application that can access your App Service app.

Next steps