Configure your App Service app to use Azure Active Directory sign-in

Note

At this time, AAD V2 (including MSAL) is not supported for Azure App Services and Azure Functions. Please check back for updates.

This article shows you how to configure Azure App Services to use Azure Active Directory as an authentication provider.

Configure with express settings

  1. In the Azure portal, navigate to your App Service app. In the left navigation, select Authentication / Authorization.
  2. If Authentication / Authorization is not enabled, select On.
  3. Select Azure Active Directory, and then select Express under Management Mode.
  4. Select OK to register the App Service app in Azure Active Directory. This creates a new app registration. If you want to choose an existing app registration instead, click Select an existing app and then search for the name of a previously created app registration within your tenant. Click the app registration to select it and click OK. Then click OK on the Azure Active Directory settings page. By default, App Service provides authentication but does not restrict authorized access to your site content and APIs. You must authorize users in your app code.
  5. (Optional) To restrict access to your site to only users authenticated by Azure Active Directory, set Action to take when request is not authenticated to Log in with Azure Active Directory. This requires that all requests be authenticated, and all unauthenticated requests are redirected to Azure Active Directory for authentication.

    Caution

    Restricting access in this way applies to all calls to your app, which may not be desirable for apps wanting a publicly available home page, as in many single-page applications. For such applications, Allow anonymous requests (no action) may be preferred, with the app manually starting login itself, as described here.

  6. Click Save.

Configure with advanced settings

You can also provide configuration settings manually. This is the preferred solution if the Azure Active Directory tenant you wish to use is different from the tenant with which you sign into Azure. To complete the configuration, you must first create a registration in Azure Active Directory, and then you must provide some of the registration details to App Service.

Register your App Service app with Azure Active Directory

  1. Sign in to the Azure portal, and navigate to your App Service app. Copy your app URL. You will use this to configure your Azure Active Directory app registration.

  2. Navigate to Active Directory, then select App registrations, then click New application registration at the top to start a new app registration.

  3. In the Create page, enter a Name for your app registration, select the Web App / API type, and in the Sign-on URL box paste the application URL (from step 1). Then click Create.

  4. In a few seconds, you should see the new app registration you just created.

  5. Once the app registration has been added, click on the app registration name, click on Settings at the top, then click on Properties.

  6. In the App ID URI box, paste in the Application URL (from step 1), also paste the Application URL (from step 1) into the Home Page URL box, then click Save.

  7. Now click on Reply URLs, edit the Reply URL, paste in the Application URL (from step 1), then append /.auth/login/aad/callback to the end of the URL (for example, https://contoso.chinacloudsites.cn/.auth/login/aad/callback). Click Save.

    Note

    You can use the same app registration for multiple domains by adding additional Reply URLs. Make sure to model each App Service instance with its own registration, so it has its own permissions and consent. Also consider using separate app registrations for separate site slots. This is to avoid permissions being shared between environments, so that a bug in new code you are testing does not affect production.

  8. At this point, copy the Application ID for the app. Keep it for later use. You will need it to configure your App Service app.

  9. Close the Registered app page. On the App registrations page, click on the Endpoints button at the top, then copy the WS-FEDERATION SIGN-ON ENDPOINT URL but remove the /wsfed ending from the URL. The end result should look like https://login.chinacloudapi.cn/00000000-0000-0000-0000-000000000000. The domain name may be different for a sovereign cloud. This will serve as the Issuer URL later.

Add Azure Active Directory information to your App Service app

  1. Back in the Azure portal, navigate to your App Service app. Click Authentication/Authorization. If the Authentication/Authorization feature is not enabled, turn the switch to On. Click on Azure Active Directory, under Authentication Providers, to configure your app.

    (Optional) By default, App Service provides authentication but does not restrict authorized access to your site content and APIs. You must authorize users in your app code. Set Action to take when request is not authenticated to Log in with Azure Active Directory. This option requires that all requests be authenticated, and all unauthenticated requests are redirected to Azure Active Directory for authentication.

  2. In the Active Directory Authentication configuration, click Advanced under Management Mode. Paste the Application ID (from step 8) into the Client ID box and paste the URL (from step 9) into the Issuer URL value. Then click OK.

  3. On the Active Directory Authentication configuration page, click Save.

You are now ready to use Azure Active Directory for authentication in your App Service app.
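Both procedures above note that App Service only authenticates the caller; your app code still has to authorize the user, and an app that allows anonymous requests has to start the login itself. The following is an added example, not code from this article or from Azure. It assumes the headers App Service injects after an AAD sign-in (X-MS-CLIENT-PRINCIPAL as base64 JSON with a claims list, plus X-MS-CLIENT-PRINCIPAL-ID and -NAME), the standard AAD tid and oid token claims, and the /.auth/login/aad endpoint with a post_login_redirect_url parameter; the tenant is taken from the Issuer URL copied in step 9, and the sample headers are constructed.

```python
import base64
import json
from urllib.parse import quote

# Issuer URL as copied in step 9 (placeholder tenant GUID); the tenant ID is its last segment.
ISSUER_URL = "https://login.chinacloudapi.cn/00000000-0000-0000-0000-000000000000"
EXPECTED_TENANT = ISSUER_URL.rstrip("/").rsplit("/", 1)[-1]
# Constructed allow list of AAD object IDs (oid claim) permitted to use this app.
ALLOWED_OBJECT_IDS = {"11111111-1111-1111-1111-111111111111"}


def make_headers(tid, oid, name):
    """Constructed stand-in for the headers App Service injects after AAD sign-in
    (assumed format: X-MS-CLIENT-PRINCIPAL is base64 JSON with a claims list)."""
    principal = {"auth_typ": "aad",
                 "claims": [{"typ": "tid", "val": tid}, {"typ": "oid", "val": oid}]}
    return {
        "X-MS-CLIENT-PRINCIPAL-ID": oid,
        "X-MS-CLIENT-PRINCIPAL-NAME": name,
        "X-MS-CLIENT-PRINCIPAL": base64.b64encode(json.dumps(principal).encode()).decode(),
    }


def claims_from_headers(headers):
    """Decode the principal header into a {claim type: value} dict, or None if absent."""
    raw = headers.get("X-MS-CLIENT-PRINCIPAL")
    if not raw:
        return None
    data = json.loads(base64.b64decode(raw))
    return {c["typ"]: c["val"] for c in data.get("claims", [])}


def authorize(headers):
    """Per-user authorization that App Service leaves to app code. Returns (allowed, reason)."""
    claims = claims_from_headers(headers)
    if claims is None:
        return False, "anonymous"          # caller should be sent to login_redirect()
    if claims.get("tid") != EXPECTED_TENANT:
        return False, "wrong tenant"       # token from a tenant other than the Issuer URL's
    if claims.get("oid") not in ALLOWED_OBJECT_IDS:
        return False, "user not allowed"   # authenticated, but not authorized for this app
    return True, "ok"


def login_redirect(return_path="/"):
    """Location an app with 'Allow anonymous requests' uses to start the AAD login itself."""
    return "/.auth/login/aad?post_login_redirect_url=" + quote(return_path, safe="")
```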

Configure a native client application

You can register native clients, which provides greater control over permissions mapping. You need this if you wish to perform sign-ins using a client library such as the Active Directory Authentication Library.

  1. Navigate to Azure Active Directory in the Azure portal.
  2. In the left navigation, select App registrations. Click New app registration at the top.
  3. In the Create page, enter a Name for your app registration. Select Native in Application type.
  4. In the Redirect URI box, enter your site's /.auth/login/done endpoint, using the HTTPS scheme. This value should be similar to https://contoso.chinacloudsites.cn/.auth/login/done. If creating a Windows application, instead use the package SID as the URI.
  5. Click Create.
  6. Once the app registration has been added, select it to open it. Find the Application ID and make a note of this value.
  7. Click All settings > Required permissions > Add > Select an API.
  8. Type the name of the App Service app that you registered earlier to search for it, then select it and click Select.
  9. Select Access <app_name>. Then click Select. Then click Done.

You have now configured a native client application that can access your App Service app.