Configure your App Service or Azure Functions app to use Azure AD login

This article shows you how to configure Azure App Service or Azure Functions to use Azure Active Directory (Azure AD) as an authentication provider.

Note

The express settings flow sets up an AAD V1 application registration. If you want to use Azure Active Directory v2.0 (including MSAL), follow the advanced configuration instructions.

Follow these best practices when setting up your app and authentication:

  • Give each App Service app its own permissions and consent.
  • Configure each App Service app with its own registration.
  • Avoid permission sharing between environments by using separate app registrations for separate deployment slots. When testing new code, this practice can help prevent issues from affecting the production app.

Note

This feature is currently not available on the Linux Consumption plan for Azure Functions.

Configure with advanced settings

You can configure app settings manually if you want to use an app registration from a different Azure AD tenant. To complete this custom configuration:

  1. Create a registration in Azure AD.
  2. Provide some of the registration details to App Service.

Create an app registration in Azure AD for your App Service app

You'll need the following information when you configure your App Service app:

  • Client ID
  • Tenant ID
  • Client secret (optional)
  • Application ID URI

Perform the following steps:

  1. Sign in to the Azure portal, search for and select App Services, and then select your app. Note your app's URL. You'll use it to configure your Azure Active Directory app registration.

  2. Select Azure Active Directory > App registrations > New registration.

  3. In the Register an application page, enter a Name for your app registration.

  4. In Redirect URI, select Web and type <app-url>/.auth/login/aad/callback. For example, https://contoso.chinacloudsites.cn/.auth/login/aad/callback.

  5. Select Create.

  6. After the app registration is created, copy the Application (client) ID and the Directory (tenant) ID for later.

  7. Select Authentication. Under Implicit grant, enable ID tokens to allow OpenID Connect user sign-ins from App Service.

  8. (Optional) Select Branding. In Home page URL, enter the URL of your App Service app and select Save.

  9. Select Expose an API > Set. For a single-tenant app, paste in the URL of your App Service app and select Save. For a multi-tenant app, paste in a URL based on one of the tenant's verified domains and then select Save.

    Note

    This value is the Application ID URI of the app registration. If your web app requires access to an API in the cloud, you need the Application ID URI of the web app when you configure the cloud App Service resource. You can use this, for example, if you want the cloud service to explicitly grant access to the web app.

  10. Select Add a scope.

    1. In Scope name, enter user_impersonation.
    2. In the text boxes, enter the consent scope name and description you want users to see on the consent page. For example, enter Access my app.
    3. Select Add scope.
  11. (Optional) To create a client secret, select Certificates & secrets > New client secret > Add. Copy the client secret value shown on the page. It won't be shown again.

  12. (Optional) To add multiple Reply URLs, select Authentication.

Enable Azure Active Directory in your App Service app

  1. In the Azure portal, search for and select App Services, and then select your app.

  2. In the left pane, under Settings, select Authentication / Authorization > On.

  3. (Optional) By default, App Service authentication allows unauthenticated access to your app. To enforce user authentication, set Action to take when request is not authenticated to Log in with Azure Active Directory.

  4. Under Authentication Providers, select Azure Active Directory.

  5. In Management mode, select Advanced and configure App Service authentication according to the following fields:

    • Client ID: Use the Application (client) ID of the app registration.
    • Issuer Url: Use <authentication-endpoint>/<tenant-id>/v2.0. Replace <authentication-endpoint> with the authentication endpoint for your cloud environment (for example, "https://login.chinacloudapi.cn" for China Azure) and <tenant-id> with the Directory (tenant) ID in which the app registration was created. This value is used to redirect users to the correct Azure AD tenant and to download the metadata from which App Service determines, for example, the token signing keys and the expected token issuer claim value. For applications that use Azure AD v1 and for Azure Functions apps, omit /v2.0 in the URL.
    • Client Secret (Optional): Use the client secret you generated in the app registration.
    • Allowed Token Audiences: If this is a cloud or server app and you want to accept authentication tokens issued for a web app, add the Application ID URI of the web app here. The configured Client ID is always implicitly considered to be an allowed audience.
  6. Select OK, and then select Save.

You're now ready to use Azure Active Directory for authentication in your App Service app.
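The issuer and audience rules in the field list above decide whether App Service accepts a bearer token. The Python below is an added example written for this page, not Microsoft's or App Service's own code: it builds the Issuer Url for the v2.0 and v1 cases, derives the standard OpenID Connect discovery URL that App Service fetches, and applies the issuer, audience and expiry checks to a token's claims. Signature verification against the keys named in that metadata is deliberately left out, and the tenant ID, client ID, Application ID URI and the alg=none sample token are placeholders constructed for the example.

```python
import base64
import json
import time

# Constructed for this example; real values come from your own tenant and app registration.
AUTH_ENDPOINT_CHINA = "https://login.chinacloudapi.cn"


def issuer_url(authentication_endpoint, tenant_id, use_v2=True):
    """Build the Issuer Url value as described above: <endpoint>/<tenant-id>/v2.0,
    with /v2.0 omitted for Azure AD v1 applications and for Azure Functions apps."""
    base = f"{authentication_endpoint.rstrip('/')}/{tenant_id}"
    return f"{base}/v2.0" if use_v2 else base


def metadata_url(issuer):
    """OpenID Connect discovery document that App Service downloads from the Issuer Url
    to learn the signing keys and the issuer claim value it should expect."""
    return f"{issuer}/.well-known/openid-configuration"


def _b64url_decode(segment):
    """Base64url decoding with the padding that JWT segments drop."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Parse the claims of a compact JWT. Signature verification is intentionally not
    done here; App Service checks it against the keys named in the metadata document."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))


def validate_claims(claims, expected_issuer, client_id, allowed_token_audiences=(), now=None):
    """Apply the issuer and audience rules: the iss claim must equal the issuer learned
    from the metadata document, and the audience must be the Client ID (always implicitly
    allowed) or one of the Allowed Token Audiences. Expired tokens are rejected as well.
    Returns (accepted, reason) so the caller can log why a token was refused."""
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    audiences = set(aud) if isinstance(aud, list) else {aud}
    if not audiences & {client_id, *allowed_token_audiences}:
        return False, "audience not allowed"
    if "exp" in claims and claims["exp"] <= now:
        return False, "token expired"
    return True, "ok"


def make_unsigned_token(claims):
    """Constructed sample token for local experiments only (alg=none, empty signature).
    Azure AD never issues tokens like this; it exists so the checks above can be exercised."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    tenant = "00000000-0000-0000-0000-000000000000"        # placeholder Directory (tenant) ID
    client = "11111111-1111-1111-1111-111111111111"        # placeholder Application (client) ID
    issuer = issuer_url(AUTH_ENDPOINT_CHINA, tenant)
    token = make_unsigned_token({"iss": issuer, "aud": "api://contoso-web", "exp": time.time() + 3600})
    # The web app's Application ID URI is listed under Allowed Token Audiences, so the token is accepted.
    print(metadata_url(issuer))
    print(validate_claims(decode_jwt_claims(token), issuer, client,
                          allowed_token_audiences=("api://contoso-web",)))
```

The `expected_issuer` argument is kept separate from the Issuer Url on purpose: App Service takes the issuer value from the downloaded metadata rather than assuming it equals the configured URL, and the two differ for v1 tokens.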

Configure a native client application

You can register native clients to allow authentication to Web APIs hosted in your app using a client library such as the Active Directory Authentication Library.

  1. In the Azure portal, select Active Directory > App registrations > New registration.

  2. In the Register an application page, enter a Name for your app registration.

  3. In Redirect URI, select Public client (mobile & desktop) and type the URL <app-url>/.auth/login/aad/callback. For example, https://contoso.chinacloudsites.cn/.auth/login/aad/callback.

    Note

    For a Microsoft Store application, use the package SID as the URI instead.

  4. Select Create.

  5. After the app registration is created, copy the value of Application (client) ID.

  6. Select API permissions > Add a permission > My APIs.

  7. Select the app registration you created earlier for your App Service app. If you don't see the app registration, make sure that you've added the user_impersonation scope in Create an app registration in Azure AD for your App Service app.

  8. Under Delegated permissions, select user_impersonation, and then select Add permissions.

You have now configured a native client application that can access your App Service app on behalf of a user.

Configure a daemon client application for service-to-service calls

Your application can acquire a token to call a Web API hosted in your App Service or Functions app on behalf of itself (not on behalf of a user). This scenario is useful for non-interactive daemon applications that perform tasks without a logged-in user. It uses the standard OAuth 2.0 client credentials grant.

  1. In the Azure portal, select Active Directory > App registrations > New registration.
  2. In the Register an application page, enter a Name for your daemon app registration.
  3. For a daemon application, you don't need a Redirect URI, so you can leave it empty.
  4. Select Create.
  5. After the app registration is created, copy the value of Application (client) ID.
  6. Select Certificates & secrets > New client secret > Add. Copy the client secret value shown on the page. It won't be shown again.

You can now request an access token using the client ID and client secret by setting the resource parameter to the Application ID URI of the target app. The resulting access token can then be presented to the target app using the standard OAuth 2.0 Authorization header, and App Service Authentication / Authorization will validate and use the token as usual, now indicating that the caller (an application in this case, not a user) is authenticated.

At present, this allows any client application in your Azure AD tenant to request an access token and authenticate to the target app. If you also want to enforce authorization to allow only certain client applications, you must perform some additional configuration.

  1. Define an App Role in the manifest of the app registration representing the App Service or Functions app you want to protect.
  2. On the app registration representing the client that needs to be authorized, select API permissions > Add a permission > My APIs.
  3. Select the app registration you created earlier. If you don't see the app registration, make sure that you've added an App Role.
  4. Under Application permissions, select the App Role you created earlier, and then select Add permissions.
  5. Make sure to click Grant admin consent to authorize the client application to request the permission.
  6. As in the previous scenario (before any roles were added), you can now request an access token for the same target resource, and the access token will include a roles claim containing the App Roles that were authorized for the client application.
  7. Within the target App Service or Functions app code, you can now validate that the expected roles are present in the token (this is not performed by App Service Authentication / Authorization). For more information, see Access user claims.

You have now configured a daemon client application that can access your App Service app using its own identity.
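Both halves of the daemon scenario above, the client credentials request and the roles check that the target app must do itself, in one added Python example written for this page (not Microsoft's or App Service's own code). The token endpoint is the Azure AD v1 endpoint <authentication-endpoint>/<tenant-id>/oauth2/token, which is the one that takes the resource parameter the text refers to; the endpoint constant, tenant ID, client ID, secret, Application ID URI and role name are placeholders constructed for the example, and the request object is built but not sent.

```python
from urllib.parse import urlencode
from urllib.request import Request

# Constructed for this example; the endpoint, tenant, IDs, secret and URI are placeholders.
AUTH_ENDPOINT_CHINA = "https://login.chinacloudapi.cn"


def client_credentials_request(authentication_endpoint, tenant_id, client_id, client_secret, resource):
    """Build the OAuth 2.0 client credentials grant request. `resource` is the Application ID
    URI of the target App Service or Functions app. Returns a urllib Request ready to send."""
    url = f"{authentication_endpoint.rstrip('/')}/{tenant_id}/oauth2/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }).encode()
    return Request(url, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


def bearer_header(access_token):
    """Present the token to the target app with the standard OAuth 2.0 Authorization header;
    App Service Authentication / Authorization validates it before the app code runs."""
    return {"Authorization": f"Bearer {access_token}"}


def granted_roles(claims):
    """App Roles that Azure AD authorised for the calling application. A client that was
    never assigned a role (the 'any client in the tenant' case) gets a token with no roles
    claim, so an absent claim means no roles, not an error."""
    roles = claims.get("roles", [])
    return [roles] if isinstance(roles, str) else list(roles)


def authorize_caller(claims, required_role):
    """The check the target app's own code must perform: App Service validates the token
    but does not evaluate App Roles. Returns the HTTP status the app should respond with."""
    return 200 if required_role in granted_roles(claims) else 403


if __name__ == "__main__":
    req = client_credentials_request(
        AUTH_ENDPOINT_CHINA,
        "00000000-0000-0000-0000-000000000000",      # placeholder tenant ID
        "22222222-2222-2222-2222-222222222222",      # placeholder daemon client ID
        "<client-secret>",                           # placeholder, never hard-code a real one
        "api://contoso-web",                         # placeholder Application ID URI
    )
    print(req.full_url, req.data.decode())
    # Constructed claims as the target app would see them for an authorised daemon.
    print(authorize_caller({"roles": ["Invoice.Read"]}, "Invoice.Read"))   # 200
    print(authorize_caller({}, "Invoice.Read"))                            # 403
```

Sending the request with `urllib.request.urlopen(req)` returns JSON whose `access_token` field goes into `bearer_header`; the daemon's secret belongs in a secret store, not in the source, and the app-side check should run on the claims App Service has already validated.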

Next steps