Configure your App Service app to use Microsoft Account login

This topic shows you how to configure Azure App Service to use AAD to support personal Microsoft account logins.

Note

Both personal Microsoft accounts and organizational accounts use the AAD identity provider. At this time, it is not possible to configure this identity provider to support both types of login.

Register your app with Microsoft Account

  1. Go to App registrations in the Azure portal. If needed, sign in with your Microsoft account.

  2. Select New registration, then enter an application name.

  3. Under Supported account types, select Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox).

  4. In Redirect URIs, select Web, and then enter https://<app-domain-name>/.auth/login/aad/callback. Replace <app-domain-name> with the domain name of your app. For example, https://contoso.chinacloudsites.cn/.auth/login/aad/callback. Be sure to use the HTTPS scheme in the URL.

  5. Select Register.

  6. Copy the Application (Client) ID. You'll need it later.

  7. From the left pane, select Certificates & secrets > New client secret. Enter a description, select the validity duration, and select Add.

  8. Copy the value that appears on the Certificates & secrets page. After you leave the page, it won't be displayed again.

    Important

    The client secret value (password) is an important security credential. Do not share the password with anyone or distribute it within a client application.

Add Microsoft Account information to your App Service application

  1. Go to your application in the Azure portal.

  2. Select Settings > Authentication / Authorization, and make sure that App Service Authentication is On.

  3. Under Authentication Providers, select Azure Active Directory. Select Advanced under Management mode. Paste in the Application (client) ID and client secret that you obtained earlier. Use https://login.partner.microsoftonline.cn/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0 for the Issuer Url field.

  4. Select OK.

    App Service provides authentication, but doesn't restrict authorized access to your site content and APIs. You must authorize users in your app code.

  5. (Optional) To restrict access to Microsoft account users, set Action to take when request is not authenticated to Log in with Azure Active Directory. When you set this functionality, your app requires all requests to be authenticated. It also redirects all unauthenticated requests to use AAD for authentication. Note that because you have configured your Issuer Url to use the Microsoft Account tenant, only personal accounts will successfully authenticate.

    Note

    Restricting access in this way applies to all calls to your app, which might not be desirable for apps that have a publicly available home page, as in many single-page applications. For such applications, Allow anonymous requests (no action) might be preferred so that the app manually starts authentication itself. For more information, see Authentication flow.

  6. Select Save.

You are now ready to use Microsoft Account for authentication in your app.
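The note under step 4 is the part of this setup that most often gets skipped: App Service Authentication only proves who the caller is, and the app still has to decide what that caller may do. The following Python is an added example, not code from this page or from App Service itself. It shows one way an app can perform that authorization using the X-MS-CLIENT-PRINCIPAL header that App Service Authentication injects into requests it has authenticated (a base64-encoded JSON document with an auth_typ field and a list of typ/val claims). It checks that the provider is aad, that the token issuer matches the Issuer Url configured above, and that the user's object id is on an allow-list. The long-form object id claim type, the allow-list values and the request-header dict are assumptions made for the example; the make_principal_header helper only constructs a header of that shape for local testing.

```python
import base64
import json

# Issuer Url that the steps above configure for the Microsoft Account tenant.
MSA_ISSUER = "https://login.partner.microsoftonline.cn/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0"

# Claim type assumed to carry the AAD object id inside X-MS-CLIENT-PRINCIPAL
# (long-form name; verify against a real principal header from your app).
OID_CLAIM = "http://schemas.microsoft.com/identity/claims/objectidentifier"

# Constructed allow-list of object ids permitted to use the app (hypothetical).
ALLOWED_OBJECT_IDS = {"11111111-1111-1111-1111-111111111111"}


class AuthorizationError(Exception):
    """Raised when a request must not reach the protected handler."""


def decode_client_principal(header_value):
    """Decode the base64 JSON that App Service places in X-MS-CLIENT-PRINCIPAL.

    Returns (auth_typ, claims) where claims maps a claim type to its values.
    Padding is restored so an unpadded header value decodes as well.
    """
    padded = header_value + "=" * (-len(header_value) % 4)
    principal = json.loads(base64.urlsafe_b64decode(padded))
    claims = {}
    for claim in principal.get("claims", []):
        claims.setdefault(claim["typ"], []).append(claim["val"])
    return principal.get("auth_typ"), claims


def authorize_request(headers):
    """Return the object id of an authorized user, or raise AuthorizationError.

    `headers` is a dict of the request headers as received behind App Service.
    Every check fails closed: a missing or unexpected value denies the request.
    """
    header_value = headers.get("X-MS-CLIENT-PRINCIPAL")
    if not header_value:
        raise AuthorizationError("anonymous request")
    auth_typ, claims = decode_client_principal(header_value)
    if auth_typ != "aad":
        raise AuthorizationError(f"unexpected identity provider: {auth_typ!r}")
    # Exactly one issuer claim, and it must be the Microsoft Account tenant.
    if claims.get("iss") != [MSA_ISSUER]:
        raise AuthorizationError("token was not issued by the Microsoft Account tenant")
    oids = claims.get(OID_CLAIM, [])
    if len(oids) != 1:
        raise AuthorizationError("missing or ambiguous object id claim")
    if oids[0] not in ALLOWED_OBJECT_IDS:
        raise AuthorizationError(f"user {oids[0]} is not on the allow-list")
    return oids[0]


def is_authorized(headers):
    """Boolean convenience wrapper around authorize_request()."""
    try:
        authorize_request(headers)
        return True
    except AuthorizationError:
        return False


def make_principal_header(auth_typ, claims):
    """Build a header value of the assumed shape (constructed, for local tests)."""
    body = {"auth_typ": auth_typ,
            "claims": [{"typ": typ, "val": val} for typ, val in claims]}
    return base64.b64encode(json.dumps(body).encode()).decode()


if __name__ == "__main__":
    # Constructed request as App Service would present it after a successful login.
    sample = {"X-MS-CLIENT-PRINCIPAL": make_principal_header("aad", [
        ("iss", MSA_ISSUER),
        (OID_CLAIM, "11111111-1111-1111-1111-111111111111"),
        ("name", "Constructed User"),
    ])}
    print("authorized object id:", authorize_request(sample))
    print("anonymous request authorized:", is_authorized({}))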

后续步骤 Next steps