Tutorial: Add authentication to your web app running on Azure App Service

Learn how to enable authentication for your web app running on Azure App Service and limit access to users in your organization.

Diagram that shows user sign-in.

App Service provides built-in authentication and authorization support, so you can sign in users and access data by writing minimal or no code in your web app. Using the App Service authentication/authorization module isn't required, but it helps simplify authentication and authorization for your app. This article shows how to secure your web app with the App Service authentication/authorization module by using Azure Active Directory (Azure AD) as the identity provider.

The authentication/authorization module is enabled and configured through the Azure portal and app settings. No SDKs, specific languages, or changes to application code are required. A variety of identity providers are supported, including Azure AD, Microsoft Account, Facebook, Google, and Twitter. When the authentication/authorization module is enabled, every incoming HTTP request passes through it before being handled by app code. To learn more, see Authentication and authorization in Azure App Service.

In this tutorial, you learn how to:

  • Configure authentication for the web app.
  • Limit access to the web app to users in your organization.

If you don't have an Azure trial subscription, create a trial subscription before you begin.

Create and publish a web app on App Service

For this tutorial, you need a web app deployed to App Service. You can use an existing web app, or you can follow the ASP.NET Core quickstart to create and publish a new web app to App Service.

Whether you use an existing web app or create a new one, take note of the web app name and the name of the resource group that the web app is deployed to. You need these names throughout this tutorial. Throughout this tutorial, example names in procedures and screenshots contain SecureWebApp.

Configure authentication and authorization

You now have a web app running on App Service. Next, you enable authentication and authorization for the web app. You use Azure AD as the identity provider. For more information, see Configure Azure AD authentication for your App Service application.

In the Azure portal menu, select Resource groups, or search for and select Resource groups from any page.

In Resource groups, find and select your resource group. In Overview, select your app's management page.

Screenshot that shows how to select your app's management page.

On your app's left menu, select Authentication / Authorization, and then enable App Service Authentication by selecting On.

In Action to take when request is not authenticated, select Log in with Azure Active Directory.

Under Authentication Providers, select Azure Active Directory. Select Express, and then accept the default settings to create a new Active Directory app. Select OK.

Screenshot that shows Express authentication.

On the Authentication / Authorization page, select Save.

When you see the notification with the message Successfully saved the Auth Settings for <app-name> App, refresh the portal page.

You now have an app that's secured by App Service authentication and authorization.

Verify limited access to the web app

When you enabled the App Service authentication/authorization module, an app registration was created in your Azure AD tenant. The app registration has the same display name as your web app. To check the settings, select Azure Active Directory from the portal menu, and select App registrations. Select the app registration that was created. In the overview, verify that Supported account types is set to My organization only.

Screenshot that shows how to verify access.

To verify that access to your app is limited to users in your organization, start a browser in incognito or private mode and go to https://<app-name>.chinacloudsites.cn. You should be directed to a secured sign-in page, verifying that unauthenticated users aren't allowed access to the site. Sign in as a user in your organization to gain access to the site. You can also start up a new browser and try to sign in by using a personal account to verify that users outside the organization don't have access.
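The settings checked in this section can also be audited from exported JSON. The following is an added example, not part of the original tutorial: it inspects data shaped like the output of `az webapp auth show` and `az ad app show`. The field names and the sample values are assumptions; confirm them against the output of your CLI version.

```python
import json

# Constructed sample inputs (not from the original tutorial). They mimic the
# JSON printed by `az webapp auth show` and `az ad app show`; the IDs are
# placeholders.
SAMPLE_AUTH_SETTINGS = json.loads("""
{
  "enabled": true,
  "unauthenticatedClientAction": "RedirectToLoginPage",
  "defaultProvider": "AzureActiveDirectory",
  "clientId": "00000000-0000-0000-0000-000000000000"
}
""")
SAMPLE_APP_REGISTRATION = json.loads("""
{
  "displayName": "SecureWebApp",
  "appId": "00000000-0000-0000-0000-000000000000",
  "signInAudience": "AzureADMyOrg"
}
""")


def audit_app_service_auth(auth, registration):
    """Return a list of findings; an empty list means the configuration
    this tutorial sets up is in place."""
    findings = []
    if not auth.get("enabled"):
        findings.append("App Service Authentication is off")
    # AllowAnonymous would let unauthenticated requests reach app code.
    if auth.get("unauthenticatedClientAction") != "RedirectToLoginPage":
        findings.append("unauthenticated requests are not redirected to sign-in")
    if auth.get("defaultProvider") != "AzureActiveDirectory":
        findings.append("default provider is not Azure Active Directory")
    # The web app must point at the registration being inspected.
    client_id = auth.get("clientId")
    if not client_id or client_id != registration.get("appId"):
        findings.append("auth settings reference a different app registration")
    # AzureADMyOrg is the value behind "My organization only".
    if registration.get("signInAudience") != "AzureADMyOrg":
        findings.append("supported account types is not 'My organization only'")
    return findings


if __name__ == "__main__":
    result = audit_app_service_auth(SAMPLE_AUTH_SETTINGS, SAMPLE_APP_REGISTRATION)
    print("\n".join(result) if result else "OK")
```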

Clean up resources

If you're finished with this tutorial and no longer need the web app or associated resources, clean up the resources you created.

Next steps

In this tutorial, you learned how to:

  • Configure authentication for the web app.
  • Limit access to the web app to users in your organization.