Use an app identity to access resources

Applies to: Azure Stack integrated systems and Azure Stack Development Kit (ASDK)

An application that needs to deploy or configure resources through Azure Resource Manager must be represented by a service principal. Just as a user is represented by a user principal, a service principal is a type of security principal that represents an app. The service principal provides an identity for your app, allowing you to delegate only the necessary permissions to that service principal.

As an example, you may have a configuration management app that uses Azure Resource Manager to inventory Azure resources. In this scenario, you can create a service principal, grant the Reader role to that service principal, and so limit the configuration management app to read-only access.

Overview

Like a user principal, a service principal must present credentials during authentication. This authentication consists of two elements:

  • An Application ID, sometimes referred to as a Client ID. This is a GUID that uniquely identifies the app's registration in your Active Directory tenant.
  • A secret associated with the Application ID. You can either generate a client secret string (similar to a password), or specify an X509 certificate (which uses its public key).

Running an app under the identity of a service principal is preferable to running it under a user principal because:

  • A service principal can use an X509 certificate for stronger credentials.
  • You can assign more restrictive permissions to a service principal. Typically, these permissions are restricted to only what the app needs to do, known as the principle of least privilege.
  • Service principal credentials and permissions don't change as frequently as user credentials, which change, for example, when the user's responsibilities change, when password requirements dictate a change, or when a user leaves the company.

You start by creating a new app registration in your directory, which creates an associated service principal object to represent the app's identity within the directory. This document describes the process of creating and managing a service principal, depending on the directory you chose for your Azure Stack instance:

  • Azure Active Directory (Azure AD). Azure AD is a multi-tenant, cloud-based directory and identity management service. You can use Azure AD with a connected Azure Stack instance.
  • Active Directory Federation Services (AD FS). AD FS provides simplified, secured identity federation and web single sign-on (SSO) capabilities. You can use AD FS with both connected and disconnected Azure Stack instances.

First you learn how to manage a service principal, then how to assign the service principal to a role, limiting its resource access.

Manage an Azure AD service principal

If you deployed Azure Stack with Azure AD as your identity management service, you can create service principals just as you do for Azure. This section shows you how to perform the steps through the Azure portal. Check that you have the required Azure AD permissions before beginning.

Create a service principal that uses a client secret credential

In this section, you register your app using the Azure portal, which creates the service principal object in your Azure AD tenant. In this example, the service principal is created with a client secret credential, but the portal also supports X509 certificate-based credentials.

  1. Sign in to the Azure portal using your Azure account.

  2. Select Azure Active Directory > App registrations > New registration.

  3. Provide a name for the app.

  4. Select the appropriate Supported account types.

  5. Under Redirect URI, select Web as the app type, and (optionally) specify a redirect URI if your app requires it.

  6. After setting the values, select Register. The app registration is created and the Overview page displays.

  7. Copy the Application ID for use in your app code. This value is also referred to as the Client ID.

  8. To generate a client secret, select the Certificates & secrets page. Select New client secret.

  9. Provide a description for the secret, and an expiry duration.

  10. When done, select Add.

  11. The value of the secret displays. Copy and save this value in another location, because you can't retrieve it later. You provide the secret together with the Application ID in your client app during service principal sign-in.

    (Screenshot: the saved key under Client secrets)

Manage an AD FS service principal

If you deployed Azure Stack with AD FS as your identity management service, you must use PowerShell to manage the service principal. Examples are provided below for managing service principal credentials, demonstrating both an X509 certificate and a client secret.

The scripts must be run in an elevated ("Run as administrator") PowerShell console, which opens another session to a VM that hosts a privileged endpoint for your Azure Stack instance. Once the privileged endpoint session has been established, additional cmdlets execute there to manage the service principal. For more information about the privileged endpoint, see Using the privileged endpoint in Azure Stack.

Create a service principal that uses a certificate credential

When creating a certificate for a service principal credential, the following requirements must be met:

  • For production, the certificate must be issued from either an internal Certificate Authority or a public Certificate Authority. If you use a public certificate authority, the authority must be included in the base operating system image as part of the Microsoft Trusted Root Authority Program. You can find the full list at Microsoft Trusted Root Certificate Program: Participants. An example of creating a "self-signed" test certificate is also shown later, under Update a service principal's certificate credential.
  • The cryptographic provider must be specified as a Microsoft legacy Cryptographic Service Provider (CSP) key provider.
  • The certificate must be in PFX format, because both the public and private keys are required. Windows servers use .pfx files that contain the public key file (SSL certificate file) and the associated private key file.
  • Your Azure Stack infrastructure must have network access to the certificate authority's Certificate Revocation List (CRL) location published in the certificate. This CRL must be an HTTP endpoint.
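A pre-flight check for the requirements just listed, added here as an example and not part of the original article: it inspects a certificate from the local store for a private key, a legacy CSP key container, an HTTP CRL distribution point and a non-self-signed issuer, so a bad credential is rejected before it is ever registered. Test-SpCertificate is a hypothetical helper name, and <YourCertificateLocation> is the article's placeholder.

```powershell
# Added example (not from the original article). Checks a certificate against the
# service principal credential requirements before it is registered with the directory.
function Test-SpCertificate {
    param(
        [Parameter(Mandatory)][string]$CertificateLocation,
        # Self-signed test certificates are acceptable only outside production.
        [switch]$Production
    )

    $cert = Get-Item $CertificateLocation
    $findings = New-Object System.Collections.Generic.List[string]
    $legacyCsp = $false
    $provider = $null

    # 1. A PFX carries both halves of the key pair, so the private key must be present.
    if (-not $cert.HasPrivateKey) {
        $findings.Add("No private key is associated with this certificate; a PFX needs both keys.")
    }

    # 2. Legacy CSP requirement. A key held by a legacy Microsoft CSP surfaces as
    #    RSACryptoServiceProvider with CspKeyContainerInfo; a key held by a CNG key
    #    storage provider does not, and reading .PrivateKey can throw on older frameworks.
    try {
        $key = $cert.PrivateKey
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $legacyCsp = $true
            $provider = $key.CspKeyContainerInfo.ProviderName
        }
    } catch {
        # Fall through: a CNG-backed key is reported below as not legacy CSP.
    }
    if (-not $legacyCsp) {
        $findings.Add("Private key is not held by a legacy Microsoft CSP (looks like a CNG/KSP key); re-issue with a CSP provider, e.g. -KeySpec KeyExchange.")
    }

    # 3. CRL Distribution Points extension (OID 2.5.29.31) must advertise an HTTP URL.
    #    Format($true) renders the extension as text with "URL=..." entries.
    $crlExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } | Select-Object -First 1
    $crlUrls = @()
    if ($crlExt) {
        $crlUrls = @([regex]::Matches($crlExt.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value })
    }
    $httpCrl = @($crlUrls | Where-Object { $_ -like 'http://*' })
    $selfSigned = ($cert.Subject -eq $cert.Issuer)

    if ($Production) {
        if ($selfSigned) {
            $findings.Add("Certificate is self-signed; production requires an internal or public CA.")
        }
        if ($httpCrl.Count -eq 0) {
            $findings.Add("No HTTP CRL distribution point found (found: $($crlUrls -join ', ')).")
        }
    }

    # 4. Validity window: an expired credential only fails later, at sign-in time.
    if ($cert.NotAfter -lt (Get-Date)) {
        $findings.Add("Certificate expired on $($cert.NotAfter).")
    }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        SelfSigned = $selfSigned
        LegacyCsp  = $legacyCsp
        Provider   = $provider
        CrlUrls    = $crlUrls
        Findings   = $findings.ToArray()
        Acceptable = ($findings.Count -eq 0)
    }
}

# Usage: a self-signed test certificate created with -KeySpec KeyExchange, as in the
# article's scripts, passes without -Production; with -Production it is flagged as
# self-signed and as lacking an HTTP CRL.
Test-SpCertificate -CertificateLocation "<YourCertificateLocation>"
Test-SpCertificate -CertificateLocation "<YourCertificateLocation>" -Production
```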

Once you have a certificate, use the PowerShell script below to register your app and create a service principal. You also use the service principal to sign in to Azure. Substitute your own values for the following placeholders:

  • <PepVM>: the name of the privileged endpoint VM on your Azure Stack instance (example: "AzS-ERCS01").
  • <YourCertificateLocation>: the location of your X509 certificate in the local certificate store (example: "Cert:\CurrentUser\My\AB5A8A3533CC7AA2025BF05120117E06DE407B34").
  • <YourAppName>: a descriptive name for the new app registration (example: "My management tool").

  1. Open an elevated Windows PowerShell session, and run the following script:

     # Sign in to PowerShell interactively, using credentials that have access to the VM running the Privileged Endpoint (typically <domain>\cloudadmin)
     $Creds = Get-Credential
    
     # Create a PSSession to the Privileged Endpoint VM
     $Session = New-PSSession -ComputerName "<PepVM>" -ConfigurationName PrivilegedEndpoint -Credential $Creds
    
     # Use the Get-Item cmdlet to retrieve your certificate.
     # If you don't want to use a managed certificate, you can produce a self signed cert for testing purposes: 
     # $Cert = New-SelfSignedCertificate -CertStoreLocation "cert:\CurrentUser\My" -Subject "CN=<YourAppName>" -KeySpec KeyExchange
     $Cert = Get-Item "<YourCertificateLocation>"
    
     # Use the privileged endpoint to create the new app registration (and service principal object)
     $SpObject = Invoke-Command -Session $Session -ScriptBlock {New-GraphApplication -Name "<YourAppName>" -ClientCertificates $using:cert}
     $AzureStackInfo = Invoke-Command -Session $Session -ScriptBlock {Get-AzureStackStampInformation}
     $Session | Remove-PSSession
    
     # Using the stamp info for your Azure Stack instance, populate the following variables:
     # - AzureRM endpoint used for Azure Resource Manager operations 
     # - Audience for acquiring an OAuth token used to access Graph API 
     # - GUID of the directory tenant
     $ArmEndpoint = $AzureStackInfo.TenantExternalEndpoints.TenantResourceManager
     $GraphAudience = "https://graph." + $AzureStackInfo.ExternalDomainFQDN + "/"
     $TenantID = $AzureStackInfo.AADTenantID
    
     # Register and set an AzureRM environment that targets your Azure Stack instance
     Add-AzureRMEnvironment -Name "AzureStackUser" -ArmEndpoint $ArmEndpoint
     Set-AzureRmEnvironment -Name "AzureStackUser" -GraphAudience $GraphAudience -EnableAdfsAuthentication:$true
    
     # Sign in using the new service principal identity
     $SpSignin = Connect-AzureRmAccount -Environment "AzureStackUser" `
     -ServicePrincipal `
     -CertificateThumbprint $SpObject.Thumbprint `
     -ApplicationId $SpObject.ClientId `
     -TenantId $TenantID
    
     # Output the service principal details
     $SpObject
    
    
  2. After the script finishes, it displays the app registration info, including the service principal's credentials. As demonstrated, the ClientId and Thumbprint are used to sign in under the service principal's identity. Upon successful sign-in, the service principal identity is used for subsequent authorization and access to resources managed by Azure Resource Manager.

    ApplicationIdentifier : S-1-5-21-1512385356-3796245103-1243299919-1356
    ClientId              : 3c87e710-9f91-420b-b009-31fa9e430145
    Thumbprint            : 30202C11BE6864437B64CE36C8D988442082A0F1
    ApplicationName       : Azurestack-MyApp-c30febe7-1311-4fd8-9077-3d869db28342
    ClientSecret          :
    PSComputerName        : azs-ercs01
    RunspaceId            : a78c76bb-8cae-4db4-a45a-c1420613e01b
    

Keep your PowerShell console session open, as you use it with the ApplicationIdentifier value in the next section.

Update a service principal's certificate credential

Now that you have created a service principal, this section shows you how to:

  1. Create a new self-signed X509 certificate for testing.
  2. Update the service principal's credentials, by updating its Thumbprint property to match the new certificate.

Update the certificate credential using PowerShell, substituting your own values for the following placeholders:

  • <PepVM>: the name of the privileged endpoint VM on your Azure Stack instance (example: "AzS-ERCS01").
  • <YourAppName>: a descriptive name for the new app registration (example: "My management tool").
  • <YourCertificateLocation>: the location of your X509 certificate in the local certificate store (example: "Cert:\CurrentUser\My\AB5A8A3533CC7AA2025BF05120117E06DE407B34").
  • <AppIdentifier>: the identifier assigned to the application registration (example: "S-1-5-21-1512385356-3796245103-1243299919-1356").

  1. Using your elevated Windows PowerShell session, run the following cmdlets:

    # Create a PSSession to the PrivilegedEndpoint VM
    $Session = New-PSSession -ComputerName "<PepVM>" -ConfigurationName PrivilegedEndpoint -Credential $Creds
    
    # Create a self-signed certificate for testing purposes. 
    $NewCert = New-SelfSignedCertificate -CertStoreLocation "cert:\CurrentUser\My" -Subject "CN=<YourAppName>" -KeySpec KeyExchange
    # In production, use Get-Item and a managed certificate instead.
    # $Cert = Get-Item "<YourCertificateLocation>"
    
    # Use the privileged endpoint to update the certificate thumbprint, used by the service principal associated with <AppIdentifier>
    $SpObject = Invoke-Command -Session $Session -ScriptBlock {Set-GraphApplication -ApplicationIdentifier "<AppIdentifier>" -ClientCertificates $using:NewCert}
    $Session | Remove-PSSession
    
    # Output the updated service principal details
    $SpObject
    
  2. After the script finishes, it displays the updated app registration info, including the thumbprint value for the new self-signed certificate.

    ApplicationIdentifier : S-1-5-21-1512385356-3796245103-1243299919-1356
    ClientId              : 
    Thumbprint            : AF22EE716909041055A01FE6C6F5C5CDE78948E9
    ApplicationName       : Azurestack-MyApp-c30febe7-1311-4fd8-9077-3d869db28342
    ClientSecret          : 
    PSComputerName        : azs-ercs01
    RunspaceId            : a580f894-8f9b-40ee-aa10-77d4d142b4e5
    

Create a service principal that uses client secret credentials

Important

Using a client secret is less secure than using an X509 certificate credential. Not only is the authentication mechanism less secure, but it also typically requires embedding the secret in the client app's source code. As such, for production apps, you're strongly encouraged to use a certificate credential.

Now you create another app registration, but this time specify a client secret credential. Unlike a certificate credential, the directory has the ability to generate a client secret credential. Instead of specifying the client secret, you use the -GenerateClientSecret switch to request that it be generated. Substitute your own values for the following placeholders:

  • <PepVM>: the name of the privileged endpoint VM on your Azure Stack instance (example: "AzS-ERCS01").
  • <YourAppName>: a descriptive name for the new app registration (example: "My management tool").

  1. Open an elevated Windows PowerShell session, and run the following cmdlets:

    # Sign in to PowerShell interactively, using credentials that have access to the VM running the Privileged Endpoint (typically <domain>\cloudadmin)
    $Creds = Get-Credential
    
    # Create a PSSession to the Privileged Endpoint VM
    $Session = New-PSSession -ComputerName "<PepVM>" -ConfigurationName PrivilegedEndpoint -Credential $Creds
    
    # Use the privileged endpoint to create the new app registration (and service principal object)
    $SpObject = Invoke-Command -Session $Session -ScriptBlock {New-GraphApplication -Name "<YourAppName>" -GenerateClientSecret}
    $AzureStackInfo = Invoke-Command -Session $Session -ScriptBlock {Get-AzureStackStampInformation}
    $Session | Remove-PSSession
    
    # Using the stamp info for your Azure Stack instance, populate the following variables:
    # - AzureRM endpoint used for Azure Resource Manager operations 
    # - Audience for acquiring an OAuth token used to access Graph API 
    # - GUID of the directory tenant
    $ArmEndpoint = $AzureStackInfo.TenantExternalEndpoints.TenantResourceManager
    $GraphAudience = "https://graph." + $AzureStackInfo.ExternalDomainFQDN + "/"
    $TenantID = $AzureStackInfo.AADTenantID
    
    # Register and set an AzureRM environment that targets your Azure Stack instance
    Add-AzureRMEnvironment -Name "AzureStackUser" -ArmEndpoint $ArmEndpoint
    Set-AzureRmEnvironment -Name "AzureStackUser" -GraphAudience $GraphAudience -EnableAdfsAuthentication:$true
    
    # Sign in using the new service principal identity
    $securePassword = $SpObject.ClientSecret | ConvertTo-SecureString -AsPlainText -Force
    $credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $SpObject.ClientId, $securePassword
    $SpSignin = Connect-AzureRmAccount -Environment "AzureStackUser" -ServicePrincipal -Credential $credential -TenantId $TenantID
    
    # Output the service principal details
    $SpObject
    
  2. After the script finishes, it displays the app registration info, including the service principal's credentials. As demonstrated, the ClientId and the generated ClientSecret are used to sign in under the service principal's identity. Upon successful sign-in, the service principal identity is used for subsequent authorization and access to resources managed by Azure Resource Manager.

    ApplicationIdentifier : S-1-5-21-1634563105-1224503876-2692824315-2623
    ClientId              : 8e0ffd12-26c8-4178-a74b-f26bd28db601
    Thumbprint            : 
    ApplicationName       : Azurestack-YourApp-6967581b-497e-4f5a-87b5-0c8d01a9f146
    ClientSecret          : 6RUWLRoBw3EebBLgaWGiowCkoko5_j_ujIPjA8dS
    PSComputerName        : azs-ercs01
    RunspaceId            : 286daaa1-c9a6-4176-a1a8-03f543f90998
    

Keep your PowerShell console session open, as you use it with the ApplicationIdentifier value in the next section.

Update a service principal's client secret

Update the client secret credential using PowerShell with the -ResetClientSecret switch, which immediately changes the client secret. Substitute your own values for the following placeholders:

  • <PepVM>: the name of the privileged endpoint VM on your Azure Stack instance (example: "AzS-ERCS01").
  • <AppIdentifier>: the identifier assigned to the application registration (example: "S-1-5-21-1634563105-1224503876-2692824315-2623").

  1. Using your elevated Windows PowerShell session, run the following cmdlets:

    # Create a PSSession to the PrivilegedEndpoint VM
    $Session = New-PSSession -ComputerName "<PepVM>" -ConfigurationName PrivilegedEndpoint -Credential $Creds
    
    # Use the privileged endpoint to update the client secret, used by the service principal associated with <AppIdentifier>
    $SpObject = Invoke-Command -Session $Session -ScriptBlock {Set-GraphApplication -ApplicationIdentifier "<AppIdentifier>" -ResetClientSecret}
    $Session | Remove-PSSession
    
    # Output the updated service principal details
    $SpObject
    
  2. After the script finishes, it displays the updated app registration info, including the newly generated client secret.

    ApplicationIdentifier : S-1-5-21-1634563105-1224503876-2692824315-2623
    ClientId              : 8e0ffd12-26c8-4178-a74b-f26bd28db601
    Thumbprint            : 
    ApplicationName       : Azurestack-YourApp-6967581b-497e-4f5a-87b5-0c8d01a9f146
    ClientSecret          : MKUNzeL6PwmlhWdHB59c25WDDZlJ1A6IWzwgv_Kn
    PSComputerName        : azs-ercs01
    RunspaceId            : 6ed9f903-f1be-44e3-9fef-e7e0e3f48564
    

Remove a service principal

Now you'll see how to remove an app registration, and its associated service principal object, from your directory using PowerShell.

Substitute your own values for the following placeholders:

  • <PepVM>: the name of the privileged endpoint VM on your Azure Stack instance (example: "AzS-ERCS01").
  • <AppIdentifier>: the identifier assigned to the application registration (example: "S-1-5-21-1634563105-1224503876-2692824315-2623").

# Sign in to PowerShell interactively, using credentials that have access to the VM running the Privileged Endpoint (typically <domain>\cloudadmin)
$Creds = Get-Credential

# Create a PSSession to the PrivilegedEndpoint VM
$Session = New-PSSession -ComputerName "<PepVM>" -ConfigurationName PrivilegedEndpoint -Credential $Creds

# OPTIONAL: Use the privileged endpoint to get a list of applications registered in AD FS
$AppList = Invoke-Command -Session $Session -ScriptBlock {Get-GraphApplication}

# Use the privileged endpoint to remove the application and associated service principal object for <AppIdentifier>
Invoke-Command -Session $Session -ScriptBlock {Remove-GraphApplication -ApplicationIdentifier "<AppIdentifier>"}

Calling the Remove-GraphApplication cmdlet on the privileged endpoint returns no output, but you'll see verbose confirmation output written to the console while the cmdlet executes:

VERBOSE: Deleting graph application with identifier S-1-5-21-1634563105-1224503876-2692824315-2623.
VERBOSE: Remove-GraphApplication : BEGIN on AZS-ADFS01 on ADFSGraphEndpoint
VERBOSE: Application with identifier S-1-5-21-1634563105-1224503876-2692824315-2623 was deleted.
VERBOSE: Remove-GraphApplication : END on AZS-ADFS01 under ADFSGraphEndpoint configuration

Assign a role

Access to Azure resources by users and apps is authorized through Role-Based Access Control (RBAC). To allow an app to access resources in your subscription using its service principal, you must assign the service principal to a role for a specific resource. First decide which role represents the right permissions for the app. To learn about the available roles, see Built-in roles for Azure resources.

The type of resource you choose also establishes the access scope for the service principal. You can set the access scope at the subscription, resource group, or resource level. Permissions are inherited by lower levels of scope. For example, adding an app to the "Reader" role for a resource group means it can read the resource group and any resources it contains.

  1. Sign in to the appropriate portal, based on the directory you specified during Azure Stack installation (for example, the Azure portal for Azure AD, or the Azure Stack user portal for AD FS). In this example, we show a user signed in to the Azure Stack user portal.

    Note

    To add role assignments for a given resource, your user account must belong to a role that declares the Microsoft.Authorization/roleAssignments/write permission, for example either the Owner or the User Access Administrator built-in role.

  2. Navigate to the resource you wish to allow the service principal to access. In this example, assign the service principal to a role at the subscription scope, by selecting Subscriptions, then a specific subscription. You could instead select a resource group, or a specific resource like a virtual machine.

    (Screenshot: selecting the subscription to assign)

  3. Select the Access Control (IAM) page, which is universal across all resources that support RBAC.

  4. Select + Add.

  5. Under Role, pick the role you wish to assign to the app.

  6. Under Select, search for your app using a full or partial Application Name. During registration, the Application Name is generated as Azurestack-<YourAppName>-<ClientId>. For example, if you used an application name of App2, and ClientId 2bbe67d8-3fdb-4b62-87cf-cc41dd4344ff was assigned during creation, the full name would be Azurestack-App2-2bbe67d8-3fdb-4b62-87cf-cc41dd4344ff. You can search for either the exact string, or a portion, like Azurestack or Azurestack-App2.

  7. Once you find the app, select it and it will show under Selected members.

  8. Select Save to finish assigning the role.

    (Screenshot: Assign role)

  9. When finished, the app will show in the list of principals assigned for the current scope, for the given role.

    (Screenshot: Assigned role)

Now that you've created a service principal and assigned a role, you can begin using this service principal within your app to access Azure Stack resources.
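The same assignment done from PowerShell rather than the portal, added here as an example that is not part of the original article: it grants the service principal created earlier the Reader role at resource group scope and then verifies that this is the only assignment the principal holds. It assumes the AzureRM modules and the "AzureStackUser" environment registered by the earlier scripts, $SpObject and $TenantID from those scripts, an operator sign-in that holds Microsoft.Authorization/roleAssignments/write at the chosen scope, and that New-AzureRmRoleAssignment can resolve the principal by its ClientId through -ServicePrincipalName; <ResourceGroupName> is a placeholder.

```powershell
# Added example (not from the original article). Assign a least-privilege role to the
# service principal from PowerShell and verify that nothing broader is held.

# Sign in as an operator (not as the service principal) to the Azure Stack environment.
Connect-AzureRmAccount -Environment "AzureStackUser" -TenantId $TenantID | Out-Null

# Decide the scope first: a resource group keeps the grant away from the whole subscription,
# and permissions flow down to the resources inside it.
$subscriptionId = (Get-AzureRmContext).Subscription.Id
$scope = "/subscriptions/$subscriptionId/resourceGroups/<ResourceGroupName>"

# An inventory-style app only needs to read, so Reader is the least-privilege choice here.
# -ServicePrincipalName takes the app's ClientId (assumption: resolvable in this directory).
$assignment = New-AzureRmRoleAssignment `
    -ServicePrincipalName $SpObject.ClientId `
    -RoleDefinitionName "Reader" `
    -Scope $scope

# Verify: list every assignment the principal holds, including ones inherited from a
# broader scope, and warn if anything other than the intended role/scope shows up
# (for example a leftover Contributor assignment at subscription level).
$held = @(Get-AzureRmRoleAssignment -ServicePrincipalName $SpObject.ClientId)
$unexpected = @($held | Where-Object {
    $_.RoleDefinitionName -ne "Reader" -or $_.Scope -ne $scope
})

if ($unexpected.Count -gt 0) {
    Write-Warning "Service principal $($SpObject.ClientId) holds assignments beyond the intended grant:"
    $unexpected | Format-Table RoleDefinitionName, Scope -AutoSize
} else {
    Write-Output "Reader at $scope is the only assignment held by $($SpObject.ClientId)."
}
```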

Next steps

Add users for AD FS
Manage user permissions
Azure Active Directory Documentation
Active Directory Federation Services