Configure multi-tenancy in Azure Stack

Applies to: Azure Stack integrated systems and Azure Stack Development Kit

You can configure Azure Stack to support users from multiple Azure Active Directory (Azure AD) tenants, allowing them to use services in Azure Stack. For example, consider the following scenario:

  • You're the service administrator of contoso.partner.onmschina.cn, where Azure Stack is installed.
  • Mary is the directory administrator of fabrikam.partner.onmschina.cn, where guest users are located.
  • Mary's company receives IaaS and PaaS services from your company and needs to allow users from the guest directory (fabrikam.partner.onmschina.cn) to sign in and use Azure Stack resources in contoso.partner.onmschina.cn.

This guide provides the steps required, in the context of this scenario, to configure multi-tenancy in Azure Stack. In this scenario, you and Mary must complete steps to enable users from Fabrikam to sign in and consume services from the Azure Stack deployment in Contoso.

Enable multi-tenancy

There are a few prerequisites to account for before you configure multi-tenancy in Azure Stack:

  • You and Mary must coordinate administrative steps across both the directory Azure Stack is installed in (Contoso) and the guest directory (Fabrikam).

  • Make sure you've installed and configured PowerShell for Azure Stack.

  • Download the Azure Stack Tools, and import the Connect and Identity modules:

    Import-Module .\Connect\AzureStack.Connect.psm1
    Import-Module .\Identity\AzureStack.Identity.psm1
    

Configure Azure Stack directory

In this section, you configure Azure Stack to allow sign-ins from the Fabrikam Azure AD directory tenant.

Onboard the guest directory tenant (Fabrikam) to Azure Stack by configuring Azure Resource Manager to accept users and service principals from the guest directory tenant.

The service admin of contoso.partner.onmschina.cn runs the following commands:

## The following Azure Resource Manager endpoint is for the ASDK. If you're in a multinode environment, contact your operator or service provider to get the endpoint.
$adminARMEndpoint = "https://adminmanagement.local.azurestack.external"

## Replace the value below with the Azure Stack directory
$azureStackDirectoryTenant = "contoso.partner.onmschina.cn"

## Replace the value below with the guest tenant directory. 
$guestDirectoryTenantToBeOnboarded = "fabrikam.partner.onmschina.cn"

## Replace the value below with the name of the resource group in which the directory tenant registration resource should be created (resource group must already exist).
$ResourceGroupName = "system.local"

## Replace the value below with the region location of the resource group.
$location = "local"

# Subscription Name
$SubscriptionName = "Default Provider Subscription"

Register-AzSGuestDirectoryTenant -AdminResourceManagerEndpoint $adminARMEndpoint `
 -DirectoryTenantName $azureStackDirectoryTenant `
 -GuestDirectoryTenantName $guestDirectoryTenantToBeOnboarded `
 -Location $location `
 -ResourceGroupName $ResourceGroupName `
 -SubscriptionName $SubscriptionName
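An added example, not from the original article or the Azure Stack Tools: it wraps the operator step above with pre-flight checks (https-only endpoint, guest and home directory differ, resource group exists) and then emits the sign-in hand-off for the guest admin, using the URL forms described later under Direct users to sign in. Register-AzSGuestDirectoryTenant is the page's cmdlet and Get-AzureRmResourceGroup is the AzureRM cmdlet; the function name, the checks and the assumption that the session is already signed in to the admin environment are this example's own.

```powershell
function Register-GuestTenantWithChecks {
    param(
        [Parameter(Mandatory)] [string] $AdminArmEndpoint,
        [Parameter(Mandatory)] [string] $AzureStackDirectoryTenant,
        [Parameter(Mandatory)] [string] $GuestDirectoryTenant,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $Location,
        [string] $SubscriptionName = "Default Provider Subscription",
        [string] $PortalEndpoint = "https://portal.local.azurestack.external"
    )
    $ErrorActionPreference = 'Stop'
    # Only talk to the admin Resource Manager over TLS; a plain-http endpoint
    # would send the operator's bearer token in the clear.
    if ($AdminArmEndpoint -notmatch '^https://') {
        throw "Admin Resource Manager endpoint must use https: $AdminArmEndpoint"
    }
    # Onboarding the home directory as its own guest is a configuration mistake.
    if ($AzureStackDirectoryTenant -eq $GuestDirectoryTenant) {
        throw "Guest directory must differ from the Azure Stack directory."
    }
    # The registration resource goes into an existing resource group; check it
    # here so the failure is explicit. Assumes (example assumption) the session
    # is already signed in to the admin environment with $SubscriptionName selected.
    $rg = Get-AzureRmResourceGroup -Name $ResourceGroupName -ErrorAction SilentlyContinue
    if (-not $rg) {
        throw "Resource group '$ResourceGroupName' not found in '$SubscriptionName'."
    }
    Register-AzSGuestDirectoryTenant -AdminResourceManagerEndpoint $AdminArmEndpoint `
        -DirectoryTenantName $AzureStackDirectoryTenant `
        -GuestDirectoryTenantName $GuestDirectoryTenant `
        -Location $Location `
        -ResourceGroupName $ResourceGroupName `
        -SubscriptionName $SubscriptionName
    # Hand-off for the guest directory admin: native guest users sign in at the
    # portal root; foreign principals in the guest directory must use the
    # tenant-specific URL or they get the "admin hasn't consented" error.
    [pscustomobject]@{
        GuestDirectory      = $GuestDirectoryTenant
        NativeUserSignInUrl = $PortalEndpoint
        ForeignPrincipalUrl = "$PortalEndpoint/$GuestDirectoryTenant"
        GuestAdminNextStep  = "Run Register-AzSWithMyDirectoryTenant in $GuestDirectoryTenant"
    }
}
# ASDK values from the article; replace the endpoint in a multinode environment.
Register-GuestTenantWithChecks -AdminArmEndpoint "https://adminmanagement.local.azurestack.external" `
    -AzureStackDirectoryTenant "contoso.partner.onmschina.cn" `
    -GuestDirectoryTenant "fabrikam.partner.onmschina.cn" `
    -ResourceGroupName "system.local" -Location "local"
```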

Configure guest directory

Once the Azure Stack operator has enabled the Fabrikam directory to be used with Azure Stack, Mary must register Azure Stack with Fabrikam's directory tenant.

Registering Azure Stack with the guest directory

Mary (directory admin of Fabrikam) runs the following commands in the guest directory fabrikam.partner.onmschina.cn.

## The following Azure Resource Manager endpoint is for the ASDK. If you're in a multinode environment, contact your operator or service provider to get the endpoint.
$tenantARMEndpoint = "https://management.local.azurestack.external"
    
## Replace the value below with the guest tenant directory.
$guestDirectoryTenantName = "fabrikam.partner.onmschina.cn"

Register-AzSWithMyDirectoryTenant `
 -TenantResourceManagerEndpoint $tenantARMEndpoint `
 -DirectoryTenantName $guestDirectoryTenantName `
 -Verbose

Important

If your Azure Stack admin installs new services or updates in the future, you may need to run this script again.

Run this script again at any time to check the status of the Azure Stack apps in your directory.

If you've noticed issues with creating VMs in Managed Disks (introduced in the 1808 update), a new Disk Resource Provider was added that requires this script to be run again.

Direct users to sign in

Now that you and Mary have completed the steps to onboard Mary's directory, Mary can direct Fabrikam users to sign in. Fabrikam users (users with the fabrikam.partner.onmschina.cn suffix) sign in by visiting https://portal.local.azurestack.external.

Mary directs any foreign principals in the Fabrikam directory (users in the Fabrikam directory without the fabrikam.partner.onmschina.cn suffix) to sign in using https://portal.local.azurestack.external/fabrikam.partner.onmschina.cn. If they don't use this URL, they're sent to their default directory (Fabrikam) and receive an error saying their admin hasn't consented.

Disable multi-tenancy

If you no longer want multiple tenants in Azure Stack, you can disable multi-tenancy by doing the following steps in order:

  1. As the admin of the guest directory (Mary in this scenario), run Unregister-AzsWithMyDirectoryTenant. The cmdlet uninstalls all the Azure Stack apps from the guest directory.

    ## The following Azure Resource Manager endpoint is for the ASDK. If you're in a multinode environment, contact your operator or service provider to get the endpoint.
    $tenantARMEndpoint = "https://management.local.azurestack.external"
    
    ## Replace the value below with the guest tenant directory.
    $guestDirectoryTenantName = "fabrikam.partner.onmschina.cn"
    
    Unregister-AzsWithMyDirectoryTenant `
     -TenantResourceManagerEndpoint $tenantARMEndpoint `
     -DirectoryTenantName $guestDirectoryTenantName `
     -Verbose
    
  2. As the service admin of Azure Stack (you in this scenario), run Unregister-AzSGuestDirectoryTenant.

    ## The following Azure Resource Manager endpoint is for the ASDK. If you're in a multinode environment, contact your operator or service provider to get the endpoint.
    $adminARMEndpoint = "https://adminmanagement.local.azurestack.external"
    
    ## Replace the value below with the Azure Stack directory
    $azureStackDirectoryTenant = "contoso.partner.onmschina.cn"
    
    ## Replace the value below with the guest tenant directory. 
    $guestDirectoryTenantToBeDecommissioned = "fabrikam.partner.onmschina.cn"
    
    ## Replace the value below with the name of the resource group in which the directory tenant registration resource was created during onboarding.
    $ResourceGroupName = "system.local"
    
    Unregister-AzSGuestDirectoryTenant -AdminResourceManagerEndpoint $adminARMEndpoint `
     -DirectoryTenantName $azureStackDirectoryTenant `
     -GuestDirectoryTenantName $guestDirectoryTenantToBeDecommissioned `
     -ResourceGroupName $ResourceGroupName
    

    Warning

    The disable multi-tenancy steps must be performed in order. Step #1 fails if step #2 is completed first.

Next steps