向应用添加参与者Add contributors to your app

应用所有者可以向应用添加参与者。An app owner can add contributors to apps. 这些参与者可以修改模型,训练并发布应用。These contributors can modify the model, train, and publish the app. 迁移帐户以后,可以在 Azure 门户中通过“访问控制(IAM)”页管理该创作资源的参与者。Once you have migrated your account, contributors are managed in the Azure portal for the authoring resource, using the Access control (IAM) page. 使用协作者的电子邮件地址和“参与者”角色添加用户。Add a user, using the collaborator's email address and the contributor role.

向 Azure 创作资源添加参与者Add contributor to Azure authoring resource

如果你的 LUIS 创作体验已绑定到 LUIS 门户中“管理 -> Azure 资源”页上的某个创作资源,则表明你已完成迁移。You have migrated if your LUIS authoring experience is tied to an Authoring resource on the Manage -> Azure resources page in the LUIS portal.

  1. 在 Azure 门户中,找到语言理解 (LUIS) 创作资源。In the Azure portal, find the Language Understanding (LUIS) authoring resource. 它的类型为 LUIS.AuthoringIt has the type LUIS.Authoring.

  2. 在该资源的“访问控制(标识和访问管理)”页上选择“+ 添加”,然后选择“添加角色分配”。On this resource's Access Control (IAM) page, select +Add then select Add role assignment.

    在 Azure 门户中,在创作资源上添加角色分配。

  3. 在“添加角色分配”窗口中,选择“参与者”作为“角色”。In the Add role assignment window, select the Role of Contributor. 在“分配访问权限至”选项中,选择“Azure AD 用户、组或服务主体”。In the Assign access to option, select Azure AD user, group, or service principal. 在“选择”选项中,输入用户的电子邮件地址。In the Select option, enter the user's email address. 如果已知用户有同一个域的多个电子邮件地址,请确保输入主电子邮件帐户。If the user is known by more than 1 email address for the same domain, make sure the enter the primary email account.

    将用户的电子邮件添加到 Azure AD 的参与者角色

    找到用户的电子邮件以后,请选择该帐户,然后选择“保存”。When the user's email is found, select the account and select Save.

    如果无法进行此角色分配,请查看分配 Azure 角色Azure 访问控制故障排除If you have trouble with this role assignment, review Assign Azure roles and Azure access control troubleshooting.

以参与者身份查看应用View the app as a contributor

被添加为参与者后,请登录到 LUIS 门户After you have been added as a contributor, sign in to the LUIS portal.

如果没有看到你创建的应用或与你共享的应用,则可能需要切换到其他 Azure 目录。If you don't see an app that was created by you or shared with you, you may need to switch to a different Azure directory.

  1. 单击屏幕右上角的头像。Click the avatar in the top right corner of the screen. 然后单击“切换到其他 Azure 目录”。Then click Switch to a different Azure directory.

  2. 在出现的窗口中,确保选择包含与你共享的 LUIS 资源的 Azure 目录。In the window that appears, be sure to select the Azure directory that contains the LUIS resource that was shared with you.

    切换到另一个 Azure 目录

有多个电子邮件的用户Users with multiple emails

如果将参与者添加到 LUIS 应用,则需指定确切的电子邮件地址。If you add contributors to a LUIS app, you are specifying the exact email address. 虽然 Azure Active Directory (Azure AD) 允许单个用户交替使用多个电子邮件帐户,但 LUIS 要求用户使用在添加参与者时指定的电子邮件地址登录。While Azure Active Directory (Azure AD) allows a single user to have more than one email account used interchangeably, LUIS requires the user to sign in with the email address specified when adding the contributor.

Azure Active Directory 资源Azure Active Directory resources

如果你在组织中使用了 Azure Active Directory (Azure AD),则在用户希望使用语言理解 (LUIS) 时,LUIS 需要有权访问用户的访问权限相关信息。If you use Azure Active Directory (Azure AD) in your organization, Language Understanding (LUIS) needs permission to the information about your users' access when they want to use LUIS. LUIS 需要的资源是最少的。The resources that LUIS requires are minimal.

尝试使用已获得管理员同意或不需要管理员同意的帐户进行登录时,你将看到详细说明,例如管理员同意:You see the detailed description when you attempt to sign up with an account that has admin consent or does not require admin consent, such as administrator consent:

  • 允许你使用组织帐户登录到应用并让应用读取你的配置文件。Allows you to sign in to the app with your organizational account and let the app read your profile. 它还允许应用读取基本的公司信息。It also allows the app to read basic company information. 这将授权 LUIS 读取基本的配置文件数据,例如用户 ID、电子邮件、姓名This gives LUIS permission to read basic profile data, such as user ID, email, name
  • 允许应用查看和更新你的数据,即使你当前未使用应用。Allows the app to see and update your data, even when you are not currently using the app. 此权限是刷新用户的访问令牌时所必需的。The permission is required to refresh the access token of the user.

Azure Active Directory 租户用户Azure Active Directory tenant user

LUIS 使用标准的 Azure Active Directory (Azure AD) 许可流程。LUIS uses standard Azure Active Directory (Azure AD) consent flow.

租户管理员直接处理需要访问权限才能在 Azure AD 中使用 LUIS 的用户。The tenant admin should work directly with the user who needs access granted to use LUIS in the Azure AD.

  • 用户首先要登录 LUIS,此时看到需要管理员批准的弹出对话框。First, the user signs into LUIS, and sees the pop-up dialog needing admin approval. 继续操作之前,用户需联系租户管理员。The user contacts the tenant admin before continuing.
  • 然后,租户管理员登录 LUIS,并看到一个“同意流”弹出对话框。Second, the tenant admin signs into LUIS, and sees a consent flow pop-up dialog. 管理员需在此对话框中向用户授予权限。This is the dialog the admin needs to give permission for the user. 管理员接受权限后,用户才能够继续使用 LUIS。Once the admin accepts the permission, the user is able to continue with LUIS. 如果租户管理员不登录 LUIS,还可访问 LUIS 的同意部分。If the tenant admin will not sign in to LUIS, the admin can access consent for LUIS. 在此页上,可以将列表筛选到包含名称 LUIS 的项。On this page you can filter the list to items that include the name LUIS.

如果租户管理员只希望某些用户使用 LUIS,则有几种可能的解决方案:If the tenant admin only wants certain users to use LUIS, there are a couple of possible solutions:

  • 给予“管理员同意”(同意 Azure AD 的所有用户),但随后在“企业应用程序属性”下将“需要进行用户分配”设置为“是”,最后仅将所需用户分配/添加到应用程序。Giving the "admin consent" (consent to all users of the Azure AD), but then set to "Yes" the "User assignment required" under Enterprise Application Properties, and finally assign/add only the wanted users to the Application. 使用此方法,管理员仍然向应用提供“管理员同意”,但是,可以控制可以访问应用的用户。With this method, the Administrator is still providing "admin consent" to the App, however, it's possible to control the users that can access it.
  • 另一种解决方法是使用 Microsoft Graph 中的 Azure AD 标识和访问管理 API 向每个特定用户提供许可。A second solution, is by using the Azure AD identity and access management API in Microsoft Graph to provide consent to each specific user.

详细了解 Azure Active Directory 用户和同意:Learn more about Azure active directory users and consent:

后续步骤Next steps