Prepare Azure Active Directory tenant for User VPN OpenVPN protocol connections

When connecting to your Virtual Hub over the IKEv2 protocol, you can use certificate-based authentication or RADIUS authentication. However, when you use the OpenVPN protocol, you can also use Azure Active Directory authentication. This article helps you set up an Azure AD tenant for Virtual WAN User VPN (point-to-site) using OpenVPN authentication.

Note

Azure AD authentication is supported only for OpenVPN® protocol connections.

1. Create the Azure AD tenant

Verify that you have an Azure AD tenant. If you don't have an Azure AD tenant, you can create one using the steps in the Create a new tenant article:

  • Organization name
  • Initial domain name

Example:

New Azure AD tenant

2. Create Azure AD tenant users

Next, create two user accounts in the newly created Azure AD tenant: one Global administrator account and one user account. The user account can be used to test OpenVPN authentication, and the Global administrator account will be used to grant consent to the Azure VPN app registration. After you have created an Azure AD user account, you assign a Directory Role to the user in order to delegate administrative permissions.

Use the steps in this article to create the two users for your Azure AD tenant. Be sure to change the Directory Role on one of the created accounts to Global administrator.

  1. Sign in to the Azure Portal as a user that is assigned the Global administrator role.

  2. Next, grant admin consent for your organization; this allows the Azure VPN application to sign in and read user profiles. Copy and paste the URL that pertains to your deployment location in the address bar of your browser:

    Public

    https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent

    Azure Government

    https://login-us.microsoftonline.com/common/oauth2/authorize?client_id=51bb15d4-3a4f-4ebf-9dca-40096fe32426&response_type=code&redirect_uri=https://portal.azure.us&nonce=1234&prompt=admin_consent

    Azure Cloud Germany

    https://login.microsoftonline.de/common/oauth2/authorize?client_id=538ee9e6-310a-468d-afef-ea97365856a9&response_type=code&redirect_uri=https://portal.microsoftazure.de&nonce=1234&prompt=admin_consent

    Azure China 21Vianet

    https://login.chinacloudapi.cn/common/oauth2/authorize?client_id=49f817b6-84ae-4cc0-928c-73f27289b3aa&response_type=code&redirect_uri=https://portal.azure.cn&nonce=1234&prompt=admin_consent

  3. Select the Global administrator account if prompted.


  4. Select Accept when prompted.

    Screenshot: dialog showing the "Permissions requested / Accept for your organization" message and related information.

  5. Under your Azure AD, in Enterprise applications, you should now see Azure VPN listed.

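Before granting tenant-wide consent, an administrator can verify that the URL about to be pasted really is the Azure VPN consent URL for the intended cloud. The following Python script is an added example, not part of this article or of the Azure VPN product; it checks a URL against the four login hosts, Azure VPN client IDs and portal hosts listed above, and the mismatching URL it prints at the end is constructed for the demonstration.

```python
from urllib.parse import parse_qs, urlsplit

# Per-cloud (login host, Azure VPN app client_id, portal host), taken from the
# four admin-consent URLs on this page.
CLOUDS = {
    "Public": ("login.microsoftonline.com",
               "41b23e61-6c1e-4545-b367-cd054e0ed4b4", "portal.azure.com"),
    "Azure Government": ("login-us.microsoftonline.com",
                         "51bb15d4-3a4f-4ebf-9dca-40096fe32426", "portal.azure.us"),
    "Azure Cloud Germany": ("login.microsoftonline.de",
                            "538ee9e6-310a-468d-afef-ea97365856a9", "portal.microsoftazure.de"),
    "Azure China 21Vianet": ("login.chinacloudapi.cn",
                             "49f817b6-84ae-4cc0-928c-73f27289b3aa", "portal.azure.cn"),
}


def check_consent_url(url: str) -> tuple:
    """Return (ok, detail): detail is the cloud name when ok, else the failed check."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.path != "/common/oauth2/authorize":
        return False, "unexpected scheme or path"
    cloud = next((c for c, (h, _, _) in CLOUDS.items() if h == parts.hostname), None)
    if cloud is None:
        return False, f"unknown login host: {parts.hostname}"
    _, app_id, portal_host = CLOUDS[cloud]
    params = parse_qs(parts.query)

    def one(key):
        # A parameter counts only if it appears exactly once; duplicates fail.
        values = params.get(key, [])
        return values[0] if len(values) == 1 else None

    if one("client_id") != app_id:
        return False, f"client_id is not the Azure VPN app for {cloud}"
    redirect = urlsplit(one("redirect_uri") or "")
    if redirect.scheme != "https" or redirect.hostname != portal_host:
        return False, f"redirect_uri does not point at {portal_host}"
    if one("response_type") != "code" or one("prompt") != "admin_consent":
        return False, "response_type/prompt are not code/admin_consent"
    return True, cloud


if __name__ == "__main__":
    # The first URL is the Public-cloud URL from this page; the second is a
    # constructed variant whose redirect_uri leaves the Azure portal host.
    good = ("https://login.microsoftonline.com/common/oauth2/authorize?"
            "client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code"
            "&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent")
    bad = good.replace("portal.azure.com", "portal.azure.com.example.invalid")
    print(check_consent_url(good))  # (True, 'Public')
    print(check_consent_url(bad))
```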

Next steps

In order to connect to your virtual networks using Azure AD authentication, you must create a User VPN configuration and associate it to a Virtual Hub. See Configure Azure AD authentication for Point-to-Site connection to Azure.