Create an Azure Active Directory tenant for P2S OpenVPN protocol connections

When connecting to your VNet, you can use certificate-based authentication or RADIUS authentication. However, when you use the OpenVPN protocol, you can also use Azure Active Directory authentication. This article helps you set up an Azure AD tenant for P2S OpenVPN authentication.

Note

Azure AD authentication is supported only for OpenVPN® protocol connections.

1. Create the Azure AD tenant

Create an Azure AD tenant using the steps in the Create a new tenant article. You supply:

  • Organizational name

  • Initial domain name

2. Create Azure AD tenant users

Next, create two user accounts: one Global Admin account and one master user account. The master user account is used as your master embedding account (service account). When you create an Azure AD tenant user account, you set the Directory role according to the type of user you are creating.

Use the steps in the referenced Azure AD article to create at least two users for your Azure AD tenant. Be sure to change the Directory Role so that you end up with one account of each type:

  • Global Admin
  • User

3. Enable Azure AD authentication on the VPN gateway

  1. Locate the Directory ID (tenant ID) of the directory that you want to use for authentication. It is listed in the Properties section of the Azure Active Directory page.

  2. Copy the Directory ID.

  3. Sign in to the Azure portal as a user that is assigned the Global administrator role.

  4. Next, give admin consent. Copy and paste the URL that pertains to your deployment location into the address bar of your browser. Admin consent authorizes the Azure VPN application for every user in the tenant, so use the URL for the cloud your tenant lives in and confirm that the client_id in the address bar matches the one listed for that cloud before you accept:

    Public

    https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent
    

    Azure Government

    https://login-us.microsoftonline.com/common/oauth2/authorize?client_id=51bb15d4-3a4f-4ebf-9dca-40096fe32426&response_type=code&redirect_uri=https://portal.azure.us&nonce=1234&prompt=admin_consent
    

    Microsoft Cloud Germany

    https://login-us.microsoftonline.de/common/oauth2/authorize?client_id=538ee9e6-310a-468d-afef-ea97365856a9&response_type=code&redirect_uri=https://portal.microsoftazure.de&nonce=1234&prompt=admin_consent
    

    Azure China 21Vianet

    https://login.chinacloudapi.cn/common/oauth2/authorize?client_id=49f817b6-84ae-4cc0-928c-73f27289b3aa&response_type=code&redirect_uri=https://portal.azure.cn&nonce=1234&prompt=admin_consent
    
  5. Select the Global Admin account if prompted.

  6. Select Accept when prompted.

  7. Under your Azure AD, in Enterprise applications, you see Azure VPN listed. If it is missing, the consent was granted in a different tenant or was declined; repeat step 4 while signed in to the intended tenant.

  8. Configure Azure AD authentication for User VPN and assign it to a Virtual Hub by following the steps in Configure Azure AD authentication for Point-to-Site connection to Azure.
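Because step 4 grants tenant-wide consent, it is worth generating and checking the URL rather than pasting it from a ticket. The following Python script is an added example, not part of the Microsoft article: it builds the admin-consent URL for a chosen cloud with an explicit tenant ID and a random nonce (the article uses the shared "common" endpoint and a fixed nonce of 1234), and it verifies a pasted URL against the Azure VPN application IDs, authority hosts and portal redirect URIs copied from the four URLs above. The cloud names, function names and the tenant-ID pinning are this example's own conventions.

```python
"""Build and verify the Azure VPN admin-consent URL for an Azure cloud.

Added example (not from the Microsoft article). The per-cloud values below
are copied from the four consent URLs in the article; everything else
(cloud labels, function names, tenant pinning) is this example's own.
"""
import secrets
import uuid
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# cloud label -> (authority origin, Azure VPN application/client ID, portal redirect URI)
CLOUDS = {
    "public": ("https://login.microsoftonline.com",
               "41b23e61-6c1e-4545-b367-cd054e0ed4b4", "https://portal.azure.com"),
    "usgov": ("https://login-us.microsoftonline.com",
              "51bb15d4-3a4f-4ebf-9dca-40096fe32426", "https://portal.azure.us"),
    "germany": ("https://login-us.microsoftonline.de",
                "538ee9e6-310a-468d-afef-ea97365856a9", "https://portal.microsoftazure.de"),
    "china": ("https://login.chinacloudapi.cn",
              "49f817b6-84ae-4cc0-928c-73f27289b3aa", "https://portal.azure.cn"),
}


def build_consent_url(cloud: str, tenant_id: Optional[str] = None,
                      nonce: Optional[str] = None) -> str:
    """Return the admin-consent URL for `cloud`.

    `tenant_id` is the Directory ID from step 1. Supplying it pins the
    request to that tenant; without it the article's "common" endpoint is
    used and the signed-in admin's home tenant receives the consent.
    The nonce is random per request instead of the article's fixed 1234.
    """
    authority, client_id, redirect_uri = CLOUDS[cloud]
    if tenant_id is not None:
        tenant_id = str(uuid.UUID(tenant_id))  # ValueError if not a GUID
    path = f"/{tenant_id or 'common'}/oauth2/authorize"
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "nonce": nonce or secrets.token_urlsafe(16),
        "prompt": "admin_consent",
    })
    scheme, host, _, _, _ = urlsplit(authority)
    return urlunsplit((scheme, host, path, query, ""))


def verify_consent_url(url: str) -> dict:
    """Check a pasted consent URL before an admin selects Accept.

    Returns {"cloud": <label or None>, "problems": [...]}. An empty
    problems list means the URL requests admin consent for the Azure VPN
    application of a known cloud and redirects back to that cloud's portal.
    """
    parts = urlsplit(url)
    params = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    origin = f"{parts.scheme}://{parts.netloc}"
    cloud = next((name for name, (auth, _, _) in CLOUDS.items() if auth == origin), None)
    if cloud is None:
        return {"cloud": None, "problems": [f"unknown authority host {origin}"]}

    _, client_id, redirect_uri = CLOUDS[cloud]
    problems = []
    if params.get("client_id", "").lower() != client_id:
        problems.append(f"client_id {params.get('client_id')!r} is not the Azure VPN app for {cloud}")
    if params.get("redirect_uri") != redirect_uri:
        problems.append(f"redirect_uri {params.get('redirect_uri')!r} is not the {cloud} portal")
    if params.get("prompt") != "admin_consent":
        problems.append("prompt is not admin_consent")
    if params.get("response_type") != "code":
        problems.append("response_type is not code")
    if not parts.path.endswith("/oauth2/authorize"):
        problems.append(f"unexpected path {parts.path}")
    return {"cloud": cloud, "problems": problems}


if __name__ == "__main__":
    # Constructed tenant ID for demonstration only.
    demo_tenant = "11111111-2222-3333-4444-555555555555"
    url = build_consent_url("public", demo_tenant)
    print(url)
    print(verify_consent_url(url))
```

Run the script to print a tenant-pinned URL for the public cloud and its verification result; paste any URL you were handed into `verify_consent_url` and refuse to consent unless `problems` is empty and `cloud` is the one you expected.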

Next steps

In order to connect to your virtual network, you must create and configure a VPN client profile and associate it with a Virtual Hub. See Configure Azure AD authentication for Point-to-Site connection to Azure.