Create an Azure Active Directory tenant for P2S OpenVPN protocol connections

When connecting to your VNet, you can use certificate-based authentication or RADIUS authentication. However, when you use the OpenVPN protocol, you can also use Azure Active Directory authentication. This article helps you set up an Azure AD tenant for P2S OpenVPN authentication.

Note

Azure AD authentication is supported only for OpenVPN® protocol connections and requires the Azure VPN Client, which is available only for Windows 10.

1. Verify Azure AD tenant

Verify that you have an Azure AD tenant. If you don't have an Azure AD tenant, you can create one using the steps in the Create a new tenant article; you will need to supply:

  • Organizational name
  • Initial domain name

Example:


2. Create Azure AD tenant users

Your Azure AD tenant needs the following accounts: a Global Admin account and a master user account. The master user account is used as your master embedding account (service account). When you create an Azure AD tenant user account, you adjust the Directory role for the type of user that you want to create.

Use the steps in this article to create at least two users for your Azure AD tenant. Be sure to change the Directory role to create the account types:

  • Global Admin
  • User

3. Enable Azure AD authentication on the VPN gateway

  1. Locate the Directory ID of the directory that you want to use for authentication. It is listed in the Properties section of the Active Directory page.


  2. Copy the Directory ID.

  3. Sign in to the Azure portal as a user that is assigned the Global administrator role.

  4. Next, give admin consent. Copy and paste the URL that pertains to your deployment location into the address bar of your browser:

    Azure China 21Vianet

    https://login.chinacloudapi.cn/common/oauth2/authorize?client_id=49f817b6-84ae-4cc0-928c-73f27289b3aa&response_type=code&redirect_uri=https://portal.azure.cn&nonce=1234&prompt=admin_consent

  5. Select the Global Admin account if prompted.


  6. Select Accept when prompted.


  7. Under your Azure AD, in Enterprise applications, you see Azure VPN listed.


  8. If you don't already have a functioning point-to-site environment, follow the instructions to create one. See Create a point-to-site VPN to create and configure a point-to-site VPN gateway.

    Important

    The Basic SKU is not supported for OpenVPN.

  9. Enable Azure AD authentication on the VPN gateway by navigating to Point-to-site configuration and picking OpenVPN (SSL) as the Tunnel type. Select Azure Active Directory as the Authentication type, then fill in the information under the Azure Active Directory section.


    Note

    Make sure you include a trailing slash at the end of the AadIssuerUri value. Otherwise, the connection may fail.

  10. Create and download the profile by clicking the Download VPN client link.

  11. Extract the downloaded zip file.

  12. Browse to the unzipped "AzureVPN" folder.

  13. Make a note of the location of the "azurevpnconfig.xml" file. azurevpnconfig.xml contains the settings for the VPN connection and can be imported directly into the Azure VPN Client application. You can also distribute this file to all the users that need to connect, via e-mail or other means. The user will need valid Azure AD credentials to connect successfully.
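The same gateway change that step 9 makes in the portal can be scripted, which makes it easier to enforce the two caveats above (no Basic SKU, trailing slash on AadIssuerUri) before anything is applied. The following PowerShell is an added example, not code from the article or from Microsoft. It assumes the Az.Network module, an existing session opened with Connect-AzAccount against the Azure China cloud, and an existing gateway with a point-to-site address pool; the resource group, gateway name and tenant ID are placeholders. The audience ID is the client_id from the admin-consent URL in step 4; the login.chinacloudapi.cn and sts.chinacloudapi.cn endpoint forms are assumptions for Azure China 21Vianet and should be checked against the values the portal shows in the Azure Active Directory section.

```powershell
# Added example (not from the original article). Assumes Az.Network is installed,
# Connect-AzAccount -Environment AzureChinaCloud has already been run, and the
# gateway below exists with a point-to-site address pool configured.
$rg       = "MyResourceGroup"                         # placeholder
$gwName   = "MyVpnGateway"                            # placeholder
$tenantId = "00000000-0000-0000-0000-000000000000"    # placeholder: Directory ID from step 1

# Audience: the Azure VPN application ID that appears as client_id in the consent URL.
$aadAudience = "49f817b6-84ae-4cc0-928c-73f27289b3aa"

# Tenant and issuer URIs for Azure China 21Vianet (assumed endpoint forms; verify in the portal).
$aadTenant = "https://login.chinacloudapi.cn/$tenantId"
$aadIssuer = "https://sts.chinacloudapi.cn/$tenantId/"

function Assert-AadP2sValues {
    param(
        [string]$TenantId,
        [string]$IssuerUri
    )
    # The Directory ID must be a GUID; a pasted display name or a truncated copy is a common mistake.
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($TenantId, [ref]$guid)) {
        throw "TenantId '$TenantId' is not a GUID; copy the Directory ID from the Properties page."
    }
    # The article's note: AadIssuerUri must end with a trailing slash or the connection may fail.
    if (-not $IssuerUri.EndsWith("/")) {
        throw "AadIssuerUri must end with a trailing slash: $IssuerUri"
    }
}

Assert-AadP2sValues -TenantId $tenantId -IssuerUri $aadIssuer

$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $rg -Name $gwName

# The article's Important box: OpenVPN is not available on the Basic SKU, so refuse early.
if ($gw.Sku.Name -eq "Basic") {
    throw "Gateway '$gwName' uses the Basic SKU, which does not support OpenVPN."
}

# Switch the point-to-site tunnel to OpenVPN with Azure AD authentication (portal step 9).
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -VpnClientProtocol OpenVPN `
    -VpnAuthenticationType AAD `
    -AadTenantUri $aadTenant `
    -AadAudienceId $aadAudience `
    -AadIssuerUri $aadIssuer
```

After the command completes, the Download VPN client link in the portal (step 10) produces the azurevpnconfig.xml profile that embeds these same tenant, audience and issuer values, so any mismatch between what was applied here and what the client expects shows up as a failed sign-in rather than a silent misconfiguration.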

Next steps

In order to connect to your virtual network, you must create and configure a VPN client profile. See Configure a VPN client for P2S VPN connections.