Create an Azure Active Directory tenant for P2S OpenVPN protocol connections

When connecting to your VNet, you can use certificate-based authentication or RADIUS authentication. However, when you use the OpenVPN protocol, you can also use Azure Active Directory authentication. If you want different sets of users to be able to connect to different VPN gateways, you can register multiple apps in AD and link them to different VPN gateways. This article helps you set up an Azure AD tenant for P2S OpenVPN authentication and create and register multiple apps in Azure AD to allow different access for different users and groups.

Note

Azure AD authentication is supported only for OpenVPN® protocol connections.

1. Create the Azure AD tenant

Create an Azure AD tenant using the steps in the Create a new tenant article:

  • Organizational name

  • Initial domain name

2. Create tenant users

In this step, you create two Azure AD tenant users: one Global Admin account and one master user account. The master user account is used as your master embedding account (service account). When you create an Azure AD tenant user account, you adjust the Directory role for the type of user that you want to create. Use the steps in this article to create at least two users for your Azure AD tenant. Be sure to change the Directory role to create the account types:

  • Global Admin
  • User

3. Register the VPN client

Register the VPN client in the Azure AD tenant.

  1. Locate the Directory ID of the directory that you want to use for authentication. It is listed in the Properties section of the Active Directory page.

  2. Copy the Directory ID.

  3. Sign in to the Azure portal as a user that is assigned the Global administrator role.

  4. Next, give admin consent. Copy and paste the URL that pertains to your deployment location into the address bar of your browser:

    Public

    https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent

    Azure Government

    https://login-us.microsoftonline.com/common/oauth2/authorize?client_id=51bb15d4-3a4f-4ebf-9dca-40096fe32426&response_type=code&redirect_uri=https://portal.azure.us&nonce=1234&prompt=admin_consent

    Microsoft Cloud Germany

    https://login-us.microsoftonline.de/common/oauth2/authorize?client_id=538ee9e6-310a-468d-afef-ea97365856a9&response_type=code&redirect_uri=https://portal.microsoftazure.de&nonce=1234&prompt=admin_consent

    Azure China 21Vianet

    https://login.chinacloudapi.cn/common/oauth2/authorize?client_id=49f817b6-84ae-4cc0-928c-73f27289b3aa&response_type=code&redirect_uri=https://portal.azure.cn&nonce=1234&prompt=admin_consent

  5. Select the Global Admin account if prompted.

  6. Select Accept when prompted.

  7. Under your Azure AD, in Enterprise applications, you will see Azure VPN listed.

4. Register additional applications

In this step, you register additional applications for various users and groups.

  1. Under your Azure Active Directory, click App registrations and then + New registration.

  2. On the Register an application page, enter the Name. Select the desired Supported account types, then click Register.

  3. Once the new app has been registered, click Expose an API under the app blade.

  4. Click + Add a scope.

  5. Leave the default Application ID URI. Click Save and continue.

  6. Fill in the required fields and ensure that State is Enabled. Click Add scope.

  7. Click Expose an API, then + Add a client application. For Client ID, enter the following value depending on the cloud:

    • Enter 41b23e61-6c1e-4545-b367-cd054e0ed4b4 for Azure Public
    • Enter 51bb15d4-3a4f-4ebf-9dca-40096fe32426 for Azure Government
    • Enter 538ee9e6-310a-468d-afef-ea97365856a9 for Azure Germany
    • Enter 49f817b6-84ae-4cc0-928c-73f27289b3aa for Azure China 21Vianet

  8. Click Add application.

  9. Copy the Application (client) ID from the Overview page. You will need this information to configure your VPN gateway(s).

  10. Repeat the steps in this section to create as many applications as your security requirements need. Each application will be associated with a VPN gateway and can have a different set of users. Only one application can be associated with a gateway.

5. Assign users to applications

Assign the users to your applications.

  1. Under Azure AD -> Enterprise applications, select the newly registered application and click Properties. Ensure that "User assignment required?" is set to Yes. Click Save.

  2. On the app page, click Users and groups, and then click + Add user.

  3. Under Add Assignment, click Users and groups. Select the users that you want to be able to access this VPN application. Click Select.

6. Enable authentication on the gateway

In this step, you enable Azure AD authentication on the VPN gateway.

  1. Enable Azure AD authentication on the VPN gateway by running the following commands. Be sure to modify the commands to reflect your own environment:

    # Look up the existing gateway object
    $gw = Get-AzVirtualNetworkGateway -Name <name of VPN gateway> -ResourceGroupName <Resource group>
    # Clear any certificate root so that only Azure AD authentication is accepted
    Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -VpnClientRootCertificates @()
    # Point the gateway at your tenant and at the application registered in the previous section
    Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -AadTenantUri "https://login.partner.microsoftonline.cn/<your Directory ID>" -AadAudienceId "<application ID from previous section>" -AadIssuerUri "https://sts.chinacloudapi.cn/<your Directory ID>/" -VpnClientAddressPool 192.168.0.0/24

    Note

    Do not use the Azure VPN client's application ID in the commands above: it will grant all users access to the VPN gateway. Use the ID of the application(s) you registered.

  2. Create and download the profile by running the following commands. Change the -ResourceGroupName and -Name values to match your own.

    # Generate the client configuration and print the download URL for the profile package
    $profile = New-AzVpnClientConfiguration -Name <name of VPN gateway> -ResourceGroupName <Resource group> -AuthenticationMethod "EapTls"
    $profile.VpnProfileSASUrl

  3. After running the commands, you see a result similar to the one below. Copy the resulting URL into your browser to download the profile zip file.

  4. Extract the downloaded zip file.

  5. Browse to the unzipped "AzureVPN" folder.

  6. Make a note of the location of the "azurevpnconfig.xml" file. The azurevpnconfig.xml file contains the settings for the VPN connection and can be imported directly into the Azure VPN Client application. You can also distribute this file to all the users that need to connect, via e-mail or other means. The user will need valid Azure AD credentials to connect successfully.
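As an added example (not from the original article), the following PowerShell wraps steps 1 and 2 above in one function and refuses the well-known Azure VPN client IDs from section 4 as the audience, which is the misconfiguration the note warns about. The gateway name, resource group, Directory ID and application ID are placeholders supplied by the caller; the tenant and issuer URIs are the Azure China ones used in the commands above.

```powershell
# Added example: enable Azure AD authentication on a P2S gateway, with a guard
# against using the Azure VPN client's own application ID as the audience.
# Assumes the Az.Network module is installed and Connect-AzAccount has been run.

# Application IDs of the Azure VPN client per cloud, as listed in section 4.
# Using any of these as -AadAudienceId grants every tenant user gateway access.
$AzureVpnClientIds = @(
    '41b23e61-6c1e-4545-b367-cd054e0ed4b4',  # Azure Public
    '51bb15d4-3a4f-4ebf-9dca-40096fe32426',  # Azure Government
    '538ee9e6-310a-468d-afef-ea97365856a9',  # Azure Germany
    '49f817b6-84ae-4cc0-928c-73f27289b3aa'   # Azure China 21Vianet
)

function Enable-P2SAadAuthentication {
    param(
        [Parameter(Mandatory)] [string] $GatewayName,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $DirectoryId,   # Azure AD tenant (Directory) ID
        [Parameter(Mandatory)] [string] $AudienceId,    # app registered in section 4
        [string] $ClientAddressPool = '192.168.0.0/24'
    )

    # -contains compares strings case-insensitively, so GUID casing does not matter.
    if ($AzureVpnClientIds -contains $AudienceId) {
        throw "Audience '$AudienceId' is the Azure VPN client itself; use the app you registered."
    }
    if ($DirectoryId -notmatch '^[0-9a-fA-F-]{36}$' -or $AudienceId -notmatch '^[0-9a-fA-F-]{36}$') {
        throw 'Directory ID and audience ID must be GUIDs.'
    }

    # Azure China 21Vianet endpoints, as used in the commands above.
    $tenantUri = "https://login.partner.microsoftonline.cn/$DirectoryId"
    $issuerUri = "https://sts.chinacloudapi.cn/$DirectoryId/"

    $gw = Get-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroupName
    # Remove certificate roots so that only Azure AD authentication is accepted.
    Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -VpnClientRootCertificates @() | Out-Null
    Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
        -AadTenantUri $tenantUri -AadAudienceId $AudienceId -AadIssuerUri $issuerUri `
        -VpnClientAddressPool $ClientAddressPool | Out-Null

    # Generate the client profile and return the download URL for the zip containing azurevpnconfig.xml.
    $clientConfig = New-AzVpnClientConfiguration -Name $GatewayName -ResourceGroupName $ResourceGroupName -AuthenticationMethod 'EapTls'
    return $clientConfig.VpnProfileSASUrl
}

# Usage (placeholders; the GUID check rejects them until real values are supplied):
# Enable-P2SAadAuthentication -GatewayName '<name of VPN gateway>' -ResourceGroupName '<Resource group>' -DirectoryId '<your Directory ID>' -AudienceId '<application ID from section 4>'
```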

Next steps

In order to connect to your virtual network, you must create and configure a VPN client profile. See Configure a VPN client for P2S VPN connections.