Create an Active Directory (AD) tenant for P2S OpenVPN protocol connections

When connecting to your VNet, you can use certificate-based authentication or RADIUS authentication. However, when you use the OpenVPN protocol, you can also use Azure Active Directory authentication. If you want different sets of users to be able to connect to different VPN gateways, you can register multiple apps in AD and link them to different VPN gateways. This article helps you set up an Azure AD tenant for P2S OpenVPN authentication and create and register multiple apps in Azure AD to allow different access for different users and groups.

Note

  • Azure AD authentication is supported only for OpenVPN® protocol connections.
  • Azure AD authentication requires the Azure VPN client, which is available only for Windows 10.

1. Create the Azure AD tenant

Create an Azure AD tenant using the steps in the Create a new tenant article:

  • Organizational name

  • Initial domain name

    Example:

    New Azure AD tenant

2. Create tenant users

In this step, you create two Azure AD tenant users: one Global Admin account and one master user account. The master user account is used as your master embedding account (service account). When you create an Azure AD tenant user account, you adjust the Directory role for the type of user that you want to create. Use the steps in this article to create at least two users for your Azure AD tenant. Be sure to change the Directory role to create the account types:

  • Global Admin
  • User

3. Register the VPN client

Register the VPN client in the Azure AD tenant.

  1. Locate the Directory ID of the directory that you want to use for authentication. It is listed in the Properties section of the Active Directory page.

    Directory ID

  2. Copy the Directory ID.

  3. Sign in to the Azure portal as a user that is assigned the Global administrator role.

  4. Next, give admin consent. Copy and paste the URL that pertains to your deployment location into the address bar of your browser:

    Public

    https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.cn&nonce=1234&prompt=admin_consent
    

    Azure Government

    https://login-us.microsoftonline.com/common/oauth2/authorize?client_id=51bb15d4-3a4f-4ebf-9dca-40096fe32426&response_type=code&redirect_uri=https://portal.azure.us&nonce=1234&prompt=admin_consent
    

    Azure Cloud Germany

    https://login.microsoftonline.de/common/oauth2/authorize?client_id=538ee9e6-310a-468d-afef-ea97365856a9&response_type=code&redirect_uri=https://portal.microsoftazure.de&nonce=1234&prompt=admin_consent
    

    Azure China 21Vianet

    https://login.chinacloudapi.cn/common/oauth2/authorize?client_id=49f817b6-84ae-4cc0-928c-73f27289b3aa&response_type=code&redirect_uri=https://portal.azure.cn&nonce=1234&prompt=admin_consent
    

Note

If you are using a global admin account that is not native to the Azure AD tenant to provide consent, replace "common" in the URL with the Azure AD Directory ID. You may also have to replace "common" with your Directory ID in certain other cases.

  5. Select the Global Admin account if prompted.

    Directory ID

  6. Select Accept when prompted.

    Screenshot showing the "Permissions requested: Accept for your organization" message and a window about the requested information.

  7. Under your Azure AD, in Enterprise applications, you will see Azure VPN listed.

    Azure VPN

4. Register additional applications

In this step, you register additional applications for various users and groups.

  1. Under your Azure Active Directory, click App registrations and then + New registration.

    Azure VPN

  2. On the Register an application page, enter the Name. Select the desired Supported account types, then click Register.

    Azure VPN

  3. Once the new app has been registered, click Expose an API under the app blade.

  4. Click + Add a scope.

  5. Leave the default Application ID URI. Click Save and continue.

    Azure VPN

  6. Fill in the required fields and ensure that State is Enabled. Click Add scope.

    Azure VPN

  7. Click Expose an API, then + Add a client application. For Client ID, enter the following value depending on the cloud:

    • Enter 41b23e61-6c1e-4545-b367-cd054e0ed4b4 for Azure Public
    • Enter 51bb15d4-3a4f-4ebf-9dca-40096fe32426 for Azure Government
    • Enter 538ee9e6-310a-468d-afef-ea97365856a9 for Azure Germany
    • Enter 49f817b6-84ae-4cc0-928c-73f27289b3aa for Azure China 21Vianet
  8. Click Add application.

    Azure VPN

  9. Copy the Application (client) ID from the Overview page. You will need this information to configure your VPN gateway(s).

    Azure VPN

  10. Repeat the steps in this Register additional applications section to create as many applications as your security requirements need. Each application will be associated with a VPN gateway and can have a different set of users. Only one application can be associated with a gateway.

5. Assign users to applications

Assign the users to your applications.

  1. Under Azure AD > Enterprise applications, select the newly registered application and click Properties. Ensure that User assignment required? is set to Yes. Click Save.

    Azure VPN

  2. On the app page, click Users and groups, and then click + Add user.

    Azure VPN

  3. Under Add Assignment, click Users and groups. Select the users that you want to be able to access this VPN application. Click Select.

    Azure VPN

6. Enable authentication on the gateway

In this step, you enable Azure AD authentication on the VPN gateway.

  1. Enable Azure AD authentication on the VPN gateway by navigating to Point-to-site configuration and picking OpenVPN (SSL) as the Tunnel type. Select Azure Active Directory as the Authentication type, then fill in the information under the Azure Active Directory section.

    Azure portal view

    Note

    Do not use the Azure VPN client's application ID: it will grant all users access to the VPN gateway. Use the ID of the application(s) you registered.

  2. Create and download the profile by clicking the Download VPN client link.

  3. Extract the downloaded zip file.

  4. Browse to the unzipped "AzureVPN" folder.

  5. Make a note of the location of the "azurevpnconfig.xml" file. azurevpnconfig.xml contains the settings for the VPN connection and can be imported directly into the Azure VPN Client application. You can also distribute this file, by e-mail or other means, to all the users who need to connect. Users will need valid Azure AD credentials to connect successfully.
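As an added example that is not part of the original article, the following Python builds the admin-consent URL from step 3 out of the per-cloud values listed there (substituting the Directory ID for "common" as the note under step 3 describes) and audits a set of gateways for the misconfiguration the note in step 6 warns about, where a gateway's audience is the Azure VPN client's own application ID rather than one of the apps registered in step 4. The cloud keys, the finding strings and the gateway names are assumptions of the example.

```python
from urllib.parse import urlencode

# Per-cloud values copied from steps 3 and 7 of this article:
# (login endpoint, Azure VPN client's application ID, portal redirect URI).
CLOUDS = {
    "public": ("https://login.microsoftonline.com",
               "41b23e61-6c1e-4545-b367-cd054e0ed4b4", "https://portal.azure.cn"),
    "government": ("https://login-us.microsoftonline.com",
                   "51bb15d4-3a4f-4ebf-9dca-40096fe32426", "https://portal.azure.us"),
    "germany": ("https://login.microsoftonline.de",
                "538ee9e6-310a-468d-afef-ea97365856a9", "https://portal.microsoftazure.de"),
    "china": ("https://login.chinacloudapi.cn",
              "49f817b6-84ae-4cc0-928c-73f27289b3aa", "https://portal.azure.cn"),
}

def admin_consent_url(cloud, tenant="common", nonce="1234"):
    """Build the admin-consent URL for a cloud.
    Pass the Directory ID as `tenant` instead of "common" when the consenting
    Global Admin is not native to the tenant (note under step 3). The default
    nonce reproduces the URL printed in the article.
    """
    endpoint, client_id, redirect_uri = CLOUDS[cloud]
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "nonce": nonce,
        "prompt": "admin_consent",
    }, safe=":/")  # keep the redirect URI unescaped, as on the page
    return f"{endpoint}/{tenant}/oauth2/authorize?{query}"

FIRST_PARTY = "audience-is-azure-vpn-client-id"  # would admit every tenant user
UNREGISTERED = "audience-not-a-registered-app"   # not one of the step-4 apps

def audit_gateways(cloud, gateway_audiences, registered_app_ids):
    """Return {gateway: finding} for gateways whose Azure AD audience is wrong.
    gateway_audiences: gateway name -> Application (client) ID set on it.
    registered_app_ids: IDs copied in step 9 from the apps registered in step 4.
    """
    vpn_client_id = CLOUDS[cloud][1].lower()
    registered = {app.lower() for app in registered_app_ids}
    findings = {}
    for gateway, audience in gateway_audiences.items():
        if audience.lower() == vpn_client_id:
            findings[gateway] = FIRST_PARTY
        elif audience.lower() not in registered:
            findings[gateway] = UNREGISTERED
    return findings
```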

Next steps

In order to connect to your virtual network, you must create and configure a VPN client profile. See Configure a VPN client for P2S VPN connections.