限制Azure Active Directory应用访问特定租户 [英] Restrict Azure Active Directory app access to specific tenants
问题描述
我希望使用Microsoft Identity Platform(Azure Active Directory)来管理我的应用程序的身份验证。
I'm hoping to use the Microsoft Identity Platform - Azure Active Directory - to manage authentication for my app.
我使用v2.0终结点。
I using the v2.0 endpoint.
我已经在新的应用程序注册门户( apps.dev.microsoft.com )中注册了我的应用程序,现在显示在 Azure Active Directory>下的主要Azure门户中。应用注册
I've registered my application in the new Application Registration Portal (apps.dev.microsoft.com), and it is now showing up in the main Azure portal under Azure Active Directory > App registrations
我需要限制对某些组织的访问权限-我正在假设这意味着我需要允许访问
I need to restrict access to my application to certain organisations - I'm working on the assumption this means I need to allow access to a specific set of AD tenants.
在应用程序清单中,有一个 signInAudience 属性,是 AzureADMyOrg , AzureADMultipleOrgs 和 AzureADandPersonalMicrosoftAccount
In the application manifest, there's a signInAudience property, the options for which are AzureADMyOrg, AzureADMultipleOrgs and AzureADandPersonalMicrosoftAccount
AzureADMultipleOrgs 听起来最接近我要查找的内容,但到目前为止,这意味着拥有AD帐户的任何人都可以访问我的应用程序。
AzureADMultipleOrgs sounds the closest to what I'm looking for, but so far it means anyone with an AD account can access my app.
我遇到过 orgRestrictions 属性的文档( https://github.com/microsoftgraph/microsoft-graph-docs/blob /master/api-reference/beta/resources/application.md ),虽然听起来很有用,但只是说保留以供将来使用
I've come across documentation for an orgRestrictions property (https://github.com/microsoftgraph/microsoft-graph-docs/blob/master/api-reference/beta/resources/application.md) which sounds useful but it just says Reserved for future use
我认为这是一个常见用例,例如只允许访问订阅您产品的组织,但我看不到一种简单的方法。
I assume this is a common use case e.g. only allow access to organisations that subscribe to your product, but I don't see a straightforward way to do it.
推荐答案
我认为这是一个常见的用例,例如只允许访问订阅您产品的组织,但是我看不到一种简单的方法。
I assume this is a common use case e.g. only allow access to organisations that subscribe to your product, but I don't see a straightforward way to do it.
是的,大多数多租户示例都展示了这一点。
当前无法说给定的应用程序应允许X和Y登录,因此它必须允许所有Azure AD租户。
(尽管这是一个被大量要求的功能)
然后,在身份验证之后,您的应用程序可以检查 tid 声明。
例如,您可以从数据库中检查此租户是否具有有效的订阅。
如果不这样做,请将其重定向到错误页面,并且不要登录。
Yes it is, and most multi-tenant samples showcase this.
Currently there is no way to say that a given app should allow login from X and Y, so it'll have to allow all Azure AD tenants.
(though that is a feature that has been heavily requested)
Then after authentication, your app can check the tid claim.
You could for example check from a database if this tenant has a valid subscription.
If they don't, redirect them to an error page and don't log them in.
这篇关于限制Azure Active Directory应用访问特定租户的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
