Azure Active Directory - What is the difference between a Service Principal and an Enterprise Application?


Question

Three topics in Azure AD I'm constantly confused on:

  1. Service Principal
  2. Enterprise Application
  3. App Registration

What is the difference?

I can easily go into "App Registrations" and register an "app" while that "app" doesn't even need to exist. All it requires is a URL, which can also be totally random. This app registration then becomes a service principal which you can use to connect to Azure from PowerShell, for instance? Why? I don't understand this.

Please advise, and as you can probably tell, I'm new to Azure :)

Answer

When you write an application as a developer, you will register it in a given tenant, and will specify its properties. This happens in the App Registration blade in Azure AD. I'll dare an analogy by saying that the app is like a "class" in object-oriented languages (with some static properties, which will be common to all instances).

By registering the application in that given tenant, if you use the portal, this also automatically creates a service principal for this application, which you can find in the "Enterprise Applications" blade of the Azure portal. To continue with my analogy, the portal creates a kind of instance of that class. This service principal contains information which is related to both the application and the tenant and its users. For instance, it contains the activity of the users, and in particular what they have consented to.

Now, if during the app registration / app management you decide that your application is "multi-tenant", then, when the application is accessed in other tenants, another service principal (remember, this is the instance) will be created in that tenant.

BTW, if you go to the new App Registration (Preview) blade in the Azure portal when you create an application, you can now see, nicely grouped by category, all the properties of the app (all the properties which are common to all the service principals). Now if, in the "Overview" tab of the app, you click on the link "Managed application in local directory", you'll get to the corresponding service principal in the same tenant (where you'll see which users have accessed the app and when, where you can grant admin consent - if you are tenant admin - and see the activity and the audit logs).
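The class/instance relationship described in the answer can be made concrete from PowerShell, which is also where the question's sign-in scenario comes from. The following is an added example, not code from the question or the answer; it assumes the Az PowerShell module (Az.Resources 5 or later, where the returned objects expose `Id` and `AppId`) and an account that is allowed to create applications in the tenant. The display name, scope and tenant values are placeholders.

```powershell
# Added example: app registration ("class") versus service principal ("instance").
# Assumes Az.Resources >= 5 and an interactive sign-in that may create applications.
Connect-AzAccount | Out-Null

# 1. The app registration. Nothing has to exist behind it, exactly as the question
#    observes; it only describes the application (name, audience, permissions...).
$app = New-AzADApplication -DisplayName 'sp-vs-app-demo'   # placeholder name

# 2. The service principal for that registration in THIS tenant. The portal does this
#    step for you automatically; with the module you create it explicitly.
$sp = New-AzADServicePrincipal -ApplicationId $app.AppId

# Same application (client) id, two different directory objects: that is the whole
# distinction between "App registrations" and "Enterprise applications".
"Application (client) id     : $($app.AppId)"
"App registration object id  : $($app.Id)"
"Service principal object id : $($sp.Id)"

# The portal's "Managed application in local directory" link resolves to the
# service principal that carries this AppId in the current tenant.
$managedApp = Get-AzADServicePrincipal -ApplicationId $app.AppId
$managedApp.Id -eq $sp.Id    # True

# 3. Consent, sign-in activity and role assignments live on the service principal,
#    not on the registration. Grant only the role you need, at the narrowest scope.
#    '<subscription-id>' and '<resource-group>' are placeholders.
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Reader' `
    -Scope '/subscriptions/<subscription-id>/resourceGroups/<resource-group>'

# 4. The question's use case: signing in to Azure as the application rather than as a
#    user. A short-lived client secret is issued on the registration; the identity that
#    actually signs in is the service principal.
$secret = New-AzADAppCredential -ApplicationId $app.AppId -EndDate (Get-Date).AddDays(30)
$cred   = [pscredential]::new($app.AppId, (ConvertTo-SecureString $secret.SecretText -AsPlainText -Force))
Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant '<tenant-id>'   # placeholder tenant
```

If the registration is later switched to multi-tenant (for example with `Update-AzADApplication -ApplicationId $app.AppId -SignInAudience AzureADMultipleOrgs`), the registration object stays in the home tenant while each consenting tenant gets its own service principal with the same `AppId`; the sign-in audit and consent records you review for that tenant are attached to that tenant's service principal, which is why the "Enterprise applications" blade is where a defender looks.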
