Why do I need to create a Multi-Tenant App?


Problem description

I have been doing some R&D on using the MicrosoftGraphAPI to fetch the skus subscribed by my organization.

I have created an app as described in the documentation. I did all the steps in the above link except 'Assign application to role'.

Using Postman I am able to get the OAuth2 token by sending a POST request to https://login.microsoftonline.com/<mytenantid>/oauth2/token with the client_id, client_secret, resource (https://graph.microsoft.com) and grant_type (client_credentials) parameters.

After this token is obtained I can fire a GET request to https://graph.microsoft.com/v1.0/subscribedSkus with the Authorization header set to Bearer {token}, which will return the SKUs subscribed by my organization. So far so good. :-)

Now the requirement is that I need to fetch the subscribed SKUs of one of the clients of my organization (let's say one having the Azure AD tenant id 'ABCDEFG'). I can successfully do that by registering an app in the client's tenant 'ABCDEFG' with the same steps as above. This approach is fine if my organization has, say, 1 or 2 clients. However, if the number of clients is more than, say, 30, this approach of registering an application in each Azure AD instance is not feasible.

If the application that I registered in my organization's AAD were multi-tenant, how would it help me? What would be the steps needed to obtain the access token for each tenant? Can somebody assist with some detailed explanation?

Recommended answer

Since you need application-level access, you would assign one of the Application permissions listed in the documentation for getting SKUs: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/subscribedsku_list.

Directory.Read.All, Directory.ReadWrite.All

In this case you should require the Read Directory Data (Directory.Read.All) application permission.

Then you mark your app as multi-tenanted.

Now, in order for another org to use your app, they will have to be on-boarded. You will need some kind of page where their administrator can click a button/link to start using your app. This should redirect the admin to:

https://login.microsoftonline.com/common/oauth2/authorize?client_id=your-client-id&prompt=admin_consent&response_type=code+id_token&redirect_uri=url-where-to-send-user-back

Once they sign in, they will be presented with a consent screen, where they can approve the permissions that your app requires. If and when they do that, they will be redirected back to your app (to the URL you specified), and you can use the ID token to know which Azure AD tenant registered.

During this process a service principal for your app is created in their tenant, and the required permission is granted to it. This means you can then get an access token for their tenant (using the same credentials) from:

https://login.microsoftonline.com/their-tenant-id/oauth2/token

Remember that access tokens are specific to an Azure AD tenant, so you will have to get an access token for each tenant.

One thing I would like to point out is that you should instead try to use delegated permissions if possible. The application permission given here gives quite large access to your app, and some admins might not use your service for that reason alone. Delegated permissions are more complex to handle, but allow your app to act on behalf of a user instead of purely as itself.
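As an added example (not code from the question or the answer), the per-tenant flow the answer describes in Python: build the admin-consent link on the /common endpoint, then for each on-boarded tenant request a client-credentials token from that tenant's own token endpoint and call subscribedSkus. The HTTP helpers are injectable so the flow can be exercised offline; tenant ids, client id and secret are placeholders, and a tenant whose admin has not consented is reported rather than aborting the sweep.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com"

def build_admin_consent_url(client_id, redirect_uri):
    # Onboarding link from the answer: /common authorize endpoint with
    # prompt=admin_consent, so any tenant's admin can consent for their org.
    params = {"client_id": client_id, "prompt": "admin_consent",
              "response_type": "code id_token", "redirect_uri": redirect_uri}
    return f"{AUTHORITY}/common/oauth2/authorize?" + urllib.parse.urlencode(params)

def http_post_form(url, fields):
    # Client credentials go in the POST body, never in the query string.
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data) as resp:
        return json.load(resp)

def http_get_bearer(url, token):
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def get_tenant_token(tenant_id, client_id, client_secret, post=http_post_form):
    # Tokens are per tenant (tenant id in the path) while the same client_id and
    # client_secret are reused; None means the tenant rejected us (no consent yet).
    url = f"{AUTHORITY}/{tenant_id}/oauth2/token"
    body = {"client_id": client_id, "client_secret": client_secret,
            "resource": GRAPH, "grant_type": "client_credentials"}
    try:
        return post(url, body)["access_token"]
    except urllib.error.HTTPError:
        return None

def fetch_skus_for_tenants(tenant_ids, client_id, client_secret,
                           post=http_post_form, get=http_get_bearer):
    # {tenant_id: [skuPartNumber, ...]}; None marks tenants not yet on-boarded,
    # so one un-consented tenant does not abort the whole sweep.
    results = {}
    for tenant_id in tenant_ids:
        token = get_tenant_token(tenant_id, client_id, client_secret, post)
        if token is None:
            results[tenant_id] = None
            continue
        page = get(f"{GRAPH}/v1.0/subscribedSkus", token)
        results[tenant_id] = [sku["skuPartNumber"] for sku in page.get("value", [])]
    return results
```

With real credentials the defaults perform the live HTTP calls; the token endpoint must be the tenant-specific one, since a token from your own tenant is not valid for a client's directory.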
