多租户的Azure AD非管理员登陆 [英] Multi Tenant Azure AD non admin login
问题描述
我有我想要添加的Office 365整合现有的Web应用程序。我希望所有用户都能够使用的OAuth2登入,而管理员用户可以从目录中读取用户。
I have an existing web app which I am trying to add Office 365 integration. I want all users to be able to log in with OAuth2, and admin users to be able to read users from the directory.
所以,我创建了一个Azure的AD应用程序,并授予启用登录和阅读用户配置文件和读目录数据委派权限。
So I created an Azure AD app, and granted the "Enable sign-on and read users profiles" and "Read directory data" delegate permissions.
当一个O365管理员用户登录时,它按预期工作。但是,当在O365非管理员用户登录时,他们得到的错误。AADSTS90093:调用主体可以不同意,由于缺乏权限
When an O365 admin user logs in, it works as expected. But when a O365 non-admin user logs in, they get the error "AADSTS90093: Calling principal cannot consent due to lack of permissions.".
多的试验和错误(该文档是什么,但清楚的)之后,我想我需要提示= admin_consent追加到验证网址。通过这种附加的验证网址,如果我有一个管理员登录,则后续的非管理员的注册工作。
After much trial and error (the docs are anything but clear), I figured that I need to append prompt=admin_consent to the auth url. By appending this to the auth URL, if I log in with an admin, then subsequent non-admin logins work as expected.
问题是,我不知道用户是否点击登录与Office 365我的登录页面上的按钮是管理员或没有。似乎谁登录到从O365域应用程序必须是管理员O365的第一人,并且认证URL必须有提示= admin_consent。如果一个非管理员尝试登录之前管理员的话,那么他们得到的AADSTS90093错误,并且似乎没有任何办法为我的应用程序优雅地处理这种情况。更糟糕的是 - 他们根本无法登录
The problem is, that I don't know whether the user about to click the "Login with Office 365" button on my login page is an admin or not. It seems that the first person who logs into the app from the O365 domain MUST be a O365 admin, AND the auth url MUST have prompt=admin_consent. If a non-admin tries to login BEFORE an admin does, then they get the AADSTS90093 error, and there doesn't seem to be any way for my app to gracefully handle this scenario. Even worse - they can't log in at all.
我真正需要的这里,就是有1登录按钮,这将记录非管理员用户,但没有进入目录,将与访问目录登录管理员用户,但是这似乎并没有是可能的。谷歌有范围的概念,但这似乎没有从微软的实现。
What I really need here, is to have 1 login button, that will log non-admin users in but without access to the directory, and will log admin users in with access to the directory, but this doesn't seem to be possible. Google have the concept of scopes, but this seems absent from Microsofts implementation.
我看到2个潜在的解决方案,这两者都不是伟大的:
I see 2 potential solutions, neither of which are great:
- 添加标记在登录页面上一个复选框作为Office 365的管理员登录。如果被选中,那么我追加提示= admin_consent的验证网址。与此问题(除了塞满了我的登录页),是它并不满足非管理员尝试登录管理员面前。因此,大多数用户仍然无法登录。 - 不是很大
- 创建2 Azure的AD应用程序。一个既启用登录和阅读用户配置文件和读目录数据的权限,另一个只有启用登录和阅读用户配置文件的权限。登录页面被链接到第一个应用程序,这将使这两个管理员与非管理员用户在任何时间登录。然后,在我的应用的配置页面上,我必须这样做,这presents链接与O365完全集成与第二AAD应用验证的选项。这样的话,我可以保证所有用户都可以进行基本的日志,当管理员点击第二个按钮,我可以与目录和日历集成。这种方法的缺点是,即使登录的第一个用户是O365管理员,我将无法直到第二身份验证已经完成访问目录。其次,我的应用程序将在两次客户AAD应用程序列表中出现。
好像我想在这里实现这样一个平凡的事情 - 是能够登录的所有用户,但如果管理员日志,那么他们可以访问该目录。那么,你如何与AAD应用程序实现这一目标?
It seems like I am trying to achieve such a trivial thing here - to be able to log all users in, but if an admin logs in then they can access the directory. So how do you achieve this with AAD apps?
推荐答案
您的解决方案#1是我们在我们的样本中推荐的人,举个例子的 https://github.com/AzureADSamples/WebApp-MultiTenant-OpenIdConnect-DotNet 和注册控制器。作为Azure的AD今天同意的是一个全有或全无的一揽子交易,因此需要管理员同意,必须由管理员来第一个批准的应用程序。我们正在努力做的同意动态的,感谢你就可以在非管理员用户登录无需目录查询的权力和推迟的能力,直到管理员授予的同意 - 但是这仍然是相当一段时间了,因此暂且#1是支持的方法。
Your solution #1 is the one we recommend in our samples, take for example https://github.com/AzureADSamples/WebApp-MultiTenant-OpenIdConnect-DotNet and the sign up controllers. As of today consent in Azure AD is an "all-or-nothing" package deal, hence apps that require admin consent must be first approved by an administrator. We are working on making the consent dynamic, thanks to which you'll be able to sign in non-admin users without directory querying powers and defer that ability until an admin grants consent - but that's still quite some time out hence for the time being #1 is the supported approach.
这篇关于多租户的Azure AD非管理员登陆的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
