多租户应用程序注册 [英] Multi-Tenant App Registrations

问题描述

我一直在阅读有关多租户应用程序身份验证的文档，https://docs.microsoft.com/zh-cn/azure/active-directory/develop/active-directory-devhowto-multi-租户概述，还有以下其他问题:

I have been reading the documentation on authentication for multi-tenant applications https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview and had the following additional questions:

2. 使用B2B对多租户场景有何影响?当使用B2B时，当邀请客户帐户时，为他们创建类型为访客"的帐户.在邀请目录(应用程序所在的目录)中.这个来宾"可以吗? 帐户可用于通过托管应用程序的目录中的注册来访问应用程序?

1. In the multi-tenant scenario, is the customer admin not able to "add" the provider application by using the Non-Gallery option in Enterprise Apps? Or is the only way to have the custom admin do the initial consent?
2. Once the customer has the app in their AAD, can it be added to the /myapps page for users in their directory?
3. How is the multi-tenant scenario impacted by using B2B? When using B2B, when a customer account is invited an account gets created for them of type "Guest" in the inviting directory (where the app lives).  Can this "Guest" account be used to access the application via the registration that is in the directory hosting the application?
4. What about the scenario where a Web App (UI) that is registered is accessing Function Apps? Do the Function Apps need to be registered as well?

推荐答案

1. 在多租户方案中，客户管理员是否无法添加通过使用Enterprise Apps中的非图库"选项来提供提供商应用程序?还是唯一的 使自定义管理员获得初步同意的方法是什么?

1. In the multi-tenant scenario, is the customer admin not able to "add" the provider application by using the Non-Gallery option in Enterprise Apps? Or is the only way to have the custom admin do the initial consent?

答案:另一位租户中的管理员必须首次同意该应用程序. 管理员 在其他租户中始终可以禁用 默认情况下，将基于每个用户授予同意.每个登录的用户都会看到同意页面.但是，Azure AD还支持管理员同意，这允许AD管理员同意整个组织.当使用管理员同意流程时， 同意页面指出，AD管理员代表整个租户授予权限.

Ans: An administrator in the other tenant must consent for the app for the first time. Administrator in the other tenant can always disable end-user consent in which case they would always require admin consent for every app. By default, consent is granted on a per-user basis. Every user who signs in sees the consent page. However, Azure AD also supports admin consent, which allows an AD administrator to consent for an entire organization. When the admin consent flow is used, the consent page states that the AD admin is granting permission on behalf of the entire tenant. 

2.客户在其AAD中拥有该应用后，可以将其添加到 /myapps页面中是否有目录中的用户?

2. Once the customer has the app in their AAD, can it be added to the /myapps page for users in their directory?

回答:您需要先将它们分配给应用程序才能授予他们访问权限.

参考: https://docs.microsoft.com/zh-CN/azure/active-directory/application-access-assignment-how-to-add-assignment

Refer : https://docs.microsoft.com/en-us/azure/active-directory/application-access-assignment-how-to-add-assignment

3. 使用B2B对多租户方案有何影响?当使用B2B时，当邀请客户帐户时，为他们创建类型为访客"的帐户.在邀请目录(应用程序所在的目录)中.这个来宾"可以吗?帐户 可以通过托管应用程序的目录中的注册来访问该应用程序?

3. How is the multi-tenant scenario impacted by using B2B? When using B2B, when a customer account is invited an account gets created for them of type "Guest" in the inviting directory (where the app lives).  Can this "Guest" account be used to access the application via the registration that is in the directory hosting the application?

答案:当来自另一个租户的来宾用户尝试使用您的Web App/API时，将需要对此应用程序表示同意.如果此应用需要在需要管理员的情况下使用权限 同意，则还需要该租户的管理员对此应用程序表示同意.然后，该应用程序将出现在该租户的企业应用程序中..

Ans: when the guest user from another tenant tries to use your Web App/API, he will be requires to do consent for this app. If this app needs to use permissions with needing admin consent, it also need admin in that tenant to do consent for this app. Then the App will occur in the Enterprise Application of that tenant.

参考: https://stackoverflow.com/questions/49763765/does-app-need-to-be-multi-tenant-when-using-b2b-invite

Refer : https://stackoverflow.com/questions/49763765/does-app-need-to-be-multi-tenant-when-using-b2b-invite

4. 注册的Web应用程序(UI)访问功能应用程序的情况如何?功能应用程序也需要注册吗?

4. What about the scenario where a Web App (UI) that is registered is accessing Function Apps? Do the Function Apps need to be registered as well?

Ans:

参考: https://blogs.msdn.microsoft.com/hmahrt/2017/03/07/azure-active-directory-b2c-and-azure-functions/

Refer : https://blogs.msdn.microsoft.com/hmahrt/2017/03/07/azure-active-directory-b2c-and-azure-functions/

-------------- -------------------------------------------------- ----------------------------------

如果此答案有帮助，点击"标记为答案"或 投票.要提供有关您的论坛体验的其他反馈，请单击 此处

If this answer was helpful, click "Mark as Answer" or Up-Vote. To provide additional feedback on your forum experience, click here

这篇关于多租户应用程序注册的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！