Why do I need to create a Multi-Tenant App?


Question

I have been doing some R&D on using the Microsoft Graph API to fetch the SKUs subscribed by my organization.

I have created an app as described in the documentation. I did all the steps in the above link except 'Assign application to role'.

Using Postman I am able to get the OAuth2 token by sending a POST request to https://login.microsoftonline.com/<mytenantid>/oauth2/token with the client_id, client_secret, resource (https://graph.microsoft.com) and grant_type (client_credentials) parameters.

After this token is obtained I can fire a GET request to https://graph.microsoft.com/v1.0/subscribedSkus with the Authorization header set to Bearer {token}, which will return the SKUs subscribed by my organization. So far so good. :-)

Now the requirement is that I need to fetch the subscribed SKUs of one of my organization's clients (let's say one with the Azure AD tenant id 'ABCDEFG'). I can successfully do that by registering an app in the client's tenant 'ABCDEFG' with the same steps as above. This approach is fine if my organization has, say, 1 or 2 clients. However, if the number of clients is more than, say, 30, this approach of registering an application in each Azure AD instance is not feasible.

If the application that I registered in my organization's AAD were multi-tenant, how would that help me? What are the steps needed to obtain the access token for each tenant? Can somebody assist with a detailed explanation?

Recommended answer

Since you need application-level access, you would assign one of the Application permissions listed in the documentation for getting SKUs: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/subscribedsku_list.

Directory.Read.All, Directory.ReadWrite.All

In this case you should require the Read Directory Data (Directory.Read.All) application permission.

Then you mark your app as multi-tenanted.

Now, in order for another org to use your app, they will have to be on-boarded. You will need some kind of page where their administrator can click a button/link to start using your app. This should redirect the admin to:

https://login.microsoftonline.com/common/oauth2/authorize?client_id=your-client-id&prompt=admin_consent&response_type=code+id_token&redirect_uri=url-where-to-send-user-back

Once they sign in, they will be presented with a consent screen, where they can approve the permissions that your app requires. If and when they do that, they will be redirected back to your app (to the URL you specified) and you can use the Id token to know which Azure AD tenant registered.

During this process a service principal for your app is created in their tenant, and the required permission is granted to it. This means you can then get an access token for their tenant (using the same credentials) from:

https://login.microsoftonline.com/their-tenant-id/oauth2/token

Remember that access tokens are specific to an Azure AD tenant, so you will have to get an access token for each tenant.

One thing I would like to point out is that you should instead try to use delegated permissions if possible. The application permission given here gives quite large access to your app, and some admins might not use your service for that reason alone. Delegated permissions are more complex to handle, but allow your app to act on behalf of a user instead of purely as itself.
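The on-boarding flow from this answer, end to end, as an added example (not code from the original post): build the admin-consent link, read the tenant id from the returned id_token, then request a client-credentials token from each tenant's own token endpoint before calling subscribedSkus. The `state` parameter, the injected `post`/`get` callables and the sample token are assumptions so the script runs offline.

```python
import base64
import json
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com/"
GRAPH = "https://graph.microsoft.com"

def admin_consent_url(client_id, redirect_uri, state):
    """Step 1: on-boarding link from the answer (/common authority, prompt=admin_consent).
    'state' is an assumption: a nonce bound to the admin's session, checked on return."""
    params = {"client_id": client_id, "prompt": "admin_consent",
              "response_type": "code id_token", "redirect_uri": redirect_uri,
              "state": state}
    return AUTHORITY + "common/oauth2/authorize?" + urlencode(params)

def tenant_from_id_token(id_token):
    """Step 2: read the 'tid' claim to learn which tenant consented. Assumes the
    token's signature, issuer and audience were already validated by a JWT library."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["tid"]

def token_request(tenant_id, client_id, client_secret):
    """Step 3: client-credentials request against THAT tenant's token endpoint."""
    return (AUTHORITY + tenant_id + "/oauth2/token",
            {"grant_type": "client_credentials", "client_id": client_id,
             "client_secret": client_secret, "resource": GRAPH})

def subscribed_skus(tenants, client_id, client_secret, post, get):
    """Step 4: one token per tenant (tokens are tenant-specific), then GET
    /v1.0/subscribedSkus with it. post(url, data) / get(url, headers) are injected
    so this runs offline; in real use wrap requests.post / requests.get (JSON out)."""
    out = {}
    for tid in tenants:
        url, body = token_request(tid, client_id, client_secret)
        token = post(url, body)["access_token"]
        out[tid] = get(GRAPH + "/v1.0/subscribedSkus",
                       {"Authorization": "Bearer " + token})["value"]
    return out

# --- constructed fixtures for the offline demo (not real tokens or endpoints) ---
def _b64url(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

SAMPLE_ID_TOKEN = _b64url(b'{"alg":"none"}') + "." + _b64url(
    json.dumps({"tid": "tenant-abcdefg", "aud": "your-client-id"}).encode()) + "."

def fake_post(url, data):          # stands in for Azure AD: token named after tenant
    return {"access_token": "tok-" + url.split("/")[3]}
def fake_get(url, headers):        # stands in for Graph: echoes the bearer it got
    return {"value": [{"skuPartNumber": "DEMO_SKU", "auth": headers["Authorization"]}]}
```

Running `subscribed_skus([tenant_from_id_token(SAMPLE_ID_TOKEN)], ...)` with the fakes shows each tenant's SKUs fetched with a token minted for that tenant only.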
