如何使用单个应用程序访问Azure AD中多个租户中的资源?
我的客户端应用程序(托管在不在Azure上的Web服务器上)需要访问各种组织的Azure存储帐户.
My client application ( hosted on a web server which is not on Azure ), needs to access Azure Storage accounts for various Organizations.
假设存在三个组织-Org1,Org2和Org3.对于这3个组织中的每一个,我都会在服务器上运行一个应用程序实例,因此基本上它们是隔离的实例.组织可以使用基于UI的表单来输入其详细信息(例如订阅ID,存储帐户名称等).
Say there are three Organizations - Org1, Org2 and Org3. I would have one instance of my application running on my server for each of these 3 organizations, so basically they are isolated instances. There would be a UI based form for an organization to enter their details ( like subscription id, storage account name etc ).
给我留下了两个选择的印象.
I was under the impression that I have two options.
选项A -在每个单位中创建应用注册.因此,将创建3个应用程序(本组织的每个租户中一个).每个组织都必须赋予其各自应用程序的服务负责人一个角色,以便能够访问其存储帐户.因此共有3个应用程序和3个服务主体.
Option A - Create an app registration in each Organization. So there would be 3 apps created ( one in each of the Organization's tenant ). Each Organization would have to give their respective app's service principal a role to be able to access their Storage Accounts. So 3 apps and 3 service principals in total.
选项B -在我的单位(租户)中创建应用注册.为了便于理解,我们将其称为SomanshOrg. 我们可以在Org 1,Org2,Org3中创建服务主体吗,每个组织都必须赋予其各自应用程序的服务主体一个角色,以便能够访问其存储帐户.然后,从我的客户端应用程序中,我将能够访问他们的资源.因此,总共1个应用程序和4个服务主体(3个Org + mine).
Option B - Create an app registration in my Organization ( tenant ). For ease of understanding let us call this SomanshOrg. Can we create a service principal in Org 1, Org2, Org3 where each Organization would have to give their respective app's service principal a role to be able to access their Storage Accounts. And then from my client application I would be able to access their resources. So 1 app and 4 service principals ( 3 Org + mine ) in total.
最终目标是仅以初始UI形式从用户获取凭据.然后,我们可以在没有更多用户参与的情况下访问其Azure存储.
The end goal is to only take credentials from the User in the initial UI form. And then we can access their Azure Storages without any more user involvement.
以下哪个选项会更好?还是其他选项更适合我的用例?
Which of these options would be better? Or is a different option more suitable for my use case?
以下哪个选项会更好?还是其他选项更适合我的用例?
Which of these options would be better? Or is a different option more suitable for my use case?
选项B更好,我认为在这种情况下,它应该是最合适的方法.
Option B is better and I think it should be the most suitable way in this case.
您只需要创建一个同意相应租户的应用程序
You just need to create a multi-tenant app in the SomanshOrg, then use the respective admin accounts of the Org1, Org2, Org3 to consent the app for the respective tenants.
After the consent, the service principals will locate in the respective tenants, then you just need to add the RBAC roles for them on the storage account scope.
最后一步是访问存储帐户,如果要在没有任何用户参与的情况下执行此操作,只需使用 在SomanshOrg 中创建),该秘密可用于所有服务主体的应用程序.
The last step is to access the storage accounts, if you want to do this without any user involvement, just use the client credential flow to get the token to access the storage accounts. The advantage of option B is that we just need one application ID and one client secret(create it in the SomanshOrg), the secret can be used for all the service principals of the app.