entra-app-registration
Overview
Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based identity and access management service. App registrations allow applications to authenticate users and access Azure resources securely.
Key Concepts
| Concept | Description |
|---|---|
| App Registration | Configuration that allows an app to use Microsoft identity platform |
| Application (Client) ID | Unique identifier for your application |
| Tenant ID | Unique identifier for your Azure AD tenant/directory |
| Client Secret | Password for the application (confidential clients only) |
| Redirect URI | URL where authentication responses are sent |
| API Permissions | Access scopes your app requests |
| Service Principal | Identity created in your tenant when you register an app |
Application Types
| Type | Use Case |
|---|---|
| Web Application | Server-side apps, APIs |
| Single Page App (SPA) | JavaScript/React/Angular apps |
| Mobile/Native App | Desktop, mobile apps |
| Daemon/Service | Background services, APIs |
Core Workflow
Step 1: Register the Application
Create an app registration in the Azure portal or using Azure CLI.
Portal Method:
- Navigate to Azure Portal → Microsoft Entra ID → App registrations
- Click "New registration"
- Provide name, supported account types, and redirect URI
- Click "Register"
CLI Method: See references/CLI-COMMANDS.md
IaC Method: See references/BICEP-EXAMPLE.bicep
Use IaC to manage Entra app registrations if your project already uses IaC, if you need a scalable way to manage many registrations, or if you need a fine-grained audit history of configuration changes; each of those is hard to get from portal clicks.
Step 2: Configure Authentication
Set up authentication settings based on your application type.
- Web Apps: Add redirect URIs; enable ID tokens only if the app signs users in with OpenID Connect rather than just acquiring access tokens
- SPAs: Add redirect URIs under the "Single-page application" platform so the app uses the authorization code flow with PKCE; the implicit grant is a legacy option and should only be enabled for apps that cannot be migrated off it
- Mobile/Desktop: Use http://localhost or a custom URI scheme as the redirect URI
- Services: No redirect URI needed for the client credentials flow
Step 3: Configure API Permissions
Grant your application permission to access Microsoft APIs or your own APIs.
Common Microsoft Graph Permissions:
- User.Read - Read the signed-in user's profile (delegated; users can consent themselves)
- User.ReadWrite.All - Read and write all users (requires admin consent)
- Directory.Read.All - Read directory data (requires admin consent)
- Mail.Send - Send mail as the signed-in user (delegated) or as any user (application permission; requires admin consent)
Delegated permissions act on behalf of a signed-in user and are bounded by what that user can do; application permissions act as the app itself with no user in the loop, so keep them to the minimum the workload needs.
Details: See references/API-PERMISSIONS.md
Step 4: Create Client Credentials (if needed)
For confidential client applications (web apps, services), create a client secret, certificate or federated identity credential.
Client Secret:
- Navigate to "Certificates & secrets"
- Create new client secret
- Copy the value immediately (only shown once)
- Store securely (Key Vault recommended)
Certificate: For production environments, use certificates instead of secrets for enhanced security. Upload certificate via "Certificates & secrets" section.
Federated Identity Credential: Lets a workload that already has an identity elsewhere (a GitHub Actions job, a Kubernetes service account, a workload in another cloud) exchange that issuer's token for an Entra token, so no secret or certificate is stored at all. This is workload identity federation and is the preferred option for CI/CD and cross-cloud services.
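An added example, not from the original page or the skill's references, for keeping the rotation promise in Step 4: it audits the secrets and certificates on a registration from the JSON that `az ad app credential list --id <appId>` (and the same command with `--cert`) prints, flagging expired credentials, credentials inside a renewal window, secrets whose lifetime exceeds a policy maximum, and apps that rely on secrets only. The policy values (180-day maximum lifetime, 30-day renewal window) and the sample credential list are this example's own assumptions, constructed to show each case.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy values for this example; tune them to your own standard.
MAX_SECRET_LIFETIME = timedelta(days=180)   # the portal's default offering when creating a secret
RENEWAL_WINDOW = timedelta(days=30)         # warn this long before expiry so rotation can be scheduled


def parse_time(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps Graph and `az` emit (e.g. 2025-06-30T12:00:00.123Z)."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def audit_credentials(password_creds: list, key_creds: list, now: datetime) -> list:
    """Flag secrets and certificates that are expired, expiring soon, or too long-lived.

    `password_creds` is the list from `az ad app credential list --id <appId>`,
    `key_creds` the list from the same command with `--cert`. Returns one
    (kind, identifier, message) tuple per finding.
    """
    findings = []
    for kind, creds in (("secret", password_creds), ("certificate", key_creds)):
        for cred in creds:
            ident = cred.get("displayName") or cred["keyId"]
            start, end = parse_time(cred["startDateTime"]), parse_time(cred["endDateTime"])
            if end <= now:
                findings.append((kind, ident, "expired, remove it from the registration"))
            elif end - now <= RENEWAL_WINDOW:
                findings.append((kind, ident, f"expires in {(end - now).days} days, rotate now"))
            if kind == "secret" and end - start > MAX_SECRET_LIFETIME:
                findings.append((kind, ident, f"lifetime of {(end - start).days} days exceeds policy"))
    if password_creds and not key_creds:
        # The page recommends certificates (or federated credentials) for production.
        findings.append(("secret", "*", "app relies on secrets only; consider a certificate or federated credential"))
    return findings


# Constructed sample in the shape of `az ad app credential list` output:
# an expired secret, a long-lived one about to expire, and one exactly at the policy limit.
SAMPLE_SECRETS = [
    {"displayName": "ci-old", "keyId": "aaaaaaaa-0000-0000-0000-000000000001",
     "startDateTime": "2023-01-01T00:00:00.000Z", "endDateTime": "2024-01-01T00:00:00.000Z"},
    {"displayName": "ci-current", "keyId": "aaaaaaaa-0000-0000-0000-000000000002",
     "startDateTime": "2024-02-01T00:00:00.000Z", "endDateTime": "2026-02-01T00:00:00.000Z"},
    {"displayName": "batch", "keyId": "aaaaaaaa-0000-0000-0000-000000000003",
     "startDateTime": "2025-12-15T00:00:00.000Z", "endDateTime": "2026-06-13T00:00:00.000Z"},
]
SAMPLE_CERTS = []
SAMPLE_NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for kind, ident, message in audit_credentials(SAMPLE_SECRETS, SAMPLE_CERTS, SAMPLE_NOW):
        print(f"{kind} {ident}: {message}")
```

Feeding it the live lists for every registration in a tenant (`az ad app list --all -o json`, then `credential list` per appId) gives a rotation backlog that can run on a schedule; expired entries are worth removing rather than leaving in place, since they still show up in audits and can be mistaken for valid ones.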
Step 5: Implement OAuth Flow
Integrate the OAuth flow into your application code.
See:
- references/OAUTH-FLOWS.md - OAuth 2.0 flow details
- references/CONSOLE-APP-EXAMPLE.md - Console app implementation
Common Patterns
Pattern 1: First-Time App Registration
Walk user through their first app registration step-by-step.
Required Information:
- Application name
- Application type (web, SPA, mobile, service)
- Redirect URIs (if applicable)
- Required permissions
Script: See references/FIRST-APP-REGISTRATION.md
Pattern 2: Console Application with User Authentication
Create a .NET/Python/Node.js console app that authenticates users.
Required Information:
- Programming language (C#, Python, JavaScript, etc.)
- Authentication library (MSAL recommended)
- Required permissions
Example: See references/CONSOLE-APP-EXAMPLE.md
Pattern 3: Service-to-Service Authentication
Set up daemon/service authentication without user interaction.
Required Information:
- Service/app name
- Target API/resource
- Whether to use secret or certificate
Implementation: Use Client Credentials flow (see references/OAUTH-FLOWS.md#client-credentials-flow)
MCP Tools and CLI
Azure CLI Commands
| Command | Purpose |
|---|---|
| `az ad app create` | Create new app registration |
| `az ad app list` | List app registrations |
| `az ad app show` | Show app details |
| `az ad app permission add` | Add API permission (grant consent separately with `az ad app permission admin-consent` or in the portal) |
| `az ad app credential reset` | Generate new client secret (replaces existing secrets unless `--append` is given) |
| `az ad sp create` | Create service principal |
Complete reference: See references/CLI-COMMANDS.md
Microsoft Authentication Library (MSAL)
MSAL is the recommended library for integrating Microsoft identity platform.
Supported Languages:
- .NET/C# - Microsoft.Identity.Client
- JavaScript/TypeScript - @azure/msal-browser, @azure/msal-node
- Python - msal
Examples: See references/CONSOLE-APP-EXAMPLE.md
Security Best Practices
| Practice | Recommendation |
|---|---|
| Never hardcode secrets | Use environment variables, Azure Key Vault, or managed identity |
| Rotate secrets regularly | Set expiration, automate rotation |
| Use certificates over secrets | More secure for production |
| Least privilege permissions | Request only required API permissions |
| Enable MFA | Require multi-factor authentication for users |
| Use managed identity | For Azure-hosted apps, avoid secrets entirely |
| Validate tokens | Always verify the signature against the tenant's published signing keys, then validate issuer, audience, and expiration |
| Use HTTPS only | All redirect URIs must use HTTPS (except localhost) |
| Monitor sign-ins | Use Entra ID sign-in logs for anomaly detection |
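An added example, not code from the original page or the skill's references, for the "Validate tokens" row above. It decodes a JWT and checks the claims that the signature alone cannot: that the token was issued by the expected tenant (both the v2.0 and the v1.0 issuer formats), is addressed to this application (client id, or the `api://` App ID URI that v1.0 tokens carry), and is inside its validity window with a clock-skew tolerance. Signature verification is deliberately outside this block: before trusting any claim, verify the RS256 signature against the tenant's JWKS at https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys using the `kid` from the header (PyJWT's PyJWKClient or Microsoft.IdentityModel does this). The tenant id, client id, sample claims and placeholder signature are constructed for the example.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> tuple:
    """Split a compact JWS into (header, payload, signature). Decodes only; verifies nothing."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part compact JWS")
    header, payload, signature = parts
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload)), _b64url_decode(signature)


def validate_entra_claims(header: dict, payload: dict, tenant_id: str, client_id: str,
                          now: int = None, skew: int = 300) -> list:
    """Return the reasons to reject the token; an empty list means the claims are acceptable.

    Run this only after the signature has been verified against the tenant's JWKS.
    `skew` is the clock tolerance in seconds.
    """
    now = int(time.time()) if now is None else now
    problems = []
    if header.get("alg") != "RS256":
        problems.append(f"unexpected alg {header.get('alg')!r}; Entra signs with RS256")
    if not header.get("kid"):
        problems.append("missing kid; cannot select the signing key from the tenant's JWKS")
    # v2.0 and v1.0 endpoints use different issuer formats; both embed the tenant id.
    expected_issuers = {
        f"https://login.microsoftonline.com/{tenant_id}/v2.0",
        f"https://sts.windows.net/{tenant_id}/",
    }
    if payload.get("iss") not in expected_issuers:
        problems.append(f"issuer {payload.get('iss')!r} is not the expected tenant")
    if payload.get("tid") != tenant_id:
        problems.append("tid claim does not match the expected tenant")
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    # v2.0 tokens carry the client id; v1.0 tokens carry the App ID URI (api://<client id> by default).
    if not any(a in (client_id, f"api://{client_id}") for a in audiences):
        problems.append(f"audience {aud!r} is not this application")
    exp, nbf = payload.get("exp"), payload.get("nbf")
    if not isinstance(exp, int):
        problems.append("missing exp claim")
    elif now > exp + skew:
        problems.append("token has expired")
    if isinstance(nbf, int) and now + skew < nbf:
        problems.append("token is not yet valid")
    return problems


def check_token(token: str, tenant_id: str, client_id: str, now: int = None) -> list:
    header, payload, _signature = decode_jwt(token)
    return validate_entra_claims(header, payload, tenant_id, client_id, now)


# Constructed sample: realistic v2.0 claims with a placeholder signature, so this token
# would fail the JWKS signature check that must run before the claim checks above.
TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_NOW = 1_900_000_000


def make_sample_token(**overrides) -> str:
    header = {"typ": "JWT", "alg": "RS256", "kid": "sample-key-id"}
    payload = {
        "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
        "aud": CLIENT_ID, "tid": TENANT_ID, "ver": "2.0",
        "iat": SAMPLE_NOW - 60, "nbf": SAMPLE_NOW - 60, "exp": SAMPLE_NOW + 3600,
        "sub": "sample-subject", "scp": "User.Read",
    }
    payload.update(overrides)
    segments = [_b64url_encode(json.dumps(header).encode()), _b64url_encode(json.dumps(payload).encode())]
    return ".".join(segments + [_b64url_encode(b"placeholder-signature")])


if __name__ == "__main__":
    print(check_token(make_sample_token(), TENANT_ID, CLIENT_ID, now=SAMPLE_NOW))
    print(check_token(make_sample_token(aud="some-other-app"), TENANT_ID, CLIENT_ID, now=SAMPLE_NOW))
```

The audience check is the one most often skipped: a token minted for another app in the same tenant has a valid signature and issuer, and only `aud` tells the two apart. For a multi-tenant app, replace the single `tenant_id` with an allow-list of tenant ids and check `tid` against it, since the issuer will vary per tenant.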
References
- OAuth Flows - Detailed OAuth 2.0 flow explanations
- CLI Commands - Azure CLI reference for app registrations
- Console App Example - Complete working examples
- First App Registration - Step-by-step guide for beginners
- API Permissions - Understanding and configuring permissions
- Troubleshooting - Common issues and solutions