目前是否可以在我的Azure AD租户中创建应用程序,并允许客户授予其更改其资源组的权限。
我基本上想要创建一个Web应用程序,允许任何azure资源所有者允许我的应用程序向他们选择的资源组添加内容。
我无法弄清楚客户是否需要具备全局管理员角色?
是否有可能创建一个允许客户登录我的webapp的流程,并为此选择的资源组授予权限,而无需他作为全局管理员。
是否有可能在azure门户中选择他的资源组添加允许我的azure广告应用程序访问他的资源组,或者客户需要什么才能实现这一点?
Is it possible currently to make an application in my Azure AD tenant and allow customers to give it permission to alter their resource groups.
I basically want to create an web application that allows any azure resource owner to allow my application to add something to a resource group of their choosing.
I cant figure out if its required for the customer to have the global administrator role for this to work?
Is it possible to make a flow that lets the customer sign in to my webapp, and give permission for a resource group of this choose, without him being the global administrator.
Is it possible for something in the azure portal to select his resource group add allow my azure ad application to get access to his resource group, or what is needed from the customer for this to be possible?
最满意答案
第三方应用程序可以通过两种方式访问用户的订阅:
委托权限(用户模仿) :Azure门户就是一个很好的例子。 基本上在这种情况下,用户通过对Azure AD进行身份验证来登录您的应用程序,然后您的应用程序代表登录用户进行ARM API调用。 如果用户有权执行某些操作,则您的应用程序将执行此操作,否则您的用户将收到错误。 应用程序权限 :这基本上更适用于在用户未登录时在后台运行的东西。本质上,这就是Service Principal的概念所在。在这种情况下,具有管理权限的人授予您的应用程序某些权限,然后是应用程序将能够执行允许的操作。 用户无需出现在此方案中。现在回答你的问题:
我基本上想要创建一个Web应用程序,允许任何azure资源所有者允许我的应用程序向他们选择的资源组添加内容。
我无法弄清楚客户是否需要具备全局管理员角色?
是的,您可以创建这样的Web应用程序,并且客户无需成为使用此类应用程序的全局管理员。 实际上,这就是我们在Cloud Portam中提供Azure订阅管理的方式。 Azure门户以相同的方式工作。 登录Azure Portal时,您只能执行您有权访问的内容。 要查看此操作,只需使用处于Reader角色的用户登录Azure Portal并尝试创建一些资源。
是否有可能创建一个允许客户登录我的webapp的流程,并为此选择的资源组授予权限,而无需他作为全局管理员。
是的,完全有可能从Azure的角度来看,许可是在订阅级别,而不是在资源组级别。 再次,因为您将冒充用户,用户无需授予您访问某些资源的明确许可。 Azure RBAC将为您解决此问题。
是否有可能在azure门户中选择他的资源组添加允许我的azure广告应用程序访问他的资源组,或者客户需要什么才能实现这一点?
是的,有可能这样做。 但是,在这种情况下,授予应用程序权限的用户应该具有允许她/他执行此操作的角色。 他们应该拥有Microsoft.Authorization资源提供者的写权限。 但请记住,一旦您的应用程序(也称为Service Principal )被授予访问用户订阅中的资源的权限,则无需用户登录。 您通常希望将此方法用于后台进程类型的应用程序。
There are two ways by which a 3rd party application can access a user's subscription:
Delegated Permission (User Impersonation): Azure Portal is a good example of that. Basically in this scenario, a user logs in into your application by authenticating herself/himself against their Azure AD and then your application makes ARM API calls on behalf of the logged in user. If the user has permission to do something, your application will do that otherwise your user will get an error. Application Permission: This is basically more for running things in the background when the user is not logged in. Essentially this is where the concept of Service Principal comes in. In this scenario, someone with administrative privileges grant certain permissions to your application and then your application will be able to do things it is permitted to do. The user need not be present in this scenario.Now coming to your questions:
I basically want to create an web application that allows any azure resource owner to allow my application to add something to a resource group of their choosing.
I cant figure out if its required for the customer to have the global administrator role for this to work?
Yes, it is possible for your to create such a web application and the customer need not be a global administrator to use such an application. In fact, this is how we're providing Azure Subscription management in Cloud Portam. Azure Portal works the same way. When you login into Azure Portal, you only do things you have permissions to. To see this in action, just login into Azure Portal using a user who is in Reader role and try to create some resources.
Is it possible to make a flow that lets the customer sign in to my webapp, and give permission for a resource group of this choose, without him being the global administrator.
Yes, it is entirely possible however the permission from Azure's perspective will be at Subscription level and not at a resource group level. Again since you would be impersonating the user, the user need not give you explicit permission to access certain resources. Azure RBAC will take care of this for you.
Is it possible for something in the azure portal to select his resource group add allow my azure ad application to get access to his resource group, or what is needed from the customer for this to be possible?
Yes, it is possible to do so. However in this case, the user who's granting the permission to your application should be in a role that allows her/him to perform this operation. They should have write permission on Microsoft.Authorization resource provider. However please do keep in mind that once your application (also known as Service Principal) is granted access to a resource in your user's subscription, there's no need for a user to login. You typically would want to use this approach for background process kind of applications.
更多推荐
发布评论