带有多租户Azure Active Directory的ADAL.js

本文介绍了带有多租户Azure Active Directory的ADAL.js的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

使用ADAL.js提供的示例代码如下：

The sample code provided for using ADAL.js looks something like this:

window.config = { instance: 'login.microsoftonline/', tenant: '[Enter your tenant here, e.g. contoso.onmicrosoft]', clientId: '[Enter your client_id here, e.g. g075edef-0efa-453b-997b-de1337c29185]', postLogoutRedirectUri: window.location.origin, cacheLocation: 'localStorage', localhost. }; var authContext = new AuthenticationContext(config);

这很好，但是我试图允许多租户应用程序的访问-来自组织只有在其帐户管理员授予该应用程序访问权限的情况下才能登录。

This works fine, but I'm trying to allow access for a multi-tenant application - users from an organisation should only be able to sign in if the application has been granted access by their account administrator.

我已经实现了第一部分-允许管理员用户启用- 根据此示例。

I've implemented the first part - allowing admin users to enable - as per this example.

因此，此时我的应用程序已列在第三方的Active Directory中。

So at this point my application is listed in the third party's Active Directory.

我我不确定租户的正确设置。我尝试使用公共，但随后显示一个对话框，询问单个用户是否要授予对应用程序的访问权限，这不是我要查找的内容。

I'm not sure what the correct settings should be for the tenant. I tried using 'common', but then it shows a dialog asking an individual user if they would like to grant access to the application, which is not what I'm looking for.

如果我要制作一个简单的MVC应用程序，则继续上面的示例，在服务器上使用app.UseOpenIdConnectAuthentication。但是我的应用程序是带有Web Api后端的SPA，并且我无法找到这种情况下的多租户示例。

If I was making a straight MVC app, I'd continue on with the example above, using app.UseOpenIdConnectAuthentication on the server. But my app is a SPA, with Web Api backend, and I haven't been able to find a multi-tenant example for this scenario.

推荐答案

配置应用程序以与任何租户进行身份验证的正确方法（这是您在方案中想要的）是使用common。 每个用户的同意是预配置注意事项。如果您希望管理员代表整个组织同意该应用程序，则可以通过触发身份验证请求并向其附加 prompt = admin_consent 来实施管理员同意流程。假设管理员响应该请求执行身份验证流程，则Azure AD将向管理员提供代表组织中每个人同意应用程序的机会。

The correct way of configuring your app for authenticating with any tenant, which is what you want in your scenario, is to use common. The per-user consent is a provisioning consideration. If you want an administrator to consent for the app on behalf of the entire organization, you can implement the admin consent flow by triggering an authentication request and appending prompt=admin_consent to it. Provided that an administrator performs an authentication flow in response to that request, Azure AD will offer to the admin the chance to consent for the app on behalf of everybody in the organization.