
To register Azure AD, you need to sign up for a free Azure account. This will give you access to Azure AD, which is a cloud-based identity and access management system.
Azure AD is a free service that comes with an Azure account, so you don't need to pay extra to get started. You can sign up for an Azure account in just a few minutes.
Once you have an Azure account, you can create an Azure AD tenant, which is a single instance of Azure AD that contains all your users, groups, and applications. This is the foundation for your Azure AD configuration.
To create an Azure AD tenant, you'll need to provide some basic information, such as your name and email address.
For more insights, see: Azure Ad Unlock Account
先决条件
To register for Azure AD, you'll need a few things set up first. You'll need a Microsoft Entra ID tenant, so if you don't have one, you can create a free Azure account to get started.
To access Azure AD, you'll need an account with at least the Cloud Application Administrator role.
Here's a quick rundown of the requirements:
- Microsoft Entra ID tenant
- Account with Cloud Application Administrator role
应用程序
When registering an application in Azure AD, you'll need to specify who can use it. You can choose from four account types: only accounts in your organization's directory, any organization directory accounts, any organization directory accounts and Microsoft personal accounts, or only Microsoft personal accounts.
The account type you choose will determine whether your application is a single-tenant or multi-tenant application. If you choose to allow only accounts in your organization's directory, your application will be a single-tenant application, also known as a business line (LOB) application. If you choose to allow any organization directory accounts or Microsoft personal accounts, your application will be a multi-tenant application.
Here are the account types and their corresponding application types:
Verify Publisher Domain
If you're publishing a new application, you'll need to verify your publisher domain. This is a requirement that started in November 2020.
To do this, you'll need to use the Microsoft Partner Network (MPN) to verify your company's identity. This process will check your company's and main contact's information.
You'll need to complete the publisher verification process using one of the following options:
Register IdentityExperienceFramework Application
To register an IdentityExperienceFramework application, you need to choose the correct account type. For this type of application, select "仅此组织目录中的帐户" (Only accounts in this organization directory) as the supported account type.
The application name should be ProxyIdentityExperienceFramework. You'll also need to specify the redirect URI, which should be myapp://auth for a public client/native (mobile and desktop) application.
You'll need to grant the administrator permission to allow the openid and office_access permissions. Once you've registered the application, you'll need to specify that it should be treated as a public client. To do this, enable the "允许公共客户端流" (Allow public client flows) setting in the advanced settings.
Here's a summary of the steps to register an IdentityExperienceFramework application:
配置
To configure Azure AD, you'll need to log in to Rancher and navigate to the user authentication settings.
In Rancher UI, you'll need to input your AD instance information. This involves clicking on ☰ > 用户 & 认证, then selecting 认证 and finally AzureAD.
You'll need to fill out a form with the information you copied from Azure, including the Directory ID, Application ID, Key Value, and the endpoint https://login.microsoftonline.com/.
For custom endpoints, you'll need to map your custom configuration values to Rancher fields, including the Graph endpoint, Token endpoint, and Auth endpoint.
It's essential to note that when inputting the Graph endpoint, you should remove the Tenant ID from the URL.
Once you've completed the form, click Enable to configure Azure AD authentication.
Here's a summary of the fields you'll need to map for standard or China endpoints:
添加 Microsoft Entra
Adding Microsoft Entra to Azure AD involves several steps. You can add Microsoft Entra to your user flow by going to Azure AD B2C, selecting "User flows", and clicking on the user flow where you want to add Microsoft Entra.
To make Microsoft Entra available for users, go to the user flow settings, select "Identity providers", and choose "Custom identity providers." From there, select "Contoso Microsoft Entra ID" and save your changes.
Explore further: Get Azure Ad User
You can test your policy by running the user flow and selecting the Web app you previously registered. The "Reply URL" should be populated.
To use Microsoft Entra for login, you need to define Microsoft Entra ID as a claims provider in Azure AD B2C. This involves adding Microsoft Entra ID to the ClaimsProvider element in the policy's extension file.
Microsoft Entra ID can be defined as a claims provider by adding it to the ClaimsProvider element in the policy's extension file. This allows Azure AD B2C to communicate with Microsoft Entra using a specific endpoint that provides a set of claims used to verify a user's authentication status.
Here are the steps to add Microsoft Entra to your user flow in detail:
- Go to Azure AD B2C and select "User flows."
- Click on the user flow where you want to add Microsoft Entra.
- Select "Identity providers" in the settings.
- Choose "Custom identity providers" and select "Contoso Microsoft Entra ID."
- Save your changes.
- Run the user flow and select the Web app you previously registered.
- Verify that the "Reply URL" is populated.
后续步骤
Now that you've registered your Azure AD, it's time to explore the next steps.
To start using the new application registration experience, you'll need to understand how to register a web application.
Check this out: Azure Ad Application
To register a web API, you'll need to follow a similar process to registering a web application, but with some additional considerations.
There are several types of applications you can register, including web applications, web APIs, native client applications, and Microsoft Graph applications.
If you're planning to manage Azure AD B2C resources, you'll need to register a Microsoft Graph application.
If you're using Azure AD B2C as a SAML service provider, you'll need to understand the specific requirements for this setup.
Here are the different types of applications you can register:
新功能
统一的应用列表让你可以在一个地方看到所有使用 Azure AD B2C 和 Microsoft Entra ID 进行身份验证的应用程序。
组合的应用注册可以帮助你快速注册应用,无论该应用是面向客户的还是用于访问 Microsoft Graph 的应用。
终结点窗格有助于快速识别方案的相关终结点,包括 OpenID connect 配置、SAML 元数据、Microsoft Graph API 和 OAuth 2.0 用户流终结点。
API 权限和公开 API 提供更广泛的范围、权限和同意管理,你现在还可以向应用分配 MS Graph 权限。
注册的所有者和清单现可用于使用 Azure AD B2C 进行身份验证的应用,你可以为注册添加所有者,并使用清单编辑器直接编辑应用程序属性。
For your interest: Azure Active Directory Graph Api
用户设置
After you've registered Azure AD, you can set up your user settings to suit your needs.
You can add a profile picture to your Azure AD account, which will be displayed on the Azure portal. This is optional, but it can help you recognize yourself in the portal.
To add a profile picture, go to the Azure portal and click on your username in the top right corner, then select "Profile" from the dropdown menu.
Broaden your view: Azure Active Directory Management Portal
新的支持的账户类型

In the new experience, you can choose from three supported account types: only accounts in the organization directory, any accounts in the organization directory (any Microsoft Entra directory - multi-tenant), or any accounts in the identity provider or organization directory (used for user flow authentication).
To understand the differences between these account types, select the "Help me choose" option in the create experience.
The old experience always creates an application that's client-facing, and the account type is set to "any identity provider or organization directory account (used for user flow authentication)".
You need this option to run Azure AD B2C user flow for authentication, which requires registering the application to use user flow.
Here are the three supported account types:
- Only accounts in the organization directory
- Any accounts in the organization directory (any Microsoft Entra directory - multi-tenant)
- Any accounts in the identity provider or organization directory (used for user flow authentication)
New User Settings
To set up new user settings, you need to configure Azure AD external authentication in both Azure and Rancher.
If you're hosting an Active Directory instance in Azure, you can allow your users to log in with their AD account by setting up Azure AD external authentication in Rancher.
You'll need to manually input Graph, Token, and Auth Endpoints in both Azure and Rancher for this to work.
This process can be a bit tedious, but it's a crucial step in getting your users set up with the right permissions.
创建客户端密文
To create a client secret in Azure, you'll need to follow these steps. First, open the App registrations service using the search function, then find and open the Rancher item you created earlier.
You'll need to click on Certificates & secrets in the navigation pane, and then click on New client secret. Give the secret a description, like "Rancher", and choose an expiration time from the dropdown menu.
Note that the shorter the expiration time, the safer your secret will be, but you'll need to create new secrets more frequently. If you don't, users won't be able to log in to Rancher if the secret expires.
Here are the steps to create a client secret in more detail:
- Click on New client secret.
- Input Description (e.g. Rancher).
- From Expires, select a duration.
- Click on Add (no value needed, it will be auto-filled after saving).
Keep this window open for now, as you'll need to copy the secret value later. Since you won't be able to access it again in the Azure UI, it's essential to keep it visible during the rest of the setup process.
Rancher 配置
To configure Rancher for Azure AD authentication, you need to follow these steps. First, open two browser tabs: one for Rancher and another for the Azure portal. This will allow you to copy and paste configuration values from the portal into Rancher.
To begin, log in to Microsoft Azure as a management user. You'll need administrative access for the subsequent configuration steps. Next, use the search function to open the App registrations service.
You'll need to create a new registration, which involves filling out a form. Don't worry, this process can take up to five minutes to complete, so be patient if you encounter any issues with authentication afterwards.
To find the necessary endpoints, click on Endpoints within the App registrations service. You'll need to note the following values:
These endpoints will be your Rancher endpoint values, so be sure to use the v1 version.
Featured Images: pexels.com


