且构网


What exactly is the difference between native applications and web applications in Azure Active Directory?

Updated: 2023-11-24 17:53:22


Native applications are public clients in OAuth2 parlance. Those apps are meant to run on a device and aren't trusted to maintain a secret - hence, their entry in the directory does not have the corresponding property. Without a secret, there is no way to assert the identity of the app - hence such apps cannot gain app-level permissions and the portal UX reflects that. Conversely, web apps are, again in OAuth2 parlance, confidential clients. They can get delegated tokens for their users, but they can also use client credentials to get tokens as themselves. Native apps can obtain tokens for the user via the OAuth2 authorization grant. You can find a complete overview of all supported topologies at https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios/. Each scenario description points to more implementation-oriented guidance.
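The public-versus-confidential distinction in the answer above, shown as a small model of a token endpoint. This is an added example, not code from the answer or from Azure AD: the client registrations, the in-memory authorization-code store and the decision function are constructed here for illustration, and the endpoint URL is the real Azure AD v2.0 token endpoint format with the tenant left as a placeholder. It shows why a native app's request never carries `client_secret`, why the same app is refused an app-only token under `client_credentials`, and how a public client instead proves possession of its authorization code with PKCE (RFC 7636, which the answer does not mention but which is the standard way public clients bind the code to themselves).

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlencode
import base64
import hashlib
import secrets

# Azure AD v2.0 token endpoint; {tenant} is a placeholder the caller fills in.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


@dataclass
class ClientRegistration:
    """Constructed stand-in for an app's entry in the directory."""
    client_id: str
    is_public: bool                       # native app -> True, web app -> False
    client_secret: Optional[str] = None   # only a confidential client has this property
    app_permissions: Set[str] = field(default_factory=set)


def s256(verifier: str) -> str:
    """S256 transform of a PKCE code_verifier (base64url, no padding)."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def pkce_pair() -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for a public client to use."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    return verifier, s256(verifier)


# Constructed store of codes handed out at /authorize, keyed to the code_challenge
# the client sent; the token endpoint later checks the verifier against it.
ISSUED_CODES: Dict[str, str] = {}


def issue_authorization_code(code_challenge: str) -> str:
    code = secrets.token_urlsafe(16)
    ISSUED_CODES[code] = code_challenge
    return code


def build_token_request(reg: ClientRegistration, grant_type: str,
                        tenant: str = "common", **params) -> Tuple[str, str]:
    """Build the token request a client of this type sends. A public client never
    includes client_secret, because it has none to include."""
    body = {"client_id": reg.client_id, "grant_type": grant_type, **params}
    if not reg.is_public and reg.client_secret is not None:
        body["client_secret"] = reg.client_secret
    return TOKEN_ENDPOINT.format(tenant=tenant), urlencode(body)


def token_endpoint_decision(reg: ClientRegistration, body: Dict[str, str]) -> Tuple[bool, str]:
    """Toy authorization-server policy: (issued?, reason)."""
    grant = body.get("grant_type")
    if grant == "client_credentials":
        # App-only tokens require the app to assert its own identity with a secret.
        if reg.is_public or reg.client_secret is None:
            return False, "public client has no secret, so it cannot obtain an app-only token"
        if not secrets.compare_digest(body.get("client_secret", ""), reg.client_secret):
            return False, "invalid_client"
        roles = ",".join(sorted(reg.app_permissions))
        return True, "app-only token carrying roles: " + roles
    if grant == "authorization_code":
        challenge = ISSUED_CODES.pop(body.get("code", ""), None)
        if challenge is None:
            return False, "invalid_grant"
        if reg.is_public:
            # No secret to check: the client proves it started the flow via PKCE.
            if not secrets.compare_digest(s256(body.get("code_verifier", "")), challenge):
                return False, "public client must prove possession of the code via PKCE"
        elif not secrets.compare_digest(body.get("client_secret", ""), reg.client_secret or ""):
            return False, "invalid_client"
        return True, "delegated token issued on behalf of the signed-in user"
    return False, "unsupported_grant_type"


if __name__ == "__main__":
    native = ClientRegistration("native-client-id", is_public=True)
    web = ClientRegistration("web-client-id", is_public=False,
                             client_secret="constructed-secret",
                             app_permissions={"User.Read.All"})
    print(token_endpoint_decision(native, {"grant_type": "client_credentials"}))
    print(token_endpoint_decision(web, {"grant_type": "client_credentials",
                                        "client_secret": "constructed-secret"}))
    verifier, challenge = pkce_pair()
    code = issue_authorization_code(challenge)
    print(token_endpoint_decision(native, {"grant_type": "authorization_code",
                                           "code": code, "code_verifier": verifier}))
```

The decision function mirrors what the portal UX reflects: application permissions are only meaningful for a registration that can authenticate as itself, so the public client's only path to a token is the delegated one, bound to the user who signed in.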