Manage app and resource access using Azure Active Directory groups

Azure Active Directory (Azure AD) helps you manage your cloud-based apps, on-premises apps, and your resources using your organization's groups. Your resources can be part of the directory, such as permissions to manage objects through roles in the directory, or external to the directory, such as Software as a Service (SaaS) apps, Azure services, SharePoint sites, and on-premises resources.

Note

To use Azure Active Directory, you need an Azure account. If you don't have an account, you can sign up for an Azure account.

How does access management in Azure AD work?

Azure AD helps you give access to your organization's resources by providing access rights to a single user or to an entire Azure AD group. Using groups lets the resource owner (or Azure AD directory owner) assign a set of access permissions to all the members of the group, instead of having to provide the rights one by one. The resource or directory owner can also give management rights for the member list to someone else, such as a department manager or a Helpdesk administrator, letting that person add and remove members as needed. For more information about how to manage group owners, see Manage group owners.

Diagram: access management in Azure Active Directory

Ways to assign access rights

There are four ways to assign resource access rights to your users:

  • Direct assignment. The resource owner directly assigns the user to the resource.

  • Group assignment. The resource owner assigns an Azure AD group to the resource, which automatically gives all of the group members access to the resource. Group membership is managed by both the group owner and the resource owner, letting either owner add or remove members from the group. For more information about adding or removing group membership, see How to: Add or remove a group from another group using the Azure Active Directory portal.

  • External authority assignment. Access comes from an external source, such as an on-premises directory. In this situation, the resource owner assigns a group to provide access to the resource, and the external source then manages the group members.

    Diagram: overview of access management
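As an added example (not part of the original article), the following Microsoft Graph PowerShell script performs the direct assignment and the group assignment described above for one enterprise app's default app role, then lists the resulting assignments so the two kinds of grant can be reviewed together. The app, group and user names are constructed placeholders.

```powershell
# Added example (not from the original article): direct vs. group assignment
# of an enterprise app's default app role, followed by a review of who holds
# access. The app name, group name and UPN are constructed placeholders.
# Requires the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All','Application.Read.All','Group.Read.All','User.Read.All'

$appName   = 'Contoso Payroll'          # placeholder enterprise application
$groupName = 'Payroll Team'             # placeholder security group
$userUpn   = 'alice@contoso.example'    # placeholder user

$sp    = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
$user  = Get-MgUser -UserId $userUpn

# Apps that define no custom app roles expose a single default role with the all-zero id.
$defaultRoleId = '00000000-0000-0000-0000-000000000000'

# Direct assignment: the resource owner grants one user access to the app.
New-MgUserAppRoleAssignment -UserId $user.Id -PrincipalId $user.Id `
    -ResourceId $sp.Id -AppRoleId $defaultRoleId

# Group assignment: every current and future member of the group gets access,
# so whoever manages the group's membership also controls access to the app.
New-MgGroupAppRoleAssignment -GroupId $group.Id -PrincipalId $group.Id `
    -ResourceId $sp.Id -AppRoleId $defaultRoleId

# Review: list every principal (user, group or service principal) assigned to
# the app so direct grants and group grants can be audited side by side.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Select-Object PrincipalDisplayName, PrincipalType, AppRoleId |
    Format-Table -AutoSize
```

Because the group assignment is inherited by anyone later added to the group, the review step is where a resource owner confirms that group ownership has not widened access beyond what was intended.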

Next steps

Now that you have a bit of an introduction to access management using groups, you can start to manage your resources and apps.

[Sync an on-premises group to Azure using Azure AD Connect](../hybrid/whatis-hybrid-identity.md)