Manage app and resource access using Azure Active Directory groups

Azure Active Directory (Azure AD) lets you use groups to manage access to your cloud-based apps, on-premises apps, and your resources. Your resources can be part of the Azure AD organization, such as permissions to manage objects through roles in Azure AD, or external to the organization, such as Azure services, SharePoint sites, and on-premises resources.

Note

In the Azure portal, you can see some groups whose membership and group details you can't manage in the portal:

  • Groups synced from on-premises Active Directory can be managed only in on-premises Active Directory.
  • Other group types, such as distribution lists and mail-enabled security groups, are managed only in the Exchange admin center or the Microsoft 365 admin center. You must sign in to the Exchange admin center or the Microsoft 365 admin center to manage these groups.

How access management in Azure AD works

Azure AD helps you give access to your organization's resources by providing access rights to a single user or to an entire Azure AD group. Using groups lets the resource owner (or Azure AD directory owner) assign a set of access permissions to all the members of the group, instead of having to provide the rights one-by-one. The resource or directory owner can also give management rights for the member list to someone else, such as a department manager or a Helpdesk administrator, letting that person add and remove members as needed. For more information about how to manage group owners, see Manage group owners.

[Diagram: Azure Active Directory access management]

Ways to assign access rights

There are four ways to assign resource access rights to your users:

  • Direct assignment. The resource owner directly assigns the user to the resource.

  • Group assignment. The resource owner assigns an Azure AD group to the resource, which automatically gives all of the group members access to the resource. Group membership is managed by both the group owner and the resource owner, letting either owner add or remove members from the group. For more information about adding or removing group members, see How to: Add or remove a group from another group using the Azure Active Directory portal.

  • Rule-based assignment. The resource owner creates a group and uses a rule to define which users are assigned to a specific resource. The rule is based on attributes that are assigned to individual users. The resource owner manages the rule, determining which attributes and values are required to allow access to the resource.

  • External authority assignment. Access comes from an external source, such as an on-premises directory. In this situation, the resource owner assigns a group to provide access to the resource, and the external source manages the group members.

    [Diagram: access management overview]
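The rule-based assignment described above, as an added example that is not part of the original page: a rule-based (dynamic) security group whose members are derived from a user attribute, followed by a review of every rule-based group in the tenant so that an overly broad rule is easy to spot. It assumes the Microsoft Graph PowerShell SDK and a signed-in account permitted to manage groups; the group name, the department value and the rule itself are constructed for illustration.

```powershell
# Added example, not from the original page. Assumes the Microsoft.Graph module is installed
# and the signed-in account may create and read groups. All names and values are constructed.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Rule-based assignment: the resource owner owns the rule, and membership is computed from
# user attributes instead of being granted one-by-one. Rule syntax is Azure AD dynamic
# membership syntax; the attribute/value pair below is a constructed example.
$rule = '(user.department -eq "Finance") -and (user.accountEnabled -eq true)'

$group = New-MgGroup -DisplayName "app-finance-readers" `
    -MailNickname "app-finance-readers" `
    -MailEnabled:$false `
    -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

"Created group $($group.Id) with rule: $($group.MembershipRule)"

# Review step: list every rule-based group with its rule and processing state. Because the
# resource is granted to the whole group, a rule that matches too many users grants access
# too widely; reviewing rules is how the resource owner checks the assignment scope.
Get-MgGroup -All -Filter "groupTypes/any(c:c eq 'DynamicMembership')" `
    -Property Id,DisplayName,MembershipRule,MembershipRuleProcessingState |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState |
    Format-Table -AutoSize

# Membership evaluation runs asynchronously; once processed, list who the rule resolved to.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties.userPrincipalName }
```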

Next steps

Now that you have an introduction to access management using groups, you can start managing your resources and apps.