Assign administrator and non-administrator roles to users with Azure Active Directory

In Azure Active Directory (Azure AD), if one of your users needs permission to manage Azure AD resources, you must assign them to a role that provides the permissions they need. For info on which roles manage Azure resources and which roles manage Azure AD resources, see Classic subscription administrator roles, Azure roles, and Azure AD roles.

For more information about the available Azure AD roles, see Assigning administrator roles in Azure Active Directory. To add users, see Add new users to Azure Active Directory.

Assign roles

A common way to assign Azure AD roles to a user is on the Assigned roles page for a user. You can also configure the user eligibility to be elevated just-in-time into a role using Privileged Identity Management (PIM). For more information about how to use PIM, see Privileged Identity Management.

Note

If you have an Azure AD Premium P2 license plan and already use PIM, all role management tasks are performed in the Privileged Identity Management experience. This feature is currently limited to assigning only one role at a time. You can't currently select multiple roles and assign them to a user all at once.

[Image: Azure AD roles managed in PIM for users who already use PIM and have a Premium P2 license]

Assign a role to a user

  1. Go to the Azure portal and sign in using a Global administrator account for the directory.

  2. Search for and select Azure Active Directory.

    [Image: Search for Azure Active Directory in the Azure portal]

  3. Select Users.

  4. Search for and select the user getting the role assignment. For example, Alain Charon.

    [Image: All users page - select the user]

  5. On the Alain Charon - Profile page, select Assigned roles.

    The Alain Charon - Administrative roles page appears.

  6. Select Add assignments, select the role to assign to Alain (for example, Application administrator), and then choose Select.

    [Image: Assigned roles page - showing the selected role]

    The Application administrator role is assigned to Alain Charon and it appears on the Alain Charon - Administrative roles page.

Remove a role assignment

If you need to remove the role assignment from a user, you can also do that from the Alain Charon - Administrative roles page.

To remove a role assignment from a user

  1. Select Azure Active Directory, select Users, and then search for and select the user getting the role assignment removed. For example, Alain Charon.

  2. Select Assigned roles, select Application administrator, and then select Remove assignment.

    [Image: Assigned roles page, showing the selected role and the remove option]

    The Application administrator role is removed from Alain Charon and it no longer appears on the Alain Charon - Administrative roles page.
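The assign and remove procedures above can also be expressed as Microsoft Graph role-assignment requests, which makes it possible to compare the directory's current assignments against an approved list before anything is changed. The following is an added example, not part of the original article or Microsoft's code; the user object IDs, the assignment ID and the sample listing are constructed, and the Application Administrator template ID should be confirmed in your own tenant.

```python
# Added example: plans Graph requests offline; it sends nothing to a tenant.
GRAPH = "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments"

# Built-in template ID of Application Administrator; confirm it in your tenant.
APP_ADMIN = "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"
ALAIN = "11111111-1111-1111-1111-111111111111"  # constructed user object ID
OTHER = "22222222-2222-2222-2222-222222222222"  # constructed user object ID

# Constructed sample shaped like the response to GET .../roleAssignments.
CURRENT = {"value": [
    {"id": "assign-001", "principalId": OTHER, "roleDefinitionId": APP_ADMIN,
     "directoryScopeId": "/"},
]}


def assign_request(principal_id, role_id, scope="/"):
    """POST that creates one assignment: one principal, one role, one scope."""
    return {"method": "POST", "url": GRAPH, "body": {
        "@odata.type": "#microsoft.graph.unifiedRoleAssignment",
        "principalId": principal_id,
        "roleDefinitionId": role_id,
        "directoryScopeId": scope,
    }}


def remove_request(assignment_id):
    """DELETE addresses the assignment by its own ID, not by user or role."""
    return {"method": "DELETE", "url": f"{GRAPH}/{assignment_id}"}


def plan(current, desired):
    """Diff directory-wide assignments against the approved (user, role) set.

    Returns the requests needed to reach `desired`. Assignments that are not
    approved appear as DELETEs, so drift is visible before anything is sent.
    """
    held = {(a["principalId"], a["roleDefinitionId"]): a["id"]
            for a in current["value"] if a["directoryScopeId"] == "/"}
    adds = [assign_request(p, r) for (p, r) in sorted(desired - set(held))]
    removes = [remove_request(held[k]) for k in sorted(set(held) - desired)]
    return adds + removes


if __name__ == "__main__":
    for req in plan(CURRENT, {(ALAIN, APP_ADMIN)}):
        print(req["method"], req["url"], req.get("body", ""))
```

Reviewing the planned DELETE entries is a quick way to spot administrator assignments that nobody approved.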

Next steps

Other user management tasks you can check out are available in Azure Active Directory user management documentation.