What are the default user permissions in Azure Active Directory?

In Azure Active Directory (Azure AD), all users are granted a set of default permissions. A user's access consists of the type of user, their role assignments, and their ownership of individual objects. This article describes those default permissions and compares the member and guest user defaults. The default user permissions can be changed only in the user settings in Azure AD.

Member and guest users

The set of default permissions a user receives depends on whether the user is a native member of the tenant (member user) or is brought over from another directory as a B2B collaboration guest (guest user). See What is Azure AD B2B collaboration? for more information about adding guest users.

  • Member users can register applications, manage their own profile photo and mobile phone number, change their own password, and invite B2B guests. In addition, they can read all directory information (with a few exceptions).
  • Guest users have restricted directory permissions. They can manage their own profile, change their own password, and retrieve some information about other users, groups, and apps, but they cannot read all directory information. For example, guest users cannot enumerate the list of all users, groups, and other directory objects. Guests can be added to administrator roles, which grant them the full read and write permissions contained in the role. Guests can also invite other guests.

Compare member and guest default permissions

For each area, the lists below give the member user permissions, the default guest user permissions, and the restricted guest user permissions (Preview).

Users and contacts
  Member user permissions:
    • Enumerate the list of all users and contacts
    • Read all public properties of users and contacts
    • Invite guests
    • Change own password
    • Manage own mobile phone number
    • Manage own photo
    • Invalidate own refresh tokens
  Default guest user permissions:
    • Read own properties
    • Read the display name, email, sign-in name, photo, user principal name, and user type properties of other users and contacts
    • Change own password
    • Search for another user by Display Name, User Principal Name, or ObjectId (if allowed)
    • Read manager and direct report information of other users
  Restricted guest user permissions (Preview):
    • Read own properties
    • Change own password

Groups
  Member user permissions:
    • Create security groups
    • Create Microsoft 365 groups
    • Enumerate the list of all groups
    • Read all properties of groups
    • Read non-hidden group memberships
    • Read hidden Microsoft 365 group memberships for joined groups
    • Manage properties, ownership, and membership of groups the user owns
    • Add guests to owned groups
    • Manage dynamic membership settings
    • Delete owned groups
    • Restore owned Microsoft 365 groups
  Default guest user permissions:
    • Read properties of non-hidden groups, including membership and ownership (even non-joined groups)
    • Read hidden Microsoft 365 group memberships for joined groups
    • Search for groups by Display Name or ObjectId (if allowed)
  Restricted guest user permissions (Preview):
    • Read the object ID of joined groups
    • Read membership and ownership of joined groups in some Microsoft 365 apps (if allowed)

Applications
  Member user permissions:
    • Register (create) new applications
    • Enumerate the list of all applications
    • Read properties of registered and enterprise applications
    • Manage application properties, assignments, and credentials for owned applications
    • Create or delete application passwords for the user
    • Delete owned applications
    • Restore owned applications
  Default guest user permissions:
    • Read properties of registered and enterprise applications
  Restricted guest user permissions (Preview):
    • Read properties of registered and enterprise applications

Devices
  Member user permissions:
    • Enumerate the list of all devices
    • Read all properties of devices
    • Manage all properties of owned devices
  Default guest user permissions: No permissions
  Restricted guest user permissions (Preview): No permissions

Directory
  Member user permissions:
    • Read all company information
    • Read all domains
    • Read all partner contracts
  Default guest user permissions:
    • Read the company display name
    • Read all domains
  Restricted guest user permissions (Preview):
    • Read the company display name
    • Read all domains

Roles and Scopes
  Member user permissions:
    • Read all administrative roles and memberships
    • Read all properties and membership of administrative units
  Default guest user permissions: No permissions
  Restricted guest user permissions (Preview): No permissions

Subscriptions
  Member user permissions:
    • Read all subscriptions
    • Enable Service Plan Member
  Default guest user permissions: No permissions
  Restricted guest user permissions (Preview): No permissions

Policies
  Member user permissions:
    • Read all properties of policies
    • Manage all properties of owned policies
  Default guest user permissions: No permissions
  Restricted guest user permissions (Preview): No permissions

Restrict member users' default permissions

Default permissions for member users can be restricted in the following ways (each permission setting is followed by its explanation):

Users can register application
  Setting this option to No prevents users from creating application registrations. The ability can then be granted back to specific individuals by adding them to the Application Developer role.

Allow users to connect work or school account with LinkedIn
  Setting this option to No prevents users from connecting their work or school account with their LinkedIn account.

Ability to create security groups
  Setting this option to No prevents users from creating security groups. Global administrators and User administrators can still create security groups. See Azure Active Directory cmdlets for configuring group settings to learn how.

Ability to create Microsoft 365 groups
  Setting this option to No prevents users from creating Microsoft 365 groups. Setting this option to Some allows a selected set of users to create Microsoft 365 groups. Global administrators and User administrators will still be able to create Microsoft 365 groups. See Azure Active Directory cmdlets for configuring group settings to learn how.

Restrict access to Azure AD administration portal
  Setting this option to No lets non-administrators use the Azure AD administration portal to read and manage Azure AD resources. Setting it to Yes restricts all non-administrators from accessing any Azure AD data in the administration portal.
  Note: this setting does not restrict access to Azure AD data using PowerShell or other clients such as Visual Studio. When set to Yes, to grant a specific non-admin user the ability to use the Azure AD administration portal, assign any administrative role, such as the Directory Readers role. This role allows reading basic directory information, which member users have by default (guests and service principals do not).

Ability to read other users
  This setting is available in PowerShell only. Setting this flag to $false prevents all non-admins from reading user information from the directory. This flag does not prevent reading user information in other Microsoft services like Exchange Online. This setting is meant for special circumstances, and setting this flag to $false is not recommended.

Restrict guest users' default permissions

Default permissions for guest users can be restricted in the following ways (each permission setting is followed by its explanation):

Note: The Guest user access restrictions setting replaced the Guest users permissions are limited setting. For guidance on using this feature, see Restrict guest access permissions (preview) in Azure Active Directory.

Guest user access restrictions (Preview)
  Setting this option to Guest users have the same access as members grants all member user permissions to guest users by default.
  Setting this option to Guest user access is restricted to properties and memberships of their own directory objects restricts guest access to only their own user profile by default. Access to other users is no longer allowed, even when searching by User Principal Name, ObjectId, or Display Name. Access to group information, including group memberships, is also no longer allowed.
  Note: This setting does not prevent access to joined groups in some Microsoft 365 services like Microsoft Teams. See Microsoft Teams Guest access to learn more.
  Guest users can still be added to administrator roles regardless of this permission setting.

Guests can invite
  Setting this option to Yes allows guests to invite other guests. See Delegate invitations for B2B collaboration to learn more.

Members can invite
  Setting this option to Yes allows non-admin members of your directory to invite guests. See Delegate invitations for B2B collaboration to learn more.

Admins and users in the guest inviter role can invite
  Setting this option to Yes allows admins and users in the Guest Inviter role to invite guests. When set to Yes, users in the Guest Inviter role will still be able to invite guests, regardless of the Members can invite setting. See Delegate invitations for B2B collaboration to learn more.
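The following PowerShell is an added example, not code from the Microsoft article: it reads the member-user company settings and the guest settings covered by the two tables above and reports which ones still sit at a permissive value. It assumes the MSOnline and AzureADPreview modules are installed and already connected (Connect-MsolService and Connect-AzureAD have been run); the three guest role template IDs are well-known Azure AD values that do not appear on this page.

```powershell
# Added example, not Microsoft's code: report a tenant's default user
# permission settings against the restrictions in the two tables above.
# Assumes the MSOnline module (Connect-MsolService already run) for the
# member-user company settings and the AzureADPreview module (Connect-AzureAD
# already run) for the guest settings on the tenant authorization policy.

# Least-privilege baseline for the member-user switches. ReadOtherUsers is
# expected to stay $true: the article says $false is for special
# circumstances only, so the script reports it but never changes it.
$memberBaseline = @{
    UsersPermissionToCreateLOBAppsEnabled  = $false  # Users can register application: No
    UsersPermissionToCreateGroupsEnabled   = $false  # Ability to create security groups: No
    UsersPermissionToReadOtherUsersEnabled = $true   # Ability to read other users (PowerShell only)
}

# Role template IDs behind the "Guest user access restrictions" option: well-known
# Azure AD values, not from this article; confirm with Get-AzureADDirectoryRoleTemplate.
$guestAccessLevels = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Guest users have the same access as members'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Guest users have limited access (default)'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Guest user access is restricted to their own objects'
}
$restrictedGuestRoleId = '2af84b1e-32c8-42b7-82bc-daa82404023b'

# AllowInvitesFrom maps onto the three invitation switches in the table:
# none, adminsAndGuestInviters, adminsGuestInvitersAndAllMembers ("Members can
# invite"), everyone ("Guests can invite", the most permissive).

function Get-DefaultPermissionFindings {
    $findings = @()

    # Member-user defaults: compare each company setting with the baseline.
    $company = Get-MsolCompanyInformation
    foreach ($name in $memberBaseline.Keys) {
        if ($company.$name -ne $memberBaseline[$name]) {
            $findings += [pscustomobject]@{
                Scope = 'Member'; Setting = $name
                Actual = $company.$name; Expected = $memberBaseline[$name]
            }
        }
    }

    # Guest defaults: access level and who is allowed to send invitations.
    $policy = Get-AzureADMSAuthorizationPolicy
    $roleId = [string]$policy.GuestUserRoleId
    $level = $guestAccessLevels[$roleId]; if (-not $level) { $level = "unknown role id $roleId" }
    if ($roleId -ne $restrictedGuestRoleId) {
        $findings += [pscustomobject]@{
            Scope = 'Guest'; Setting = 'GuestUserRoleId'
            Actual = $level
            Expected = $guestAccessLevels[$restrictedGuestRoleId]
        }
    }
    if ([string]$policy.AllowInvitesFrom -eq 'everyone') {
        $findings += [pscustomobject]@{
            Scope = 'Guest'; Setting = 'AllowInvitesFrom'
            Actual = 'everyone (guests can invite)'
            Expected = 'adminsAndGuestInviters or stricter'
        }
    }
    return $findings
}

Get-DefaultPermissionFindings | Format-Table -AutoSize
```

An empty result means every checked setting matches the baseline; the "Restrict access to Azure AD administration portal" switch is portal-only and is not covered here.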

Object ownership

Application registration owner permissions

When a user registers an application, they are automatically added as an owner of that application. As an owner, they can manage the metadata of the application, such as its name and the permissions the app requests. They can also manage the tenant-specific configuration of the application, such as the user assignments. An owner can also add or remove other owners. Unlike Global Administrators, owners can manage only the applications they own.

Enterprise application owner permissions

When a user adds a new enterprise application, they are automatically added as an owner. As an owner, they can manage the tenant-specific configuration of the application, such as the user assignments. An owner can also add or remove other owners. Unlike Global Administrators, owners can manage only the applications they own.

Group owner permissions

When a user creates a group, they are automatically added as an owner of that group. As an owner, they can manage properties of the group, such as its name, as well as manage group membership. An owner can also add or remove other owners. Unlike Global administrators and User administrators, owners can manage only the groups they own. To assign a group owner, see Managing owners for a group.

Ownership permissions

The following tables describe the specific permissions in Azure Active Directory that member users have over owned objects. A user has these permissions only on the objects they own.

Owned application registrations

Users can perform the following actions on owned application registrations (action, then its description):

  • microsoft.directory/applications/audience/update: Update the applications.audience property in Azure Active Directory.
  • microsoft.directory/applications/authentication/update: Update the applications.authentication property in Azure Active Directory.
  • microsoft.directory/applications/basic/update: Update basic properties on applications in Azure Active Directory.
  • microsoft.directory/applications/credentials/update: Update the applications.credentials property in Azure Active Directory.
  • microsoft.directory/applications/delete: Delete applications in Azure Active Directory.
  • microsoft.directory/applications/owners/update: Update the applications.owners property in Azure Active Directory.
  • microsoft.directory/applications/permissions/update: Update the applications.permissions property in Azure Active Directory.
  • microsoft.directory/applications/policies/update: Update the applications.policies property in Azure Active Directory.
  • microsoft.directory/applications/restore: Restore applications in Azure Active Directory.

Owned enterprise applications

Users can perform the following actions on owned enterprise applications (action, then its description). An enterprise application is made up of a service principal, one or more application policies, and sometimes an application object in the same tenant as the service principal.

  • microsoft.directory/auditLogs/allProperties/read: Read all properties (including privileged properties) on auditLogs in Azure Active Directory.
  • microsoft.directory/policies/basic/update: Update basic properties on policies in Azure Active Directory.
  • microsoft.directory/policies/delete: Delete policies in Azure Active Directory.
  • microsoft.directory/policies/owners/update: Update the policies.owners property in Azure Active Directory.
  • microsoft.directory/servicePrincipals/appRoleAssignedTo/update: Update the servicePrincipals.appRoleAssignedTo property in Azure Active Directory.
  • microsoft.directory/servicePrincipals/appRoleAssignments/update: Update the users.appRoleAssignments property in Azure Active Directory.
  • microsoft.directory/servicePrincipals/audience/update: Update the servicePrincipals.audience property in Azure Active Directory.
  • microsoft.directory/servicePrincipals/authentication/update: Update the servicePrincipals.authentication property in Azure Active Directory.
  • microsoft.directory/servicePrincipals/basic/update: Update basic properties on servicePrincipals in Azure Active Directory.
  • microsoft.directory/servicePrincipals/credentials/update: Update the servicePrincipals.credentials property in Azure Active Directory.
  • microsoft.directory/servicePrincipals/delete: Delete servicePrincipals in Azure Active Directory.
  • microsoft.directory/servicePrincipals/owners/update: Update the servicePrincipals.owners property in Azure Active Directory.
  • microsoft.directory/servicePrincipals/permissions/update: Update the servicePrincipals.permissions property in Azure Active Directory.
  • microsoft.directory/servicePrincipals/policies/update: Update the servicePrincipals.policies property in Azure Active Directory.
  • microsoft.directory/signInReports/allProperties/read: Read all properties (including privileged properties) on signInReports in Azure Active Directory.

Owned devices

Users can perform the following actions on owned devices (action, then its description):

  • microsoft.directory/devices/bitLockerRecoveryKeys/read: Read the devices.bitLockerRecoveryKeys property in Azure Active Directory.
  • microsoft.directory/devices/disable: Disable devices in Azure Active Directory.

Owned groups

Users can perform the following actions on owned groups (action, then its description):

  • microsoft.directory/groups/appRoleAssignments/update: Update the groups.appRoleAssignments property in Azure Active Directory.
  • microsoft.directory/groups/basic/update: Update basic properties on groups in Azure Active Directory.
  • microsoft.directory/groups/delete: Delete groups in Azure Active Directory.
  • microsoft.directory/groups/dynamicMembershipRule/update: Update the groups.dynamicMembershipRule property in Azure Active Directory.
  • microsoft.directory/groups/members/update: Update the groups.members property in Azure Active Directory.
  • microsoft.directory/groups/owners/update: Update the groups.owners property in Azure Active Directory.
  • microsoft.directory/groups/restore: Restore groups in Azure Active Directory.
  • microsoft.directory/groups/settings/update: Update the groups.settings property in Azure Active Directory.
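Because the ownership actions listed above amount to administering the owned object (credentials, owners, and members can all be changed by an owner), an access review needs to know what each user owns. The following PowerShell is an added example, not Microsoft's code: it lists the objects one user owns and annotates each with the owner rights from the tables above. It assumes the AzureAD module with Connect-AzureAD already run; the account name at the bottom is a placeholder.

```powershell
# Added example, not Microsoft's code: inventory the directory objects a user
# owns and annotate them with the owner rights from the tables above.
# Assumes the AzureAD module and that Connect-AzureAD has already been run.

function Get-OwnedObjectReport {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    # -All $true avoids the default page size silently truncating the list
    # for a user who owns many objects.
    $owned = Get-AzureADUserOwnedObject -ObjectId $user.ObjectId -All $true

    foreach ($obj in $owned) {
        # Summarise the owner actions from the tables above for each object type
        # (applications: credentials/permissions/owners; service principals:
        # credentials/appRoleAssignedTo; groups: members/owners/dynamic rule).
        $note = switch ($obj.ObjectType) {
            'Application'      { 'owner can update credentials, permissions and owners' }
            'ServicePrincipal' { 'owner can update credentials and app role assignments' }
            'Group'            { 'owner can update members, owners and the dynamic rule' }
            default            { 'see the owned-object tables for this type' }
        }
        [pscustomobject]@{
            Owner       = $user.UserPrincipalName
            ObjectType  = $obj.ObjectType
            DisplayName = $obj.DisplayName
            ObjectId    = $obj.ObjectId
            OwnerRights = $note
        }
    }
}

# Placeholder account; replace with a real user principal name in your tenant.
Get-OwnedObjectReport -UserPrincipalName 'user@contoso.example' | Format-Table -AutoSize
```

Run it for the accounts in scope of a periodic access review; an application or service principal with many owners is worth trimming, since each owner can change its credentials.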

Next steps