Azure AD 访问评审是什么?What are Azure AD access reviews?

Azure Active Directory (Azure AD) 访问评审可以使组织有效地管理组成员身份、对企业应用程序的访问权限,以及角色分配。Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. 可以定期评审用户的访问权限,确保相应人员持续拥有访问权限。User's access can be reviewed on a regular basis to make sure only the right people have continued access.

访问评审为何重要?Why are access reviews important?

使用 Azure AD 可以与组织内部的用户和外部用户进行协作。Azure AD enables you to collaborate with users from inside your organization and with external users. 用户可以加入组、邀请来宾、连接到云应用以及通过工作或个人设备远程工作。Users can join groups, invite guests, connect to cloud apps, and work remotely from their work or personal devices. 自助服务的便捷性使人们需要更好的访问管理功能。The convenience of using self-service has led to a need for better access management capabilities.

  • 新员工加入时,如何确保他们获得有助于提高工作效率的访问权限?As new employees join, how do you ensure they have the access they need to be productive?
  • 当员工在团队间调动或离开公司时,如何确保删除旧的访问权限?As people move teams or leave the company, how do you make sure that their old access is removed?
  • 访问权限过多可能会导致利益受损。Excessive access rights can lead to compromises.
  • 访问权限过多还可能影响审计结果,因为此类情况表示对访问权限缺乏控制。Excessive access right may also lead audit findings as they indicate a lack of control over access.
  • 需要主动与资源所有者联系,确保他们定期评审有权访问其资源的用户。You have to proactively engage with resource owners to ensure they regularly review who has access to their resources.

何时应使用访问评审?When should you use access reviews?

  • 特权角色用户过多: 建议检查多少用户具有管理访问权限,其中有多少用户是全局管理员,以及检查是否存在向其分配管理任务后未将其删除的受邀来宾和合作伙伴。Too many users in privileged roles: It's a good idea to check how many users have administrative access, how many of them are Global Administrators, and if there are any invited guests or partners that have not been removed after being assigned to do an administrative task. 可以重新验证 Azure AD 角色(例如全局管理员)或 Azure 资源角色(例如 Azure AD Privileged Identity Management (PIM) 体验中的用户访问权限管理员)中的角色分配用户。You can recertify the role assignment users in Azure AD roles such as Global Administrators, or Azure resources roles such as User Access Administrator in the Azure AD Privileged Identity Management (PIM) experience.
  • 自动化不可行: 可针对安全组或 Office 365 组中的动态成员资格创建规则,但如果人力资源数据不在 Azure AD 中或者如果用户在离开组后仍需访问权限来培训其接任者应该怎么办?When automation is not possible: You can create rules for dynamic membership on security groups or Office 365 Groups, but what if the HR data is not in Azure AD or if users still need access after leaving the group to train their replacement? 对于此类情况,可以对该组创建评审,确保仍需访问权限的用户能够继续获得访问权限。You can then create a review on that group to ensure those who still need access should have continued access.
  • 将组用于新用途: 如果要将组同步到 Azure AD,或计划为所有销售团队组成员启用 Salesforce 应用程序,则要求组所有者在将组用于其他风险内容前评审组成员资格会非常有用。When a group is used for a new purpose: If you have a group that is going to be synced to Azure AD, or if you plan to enable the application Salesforce for everyone in the Sales team group, it would be useful to ask the group owner to review the group membership prior to the group being used in a different risk content.
  • 业务关键数据访问权限: 对于特定资源,可能出于审核目的要求 IT 以外的人员定期注销并提供需要访问权限的正当理由。Business critical data access: for certain resources, it might be required to ask people outside of IT to regularly sign out and give a justification on why they need access for auditing purposes.
  • 要维护策略的例外列表: 在理想情况下,所有用户都会遵循访问策略来保护对组织资源的访问。To maintain a policy's exception list: In an ideal world, all users would follow the access policies to secure access to your organization's resources. 但是,有时,某些业务案例要求例外处理。However, sometimes there are business cases that require you to make exceptions. IT 管理员可以管理此任务、避免忽视策略例外情况,为审核员提供定期评审这些例外情况的证明。As the IT admin, you can manage this task, avoid oversight of policy exceptions, and provide auditors with proof that these exceptions are reviewed regularly.
  • 要求组所有者确认他们在组中是否仍需要来宾: 员工访问可能会通过一些本地标识和访问管理 (IAM) 自动执行,但不会邀请来宾。Ask group owners to confirm they still need guests in their groups: Employee access might be automated with some on premises Identity and Access Management (IAM), but not invited guests. 如果组为来宾授予了业务敏感内容的访问权限,则由组所有者负责确认来宾是否仍有对访问权限的合法业务需求。If a group gives guests access to business sensitive content, then it's the group owner's responsibility to confirm the guests still have a legitimate business need for access.
  • 定期重复评审: 可以设置按设定频率(例如每周、每月、每季度或每年)定期对用户进行访问评审,审阅者将在每次评审开始前收到通知。Have reviews recur periodically: You can set up recurring access reviews of users at set frequencies such as weekly, monthly, quarterly or annually, and the reviewers will be notified at the start of each review. 审阅者可以借助友好界面和智能建议的帮助,批准或拒绝访问权限。Reviewers can approve or deny access with a friendly interface and with the help of smart recommendations.

备注

如果已准备好尝试访问评审,请参阅创建组或应用程序的访问评审If you are ready to try Access reviews take a look at Create an access review of groups or applications

在哪里创建评审?Where do you create reviews?

可在 Azure AD 访问评审、Azure AD 企业应用(预览版)或 Azure AD PIM 中创建访问评审,具体取决于要评审的内容。Depending on what you want to review, you will create your access review in Azure AD access reviews, Azure AD enterprise apps (in preview), or Azure AD PIM.

用户访问权限Access rights of users 审阅者身份Reviewers can be 评审创建位置Review created in 审阅者体验Reviewer experience
安全组成员Security group members
Office 组成员Office group members
指定的审阅者Specified reviewers
组所有者Group owners
自我评审Self-review
Azure AD 访问评审Azure AD access reviews
Azure AD 组Azure AD groups
访问面板Access panel
分配联网应用Assigned to a connected app 指定的审阅者Specified reviewers
自我评审Self-review
Azure AD 访问评审Azure AD access reviews
Azure AD 企业应用(预览版)Azure AD enterprise apps (in preview)
访问面板Access panel
Azure AD 角色Azure AD role 指定的审阅者Specified reviewers
自我评审Self-review
Azure AD PIMAzure AD PIM Azure 门户Azure portal
Azure 资源角色Azure resource role 指定的审阅者Specified reviewers
自我评审Self-review
Azure AD PIMAzure AD PIM Azure 门户Azure portal

许可要求License requirements

使用此功能需要 Azure AD Premium P2 许可证。Using this feature requires an Azure AD Premium P2 license. 若要根据需要查找合适的许可证,请参阅 比较免费版、Office 365 应用版和高级版的正式发布功能To find the right license for your requirements, see Comparing generally available features of the Free, Office 365 Apps, and Premium editions.

必须拥有多少个许可证?How many licenses must you have?

目录需要的 Azure AD Premium P2 许可证至少与要执行以下任务的员工数相同:Your directory needs at least as many Azure AD Premium P2 licenses as the number of employees who will be performing the following tasks:

  • 指定为审阅者的成员和来宾用户Member and guest users who are assigned as reviewers
  • 执行自我评审的成员和来宾用户Member and guest users who perform a self-review
  • 执行访问评审的组所有者Group owners who perform an access review
  • 执行访问评审的应用程序所有者Application owners who perform an access review

具有全局管理员或用户管理员角色的用户不需要 Azure AD Premium P2 许可证,这些用户可设置访问评审、配置设置或根据评审作出决策。Azure AD Premium P2 licenses are not required for users with the Global Administrator or User Administrator roles who set up access reviews, configure settings, or apply the decisions from the reviews.

对于你分配给自己组织的用户之一的每个付费 Azure AD Premium P2 许可证,你可以使用 Azure AD 企业到企业 (B2B) 在“外部用户限额”下最多邀请五名来宾用户。For each paid Azure AD Premium P2 license that you assign to one of your own organization's users, you can use Azure AD business-to-business (B2B) to invite up to five guest users under the External User Allowance. 这些来宾用户也可以使用 Azure AD Premium P2 功能。These guest users can also use Azure AD Premium P2 features. 有关详细信息,请参阅 Azure AD B2B 协作许可指南For more information, see Azure AD B2B collaboration licensing guidance.

有关许可证的详细信息,请参阅使用 Azure Active Directory 门户分配或删除许可证For more information about licenses, see Assign or remove licenses using the Azure Active Directory portal.

许可证场景示例Example license scenarios

下面是一些许可证场景示例,可帮助你确定必须拥有的许可证数量。Here are some example license scenarios to help you determine the number of licenses you must have.

方案Scenario 计算Calculation 许可证数量Number of licenses
管理员创建组 A 的访问评审,该组包含 75 个用户和 1 个组所有者,并将该组所有者指定为审阅者。An administrator creates an access review of Group A with 75 users and 1 group owner, and assigns the group owner as the reviewer. 作为审阅者的组所有者需要 1 个许可证1 license for the group owner as reviewer 11
管理员创建组 B 的访问评审,该组包含 500 个用户和 3 个组所有者,并将这 3 个组所有者指定为审阅者。An administrator creates an access review of Group B with 500 users and 3 group owners, and assigns the 3 group owners as reviewers. 作为审阅者的各个组所有者共需 3 个许可证3 licenses for each group owner as reviewers 33
管理员创建具有 500 个用户的组 B 的访问评审。An administrator creates an access review of Group B with 500 users. 并使其成为自我评审。Makes it a self-review. 各个用户进行自我评审共需 500 个许可证500 licenses for each user as self-reviewers 500500
管理员创建具有 50 个成员用户和 25 个来宾用户的组 C 的访问评审。An administrator creates an access review of Group C with 50 member users and 25 guest users. 并使其成为自我评审。Makes it a self-review. 各个用户进行自我评审共需 50 个许可证。50 licenses for each user as self-reviewers.
(来宾用户已涵盖在要求的 1:5 比例内)。(guest users are covered in the required 1:5 ratio)
5050
管理员创建具有 6 个成员用户和 108 个来宾用户的组 D 的访问评审。An administrator creates an access review of Group D with 6 member users and 108 guest users. 并使其成为自我评审。Makes it a self-review. 充当自我审阅者的各个用户共需 6 个许可证 + 按所要求的 1:5 比例涵盖所有 108 位来宾用户需要 16 个额外的许可证。6 licenses for each user as self-reviewers + 16 additional licenses to cover all 108 guest users in the required 1:5 ratio. 6 个许可证,涵盖 6*5=30 个来宾用户。6 licenses, which cover 6*5=30 guest users. 对于余下的 (108-6*5)=78 位来宾用户,需要 78/5=16 个额外的许可证。For the remaining (108-6*5)=78 guest users, 78/5=16 additional licenses are required. 因此,总共需要 22 个许可证 (6+16)。Thus in total, 6+16=22 licenses are required. 2222

后续步骤Next steps