Complete an access review of groups and applications in Azure AD access reviews

As an administrator, you create an access review of groups or applications, and reviewers perform the access review. This article describes how to see the results of the access review and apply them.

Note

This article provides steps for how to delete personal data from the device or service and can be used to support your obligations under the GDPR. If you're looking for general information about GDPR, see the GDPR section of the Service Trust portal.

Prerequisites

  • Azure AD Premium P2
  • Global administrator, User administrator, Security administrator, or Security reader

For more information, see License requirements.

View an access review

You can track the progress as the reviewers complete their reviews.

  1. Sign in to the Azure portal and open the Identity Governance page.

  2. In the left menu, click Access reviews.

  3. In the list, click an access review.

    To view a series of access reviews, navigate to the access review; the upcoming occurrences are listed under Scheduled reviews.

    On the Overview page, you can see the progress. No access rights are changed in the directory until the review is completed.

    (Screenshot: Access review progress)

  4. If you want to stop an access review before it has reached the scheduled end date, click the Stop button.

    When you stop a review, reviewers are no longer able to give responses. You can't restart a review after it's stopped.

  5. If you're no longer interested in the access review, you can delete it by clicking the Delete button.

Apply the changes

If Auto apply results to resource was enabled, then, based on your selections in the Upon completion settings, auto-apply runs after the review's end date or when you manually stop the review.

If Auto apply results to resource wasn't enabled for the review, click Apply to manually apply the changes. If a user's access was denied in the review, Azure AD removes their group membership or application assignment when you click Apply.

(Screenshot: Apply access review changes)

The status of the review changes from Completed through intermediate states such as Applying and finally to the state Result applied. You should expect to see denied users, if any, removed from the group membership or application assignment within a few minutes.

Neither a configured auto-applying review nor selecting Apply has an effect on a group that originates in an on-premises directory. If you want to change a group that originates on-premises, download the results and apply those changes to the representation of the group in that directory.

Retrieve the results

To view the results for a one-time access review, click the Results page. To view just one user's access, type the display name or user principal name of a user whose access was reviewed in the Search box.

(Screenshot: Retrieve access review results)

To view the progress of an active access review that is recurring, click the Results page.

To view the results of a completed instance of a recurring access review, click Review history, then select the specific instance from the list of completed access review instances, based on the instance's start and end date. The results of this instance can be obtained from the Results page.

To retrieve all the results of an access review, click the Download button. The resulting CSV file can be viewed in Excel or in other programs that open UTF-8 encoded CSV files.
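The on-premises case above (download the results, then apply the denials to the group in that directory) has no portal button, so here is an added example of that step; it is not code from the page or from Microsoft. The export's column names are not listed on this page, so the headers in the constructed sample are an assumption to adjust to the real file, and the generated PowerShell assumes an AD DS domain with the Active Directory module installed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a downloaded access review export. The column names are
# an assumption (the page does not list them); adjust them to match the real file.
SAMPLE_EXPORT = (
    "\ufeff"  # byte order mark, as UTF-8 CSV files written for Excel often carry
    "Resource,User principal name,Result,Reviewed by,Applied result\r\n"
    "Finance-OnPrem,alice@example.com,Approve,manager@example.com,\r\n"
    "Finance-OnPrem,bob@example.com,Deny,manager@example.com,\r\n"
    "Finance-OnPrem,carol@example.com,Not reviewed,,\r\n"
    "Sales-Cloud,dave@example.com,Deny,manager@example.com,Removed\r\n"
).encode("utf-8")


def denied_members(export_bytes):
    """Return {resource: [UPN, ...]} for explicit Deny decisions that Azure AD
    has not already applied (Applied result column empty)."""
    # utf-8-sig strips the BOM, so the first header is 'Resource', not '\ufeffResource'.
    text = export_bytes.decode("utf-8-sig")
    pending = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        # Only explicit denials: unreviewed rows are governed by the review's
        # own "if reviewers don't respond" setting and are not decided here.
        if row["Result"].strip().lower() != "deny":
            continue
        if row["Applied result"].strip():
            continue  # already removed by auto-apply or by Apply in the portal
        pending[row["Resource"]].append(row["User principal name"].strip())
    return {resource: sorted(upns) for resource, upns in pending.items()}


def removal_commands(pending):
    """Render one Remove-ADPrincipalGroupMembership line per denied user, looked
    up by UPN, with -WhatIf so the output is reviewed before it is run for real."""
    lines = []
    for resource, upns in sorted(pending.items()):
        for upn in upns:
            lines.append(
                f"Get-ADUser -Filter 'UserPrincipalName -eq \"{upn}\"' | "
                f'Remove-ADPrincipalGroupMembership -MemberOf "{resource}" -WhatIf'
            )
    return lines


if __name__ == "__main__":
    for line in removal_commands(denied_members(SAMPLE_EXPORT)):
        print(line)
```

Remove the -WhatIf only after checking the rendered list against the Results page, and keep the downloaded CSV with the change record, since it is the only artifact that ties the on-premises removal back to the review.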

Remove users from an access review

By default, a deleted user remains deleted in Azure AD for 30 days, during which time an administrator can restore them if necessary. After 30 days, that user is permanently deleted. In addition, using the Azure Active Directory portal, a Global Administrator can explicitly and permanently delete a recently deleted user before that period is reached. Once a user has been permanently deleted, data about that user is subsequently removed from active access reviews. Audit information about deleted users remains in the audit log.

Next steps