Create an access review of groups and applications in Azure AD access reviews

Access to groups and applications for employees and guests changes over time. To reduce the risk associated with stale access assignments, administrators can use Azure Active Directory (Azure AD) to create access reviews for group members or application access. If you need to routinely review access, you can also create recurring access reviews. For more information about these scenarios, see Manage user access and Manage guest access.

This article describes how to create one or more access reviews for group members or application access.

Prerequisites

  • Azure AD Premium P2
  • Global administrator or User administrator

For more information, see License requirements.

Create one or more access reviews

  1. Sign in to the Azure portal and open the Identity Governance page.

  2. In the left menu, click Access reviews.

  3. Click New access review to create a new access review.


  4. Name the access review. Optionally, give the review a description. The name and description are shown to the reviewers.


  5. Set the Start date. By default, an access review occurs once, starts at the time it is created, and ends one month later. You can change the start and end dates so that the review starts in the future and lasts as many days as you want.


  6. To make the access review recurring, change the Frequency setting from One time to Weekly, Monthly, Quarterly, Semi-annually, or Annually. Use the Duration slider or text box to define how many days each review in the recurring series stays open for reviewer input. For example, the maximum duration you can set for a monthly review is 27 days, so that consecutive reviews do not overlap.

  7. Use the End setting to specify how the recurring access review series ends. The series can end in one of three ways:

    1. Never: it runs continuously, starting new reviews indefinitely.
    2. On a specific date.
    3. After a defined number of occurrences has completed.

    You, another User administrator, or another Global administrator can stop the series after it has been created by changing the end date in Settings, so that the series ends on that date.

  8. In the Users section, specify the users that the access review applies to. An access review can cover the members of a group or the users assigned to an application. You can further scope the review to only the guest users who are members (or are assigned to the application), rather than all users who are members or have access to the application.


  9. In the Group section, select one or more groups whose membership you want to review.

    Note

    Selecting more than one group creates multiple access reviews. For example, selecting five groups creates five separate access reviews.


  10. In the Applications section (if you selected Assigned to an application in step 8), select the applications whose access you want to review.

    Note

    Selecting more than one application creates multiple access reviews. For example, selecting five applications creates five separate access reviews.


  11. In the Reviewers section, select one or more people to review all the users in scope, or choose to have the members review their own access. If the resource is a group, you can ask the group owners to review. You can also require that reviewers supply a reason when they approve access.


  12. In the Programs section, select the program you want to use. Default Program is always present.


    You can simplify the collection and tracking of access reviews by organizing them into programs. Each access review can be linked to one program. When you prepare reports for an auditor, you can then focus on the access reviews in scope for a particular initiative. Programs and access review results are visible to users in the Global administrator, User administrator, Security administrator, or Security reader role.

    To see the list of programs, go to the access reviews page and select Programs. If you have the Global administrator or User administrator role, you can create additional programs; for example, one program for each compliance initiative or business goal. When you no longer need a program and no controls are linked to it, you can delete it.

Upon completion settings

  1. To specify what happens after a review completes, expand the Upon completion settings section.


  2. To automatically remove access for denied users, set Auto apply results to resource to Enable. To apply the results manually after the review completes, set the switch to Disable. Until the results are applied, denied users keep their access.

  3. Use the If reviewers don't respond list to specify what happens to users who are not reviewed within the review period. This setting does not affect users that reviewers have reviewed manually. If the final decision for a user is Deny, that user's access is removed.

    • No change: leave the user's access unchanged
    • Remove access: remove the user's access
    • Approve access: approve the user's access
    • Take recommendations: follow the system's recommendation to deny or approve the user's continued access


  4. (Preview) Use the Action to apply on denied users setting to specify what happens to guest users who are denied.

    • Option 1 removes the denied user's access to the group or application being reviewed; the user can still sign in to the tenant.
    • Option 2 blocks the denied user from signing in to the tenant, regardless of whether they have access to other resources. If this was a mistake, or an admin decides to re-enable the user's access, they can do so within 30 days of the user being disabled. If no action is taken on the disabled users, they are deleted from the tenant.

To learn more about best practices for removing guest users who no longer have access to resources in your organization, read the article Use Azure AD Identity Governance to review and remove external users who no longer have resource access.

Note

Action to apply on denied users only works if you previously scoped the review to Guest users only (see step 8 in the Create one or more access reviews section).
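The Auto-Reviewing and Applying behaviour that these completion settings drive, as an added example in Python (not code from the Azure AD documentation or from Microsoft): it records a decision for every unreviewed user according to the If reviewers don't respond setting, never overrides a manual decision, and then works out what happens to each denied user under the two Action to apply on denied users options. The 30-day inactivity rule used for Take recommendations, the sample users and the reviewer decisions are constructed assumptions, not the service's actual recommendation logic.

```python
"""Added example (not from the Azure AD documentation): simulate what the
"Upon completion" settings do to a set of review decisions.

Assumptions (not stated on the page): a reviewer decision is "Approve" or
"Deny", an unreviewed user has no decision, and the recommendation behind
"Take recommendations" is modelled as "Deny if no sign-in in the last 30
days" (a hypothetical rule; the sample users are constructed).
"""
from datetime import date, timedelta

# Values of "If reviewers don't respond" as named in the portal.
NO_CHANGE = "No change"
REMOVE_ACCESS = "Remove access"
APPROVE_ACCESS = "Approve access"
TAKE_RECOMMENDATIONS = "Take recommendations"

# "Action to apply on denied users" (guest-only reviews).
REMOVE_FROM_RESOURCE = "remove"   # option 1: lose the group/app, keep sign-in
DISABLE_AND_DELETE = "disable"    # option 2: block sign-in, delete after 30 days


def recommend(last_sign_in, today, inactivity_days=30):
    """Hypothetical recommendation rule: deny users with no recent sign-in."""
    if last_sign_in is None or (today - last_sign_in) > timedelta(days=inactivity_days):
        return "Deny"
    return "Approve"


def auto_review(users, decisions, if_no_response, today):
    """Auto-Reviewing stage: record a decision for every user not reviewed.

    users: {upn: {"last_sign_in": date|None, "guest": bool}}
    decisions: {upn: "Approve"|"Deny"} recorded by reviewers.
    Returns a complete {upn: decision} map; "None" means access is untouched.
    """
    final = {}
    for upn, info in users.items():
        if upn in decisions:          # manual decisions are never overridden
            final[upn] = decisions[upn]
        elif if_no_response == NO_CHANGE:
            final[upn] = "None"
        elif if_no_response == REMOVE_ACCESS:
            final[upn] = "Deny"
        elif if_no_response == APPROVE_ACCESS:
            final[upn] = "Approve"
        elif if_no_response == TAKE_RECOMMENDATIONS:
            final[upn] = recommend(info["last_sign_in"], today)
        else:
            raise ValueError(f"unknown If reviewers don't respond value: {if_no_response}")
    return final


def apply_results(users, final, denied_action=REMOVE_FROM_RESOURCE, guests_only=False):
    """Applying stage: return what happens to each denied user.

    Disable-and-delete is only honoured when the review was scoped to guest
    users only (the page's note); otherwise access is simply removed.
    """
    actions = {}
    for upn, decision in final.items():
        if decision != "Deny":
            continue
        if denied_action == DISABLE_AND_DELETE and guests_only and users[upn]["guest"]:
            actions[upn] = "blocked from sign-in; deleted after 30 days unless re-enabled"
        else:
            actions[upn] = "removed from resource"
    return actions


# Constructed sample data for a guest-only review of three partner accounts.
TODAY = date(2020, 6, 1)
SAMPLE_USERS = {
    "alice@partner.example": {"last_sign_in": date(2020, 5, 28), "guest": True},
    "bob@partner.example":   {"last_sign_in": date(2020, 5, 20), "guest": True},
    "carol@partner.example": {"last_sign_in": None,              "guest": True},
}
SAMPLE_DECISIONS = {"alice@partner.example": "Deny"}  # the reviewer only got to Alice


def run_sample():
    """Complete the sample review with Take recommendations and option 2."""
    final = auto_review(SAMPLE_USERS, SAMPLE_DECISIONS, TAKE_RECOMMENDATIONS, TODAY)
    return final, apply_results(SAMPLE_USERS, final, DISABLE_AND_DELETE, guests_only=True)


if __name__ == "__main__":
    for upn, outcome in run_sample()[1].items():
        print(f"{upn}: {outcome}")
```

In the sample, Alice is denied by the reviewer, Carol is denied by recommendation because she has never signed in, and Bob keeps access because he was recently active; with No change instead, Bob and Carol would be left untouched and only Alice's access would change.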

Advanced settings

  1. To specify additional settings, expand the Advanced settings section.

  2. Set Show recommendations to Enable to show reviewers the system recommendations, which are based on the user's access information.

  3. Set Require reason on approval to Enable to require reviewers to supply a reason for approval.

  4. Set Mail notifications to Enable to have Azure AD send email notifications to reviewers when an access review starts and to administrators when a review completes.

  5. Set Reminders to Enable to have Azure AD send reminders about access reviews in progress to reviewers who have not completed their review.

    Note

    By default, Azure AD automatically sends a reminder halfway to the end date to reviewers who haven't yet responded.

  6. (Preview) The content of the email sent to reviewers is generated automatically from the review details, such as the review name, resource name, and due date. If you need to communicate additional information, such as extra instructions or contact details, you can specify it in Additional content for reviewer email; it is included in the invitation and reminder emails sent to the assigned reviewers.


Start the access review

Once you have specified the settings for an access review, click Start. The access review appears in your list with an indicator of its status.


By default, Azure AD sends an email to reviewers shortly after the review starts. If you choose not to have Azure AD send the email, be sure to inform the reviewers that an access review is waiting for them to complete. You can show them the instructions for how to review access to groups or applications. If your review is for guests to review their own access, show them the instructions for how to review your own access to groups or applications.

If you have assigned guests as reviewers and they have not yet accepted the invitation, they will not receive an email from access reviews, because they must accept the invitation before they can review.

Access review status table

Status          Definition
NotStarted      Review was created; user discovery is waiting to start.
Initializing    User discovery is in progress to identify all users that are part of the review.
Starting        Review is starting. If email notifications are enabled, emails are being sent to reviewers.
InProgress      Review has started. If email notifications are enabled, emails have been sent to reviewers. Reviewers can submit decisions until the due date.
Completing      Review is being completed and emails are being sent to the review owner.
Auto-Reviewing  Review is in the system reviewing stage. The system is recording decisions for users who were not reviewed, based on recommendations or the pre-configured decision.
Auto-Reviewed   Decisions have been recorded by the system for all users who were not reviewed. Review is ready to proceed to Applying if Auto-Apply is enabled.
Applying        Review results are being applied. There is no change in access for users who were approved.
Applied         Denied users, if any, have been removed from the resource or directory.

Create reviews via APIs

You can also create access reviews using APIs. What you do in the Azure portal to manage access reviews of groups and application users can also be done with Microsoft Graph APIs. For more information, see the Azure AD access reviews API reference. For a code sample, see Example of retrieving Azure AD access reviews via Microsoft Graph.
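As an added example (not code from the Azure AD documentation or from Microsoft), the following Python builds, validates and sends the Graph request that creates a recurring review of a group's members, mapping the portal settings from the steps above (scope, guests only, reviewers, frequency and duration, series end, the If reviewers don't respond decision, auto-apply, and the action on denied guests) onto one request body. It assumes the current v1.0 accessReviewScheduleDefinition resource under identityGovernance/accessReviews/definitions, that the caller holds AccessReview.ReadWrite.All, and that the portal frequency labels map to Graph recurrence patterns as in FREQUENCY; the group GUID and token are placeholders, and the duration limits other than the 27-day monthly limit the page states are assumptions.

```python
"""Added example (not from the Azure AD documentation): build, validate and
send the Microsoft Graph request that creates a recurring group access review.

Assumptions: v1.0 accessReviewScheduleDefinition resource; placeholder GUIDs
and token; caller holds AccessReview.ReadWrite.All.
"""
import json
import urllib.request

GRAPH_URL = "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions"

# Portal Frequency -> (Graph recurrence pattern, maximum Duration in days).
# 27 days for Monthly is the limit the page states; the other limits follow the
# same "an instance must close before the next one opens" rule and are assumptions.
FREQUENCY = {
    "Weekly":        ({"type": "weekly", "interval": 1}, 6),
    "Monthly":       ({"type": "absoluteMonthly", "interval": 1}, 27),
    "Quarterly":     ({"type": "absoluteMonthly", "interval": 3}, 89),
    "Semi-annually": ({"type": "absoluteMonthly", "interval": 6}, 180),
    "Annually":      ({"type": "absoluteYearly", "interval": 1}, 364),
}

# Graph names for the portal's No change / Approve access / Remove access /
# Take recommendations list.
DEFAULT_DECISIONS = ("None", "Approve", "Deny", "Recommendation")


def build_group_review(name, group_id, start_date, frequency="Monthly", duration_days=14,
                       guests_only=False, reviewer_user_ids=None, if_no_response="Deny",
                       auto_apply=True, disable_and_delete_denied_guests=False,
                       end_date=None, occurrences=None):
    """Return the JSON body for POST .../accessReviews/definitions.

    reviewer_user_ids=None asks the reviewed group's owners to review (step 11).
    """
    pattern, max_duration = FREQUENCY[frequency]
    if not 1 <= duration_days <= max_duration:
        raise ValueError(f"{frequency} reviews may be open 1..{max_duration} days, got {duration_days}")
    if if_no_response not in DEFAULT_DECISIONS:
        raise ValueError(f"unknown default decision {if_no_response!r}")
    if end_date and occurrences:
        raise ValueError("give end_date or occurrences, not both")
    if disable_and_delete_denied_guests and not guests_only:
        # The page's note: this action only works for a review scoped to guests only.
        raise ValueError("disable-and-delete requires a guests-only review")

    # Steps 8 and 9: review the group's members, optionally only the guests.
    query = f"/groups/{group_id}/transitiveMembers"
    if guests_only:
        query += "/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')"

    if reviewer_user_ids:
        reviewers = [{"query": f"/users/{uid}", "queryType": "MicrosoftGraph"} for uid in reviewer_user_ids]
    else:
        reviewers = [{"query": f"/groups/{group_id}/owners", "queryType": "MicrosoftGraph"}]

    # Step 7: how the series ends.
    if end_date:
        rng = {"type": "endDate", "startDate": start_date, "endDate": end_date}
    elif occurrences:
        rng = {"type": "numbered", "startDate": start_date, "numberOfOccurrences": occurrences}
    else:
        rng = {"type": "noEnd", "startDate": start_date}

    settings = {
        "mailNotificationsEnabled": True,            # Advanced: Mail notifications
        "reminderNotificationsEnabled": True,        # Advanced: Reminders
        "justificationRequiredOnApproval": True,     # Advanced: Require reason on approval
        "recommendationsEnabled": True,              # Advanced: Show recommendations
        "instanceDurationInDays": duration_days,
        "autoApplyDecisionsEnabled": auto_apply,     # Auto apply results to resource
        "defaultDecisionEnabled": if_no_response != "None",
        "recurrence": {"pattern": pattern, "range": rng},
    }
    if if_no_response != "None":
        settings["defaultDecision"] = if_no_response
    if disable_and_delete_denied_guests:             # Action to apply on denied users, option 2
        settings["applyActions"] = [{"@odata.type": "#microsoft.graph.disableAndDeleteUserApplyAction"}]

    return {
        "displayName": name,
        "descriptionForAdmins": f"{frequency} review of members of group {group_id}",
        "descriptionForReviewers": "Confirm that each user still needs membership in this group.",
        "scope": {"@odata.type": "#microsoft.graph.accessReviewQueryScope",
                  "query": query, "queryType": "MicrosoftGraph"},
        "reviewers": reviewers,
        "settings": settings,
    }


def create_review(body, token):
    """Send the definition to Graph; returns the created definition as a dict."""
    req = urllib.request.Request(
        GRAPH_URL, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder GUID; the body is printed rather than sent, so this runs offline.
    body = build_group_review("Quarterly guest review: Project Atlas",
                              "00000000-0000-0000-0000-000000000001", "2020-07-01",
                              frequency="Quarterly", duration_days=21, guests_only=True,
                              if_no_response="Recommendation", disable_and_delete_denied_guests=True)
    print(json.dumps(body, indent=2))
```

The validation mirrors the constraints the portal enforces in the steps above: a monthly instance longer than 27 days, a series with both an end date and an occurrence count, or the disable-and-delete action on a review that is not scoped to guests only are all rejected before anything is sent. To actually create the review, pass the body and an access token to create_review.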

Next steps