Create an access review of groups and applications in Azure AD access reviews

Access to groups and applications for employees and guests changes over time. To reduce the risk associated with stale access assignments, administrators can use Azure Active Directory (Azure AD) to create access reviews for group members or application access. If you need to routinely review access, you can also create recurring access reviews. For more information about these scenarios, see Manage user access and Manage guest access.

This article describes how to create one or more access reviews for group members or application access.

Prerequisites

  • Azure AD Premium P2
  • Global administrator or User administrator

For more information, see License requirements.

Create one or more access reviews

  1. Sign in to the Azure portal and open the Identity Governance page.

  2. In the left menu, click Access reviews.

  3. Click New access review to create a new access review.

    (Image: Access reviews pane in Identity Governance)

  4. In Step 1: Select what to review, select which resource you would like to review.

    (Image: Create an access review - review name and description)

  5. If you selected Teams + Groups in Step 1, you have two options in Step 2:

    • All Microsoft 365 groups with guest users. Select this option if you would like to create recurring reviews on all your guest users across all your Microsoft Teams and M365 groups in your organization. You can choose to exclude certain groups by clicking on 'Select group(s) to exclude'.

    • Select teams + groups. Select this option if you would like to specify a finite set of teams and/or groups to review. After clicking on this option, you will see a list of groups to the right to pick from.

      (Image: Teams and groups)

      (Image: Teams and groups selected in the user interface)

  6. If you selected Applications in Step 1, you can then select one or more applications in Step 2.

    Note

    Selecting multiple groups and/or applications will result in multiple access reviews being created. For example, if you select 5 groups to review, that will result in 5 separate access reviews.

    (Image: Interface shown when applications are selected instead of groups)

  7. Next, in Step 3 you can select a scope for the review. Your options are:

    • Guest users only. Selecting this option limits the access review to just the Azure AD B2B guest users in your directory.
    • Everyone. Selecting this option scopes the access review to all user objects associated with the resource.

    Note

    If you selected All Microsoft 365 groups with guest users in Step 2, then your only option in Step 3 is to review Guest users.

  8. Click on Next: Reviews.

  9. In the Select reviewers section, select one or more people to perform the access reviews. You can choose from:

    • Group owner(s) (only available when performing a review on a Team or group)
    • Selected user(s) or group(s)
    • Users review own access
    • (Preview) Managers of users. If you choose either Managers of users or Group owners, you also have the option to specify a fallback reviewer. Fallback reviewers are asked to do a review when the user has no manager specified in the directory or the group does not have an owner.

    (Image: New access review)

  10. In the Specify recurrence of review section, you can specify a frequency such as Weekly, Monthly, Quarterly, Semi-annually, or Annually. You then specify a Duration, which defines how long a review will be open for input from reviewers. For example, the maximum duration that you can set for a monthly review is 27 days, to avoid overlapping reviews. You might want to shorten the duration to ensure that your reviewers' input is applied earlier. Next, you can select a Start date and an End date.

    (Image: Choose how often the review occurs)

  11. Click the Next: Settings button at the bottom of the page.

  12. In the Upon completion settings, you can specify what happens after the review completes.

    (Image: Create an access review - upon completion settings)

If you want to automatically remove access for denied users, set Auto apply results to resource to Enable. If you want to manually apply the results when the review completes, set the switch to Disable. Use the If reviewers don't respond list to specify what happens for users that are not reviewed by the reviewer within the review period. This setting does not affect users who have been reviewed by the reviewers manually. If the final reviewer's decision is Deny, then the user's access will be removed.

  • No change - Leave the user's access unchanged

  • Remove access - Remove the user's access

  • Approve access - Approve the user's access

  • Take recommendations - Take the system's recommendation on denying or approving the user's continued access

    (Image: Upon completion settings options)

Use the Action to apply on denied guest users to specify what happens to guest users if they are denied.

  • Remove user's membership from the resource will remove the denied user's access to the group or application being reviewed; they will still be able to sign in to the tenant.
  • Block user from signing-in for 30 days, then remove user from the tenant will block the denied users from signing in to the tenant, regardless of whether they have access to other resources. If there was a mistake, or if an admin decides to re-enable someone's access, they can do so within 30 days after the user has been disabled. If no action is taken on the disabled users, they will be deleted from the tenant.

To learn more about best practices for removing guest users who no longer have access to resources in your organization, read the article titled Use Azure AD Identity Governance to review and remove external users who no longer have resource access.

Note

Action to apply on denied guest users is not configurable on reviews scoped to more than guest users. It is also not configurable for reviews of All M365 groups with guest users. When not configurable, the default option of removing the user's membership from the resource is used on denied users.

  1. In Enable review decision helpers, choose whether you would like your reviewers to receive recommendations during the review process.

    (Image: Enable decision helpers option)

  2. In the Advanced settings section, you can choose the following:

    • Set Justification required to Enable to require the reviewer to supply a reason for approval.

    • Set Email notifications to Enable to have Azure AD send email notifications to reviewers when an access review starts, and to administrators when a review completes.

    • Set Reminders to Enable to have Azure AD send reminders of access reviews in progress to reviewers who have not completed their review. These reminders are sent half-way through the duration of the review.

    • The content of the email sent to reviewers is autogenerated based on the review details, such as review name, resource name, due date, etc. If you need a way to communicate additional information, such as additional instructions or contact information, you can specify these details in the Additional content for reviewer email section. The information that you enter is included in the invitation and reminder emails sent to assigned reviewers. The section highlighted in the image below shows where this information is displayed.

      (Image: Additional content for reviewers)

  3. Click on Next: Review + Create to move to the next page.

  4. Name the access review. Optionally, give the review a description. The name and description are shown to the reviewers.

  5. Review the information and select Create.

    (Image: Create review screen)

Start the access review

Once you have specified the settings for an access review, click Start. The access review will appear in your list with an indicator of its status.

(Image: List of access reviews and their status)

By default, Azure AD sends an email to reviewers shortly after the review starts. If you choose not to have Azure AD send the email, be sure to inform the reviewers that an access review is waiting for them to complete. You can show them the instructions for how to review access to groups or applications. If your review is for guests to review their own access, show them the instructions for how to review access for yourself to groups or applications.

If you have assigned guests as reviewers and they have not accepted the invite, they will not receive an email from access reviews, because they must first accept the invite prior to reviewing.

Access review status table

| Status | Definition |
| --- | --- |
| NotStarted | Review was created; user discovery is waiting to start. |
| Initializing | User discovery is in progress to identify all users that are part of the review. |
| Starting | Review is starting. If email notifications are enabled, emails are being sent to reviewers. |
| InProgress | Review has started. If email notifications are enabled, emails have been sent to reviewers. Reviewers can submit decisions until the due date. |
| Completing | Review is being completed and emails are being sent to the review owner. |
| Auto-Reviewing | Review is in a system reviewing stage. The system is recording decisions for users who were not reviewed, based on recommendations or pre-configured decisions. |
| Auto-Reviewed | Decisions have been recorded by the system for all users who were not reviewed. Review is ready to proceed to Applying if Auto-Apply is enabled. |
| Applying | There will be no change in access for users who were approved. |
| Applied | Denied users, if any, have been removed from the resource or directory. |
| Failed | Review could not progress. This error could be related to the deletion of the tenant, a change in licenses, or other internal tenant changes. |

Create reviews via APIs

You can also create access reviews using APIs. What you do to manage access reviews of groups and application users in the Azure portal can also be done using Microsoft Graph APIs. For more information, see the Azure AD access reviews API reference. For a code sample, see Example of retrieving Azure AD access reviews via Microsoft Graph.
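As an added example (not code from this page or from Microsoft), the following Python builds the Microsoft Graph request body that corresponds to the portal choices walked through in the steps above: a recurring monthly review of the guest members of one group, reviewed by the group owners with a fallback reviewer, with results auto-applied and unanswered reviews treated as Remove access. The endpoint, the accessReviewScheduleDefinition property names, and the placeholder ids are assumptions; the 27-day limit on a monthly review is the one stated in step 10.

```python
import json

# Assumed Microsoft Graph endpoint for access review schedule definitions.
GRAPH_DEFINITIONS_URL = "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions"

# The portal limits a monthly review to 27 days so consecutive instances never overlap.
MAX_MONTHLY_DURATION_DAYS = 27

def build_guest_review_definition(group_id, fallback_user_id, duration_days, start_date,
                                  pattern="absoluteMonthly"):
    """Return the request body for a recurring review of the guest members of one group.
    Mirrors the portal choices: scope = guest users only, reviewers = group owners with
    a fallback reviewer, results auto-applied, unanswered reviews denied.
    """
    if duration_days < 1:
        raise ValueError("duration must be at least one day")
    if pattern == "absoluteMonthly" and duration_days > MAX_MONTHLY_DURATION_DAYS:
        raise ValueError("a monthly review may stay open for at most 27 days")
    return {
        "displayName": f"Guest access review for group {group_id}",
        "descriptionForAdmins": "Recurring review of B2B guest members; denied users lose membership.",
        "scope": {
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            # Guest users only: filter the group's transitive user members by userType.
            "query": f"/groups/{group_id}/transitiveMembers/microsoft.graph.user/?$filter=(userType eq 'Guest')",
            "queryType": "MicrosoftGraph",
        },
        "reviewers": [{"query": f"/groups/{group_id}/owners", "queryType": "MicrosoftGraph"}],
        "fallbackReviewers": [{"query": f"/users/{fallback_user_id}", "queryType": "MicrosoftGraph"}],
        "settings": {
            "mailNotificationsEnabled": True,            # Email notifications: Enable
            "reminderNotificationsEnabled": True,        # Reminders: Enable
            "justificationRequiredOnApproval": True,     # Justification required: Enable
            "recommendationsEnabled": True,              # Enable review decision helpers
            "defaultDecisionEnabled": True,              # If reviewers don't respond ...
            "defaultDecision": "Deny",                   # ... Remove access
            "autoApplyDecisionsEnabled": True,           # Auto apply results to resource: Enable
            "instanceDurationInDays": duration_days,
            "recurrence": {
                "pattern": {"type": pattern, "interval": 1},
                "range": {"type": "noEnd", "startDate": start_date},
            },
        },
    }

def to_request_json(definition):
    """Serialize the body as it would be POSTed to GRAPH_DEFINITIONS_URL with a bearer token."""
    return json.dumps(definition, indent=2)
```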

Next steps