在 Azure AD 权利管理中创建新访问包Create a new access package in Azure AD entitlement management

使用访问包可以一次性设置好用于在访问包的生命周期内自动管理访问权限的资源和策略。An access package enables you to do a one-time setup of resources and policies that automatically administers access for the life of the access package. 本文介绍如何创建新的访问包。This article describes how to create a new access package.


所有访问包必须放入称作“目录”的容器中。All access packages must be put in a container called a catalog. 目录定义可将哪些资源添加到访问包。A catalog defines what resources you can add to your access package. 如果未指定目录,则访问包将会放入常规目录。If you don't specify a catalog, your access package will be put into the General catalog. 目前,无法将现有的访问包移到其他目录。Currently, you can't move an existing access package to a different catalog.

如果你是访问包管理者,那么你无法将自己拥有的资源添加到目录。If you are an access package manager, you cannot add resources you own to a catalog. 你只能使用目录中提供的资源。You are restricted to using the resources available in the catalog. 如果需要将资源添加到目录,可请求目录所有者。If you need to add resources to a catalog, you can ask the catalog owner.

所有访问包都必须至少有一个策略。All access packages must have at least one policy. 策略指定谁可以请求该访问包,并指定审批和生命周期设置。Policies specify who can request the access package and also approval and lifecycle settings. 创建新访问包时,可为目录中的用户、不在目录中的用户以及(仅限)管理员直接分配创建一个初始策略,或者,可以选择在以后创建策略。When you create a new access package, you can create an initial policy for users in your directory, for users not in your directory, for administrator direct assignments only, or you can choose to create the policy later.


下面是创建新访问包的概要步骤。Here are the high-level steps to create a new access package.

  1. 在 Identity Governance 中,启动创建新访问包的过程。In Identity Governance, start the process to create a new access package.

  2. 选择要在其中创建访问包的目录。Select the catalog you want to create the access package in.

  3. 将目录中的资源添加到访问包。Add resources from catalog to your access package.

  4. 为每个资源分配资源角色。Assign resource roles for each resource.

  5. 指定可以请求访问权限的用户。Specify users that can request access.

  6. 指定任何审批设置。Specify any approval settings.

  7. 指定生命周期设置。Specify lifecycle settings.

启动新访问包Start new access package

必备角色: 全局管理员、用户管理员、目录所有者或访问包管理员Prerequisite role: Global administrator, User administrator, Catalog owner, or Access package manager

  1. 登录 Azure 门户Sign in to the Azure portal.

  2. 依次单击“Azure Active Directory”、“标识监管”。 Click Azure Active Directory and then click Identity Governance.

  3. 在左侧菜单中,单击“访问包”。 In the left menu, click Access packages.

  4. 单击“新建访问包”。 Click New access package.

    Azure 门户中的权利管理


在“基本信息”选项卡上指定访问包的名称,并指定要在哪个目录中创建该访问包。On the Basics tab, you give the access package a name and specify which catalog to create the access package in.

  1. 输入访问包的显示名称和说明。Enter a display name and description for the access package. 当用户提交访问包请求时,会看到此信息。Users will see this information when they submit a request for the access package.

  2. 在“目录”下拉列表中,选择要在其中创建访问包的目录。In the Catalog drop-down list, select the catalog you want to create the access package in. 例如,你的某个目录所有者需要管理所有可请求的营销资源。For example, you might have a catalog owner that manages all the marketing resources that can be requested. 在这种情况下,你可以选择营销目录。In this case, you could select the marketing catalog.

    你只会看到你有权在中创建访问包的目录。You will only see catalogs you have permission to create access packages in. 若要在现有目录中创建访问包,你必须是全局管理员或用户管理员,或者你必须是该目录中的目录所有者或访问包管理者。To create an access package in an existing catalog, you must be a Global administrator or User administrator, or you must be a catalog owner or access package manager in that catalog.

    访问包 - 基本信息

    如果你是全局管理员、用户管理员或目录创建者,并且希望在未列出的新目录中创建访问包,请单击“创建新目录”。If you are a Global administrator, a User administrator, or catalog creator and you would like to create your access package in a new catalog that's not listed, click Create new catalog. 输入目录的名称和说明,然后单击“创建”。Enter the Catalog name and description and then click Create.

    正在创建的访问包及其包含的所有资源将添加到新目录中。The access package you are creating and any resources included in it will be added to the new catalog. 也可以稍后添加其他目录所有者。You can also add additional catalog owners later.

  3. 单击“下一步” 。Click Next.

资源角色Resource roles

在“资源角色”选项卡上,选择要包含在访问包中的资源。On the Resource roles tab, you select the resources to include in the access package. 请求并接收访问包的用户将接收访问包中的所有资源角色。Users who request and receive the access package will receive all the resource roles in the access package.

  1. 单击要添加的资源类型(“组和团队”、“应用程序”或“SharePoint 站点”) 。Click the resource type you want to add (Groups and Teams, Applications, or SharePoint sites).

  2. 在出现的“选择”窗格中,从列表中选择一个或多个资源。In the Select pane that appears, select one or more resources from the list.

    访问包 - 资源角色

    如果在常规目录或新目录中创建访问包,则可以从你拥有的目录中选择任何资源。If you are creating the access package in the General catalog or a new catalog, you will be able to pick any resource from the directory that you own. 你必须至少是全局管理员、用户管理员或目录创建者。You must be at least a Global administrator, a User administrator, or Catalog creator.

    如果在现有目录中创建访问包,则可以选择该目录中现有的任何资源,而无需拥有该目录。If you are creating the access package in an existing catalog, you can select any resource that is already in the catalog without owning it.

    如果你是全局管理员、用户管理员或目录所有者,可通过另外一个选项来选择你拥有的但尚未包含在该目录中的资源。If you are a Global administrator, a User administrator, or catalog owner, you have the additional option of selecting resources you own that are not yet in the catalog. 如果选择当前不在所选目录中的资源,则这些资源也会添加到该目录,供其他目录管理员用来生成访问包。If you select resources not currently in the selected catalog, these resources will also be added to the catalog for other catalog administrators to build access packages with. 若要查看可添加到目录中的所有资源,请选中“选择”窗格顶部的“全部查看”复选框。To see all the resources that can be added to the catalog, check the See all check box at the top of the Select pane. 如果只想选择目前位于所选目录中的资源,请让“全部查看”复选框处于取消选中状态(默认状态)。If you only want to select resources that are currently in the selected catalog, leave the check box See all unchecked (default state).

  3. 选择资源后,在“角色”列表中选择要将用户分配到的资源角色。Once you have selected the resources, in the Role list, select the role you want users to be assigned for the resource.

    访问包 - 资源角色选择

  4. 单击“下一步” 。Click Next.


可以将动态组添加到目录和访问包。You can add dynamic groups to a catalog and to an access package. 但是,在管理访问包中的动态组资源时,只能选择“所有者”角色。However, you will be able to select only the Owner role when managing a dynamic group resource in an access package.


在“请求”选项卡上,创建第一个策略来指定谁可以请求该访问包,并指定审批设置。On the Requests tab, you create the first policy to specify who can request the access package and also approval settings. 之后,可以创建更多的请求策略,以允许其他用户组使用其自己的审批设置来请求该访问包。Later, you can create more request policies to allow additional groups of users to request the access package with their own approval settings.

访问包 -“请求”选项卡

根据你希望谁能够请求此访问包,执行以下某一部分中的步骤。Depending on who you want to be able to request this access package, perform the steps in one of the following sections.

适用于目录中的用户For users in your directory

如果你希望目录中的用户可请求此访问包,请执行以下步骤。Follow these steps if you want to allow users in your directory to be able to request this access package. 定义请求策略时,可以指定单个用户,也可以指定用户组(通常做法)。When defining the request policy, you can specify individual users, or more commonly groups of users. 例如,组织可能已经有一个组(例如“所有员工”)。For example, your organization may already have a group such as All employees. 如果将该组添加到可以请求访问权限的用户的策略中,则该组的任何成员都可以请求访问权限。If that group is added in the policy for users who can request access, then any member of that group can then request access.

  1. 在“可以请求访问的用户”部分,单击“你目录中的用户”。In the Users who can request access section, click For users in your directory.

    选择此选项后,会出现新的选项以进一步优化目录中哪些用户可以请求此访问包。When you select this option, new options appear to further refine who in your directory can request this access package.

    访问包 - 请求 - 你目录中的用户

  2. 选择以下选项之一:Select one of the following options:

    特定用户和组Specific users and groups 如果只希望目录中的指定用户和组可以请求此访问包,请选择此选项。Choose this option if you want only the users and groups in your directory that you specify to be able to request this access package.
    所有成员(不包括来宾)All members (excluding guests) 如果希望目录中的所有成员用户都可以请求此访问包,请选择此选项。Choose this option if you want all member users in your directory to be able to request this access package. 此选项不包括你可能已邀请到目录中的任何来宾用户。This option doesn't include any guest users you might have invited into your directory.
    所有用户(包括来宾)All users (including guests) 如果希望目录中的所有成员用户和来宾用户都可以请求此访问包,请选择此选项。Choose this option if you want all member users and guest users in your directory to be able to request this access package.

    来宾用户是指通过 Azure AD B2B 邀请到目录中的外部用户。Guest users refer to external users that have been invited into your directory with Azure AD B2B. 有关成员用户和来宾用户之间差异的详细信息,请参阅 Azure Active Directory 中的默认用户权限是什么?For more information about the differences between member users and guest users, see What are the default user permissions in Azure Active Directory?.

  3. 如果已选择“特定用户和组”,请单击“添加用户和组” 。If you selected Specific users and groups, click Add users and groups.

  4. 在“选择用户和组”窗格中,选择要添加的用户和组。In the Select users and groups pane, select the users and groups you want to add.

    访问包 - 请求 - 选择用户和组

  5. 单击“选择”以添加用户和组。Click Select to add the users and groups.

  6. 跳到审批部分。Skip down to the Approval section.

适用于不在目录中的用户For users not in your directory

“不在目录中的用户”是指位于其他 Azure AD 目录或域中的用户。Users not in your directory refers to users who are in another Azure AD directory or domain. 这些用户可能尚未被邀请到目录中。These users may not have yet been invited into your directory. Azure AD 目录必须配置为允许”协作限制”中的邀请。Azure AD directories must be configured to be allow invitations in Collaboration restrictions. 有关详细信息,请参阅启用 B2B 外部协作并管理谁可以邀请来宾For more information, see Enable B2B external collaboration and manage who can invite guests.


将为不是目录中的其请求已审批或自动审批的用户创建来宾用户帐户。A guest user account will be created for a user not yet in your directory whose request is approved or auto-approved. 将邀请来宾,但他们不会收到邀请电子邮件。The guest will be invited, but will not receive an invite email. 传递其访问包分配时,他们将收到电子邮件。Instead, they will receive an email when their access package assignment is delivered. 默认情况下,当来宾用户不再有任何访问包分配时(因为他们的上次分配已过期或已取消),将会阻止该来宾用户帐户登录并随后将其删除。By default, later when that guest user no longer has any access package assignments, because their last assignment has expired or been cancelled, that guest user account will be blocked from sign in and subsequently deleted. 如果希望无限期地在目录中保留来宾用户(即使他们没有任何访问包分配),可以更改权利管理配置的设置。If you want to have guest users remain in your directory indefinitely, even if they have no access package assignments, you can change the settings for your entitlement management configuration. 有关来宾用户对象的详细信息,请参阅 Azure Active Directory B2B 协作用户的属性For more information about the guest user object, see Properties of an Azure Active Directory B2B collaboration user.

如果要允许不在目录中的用户请求此访问包,请执行以下步骤:Follow these steps if you want to allow users not in your directory to request this access package:

  1. 在“可以请求访问的用户”部分,单击“不在目录中的用户” 。In the Users who can request access section, click For users not in your directory.

    选择此选项时,将显示新选项。When you select this option, new options appear.

    访问包 - 请求 - 不在目录中的用户

  2. 选择以下选项之一:Select one of the following options:

    特定的已连接的组织Specific connected organizations 如果要从管理员之前添加的组织列表中选择,请选择此选项。Choose this option if you want to select from a list of organizations that your administrator previously added. 来自选定组织的所有用户都可以请求此访问包。All users from the selected organizations can request this access package.
    所有已连接的组织All connected organizations 如果所有已连接的组织的用户都可以请求此访问包,请选择此选项。Choose this option if all users from all your connected organizations can request this access package.
    所有用户(所有已连接的组织 + 任何新外部用户)All users (All connected organizations + any new external users) 如果来自所有已连接的组织的所有用户都可以请求此访问包,并且 B2B 允许或拒绝列表设置对于任何新的外部用户都应优先,请选择此选项。Choose this option if all users from all your connected organizations can request this access package and that the B2B allow or deny list settings should take precedence for any new external user.

    已连接的组织是与你有关系的外部 Azure AD 目录或域。A connected organization is an external Azure AD directory or domain that you have a relationship with.

  3. 如果选择了“特定连接的组织”,请单击“添加目录”,从管理员之前添加的已连接的组织列表中进行选择 。If you selected Specific connected organizations, click Add directories to select from a list of connected organizations that your administrator previously added.

  4. 键入要搜索的之前已连接的组织的名称或域名。Type the name or domain name to search for a previously connected organization.

    访问包 - 请求 - 选择目录

    如果要与之协作的组织不在列表中,则可以要求管理员将其添加为已连接的组织。If the organization you want to collaborate with isn't in the list, you can ask your administrator to add it as a connected organization. 有关详细信息,请参阅添加已连接的组织For more information, see Add a connected organization.

  5. 选择所有已连接的组织后,单击“选择”。Once you've selected all your connected organizations, click Select.


    来自选定已连接的组织的所有用户都将可以请求此访问包。All users from the selected connected organizations will be able to request this access package. 这包括来自与组织关联的所有子域的 Azure AD 中的用户,除非这些域被 Azure B2B 允许或拒绝列表阻止。This includes users in Azure AD from all subdomains associated with the organization, unless those domains are blocked by the Azure B2B allow or deny list. 有关详细信息,请参阅允许或阻止向特定组织中的 B2B 用户发送邀请For more information, see Allow or block invitations to B2B users from specific organizations.

  6. 跳到审批部分。Skip down to the Approval section.

无(仅限管理员直接分配)None (administrator direct assignments only)

如果希望绕过访问请求,并允许管理员直接将特定用户分配到访问包,请执行这些步骤。Follow these steps if you want to bypass access requests and allow administrators to directly assign specific users to this access package. 用户无需请求访问包。Users won't have to request the access package. 仍可以设置生命周期设置,但没有请求设置。You can still set lifecycle settings, but there are no request settings.

  1. 在“可以请求访问权限的用户”部分,单击“无(仅限管理员直接分配)” 。In the Users who can request access section, click None (administrator direct assignments only.

    访问包 - 请求 - 无(仅限管理员直接分配)

    创建访问包后,可以直接将特定的内部和外部用户分配到该访问包。After you create the access package, you can directly assign specific internal and external users to the access package. 如果指定外部用户,将在目录中创建来宾用户帐户。If you specify an external user, a guest user account will be created in your directory. 有关直接分配用户的详细信息,请参阅查看、添加和删除访问包的分配For information about directly assigning a user, see View, add, and remove assignments for an access package.

  2. 跳到启用请求部分。Skip down to the Enable requests section.


在“审批”部分中,指定用户请求此访问包时是否需要审批。In the Approval section, you specify whether an approval is required when users request this access package. 审批设置的工作方式如下:The approval settings work in the following way:

  • 只有一个选定审批者或后备审批者需要批准单阶段审批的请求。Only one of the selected approvers or fallback approvers needs to approve a request for single-stage approval.
  • 每个阶段中只有一个选定审批者需要批准两阶段审批的请求。Only one of the selected approvers from each stage needs to approve a request for 2-stage approval.
  • 审批者可以是管理员、内部发起人或外部发起人,具体取决于策略管理谁的访问权限。The approver can be a Manager, Internal sponsor, or External sponsor depending on who the policy is governing access.
  • 单阶段或两阶段审批不需要每个选定审批者的批准。Approval from every selected approver isn't required for single or 2-stage approval.
  • 审批决定以第一个评审请求的审批者为准。The approval decision is based on whichever approver reviews the request first.

请按照以下步骤指定请求访问包的审批设置:Follow these steps to specify the approval settings for requests for the access package:

  1. 若要要求对所选用户发起的请求进行审批,请将“需要审批”切换开关设置为“是”。To require approval for requests from the selected users, set the Require approval toggle to Yes. 或者,若要自动审批请求,请将切换开关设置为“否”。Or, to have requests automatically approved, set the toggle to No.

  2. 如果需要用户提供对请求访问包的论证,请将“需要请求者论证”切换开关设置为“是”。 。To require users to provide a justification to request the access package, set the Require requestor justification toggle to Yes.

  3. 现在确定请求是否需要单阶段或两阶段审批。Now determine if requests will require single or 2-stage approval. 对于单阶段审批,将”阶段数“切换开关设置为“1”,或者对于两阶段审批,将切换开关设置为“2” 。Set the How many stages toggle to 1 for single stage approval or set the toggle to 2 for 2-stage approval.

    访问包 - 请求 - 审批设置

选择所需的阶段数后,使用以下步骤添加审批者:Use the following steps to add approvers after selecting how many stages you require:

单阶段审批Single-stage approval

  1. 添加“第一位审批者”:Add the First Approver:

    如果策略设置为管理目录中的用户访问,可以选择“管理员充当审批者”。If the policy is set to govern access for users in your directory, you can select Manager as approver. 或者,在下拉菜单中选择“选择特定审批者”后,单击“添加审批者”,以添加特定用户。Or, add a specific user by clicking Add approvers after selecting Choose specific approvers from the dropdown menu.

    访问包 - 请求 - 目录中的用户 - 第一位审批者

    如果将此策略设置为管理不在目录中的用户的访问,则可以选择“外部发起人”或“内部发起人” 。If this policy is set to govern access for users not in your directory, you can select External sponsor or Internal sponsor. 或者,通过单击“选择特定审批者”下的“添加审批者”或组来添加特定用户。Or, add a specific user by clicking Add approvers or groups under Choose specific approvers.

    访问包 - 请求 - 目录外的用户 - 第一位审批者

  2. 如果你选择了“管理员”作为第一位审批者,请单击“添加后备审批者”,以选择目录中的一个或多个用户或组作为后备审批者 。If you selected Manager as the first approver, click Add fallback to select one or more users or groups in your directory to be a fallback approver. 如果权利管理找不到请求访问权限的用户的管理员,后备审批者将收到请求。Fallback approvers receive the request if entitlement management can't find the manager for the user requesting access.

    权利管理使用“管理员”属性找到管理员。The manager is found by entitlement management using the Manager attribute. 该属性位于 Azure AD 中的用户配置文件中。The attribute is in the user's profile in Azure AD. 有关详细信息,请参阅使用 Azure Active Directory 添加或更新用户的配置文件信息For more information, see Add or update a user's profile information using Azure Active Directory.

  3. 如果选择了“选择特定审批者”,请单击“添加审批者”以选择目录中的一个或多个用户或组作为审批者 。If you selected Choose specific approvers, click Add approvers to select one or more users or groups in your directory to be approvers.

  4. 在“必须在多少天内作出决定?”框下,指定审批者审阅对此访问包的请求的允许天数。In the box under Decision must be made in how many days?, specify the number of days that an approver has to review a request for this access package.

    如果请求在这段时间内未获批准,将自动被拒绝。If a request isn't approved within this time period, it will be automatically denied. 用户必须再提交一个访问包的请求。The user will have to submit another request for the access package.

  5. 如果需要审批者提供其决策论证,请将“需要审批者论证”设置为“是”。To require approvers to provide a justification for their decision, set Require approver justification to Yes.

    其他审批者和请求者都可以看到该论证。The justification is visible to other approvers and the requestor.

两阶段审批2-stage approval

如果选择了两阶段审批,则需要添加第二位审批者。If you selected a 2-stage approval, you'll need to add a second approver.

  1. 添加“第二位审批者”:Add the Second Approver:

    如果用户在目录中,可以通过单击“选择特定审批者”下的“添加审批者”添加特定用户作为第二位审批者。If the users are in your directory, add a specific user as the second approver by clicking Add approvers under Choose specific approvers.

    访问包 - 请求 - 目录中的用户 - 第二位审批者

    如果用户不在目录中,请选择“内部发起人”或“外部发起人”作为第二位审批者 。If the users aren't in your directory, select Internal sponsor or External sponsor as the second approver. 选择审批者后,添加后备审批者。After selecting the approver, add the fallback approvers.

    访问包 - 请求 - 目录外的用户 - 第二位审批者

  2. 在“必须在多少天内做出决策?”下的框中指定第二位审批者审批请求的允许天数。Specify the number of days the second approver has to approve the request in the box under Decision must be made in how many days?.

  3. 将“需要审批者论证”切换开关设置为“是”或“否” 。Set the Require approver justification toggle to Yes or No.

后备审批者Alternate approvers

可以指定后备审批者,类似于指定可以审批请求的第一位和第二位审批者。You can specify alternate approvers, similar to specifying the first and second approvers who can approve requests. 指定后备审批者将有助于确保请求在到期(超时)之前被批准或拒绝。Having alternate approvers will help ensure that the requests are approved or denied before they expire (timeout). 针对两阶段审批,可以为后备审批者列出第一位审批者和第二位审批者。You can list alternate approvers the first approver and second approver for 2-stage approval.

指定后备审批者后,在第一位或第二位审批者无法批准或拒绝请求的情况下,待处理的请求将根据你在策略设置期间指定的转发计划转发给后备审批者。By specifying alternate approvers, in the event that the first or second approvers were unable to approve or deny the request, the pending request gets forwarded to the alternate approvers, per the forwarding schedule you specified during policy setup. 他们会收到一封批准或拒绝待处理请求的电子邮件。They receive an email to approve or deny the pending request.

请求被转发给后备审批者后,第一位或第二位审批者仍可批准或拒绝该请求。After the request is forwarded to the alternate approvers, the first or second approvers can still approve or deny the request. 后备审批者使用同一个“我的访问权限”网站来批准或拒绝待处理的请求。Alternate approvers use the same My Access site to approve or deny the pending request.

我们可以列出要成为审批者和后备审批者的人员或组。We can list people or groups of people to be approvers and alternate approvers. 请确保列出不同的人员集作为第一位、第二位和后备审批者。Please ensure that you list different sets of people to be the first, second, and alternate approvers. 例如,如果将 Alice 和 Bob 列为第一位审批者,则将 Carol 和 Dave 列为后备审批者。For example, if you listed Alice and Bob as the First Approver(s), list Carol and Dave as the alternate approvers. 通过以下步骤将后备审批者添加到访问包中:Use the following steps to add alternate approvers to an access package:

  1. 在“第一位审批者”和/或“第二位审批者”下,单击“显示高级请求设置”。Under the First Approver, Second Approver, or both, click Show advanced request settings.

    访问包 - 策略 - 显示高级请求设置

  2. 将“若没有采取任何行动,转发给后备审批者们?”切换开关设置为“是” 。Set If no action taken, forward to alternate approvers? toggle to Yes.

  3. 单击“添加后备审批者”,然后从列表中选择后备审批者。Click Add alternate approvers and select the alternate approver(s) from the list.

    访问包 - 策略 - 添加后备审批者

    如果对于第一位审批者,选择“管理员”作为审批者,你将具有一个可在后备审批者字段中进行选择的额外选项“将二级管理员作为后备审批者”。If you select Manager as approver for the First Approver, you will have an additional option, Second level manager as alternate approver, available to choose in the alternate approver field. 如果选择此选项,则需要添加后备审批者,以便在系统找不到二级管理员的情况下将请求转发给该审批者。If you select this option, you need to add a fallback approver to forward the request to in case the system can't find the second level manager.

  4. 在“多少天后转发给后备审批者?”框中,输入审批者批准或拒绝请求的允许天数。In the Forward to alternate approver(s) after how many days box, put in the number of days the approvers have to approve or deny a request. 如果在请求持续期间没有审批者批准或拒绝请求,则请求将过期(超时),用户必须再提交一个访问包请求。If no approvers have approved or denied the request before the request duration, the request expires (timeout), and the user will have to submit another request for the access package.

    只有在请求持续时间已过一半后,请求才会被转发给后备审批者,主审批者的决策必须在至少 4 天后超时。Requests can only be forwarded to alternate approvers a day after the request duration reaches half-life, and the decision of the main approver(s) has to time-out after at least 4 days. 如果请求超时小于或等于 3,则没有足够的时间将请求转发给后备审批者。If the request time-out is less or equal than 3, there is not enough time to forward the request to alternate approver(s). 在本例中,请求的持续时间为 14 天。In this example, the duration of the request is 14 days. 因此,请求持续时间在第 7 天已达到一半。So, the request duration reaches half-life at day 7. 所以请求不能早于第 8 天转发。So the request can't be forwarded earlier than day 8. 此外,请求不能在请求持续时间的最后一天转发。Also, requests can't be forwarded on the last day of the request duration. 因此,在本例中,可以转发请求的最晚时间是第 13 天。So in the example, the latest the request can be forwarded is day 13.

启用请求Enable requests

  1. 如果希望访问包立即可供请求策略中的用户使用以进行请求,请将“启用”切换开关移动到“是”。If you want the access package to be made immediately available for users in the request policy to request, move the Enable toggle to Yes.

    创建完访问包后,将来始终可以启用该策略。You can always enable it in the future after you have finished creating the access package.

    如果选择了“无(仅限管理员直接分配)”,并且将“启用”设置为“否”,则管理员无法直接分配此访问包 。If you selected None (administrator direct assignments only) and you set enable to No, then administrators can't directly assign this access package.


  2. 单击“下一步” 。Click Next.

向访问包添加请求者信息(预览)Add Requestor information (preview) to an access package

  1. 转到“请求者信息”选项卡并单击“问题”子选项卡。Go to the Requestor information tab and click the Questions sub tab.

  2. 在“问题”框中键入要向请求者提问的内容,也称为“显示字符串”。Type in what you want to ask the requestor, also known as the display string, for the question in the Question box.

    访问包 - 策略 - 启用请求者信息设置

  3. 若要添加自己的本地化选项,请单击“添加本地化”。If you would like to add your own localization options, click add localization.

    1. 进入“添加问题的本地化文本”窗格后,为用于将问题本地化的语言选择“语言代码”。Once in the Add localizations for question pane, select the language code for the language in which you are localizing the question.
    2. 使用配置的语言,在“本地化文本”框中键入问题。In the language you configured, type the question in the Localized Text box.
    3. 添加完所需的所有本地化文本后,请单击“保存”。Once you have added all the localizations needed, click Save.

    访问包 - 策略 - 配置本地化文本

  4. 选择你希望请求者回答时使用的“答案格式”。Select the Answer format in which you would like requestors to answer. 答案格式包括:短文本、多选和长文本。Answer formats include: short text, multiple choice, and long text.

    访问包 - 策略 - 选择“查看和编辑多选答案格式”

  5. 如果选择“多选”,请单击“查看和编辑”按钮来配置答案选项。If selecting multiple choice, click on the view and edit button to configure the answer options.

    1. 选择“查看和编辑”后,“查看/编辑问题”窗格会打开。After selecting view and edit the View/edit question pane will open.
    2. 在“答案值”框中键入你希望在请求者回答问题时向请求者提供的响应选项。Type in the response options you wish to give the requestor when answering the question in the Answer values boxes.
    3. 键入所需的任意多个响应,然后单击“保存”。Type in as many responses as you need then click Save.

    访问包 - 策略 - 输入多选选项

  6. 若要要求请求者在请求访问某个访问包时回答此问题,请单击“必需”下的复选框。To require requestors to answer this question when requesting access to an access package, click the check box under Required.

  7. 单击“下一步”Click Next


在“生命周期”选项卡上,指定用户的访问包分配何时过期。On the Lifecycle tab, you specify when a user's assignment to the access package expires. 还可以指定是否允许用户将其分配延期。You can also specify whether users can extend their assignments.

  1. 在“过期时间”部分,将“访问包分配过期时间”设置为“日期”、“天数”或“永不”。 In the Expiration section, set Access package assignments expires to On date, Number of days, or Never.

    对于“日期”,请选择将来的过期日期。For On date, select an expiration date in the future.

    对于“天数”,请指定 0 到 3660 天的数字。For Number of days, specify a number between 0 and 3660 days.

    根据所做的选择,用户的访问包分配将在特定的日期过期、审批后经过特定的天数之后过期,或者永不过期。Based on your selection, a user's assignment to the access package expires on a certain date, a certain number of days after they are approved, or never.

  2. 单击“显示高级过期时间设置”以显示其他设置。Click Show advanced expiration settings to show additional settings.

    访问包 - 生命周期过期时间设置

  3. 若要允许用户延期其分配,请将“允许用户延期访问权限”设置为“是”。To allow user to extend their assignments, set Allow users to extend access to Yes.

    如果策略中允许延期,在将用户的访问包分配设置为过期之前的 14 天以及 1 天,用户会收到一封电子邮件,其中提示他们是否要延期分配。If extensions are allowed in the policy, the user will receive an email 14 days and also one day before their access package assignment is set to expire, prompting them to extend the assignment. 用户在请求扩展时必须仍在策略范围内。The user must still be in the scope of the policy at the time they request an extension. 如果策略有明确的分配结束日期,且用户提交将访问权限延期的请求,则请求中的延期日期不得迟于分配过期日期,如用于向用户授予访问包访问权限的策略中定义的那样。Also, if the policy has an explicit end date for assignments, and a user submits a request to extend access, the extension date in the request must be at or before when assignments expire, as defined in the policy that was used to grant the user access to the access package. 例如,如果策略指示分配设置为在 6 月 30 日过期,则用户最多可以请求延期到 6 月 30 日。For example, if the policy indicates that assignments are set to expire on June 30, the maximum extension a user can request is June 30.

    如果用户的访问延期,则用户将无法在指定的延期日期(在创建了策略的用户的时区中设置的日期)之后请求访问包。If a user's access is extended, they will not be able to request the access package after the specified extension date (date set in the time zone of the user who created the policy).

  4. 如果要求在获批后才能延迟,则请将“要求获批才能延期”设置为“是”。 To require approval to grant an extension, set Require approval to grant extension to Yes.

    将使用已在“请求”选项卡上指定的审批设置。The same approval settings that were specified on the Requests tab will be used.

  5. 单击“下一步”或“更新”。 Click Next or Update.

查看 + 创建Review + create

在“查看 + 创建”选项卡上,可以查看设置并检查是否存在任何验证错误。On the Review + create tab, you can review your settings and check for any validation errors.

  1. 查看访问包的设置Review the access package's settings

    访问包 - 启用策略设置

  2. 单击“创建”以创建访问包。Click Create to create the access package.

    新访问包将显示在访问包列表中。The new access package appears in the list of access packages.

以编程方式创建访问包Creating an access package programmatically

你也可以使用 Microsoft Graph 创建访问包。You can also create an access package using Microsoft Graph. 通过具有委托的 EntitlementManagement.ReadWrite.All 权限的应用程序,相应角色中的用户可以调用 API 来A user in an appropriate role with an application that has the delegated EntitlementManagement.ReadWrite.All permission can call the API to

  1. 列出目录中的 accessPackageResources 并为任何尚不在该目录中的资源创建 accessPackageResourceRequestList the accessPackageResources in the catalog and create an accessPackageResourceRequest for any resources that are not yet in the catalog.
  2. 列出 accessPackageCatalog 中每个 accessPackageResource 的 accessPackageResourceRolesList the accessPackageResourceRoles of each accessPackageResource in an accessPackageCatalog. 然后,在接下来创建 accessPackageResourceRoleScope 时将会使用此角色列表来选择角色。This list of roles will then be used to select a role, when subsequently creating an accessPackageResourceRoleScope.
  3. 创建访问包Create an accessPackage.
  4. 创建 accessPackageAssignmentPolicyCreate an accessPackageAssignmentPolicy.
  5. 为该访问包中所需的每个资源角色创建 accessPackageResourceRoleScopeCreate an accessPackageResourceRoleScope for each resource role needed in the access package.

后续步骤Next steps