Create an access review of an access package in Azure AD entitlement management

To reduce the risk of stale access, you should enable periodic reviews of users who have active assignments to an access package in Azure AD entitlement management. You can enable reviews when you create a new access package or edit an existing access package. This article describes how to enable access reviews of access packages.

Prerequisites

To enable reviews of access packages, you must meet the prerequisites for creating an access package:

  • Azure AD Premium P2
  • Global administrator, User administrator, Catalog owner, or Access package manager

For more information, see License requirements.

Create an access review of an access package

You can enable access reviews when creating a new access package or editing an existing access package policy. Follow these steps to enable access reviews of an access package:

  1. Open the Lifecycle tab for an access package and scroll down to Access Reviews.

  2. Move the Require access reviews toggle to Yes.

    (Screenshot: Add access reviews)

  3. Next to Starting on, specify the date the reviews will start.

  4. Next, set the Review frequency to Annually, Bi-annually, Quarterly or Monthly. This setting determines how often access reviews will occur.

  5. Set the Duration to define how many days each review of the recurring series will be open for input from reviewers. For example, you might schedule an annual review that starts on January 1st and is open for review for 30 days so that reviewers have until the end of the month to respond.

  6. Next to Reviewers, select Self-review if you want users to perform their own access review, or select Specific reviewer(s) if you want to designate a reviewer.

    (Screenshot: Select Add reviewers)

  7. If you selected Specific reviewer(s), specify which users will do the access review:

    1. Select Add reviewers.
    2. In the Select reviewers pane, search for and select the user(s) you want to be a reviewer.
    3. When you've selected your reviewer(s), click the Select button.

    (Screenshot: Specify reviewers)

  8. At the bottom of the page, click Review + Create if you are creating a new access package, or Update if you are editing an existing access package.

View the status of the access review

After the start date, an access review will be listed in the Access reviews section. Follow these steps to view the status of an access review:

  1. In Identity Governance, click Access packages, then select the access package whose access review status you'd like to check.

  2. Once you are on the access package overview, click Access reviews on the left menu.

    (Screenshot: Select access reviews)

  3. A list will appear that contains all of the policies that have access reviews associated with them. Click the review to see its report.

    (Screenshot: List of access reviews)

  4. When you view the report, it shows the number of users reviewed and the actions the reviewer took on them.

    (Screenshot: View review status)

Access reviews email notifications

You can designate reviewers, or users can review their access themselves. By default, Azure AD will send an email to reviewers or self-reviewers shortly after the review starts.

The email will include instructions on how to review access to access packages. If the review is for users to review their own access, show them the instructions on how to perform a self-review of their access packages.

If you've assigned guest users as reviewers, and they haven't accepted their Azure AD guest invitation, they won't receive emails from Azure AD access reviews. They must first accept the invite and create an account with Azure AD before they can receive the emails.

Next steps
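The schedule settings from the Lifecycle tab (steps 3 to 7) and the guest-reviewer notification rule above are easy to get subtly wrong: a Duration longer than the Review frequency interval makes consecutive reviews overlap, and a review whose only designated reviewer is a guest with an unredeemed invitation starts without anyone being emailed. The following Python script, added here as an illustration and not Microsoft's code nor the portal or Graph API payload, models those settings and checks them before they are saved. The AccessReviewSettings fields are assumptions that mirror the portal labels; the directory records are constructed, borrowing only the Azure AD user attributes userType and externalUserState (where "PendingAcceptance" marks a guest who has not yet accepted the invitation).

```python
"""Sanity-check an access package's access review settings before saving them.

Added example, not Microsoft's code and not the Graph API or portal payload:
the AccessReviewSettings fields and the directory records are assumptions
that mirror the Lifecycle tab labels and two Azure AD user attributes
(userType, externalUserState).
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Review frequency label on the Lifecycle tab -> months between review starts.
FREQUENCY_MONTHS = {"Annually": 12, "Bi-annually": 6, "Quarterly": 3, "Monthly": 1}
REVIEWER_TYPES = ("Self-review", "Specific reviewer(s)")

# Constructed directory records. "PendingAcceptance" means the guest has not
# redeemed the Azure AD invitation, so review emails will not reach them.
DIRECTORY = {
    "alice@contoso.example": {"userType": "Member", "externalUserState": None},
    "bob_fabrikam.example#EXT#@contoso.example": {"userType": "Guest", "externalUserState": "Accepted"},
    "carol_fabrikam.example#EXT#@contoso.example": {"userType": "Guest", "externalUserState": "PendingAcceptance"},
}


@dataclass
class AccessReviewSettings:
    require_reviews: bool
    starting_on: date
    frequency: str                    # key of FREQUENCY_MONTHS
    duration_days: int                # days each review stays open for reviewer input
    reviewer_type: str                # one of REVIEWER_TYPES
    reviewers: list = field(default_factory=list)  # UPNs, used for Specific reviewer(s)


def add_months(d, months):
    """Advance a date by whole months, clamping the day for shorter months."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    next_month_start = date(year + (month == 12), month % 12 + 1, 1)
    last_day = (next_month_start - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def review_windows(settings, count):
    """First `count` (opens, closes) date pairs of the recurring review series."""
    months = FREQUENCY_MONTHS[settings.frequency]
    windows = []
    for i in range(count):
        opens = add_months(settings.starting_on, i * months)
        windows.append((opens, opens + timedelta(days=settings.duration_days)))
    return windows


def reviewer_gets_email(record):
    """Members, and guests who accepted their invitation, receive review email."""
    if record["userType"] != "Guest":
        return True
    return record.get("externalUserState") == "Accepted"


def validate(settings, directory=DIRECTORY):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    if not settings.require_reviews:
        return problems
    if settings.frequency not in FREQUENCY_MONTHS:
        return [f"unknown review frequency {settings.frequency!r}"]
    if settings.duration_days < 1:
        problems.append("duration must be at least 1 day")
    else:
        # A window that outlasts the interval would overlap the next review.
        first, second = review_windows(settings, 2)
        if first[1] >= second[0]:
            problems.append(f"duration {settings.duration_days} days overlaps the next {settings.frequency} review")
    if settings.reviewer_type not in REVIEWER_TYPES:
        problems.append(f"unknown reviewer type {settings.reviewer_type!r}")
    elif settings.reviewer_type == "Specific reviewer(s)":
        if not settings.reviewers:
            problems.append("Specific reviewer(s) selected but no reviewers added")
        notified = 0
        for upn in settings.reviewers:
            if upn not in directory:
                problems.append(f"reviewer {upn} not found in directory")
            elif not reviewer_gets_email(directory[upn]):
                problems.append(f"reviewer {upn} has not accepted the guest invitation and will not get email")
            else:
                notified += 1
        if settings.reviewers and notified == 0:
            problems.append("no designated reviewer will receive the review email")
    return problems


if __name__ == "__main__":
    annual = AccessReviewSettings(True, date(2024, 1, 1), "Annually", 30, "Specific reviewer(s)",
                                  ["alice@contoso.example", "carol_fabrikam.example#EXT#@contoso.example"])
    print(review_windows(annual, 2))
    print(validate(annual))
```

Run as a script, the example prints the January review windows for 2024 and 2025 (January 1st to January 31st, matching the 30-day example in step 5) and flags carol as a reviewer who will never see the review email because her guest invitation is still pending. The overlap rule is a defensive choice of this example, not a restriction the portal enforces.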