Review access of an access package in Azure AD entitlement management

Azure AD entitlement management simplifies how enterprises manage access to groups, applications, and SharePoint sites. This article describes how to perform access reviews, as a designated reviewer, for other users that are assigned to an access package.

Prerequisites

To review users' active access package assignments, you must meet the prerequisites to do an access review:

  • Azure AD Premium P2
  • Global administrator
  • Designated User administrator, Catalog owner, or Access package manager

For more information, see License requirements.

Open the access review

Use the following steps to find and open the access review:

  1. You may receive an email from Microsoft that asks you to review access. Locate the email to open the access review. Here is an example email to review access:

    [Image: Access review reviewer email]

  2. Click the Review user access link to open the access review.

  3. If you don’t have the email, you can find your pending access reviews by navigating directly to https://myaccess.microsoft.com.

  4. Click Access reviews on the left navigation bar to see a list of pending access reviews assigned to you.

    [Image: Select Access reviews on My Access]

  5. Click the review that you’d like to begin.

    [Image: Select the access review]

Perform the access review

Once you open the access review, you will see the names of the users whose access you need to review. There are two ways that you can approve or deny access:

  • You can manually approve or deny access for one or more users
  • You can accept the system recommendations

Manually approve or deny access for one or more users

  1. Review the list of users and determine which users need to continue to have access.

    [Image: List of users to review]

  2. To approve or deny access, select the radio button to the left of the user’s name.

  3. Select Approve or Deny in the bar above the user names.

    [Image: Select users]

  4. If you aren't sure, you can click the Don’t know button.

    If you make this selection, the user maintains access, and this selection goes in the audit logs. The log shows any other reviewers that you still completed the review.

  5. You may be required to provide a reason for your decision. Type in a reason and click Submit.

    [Image: Approve or deny access]

  6. You can change your decision at any time before the end of the review. To do so, select the user from the list and change the decision. For example, you can approve access for a user you previously denied.

If there are multiple reviewers, the last submitted response is recorded. Consider an example where an administrator designates two reviewers - Alice and Bob. Alice opens the review first and approves access. Before the review ends, Bob opens the review and denies access. In this case, the last deny access decision gets recorded.

Note

If a user is denied access, they aren't removed from the access package immediately. The user will be removed from the access package when the review ends, or when an administrator ends the review.
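The recording rules described above (the last submitted response wins, "Don't know" keeps access, and a denial takes effect only when the review ends) can be modeled in a few lines. This is an added example, not code from the original article or from Azure AD; the tuple layout, function names, and sample data are constructed for illustration, and it assumes the stated rules compose exactly as written.

```python
from datetime import datetime

# Constructed sample responses: (submitted_at, reviewer, user, decision).
SAMPLE_DECISIONS = [
    ("2021-03-01T09:00", "alice", "user1", "Approve"),
    ("2021-03-02T14:30", "bob",   "user1", "Deny"),        # later reviewer overrides Alice
    ("2021-03-01T10:00", "alice", "user2", "Deny"),
    ("2021-03-03T08:15", "alice", "user2", "Approve"),     # reviewer changed her own decision
    ("2021-03-02T11:00", "bob",   "user3", "Don't know"),
]


def recorded_decisions(decisions):
    """Return {user: (decision, reviewer)}, keeping only the last submitted response."""
    latest = {}
    for submitted_at, reviewer, user, decision in decisions:
        when = datetime.fromisoformat(submitted_at)
        if user not in latest or when >= latest[user][0]:
            latest[user] = (when, decision, reviewer)
    return {user: (d, r) for user, (_, d, r) in latest.items()}


def has_access(decisions, user, review_ended):
    """Whether `user` still holds the access package assignment.

    Raises KeyError for users with no response at all; the article does not
    describe that case, so this model does not guess an outcome for it.
    """
    decision, _ = recorded_decisions(decisions)[user]
    # Only a recorded Deny removes access, and only once the review has ended.
    return not (decision == "Deny" and review_ended)


def needs_follow_up(decisions):
    """Users whose recorded response is "Don't know": access kept with no real decision."""
    recorded = recorded_decisions(decisions)
    return sorted(u for u, (d, _) in recorded.items() if d == "Don't know")


if __name__ == "__main__":
    for user, (decision, reviewer) in sorted(recorded_decisions(SAMPLE_DECISIONS).items()):
        print(user, decision, "by", reviewer,
              "| access after review ends:", has_access(SAMPLE_DECISIONS, user, True))
    print("follow up on:", needs_follow_up(SAMPLE_DECISIONS))
```

When auditing a completed review, the `needs_follow_up` list is the part worth reading first: those users kept access without anyone actually affirming it.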

Approve or deny access using the system-generated recommendations

To review access for multiple users more quickly, you can use the system-generated recommendations, accepting the recommendations with a single click. The recommendations are generated based on the user's sign-in activity.

  1. In the bar at the top of the page, click Accept recommendations.

    [Image: Select Accept recommendations]

    You'll see a summary of the recommended actions.

  2. Click Submit to accept the recommendations.

Next steps