What is Azure AD entitlement management?

Azure Active Directory (Azure AD) entitlement management is an identity governance feature that enables organizations to manage identity and access lifecycle at scale, by automating access request workflows, access assignments, reviews, and expiration.

Employees in organizations need access to various groups, applications, and sites to perform their job. Managing this access is challenging, as requirements change - new applications are added or users need additional access rights. This scenario gets more complicated when you collaborate with outside organizations - you may not know who in the other organization needs access to your organization's resources, and they won't know what applications, groups, or sites your organization is using.

Azure AD entitlement management can help you more efficiently manage access to groups, applications, and SharePoint Online sites for internal users, and also for users outside your organization who need access to those resources.

Why use entitlement management?

Enterprise organizations often face challenges when managing employee access to resources such as:

  • Users may not know what access they should have, and even if they do, they may have difficulty locating the right individuals to approve their access
  • Once users find and receive access to a resource, they may hold on to access longer than is required for business purposes

These problems are compounded for users who need access from another organization, such as external users that are from supply chain organizations or other business partners. For example:

  • No one person may know all of the specific individuals in other organizations' directories to be able to invite them
  • Even if they were able to invite these users, no one in that organization may remember to manage all of the users' access consistently

Azure AD entitlement management can help address these challenges. To learn more about how customers have been using Azure AD entitlement management, you can read the Avanade case study and the Centrica case study.

What can I do with entitlement management?

Here are some of the capabilities of entitlement management:

  • Delegate to non-administrators the ability to create access packages. These access packages contain resources that users can request, and the delegated access package managers can define policies with rules for which users can request, who must approve their access, and when access expires.
  • Select connected organizations whose users can request access. When a user who is not yet in your directory requests access, and is approved, they are automatically invited into your directory and assigned access. When their access expires, if they have no other access package assignments, their B2B account in your directory can be automatically removed.

If you are ready to try entitlement management, you can get started with our tutorial to create your first access package.

What are access packages and what resources can I manage with them?

Entitlement management introduces to Azure AD the concept of an access package. An access package is a bundle of all the resources with the access a user needs to work on a project or perform their task. Access packages are used to govern access for your internal employees, and also users outside your organization.

Here are the types of resources you can manage users' access to with entitlement management:

  • Membership of Azure AD security groups
  • Membership of Microsoft 365 Groups and Teams
  • Assignment to Azure AD enterprise applications, including SaaS applications and custom-integrated applications that support federation/single sign-on and/or provisioning
  • Membership of SharePoint Online sites

You can also control access to other resources that rely upon Azure AD security groups or Microsoft 365 Groups. For example:

  • You can give users licenses for Microsoft 365 by using an Azure AD security group in an access package and configuring group-based licensing for that group
  • You can give users access to manage Azure resources by using an Azure AD security group in an access package and creating an Azure role assignment for that group

How do I control who gets access?

With an access package, an administrator or delegated access package manager lists the resources (groups, apps, and sites), and the roles the users need for those resources.

Access packages also include one or more policies. A policy defines the rules or guardrails for assignment to an access package. Each policy can be used to ensure that only the appropriate users are able to request access, that there are approvers for their request, and that their access to those resources is time-limited and will expire if not renewed.

Within each policy, an administrator or access package manager defines:

  • Either the already-existing users (typically employees or already-invited guests), or the partner organizations of external users, that are eligible to request access
  • The approval process and the users that can approve or deny access
  • The duration of a user's access assignment, once approved, before the assignment expires
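
The three policy elements listed above (who can request, who approves, how long access lasts) can be checked mechanically once policies are exported. The following is an added example, not code from the original page or from Microsoft: it audits constructed sample policies, and its field names follow the Microsoft Graph accessPackageAssignmentPolicy resource, which this page does not cover and which is an assumption here.

```python
import json

# Constructed sample: two policies on one access package, one for employees
# and one for external users. Field names are modelled on the Microsoft Graph
# accessPackageAssignmentPolicy resource (an assumption; not from this page).
SAMPLE_POLICIES = json.loads("""
[
  {"displayName": "Employees",
   "allowedTargetScope": "specificDirectoryUsers",
   "requestApprovalSettings": {
     "isApprovalRequiredForAdd": true,
     "stages": [{"primaryApprovers": [
       {"@odata.type": "#microsoft.graph.requestorManager", "managerLevel": 1}]}]},
   "expiration": {"type": "afterDuration", "duration": "P90D"}},
  {"displayName": "Partner users",
   "allowedTargetScope": "allExternalUsers",
   "requestApprovalSettings": {"isApprovalRequiredForAdd": false, "stages": []},
   "expiration": {"type": "noExpiration"}}
]
""")

# Scopes that let users from outside the directory request access.
EXTERNAL_SCOPES = {"specificConnectedOrganizationUsers",
                   "allConfiguredConnectedOrganizationUsers",
                   "allExternalUsers"}

def audit_policy(policy):
    """Return findings for one policy: missing approval, missing expiry."""
    findings = []
    approval = policy.get("requestApprovalSettings") or {}
    # Approval only counts if it is required AND at least one stage exists.
    if not (approval.get("isApprovalRequiredForAdd") and approval.get("stages")):
        findings.append("no-approval")
    expiry = (policy.get("expiration") or {}).get("type", "notSpecified")
    if expiry in ("noExpiration", "notSpecified"):
        findings.append("no-expiration")
    # A weak policy matters more when external users are eligible requestors.
    if findings and policy.get("allowedTargetScope") in EXTERNAL_SCOPES:
        findings.append("external-requestors")
    return findings

def audit(policies):
    """Map policy name -> findings, omitting policies with no findings."""
    results = {p["displayName"]: audit_policy(p) for p in policies}
    return {name: f for name, f in results.items() if f}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_POLICIES).items():
        print(f"{name}: {', '.join(findings)}")
```
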

The following diagram shows an example of the different elements in entitlement management. It shows one catalog with two example access packages.

  • Access package 1 includes a single group as a resource. Access is defined with a policy that enables a set of users in the directory to request access.
  • Access package 2 includes a group, an application, and a SharePoint Online site as resources. Access is defined with two different policies. The first policy enables a set of users in the directory to request access. The second policy enables users in an external directory to request access.


When should I use access packages?

Access packages do not replace other mechanisms for access assignment. They are most appropriate in situations such as:

  • Employees need time-limited access for a particular task.
  • Access that requires the approval of an employee's manager or other designated individuals.
  • Departments wish to manage their own access policies for their resources without IT involvement.
  • Two or more organizations are collaborating on a project, and as a result, multiple users from one organization will need to be brought in via Azure AD B2B to access another organization's resources.

How do I delegate access?

Access packages are defined in containers called catalogs. You can have a single catalog for all your access packages, or you can designate individuals to create and own their own catalogs. An administrator can add resources to any catalog, but a non-administrator can only add to a catalog the resources that they own. A catalog owner can add other users as catalog co-owners, or as access package managers. These scenarios are described further in the article delegation and roles in Azure AD entitlement management.

Summary of terminology

To better understand entitlement management and its documentation, you can refer back to the following list of terms.

Term | Description
access package | A bundle of resources that a team or project needs and is governed with policies. An access package is always contained in a catalog. You would create a new access package for a scenario in which users need to request access.
access request | A request to access the resources in an access package. A request typically goes through an approval workflow. If approved, the requesting user receives an access package assignment.
assignment | An assignment of an access package to a user ensures the user has all the resource roles of that access package. Access package assignments typically have a time limit before they expire.
catalog | A container of related resources and access packages. Catalogs are used for delegation, so that non-administrators can create their own access packages. Catalog owners can add resources they own to a catalog.
catalog creator | A collection of users who are authorized to create new catalogs. When a non-administrator user who is authorized to be a catalog creator creates a new catalog, they automatically become the owner of that catalog.
connected organization | An external Azure AD directory or domain that you have a relationship with. The users from a connected organization can be specified in a policy as being allowed to request access.
policy | A set of rules that defines the access lifecycle, such as how users get access, who can approve, and how long users have access through an assignment. A policy is linked to an access package. For example, an access package could have two policies - one for employees to request access and a second for external users to request access.
resource | An asset, such as an Office group, a security group, an application, or a SharePoint Online site, with a role that a user can be granted permissions to.
resource directory | A directory that has one or more resources to share.
resource role | A collection of permissions associated with and defined by a resource. A group has two roles - member and owner. SharePoint sites typically have 3 roles but may have additional custom roles. Applications can have custom roles.

License requirements

Using this feature requires an Azure AD Premium P2 license. To find the right license for your requirements, see Comparing generally available features of the Free, Office 365 Apps, and Premium editions.

Specialized clouds, such as Azure Germany, and Azure China 21Vianet, are not currently available for use.

How many licenses must you have?

Ensure that your directory has at least as many Azure AD Premium P2 licenses as you have:

  • Member users who can request an access package.
  • Member and guest users who request an access package.
  • Member and guest users who approve requests for an access package.
  • Member and guest users who have a direct assignment to an access package.

Azure AD Premium P2 licenses are not required for the following tasks:

  • No licenses are required for users with the Global Administrator role who set up the initial catalogs, access packages, and policies, and delegate administrative tasks to other users.
  • No licenses are required for users who have been delegated administrative tasks, such as catalog creator, catalog owner, and access package manager.
  • No licenses are required for guests who can request access packages, but do not request an access package.

Azure AD External Identities (guest user) pricing is based on monthly active users (MAU), which is the count of unique users with authentication activity within a calendar month. This model replaces the 1:5 ratio billing model, which allowed up to five guest users for each Azure AD Premium license in your tenant. When your tenant is linked to a subscription and you use External Identities features to collaborate with guest users, you'll be automatically billed using the MAU-based billing model. For more information, see Billing model for Azure AD External Identities.

For more information about licenses, see Assign or remove licenses using the Azure Active Directory portal.

Example license scenarios

Here are some example license scenarios to help you determine the number of licenses you must have.

Scenario | Calculation | Number of licenses
A Global Administrator at Woodgrove Bank creates initial catalogs and delegates administrative tasks to 6 other users. One of the policies specifies that "All employees" (2,000 employees) can request a specific set of access packages. 150 employees request the access packages. | 2,000 employees who can request the access packages | 2,000
A Global Administrator at Woodgrove Bank creates initial catalogs and delegates administrative tasks to 6 other users. One of the policies specifies that "All employees" (2,000 employees) can request a specific set of access packages. Another policy specifies that some users from "Users from partner Contoso" (guests) can request the same access packages subject to approval. Contoso has 30,000 users. 150 employees request the access packages and 10,500 users from Contoso request access. | 2,000 employees + 500 guest users from Contoso that exceed the 1:5 ratio (10,500 - (2,000 * 5)) | 2,500
