Manage user access with Azure AD access reviews

With Azure Active Directory (Azure AD), you can easily ensure that users have appropriate access. You can ask the users themselves or a decision maker to participate in an access review and recertify (or attest to) users' access. The reviewers can give their input on each user's need for continued access based on suggestions from Azure AD. When an access review is finished, you can then make changes and remove access from users who no longer need it.

Note

If you want to review users' membership in administrative roles such as global administrator, see Start an access review in Azure AD Privileged Identity Management.

Prerequisites

  • Azure AD Premium P2

For more information, see License requirements.

Create and perform an access review

You can have one or more users as reviewers in an access review.

  1. Select a group in Azure AD that has one or more members, or select an application connected to Azure AD that has one or more users assigned to it.

  2. Decide whether to have each user review their own access or to have one or more users review everyone's access.

  3. As a global administrator or user administrator, go to the Identity Governance page.

  4. Create the access review. For more information, see Create an access review of groups or applications.

  5. When the access review starts, ask the reviewers to give input. By default, they each receive an email from Azure AD with a link to the access panel, where they review access to groups or applications.

  6. If the reviewers haven't given input, you can ask Azure AD to send them a reminder. By default, Azure AD automatically sends a reminder halfway to the end date to reviewers who haven't yet responded.

  7. After the reviewers give input, stop the access review and apply the changes. For more information, see Complete an access review of groups or applications.
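The steps above are described for the portal. As an added example (not code from this page or from Microsoft), the script below drives the same lifecycle for a group's members through the Microsoft Graph v1.0 access reviews API: it builds the review definition (step 4) with the page's defaults (mail notification, halfway reminder, Azure AD recommendations), then exposes the instance actions for sending a reminder (step 6) and for stopping the review and applying its decisions (step 7). It assumes a bearer token carrying the `AccessReview.ReadWrite.All` permission; the group id, reviewer ids and token are placeholders, the quarterly recurrence is this example's own choice, and only reviewer-based (not self-) review is shown.

```python
"""Create, remind, stop and apply an Azure AD access review via Microsoft Graph.

Added example; assumes a token with AccessReview.ReadWrite.All. All ids below
are placeholders. Nothing is sent unless GRAPH_TOKEN is set in the environment.
"""
import json
import os
import urllib.request
from datetime import datetime, timezone

GRAPH_ACCESS_REVIEWS = "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews"
INSTANCE_ACTIONS = ("sendReminder", "stop", "applyDecisions")


def build_access_review_definition(group_id, reviewer_ids, display_name,
                                   duration_days=14, start=None):
    """Return the accessReviewScheduleDefinition body for a quarterly review of
    all (transitive) members of `group_id`, decided by the users in `reviewer_ids`.

    Settings follow the portal defaults the page describes: reviewers are
    mailed, reminded halfway, and shown Azure AD's recommendations. Decisions
    are deliberately not auto-applied so the administrator stops the review
    and applies them (step 7)."""
    if not reviewer_ids:
        raise ValueError("a reviewer-based review needs at least one reviewer")
    start = start or datetime.now(timezone.utc)
    return {
        "displayName": display_name,
        "descriptionForAdmins": f"Recertify membership of group {group_id}",
        "descriptionForReviewers": "Approve only users who still need this access.",
        "scope": {
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "query": f"/groups/{group_id}/transitiveMembers",
            "queryType": "MicrosoftGraph",
        },
        "reviewers": [
            {"query": f"/users/{uid}", "queryType": "MicrosoftGraph"}
            for uid in reviewer_ids
        ],
        "settings": {
            "mailNotificationsEnabled": True,
            "reminderNotificationsEnabled": True,
            "justificationRequiredOnApproval": True,
            "defaultDecisionEnabled": False,
            "defaultDecision": "None",
            "instanceDurationInDays": duration_days,
            "autoApplyDecisionsEnabled": False,
            "recommendationsEnabled": True,
            "recurrence": {
                # quarterly, on the 1st of the month, with no end date (example choice)
                "pattern": {"type": "absoluteMonthly", "interval": 3, "dayOfMonth": 1},
                "range": {"type": "noEnd",
                          "startDate": start.strftime("%Y-%m-%dT%H:%M:%SZ")},
            },
        },
    }


def instance_action_path(definition_id, instance_id, action):
    """Build the relative path of an instance action; rejects unknown actions."""
    if action not in INSTANCE_ACTIONS:
        raise ValueError(f"unknown action {action!r}, expected one of {INSTANCE_ACTIONS}")
    return f"/definitions/{definition_id}/instances/{instance_id}/{action}"


def graph_post(token, path, body=None):
    """POST `body` (or an empty body for actions) and return the JSON reply, if any."""
    data = json.dumps(body).encode() if body is not None else b""
    req = urllib.request.Request(GRAPH_ACCESS_REVIEWS + path, data=data, method="POST")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def create_access_review(token, definition):
    return graph_post(token, "/definitions", definition)        # step 4


def remind_reviewers(token, definition_id, instance_id):
    return graph_post(token, instance_action_path(definition_id, instance_id, "sendReminder"))  # step 6


def stop_and_apply(token, definition_id, instance_id):
    """Step 7: stop the running instance, then apply the reviewers' decisions."""
    graph_post(token, instance_action_path(definition_id, instance_id, "stop"))
    return graph_post(token, instance_action_path(definition_id, instance_id, "applyDecisions"))


if __name__ == "__main__":
    GROUP_ID = "00000000-0000-0000-0000-000000000001"          # placeholder
    REVIEWER_IDS = ["00000000-0000-0000-0000-0000000000aa"]   # placeholder
    definition = build_access_review_definition(GROUP_ID, REVIEWER_IDS,
                                                "Quarterly review: finance group members")
    print(json.dumps(definition, indent=2))
    token = os.environ.get("GRAPH_TOKEN")                     # only post with a real token
    if token:
        print(create_access_review(token, definition)["id"])
```

Run with no environment variable to inspect the generated definition offline; set `GRAPH_TOKEN` to actually create the review, then note the definition id and the current instance id (listed under `/definitions/{id}/instances`) for the reminder and stop/apply calls.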

Next steps

Create an access review of groups or applications