Review access to groups and applications in Azure AD access reviews

Azure Active Directory (Azure AD) simplifies how enterprises manage access to groups and applications in Azure AD and other Microsoft Online Services with a feature called Azure AD access reviews. This article goes over how a designated reviewer performs an access review for members of a group or users with access to an application.

Perform access review using My Apps

You can start the access review process from the notification email or by going directly to the site.

  • Email:

Important

There could be delays in receiving email, and in some cases it could take up to 24 hours. Add azure-noreply@microsoft.com to your safe recipients list to make sure that you receive all emails.

  1. Look for an email from Microsoft asking you to review access. Here is an example email to review the access for a group.

    Example Microsoft email asking you to review access for a group

  2. Click the Start review link to open the access review.

  • If you don't have the email, you can find your pending access reviews by following these steps.

    1. Sign in to the My Apps portal at https://account.activedirectory.windowsazure.cn/r#/applications.

      My Apps portal listing the apps you have access to

    2. In the upper-right corner of the page, click the user next to your name and default organization. If more than one organization is listed, select the organization that requested an access review.

    3. Click the Access reviews tile to see a list of pending access reviews.

      Note

      If the Access reviews tile isn't visible, there are no access reviews to perform for that organization and no action is needed at this time.

      List of pending access reviews for apps and groups

    4. Click the Begin review link for the access review you want to perform.

Once you have opened the access review, you see the names of the users whose access needs to be reviewed.

If the request is to review your own access, the page will look different. For more information, see Review access for yourself to groups or applications.

Open access review listing the users to review

There are two ways that you can approve or deny access:

  • You can approve or deny access for one or more users 'manually' by choosing the appropriate action for each user request.
  • You can accept the system recommendations.

Approve or deny access for one or more users

  1. Review the list of users and decide whether to approve or deny their continued access.

    • To approve or deny access for a single user, click the row to open a window to specify the action to take.
    • To approve or deny access for multiple users, add check marks next to the users and then click the Review X user(s) button to open a window to specify the action to take.
  2. Click Approve or Deny.

    Action window with the Approve, Deny and Don't know options

    Note

    If you are unsure, you can click Don't know. The user keeps their access, and your choice is recorded in the audit logs.

  3. The administrator of the access review may require that you supply a reason in the Reason box for your decision. Even when a reason is not required, you can still provide one, and the information you include will be available to other reviewers.

  4. Once you have specified the action to take, click Save.

    Note

    You can change your response at any time before the access review ends. If you want to change your response, select the row and update the response. For example, you can approve a previously denied user or deny a previously approved user.

    Important

    • If a user is denied access, they aren't removed immediately. They are removed when the review period has ended or when an administrator stops the review, if Auto apply is enabled.
    • If there are multiple reviewers, the last submitted response is recorded. Consider an example where an administrator designates two reviewers, Alice and Bob. Alice opens the access review first and approves a user's access request. Before the review period ends, Bob opens the access review and denies access on the same request previously approved by Alice. The last decision, denying the access, is the response that gets recorded.
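The decision rules stated in the notes above (a Don't know response keeps the user's access and is written to the audit log, a response can be changed until the review ends, denied users are only removed when the review ends with Auto apply on, and the last submitted response wins when several reviewers decide on the same user) are easy to get wrong when reasoning about review outcomes, so here they are modelled in Python. This is an added example, not Microsoft's code and not the Azure AD API: the AccessReview and Decision classes, the group name, the reviewers and the users are all constructed for illustration.

```python
# Added example (not Microsoft's code): a small model of how access review
# responses resolve under the rules this page states. Every name below is
# constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Set

VALID_ACTIONS = ("Approve", "Deny", "Don't know")


@dataclass
class Decision:
    reviewer: str
    user: str
    action: str          # one of VALID_ACTIONS
    reason: str = ""     # optional unless the review requires one


@dataclass
class AccessReview:
    resource: str                  # group or application under review
    reviewers: List[str]           # designated reviewers
    members: Set[str]              # users whose access is being reviewed
    auto_apply: bool = False
    reason_required: bool = False
    decisions: Dict[str, Decision] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)
    closed: bool = False

    def record(self, decision: Decision) -> None:
        """Record a reviewer's response; the last submitted response wins."""
        if self.closed:
            raise ValueError("review has ended; responses can no longer change")
        if decision.reviewer not in self.reviewers:
            raise PermissionError(f"{decision.reviewer} is not a designated reviewer")
        if decision.user not in self.members:
            raise KeyError(f"{decision.user} is not in scope of this review")
        if decision.action not in VALID_ACTIONS:
            raise ValueError(f"unknown action {decision.action!r}")
        if self.reason_required and not decision.reason:
            raise ValueError("this review requires a reason for each decision")
        previous = self.decisions.get(decision.user)
        self.decisions[decision.user] = decision   # overwrites any earlier response
        self.audit_log.append(
            f"{decision.reviewer}: {decision.user} -> {decision.action}"
            + (f" (was {previous.action} by {previous.reviewer})" if previous else "")
            + (f" reason={decision.reason!r}" if decision.reason else "")
        )

    def pending(self) -> Set[str]:
        """Users with no response yet ('Don't know' counts as a response)."""
        return self.members - set(self.decisions)

    def close(self) -> Set[str]:
        """End the review. Denied users are removed only when Auto apply is on;
        otherwise nothing changes here (assumption: an administrator applies
        the results separately)."""
        self.closed = True
        if not self.auto_apply:
            return set()
        removed = {u for u, d in self.decisions.items() if d.action == "Deny"}
        self.members -= removed
        return removed


def alice_and_bob_example() -> Dict[str, object]:
    """The two-reviewer scenario from the page: Alice approves, Bob later denies."""
    review = AccessReview("Finance Approvers (constructed)", ["Alice", "Bob"],
                          {"carol", "dave"}, auto_apply=True)
    review.record(Decision("Alice", "carol", "Approve"))
    review.record(Decision("Bob", "carol", "Deny", reason="no sign-in in 90 days"))
    review.record(Decision("Alice", "dave", "Don't know"))   # dave keeps access
    member_before_close = "carol" in review.members          # not removed yet
    removed = review.close()                                 # Auto apply removes carol
    return {
        "recorded": review.decisions["carol"].action,
        "member_before_close": member_before_close,
        "removed": removed,
        "remaining": review.members,
        "log": review.audit_log,
    }


if __name__ == "__main__":
    for key, value in alice_and_bob_example().items():
        print(f"{key}: {value}")
```

Running the module prints the recorded decision for carol (Deny), shows she was still a member until close() ran, and lists the audit entries including the overwrite of Alice's earlier approval.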

Approve or deny access based on recommendations

To make access reviews easier and faster for you, we also provide recommendations that you can accept with a single click. The recommendations are generated based on the user's sign-in activity.

  1. In the blue bar at the bottom of the page, click Accept recommendations.

    Open access review list showing the Accept recommendations button

    You see a summary of the recommended actions.

    Window showing a summary of the recommended actions

  2. Click Ok to accept the recommendations.

Next steps