Configure permission classifications

Permission classifications allow you to identify the impact that different permissions have according to your organization's policies and risk evaluations. For example, you can use permission classifications in consent policies to identify the set of permissions that users are allowed to consent to.

Manage permission classifications

Currently, only the "Low impact" permission classification is supported. Only delegated permissions that don't require admin consent can be classified as "Low impact".

Tip

The minimum permissions needed to do basic sign-in are openid, profile, email, User.Read and offline_access, which are all delegated permissions on Microsoft Graph. With these permissions an app can read the full profile details of the signed-in user and can maintain this access even when the user is no longer using the app.

Follow these steps to classify permissions using the Azure portal:

  1. Sign in to the Azure portal as a Global Administrator, Application Administrator, or Cloud Application Administrator.
  2. Select Azure Active Directory > Enterprise applications > Consent and permissions > Permission classifications.
  3. Choose Add permissions to classify another permission as "Low impact".
  4. Select the API and then select the delegated permission(s).
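As an added example that is not part of the original page, the following PowerShell performs the same classification as the portal steps above for the five sign-in permissions named in the tip, and enforces the rule that only delegated permissions not requiring admin consent can be classified. It assumes the Microsoft Graph PowerShell SDK (Connect-MgGraph, Get-MgServicePrincipal, Get-/New-MgServicePrincipalDelegatedPermissionClassification), the Policy.ReadWrite.PermissionGrant scope, and Microsoft Graph's well-known application ID; none of these come from this page.

```powershell
# Added example (not from the original page). Cmdlet names, the scope and the
# Microsoft Graph application ID are assumptions about the Microsoft Graph
# PowerShell SDK and service, not values taken from this page.
Connect-MgGraph -Scopes "Policy.ReadWrite.PermissionGrant", "Application.Read.All"

# Microsoft Graph's well-known application (client) ID, the same in every tenant.
$graphAppId = "00000003-0000-0000-c000-000000000000"
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

# The minimum permissions for basic sign-in listed in the tip above.
$signInScopes = @("openid", "profile", "email", "User.Read", "offline_access")

# Existing classifications, so the script can be re-run without creating duplicates.
$existing = Get-MgServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $graphSp.Id

foreach ($scope in $graphSp.Oauth2PermissionScopes) {
    if ($signInScopes -notcontains $scope.Value) { continue }

    # Only delegated permissions that do not require admin consent may be
    # classified as low impact; Type is "User" for those and "Admin" otherwise.
    if ($scope.Type -ne "User") {
        Write-Warning "$($scope.Value) requires admin consent; skipping"
        continue
    }

    if ($existing.PermissionId -contains $scope.Id) {
        Write-Host "$($scope.Value) is already classified; skipping"
        continue
    }

    New-MgServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $graphSp.Id `
        -PermissionId $scope.Id -PermissionName $scope.Value -Classification "low" | Out-Null
    Write-Host "Classified $($scope.Value) as low impact"
}
```

After it runs, the Permission classifications page in the portal lists the newly classified permissions under Microsoft Graph.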

Next steps

To learn more:

To get help or find answers to your questions: