Activate an Azure AD custom role in Privileged Identity Management

Privileged Identity Management in Azure Active Directory (Azure AD) now supports just-in-time and time-bound assignment to custom roles created for Application Management in the Identity and Access Management administrative experience. For more information about creating custom roles to delegate application management in Azure AD, see Custom administrator roles in Azure Active Directory (preview).

Note

Azure AD custom roles are not integrated with the built-in directory roles during preview. Once the capability is generally available, role management will take place in the built-in roles experience. If you see the following banner, these roles should be managed in the built-in roles experience and this article does not apply:

(Banner image: Select Privileged Identity Management in Azure AD.)

Activate a role

When you need to activate an Azure AD custom role, request activation by selecting the My roles navigation option in Privileged Identity Management.

  1. Sign in to the Azure portal.

  2. Open Azure AD Privileged Identity Management.

  3. Select Azure AD custom roles to see a list of your eligible Azure AD custom role assignments.

    (Screenshot: the list of eligible Azure AD custom role assignments.)

Note

Before assigning a role, you must create and configure the role. For further information about configuring Azure AD custom roles, see Configure Azure AD custom roles in Privileged Identity Management.

  1. On the Azure AD custom roles (Preview) page, find the assignment you need.

  2. Select Activate your role to open the Activate page.

  3. If your role requires multi-factor authentication, select Verify your identity before proceeding. You are required to authenticate only once per session.

  4. Select Verify my identity and follow the instructions to provide any additional security verification.

  5. To specify a custom application scope, select Scope to open the filter pane. Request access to a role at the minimum scope needed. If your assignment is at an application scope, you can activate only at that scope.

    (Screenshot: the Azure AD resource scope of the role assignment.)

  6. If needed, specify a custom activation start time. When used, the role member is activated at the specified time.

  7. In the Reason box, enter the reason for the activation request. Whether a reason is required is configured in the role settings.

  8. Select Activate.

If the role doesn't require approval, it's activated according to your settings and is added to the list of active roles. If you want to use the activated role, start with the steps in Assign an Azure AD custom role in Privileged Identity Management.

If the role requires approval to activate, you will receive an Azure notification informing you that the request is pending approval.
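The portal steps above (scope, optional start time, reason, then activate, with either immediate activation or a pending-approval outcome) can be expressed as a single request. The following Python example is added here and is not from the article or from Microsoft; it assumes the Microsoft Graph `roleAssignmentScheduleRequests` endpoint with the `selfActivate` action, assumes the scope format `/<app-object-id>` for an application-scoped assignment, treats the `Provisioned` and `PendingApproval` response statuses as assumptions, and uses constructed placeholder IDs, role settings and token. It enforces the role setting (reason required, maximum duration) and the minimum-scope rule locally before anything is sent.

```python
"""Self-activation of an eligible Azure AD custom role via Microsoft Graph.

Added example; not the article's or Microsoft's own code. Endpoint, scope format
and status strings are assumptions; IDs, role settings and token are constructed.
"""
import json
import urllib.request
from datetime import datetime, timezone

# Assumed Graph endpoint for PIM activation requests.
GRAPH_URL = ("https://graph.microsoft.com/v1.0/roleManagement/directory/"
             "roleAssignmentScheduleRequests")

# Constructed stand-in for the per-role settings an administrator configured in PIM
# (the article's "role settings": whether a reason is required, maximum duration).
ROLE_SETTING = {"justification_required": True, "max_duration_hours": 8}


def build_activation_request(principal_id, role_definition_id, scope_id,
                             justification, hours, start=None,
                             setting=ROLE_SETTING):
    """Build the selfActivate body, rejecting locally what PIM would reject anyway."""
    if setting["justification_required"] and not justification.strip():
        raise ValueError("this role setting requires a reason for activation")
    if hours <= 0 or hours > setting["max_duration_hours"]:
        raise ValueError("duration must be between 1 and "
                         f"{setting['max_duration_hours']} hours")
    # "/" is the whole directory; an application scope is "/<app-object-id>" (assumed format).
    # Request the narrowest scope that fits the task.
    if not scope_id.startswith("/"):
        raise ValueError("scope must be '/' or an application scope such as '/<app-object-id>'")
    start_utc = start or datetime.now(timezone.utc)
    return {
        "action": "selfActivate",
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": scope_id,
        "justification": justification,
        "scheduleInfo": {
            # Custom start time (step 6); defaults to now.
            "startDateTime": start_utc.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "expiration": {"type": "AfterDuration", "duration": f"PT{hours}H"},
        },
    }


def submit_activation(body, access_token):
    """POST the request to Graph (network call; not exercised offline).

    The bearer token must come from an interactive sign-in that satisfied any
    MFA requirement (steps 3-4); a token without it is rejected by PIM.
    """
    req = urllib.request.Request(
        GRAPH_URL, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def activation_outcome(response):
    """Map the response status to the two outcomes the article describes
    (status values assumed: 'Provisioned' = active now, 'PendingApproval' = approver must act)."""
    status = response.get("status")
    if status == "Provisioned":
        return "active"
    if status == "PendingApproval":
        return "pending approval"
    return f"other ({status})"


if __name__ == "__main__":
    # Constructed placeholder IDs; replace with real object IDs before use.
    body = build_activation_request(
        principal_id="00000000-0000-0000-0000-000000000001",
        role_definition_id="00000000-0000-0000-0000-0000000000aa",
        scope_id="/00000000-0000-0000-0000-0000000000ee",   # one application, not "/"
        justification="Rotate client secret for app X, ticket INC-PLACEHOLDER",
        hours=2,
    )
    print(json.dumps(body, indent=2))
    # submit_activation(body, "<ACCESS_TOKEN_PLACEHOLDER>") would send it.
```

Keeping the duration and scope checks on the client does not replace the role settings enforced by PIM; it just gives the requester the same feedback the portal's Activate page would, before a request is logged against their identity.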

Next steps