Assign an Azure AD custom role in Privileged Identity Management

This article tells you how to use Privileged Identity Management (PIM) to create just-in-time and time-bound assignments to custom roles created for managing applications in the Azure Active Directory (Azure AD) administrative experience.

Note

Azure AD custom roles are not integrated with the built-in directory roles during preview. Once the capability is generally available, role management will take place in the built-in roles experience. If you see the following banner, these roles should be managed in the built-in roles experience and this article does not apply:

[Banner image: Select Azure AD > Privileged Identity Management]

Assign a role

Privileged Identity Management can manage custom roles that you create in Azure Active Directory (Azure AD) application management. The following steps make an eligible assignment to a custom directory role.

  1. Sign in to Privileged Identity Management in the Azure portal with a user account that is assigned the Privileged Role Administrator role.

  2. Select Azure AD custom roles (Preview).

    [Screenshot: Select Azure AD custom roles (Preview) to see eligible role assignments]

  3. Select Roles to see a list of custom roles for Azure AD applications.

    [Screenshot: Select Roles to see the list of eligible role assignments]

  4. Select Add member to open the assignment page.

  5. To restrict the scope of the role assignment to a single application, select Scope to specify an application scope.

    [Screenshot: Restrict the scope of an eligible role assignment in Azure AD]

  6. Select Select a role to open the Select a role list.

    [Screenshot: Select the eligible role to assign to a user]

  7. Select the role you want to assign and then click Select. The Select a member list opens.

    [Screenshot: Select the user to assign to the role]

  8. Select the user you want to assign to the role and then click Select. The Membership settings pane opens.

    [Screenshot: Set the role assignment type to Eligible or Active]

  9. On the Membership settings page, select Eligible or Active:

    • Eligible assignments require the user assigned to the role to perform an action before they can use the role. Actions might include passing a multi-factor authentication check, providing a business justification, or requesting approval from designated approvers.
    • Active assignments don't require the assigned user to perform any action to use the role. Active users have the privileges assigned to the role at all times.

  10. If the Permanent check box is present and available (depending on role settings), you can specify whether the assignment is permanent. Select the check box to make the assignment permanently eligible or permanently assigned. Clear the check box to specify an assignment duration.

  11. To create the new role assignment, click Save and then Add. A notification of the assignment process status is displayed.

To verify the role assignment, in an open role, select Assignments > Assign and verify that your role assignment is properly identified as eligible or active.

[Screenshot: Verify that the role assignment appears as Eligible or Active]
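The same eligible, time-bound, application-scoped assignment can be created and verified outside the portal. The following is an added example using Microsoft Graph PowerShell, not code from the original article; the role name, application name, user, justification and seven-day duration are placeholders, and the "/<application object id>" form of the directory scope is an assumption about how an application scope is expressed.

```powershell
# Added example (not part of the original article): create an eligible,
# time-bound assignment to a custom directory role scoped to one application,
# then verify it, using the Microsoft.Graph.Identity.Governance module.
# The signed-in account needs the Privileged Role Administrator role.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

$roleName = "Payroll App Administrator (custom)"   # placeholder custom role name
$appName  = "Contoso Payroll API"                  # placeholder app registration
$userUpn  = "alice@contoso.example"                # placeholder user

# Resolve the custom role definition, the application and the principal.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
$app  = Get-MgApplication -Filter "displayName eq '$appName'"
$user = Get-MgUser -UserId $userUpn

# Assumption: restricting the scope to a single application (step 5 above)
# corresponds to directoryScopeId "/<app object id>"; "/" would be the whole tenant.
$params = @{
    Action           = "adminAssign"
    Justification    = "Time-bound eligibility for the payroll release window"
    RoleDefinitionId = $role.Id
    PrincipalId      = $user.Id
    DirectoryScopeId = "/$($app.Id)"
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        # Clearing the Permanent check box (step 10) means the eligibility
        # expires; P7D = eligible for seven days, then it lapses on its own.
        Expiration    = @{ Type = "afterDuration"; Duration = "P7D" }
    }
}
$request = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $params
"Request $($request.Id) status: $($request.Status)"

# Verification (the equivalent of Assignments > Assign in the portal): list the
# user's eligibility schedules for this role and confirm the scope and expiry.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
    -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$($role.Id)'" |
    Select-Object DirectoryScopeId, Status,
        @{ n = 'EndDateTime'; e = { $_.ScheduleInfo.Expiration.EndDateTime } }
```

An assignment that shows an empty EndDateTime here is permanent; reviewing this output periodically is a cheap way to catch eligibilities that were meant to be time-bound but were created with the Permanent check box selected.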

Next steps