Configure Azure AD custom roles in Privileged Identity Management

A privileged role administrator can change the role settings that apply to a user when they activate their assignment to a custom role, and the settings that apply to other application administrators who assign custom roles.

Note

Azure AD custom roles are not integrated with the built-in directory roles during preview. Once the capability is generally available, role management will take place in the built-in roles experience. If you see the following banner, these roles should be managed in the built-in roles experience and this article does not apply:

[Screenshot: Select Azure AD > Privileged Identity Management]

Open role settings

Follow these steps to open the settings for an Azure AD role.

  1. Sign in to Privileged Identity Management in the Azure portal with a user account that is assigned to the Privileged role administrator role.

  2. Select Azure AD custom roles (Preview).

    [Screenshot: Select Azure AD custom roles preview to see eligible role assignments]

  3. Select Settings to open the Settings page. Select the role whose settings you want to configure.

  4. Select Edit to open the Role settings page.

    [Screenshot: Open an Azure AD custom role to edit its settings]

Role settings

There are several settings you can configure.

Assignment duration

You can choose from two assignment duration options for each assignment type (eligible or active) when you configure settings for a role. These options become the default maximum duration when a member is assigned to the role in Privileged Identity Management.

You can choose one of these eligible assignment duration options:

  • Allow permanent eligible assignment: Administrators can assign permanent eligible membership.
  • Expire eligible assignment after: Administrators can require that all eligible assignments have a specified start and end date.

Also, you can choose one of these active assignment duration options:

  • Allow permanent active assignment: Administrators can assign permanent active membership.
  • Expire active assignment after: Administrators can require that all active assignments have a specified start and end date.

Require Azure Multi-Factor Authentication

Privileged Identity Management provides optional enforcement of Azure Multi-Factor Authentication for two distinct scenarios.

  • Require Multi-Factor Authentication on active assignment

    If you only want to assign a member to a role for a short duration (one day, for example), it might be too slow to require the assigned members to request activation. In this scenario, Privileged Identity Management can't enforce multi-factor authentication when the user activates their role assignment, because they are already active in the role from the moment they are assigned. To ensure that the administrator fulfilling the assignment is who they say they are, select the Require Multi-Factor Authentication on active assignment box.

  • Require Multi-Factor Authentication on activation

    You can require eligible users assigned to a role to enroll in Azure Multi-Factor Authentication before they can activate. This process ensures, with reasonable certainty, that the user who is requesting activation is who they say they are. Enforcing this option protects critical roles in situations where the user account might have been compromised. To require an eligible member to run Azure Multi-Factor Authentication before activation, select the Require Multi-Factor Authentication on activation box.

For more information, see Multi-factor authentication and Privileged Identity Management.

Activation maximum duration

Use the Activation maximum duration slider to set the maximum time, in hours, that a role stays active before it expires. This value can be from 1 to 24 hours.

Require justification

You can require that members enter a justification on active assignment or when they activate. To require justification, select the Require justification on active assignment check box or the Require justification on activation check box.

Require approval to activate

If you want to require approval to activate a role, follow these steps.

  1. Select the Require approval to activate check box.

  2. Select Select approvers to open the Select a member or group list.

    [Screenshot: Select approvers for the Azure AD custom role]

  3. Select at least one member or group and then click Select. You must select at least one approver. There are no default approvers. Your selections will appear in the list of selected approvers.

  4. Once you have specified the role settings, select Update to save your changes.
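The settings above are only ever set by hand in the portal, and the page gives the constraints in prose: an activation window of 1 to 24 hours, approval that needs at least one explicitly chosen approver, and MFA on active assignment because direct active assignments never pass through activation-time MFA. The following added example (not Microsoft code, and it does not talk to the Azure portal or any API) models one role's settings as a plain Python object, validates the constraints the page states, flags the options a defender would want tightened, and shows a permissive configuration next to its hardened form. The role name, the approver group, the expiry periods and the 8-hour activation threshold are constructed values chosen for the example.

```python
"""Offline checker for the PIM role settings described on this page.

Added example, not part of the product: it models the Role settings page as
a dataclass, applies the rules the page states as hard errors, and reports
weaker-than-needed choices as warnings.
"""
from dataclasses import dataclass, field, replace
from typing import List, Optional

# Threshold chosen for this example; the portal allows 1-24 hours.
MAX_RECOMMENDED_ACTIVATION_HOURS = 8


@dataclass
class RoleSettings:
    """One custom role's settings, one field per option on the page."""
    role_name: str
    allow_permanent_eligible: bool = False
    eligible_expire_after_days: Optional[int] = None   # used when not permanent
    allow_permanent_active: bool = False
    active_expire_after_days: Optional[int] = None     # used when not permanent
    require_mfa_on_active_assignment: bool = False
    require_mfa_on_activation: bool = False
    activation_max_hours: int = 1
    require_justification_on_active_assignment: bool = False
    require_justification_on_activation: bool = False
    require_approval_to_activate: bool = False
    approvers: List[str] = field(default_factory=list)  # members or groups


def validate(s: RoleSettings) -> List[str]:
    """Hard errors: combinations the page says the portal does not accept."""
    errors = []
    if not 1 <= s.activation_max_hours <= 24:
        errors.append(f"{s.role_name}: activation maximum duration must be "
                      f"1-24 hours, got {s.activation_max_hours}")
    if not s.allow_permanent_eligible and not s.eligible_expire_after_days:
        errors.append(f"{s.role_name}: eligible assignments must either be "
                      "permanent or expire after a set period")
    if not s.allow_permanent_active and not s.active_expire_after_days:
        errors.append(f"{s.role_name}: active assignments must either be "
                      "permanent or expire after a set period")
    if s.require_approval_to_activate and not s.approvers:
        errors.append(f"{s.role_name}: approval is required but no approver "
                      "is selected (there are no default approvers)")
    return errors


def review(s: RoleSettings) -> List[str]:
    """Warnings: settings the portal accepts but that weaken a privileged role."""
    warnings = []
    if s.allow_permanent_active:
        warnings.append("permanent active assignment allowed: members hold the "
                        "role standing, with no activation step at all")
    if s.allow_permanent_eligible:
        warnings.append("permanent eligible assignment allowed: eligibility "
                        "never lapses and is never forced back through review")
    if not s.require_mfa_on_activation:
        warnings.append("MFA on activation not required: a compromised account "
                        "can activate the role with a password alone")
    if not s.require_mfa_on_active_assignment:
        warnings.append("MFA on active assignment not required: direct active "
                        "assignments never reach the activation-time MFA check")
    if not s.require_justification_on_activation:
        warnings.append("no justification on activation: the audit trail "
                        "records no stated reason for each activation")
    if not s.require_approval_to_activate:
        warnings.append("no approval required to activate: nobody reviews "
                        "activations before the role becomes active")
    if s.activation_max_hours > MAX_RECOMMENDED_ACTIVATION_HOURS:
        warnings.append(f"activation window of {s.activation_max_hours}h exceeds "
                        f"the {MAX_RECOMMENDED_ACTIVATION_HOURS}h threshold used here")
    return warnings


def harden(s: RoleSettings, approvers: List[str]) -> RoleSettings:
    """Copy of the settings with the stronger choice from each section of the page."""
    return replace(
        s,
        allow_permanent_eligible=False,
        eligible_expire_after_days=s.eligible_expire_after_days or 365,
        allow_permanent_active=False,
        active_expire_after_days=s.active_expire_after_days or 30,
        require_mfa_on_active_assignment=True,
        require_mfa_on_activation=True,
        activation_max_hours=max(1, min(s.activation_max_hours,
                                        MAX_RECOMMENDED_ACTIVATION_HOURS)),
        require_justification_on_active_assignment=True,
        require_justification_on_activation=True,
        require_approval_to_activate=True,
        approvers=list(approvers),
    )


# Constructed sample: a permissive policy as an administrator might first save it,
# with "Require approval to activate" ticked but nobody selected as approver.
WEAK = RoleSettings(
    role_name="App Registration Admin (example)",
    allow_permanent_eligible=True,
    allow_permanent_active=True,
    activation_max_hours=24,
    require_approval_to_activate=True,
    approvers=[],
)
HARDENED = harden(WEAK, approvers=["PIM approvers (example group)"])

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"== {label}: {len(validate(cfg))} errors, {len(review(cfg))} warnings")
        for line in validate(cfg) + review(cfg):
            print("  -", line)
```

Running the script lists one hard error for the permissive policy (approval without an approver, which step 3 above says the portal will not let you save) and six warnings, and nothing at all for the hardened copy. The two MFA warnings are reported independently on purpose: as the page explains, MFA on activation protects eligible members who request activation, while MFA on active assignment is the only check that applies to a member who is assigned the role directly for a short period.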

Next steps