Approve or deny requests for Azure AD roles in Privileged Identity Management

With Azure Active Directory (Azure AD) Privileged Identity Management (PIM), you can configure roles to require approval for activation, and choose one or multiple users or groups as delegated approvers. Delegated approvers have 24 hours to approve requests. If a request is not approved within 24 hours, the eligible user must submit a new request. The 24-hour approval time window is not configurable.

Determine your version of PIM

Beginning in November 2019, the Azure AD roles portion of Privileged Identity Management is being updated to a new version that matches the experience for Azure roles. This adds features and also changes the existing API. While the new version is being rolled out, the procedures you follow in this article depend on which version of Privileged Identity Management you currently have. Follow the steps in this section to determine which version of Privileged Identity Management you have. Once you know your version, select the procedures in this article that match it.

  1. Sign in to the Azure portal with a user who is in the Privileged role administrator role.

  2. Open Azure AD Privileged Identity Management. If there is a banner at the top of the overview page, follow the instructions in the New version tab of this article. Otherwise, follow the instructions in the Previous version tab.

    Select Azure AD > Privileged Identity Management.

Follow the steps in this article to approve or deny requests for Azure AD roles.

View pending requests

As a delegated approver, you receive an email notification when an Azure AD role request is pending your approval. You can view these pending requests in Privileged Identity Management.

  1. Sign in to the Azure portal.

  2. Open Azure AD Privileged Identity Management.

  3. Select Approve requests.

    Approve requests - page showing requests to review for Azure AD roles

    In the Requests for role activations section, you see a list of requests pending your approval.

Approve requests

  1. Find and select the request that you want to approve. An approve or deny page appears.

    Approve requests - Approve or deny pane with details and a Justification box

  2. In the Justification box, enter the business justification.

  3. Select Approve. You receive an Azure notification of your approval.

    Approval notification showing that the request has been approved

Deny requests

  1. Find and select the request that you want to deny. An approve or deny page appears.

    Approve requests - Approve or deny pane with details and a Justification box

  2. In the Justification box, enter the business justification.

  3. Select Deny. A notification appears with your denial.

Workflow notifications

Here is some information about workflow notifications:

  • Approvers are notified by email when a request for a role is pending their review. Email notifications include a direct link to the request, where the approver can approve or deny it.
  • Requests are resolved by the first approver who approves or denies.
  • When an approver responds to a request, all approvers are notified of the action.
  • Global admins and Privileged role admins are notified when an approved user becomes active in their role.

Note

A Global admin or Privileged role admin who believes that an approved user should not be active can remove the active role assignment in Privileged Identity Management. Although administrators are not notified of pending requests unless they are an approver, they can view and cancel any pending request for any user by viewing pending requests in Privileged Identity Management.

Next steps