Management capabilities for Azure AD roles in Privileged Identity Management

The management experience for Azure AD roles in Privileged Identity Management has been updated to unify how Azure AD roles and Azure resource roles are managed. Previously, Privileged Identity Management for Azure resource roles had a couple of key features that were not available for Azure AD roles.

With the update currently being rolled out, we are merging the two into a single management experience, in which you get the same functionality for Azure AD roles as for Azure resource roles. This article describes the updated features and any requirements.

Time-bound assignments

Previously, there were two possible states for role assignments: eligible and permanent. Now you can also set a start and end time for each type of assignment. This addition gives you four possible states into which you can place an assignment:

  • Eligible permanently
  • Active permanently
  • Eligible, with specified start and end dates for the assignment
  • Active, with specified start and end dates for the assignment

In many cases, even if you don't want users to hold eligible assignments and activate roles every time, you can still protect your Azure AD organization by setting an expiration time on assignments. For example, if you have temporary users who are eligible for a role, consider setting an expiration so that they are removed from the role assignment automatically when their work is complete.

New role settings

We are also adding new settings for Azure AD roles.

  • Previously, you could only configure activation settings on a per-role basis. That is, activation settings such as multi-factor authentication requirements and incident/request ticket requirements applied to all users eligible for a specified role.
  • Now, you can configure whether an individual user needs to perform multi-factor authentication before they can activate a role. You also have more granular control over the Privileged Identity Management emails related to specific roles.

Extend and renew assignments

Once you understand time-bound assignments, the first question you might ask is what happens when a role assignment expires. In this new version, we provide two options for this scenario:

  • Extend: When a role assignment nears its expiration, the user can use Privileged Identity Management to request an extension for that role assignment.
  • Renew: When a role assignment has already expired, the user can use Privileged Identity Management to request a renewal of that role assignment.

Both user-initiated actions require approval from a Global administrator or Privileged role administrator. Admins no longer need to track these expirations themselves; they only need to wait for extension or renewal requests and approve them if the request is valid.

API changes

When the updated version is rolled out to a customer's Azure AD organization, the existing graph API stops working. You must transition to the Graph API for Azure resource roles. To manage Azure AD roles with that API, swap /azureResources for /aadroles in the signature and use the Directory ID as the resourceId.

We have tried our best to reach out to all customers who are using the previous API to let them know about this change ahead of time. If your Azure AD organization has been moved to the new version and you still depend on the old API, reach out to the team at

PowerShell change

For customers who are using the Privileged Identity Management PowerShell module for Azure AD roles, that PowerShell module will stop working with the update. In place of the previous cmdlets, you must use the Privileged Identity Management cmdlets in the Azure AD Preview PowerShell module. Install the Azure AD Preview PowerShell module from the PowerShell Gallery. You can then read the documentation and samples for PIM operations in that module.
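As an added example (not code from this article or from Microsoft's own samples), the following shows how the time-bound assignments described earlier are created and reviewed with the PIM cmdlets in the Azure AD Preview module. It assumes the module is installed and you are signed in as a Privileged Role Administrator; the tenant ID and user object ID are placeholders, and the role name, 90-day eligibility window and 30-day review cutoff are assumptions.

```powershell
# Added example: create a time-bound eligible Azure AD role assignment with the
# AzureADPreview PIM cmdlets, then list the user's assignments that expire soon.
# Assumptions: AzureADPreview is installed; you are signed in with the
# Privileged Role Administrator role; both IDs below are placeholders.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

# For the 'aadRoles' provider the resourceId is the Directory (tenant) ID.
$tenantId = '00000000-0000-0000-0000-000000000000'   # placeholder tenant ID
$userId   = '11111111-1111-1111-1111-111111111111'   # placeholder user object ID

# Resolve the role definition by display name rather than hard-coding its ID.
$role = Get-AzureADMSPrivilegedRoleDefinition -ProviderId 'aadRoles' -ResourceId $tenantId `
            -Filter "DisplayName eq 'Security Reader'"

# Schedule: eligible from now, expiring automatically after 90 days
# (the "Eligible, with specified start and end dates" state).
$now = (Get-Date).ToUniversalTime()
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type          = 'Once'
$schedule.StartDateTime = $now.ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
$schedule.EndDateTime   = $now.AddDays(90).ToString('yyyy-MM-ddTHH:mm:ss.fffZ')

# Submit the eligible assignment request as an administrator (type adminAdd).
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -ResourceId $tenantId `
    -RoleDefinitionId $role.Id -SubjectId $userId -Type 'adminAdd' -AssignmentState 'Eligible' `
    -Schedule $schedule -Reason 'Temporary contractor: eligible for 90 days'

# Review: which of this user's assignments (eligible or active) end within 30 days?
# These are the ones that will generate extend/renew requests for approval.
$cutoff = $now.AddDays(30)
Get-AzureADMSPrivilegedRoleAssignment -ProviderId 'aadRoles' -ResourceId $tenantId `
        -Filter "subjectId eq '$userId'" |
    Where-Object { $_.EndDateTime -and ([datetime]$_.EndDateTime) -le $cutoff } |
    Select-Object RoleDefinitionId, AssignmentState, StartDateTime, EndDateTime
```

Permanent assignments have no EndDateTime and are therefore excluded from the expiry review at the end.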

Next steps