Assign eligibility for a privileged access group (preview) in Privileged Identity Management

Azure Active Directory (Azure AD) Privileged Identity Management (PIM) can help you manage the eligibility and activation of assignments to privileged access groups in Azure AD. You can assign eligibility to members or owners of the group.

Note

Every user who is eligible for membership in or ownership of a privileged access group must have an Azure AD Premium P2 license. For more information, see License requirements to use Privileged Identity Management.

Assign an owner or member of a group

Follow these steps to make a user eligible to be a member or owner of a privileged access group.

  1. Sign in to Azure AD with Global Administrator or group Owner permissions.

  2. Select Groups and then select the role-assignable group you want to manage. You can search or filter the list.

    [Screenshot: Find the role-assignable group to manage in PIM]

  3. Open the group and select Privileged access (Preview).

    [Screenshot: Open the Privileged Identity Management experience]

  4. Select Add assignments.

    [Screenshot: New assignment pane]

  5. Select the members or owners you want to make eligible for the privileged access group.

    [Screenshot: The Add assignments page with the Select members or groups pane open and the Select button highlighted]

  6. Select Next to set the membership or ownership duration.

    [Screenshot: Select members or groups pane]

  7. In the Assignment type list, select Eligible or Active. Privileged access groups provide two distinct assignment types:

    • Eligible assignments require the member of the role to perform an action to use the role. Actions might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.

    • Active assignments don't require the member to perform any action to use the role. Members assigned as active have the privileges assigned to the role at all times.

  8. If the assignment should be permanent (permanently eligible or permanently assigned), select the Permanently checkbox. Depending on your organization's settings, the check box might not appear or might not be editable.

  9. When finished, select Assign.

  10. To create the new role assignment, select Add. A notification of the status is displayed.

    [Screenshot: New assignment - notification]
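Steps 7 and 8 are where the security posture of the group is decided: an Active assignment grants standing privilege with no activation step, and the Permanently checkbox removes the expiry. The following script is an added example (not code from this article or from Microsoft) that reviews an export of group assignments and ranks them by how much standing privilege they represent. The record shape (principalId, groupId, accessId, assignmentState, scheduleInfo.expiration) is an assumption loosely modelled on the Graph schedule objects; the sample data is constructed, and the field names should be adapted to whatever your own export contains.

```python
"""Review exported PIM-for-groups assignments for standing privilege.

Added example; not code from the Microsoft docs page. The record shape is an
ASSUMPTION modelled on Graph's eligibility/assignment schedule objects
(principalId, groupId, accessId, scheduleInfo.expiration); rename the fields
to match whatever your own export contains.
"""
from datetime import datetime

# Constructed sample export (not real tenant data). "assignmentState" mirrors
# the portal's Eligible/Active choice (step 7); expiration type "noExpiration"
# mirrors the "Permanently" checkbox (step 8).
SAMPLE_ASSIGNMENTS = [
    {"principalId": "u-alice", "groupId": "g-helpdesk", "accessId": "member",
     "assignmentState": "Eligible",
     "scheduleInfo": {"expiration": {"type": "afterDateTime",
                                     "endDateTime": "2021-09-01T00:00:00Z"}}},
    {"principalId": "u-bob", "groupId": "g-helpdesk", "accessId": "owner",
     "assignmentState": "Active",
     "scheduleInfo": {"expiration": {"type": "noExpiration"}}},
    {"principalId": "u-carol", "groupId": "g-helpdesk", "accessId": "member",
     "assignmentState": "Active",
     "scheduleInfo": {"expiration": {"type": "afterDateTime",
                                     "endDateTime": "2021-12-31T00:00:00Z"}}},
    {"principalId": "u-dave", "groupId": "g-helpdesk", "accessId": "member",
     "assignmentState": "Eligible",
     "scheduleInfo": {"expiration": {"type": "noExpiration"}}},
    {"principalId": "u-erin", "groupId": "g-helpdesk", "accessId": "member",
     "assignmentState": "Active",
     "scheduleInfo": {"expiration": {"type": "afterDateTime",
                                     "endDateTime": "2021-01-31T00:00:00Z"}}},
]

# Fixed "now" so the review is reproducible; use datetime.now(timezone.utc) live.
NOW = datetime.fromisoformat("2021-06-01T00:00:00+00:00")

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


def parse_iso(ts):
    """Parse a Graph-style UTC timestamp; fromisoformat() rejects 'Z' before 3.11."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_permanent(rec):
    """True when the schedule never expires (the Permanently checkbox)."""
    return rec["scheduleInfo"]["expiration"]["type"] == "noExpiration"


def end_time(rec):
    """Expiry as an aware datetime, or None for a permanent assignment."""
    exp = rec["scheduleInfo"]["expiration"]
    return None if exp["type"] == "noExpiration" else parse_iso(exp["endDateTime"])


def classify(rec, now):
    """Rank one assignment: permanent Active access is standing privilege."""
    end = end_time(rec)
    if end is not None and end <= now:
        return "info", "expired on %s; remove it" % end.date()
    if rec["assignmentState"] == "Active":
        if is_permanent(rec):
            return "high", "permanent active %s: no activation step, no expiry" % rec["accessId"]
        return "medium", "active (no activation step) until %s" % end.date()
    if is_permanent(rec):
        return "low", "permanently eligible; activation (MFA/justification/approval) still required"
    return "info", "eligible until %s" % end.date()


def audit(records, now):
    """Return findings sorted by severity, then by principal."""
    findings = []
    for rec in records:
        sev, reason = classify(rec, now)
        findings.append({"principalId": rec["principalId"], "groupId": rec["groupId"],
                         "accessId": rec["accessId"], "severity": sev, "reason": reason})
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["principalId"]))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 1, 'medium': 1, ...}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def run_sample():
    """Audit the constructed sample against the fixed NOW."""
    return audit(SAMPLE_ASSIGNMENTS, NOW)


if __name__ == "__main__":
    for f in run_sample():
        print("%-6s %-8s %-6s %s" % (f["severity"], f["principalId"], f["accessId"], f["reason"]))
    print(summarize(run_sample()))
```

The ordering encodes the point of the two assignment types: a permanent Active owner sits at the top because nothing (no MFA, justification or approval) stands between that principal and the group's privileges, while a permanently eligible member is ranked low because every use still goes through activation. Expired schedules are surfaced so they can be removed under "Update or remove an existing role assignment" below.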

Update or remove an existing role assignment

Follow these steps to update or remove an existing role assignment.

  1. Sign in to Azure AD with Global Administrator or group Owner permissions.

  2. Select Groups and then select the role-assignable group you want to manage. You can search or filter the list.

    [Screenshot: Find the role-assignable group to manage in PIM]

  3. Open the group and select Privileged access (Preview).

    [Screenshot: Open the Privileged Identity Management experience]

  4. Select the role that you want to update or remove.

  5. Find the role assignment on the Eligible roles or Active roles tabs.

    [Screenshot: Update or remove a role assignment]

  6. Select Update or Remove to update or remove the role assignment.

    For information about extending a role assignment, see Extend or renew Azure resource roles in Privileged Identity Management.

Next steps