What is Azure AD Privileged Identity Management?

Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization. These resources include resources in Azure AD, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune.

Reasons to use

Organizations want to minimize the number of people who have access to secure information or resources, because that reduces the chance of a malicious actor obtaining that access, or of an authorized user inadvertently impacting a sensitive resource. However, users still need to carry out privileged operations in Azure AD, Azure, Microsoft 365, or SaaS apps. Organizations can give users just-in-time privileged access to Azure resources and Azure AD, so that standing administrator rights are not held all the time. There is then a need for oversight of what those users are doing with their administrator privileges while they hold them.

What does it do?

Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about. Here are some of the key features of Privileged Identity Management:

  • Provide just-in-time privileged access to Azure AD and Azure resources
  • Assign time-bound access to resources using start and end dates
  • Require approval to activate privileged roles
  • Enforce multi-factor authentication to activate any role
  • Use justification to understand why users activate
  • Get notifications when privileged roles are activated
  • Conduct access reviews to ensure users still need roles
  • Download audit history for internal or external audit

What can I do with it?

Once you set up Privileged Identity Management, you'll see Tasks, Manage, and Activity options in the left navigation menu. As an administrator, you'll choose between options such as managing Azure AD roles, managing Azure resource roles, or privileged access groups. When you choose what you want to manage, you see the set of options appropriate to that selection.

Screenshot: Privileged Identity Management in the Azure portal

Who can do what?

For Azure AD roles in Privileged Identity Management, only a user who is in the Privileged Role Administrator or Global Administrator role can manage assignments for other administrators. You can grant access to other administrators to manage Privileged Identity Management. Global Administrators, Security Administrators, Global Readers, and Security Readers can also view assignments to Azure AD roles in Privileged Identity Management.

For Azure resource roles in Privileged Identity Management, only a subscription administrator, a resource Owner, or a resource User Access Administrator can manage assignments for other administrators. Users who are Privileged Role Administrators, Security Administrators, or Security Readers do not by default have access to view assignments to Azure resource roles in Privileged Identity Management; the two role systems are administered separately.

Scenarios

Privileged Identity Management supports the following scenarios:

Privileged Role Administrator permissions

  • Enable approval for specific roles
  • Specify approver users or groups to approve requests
  • View request and approval history for all privileged roles

Approver permissions

  • View pending approvals (requests)
  • Approve or reject requests for role elevation (single and bulk)
  • Provide justification for my approval or rejection

Eligible role user permissions

  • Request activation of a role that requires approval
  • View the status of your request to activate
  • Complete your task in Azure AD if activation was approved
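The eligible-user flow above (find what you are eligible for, request activation with a justification and a bounded duration, then check the request's status while it waits for MFA, approval or provisioning) can be driven from the Microsoft Graph PowerShell SDK instead of the portal. The following script is an added example written for this page; it is not code from the page or from Microsoft. It assumes the Microsoft.Graph module is installed, that the signed-in user holds an eligible assignment for the role named in $TargetRoleName, and that the role's activation policy permits the requested duration. The role name, ticket number, justification text and the PT2H duration are placeholders.

```powershell
# Added example (not from the original page): self-activate an eligible Azure AD role
# through Microsoft Graph, the same operation the "Activate" button performs in PIM.
# Assumptions: Microsoft.Graph PowerShell SDK installed; the signed-in user is eligible
# for $TargetRoleName; the role's PIM policy allows a 2-hour activation.

$TargetRoleName = "Security Administrator"   # placeholder: role you are eligible for

# Least-privilege scopes: read eligibilities, create/read activation requests.
Connect-MgGraph -Scopes "RoleEligibilitySchedule.Read.Directory",
                        "RoleAssignmentSchedule.ReadWrite.Directory"

# Resolve the signed-in principal (PIM requests are keyed by object ID, not UPN).
$me = Get-MgUser -UserId (Get-MgContext).Account

# 1. What am I eligible for? Eligibility schedule *instances* are the currently
#    valid eligible assignments (permanent or within their start/end window).
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
                -Filter "principalId eq '$($me.Id)'"

$target = $null
foreach ($e in $eligible) {
    $role = Get-MgRoleManagementDirectoryRoleDefinition `
                -UnifiedRoleDefinitionId $e.RoleDefinitionId
    Write-Host ("Eligible: {0} (scope {1}, ends {2})" -f $role.DisplayName,
                $e.DirectoryScopeId, ($e.EndDateTime ?? "never"))
    if ($role.DisplayName -eq $TargetRoleName) { $target = $e }
}
if (-not $target) { throw "No eligible assignment for '$TargetRoleName' for $($me.UserPrincipalName)" }

# 2. Request activation. Ask for only the time the task needs (here 2 hours),
#    not the policy maximum; the justification and ticket land in the audit log.
$body = @{
    action           = "selfActivate"
    principalId      = $me.Id
    roleDefinitionId = $target.RoleDefinitionId
    directoryScopeId = $target.DirectoryScopeId   # "/" = tenant-wide
    justification    = "Investigating sign-in alert; placeholder justification"
    ticketInfo       = @{ ticketNumber = "INC-0000"; ticketSystem = "placeholder" }
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "PT2H" }
    }
}
# If the role policy requires MFA and this session did not satisfy it, or the
# duration exceeds the policy maximum, this call fails with a policy-validation error.
$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $body

# 3. Poll the request. "PendingApproval" means an approver must act first;
#    "Provisioned" means the role is active until the expiration above.
$terminal = @("Provisioned", "Denied", "Failed", "Canceled", "Revoked")
do {
    Start-Sleep -Seconds 10
    $request = Get-MgRoleManagementDirectoryRoleAssignmentScheduleRequest `
                   -UnifiedRoleAssignmentScheduleRequestId $request.Id
    Write-Host "Request $($request.Id): $($request.Status)"
} while ($request.Status -notin $terminal)

if ($request.Status -ne "Provisioned") { throw "Activation ended with status $($request.Status)" }
Write-Host "Role '$TargetRoleName' active; re-activation needed after the PT2H window."
```

Azure resource roles (subscriptions, resource groups, resources) are not exposed through this Azure AD endpoint; they use the Azure Resource Manager roleAssignmentScheduleRequests API instead, which is why the page notes that the two role systems have separate administrators.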

Terminology

To better understand Privileged Identity Management and its documentation, you should review the following terms. Each entry gives the term, its role assignment category (type, state, or duration) where one applies, and a description.

eligible (type): A role assignment that requires a user to perform one or more actions before using the role. If a user has been made eligible for a role, they can activate the role when they need to perform privileged tasks. Once activated, the access is the same as that of a permanent (active) assignment; the only difference is that some people don't need that access all the time.

active (type): A role assignment that doesn't require a user to perform any action to use the role. Users assigned as active hold the privileges of the role at all times.

activate: The process of performing one or more actions to use a role that a user is eligible for. Actions might include passing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.

assigned (state): A user that has an active role assignment.

activated (state): A user that has an eligible role assignment, has performed the actions to activate the role, and is now active. Once activated, the user can use the role for a preconfigured period of time before they need to activate again.

permanent eligible (duration): A role assignment where a user is always eligible to activate the role.

permanent active (duration): A role assignment where a user can always use the role without performing any actions.

expire eligible (duration): A role assignment where a user is eligible to activate the role only within a specified start and end date.

expire active (duration): A role assignment where a user can use the role without performing any actions, but only within a specified start and end date.

just-in-time (JIT) access: A model in which users receive temporary permissions to perform privileged tasks, so that a compromised or unauthorized account cannot use those permissions after they have expired. Access is granted only when users need it.

principle of least privilege access: A recommended security practice in which every user is provided with only the minimum privileges needed to accomplish the tasks they are authorized to perform. This practice minimizes the number of Global Administrators and instead uses specific administrator roles for certain scenarios.

License requirements

Using this feature requires an Azure AD Premium P2 license. To find the right license for your requirements, see Comparing generally available features of the Free, Office 365 Apps, and Premium editions.

For information about licenses for users, see License requirements to use Privileged Identity Management.

Next steps