Deploy Azure AD Privileged Identity Management (PIM)

This article is a step-by-step guide to planning the deployment of Privileged Identity Management (PIM) in your Azure Active Directory (Azure AD) organization. You'll reassign users in high-privileged roles to less powerful built-in or custom roles where possible, and plan just-in-time role assignments for your most privileged roles. The article makes recommendations for both deployment planning and implementation.

Tip

Throughout this article, you will see items marked as:

✔️ Microsoft recommends

These are general recommendations, and you should implement them only when they apply to your specific enterprise needs.

Licensing requirements

To use Privileged Identity Management, your directory must have one of the following paid or trial licenses. For more information, see License requirements to use Privileged Identity Management.

  • Azure AD Premium P2
  • Enterprise Mobility + Security (EMS) E5
  • Microsoft 365 Education A5
  • Microsoft 365 Enterprise E5

How PIM works

This section reviews, for planning purposes, the relevant parts of the Privileged Identity Management process. For more information, see What is Azure AD Privileged Identity Management?

  1. Start using Privileged Identity Management so that users are made eligible for privileged roles rather than holding them permanently.

  2. When an eligible user needs their privileged role, they activate it in Privileged Identity Management.

  3. Depending on the role settings, the user can be required to:

    • Use multi-factor authentication
    • Request approval for activation
    • Provide a business reason for activation
  4. After the user successfully activates the role, they hold its permissions for the configured duration.

  5. Administrators can view a history of all Privileged Identity Management activity in the audit log. They can further secure their Azure AD organization and meet compliance requirements with Privileged Identity Management features such as access reviews and alerts.

Roles that can be managed by PIM

Azure AD roles all live in Azure Active Directory (for example Global Administrator, Exchange Administrator, and Security Administrator). You can read more about the roles and their functionality in Administrator role permissions in Azure Active Directory. For help deciding which roles to assign your administrators, see Least privileged roles by task.

Azure roles are linked to an Azure resource, resource group, subscription, or management group. You can use PIM to provide just-in-time access to built-in Azure roles such as Owner, User Access Administrator, and Contributor, and also to custom roles. For more information about Azure roles, see Azure role-based access control.

For more information, see Roles you can't manage in Privileged Identity Management.

Deployment plan

Before you deploy Privileged Identity Management in your organization, follow the instructions and understand the concepts in this section to help you create a plan tailored to your organization's privileged identity requirements.

Identify your stakeholders

The following section helps you identify all the stakeholders who are involved in the project and need to sign off, review, or stay informed. It includes separate tables for deploying PIM for Azure AD roles and PIM for Azure roles. Add stakeholders to the tables as appropriate for your organization.

  • SO = Sign off on this project
  • R = Review this project and provide input
  • I = Informed of this project

Stakeholders: Privileged Identity Management for Azure AD roles

| Name | Role | Action |
| --- | --- | --- |
| Name and email | Identity architect or Azure Global Administrator: a representative from the identity management team in charge of defining how to align this change with the core identity management infrastructure in your organization. | SO/R/I |
| Name and email | Service owner / Line manager: a representative from the IT owners of a service or a group of services. They're key in making decisions and helping to roll out Privileged Identity Management for their team. | SO/R/I |
| Name and email | Security owner: a representative from the security team who can sign off that the plan meets the security requirements of your organization. | SO/R |
| Name and email | IT support manager / Helpdesk: a representative from the IT support organization who can provide feedback on the supportability of this change from a helpdesk perspective. | R/I |
| Name and email for pilot users | Privileged role users: the group of users for which privileged identity management is implemented. They'll need to know how to activate their roles once Privileged Identity Management is implemented. | I |

Stakeholders: Privileged Identity Management for Azure roles

| Name | Role | Action |
| --- | --- | --- |
| Name and email | Subscription / Resource owner: a representative from the IT owners of each subscription or resource that you want to deploy Privileged Identity Management for. | SO/R/I |
| Name and email | Security owner: a representative from the security team who can sign off that the plan meets the security requirements of your organization. | SO/R |
| Name and email | IT support manager / Helpdesk: a representative from the IT support organization who can provide feedback on the supportability of this change from a helpdesk perspective. | R/I |
| Name and email for pilot users | Azure role users: the group of users for which privileged identity management is implemented. They'll need to know how to activate their roles once Privileged Identity Management is implemented. | I |

Start using Privileged Identity Management

As part of the planning process, prepare Privileged Identity Management by following the Start using Privileged Identity Management article. Privileged Identity Management gives you access to some features that are designed to help with your deployment.

If your goal is to deploy Privileged Identity Management for Azure resources, follow the Discover Azure resources to manage in Privileged Identity Management article. Only owners of subscriptions and management groups can bring these resources under management by Privileged Identity Management. Once a resource is under management, PIM functionality is available to owners at every level: management group, subscription, resource group, and resource. If you're a Global Administrator trying to deploy Privileged Identity Management for your Azure resources, you can elevate access to manage all Azure subscriptions, which gives you access to every Azure resource in the directory for discovery. However, we advise that you get approval from each subscription owner before managing their resources with Privileged Identity Management.

Enforce principle of least privilege

It's important to make sure that you've enforced the principle of least privilege in your organization for both your Azure AD roles and your Azure roles.

Plan least privilege delegation

For Azure AD roles, it's common for organizations to assign the Global Administrator role to a number of administrators when most of them only need one or two specific, less powerful administrator roles. With a large number of Global Administrators or other high-privilege roles, it's hard to track your privileged role assignments closely enough.

Follow these steps to implement the principle of least privilege for your Azure AD roles.

  1. Understand the granularity of the roles by reading the available Azure AD administrator roles. You and your team should also reference Administrator roles by identity task in Azure AD, which explains the least privileged role for specific tasks.

  2. List who has privileged roles in your organization. You can use Privileged Identity Management Discovery and insights (preview) to find them and reduce your exposure.

    [Screenshot: the Discovery and insights (preview) page, which helps reduce exposure through privileged roles]

  3. For all Global Administrators in your organization, find out why they need the role. Then remove them from the Global Administrator role and assign built-in roles or custom roles with lower privilege inside Azure Active Directory. For reference, Microsoft currently has only about 10 administrators with the Global Administrator role. Learn more at How Microsoft uses Privileged Identity Management.

  4. For all other Azure AD roles, review the list of assignments, identify administrators who no longer need the role, and remove them from their assignments.

To automate the last two steps, you can use access reviews in Privileged Identity Management. Following the steps in Start an access review for Azure AD roles in Privileged Identity Management, you can set up an access review for every Azure AD role that has one or more members.

[Screenshot: the Create an access review pane for Azure AD roles]

Set the reviewers to Members (self). All users in the role will receive an email asking them to confirm that they still need the access. Also turn on Require reason on approval in the advanced settings so that users must state why they need the role. Based on this information, you can remove users from unnecessary roles or delegate them to more granular administrator roles.

Access reviews rely on email to notify people to review their access to the roles. If you have privileged accounts that don't have an email address linked, be sure to populate the secondary email field on those accounts. For more information, see proxyAddresses attribute in Azure AD.

Plan Azure resource role delegation

For Azure subscriptions and resources, you can set up a similar access review process to review the roles in each subscription or resource. The goal of this process is to minimize the Owner and User Access Administrator assignments attached to each subscription or resource and to remove unnecessary assignments. However, organizations often delegate such tasks to the owner of each subscription or resource because they have a better understanding of the specific roles (especially custom roles).

If you're in the Global Administrator role and trying to deploy PIM for Azure roles in your organization, you can elevate access to manage all Azure subscriptions to get access to each subscription. You can then find each subscription owner and work with them to remove unnecessary assignments and minimize Owner role assignments.

Users with the Owner role for an Azure subscription can also use access reviews for Azure resources to audit and remove unnecessary role assignments, similar to the process described earlier for Azure AD roles.

Decide which role assignments should be protected by Privileged Identity Management

After cleaning up privileged role assignments in your organization, you'll need to decide which roles to protect with Privileged Identity Management.

If a role is protected by Privileged Identity Management, eligible users assigned to it must elevate before they can use the privileges granted by the role. The elevation process might also include obtaining approval, using multi-factor authentication, and providing a reason for activating. Privileged Identity Management can also track elevations through notifications and through the Privileged Identity Management and Azure AD audit event logs.

Choosing which roles to protect with Privileged Identity Management can be difficult and will differ for each organization. This section provides our best practice advice for Azure AD and Azure roles.

Azure AD roles

It's important to prioritize protecting the Azure AD roles that have the most permissions. Based on usage patterns among all Privileged Identity Management customers, the top 10 Azure AD roles managed by Privileged Identity Management are:

  1. Global Administrator
  2. Security Administrator
  3. User Administrator
  4. Exchange Administrator
  5. SharePoint Administrator
  6. Intune Administrator
  7. Security Reader
  8. Service Administrator
  9. Billing Administrator
  10. Skype for Business Administrator

Tip

✔️ Microsoft recommends that you manage all your Global Administrators and Security Administrators using Privileged Identity Management as a first step, because they are the users who can do the most harm when compromised.

It's important to consider which data and permissions are most sensitive for your organization. For example, some organizations may want to protect their Power BI Administrator role or their Teams Administrator role using Privileged Identity Management, because those roles can access data and change core workflows.

Any role that has guest users assigned is more exposed to attack.

Tip

✔️ Microsoft recommends that you manage all roles containing guest users using Privileged Identity Management to reduce the risk associated with compromised guest user accounts.

Reader roles such as Directory Reader, Message Center Reader, and Security Reader are sometimes regarded as less important than other roles because they don't have write permission. However, some customers also protect these roles, because an attacker with access to these accounts might be able to read sensitive data, such as personal data. Take this risk into consideration when deciding whether reader roles in your organization should be managed using Privileged Identity Management.
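The least-privilege steps above (list who holds privileged roles, move standing Global Administrators to eligible assignments, keep an email address on every privileged account so access reviews can reach it) and the tip about roles containing guest users can be checked offline against an export of role assignments. The Python below is an added example, not code from the article or from Microsoft: the assignment records, user principal names, domains and break-glass account names are constructed, and the flat record shape is an assumption (the `userType`, `mail` and `otherMails` names mirror Microsoft Graph user properties, but your export may differ).

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

GLOBAL_ADMIN = "Global Administrator"


@dataclass
class Assignment:
    """One role assignment as it might be exported for review.

    user_type follows the Graph user property ("Member" or "Guest");
    assignment_type is "Active" for a standing assignment or "Eligible"
    for a PIM eligibility. This flat shape is an assumption for the example.
    """
    upn: str
    role: str
    user_type: str
    assignment_type: str
    mail: Optional[str] = None
    other_mails: List[str] = field(default_factory=list)


# Constructed sample export; every name and domain below is made up.
BREAK_GLASS = ["breakglass1@example.com", "breakglass2@example.com"]
SAMPLE_ASSIGNMENTS = [
    Assignment("breakglass1@example.com", GLOBAL_ADMIN, "Member", "Active", mail="bg1@example.com"),
    Assignment("admin.alice@example.com", GLOBAL_ADMIN, "Member", "Active", mail="alice@example.com"),
    Assignment("bob@example.com", GLOBAL_ADMIN, "Member", "Eligible", mail="bob@example.com"),
    Assignment("partner_fabrikam.example#EXT#@example.com", "Security Administrator", "Guest", "Active",
               mail="partner@fabrikam.example"),
    Assignment("svc-exchange@example.com", "Exchange Administrator", "Member", "Active"),
    Assignment("carol@example.com", "Exchange Administrator", "Member", "Eligible",
               other_mails=["carol@mail.example"]),
]


def review_assignments(assignments: List[Assignment], break_glass_upns: List[str]) -> Dict[str, list]:
    """Return the findings the planning steps ask for, keyed by finding type."""
    break_glass = {u.lower() for u in break_glass_upns}
    findings: Dict[str, list] = {
        "standing_global_admin": [],  # step 3: permanent Global Admins other than the break-glass accounts
        "guest_in_role": [],          # roles with guest members are a priority for PIM management
        "no_email": [],               # access review notifications cannot reach these accounts
    }
    for a in assignments:
        if a.role == GLOBAL_ADMIN and a.assignment_type == "Active" and a.upn.lower() not in break_glass:
            findings["standing_global_admin"].append(a.upn)
        if a.user_type == "Guest":
            findings["guest_in_role"].append((a.upn, a.role))
        if not a.mail and not a.other_mails:
            findings["no_email"].append(a.upn)
    return findings


def role_population(assignments: List[Assignment]) -> Dict[str, int]:
    """Distinct principals per role (step 2); a large count is a hint to assign the role via a group."""
    members = {(a.role, a.upn.lower()) for a in assignments}
    return dict(Counter(role for role, _ in members))


if __name__ == "__main__":
    for key, items in review_assignments(SAMPLE_ASSIGNMENTS, BREAK_GLASS).items():
        print(f"{key}: {items}")
    for role, count in sorted(role_population(SAMPLE_ASSIGNMENTS).items()):
        print(f"{role}: {count} principal(s)")
```

On the sample data the review flags one standing Global Administrator who is not a break-glass account, one guest holding Security Administrator, and one service account with no email address on file; the eligible Global Administrator is not flagged because an eligible assignment is the intended end state.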

Azure roles

When deciding which role assignments should be managed using Privileged Identity Management for Azure resources, you must first identify the subscriptions and resources that are most vital for your organization. Examples of such subscriptions and resources are:

  • Resources that host the most sensitive data
  • Resources that core, customer-facing applications depend on

If you're a Global Administrator having trouble deciding which subscriptions and resources are most important, contact the subscription owners in your organization to gather a list of the resources managed by each subscription. Then work with the subscription owners to group the resources by the severity of the impact if they were compromised (low, medium, high). Prioritize managing resources with Privileged Identity Management based on this severity level.

Tip

✔️ Microsoft recommends that you work with the subscription/resource owners of critical services to set up a Privileged Identity Management workflow for all roles inside sensitive subscriptions/resources.

Privileged Identity Management for Azure resources supports time-bound service accounts. You should treat service accounts exactly the same as you would treat a regular user account.

For subscriptions/resources that are less critical, you won't need to set up Privileged Identity Management for all roles. However, you should still protect the Owner and User Access Administrator roles with Privileged Identity Management.

Tip

✔️ Microsoft recommends that you manage the Owner and User Access Administrator roles of all subscriptions/resources using Privileged Identity Management.

Decide whether to use a group to assign roles

Whether to assign a role to a group instead of to individual users is a strategic decision. When planning, consider assigning a role to a group to manage role assignments when:

  • Many users are assigned to a role
  • You want to delegate assigning the role

Many users are assigned to a role

Keeping track of who is assigned to a role, and managing their assignments based on when they need it, can take time when done manually.

You want to delegate assigning the role

A group owner can manage membership for a group. For Azure AD role-assignable groups, only the Privileged Role Administrator, the Global Administrator, and the group owners can manage group membership. When a new member is added to the group, that member gets access to the roles the group is assigned to, whether the assignment is eligible or active. Use group owners to delegate the management of group membership for an assigned role, which reduces the breadth of privilege required.

Tip

✔️ Microsoft recommends that you bring Azure AD role-assignable groups under management by Privileged Identity Management. After a role-assignable group is brought under management by PIM, it's called a privileged access group. Use PIM to require group owners to activate their Owner role assignment before they can manage group membership. For more information about bringing groups under PIM management, see Bring privileged access groups (preview) into Privileged Identity Management.

Decide which role assignments should be permanent or eligible

Once you have decided the list of roles to be managed by Privileged Identity Management, you must decide which users should get an eligible assignment versus a permanently active one. Permanently active roles are the normal roles assigned through Azure Active Directory and Azure resources, while eligible roles can only be assigned in Privileged Identity Management.

Tip

✔️ Microsoft recommends that you have zero permanently active assignments for both Azure AD roles and Azure roles, other than the recommended two break-glass emergency access accounts, which should have the permanent Global Administrator role.

Even though we recommend zero standing administrators, it is sometimes difficult for organizations to achieve this right away. Here are things to consider when making this decision:

  • Frequency of elevation: if the user only needs the privileged assignment once, they shouldn't have a permanent assignment. On the other hand, if the user needs the role for their day-to-day job and using Privileged Identity Management would greatly reduce their productivity, they can be considered for the permanent role.
  • Cases specific to your organization: if the person being given the eligible role is from a distant team, or is a high-ranking executive, to the point that communicating and enforcing the elevation process is difficult, they can be considered for the permanent role.

Tip

✔️ Microsoft recommends that you set up recurring access reviews for users with permanent role assignments (should you have any). Learn more about recurring access reviews in the final section of this deployment plan.

Draft your Privileged Identity Management settings

Before you implement your Privileged Identity Management solution, it is good practice to draft your Privileged Identity Management settings for every privileged role your organization uses. This section has some examples of Privileged Identity Management settings for particular roles (they are only for reference and might differ for your organization). Each of these settings is explained in detail, with Microsoft's recommendations, after the tables.

Privileged Identity Management settings for Azure AD roles

| Role | Require MFA | Notification | Incident ticket | Require approval | Approver | Activation duration | Permanent admin |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Global Administrator | ✔️ | ✔️ | ✔️ | ✔️ | Other Global Administrators | 1 hour | Emergency access accounts |
| Exchange Administrator | ✔️ | ✔️ | | | None | 2 hours | None |
| Helpdesk Administrator | | | ✔️ | | None | 8 hours | None |

Privileged Identity Management settings for Azure roles

| Role | Require MFA | Notification | Require approval | Approver | Activation duration | Active admin | Active expiration | Eligible expiration |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Owner of critical subscriptions | ✔️ | ✔️ | ✔️ | Other owners of the subscription | 1 hour | None | n/a | 3 months |
| User Access Administrator of less critical subscriptions | ✔️ | ✔️ | | None | 1 hour | None | n/a | 3 months |
| Virtual Machine Contributor | | ✔️ | | None | 3 hours | None | n/a | 6 months |

The following table describes each of the settings.

| Setting | Description |
| --- | --- |
| Role | Name of the role you are defining the settings for. |
| Require MFA | Whether the eligible user needs to perform MFA before activating the role. ✔️ Microsoft recommends that you enforce MFA for all administrator roles, especially if the roles have guest users. |
| Notification | If set to true, the Global Administrators, Privileged Role Administrators, and Security Administrators in the organization receive an email notification when an eligible user activates the role. Note: some organizations don't have an email address tied to their administrator accounts; to get these notifications, set an alternative email address so that administrators receive the emails. |
| Incident ticket | Whether the eligible user needs to record an incident ticket number when activating the role. This setting helps an organization tie each activation to an internal incident number, which discourages unwarranted activations. ✔️ Microsoft recommends taking advantage of incident ticket numbers to tie Privileged Identity Management into your internal system. This is also useful for approvers who need context for the activation. |
| Require approval | Whether the eligible user needs to get approval to activate the role. ✔️ Microsoft recommends that you set up approval for the roles with the most permissions. Based on usage patterns across all Privileged Identity Management customers, Global Administrator, User Administrator, Exchange Administrator, Security Administrator, and Password Administrator are the roles most commonly configured with approval. |
| Approver | If approval is required to activate the eligible role, list the people who should approve the request. By default, Privileged Identity Management sets the approvers to all users who are a Privileged Role Administrator, whether permanent or eligible. Note: if a user is both eligible for an Azure AD role and an approver of that role, they will not be able to approve themselves. ✔️ Microsoft recommends that you choose as approvers the users who are most knowledgeable about the role and its frequent users, rather than a Global Administrator. |
| Activation duration | The length of time a user is activated in the role before the activation expires. |
| Permanent admin | List of users who will be permanent administrators for the role (they never have to activate). ✔️ Microsoft recommends that you have zero standing administrators for all roles except Global Administrator. Read more in the Decide which role assignments should be permanent or eligible section of this plan. |
| Active admin | For Azure resources, the active administrators are the users who never have to activate to use the role. This list is not called permanent administrators as it is for Azure AD roles, because you can set an expiration time after which the user loses the role. |
| Active expiration | Active role assignments for Azure roles expire after the configured duration. You can choose from 15 days, 1 month, 3 months, 6 months, 1 year, or permanently active. |
| Eligible expiration | Eligible role assignments for Azure roles expire after this duration. You can choose from 15 days, 1 month, 3 months, 6 months, 1 year, or permanently eligible. |
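The drafted settings rows and the activation steps in the How PIM works section come together at the moment an eligible user activates. The Python below is an added example, not code from the article or from Microsoft: it builds the request body a self-activation sends to Microsoft Graph v1.0 (POST /roleManagement/directory/roleAssignmentScheduleRequests with action selfActivate, the API the Test implementation section refers to) and checks it against a drafted row before sending, so that an activation longer than the row's Activation duration, or one without an incident ticket where the row requires it, is caught client-side. The DRAFT rows reproduce the Azure AD roles table above; the principal and role definition identifiers are placeholders, and the ticket and change numbers are constructed. Require MFA and Require approval are enforced by the service during activation and are deliberately not checked here.

```python
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RoleSettings:
    """One row of the drafted Azure AD role settings table."""
    role: str
    require_mfa: bool
    notification: bool
    incident_ticket: bool
    require_approval: bool
    max_activation_hours: int


# Rows from the Azure AD roles table above, re-entered here for the example.
DRAFT: Dict[str, RoleSettings] = {
    "Global Administrator": RoleSettings("Global Administrator", True, True, True, True, 1),
    "Exchange Administrator": RoleSettings("Exchange Administrator", True, True, False, False, 2),
    "Helpdesk Administrator": RoleSettings("Helpdesk Administrator", False, False, True, False, 8),
}

GRAPH_ENDPOINT = "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests"


def build_activation_request(principal_id: str, role_definition_id: str, hours: int,
                             justification: Optional[str] = None,
                             ticket_number: Optional[str] = None,
                             ticket_system: Optional[str] = None,
                             start: Optional[datetime] = None) -> dict:
    """Body of a PIM self-activation request (POST to GRAPH_ENDPOINT).

    principal_id is the activating user's object id and role_definition_id is the
    directory role definition id; the caller supplies both.
    """
    start = start or datetime.now(timezone.utc)
    body = {
        "action": "selfActivate",
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": "/",  # tenant-wide scope
        "scheduleInfo": {
            "startDateTime": start.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "expiration": {"type": "AfterDuration", "duration": f"PT{hours}H"},  # ISO 8601 duration
        },
    }
    if justification:
        body["justification"] = justification  # the "business reason" from the How PIM works section
    if ticket_number:
        body["ticketInfo"] = {"ticketNumber": ticket_number, "ticketSystem": ticket_system or "unspecified"}
    return body


_WHOLE_HOURS = re.compile(r"^PT(\d+)H$")


def validate_request(body: dict, settings: RoleSettings) -> List[str]:
    """Problems the request has against the drafted row; an empty list means it is consistent."""
    problems: List[str] = []
    duration = body["scheduleInfo"]["expiration"]["duration"]
    match = _WHOLE_HOURS.match(duration)
    if not match:
        problems.append(f"unsupported duration {duration!r}; this example only handles whole hours")
    elif int(match.group(1)) > settings.max_activation_hours:
        problems.append(f"{match.group(1)}h exceeds the {settings.max_activation_hours}h "
                        f"activation duration for {settings.role}")
    if settings.incident_ticket and not body.get("ticketInfo", {}).get("ticketNumber"):
        problems.append(f"incident ticket number required for {settings.role}")
    return problems


if __name__ == "__main__":
    request = build_activation_request("<user-object-id>", "<role-definition-id>", 1,
                                       justification="Change CHG-0001 (constructed)",
                                       ticket_number="INC-0042", ticket_system="ServiceNow")
    print(json.dumps(request, indent=2))
    print(validate_request(request, DRAFT["Global Administrator"]))  # []
```

Sending the body requires an authenticated request to GRAPH_ENDPOINT; when the drafted row has Require approval set, the created request does not take effect until an approver acts on it, which is exactly the workflow the Approver setting above describes.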

Implementation plan

Proper planning is the foundation for deploying an application successfully with Azure Active Directory. It provides intelligent security and integration that simplifies onboarding while reducing the time to a successful deployment. This combination ensures that your application is integrated with ease while minimizing downtime for your end users.

Identify test users

Use this section to identify a set of users and/or groups of users to validate the implementation. Based on the settings that you selected in the planning section, identify the users that you want to test for each role.

Tip

✔️ Microsoft recommends that you make the service owners of each Azure AD role the test users, so they can become familiar with the process and become internal advocates for the rollout.

In this table, identify the test users who will verify that the settings for the roles are working.

| Role name | Test users |
| --- | --- |
| <Role name> | <Users to test the role> |
| <Role name> | <Users to test the role> |

Test implementation

Now that you have identified the test users, use this step to configure Privileged Identity Management for them. If your organization wants to build the Privileged Identity Management workflow into an internal application instead of using Privileged Identity Management in the Azure portal, every Privileged Identity Management operation is also available through the Microsoft Graph API.

Configure Privileged Identity Management for Azure AD roles

  1. Configure the Azure AD role settings according to your plan.

  2. Navigate to Azure AD roles, select Roles, and then select the role you configured.

  3. For the group of test users: if they are already permanent administrators, make them eligible by searching for them and converting the assignment from permanent to eligible with the three dots (...) on their row. If they do not have the role assignment yet, create a new eligible assignment.

  4. Repeat steps 1-3 for every role you want to test.

  5. Once the test users are set up, send them the link that explains how to activate their Azure AD role.

Configure Privileged Identity Management for Azure roles

  1. Configure the Azure resource role settings for a role in the subscription or resource you want to test.

  2. Navigate to Azure resources, open that subscription, select Roles, and then select the role you configured.

  3. For the group of test users: if they are already active administrators, make them eligible by searching for them and updating their role assignment. If they do not have the role yet, assign a new role.

  4. Repeat steps 1-3 for every role you want to test.

  5. Once the test users are set up, send them the link that explains how to activate their Azure resource role.
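The two procedures above are written for the portal. The following is an added example (not code from this article or from Privileged Identity Management itself) showing the API requests those clicks correspond to, for teams that script the rollout or drive it from an internal application as the introduction to this step suggests. It builds, but does not send, the request bodies for the public Microsoft Graph v1.0 role-management endpoints (Azure AD roles) and the Azure Resource Manager PIM endpoints (Azure roles); the same builder with an active, non-expiring assignment produces the request behind the "Make permanent" rollback step later in this article. Principal IDs, the subscription scope and the request ID in the usage section are constructed placeholders; the Global Administrator template ID and the Owner role definition ID are the built-in public constants; the permission named in submit() is the assumed minimum.

```python
"""Build the PIM requests behind the portal steps (added example).

Assumed endpoints (public Microsoft Graph v1.0 and Azure Resource Manager APIs):
  Azure AD roles : POST {GRAPH}/roleEligibilityScheduleRequests   (eligible)
                   POST {GRAPH}/roleAssignmentScheduleRequests    (active)
  Azure roles    : PUT  {ARM}{scope}/providers/Microsoft.Authorization/
                        roleEligibilityScheduleRequests/{id}      (eligible)
                        roleAssignmentScheduleRequests/{id}       (active)
"""
import json
import urllib.request
import uuid
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0/roleManagement/directory"
ARM = "https://management.azure.com"
ARM_API_VERSION = "2020-10-01"

# The expiration choices the portal offers, as ISO 8601 durations.
EXPIRATION_CHOICES = {
    "15 days": "P15D", "1 month": "P1M", "3 months": "P3M",
    "6 months": "P6M", "1 year": "P1Y",
}


def expiration(choice):
    """scheduleInfo.expiration for one of the portal's choices, or 'permanent'."""
    if choice == "permanent":
        return {"type": "noExpiration"}
    if choice not in EXPIRATION_CHOICES:
        raise ValueError(f"unsupported expiration choice: {choice!r}")
    return {"type": "afterDuration", "duration": EXPIRATION_CHOICES[choice]}


def _start(start):
    """Use the caller's ISO 8601 start time, or now (UTC)."""
    return start or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def aad_role_request(principal_id, role_definition_id, *, eligible=True,
                     expires="6 months", justification="PIM rollout", start=None):
    """(method, url, body) for an Azure AD role assignment made through PIM.

    eligible=True  -> the user must activate before using the role (step 3 above).
    eligible=False -> an active assignment; with expires='permanent' this is the
                      request behind the 'Make permanent' rollback step.
    """
    body = {
        "action": "adminAssign",
        "justification": justification,
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": "/",  # tenant-wide; an administrative unit or app ID narrows it
        "scheduleInfo": {"startDateTime": _start(start), "expiration": expiration(expires)},
    }
    kind = "roleEligibilityScheduleRequests" if eligible else "roleAssignmentScheduleRequests"
    return "POST", f"{GRAPH}/{kind}", body


def azure_role_request(scope, principal_id, role_definition_id, *, eligible=True,
                       expires="6 months", justification="PIM rollout", start=None,
                       request_id=None):
    """(method, url, body) for an Azure resource role at a subscription, resource
    group or resource scope. role_definition_id is the full ARM resource ID."""
    exp = expiration(expires)
    # ARM spells the same enum values in PascalCase (AfterDuration, NoExpiration).
    exp["type"] = exp["type"][0].upper() + exp["type"][1:]
    body = {"properties": {
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "requestType": "AdminAssign",
        "justification": justification,
        "scheduleInfo": {"startDateTime": _start(start), "expiration": exp},
    }}
    kind = "roleEligibilityScheduleRequests" if eligible else "roleAssignmentScheduleRequests"
    url = (f"{ARM}{scope}/providers/Microsoft.Authorization/{kind}/"
           f"{request_id or uuid.uuid4()}?api-version={ARM_API_VERSION}")
    return "PUT", url, body


def submit(request, bearer_token):
    """Send one request built above. Needs network access and a token that holds
    RoleEligibilitySchedule.ReadWrite.Directory (Graph) or Owner / User Access
    Administrator rights at the scope (ARM). Not called anywhere in this file."""
    method, url, body = request
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method=method,
                                 headers={"Authorization": f"Bearer {bearer_token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # The test-user table from the previous section, as code (constructed placeholders;
    # 62e90394-... is the built-in Global Administrator role template ID).
    plan = {"Global Administrator": ("62e90394-69f5-4237-9190-012177145e10",
                                     ["00000000-0000-0000-0000-00000000aaaa"])}
    for role_id, principals in plan.values():
        for principal in principals:
            method, url, body = aad_role_request(principal, role_id, expires="15 days")
            print(method, url, json.dumps(body, indent=2))
```

Repeating steps 1-3 for every role then becomes a loop over the plan table, and the same functions with eligible=False and expires="permanent" reproduce the portal's "Make permanent" conversion if you ever need to roll back.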

Use this stage to verify that every setting you configured for the roles works correctly. Record your tests in the following table. Also use this stage to fine-tune the communication with affected users.

| Role                    | Expected behavior during activation | Actual results |
|-------------------------|-------------------------------------|----------------|
| Global Administrator    | (1) Require MFA; (2) require approval; (3) approver receives a notification and can approve; (4) role expires after the preset time | |
| Owner of subscription X | (1) Require MFA; (2) eligible assignment expires after the configured time period | |

Communicate Privileged Identity Management to affected stakeholders

Deploying Privileged Identity Management introduces additional steps for users of privileged roles. Although Privileged Identity Management greatly reduces the security issues associated with privileged identities, the change needs to be communicated effectively before the organization-wide deployment. Depending on the number of administrators affected, organizations often create an internal document, a video, or an email about the change. These communications usually cover:

  • What PIM is
  • What the benefit is for the organization
  • Who will be affected
  • When PIM will be rolled out
  • What additional steps users must take to activate their role
  • Contact information or a helpdesk link for any issues with PIM

Tip

✔️Microsoft recommends that you set up time with your helpdesk/support team (if your organization has an internal IT support team) to walk them through the Privileged Identity Management workflow. Provide them with the appropriate documentation as well as your contact information.

Move to production

Once your testing is complete and successful, move Privileged Identity Management to production by repeating all the steps of the testing phase for all the users of each role you defined in your Privileged Identity Management configuration. For Azure AD roles, organizations often test and roll out Privileged Identity Management for Global Administrators before testing and rolling it out for other roles. For Azure resources, organizations normally test and roll out Privileged Identity Management one Azure subscription at a time.

If a rollback is needed

If Privileged Identity Management does not work as intended in the production environment, the following rollback steps return you to the known good state that existed before Privileged Identity Management was set up:

Azure AD roles

  1. Sign in to the Azure portal.
  2. Open Azure AD Privileged Identity Management.
  3. Select Azure AD roles, and then select Roles.
  4. For each role you configured, select the ellipsis (...) for every user with an eligible assignment.
  5. Select Make permanent to convert the role assignment into a permanent assignment.

Azure roles

  1. Sign in to the Azure portal.
  2. Open Azure AD Privileged Identity Management.
  3. Select Azure resources, and then select the subscription or resource you want to roll back.
  4. Select Roles.
  5. For each role you configured, select the ellipsis (...) for every user with an eligible assignment.
  6. Select Make permanent to convert the role assignment into a permanent assignment.

Next steps after deploying

Successfully deploying Privileged Identity Management in production is a significant step forward in securing your organization's privileged identities. The deployment also unlocks additional Privileged Identity Management features that you should use for security and compliance.

Use Privileged Identity Management alerts to safeguard your privileged access

For more information on using the built-in alerting in Privileged Identity Management to safeguard your organization, see security alerts. These alerts include: administrators are not using their privileged roles, roles are being assigned outside of Privileged Identity Management, roles are being activated too frequently, and more. To fully protect your organization, review your list of alerts regularly and fix the issues they raise. You can view and fix the alerts as follows:

  1. Sign in to the Azure portal.
  2. Open Azure AD Privileged Identity Management.
  3. Select Azure AD roles, and then select Alerts.

Tip

✔️Microsoft recommends that you deal with all alerts marked as high severity immediately. For medium and low severity alerts, stay informed and make changes if you believe there is a security threat.

If a specific alert is not useful or does not apply to your organization, you can dismiss it on the Alerts page. You can revert the dismissal later on the Azure AD settings page.

Set up recurring access reviews to regularly audit your organization's privileged identities

Access reviews are the best way to ask the users assigned to privileged roles, or designated reviewers, whether each user still needs the privileged identity. Access reviews are valuable when you want to reduce the attack surface and stay compliant. For more information about starting an access review, see Azure AD roles access reviews and Azure roles access reviews. For some organizations, periodic access reviews are required to stay compliant with laws and regulations; for others, access reviews are the best way to enforce the principle of least privilege throughout the organization.

Tip

✔️Microsoft recommends that you set up quarterly access reviews for all your Azure AD and Azure roles.

In most cases, the reviewer for Azure AD roles is the user themselves, while the reviewer for Azure roles is the owner of the subscription the role belongs to. However, companies often have privileged accounts that are not linked to any particular person's email address. In those cases, nobody reads the review request and the access is never reviewed.

Tip

✔️Microsoft recommends that you add a secondary email address to every account with privileged role assignments that is not linked to a regularly checked email address.

Get the most out of your audit log to improve security and compliance

The audit log is where you stay up to date and demonstrate compliance with regulations. Privileged Identity Management currently keeps a 30-day history of all activity in your organization in its audit log, including:

  • Activation and deactivation of eligible roles
  • Role assignment activity inside and outside of Privileged Identity Management
  • Changes to role settings
  • Request, approve and deny activity for role activations that require approval
  • Updates to alerts

You can access the audit logs if you are a Global Administrator or a Privileged Role Administrator. For more information, see audit history for Azure AD roles and audit history for Azure roles.

Tip

✔️Microsoft recommends that at least one administrator reads through all audit events weekly, and that you export your audit events monthly.

If you want to retain audit events automatically for longer than the 30 days Privileged Identity Management keeps, note that its audit log is automatically synced into the Azure AD audit logs, so whatever retention you configure for those applies to the Privileged Identity Management events as well.
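Because the Privileged Identity Management events land in the Azure AD audit log, the weekly read-through recommended above, and three of the built-in alerts described in the alerts section (roles assigned outside of Privileged Identity Management, permanent assignments made in Privileged Identity Management, and roles activated too frequently), can be reproduced over an export of that log. The following is an added example, not code from this article or from Privileged Identity Management. It assumes records in the shape of the Microsoft Graph directoryAudits resource (category, loggedByService, activityDisplayName, initiatedBy, targetResources); the activityDisplayName strings and the "PIM" versus "Core Directory" loggedByService values are the ones the two services are known to emit but are quoted here from memory, and SAMPLE_AUDIT_JSON is constructed.

```python
"""Triage PIM-related role-management events from an Azure AD audit log export
(added example). Record shape follows Microsoft Graph directoryAudits; the
activity strings are assumptions and the sample data is constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _rec(ts, activity, service, actor, target, role, result="success"):
    """Build one constructed audit record. actor=None models a PIM service action."""
    initiated = {"user": {"userPrincipalName": actor}} if actor else {"app": {"displayName": "Azure AD PIM"}}
    return {
        "activityDateTime": ts, "activityDisplayName": activity,
        "category": "RoleManagement", "loggedByService": service, "result": result,
        "initiatedBy": initiated,
        "targetResources": [{"type": "User", "userPrincipalName": target},
                            {"type": "Role", "displayName": role}],
    }


# Constructed sample: three activations by alice inside 12 hours, one direct
# (non-PIM) role grant, one permanent assignment made in PIM, one normal activation.
SAMPLE_AUDIT_JSON = json.dumps([
    _rec("2024-03-01T08:00:00Z", "Add member to role completed (PIM activation)", "PIM",
         "alice@contoso.example", "alice@contoso.example", "Global Administrator"),
    _rec("2024-03-01T12:00:00Z", "Add member to role completed (PIM activation)", "PIM",
         "alice@contoso.example", "alice@contoso.example", "Global Administrator"),
    _rec("2024-03-01T16:00:00Z", "Remove member from role (PIM activation expired)", "PIM",
         None, "alice@contoso.example", "Global Administrator"),
    _rec("2024-03-01T20:00:00Z", "Add member to role completed (PIM activation)", "PIM",
         "alice@contoso.example", "alice@contoso.example", "Global Administrator"),
    _rec("2024-03-02T09:30:00Z", "Add member to role", "Core Directory",
         "bob@contoso.example", "carol@contoso.example", "Exchange Administrator"),
    _rec("2024-03-02T10:00:00Z", "Add member to role in PIM completed (permanent)", "PIM",
         "bob@contoso.example", "dave@contoso.example", "Global Administrator"),
    _rec("2024-03-03T09:00:00Z", "Add member to role completed (PIM activation)", "PIM",
         "bob@contoso.example", "bob@contoso.example", "User Administrator"),
])


def load_audit(text):
    """Parse a JSON array of directoryAudits records (what a Graph export returns)."""
    return json.loads(text)


def _ts(r):
    return datetime.fromisoformat(r["activityDateTime"].replace("Z", "+00:00"))


def _field(r, kind, key):
    return next((t.get(key) for t in r["targetResources"] if t.get("type") == kind), None)


def _actor(r):
    return r.get("initiatedBy", {}).get("user", {}).get("userPrincipalName")


def _summary(r):
    return (_ts(r), _actor(r), _field(r, "User", "userPrincipalName"), _field(r, "Role", "displayName"))


def assigned_outside_pim(records):
    """Role memberships granted by something other than PIM (the 'roles assigned
    outside of PIM' alert): (time, actor, target user, role) tuples."""
    return [_summary(r) for r in records
            if r["category"] == "RoleManagement" and r["loggedByService"] != "PIM"
            and r["activityDisplayName"].startswith("Add member to role")]


def permanent_in_pim(records):
    """Permanent (non-expiring) assignments made through PIM, which defeat just-in-time access."""
    return [_summary(r) for r in records
            if r["loggedByService"] == "PIM" and "(permanent)" in r["activityDisplayName"]]


def frequent_activations(records, window=timedelta(hours=24), threshold=3):
    """(user, role, count) for every user/role with >= threshold successful
    activations inside any sliding window of the given length."""
    by_key = defaultdict(list)
    for r in records:
        a = r["activityDisplayName"]
        if a.startswith("Add member to role") and "(PIM activation)" in a and r["result"] == "success":
            by_key[(_field(r, "User", "userPrincipalName"), _field(r, "Role", "displayName"))].append(_ts(r))
    hits = []
    for (user, role), times in by_key.items():
        times.sort()
        lo, best = 0, 0
        for hi in range(len(times)):            # two-pointer sliding window
            while times[hi] - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            hits.append((user, role, best))
    return hits


if __name__ == "__main__":
    recs = load_audit(SAMPLE_AUDIT_JSON)
    print("Assigned outside PIM:", assigned_outside_pim(recs))
    print("Permanent assignments in PIM:", permanent_in_pim(recs))
    print("Frequent activators:", frequent_activations(recs))
```

Point load_audit at the JSON you pull from GET /auditLogs/directoryAudits, or at the Azure Monitor export in a storage account, and the three functions give you the same findings the portal's Alerts page shows, in a form you can archive alongside the monthly export.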

Tip

✔️Microsoft recommends that you set up Azure Monitor log integration to archive audit events in an Azure storage account, for greater security and compliance.