Email notifications in PIM

Privileged Identity Management (PIM) lets you know when important events occur in your Azure Active Directory (Azure AD) organization, such as when a role is assigned or activated. Privileged Identity Management keeps you informed by sending you and other participants email notifications. These emails might also include links to relevant tasks, such as activating or renewing a role. This article describes what these emails look like, when they are sent, and who receives them.

Sender email address and subject line

Emails sent from Privileged Identity Management for both Azure AD and Azure resource roles have the following sender email address:

  • Email address: azure-noreply@microsoft.com
  • Display name: Azure

These emails include a PIM prefix in the subject line. Here's an example:

  • PIM: Alain Charon was permanently assigned the Backup Reader role
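The sender address, display name and subject prefix above can be used to vet inbound mail that claims to be a PIM notification. The following is an added example, not Microsoft's code: it assumes your mail gateway writes a trustworthy Authentication-Results header, and the three sample messages are constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Values stated on this page.
PIM_SENDER = "azure-noreply@microsoft.com"
PIM_DISPLAY_NAME = "Azure"
PIM_SUBJECT_PREFIX = "PIM:"

def dmarc_passed(msg, domain="microsoft.com"):
    """True if an Authentication-Results header records dmarc=pass for domain.
    Assumption: the header is written by your own gateway, which strips
    any copy supplied by the sender."""
    for value in msg.get_all("Authentication-Results", []):
        for part in str(value).lower().split(";"):
            tokens = part.split()
            # Exact token match, so microsoft.com.example does not pass.
            if tokens and tokens[0] == "dmarc=pass" and f"header.from={domain}" in tokens:
                return True
    return False

def check_pim_notification(raw):
    """Return the reasons a message fails the PIM sender checks ([] = all pass)."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    problems = []
    if addr.lower() != PIM_SENDER:
        problems.append("sender address mismatch")
    if name != PIM_DISPLAY_NAME:
        problems.append("display name mismatch")
    if not str(msg.get("Subject", "")).startswith(PIM_SUBJECT_PREFIX):
        problems.append("missing PIM subject prefix")
    if not dmarc_passed(msg):
        problems.append("no dmarc=pass for microsoft.com")
    return problems

def sample(sender, dmarc, from_domain):
    """Build a constructed test message (not a captured email)."""
    return (f"From: Azure <{sender}>\n"
            "Subject: PIM: Alain Charon was permanently assigned the Backup Reader role\n"
            f"Authentication-Results: mx.contoso.example; dmarc={dmarc} header.from={from_domain}\n"
            "\nbody\n")

GENUINE = sample(PIM_SENDER, "pass", "microsoft.com")
LOOKALIKE = sample("azure-noreply@microsoft.com.example", "pass", "microsoft.com.example")
SPOOFED = sample(PIM_SENDER, "fail", "microsoft.com")

if __name__ == "__main__":
    for label, raw in [("genuine", GENUINE), ("lookalike", LOOKALIKE), ("spoofed", SPOOFED)]:
        print(label, check_pim_notification(raw))
```

The display name and subject prefix alone prove nothing, since any sender can set them; the DMARC result is what ties the visible From address to the microsoft.com domain.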

Notifications for Azure AD roles

Privileged Identity Management sends emails when the following events occur for Azure AD roles:

  • When a privileged role activation is pending approval
  • When a privileged role activation request is completed
  • When Azure AD Privileged Identity Management is enabled

Who receives these emails for Azure AD roles depends on your role, the event, and the notifications setting:

| User | Role activation is pending approval | Role activation request is completed | PIM is enabled |
| Privileged Role Administrator (Activated/Eligible) | Yes (only if no explicit approvers are specified) | Yes* | Yes |
| Security Administrator (Activated/Eligible) | No | Yes* | Yes |
| Global Administrator (Activated/Eligible) | No | Yes* | Yes |

* If the Notifications setting is set to Enable.

The following shows an example email that is sent when a user activates an Azure AD role for the fictional Contoso organization.

[Image: New Privileged Identity Management email for Azure AD roles]

Weekly Privileged Identity Management digest email for Azure AD roles

A weekly Privileged Identity Management summary email for Azure AD roles is sent to Privileged Role Administrators, Security Administrators, and Global Administrators that have enabled Privileged Identity Management. This weekly email provides a snapshot of Privileged Identity Management activities for the week as well as privileged role assignments. It is only available for Azure AD organizations on the public cloud. Here's an example email:

[Image: Weekly Privileged Identity Management digest email for Azure AD roles]

The email includes four tiles:

| Tile | Description |
| Users activated | Number of times users activated their eligible role inside the organization. |
| Users made permanent | Number of times users with an eligible assignment are made permanent. |
| Role assignments in Privileged Identity Management | Number of times users are assigned an eligible role inside Privileged Identity Management. |
| Role assignments outside of PIM | Number of times users are assigned a permanent role outside of Privileged Identity Management (inside Azure AD). |

The Overview of your top roles section lists the top five roles in your organization based on total number of permanent and eligible administrators for each role. The Take action link opens the PIM wizard where you can convert permanent administrators to eligible administrators in batches.

Email timing for activation approvals

When users activate their role and the role setting requires approval, approvers will receive two emails for each approval:

  • Request to approve or deny the user's activation request (sent by the request approval engine)
  • The user's request is approved (sent by the request approval engine)

Also, Global administrators and Privileged Role administrators receive an email for each approval:

  • The user's role is activated (sent by Privileged Identity Management)

The first two emails sent by the request approval engine can be delayed. Currently, 90% of emails take three to ten minutes, but for 1% of customers it can be much longer, up to fifteen minutes.

If an approval request is approved in the Azure portal before the first email is sent, the first email will no longer be triggered and other approvers won't be notified by email of the approval request. It might appear as if they didn't get an email, but it's the expected behavior.

PIM emails for Azure resource roles

Privileged Identity Management sends emails to Owners and User Access Administrators when the following events occur for Azure resource roles:

  • When a role assignment is pending approval
  • When a role is assigned
  • When a role is soon to expire
  • When a role is eligible to extend
  • When a role is being renewed by an end user
  • When a role activation request is completed

Privileged Identity Management sends emails to end users when the following events occur for Azure resource roles:

  • When a role is assigned to the user
  • When a user's role is expired
  • When a user's role is extended
  • When a user's role activation request is completed

The following shows an example email that is sent when a user is assigned an Azure resource role for the fictional Contoso organization.

[Image: New Privileged Identity Management email for Azure resource roles]
