Start using Privileged Identity Management

This article describes how to enable Privileged Identity Management (PIM) and get started using it.

Use Privileged Identity Management (PIM) to manage, control, and monitor access within your Azure Active Directory (Azure AD) organization. With PIM you can provide as-needed and just-in-time access to Azure resources, Azure AD resources, and other Microsoft online services like Office 365 or Microsoft Intune.

Prerequisites

To use Privileged Identity Management, you must have one of the following licenses:

  • Azure AD Premium P2
  • Enterprise Mobility + Security (EMS) E5

For more information, see License requirements to use Privileged Identity Management.

Prepare PIM for Azure AD roles

Once you have enabled Privileged Identity Management for your directory, you can prepare Privileged Identity Management to manage Azure AD roles.

Here are the tasks we recommend for you to prepare for Azure AD roles, in order:

  1. Configure Azure AD role settings.
  2. Give eligible assignments.
  3. Allow eligible users to activate their Azure AD role just-in-time.
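Steps 2 and 3 above carried out with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original article. It assumes the Microsoft.Graph.Identity.Governance module is installed, the caller holds the Privileged Role Administrator role, and the principal and role definition IDs are placeholders you replace with your own; the role settings from step 1 (MFA, approval, maximum activation duration) are configured in the portal and are enforced on the activation request below.

```powershell
# Added example, not from the original article: give a time-bound eligible
# assignment for an Azure AD role, then activate it just-in-time with a
# justification. Requires the Microsoft.Graph.Identity.Governance module.

Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory",
                        "RoleAssignmentSchedule.ReadWrite.Directory"

$principalId      = "<object-id-of-user-or-group>"   # placeholder
$roleDefinitionId = "<role-definition-template-id>"  # placeholder, built-in role template ID

# Step 2: eligible (not active) assignment, limited to 90 days so it must be
# re-approved rather than living on as standing privilege.
$eligible = @{
    action           = "adminAssign"
    justification    = "Eligible assignment granted during PIM onboarding"
    roleDefinitionId = $roleDefinitionId
    directoryScopeId = "/"                       # tenant-wide scope
    principalId      = $principalId
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "P90D" }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligible

# Step 3: the eligible user activates the role for one hour. A justification is
# required, and the role settings decide whether MFA or approval is also enforced.
$activate = @{
    action           = "selfActivate"
    justification    = "Change request <ticket-id>: reset a service principal credential"
    roleDefinitionId = $roleDefinitionId
    directoryScopeId = "/"
    principalId      = $principalId
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "PT1H" }
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activate

# Check: the principal should now hold one active assignment that ends in an hour.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "principalId eq '$principalId'" |
    Select-Object RoleDefinitionId, AssignmentType, EndDateTime
```

The same request bodies can be sent directly to the Graph endpoints roleManagement/directory/roleEligibilityScheduleRequests and roleAssignmentScheduleRequests from any client; the activation appears in the My requests and Approve requests views described below.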

Prepare PIM for Azure roles

Once you have enabled Privileged Identity Management for your directory, you can prepare Privileged Identity Management to manage Azure roles for Azure resource access on a subscription.

Here are the tasks we recommend for you to prepare for Azure roles, in order:

  1. Discover Azure resources.
  2. Configure Azure role settings.
  3. Give eligible assignments.
  4. Allow eligible users to activate their Azure roles just-in-time.

Once Privileged Identity Management is set up, you can learn your way around.

(Screenshot: the navigation window in Privileged Identity Management, showing the Tasks and Manage options)

Task + Manage | Description
My roles | Displays a list of eligible and active roles assigned to you. This is where you can activate any assigned eligible roles.
My requests | Displays your pending requests to activate eligible role assignments.
Approve requests | Displays a list of requests to activate eligible roles by users in your directory that you are designated to approve.
Review access | Lists active access reviews you are assigned to complete, whether you're reviewing access for yourself or someone else.
Azure AD roles | Displays a dashboard and settings for Privileged role administrators to manage Azure AD role assignments. This dashboard is disabled for anyone who isn't a privileged role administrator. These users have access to a special dashboard titled My view. The My view dashboard only displays information about the user accessing the dashboard, not the entire organization.
Azure resources | Displays a dashboard and settings for Privileged role administrators to manage Azure resource role assignments. This dashboard is disabled for anyone who isn't a privileged role administrator. These users have access to a special dashboard titled My view. The My view dashboard only displays information about the user accessing the dashboard, not the entire organization.

Add a PIM tile to the dashboard

To make it easier to open Privileged Identity Management, add a PIM tile to your Azure portal dashboard.

  1. Sign in to the Azure portal.

  2. Select All services and find the Azure AD Privileged Identity Management service.

    (Screenshot: Azure AD Privileged Identity Management in All services)

  3. Select the Privileged Identity Management Quickstart.

  4. Check Pin blade to dashboard to pin the Privileged Identity Management Quickstart blade to the dashboard.

    (Screenshot: the pin icon used to pin the Privileged Identity Management blade to the dashboard)

    On the Azure dashboard, you'll see a tile like this:

    (Screenshot: the Privileged Identity Management Quickstart tile on the dashboard)

Next steps