Start using Privileged Identity Management

With Privileged Identity Management (PIM), you can manage, control, and monitor access within your Azure Active Directory (Azure AD) organization. This scope includes access to Azure resources, Azure AD, and other Microsoft online services like Office 365 or Microsoft Intune.

This article describes how to enable and get started using Privileged Identity Management.

Prerequisites

To use Privileged Identity Management, you must have one of the following licenses:

  • Azure AD Premium P2
  • Enterprise Mobility + Security (EMS) E5

For more information, see License requirements to use Privileged Identity Management.

First person to use PIM

If you're the first person to use Privileged Identity Management in your directory, you are automatically assigned the Security Administrator and Privileged Role Administrator roles in the directory. Only privileged role administrators can manage Azure AD role assignments of users. In addition, you may choose to run the security wizard, which walks you through the initial discovery and assignment experience.

Enable PIM

To start using Privileged Identity Management in your directory, you must first enable Privileged Identity Management.

  1. Sign in to the Azure portal as a Global Administrator of your directory.

    You must be a Global Administrator with an organizational account (for example, @yourdomain.com), not a Microsoft account (for example, @outlook.com), to enable Privileged Identity Management for a directory.

  2. Click All services and find the Azure AD Privileged Identity Management service.

    Screenshot: Azure AD Privileged Identity Management in All services

  3. Click to open the Privileged Identity Management Quickstart.

  4. In the list, click Consent to PIM.

    Screenshot: Consent to Privileged Identity Management to enable it

  5. Click Verify my identity to verify your identity with Azure MFA. You'll be asked to pick an account.

    Screenshot: Pick an account window used to verify your identity

  6. If more information is required for verification, you'll be guided through the process. For more information, see Get help with two-step verification.

    Screenshot: More information required window, shown if your organization needs more information

    For example, you might be asked to provide phone verification.

    Screenshot: Additional security verification page asking for your contact details

  7. Once you have completed the verification process, click the Consent button.

  8. In the message that appears, click Yes to consent to the Privileged Identity Management service.

    Screenshot: Consent to Privileged Identity Management message that completes the consent process

Sign up PIM for Azure AD roles

Once you have enabled Privileged Identity Management for your directory, you'll need to sign up Privileged Identity Management before it can manage Azure AD roles.

  1. Open Azure AD Privileged Identity Management.

  2. Click Azure AD roles.

    Screenshot: Sign up Privileged Identity Management for Azure AD roles

  3. Click Sign up.

  4. In the message that appears, click Yes to sign up Privileged Identity Management to manage Azure AD roles.

    Screenshot: Sign up Privileged Identity Management for Azure AD roles message

    When sign up completes, the Azure AD options will be enabled. You might need to refresh the portal.

    For information about how to discover and select the Azure resources to protect with Privileged Identity Management, see Discover Azure resources to manage in Privileged Identity Management.

Once Privileged Identity Management is set up, you can start your identity management tasks.

Screenshot: Navigation window in Privileged Identity Management showing the Tasks and Manage options

Task + Manage      | Description
My roles           | Displays a list of eligible and active roles assigned to you. This is where you can activate any assigned eligible roles.
My requests        | Displays your pending requests to activate eligible role assignments.
Approve requests   | Displays a list of requests to activate eligible roles by users in your directory that you are designated to approve.
Azure AD roles     | Displays a dashboard and settings for privileged role administrators to manage Azure AD role assignments. This dashboard is disabled for anyone who isn't a privileged role administrator. These users have access to a special dashboard titled My view. The My view dashboard only displays information about the user accessing the dashboard, not the entire tenant.
Azure resources    | Displays a dashboard and settings for privileged role administrators to manage Azure resource role assignments. This dashboard is disabled for anyone who isn't a privileged role administrator. These users have access to a special dashboard titled My view. The My view dashboard only displays information about the user accessing the dashboard, not the entire tenant.
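The My roles task above (list your eligible and active assignments, then activate an eligible one with a justification and a bounded time window) can also be driven from PowerShell once PIM is signed up for Azure AD roles. This is an added example, not code from the original article; it assumes the AzureADPreview module is installed, that the signed-in account holds at least one eligible Azure AD role in PIM, and that the ticket reference in the justification is a placeholder.

```powershell
# Added example (not from the original article). Assumes the AzureADPreview
# module and a signed-in account that holds at least one eligible PIM role.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

# For Azure AD roles the PIM provider is "aadRoles" and the resource is the tenant.
$tenantId = (Get-AzureADTenantDetail).ObjectId
$me       = Get-AzureADUser -ObjectId (Get-AzureADCurrentSessionInfo).Account.Id

# Map role definition ids to display names so the listing is readable.
$roleName = @{}
foreach ($d in Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId $tenantId) {
    $roleName[$d.Id] = $d.DisplayName
}

# Equivalent of the "My roles" blade: my eligible and active assignments.
$mine = Get-AzureADMSPrivilegedRoleAssignment -ProviderId aadRoles -ResourceId $tenantId `
            -Filter "subjectId eq '$($me.ObjectId)'"
$mine | Select-Object @{n='Role'; e={ $roleName[$_.RoleDefinitionId] }}, AssignmentState, EndDateTime |
    Format-Table -AutoSize

# Activate the first eligible role for one hour with a justification, which is
# what the portal's Activate button submits (the request may still need approval).
$eligible = $mine | Where-Object { $_.AssignmentState -eq 'Eligible' } | Select-Object -First 1
if ($eligible) {
    $now = (Get-Date).ToUniversalTime()
    $schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
    $schedule.Type          = 'Once'
    $schedule.StartDateTime = $now.ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
    $schedule.EndDateTime   = $now.AddHours(1).ToString('yyyy-MM-ddTHH:mm:ss.fffZ')

    Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId aadRoles -ResourceId $tenantId `
        -RoleDefinitionId $eligible.RoleDefinitionId -SubjectId $me.ObjectId `
        -Type UserAdd -AssignmentState Active -Schedule $schedule `
        -Reason 'Ticket #0000 (placeholder): scheduled maintenance'
}
```

If the role's settings require approval, the request lands in the approver's Approve requests list rather than activating immediately.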

Add a PIM tile to the dashboard

To make it easier to open Privileged Identity Management, you should add a Privileged Identity Management tile to your Azure portal dashboard.

  1. Sign in to the Azure portal.

  2. Click All services and find the Azure AD Privileged Identity Management service.

    Screenshot: Azure AD Privileged Identity Management in All services

  3. Click to open the Privileged Identity Management Quickstart.

  4. Check Pin blade to dashboard to pin the Privileged Identity Management Quickstart blade to the dashboard.

    Screenshot: Pin icon used to pin the Privileged Identity Management blade to the dashboard

    On the Azure dashboard, you'll see a tile like this:

    Screenshot: Privileged Identity Management Quickstart tile on the dashboard

Next steps