在 PIM 中激活我的 Azure AD 角色Activate my Azure AD roles in PIM

Azure Active Directory (Azure AD) Privileged Identity Management (PIM) 简化了企业管理以特权身份访问 Azure AD 中的资源和其他 Microsoft 联机服务(如 Office 365 或 Microsoft Intune)的方式。Azure Active Directory (Azure AD) Privileged Identity Management (PIM) simplifies how enterprises manage privileged access to resources in Azure AD and other Microsoft online services like Office 365 or Microsoft Intune.

如果你符合管理角色的资格,则必须在需要执行特权操作时激活角色分配。If you have been made eligible for an administrative role, then you must activate the role assignment when you need to perform privileged actions. 例如,如果偶尔管理 Office 365 功能,则组织的特权角色管理员可能不会让你成为永久全局管理员,因为该角色也影响其他服务。For example, if you occasionally manage Office 365 features, your organization's privileged role administrators may not make you a permanent Global Administrator, since that role impacts other services, too. 他们会让你符合 Azure AD 角色(例如“Exchange Online 管理员”)的资格。Instead, they make you eligible for Azure AD roles such as Exchange Online Administrator. 可以在需要权限时,请求暂时分配该角色,并将在预定的时段内拥有管理员控制权。You can request to activate that role when you need its privileges, and then you'll have administrator control for a predetermined time period.

本文面向需要在 Privileged Identity Management 中激活其 Azure AD 角色的管理员。This article is for administrators who need to activate their Azure AD role in Privileged Identity Management.

确定 PIM 版本Determine your version of PIM

从 2019 年 11 月开始,Privileged Identity Management 的 Azure AD 角色部分将更新为与 Azure 资源角色的体验相匹配的新版本。Beginning in November 2019, the Azure AD roles portion of Privileged Identity Management is being updated to a new version that matches the experiences for Azure resource roles. 这将创建附加功能以及对现有 API 的更改This creates additional features as well as changes to the existing API. 在推出新版本时,本文中遵循的过程取决于当前拥有的 Privileged Identity Management 版本。While the new version is being rolled out, which procedures that you follow in this article depend on version of Privileged Identity Management you currently have. 按照本部分中的步骤确定所拥有的 Privileged Identity Management 的版本。Follow the steps in this section to determine which version of Privileged Identity Management you have. 了解 Privileged Identity Management 版本之后,可以选择本文中与该版本匹配的过程。After you know your version of Privileged Identity Management, you can select the procedures in this article that match that version.

  1. 使用特权角色管理员角色登录到 Azure 门户Sign in to the Azure portal with the Privileged role administrator role.

  2. 打开“Azure AD Privileged Identity Management”。 Open Azure AD Privileged Identity Management. 如果在概述页的顶部有横幅,请按照本文“新版本”选项卡中的说明进行操作 。If you have a banner on the top of the overview page, follow the instructions in the New version tab of this article. 否则,请按照“先前版本”选项卡中的说明操作 。Otherwise, follow the instructions in the Previous version tab.

    选择“Azure AD”>“Privileged Identity Management”。Select Azure AD > Privileged Identity Management.

激活角色Activate a role

需要充当某个 Azure AD 角色时,可在 Privileged Identity Management 中通过打开“我的角色”请求激活。When you need to assume an Azure AD role, you can request activation by opening My roles in Privileged Identity Management.

  1. 登录到 Azure 门户Sign in to the Azure portal.

  2. 打开“Azure AD Privileged Identity Management”。Open Azure AD Privileged Identity Management. 有关如何将 Privileged Identity Management 磁贴添加到仪表板的信息,请参阅开始使用 Privileged Identity ManagementFor information about how to add the Privileged Identity Management tile to your dashboard, see Start using Privileged Identity Management.

  3. 选择“我的角色”,然后选择“Azure AD 角色”,查看符合条件的 Azure AD 角色的列表。 Select My roles, and then select Azure AD roles to see a list of your eligible Azure AD roles.

    显示可以激活的角色的“我的角色”页

  4. 在“Azure AD 角色”列表中,找到要激活的角色。In the Azure AD roles list, find the role you want to activate.

    Azure AD 角色 - 我的合格角色列表

  5. 选择“激活”打开“激活”页。Select Activate to open the Activate page.

    Azure AD 角色 - 激活页面包含持续时间和范围

  6. 如果角色需要多重身份验证,请选择“验证你的身份,然后继续”。If your role requires multi-factor authentication, select Verify your identity before proceeding. 只需在每个会话中执行身份验证一次。You only have to authenticate once per session.

    在激活角色之前使用 MFA 验证身份

  7. 选择“验证我的身份”,并按照说明提供其他安全验证。Select Verify my identity and follow the instructions to provide additional security verification.

    用于提供安全验证(例如 PIN 码)的屏幕

  8. 如果要指定缩小的范围,请选择“范围”以打开筛选器窗格。If you want to specify a reduced scope, select Scope to open the filter pane. 在筛选器窗格中,可以指定需要访问的 Azure AD 资源。On the filter pane, you can specify the Azure AD resources that you need access to. 它是仅请求访问所需资源的最佳做法。It's a best practice to request access to only the resources you need.

  9. 根据需要指定自定义的激活开始时间。If necessary, specify a custom activation start time. Azure AD 角色将在选定时间后激活。The Azure AD role would be activated after the selected time.

  10. 在“原因”框中,输入该激活请求的原因。In the Reason box, enter the reason for the activation request.

  11. 选择“激活”。Select Activate.

    如果角色需要审批才能激活,则浏览器右上角会显示一条通知,告知你请求正在等待审批。If the role requires approval to activate, a notification will appear in the upper right corner of your browser informing you the request is pending approval.

    “激活请求正在等待审批”通知

查看请求的状态View the status of your requests

可以查看等待激活的请求的状态。You can view the status of your pending requests to activate.

  1. 打开 Azure AD Privileged Identity Management。Open Azure AD Privileged Identity Management.

  2. 选择“我的请求”,查看你的 Azure AD 角色和 Azure 资源角色请求列表。Select My requests to see a list of your Azure AD role and Azure resource role requests.

    显示挂起的请求的“我的请求 - Azure AD”页

  3. 向右滚动以查看“请求状态” 列。Scroll to the right to view the Request Status column.

取消挂起的请求Cancel a pending request

如果不需要激活需要审批的角色,随时可以取消等待中的请求。If you do not require activation of a role that requires approval, you can cancel a pending request at any time.

  1. 打开 Azure AD Privileged Identity Management。Open Azure AD Privileged Identity Management.

  2. 选择“我的请求”。Select My requests.

  3. 针对想要取消的角色,选择“取消”链接。For the role that you want to cancel, select the Cancel link.

    选择“取消”会取消该请求。When you select Cancel, the request will be canceled. 若要再次激活该角色,必须提交新的激活请求。To activate the role again, you will have to submit a new request for activation.

    突出显示“取消”操作的“我的请求”列表

故障排除Troubleshoot

激活角色后,权限未被授予Permissions are not granted after activating a role

在 Privileged Identity Management 中激活角色时,激活可能不会立即传播到需要特权角色的所有门户。When you activate a role in Privileged Identity Management, the activation may not instantly propagate to all portals that require the privileged role. 有时,即使更改已传播,门户中的 Web 缓存也可能会导致更改不能立即生效。Sometimes, even if the change is propagated, web caching in a portal may result in the change not taking effect immediately. 如果激活已延迟,应当按照以下步骤操作。If your activation is delayed, here is what you should do.

  1. 注销 Azure 门户,然后重新登录。Sign out of the Azure portal and then sign back in.

  2. 在 Privileged Identity Management 中,验证是否已将你列为角色的成员。In Privileged Identity Management, verify that you are listed as the member of the role.

后续步骤Next steps