Assign Azure AD roles in Privileged Identity Management

With Azure Active Directory (Azure AD), a Global administrator can make permanent Azure AD admin role assignments. These role assignments can be created using the Azure portal or using PowerShell commands.

The Azure AD Privileged Identity Management (PIM) service also allows Privileged role administrators to make permanent admin role assignments. Additionally, Privileged role administrators can make users eligible for Azure AD admin roles. An eligible administrator can activate the role when they need it, and their permissions expire once they're done.

Determine your version of PIM

Beginning in November 2019, the Azure AD roles portion of Privileged Identity Management is being updated to a new version that matches the experience for Azure resource roles. This adds features and also changes the existing API. While the new version is being rolled out, the procedures you follow in this article depend on which version of Privileged Identity Management you currently have. Follow the steps in this section to determine your version, then use the procedures in this article that match it.

  1. Sign in to the Azure portal with a user who is in the Privileged role administrator role.
  2. Open Azure AD Privileged Identity Management. If there is a banner at the top of the overview page, follow the instructions in the New version tab of this article. Otherwise, follow the instructions in the Previous version tab.

Select Azure AD > Privileged Identity Management.

Assign a role

Follow these steps to make a user eligible for an Azure AD admin role.

  1. Sign in to the Azure portal with a user who is a member of the Privileged role administrator role.

    For information about how to grant another administrator access to manage Privileged Identity Management, see Grant access to other administrators to manage Privileged Identity Management.

  2. Open Azure AD Privileged Identity Management.

  3. Select Azure AD roles.

  4. Select Roles to see the list of roles for Azure AD permissions.

    (Screenshot: Azure AD roles)

  5. Select Add assignments to open the Add assignments page.

  6. Select Select a role to open the Select a role page.

    (Screenshot: New assignment pane)

  7. Select the role you want to assign, select the member to whom you want to assign the role, and then select Next.

  8. In the Assignment type list on the Membership settings pane, select Eligible or Active.

    • Eligible assignments require the member of the role to perform an action to use the role. Actions might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.

    • Active assignments don't require the member to perform any action to use the role. Members assigned as active have the privileges of the role at all times.

  9. To limit the assignment to a specific duration, set the start and end date and time boxes. When finished, select Assign to create the new role assignment.

    (Screenshot: Membership settings - date and time)

  10. After the role is assigned, an assignment status notification is displayed.

    (Screenshot: New assignment - notification)
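The portal steps above have a scripted equivalent. The following is an added example, not code from the original page or from Microsoft's documentation; it uses the AzureADPreview module's PIM cmdlets (Get-AzureADMSPrivilegedRoleDefinition, Open-AzureADMSPrivilegedRoleAssignmentRequest, Get-AzureADMSPrivilegedRoleAssignment). The tenant ID, user object ID and role name are placeholders, and the 90-day window is an assumed value; replace them with your own. It creates an Eligible, time-bound assignment, which is the least-privilege option described in step 8, and then reads the assignment back to confirm what was recorded.

```powershell
# Added example (not from the original page): make a user eligible for an Azure AD
# role with a bounded schedule, using the AzureADPreview module's PIM cmdlets.
# Assumptions: tenant ID, user object ID and role name below are placeholders.

Install-Module AzureADPreview -Scope CurrentUser   # once, if not already installed
Connect-AzureAD                                     # sign in as a Privileged role administrator

$tenantId     = '00000000-0000-0000-0000-000000000000'   # placeholder: tenant (directory) ID
$userObjectId = '11111111-1111-1111-1111-111111111111'   # placeholder: object ID of the user to assign
$roleName     = 'Security Reader'                        # placeholder: any built-in Azure AD role

# For Azure AD roles the provider is 'aadRoles' and the resource is the tenant itself.
$role = Get-AzureADMSPrivilegedRoleDefinition -ProviderId 'aadRoles' -ResourceId $tenantId |
        Where-Object { $_.DisplayName -eq $roleName }
if (-not $role) { throw "Role '$roleName' not found in tenant $tenantId" }

# A schedule makes the assignment time-bound (the start/end boxes in step 9 of the portal flow).
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type          = 'Once'
$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString('o')
$schedule.EndDateTime   = (Get-Date).AddDays(90).ToUniversalTime().ToString('o')   # assumed 90-day window

# 'Eligible' mirrors the Eligible assignment type: the user must activate the role
# (MFA, justification, approval as configured) before it grants anything.
# Use -AssignmentState 'Active' only where standing access is genuinely required.
Open-AzureADMSPrivilegedRoleAssignmentRequest `
    -ProviderId 'aadRoles' `
    -ResourceId $tenantId `
    -RoleDefinitionId $role.Id `
    -SubjectId $userObjectId `
    -Type 'adminAdd' `
    -AssignmentState 'Eligible' `
    -Schedule $schedule `
    -Reason 'Time-bound eligibility granted via PIM (placeholder justification)'

# Confirm what was recorded for this user: state and end date should match the request.
Get-AzureADMSPrivilegedRoleAssignment -ProviderId 'aadRoles' -ResourceId $tenantId `
    -Filter "subjectId eq '$userObjectId'" |
    Select-Object RoleDefinitionId, AssignmentState, StartDateTime, EndDateTime
```

Run it in a PowerShell session where the AzureADPreview module is loaded (the older AzureAD module does not carry the PIM cmdlets). The check at the end is worth keeping in any automation: an assignment that comes back with AssignmentState 'Active' and no EndDateTime is standing privilege, which is exactly what PIM eligibility is meant to avoid.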

Update or remove an existing role assignment

Follow these steps to update or remove an existing role assignment.

  1. Open Azure AD Privileged Identity Management.

  2. Select Azure AD roles.

  3. Select Roles to see the list of roles for Azure AD.

  4. Select the role that you want to update or remove.

  5. Find the role assignment on the Eligible roles or Active roles tabs.

    (Screenshot: Update or remove a role assignment)

  6. Select Update or Remove to update or remove the role assignment.
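The review-and-remove flow above can also be done in PowerShell, and doing it that way makes it easy to audit every assignment at once. The following is an added example, not code from the original page or from Microsoft's documentation; it assumes the AzureADPreview module's PIM cmdlets, and the tenant ID, user object ID and role name are placeholders. It lists all Azure AD role assignments in PIM, flags permanent Active ones (the ones a defender most wants to question), and then submits an adminRemove request for one specific assignment.

```powershell
# Added example (not from the original page): audit existing Azure AD role assignments
# in PIM and remove one, using the AzureADPreview module's PIM cmdlets.
# Assumptions: tenant ID, user object ID and role name below are placeholders.

Connect-AzureAD   # sign in as a Privileged role administrator

$tenantId     = '00000000-0000-0000-0000-000000000000'   # placeholder: tenant (directory) ID
$userObjectId = '11111111-1111-1111-1111-111111111111'   # placeholder: user to remove from the role
$roleName     = 'Security Reader'                        # placeholder: role to remove

# Map role definition IDs to display names once, so the report is readable.
$roleNames = @{}
Get-AzureADMSPrivilegedRoleDefinition -ProviderId 'aadRoles' -ResourceId $tenantId |
    ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Review: list every assignment (the Eligible roles / Active roles tabs in the portal) and
# flag Active assignments with no end date, i.e. standing, permanent privilege.
$assignments = Get-AzureADMSPrivilegedRoleAssignment -ProviderId 'aadRoles' -ResourceId $tenantId
$assignments |
    Select-Object @{ n = 'Role';            e = { $roleNames[$_.RoleDefinitionId] } },
                  SubjectId, AssignmentState, EndDateTime,
                  @{ n = 'PermanentActive'; e = { $_.AssignmentState -eq 'Active' -and -not $_.EndDateTime } } |
    Sort-Object PermanentActive -Descending |
    Format-Table -AutoSize

# Remove: locate the target user's assignment for the chosen role and submit an adminRemove request.
$roleId = ($roleNames.GetEnumerator() | Where-Object { $_.Value -eq $roleName }).Key
if (-not $roleId) { throw "Role '$roleName' not found in tenant $tenantId" }

$target = $assignments | Where-Object { $_.SubjectId -eq $userObjectId -and $_.RoleDefinitionId -eq $roleId }
if (-not $target) { throw "No assignment of '$roleName' found for $userObjectId" }

Open-AzureADMSPrivilegedRoleAssignmentRequest `
    -ProviderId 'aadRoles' `
    -ResourceId $tenantId `
    -RoleDefinitionId $roleId `
    -SubjectId $userObjectId `
    -Type 'adminRemove' `
    -AssignmentState $target.AssignmentState `
    -Reason 'Access no longer required (placeholder justification)'
```

To update an assignment instead of removing it (for example, to shorten its end date), submit the same request with -Type 'adminUpdate' and a new -Schedule object. Either way, the request type and reason are recorded in the PIM audit history, which is what you will want when reconciling who changed which assignment and why.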

Next steps