Configure Azure AD role settings in Privileged Identity Management

A Privileged Role Administrator can customize Privileged Identity Management (PIM) in their Azure Active Directory (Azure AD) organization, including changing the experience for a user who is activating an eligible role assignment.

Determine your version of PIM

Beginning in November 2019, the Azure AD roles portion of Privileged Identity Management is being updated to a new version that matches the experience for Azure resource roles. This adds features and also changes the existing API. While the new version is being rolled out, the procedures you follow in this article depend on the version of Privileged Identity Management you currently have. Follow the steps in this section to determine which version of Privileged Identity Management you have. Once you know your version, select the procedures in this article that match it.

  1. Sign in to the Azure portal with a user who is in the Privileged Role Administrator role.
  2. Open Azure AD Privileged Identity Management. If there is a banner at the top of the overview page, follow the instructions in the New version tab of this article. Otherwise, follow the instructions in the Previous version tab.

Select Azure AD > Privileged Identity Management.

Follow the steps in this article to approve or deny requests for Azure AD roles.

Open role settings

Follow these steps to open the settings for an Azure AD role.

  1. Sign in to the Azure portal with a user in the Privileged Role Administrator role.

  2. Open Azure AD Privileged Identity Management > Azure AD roles > Role settings.

    (Screenshot: Role settings page listing the Azure AD roles)

  3. Select the role whose settings you want to configure.

    (Screenshot: Role setting details page listing several assignment and activation settings)

  4. Select Edit to open the Role settings page.

    (Screenshot: Edit role settings page with options to update assignment and activation settings)

    On the Role setting pane for each role, there are several settings you can configure.

Assignment duration

When you configure the settings for a role, you can choose from two assignment duration options for each assignment type (eligible and active). These options become the default maximum duration when a user is assigned to the role in Privileged Identity Management.

You can choose one of these eligible assignment duration options:

  - Allow permanent eligible assignment: Global admins and Privileged role admins can assign permanent eligible assignments.
  - Expire eligible assignment after: Global admins and Privileged role admins can require that all eligible assignments have a specified start and end date.

And you can choose one of these active assignment duration options:

  - Allow permanent active assignment: Global admins and Privileged role admins can assign permanent active assignments.
  - Expire active assignment after: Global admins and Privileged role admins can require that all active assignments have a specified start and end date.

Note

All assignments that have a specified end date can be renewed by Global admins and Privileged role admins. Users can also initiate self-service requests to extend or renew their role assignments.

Require multi-factor authentication

Privileged Identity Management provides optional enforcement of Azure Multi-Factor Authentication for two distinct scenarios.

Require Multi-Factor Authentication on active assignment

In some cases, you might want to assign a user to a role for a short duration (one day, for example). In this case, the assigned users don't need to request activation. Privileged Identity Management therefore can't enforce multi-factor authentication when the user uses the role assignment, because they are already active in the role from the moment it is assigned.

To ensure that the administrator making the assignment is who they say they are, you can enforce multi-factor authentication on active assignment by checking the Require Multi-Factor Authentication on active assignment box.

Require Multi-Factor Authentication on activation

You can require users who are eligible for a role to prove who they are by using Azure Multi-Factor Authentication before they can activate. Multi-factor authentication ensures with reasonable certainty that the user is who they say they are. Enforcing this option protects critical resources in situations where the user account might have been compromised.

To require multi-factor authentication before activation, check the Require Multi-Factor Authentication on activation box in the Assignment tab of Edit role setting.

For more information, see Multi-factor authentication and Privileged Identity Management.

Activation maximum duration

Use the Activation maximum duration slider to set the maximum time, in hours, that a role stays active before it expires. This value can be from 1 to 24 hours.

Require justification

You can require that users enter a business justification when they activate. To require justification, check the Require justification on active assignment box or the Require justification on activation box.

Require approval to activate

If you set multiple approvers, approval completes as soon as one of them approves or denies the request. You can't require approval from at least two users. To require approval to activate a role, follow these steps.

  1. Check the Require approval to activate check box.

  2. Select Select approvers.

    (Screenshot: Select a user or group pane for choosing approvers)

  3. Select at least one user and then click Select. You must select at least one approver; there are no default approvers.

    Your selections will appear in the list of selected approvers.

  4. Once you have specified all your role settings, select Update to save your changes.
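The settings above (assignment duration, multi-factor authentication, activation maximum duration, justification and approval) are usually reviewed one role at a time in the portal. The following added example, which is not part of this article and not Microsoft's own code or an Azure API object, models a role's settings as a plain Python dataclass and then checks them in two ways: `validate()` applies the constraints the article states the portal enforces (1 to 24 activation hours, an expiry when permanent assignment is disallowed, at least one approver with no defaults), and `review()` lists hardening findings a reviewer would raise for a privileged role. The field names, the sample settings and the 8-hour activation threshold in `review()` are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class RoleSettings:
    """Per-role PIM settings as described in the article (constructed model, not an Azure API type)."""
    role: str
    allow_permanent_eligible: bool = True
    eligible_expire_days: Optional[int] = None   # required when permanent eligible assignment is disallowed
    allow_permanent_active: bool = True
    active_expire_days: Optional[int] = None     # required when permanent active assignment is disallowed
    mfa_on_active_assignment: bool = False
    mfa_on_activation: bool = False
    activation_max_hours: int = 8                # slider value, 1..24 hours
    justification_on_active_assignment: bool = False
    justification_on_activation: bool = False
    require_approval: bool = False
    approvers: List[str] = field(default_factory=list)  # at least one when approval is required


def validate(s: RoleSettings) -> List[str]:
    """Constraints the portal enforces; a non-empty list means the settings could not be saved."""
    errors = []
    if not 1 <= s.activation_max_hours <= 24:
        errors.append("activation maximum duration must be between 1 and 24 hours")
    if not s.allow_permanent_eligible and s.eligible_expire_days is None:
        errors.append("eligible assignments need an expiry when permanent eligible assignment is disallowed")
    if not s.allow_permanent_active and s.active_expire_days is None:
        errors.append("active assignments need an expiry when permanent active assignment is disallowed")
    if s.require_approval and not s.approvers:
        errors.append("at least one approver must be selected; there are no default approvers")
    return errors


def review(s: RoleSettings) -> List[str]:
    """Hardening findings: each is a weaker-than-recommended choice, not a save error."""
    findings = []
    if s.allow_permanent_active:
        findings.append("permanent active assignment allowed: activation-time controls never apply")
    elif not s.mfa_on_active_assignment:
        findings.append("MFA not required on active assignment: the assigning admin is not re-verified")
    if s.allow_permanent_eligible:
        findings.append("permanent eligible assignment allowed: eligibility is never forced to renew")
    if not s.mfa_on_activation:
        findings.append("MFA not required on activation: a compromised account could activate the role")
    if not s.justification_on_activation:
        findings.append("no justification required on activation: audit trail lacks a business reason")
    if not s.require_approval:
        findings.append("no approval required to activate")
    elif len(s.approvers) == 1:
        findings.append("single approver: activation stalls whenever that person is unavailable")
    if s.activation_max_hours > 8:  # 8 h is an assumed threshold, not a value from the article
        findings.append(f"activation window of {s.activation_max_hours}h is long for a privileged role")
    return findings


# Constructed sample settings for a single role, used only to exercise the two checks.
WEAK = RoleSettings(role="Global Administrator")  # portal-style defaults: everything permanent, no MFA
HARDENED = RoleSettings(
    role="Global Administrator",
    allow_permanent_eligible=False, eligible_expire_days=365,
    allow_permanent_active=False, active_expire_days=1,
    mfa_on_active_assignment=True, mfa_on_activation=True,
    activation_max_hours=1,
    justification_on_active_assignment=True, justification_on_activation=True,
    require_approval=True, approvers=["approver-a@example.invalid", "approver-b@example.invalid"],
)
INVALID = RoleSettings(role="Security Administrator", activation_max_hours=48, require_approval=True)

if __name__ == "__main__":
    for s in (WEAK, HARDENED, INVALID):
        print(s.role, "errors:", validate(s), "findings:", review(s))
```

Running the block prints five findings for the weak defaults, nothing for the hardened settings, and two save errors for the invalid ones (an out-of-range activation duration and approval with no approver chosen).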

Next steps