Delegate access to Privileged Identity Management

To delegate access to Privileged Identity Management (PIM), a Global Administrator can assign other users to the Privileged Role Administrator role. By default, Security administrators and Security readers have read-only access to Privileged Identity Management. To grant access to Privileged Identity Management, the first user can assign others to the Privileged Role Administrator role. The Privileged Role Administrator role is required for managing Azure AD roles only. Privileged Role Administrator permissions aren't required to manage settings for Azure resources.

Note

Managing Privileged Identity Management requires Azure Multi-Factor Authentication. Because Microsoft accounts can't register for Azure Multi-Factor Authentication, a user who signs in with a Microsoft account can't access Privileged Identity Management.

Make sure there are always at least two users in the Privileged Role Administrator role, in case one user is locked out or their account is deleted.

Delegate access to manage PIM

  1. Sign in to the Azure portal.

  2. In Azure AD, open Privileged Identity Management.

  3. Select Azure AD roles.

  4. Select Roles.

    Screenshot: Privileged Identity Management Azure AD roles - Roles

  5. Select the Privileged Role Administrator role to open the members page.

    Screenshot: Privileged Role Administrator - Members

  6. Select Add member to open the Add managed members pane.

  7. Select Select members to open the Select members pane.

    Screenshot: Privileged Role Administrator - Select members

  8. Select a member and then click Select.

  9. Select OK to make the member eligible for the Privileged Role Administrator role.

    When you assign a new role to someone in Privileged Identity Management, they are automatically configured as Eligible to activate the role.

  10. To make the member permanent, select the user in the Privileged Role Administrator member list.

  11. Select More and then Make permanent to make the assignment permanent.

    Screenshot: Privileged Role Administrator - Make permanent

  12. Send the user a link to Start using Privileged Identity Management.

Remove access to manage PIM

Before you remove someone from the Privileged Role Administrator role, always make sure there will still be at least two users assigned to it.

  1. Sign in to the Azure portal.

  2. Open Azure AD Privileged Identity Management.

  3. Select Azure AD roles.

  4. Select Roles.

  5. Select the Privileged Role Administrator role to open the members page.

  6. Select the checkbox next to the user you want to remove and then select Remove member.

    Screenshot: Privileged Role Administrator - Remove member

  7. When you are asked to confirm that you want to remove the member from the role, select Yes.
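The two-person rule stated in the note above and repeated before the removal steps can be checked before anyone clicks Remove member. The following script is an added example, not part of the original article or of Microsoft's own tooling: it pulls both eligible and active holders of the Privileged Role Administrator role from Microsoft Graph (assuming a bearer token with the relevant directory read permission in the `GRAPH_TOKEN` environment variable) and refuses a removal that would leave fewer than two holders. The role template ID and the Graph paths used are the documented built-in values; the sample membership at the bottom is constructed.

```python
"""Two-person check for the Privileged Role Administrator role (added example)."""
import json
import os
import urllib.parse
import urllib.request

# Template ID of the built-in Privileged Role Administrator role.
PRA_ROLE_ID = "e8611ab8-c189-46e8-94e1-60213ab1f814"
GRAPH = "https://graph.microsoft.com/v1.0/roleManagement/directory"
MIN_HOLDERS = 2  # the article's rule: never fewer than two people hold the role


def fetch_pra_holders(token):
    """Return {principalId: 'active' | 'eligible'} for the role.
    Active (permanent or activated) assignments are read first so that a
    principal who is both active and eligible is reported as active."""
    holders = {}
    for path, kind in (("roleAssignments", "active"),
                       ("roleEligibilityScheduleInstances", "eligible")):
        query = urllib.parse.urlencode(
            {"$filter": f"roleDefinitionId eq '{PRA_ROLE_ID}'"})
        req = urllib.request.Request(f"{GRAPH}/{path}?{query}",
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            for item in json.load(resp).get("value", []):
                holders.setdefault(item["principalId"], kind)
    return holders


def summarize(holders):
    """Count distinct holders by assignment kind."""
    return {"total": len(holders),
            "active": sum(1 for k in holders.values() if k == "active"),
            "eligible": sum(1 for k in holders.values() if k == "eligible")}


def can_remove(holders, principal_id, minimum=MIN_HOLDERS):
    """True only if removing principal_id still leaves at least `minimum`
    distinct holders, so a lock-out or deletion of one cannot strand the role."""
    remaining = {p for p in holders if p != principal_id}
    return len(remaining) >= minimum


# Constructed sample (not real directory data) for an offline run.
SAMPLE_HOLDERS = {"user-a": "active", "user-b": "eligible", "user-c": "eligible"}

if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")
    holders = fetch_pra_holders(token) if token else SAMPLE_HOLDERS
    print(summarize(holders))
    print("safe to remove user-c:", can_remove(holders, "user-c"))
```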

Next steps