Grant access to other administrators to manage Privileged Identity Management

The Global administrator who enables Privileged Identity Management (PIM) for an organization automatically gets role assignments and access to Privileged Identity Management. No one else in your Azure Active Directory (Azure AD) organization gets write access by default, though, including other Global administrators. Other Global administrators, Security administrators, and Security readers have read-only access to Privileged Identity Management. To grant access to Privileged Identity Management, the first user can assign others to the Privileged Role Administrator role.

Note

Managing Privileged Identity Management requires Azure Multi-Factor Authentication. Since Microsoft accounts cannot register for Azure Multi-Factor Authentication, a user who signs in with a Microsoft account cannot access Privileged Identity Management.

Make sure there are always at least two users in the Privileged Role Administrator role, in case one user is locked out or their account is deleted.

Grant access to manage PIM

  1. Sign in to the Azure portal.

  2. In Azure AD, open Privileged Identity Management.

  3. Select Azure AD roles.

  4. Select Roles.

    [Screenshot: Privileged Identity Management Azure AD roles - Roles]

  5. Select the Privileged Role Administrator role to open the members page.

    [Screenshot: Privileged Role Administrator - Members]

  6. Select Add member to open the Add managed members pane.

  7. Select Select members to open the Select members pane.

    [Screenshot: Privileged Role Administrator - Select members]

  8. Select a member and then click Select.

  9. Select OK to make the member eligible for the Privileged Role Administrator role.

    When you assign a new role to someone in Privileged Identity Management, they are automatically configured as Eligible to activate the role.

  10. To make the member permanent, select the user in the Privileged Role Administrator member list.

  11. Select More and then Make permanent to make the assignment permanent.

    [Screenshot: Privileged Role Administrator - Make permanent]

  12. Send the user a link to Start using Privileged Identity Management.

Remove access to manage PIM

Before you remove someone from the Privileged Role Administrator role, always make sure there will still be at least two users assigned to it.

  1. Sign in to the Azure portal.

  2. Open Azure AD Privileged Identity Management.

  3. Select Azure AD roles.

  4. Select Roles.

  5. Select the Privileged Role Administrator role to open the members page.

  6. Select the checkbox next to the user you want to remove and then select Remove member.

    [Screenshot: Privileged Role Administrator - Remove member]

  7. When you are asked to confirm that you want to remove the member from the role, select Yes.
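Both procedures above rely on the rule that the Privileged Role Administrator role never drops below two users. The following PowerShell is an added example, not part of the original article, that lists the role's active and eligible holders and warns when fewer than two permanent active assignments remain; it assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account may read directory role management data.

```powershell
# Added example (not from the original article): verify the "at least two
# Privileged Role Administrators" rule before removing a member.
# Assumes the Microsoft.Graph PowerShell SDK and read access to role management.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory"

# Resolve the role by display name rather than hard-coding its template ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'Privileged Role Administrator'"
if (-not $role) { throw "Privileged Role Administrator role definition not found." }
$filter = "roleDefinitionId eq '$($role.Id)'"

# Active assignments (permanent or time-bound) and eligible assignments.
$active   = @(Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter $filter -All)
$eligible = @(Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter $filter -All)

function Show-Principals($label, $schedules) {
    Write-Host "$label ($($schedules.Count)):"
    foreach ($s in $schedules) {
        # Resolve the principal (user, group or service principal) for display.
        $p    = Get-MgDirectoryObject -DirectoryObjectId $s.PrincipalId
        $name = $p.AdditionalProperties['displayName']
        $type = $p.AdditionalProperties['@odata.type']
        $end  = $s.ScheduleInfo.Expiration.EndDateTime
        $expiry = if ($end) { $end } else { 'permanent' }
        Write-Host "  $name [$type] scope=$($s.DirectoryScopeId) expires=$expiry"
    }
}
Show-Principals "Active"   $active
Show-Principals "Eligible" $eligible

# Permanent active assignments are the ones that still work if one holder is
# locked out or deleted and the remaining one cannot activate in PIM.
$permanentActive = @($active | Where-Object { -not $_.ScheduleInfo.Expiration.EndDateTime })
if ($permanentActive.Count -lt 2) {
    Write-Warning "Fewer than two permanent Privileged Role Administrators remain; add another before removing a member."
}
```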

Next steps