Create an access review of Azure AD roles in Privileged Identity Management

To reduce the risk associated with stale role assignments, you should regularly review access. You can use Azure AD Privileged Identity Management (PIM) to create access reviews for privileged Azure AD roles. You can also configure recurring access reviews that occur automatically.

This article describes how to create one or more access reviews for privileged Azure AD roles.

Prerequisites

Privileged Role Administrator

Open access reviews

  1. Sign in to the Azure portal with a user that is a member of the Privileged Role Administrator role.

  2. Open Azure AD Privileged Identity Management.

  3. Select Azure AD roles.

  4. Under Manage, select Access reviews, and then select New.

    Azure AD roles - access reviews list showing the status of all reviews

Create one or more access reviews

  1. Click New to create a new access review.

  2. Name the access review. Optionally, give the review a description. The name and description are shown to the reviewers.

    Create an access review - review name and description

  3. Set the Start date. By default, an access review occurs once, starts at the time it is created, and ends in one month. You can change the start and end dates to have an access review start in the future and last however many days you want.

    Start date, frequency, duration, end, number of occurrences, and end date

  4. To make the access review recurring, change the Frequency setting from One time to Weekly, Monthly, Quarterly, Annually, or Semi-annually. Use the Duration slider or text box to define how many days each review of the recurring series will be open for input from reviewers. For example, the maximum duration that you can set for a monthly review is 27 days, to avoid overlapping reviews.

  5. Use the End setting to specify how to end the recurring access review series. The series can end in three ways: it runs continuously to start reviews indefinitely, until a specific date, or after a defined number of occurrences has been completed. You, another User administrator, or another Global administrator can stop the series after creation by changing the date in Settings, so that it ends on that date.

  6. In the Users section, select one or more roles whose membership you want to review.

    Scope of users whose role membership can be reviewed

    Note

    Selecting more than one role will create multiple access reviews. For example, selecting five roles will create five separate access reviews.

    If you are creating an access review of Azure AD roles, the following shows an example of the Review membership list.

    Review membership pane listing the Azure AD roles that can be selected

    If you are creating an access review of Azure resource roles, the following shows an example of the Review membership list.

    Review membership pane listing the Azure resource roles that can be selected

  7. In the Reviewers section, select one or more people to review all the users. Or you can select to have the members review their own access.

    Reviewers list with the options Selected users or Members (self)

    • Selected users - Use this option when you don't know who needs access. With this option, you can assign the review to a resource owner or group manager to complete.
    • Members (self) - Use this option to have the users review their own role assignments.

Upon completion settings

  1. To specify what happens after a review completes, expand the Upon completion settings section.

    Upon completion settings: Auto apply results to resource and Should reviewer not respond

  2. If you want to automatically remove access for users that were denied, set Auto apply results to resource to Enable. If you want to manually apply the results when the review completes, set the switch to Disable.

  3. Use the Should reviewer not respond list to specify what happens for users that are not reviewed by the reviewer within the review period. This setting does not affect users who have been reviewed by the reviewers manually. If the final reviewer's decision is Deny, then the user's access will be removed.

    • No change - Leave user's access unchanged
    • Remove access - Remove user's access
    • Approve access - Approve user's access
    • Take recommendations - Take the system's recommendation on denying or approving the user's continued access
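How Auto apply results to resource and Should reviewer not respond combine with the reviewers' own decisions is easy to get wrong, so here is an added Python example (not part of the article and not PIM code) that works the outcome out for a constructed set of members of one privileged role. The `Member` record, the `complete_review` function and the "NotReviewed" label are this example's own assumptions; the rules it encodes are the ones stated above: a manual Approve or Deny is never overridden by the default, Deny removes the assignment, and nothing is removed until results are applied, automatically or by hand.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Options of the "Should reviewer not respond" list, mapped to the decision recorded for a
# member the reviewer never acted on. "NotReviewed" is this example's label for "No change":
# the assignment stays exactly as it was. "Recommendation" is resolved per member below.
DEFAULT_FOR_NON_RESPONSE = {
    "No change": "NotReviewed",
    "Remove access": "Deny",
    "Approve access": "Approve",
    "Take recommendations": "Recommendation",
}


@dataclass
class Member:
    upn: str
    reviewer_decision: Optional[str]  # "Approve", "Deny", or None if the reviewer never responded
    recommendation: str               # what Show recommendations would suggest: "Approve" or "Deny"


def final_decision(member: Member, not_respond_setting: str) -> str:
    """Decision recorded for one member when the review period ends."""
    if member.reviewer_decision in ("Approve", "Deny"):
        # A decision the reviewer made by hand is never changed by the default setting.
        return member.reviewer_decision
    default = DEFAULT_FOR_NON_RESPONSE[not_respond_setting]
    return member.recommendation if default == "Recommendation" else default


def complete_review(members: List[Member], not_respond_setting: str, auto_apply: bool) -> Dict[str, List[str]]:
    """Work out what happens to each member's role assignment at the end of the review.

    Returns the UPNs that lose the role as soon as results apply (auto-apply on), the ones an
    admin still has to act on by applying results manually (auto-apply off), the approved ones,
    and the ones that were never reviewed and keep the role unchanged. That last group is the
    stale-assignment risk the review exists to catch, so it is worth following up on.
    """
    decisions = {m.upn: final_decision(m, not_respond_setting) for m in members}
    denied = sorted(u for u, d in decisions.items() if d == "Deny")
    return {
        "removed": denied if auto_apply else [],
        "pending_manual_apply": [] if auto_apply else denied,
        "approved": sorted(u for u, d in decisions.items() if d == "Approve"),
        "kept_unreviewed": sorted(u for u, d in decisions.items() if d == "NotReviewed"),
    }


# Constructed sample membership of one privileged role (names and domain are made up).
SAMPLE_MEMBERS = [
    Member("alice@contoso.example", "Approve", "Deny"),  # reviewer approved despite a Deny recommendation
    Member("bob@contoso.example", None, "Deny"),         # reviewer never responded; looks stale
    Member("carol@contoso.example", "Deny", "Approve"),  # reviewer denied
    Member("dave@contoso.example", None, "Approve"),     # reviewer never responded; still active
]

if __name__ == "__main__":
    print(complete_review(SAMPLE_MEMBERS, "Take recommendations", auto_apply=True))
    print(complete_review(SAMPLE_MEMBERS, "No change", auto_apply=False))
```

With Take recommendations and auto-apply on, bob and carol are removed and alice keeps the role because the reviewer's explicit approval wins; with No change and auto-apply off, nobody is removed yet, carol waits for a manual apply, and bob and dave silently keep their assignments, which is the combination to watch for.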

Advanced settings

  1. To specify additional settings, expand the Advanced settings section.

    Advanced settings for Show recommendations, Require reason on approval, Mail notifications, and Reminders

  2. Set Show recommendations to Enable to show the reviewers the system recommendations based on the user's access information.

  3. Set Require reason on approval to Enable to require the reviewer to supply a reason for approval.

  4. Set Mail notifications to Enable to have Azure AD send email notifications to reviewers when an access review starts, and to administrators when a review completes.

  5. Set Reminders to Enable to have Azure AD send reminders of access reviews in progress to reviewers who have not completed their review.

Start the access review

Once you have specified the settings for an access review, select Start. The access review will appear in your list with an indicator of its status.

Access reviews list showing the status of the started review

By default, Azure AD sends an email to reviewers shortly after the review starts. If you choose not to have Azure AD send the email, be sure to inform the reviewers that an access review is waiting for them to complete. You can show them the instructions for how to review access to Azure AD roles.

Manage the access review

You can track the progress as the reviewers complete their reviews on the Overview page of the access review. No access rights are changed in the directory until the review is completed.

Access review overview page showing the details of the review

If this is a one-time review, then after the access review period is over or the administrator stops the access review, follow the steps in Complete an access review of Azure AD roles to see and apply the results.

To manage a series of access reviews, navigate to the access review; you will find upcoming occurrences under Scheduled reviews, where you can edit the end date or add or remove reviewers accordingly.

Based on your selections in Upon completion settings, auto-apply is executed after the review's end date or when you manually stop the review. The status of the review changes from Completed through intermediate states such as Applying and finally to Applied. You should expect to see denied users, if any, removed from roles within a few minutes.

Next steps