Activate my Azure resource roles in Privileged Identity Management

Use Privileged Identity Management (PIM) to let eligible role members for Azure resources activate a role on demand, or schedule the activation for a future date and time. They can also choose a specific activation duration, up to the maximum configured by administrators.

This article is for members who need to activate their Azure resource roles in Privileged Identity Management.

Activate a role

When you need to take on an Azure resource role, request activation from the My roles navigation option in Privileged Identity Management.

  1. Sign in to the Azure portal.

  2. Open Azure AD Privileged Identity Management. For information about how to add the Privileged Identity Management tile to your dashboard, see Start using Privileged Identity Management.

  3. Select My roles.

    The My roles page showing the roles that can be activated

  4. Select Azure resource roles to see the list of Azure resource roles you are eligible for.

    The My roles - Azure resource roles page

  5. In the Azure resource roles list, find the role you want to activate.

    Azure resource roles - list of my eligible roles

  6. Select Activate to open the Activate page.

    The Activate pane, with scope, start time, duration and reason

  7. If the role requires multi-factor authentication, select Verify your identity before proceeding. You only need to authenticate once per session.

    Verify your identity with MFA before activating the role

  8. Select Verify my identity and follow the instructions to provide additional security verification.

    Screen for providing security verification, such as a PIN code

  9. If you want to specify a reduced scope, select Scope to open the Resource filter pane.

    It is a best practice to request access only to the resources you need. On the Resource filter pane you can specify the resource groups or individual resources you need access to; the activated permissions then apply only within that narrower scope rather than across the whole subscription.

    The Activate - Resource filter pane for specifying the scope

  10. If necessary, specify a custom activation start time. The role is not activated immediately in that case; it becomes active at the time you select.

  11. In the Reason box, enter the reason for the activation request.

    The completed Activate pane, with scope, start time, duration and reason

  12. Select Activate.

    If the role requires approval to activate, a notification appears in the upper-right corner of your browser informing you that the request is pending approval.

    The "activation request is pending approval" notification

View the status of your requests

You can view the status of your pending activation requests.

  1. Open Azure AD Privileged Identity Management.

  2. Select My requests to see the list of your Azure AD role and Azure resource role requests.

    The My requests - Azure resources page showing pending requests

  3. Scroll to the right to view the Request Status column.

Cancel a pending request

If you no longer need to activate a role that requires approval, you can cancel the pending request at any time.

  1. Open Azure AD Privileged Identity Management.

  2. Select My requests.

  3. For the role whose request you want to cancel, select the Cancel link.

    When you select Cancel, the request is canceled. To activate the role again, you have to submit a new activation request.

    The My requests list with the Cancel action highlighted

Troubleshoot

Permissions are not granted after activating a role

When you activate a role in Privileged Identity Management, the activation may not propagate instantly to every portal that requires the privileged role. Sometimes, even after the change has propagated, web caching in a portal can keep it from taking effect immediately. If your activation appears to be delayed, do the following.

  1. Sign out of the Azure portal and then sign back in.
  2. In Privileged Identity Management, verify that you are listed as a member of the role.
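The same lifecycle the portal steps describe, as an added example that is not part of the original article: confirm eligibility (steps 4-5), self-activate at a reduced scope with a bounded duration and a justification (steps 9-12), list and check the status of your requests, cancel a request that is still pending approval, and verify the provisioned assignment as in step 2 of the troubleshooting list above. It uses the PIM cmdlets in the Az.Resources module (Get-AzRoleEligibilitySchedule, New-AzRoleAssignmentScheduleRequest, Get-AzRoleAssignmentScheduleRequest, Stop-AzRoleAssignmentScheduleRequest, Get-AzRoleAssignmentScheduleInstance). The subscription ID, resource group name, role name and justification text are placeholders I have assumed, not values from the article.

```powershell
# Added example, not from the original article: the PIM activation lifecycle from
# Az PowerShell (Az.Accounts and Az.Resources). The subscription ID, resource
# group, role and justification below are placeholders (assumptions).
# If the role requires MFA, that requirement has to be satisfied by this
# sign-in; the API does not step you up interactively the way step 7 does.
Connect-AzAccount

$subscriptionId    = '00000000-0000-0000-0000-000000000000'           # placeholder
$subscriptionScope = "/subscriptions/$subscriptionId"
$roleName          = 'Contributor'                                     # placeholder eligible role
# Reduced scope (best practice from step 9): one resource group, not the subscription.
$targetScope       = "$subscriptionScope/resourceGroups/rg-example"   # placeholder resource group

$me               = Get-AzADUser -SignedIn
$roleDefinitionId = "$subscriptionScope/providers/Microsoft.Authorization/roleDefinitions/" +
                    (Get-AzRoleDefinition -Name $roleName).Id

# Steps 4-5: confirm you are actually eligible. asTarget() limits the result to
# eligibilities granted to the signed-in principal.
$eligibility = Get-AzRoleEligibilitySchedule -Scope $subscriptionScope -Filter 'asTarget()' |
    Where-Object { $_.RoleDefinitionId -eq $roleDefinitionId }
if (-not $eligibility) {
    throw "No eligible assignment for '$roleName' at or above $subscriptionScope."
}

# Steps 9-12: submit the self-activation request. The request name must be a fresh
# GUID; keep it, because status checks and cancellation are keyed on it.
# ExpirationDuration is ISO 8601 and must not exceed the maximum the administrator
# configured, or the request is rejected. A ScheduleInfoStartDateTime in the future
# schedules the activation instead of activating now (step 10).
$requestName = (New-Guid).ToString()
$request = New-AzRoleAssignmentScheduleRequest `
    -Name                      $requestName `
    -Scope                     $targetScope `
    -PrincipalId               $me.Id `
    -RoleDefinitionId          $roleDefinitionId `
    -RequestType               SelfActivate `
    -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
    -ExpirationType            AfterDuration `
    -ExpirationDuration        'PT4H' `
    -Justification             'INC0001: rotate storage account keys in rg-example'   # constructed reason
"Submitted request $requestName, status: $($request.Status)"   # e.g. Provisioned or PendingApproval

# View the status of your requests: the same list the portal's My requests page shows.
Get-AzRoleAssignmentScheduleRequest -Scope $targetScope -Filter 'asRequestor()' |
    Select-Object Name, RequestType, Status, Scope, CreatedOn

# Cancel a pending request. This only applies while the request is still awaiting
# approval; afterwards you must submit a new request to activate again.
$current = Get-AzRoleAssignmentScheduleRequest -Scope $targetScope -Name $requestName
if ($current.Status -eq 'PendingApproval') {
    Stop-AzRoleAssignmentScheduleRequest -Scope $targetScope -Name $requestName
}

# Troubleshoot step 2: verify you are listed as an active member of the role.
# Schedule instances are what PIM has actually provisioned, so a Provisioned
# instance here means the activation went through even if a portal is still
# showing a cached view.
Get-AzRoleAssignmentScheduleInstance -Scope $targetScope -Filter 'asTarget()' |
    Where-Object { $_.RoleDefinitionId -eq $roleDefinitionId } |
    Select-Object Scope, AssignmentType, Status, StartDateTime, EndDateTime
```

Querying eligibility at the subscription scope but activating at the resource group scope is deliberate: an eligibility inherited from the subscription can be activated at any scope beneath it, and activating at the narrowest scope that covers the task is what step 9 recommends.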

Next steps