Approve or deny requests for Azure resource roles in Privileged Identity Management

With Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), you can configure roles to require approval for activation, and choose users or groups from your Azure AD organization as delegated approvers. We recommend selecting two or more approvers for each role to reduce workload for the privileged role administrator. Delegated approvers have 24 hours to approve requests. If a request is not approved within 24 hours, the eligible user must submit a new request. The 24-hour approval time window is not configurable.

Follow the steps in this article to approve or deny requests for Azure resource roles.

View pending requests

As a delegated approver, you'll receive an email notification when an Azure resource role request is pending your approval. You can view these pending requests in Privileged Identity Management.

  1. Sign in to the Azure portal.

  2. Open Azure AD Privileged Identity Management.

  3. Select Approve requests.

    "Approve requests - Azure resources" page showing the requests to review

    In the Requests for role activations section, you'll see a list of requests pending your approval.

Approve requests

  1. Find and select the request that you want to approve. An approve or deny page appears.

    "Approve requests - approve or deny" pane with details and the Justification box

  2. In the Justification box, enter the business justification.

  3. Select Approve. You will receive an Azure notification of your approval.

    Approval notification showing that the request was approved

Deny requests

  1. Find and select the request that you want to deny. An approve or deny page appears.

    "Approve requests - approve or deny" pane with details and the Justification box

  2. In the Justification box, enter the business justification.

  3. Select Deny. A notification appears with your denial.

Workflow notifications

Here's some information about workflow notifications:

  • Approvers are notified by email when a request for a role is pending their review. Email notifications include a direct link to the request, where the approver can approve or deny.
  • Requests are resolved by the first approver who approves or denies.
  • When an approver responds to the request, all approvers are notified of the action.
  • Resource administrators are notified when an approved user becomes active in their role.

Note

A resource administrator who believes that an approved user should not be active can remove the active role assignment in Privileged Identity Management. Although resource administrators are not notified of pending requests unless they are an approver, they can view and cancel pending requests for all users by viewing pending requests in Privileged Identity Management.
