在 Privileged Identity Management 中配置 Azure 资源角色设置Configure Azure resource role settings in Privileged Identity Management

配置 Azure 资源角色设置时,可定义应用于 Azure Active Directory (Azure AD) Privileged Identity Management (PIM) 中的 Azure 资源角色分配的默认设置。When you configure Azure resource role settings, you define the default settings that are applied to Azure resource role assignments in Azure Active Directory (Azure AD) Privileged Identity Management (PIM). 使用以下步骤配置审批工作流并指定谁可以批准或拒绝请求。Use the following procedures to configure the approval workflow and specify who can approve or deny requests.

打开角色设置Open role settings

请遵循以下步骤打开 Azure 资源角色的设置。Follow these steps to open the settings for an Azure resource role.

  1. 使用具有特权角色管理员角色的用户登录到 Azure 门户Sign in to Azure portal with a user in the Privileged Role Administrator role.

  2. 打开“Azure AD Privileged Identity Management”。 Open Azure AD Privileged Identity Management.

  3. 选择“Azure 资源” 。Select Azure resources.

  4. 选择要管理的资源,如订阅或管理组。Select the resource you want to manage, such as a subscription or management group.

    列出可以管理的资源的“Azure 资源”页

  5. 选择 “角色设置”。Select Role settings.

    列出 Azure 资源角色的“角色设置”页

  6. 选择要配置其设置的角色。Select the role whose settings you want to configure.


  7. 选择“编辑”打开“角色设置”窗格。 Select Edit to open the Role settings pane. 第一个选项卡用于更新在 Privileged Identity Management 中激活角色所需的配置。The first tab allows you to update the configuration for role activation in Privileged Identity Management.


  8. 选择“分配” 选项卡或页面底部的“下一步: 分配”按钮,打开分配设置选项卡。这些设置控制在 Privileged Identity Management 界面中进行的角色分配。Select the Assignment tab or the Next: Assignment button at the bottom of the page to open the assignment setting tab. These settings control role assignments made inside the Privileged Identity Management interface.


  9. 使用“通知”选项卡或页面底部的 “下一步: 激活”按钮即可转到此角色的通知设置选项卡。Use the Notification tab or the Next: Activation button at the bottom of the page to get to the notification setting tab for this role. 这些设置控制与此角色相关的所有电子邮件通知。These settings control all the email notifications related to this role.


    在角色设置页上的“通知” 选项卡上,Privileged Identity Management 允许对接收通知的人员及其收到的通知进行精细控制。In the Notifications tab on the role settings page, Privileged Identity Management enables granular control over who receives notifications and which notifications they receive.

    • 关闭电子邮件Turning off an email
      可以通过清除“默认收件人”复选框并删除任何其他收件人来关闭特定电子邮件。You can turn off specific emails by clearing the default recipient check box and deleting any additional recipients.

    • 将电子邮件限制为指定的电子邮件地址Limit emails to specified email addresses
      可以通过清除“默认收件人”复选框来关闭发送给默认收件人的电子邮件。You can turn off emails sent to default recipients by clearing the default recipient checkbox. 然后,可以添加其他电子邮件地址作为其他收件人。You can then add additional email addresses as additional recipients. 如果要添加多个电子邮件地址,请使用分号 (;) 分隔它们。If you want to add more than one email address, separate them using a semicolon (;).

    • 向默认收件人和其他收件人发送电子邮件Send emails to both default recipients and additional recipients
      可以通过选择“默认收件人”复选框并添加其他收件人的电子邮件地址,将电子邮件发送给默认收件人和其他收件人。You can send emails to both default recipient and additional recipient by selecting the default recipient checkbox and adding email addresses for additional recipients.

    • 仅限关键电子邮件Critical emails only
      对于每种类型的电子邮件,可以选择该复选框以仅接收关键电子邮件。For each type of email, you can select the checkbox to receive critical emails only. 这意味着,仅当电子邮件需要即时操作时,Privileged Identity Management 才会继续向配置的收件人发送电子邮件。What this means is that Privileged Identity Management will continue to send emails to the configured recipients only when the email requires an immediate action. 例如,将要触发要求管理员批准扩展请求的电子邮件时,不会触发要求用户扩展其角色分配的电子邮件。For example, emails asking users to extend their role assignment will not be triggered while an emails requiring admins to approve an extension request will be triggered.

  10. 随时选择“更新”按钮,对角色设置进行更新。 Select the Update button at any time to update the role settings.

分配持续时间Assignment duration

配置角色的设置时,可以从用于每种分配类型(合格和活动)的两个分配持续时间选项中进行选择·。You can choose from two assignment duration options for each assignment type (eligible and active) when you configure settings for a role. 在 Privileged Identity Management 中将用户分配到角色时,这些选项将成为默认的最大持续时间。These options become the default maximum duration when a user is assigned to the role in Privileged Identity Management.

可以选择其中一个合格的 分配持续时间选项:You can choose one of these eligible assignment duration options:

允许永久的合格分配Allow permanent eligible assignment 资源管理员可以分配永久的合格分配。Resource administrators can assign permanent eligible assignment.
使合格分配在以下时间后过期Expire eligible assignment after 资源管理员可以要求所有合格分配都具有指定的开始和结束日期。Resource administrators can require that all eligible assignments have a specified start and end date.

并且,可以选择其中一个活动 分配持续时间选项:And, you can choose one of these active assignment duration options:

允许永久的活动分配Allow permanent active assignment 资源管理员可以分配永久的活动分配。Resource administrators can assign permanent active assignment.
使活动分配在以下时间后过期Expire active assignment after 资源管理员可以要求所有活动分配都具有指定的开始和结束日期。Resource administrators can require that all active assignments have a specified start and end date.


资源管理员可续订具有特定结束日期的所有分配。All assignments that have a specified end date can be renewed by resource administrators. 此外,用户也可启动自助服务请求来扩展或续订角色分配Also, users can initiate self-service requests to extend or renew role assignments.

需要多重身份验证Require multi-factor authentication

Privileged Identity Management 提供了两种不同的可选 Azure AD 多重身份验证强制执行方案。Privileged Identity Management provides optional enforcement of Azure AD Multi-Factor Authentication for two distinct scenarios.

要求在活动分配时进行多重身份验证Require Multi-Factor Authentication on active assignment

在某些情况下,你可能希望为用户或组分配短期(例如,一天)角色。In some cases, you might want to assign a user or group to a role for a short duration (one day, for example). 在这种情况下,分配的成员不需要请求激活。In this case, the assigned users don't need to request activation. 在这种情况下,Privileged Identity Management 无法在用户使用其角色分配时强制实施多重身份验证,因为从分配角色时起,用户就已经在角色中处于活动状态。In this scenario, Privileged Identity Management can't enforce multi-factor authentication when the user uses their role assignment because they are already active in the role from the time that it is assigned.

为确保完成分配的资源管理员是其本人,可以通过选中“在活动分配时要求进行多重身份验证” 框来对活动分配强制执行多重身份验证。To ensure that the resource administrator fulfilling the assignment is who they say they are, you can enforce multi-factor authentication on active assignment by checking the Require Multi-Factor Authentication on active assignment box.

要求在激活时进行多重身份验证Require Multi-Factor Authentication on activation

可以要求符合角色条件的用户通过 Azure AD 多重身份验证来证明其身份,然后才允许其激活。You can require users who are eligible for a role to prove who they are using Azure AD Multi-Factor Authentication before they can activate. 多重身份验证能够以合理的确定性确保用户是其本人。Multi-factor authentication ensures that the user is who they say they are with reasonable certainty. 强制执行此选项可以在用户帐户可能已遭入侵的情况下保护关键资源。Enforcing this option protects critical resources in situations when the user account might have been compromised.

若要在激活前要求进行多重身份验证,请选中“在激活时要求进行多重身份验证” 框。To require multi-factor authentication before activation, check the Require Multi-Factor Authentication on activation box.

有关详细信息,请参阅多重身份验证和 Privileged Identity ManagementFor more information, see Multi-factor authentication and Privileged Identity Management.

最长激活持续时间Activation maximum duration

使用“最长激活持续时间” 滑块是角色在过期前保持活动状态的最大时间(以小时为单位)。Use the Activation maximum duration slider to set the maximum time, in hours, that a role stays active before it expires. 此值可以是 1 到 24 个小时。This value can be from one to 24 hours.

需要理由Require justification

你可以要求用户在激活时输入业务理由。You can require that users enter a business justification when they activate. 若需要理由,请选中“在活动分配时需要理由” 框或“在激活时需要理由” 框。To require justification, check the Require justification on active assignment box or the Require justification on activation box.

需要批准才能激活Require approval to activate

如果要求批准以激活角色,请按照以下步骤操作。If you want to require approval to activate a role, follow these steps.

  1. 选中“需要批准以激活” 复选框。Check the Require approval to activate check box.

  2. 选择“选择审批者”打开“选择成员或组”页 。Select Select approvers to open the Select a member or group page.


  3. 至少选择一个用户或组,然后单击“选择” 。Select at least one user or group and then click Select. 可以添加任何用户和组的组合。You can add any combination of users and groups. 必须至少选择 1 个审批者。You must select at least one approver. 没有默认的审批者。There are no default approvers.

    所选项将出现在所选审批者列表中。Your selections will appear in the list of selected approvers.

  4. 在指定所有角色设置后,选择“更新” 以保存更改。Once you have specified your all your role settings, select Update to save your changes.

后续步骤Next steps