Create an access review of Azure resource roles in Privileged Identity Management

Access to privileged Azure resource roles for employees changes over time. To reduce the risk associated with stale role assignments, you should regularly review access. You can use Azure Active Directory (Azure AD) Privileged Identity Management (PIM) to create access reviews for privileged Azure resource roles. You can also configure recurring access reviews that occur automatically.

This article describes how to create one or more access reviews for privileged Azure resource roles.

To create access reviews, you must be assigned to the Owner or User Access Administrator Azure role for the resource.

Open access reviews

  1. Sign in to the Azure portal with a user that is a member of the Privileged Role Administrator role.

  2. Open Azure AD Privileged Identity Management.

  3. In the left menu, select Azure resources.

  4. Select the resource you want to manage, such as a subscription.

  5. Under Manage, select Access reviews.

    (Screenshot: Azure resources - Access reviews list showing the status of all reviews)

Create one or more access reviews

  1. Click New to create a new access review.

  2. Name the access review. Optionally, give the review a description. The name and description are shown to the reviewers.

    (Screenshot: Create an access review - review name and description)

  3. Set the Start date. By default, an access review occurs once, starts at the same time it's created, and ends in one month. You can change the start and end dates to have an access review start in the future and last however many days you want.

  4. To make the access review recurring, change the Frequency setting from One time to Weekly, Monthly, Quarterly, Annually, or Semi-annually. Use the Duration slider or text box to define how many days each review of the recurring series will be open for input from reviewers. For example, the maximum duration that you can set for a monthly review is 27 days, to avoid overlapping reviews.

  5. Use the End setting to specify how to end the recurring access review series. The series can end in one of three ways: it runs continuously and starts reviews indefinitely, it runs until a specific date, or it runs until a defined number of occurrences has been completed. You, another User administrator, or another Global administrator can stop the series after creation by changing the date in Settings, so that it ends on that date.

  6. In the Users section, select one or more roles whose membership you want to review.

    • Roles selected here include both permanent and eligible roles.
    • Selecting more than one role will create multiple access reviews. For example, selecting five roles will create five separate access reviews.

    If you are creating an access review of Azure AD roles, the following shows an example of the Review membership list.

    (Screenshot: Review membership pane listing the Azure AD roles that can be selected)

    If you are creating an access review of Azure resource roles, the following image shows an example of the Review membership list.

    (Screenshot: Review membership pane listing the Azure resource roles that can be selected)

  7. In the Reviewers section, select one or more people to review all the users. Or you can select to have the members review their own access.

    • Selected users - Use this option when you don't know who needs access. With this option, you can assign the review to a resource owner or group manager to complete.
    • Members (self) - Use this option to have the users review their own role assignments.
    • (Preview) Manager - Use this option to have the user's manager review their role assignment. Upon selecting (Preview) Manager, you will also have the option to specify a fallback reviewer. Fallback reviewers are asked to review a user when the user has no manager specified in the directory.
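The Frequency, Duration and End settings in steps 3 to 5 together define when each occurrence of a recurring series opens and closes, and the 27-day cap on monthly reviews exists so that one occurrence is closed before the next one starts. The following Python model, added here as an illustration and not part of the article or of the PIM product, expands a series into its review windows and checks them for overlap. The function and parameter names, the month-based interval mapping, and the cap used to preview a series that runs indefinitely are assumptions of this example; the portal's own 27-day monthly limit is stricter than the calendar-derived minimum gap the example computes.

```python
from calendar import monthrange
from datetime import date, timedelta

# Frequency options from the Frequency setting, expressed as a month interval.
# Weekly is handled in days. This mapping is an assumption of this example.
MONTHS_PER_OCCURRENCE = {"Monthly": 1, "Quarterly": 3, "Semi-annually": 6, "Annually": 12}


def day(iso: str) -> date:
    """Convenience parser for ISO dates used in the examples below."""
    return date.fromisoformat(iso)


def add_months(d: date, months: int) -> date:
    """Advance a date by whole months, clamping the day to the target month's length."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))


def occurrence_start(first_start: date, frequency: str, n: int) -> date:
    """Start date of occurrence n of the series (n = 0 is the first review)."""
    if frequency == "One time":
        if n != 0:
            raise ValueError("a one-time review has a single occurrence")
        return first_start
    if frequency == "Weekly":
        return first_start + timedelta(weeks=n)
    return add_months(first_start, MONTHS_PER_OCCURRENCE[frequency] * n)


def review_windows(first_start: date, frequency: str, duration_days: int,
                   end_mode: str, end_value=None, preview_cap: int = 12) -> list:
    """Expand a series into (open, close) windows; close is the last day reviewers may respond.

    end_mode mirrors the End setting: "never" runs indefinitely (capped at preview_cap
    occurrences here so the example terminates), "date" stops once an occurrence would
    start after end_value, and "occurrences" stops after end_value occurrences.
    """
    if duration_days < 1:
        raise ValueError("duration must be at least one day")
    windows, n = [], 0
    while True:
        if end_mode == "occurrences" and n >= end_value:
            break
        if end_mode == "never" and n >= preview_cap:
            break
        if frequency == "One time" and n >= 1:
            break
        start = occurrence_start(first_start, frequency, n)
        if end_mode == "date" and start > end_value:
            break
        windows.append((start, start + timedelta(days=duration_days - 1)))
        n += 1
    return windows


def overlapping_windows(windows: list) -> list:
    """Index pairs (i, i+1) where occurrence i is still open on the day occurrence i+1 starts."""
    return [(i, i + 1) for i in range(len(windows) - 1) if windows[i][1] >= windows[i + 1][0]]


def longest_non_overlapping_duration(first_start: date, frequency: str, occurrences: int) -> int:
    """Largest duration in days for which no two consecutive occurrences overlap."""
    starts = [occurrence_start(first_start, frequency, n) for n in range(occurrences)]
    gaps = [(b - a).days for a, b in zip(starts, starts[1:])]
    return min(gaps) if gaps else 0


if __name__ == "__main__":
    series = review_windows(day("2023-01-01"), "Monthly", 27, "occurrences", 12)
    for opened, closed in series:
        print(f"open {opened} .. close {closed}")
    print("overlaps:", overlapping_windows(series))
    print("calendar minimum gap for monthly in 2023:",
          longest_non_overlapping_duration(day("2023-01-01"), "Monthly", 12), "days")
```

A 27-day monthly series started on 1 January produces no overlaps, while a 29-day duration makes the February occurrence run into March; the shortest gap between monthly starts in a non-leap year is 28 days, which is why a cap below that keeps consecutive reviews apart regardless of the start month.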

Upon completion settings

  1. To specify what happens after a review completes, expand the Upon completion settings section.

  2. If you want to automatically remove access for users that were denied, set Auto apply results to resource to Enable. If you want to manually apply the results when the review completes, set the switch to Disable.

  3. Use the Should reviewer not respond list to specify what happens for users that are not reviewed by the reviewer within the review period. This setting does not affect users who have been reviewed manually by the reviewers. If the final reviewer's decision is Deny, then the user's access will be removed.

    • No change - Leave the user's access unchanged
    • Remove access - Remove the user's access
    • Approve access - Approve the user's access
    • Take recommendations - Take the system's recommendation on denying or approving the user's continued access
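The interaction between Auto apply results to resource and Should reviewer not respond is easiest to see on a small set of assignments. The following Python is an added illustration of that decision logic, not code from the article or from PIM: the data classes, function names and the constructed sample assignments are assumptions of this example, and the recommendation values are supplied as input rather than derived, since the article does not describe how the system computes them.

```python
from dataclasses import dataclass
from typing import Optional

# Values of the Should reviewer not respond list, as named in the portal.
NO_CHANGE = "No change"
REMOVE_ACCESS = "Remove access"
APPROVE_ACCESS = "Approve access"
TAKE_RECOMMENDATIONS = "Take recommendations"


@dataclass
class Assignment:
    """One user's assignment to one Azure resource role under review (constructed data)."""
    user: str
    role: str
    recommendation: str                     # system recommendation: "Approve" or "Deny"
    reviewer_decision: Optional[str] = None  # "Approve" / "Deny" once reviewed, else None


def final_decision(assignment: Assignment, if_not_responded: str) -> str:
    """Decision that applies once the review period ends.

    A manual reviewer decision is never overridden. Only assignments the reviewer did not
    respond to fall back to the Should reviewer not respond setting.
    """
    if assignment.reviewer_decision is not None:
        return assignment.reviewer_decision
    if if_not_responded == NO_CHANGE:
        return "NotReviewed"            # access is left as it is
    if if_not_responded == REMOVE_ACCESS:
        return "Deny"
    if if_not_responded == APPROVE_ACCESS:
        return "Approve"
    if if_not_responded == TAKE_RECOMMENDATIONS:
        return assignment.recommendation
    raise ValueError(f"unknown Should reviewer not respond value: {if_not_responded!r}")


def apply_results(assignments: list, if_not_responded: str, auto_apply: bool):
    """Return (decisions, removed): decisions keyed by (user, role), and the assignments
    whose access is removed. With auto-apply disabled nothing is removed until an
    administrator applies the results manually, so removed is empty."""
    decisions = {(a.user, a.role): final_decision(a, if_not_responded) for a in assignments}
    if not auto_apply:
        return decisions, []
    removed = [key for key, decision in decisions.items() if decision == "Deny"]
    return decisions, removed


# Constructed sample: two assignments were reviewed, two received no response.
SAMPLE = [
    Assignment("alice", "Contributor", recommendation="Approve", reviewer_decision="Approve"),
    Assignment("bob", "Contributor", recommendation="Approve", reviewer_decision="Deny"),
    Assignment("carol", "Owner", recommendation="Deny"),
    Assignment("dave", "Reader", recommendation="Approve"),
]


if __name__ == "__main__":
    for setting in (NO_CHANGE, REMOVE_ACCESS, APPROVE_ACCESS, TAKE_RECOMMENDATIONS):
        decisions, removed = apply_results(SAMPLE, setting, auto_apply=True)
        print(f"{setting:22s} removed: {[u for u, _ in removed]}")
```

Bob is removed under every setting because his reviewer explicitly denied him; Carol and Dave, who were never reviewed, are removed only when the unanswered default is Remove access, or when it is Take recommendations and the recommendation is Deny.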

Advanced settings

  1. To specify additional settings, expand the Advanced settings section.

  2. Set Show recommendations to Enable to show the reviewers the system recommendations based on the user's access information.

  3. Set Require reason on approval to Enable to require the reviewer to supply a reason for approval.

  4. Set Mail notifications to Enable to have Azure AD send email notifications to reviewers when an access review starts, and to administrators when a review completes.

  5. Set Reminders to Enable to have Azure AD send reminders of access reviews in progress to reviewers who have not completed their review.

  6. The content of the email sent to reviewers is autogenerated from the review details, such as the review name, resource name, and due date. If you need a way to communicate additional information, such as further instructions or contact information, you can specify these details in Additional content for reviewer email; they will be included in the invitation and reminder emails sent to the assigned reviewers. The highlighted section below is where this information will be displayed.

Start the access review

Once you have specified the settings for an access review, click Start. The access review will appear in your list with an indicator of its status.

By default, Azure AD sends an email to reviewers shortly after the review starts. If you choose not to have Azure AD send the email, be sure to inform the reviewers that an access review is waiting for them to complete. You can show them the instructions for how to review access to Azure resource roles.

Manage the access review

You can track the progress as the reviewers complete their reviews on the Overview page of the access review. No access rights are changed in the directory until the review is completed.

If this is a one-time review, then after the access review period is over or the administrator stops the access review, follow the steps in Complete an access review of Azure resource roles to see and apply the results.

To manage a series of access reviews, navigate to the access review; you will find upcoming occurrences under Scheduled reviews, where you can edit the end date or add and remove reviewers accordingly.

Based on your selections in Upon completion settings, auto-apply will be executed after the review's end date or when you manually stop the review. The status of the review will change from Completed through intermediate states such as Applying and finally to Applied. You should expect to see denied users, if any, removed from their roles within a few minutes.

Next steps