Discovery and insights (preview) for Azure AD roles (formerly Security Wizard)

If you're starting out with Privileged Identity Management (PIM) in your Azure Active Directory (Azure AD) organization, the Discovery and insights (preview) page is the place to begin. It shows who is assigned to privileged roles in your organization and lets you use PIM to quickly change permanent role assignments into just-in-time (eligible) assignments. You can both view your permanent privileged role assignments and change them from this page: it is an analysis tool and an action tool.

Discovery and insights (preview)

Before your organization starts using Privileged Identity Management, all role assignments are permanent: users hold their assigned roles at all times, even when they don't need the privileges. Discovery and insights (preview), which replaces the former Security Wizard, lists the privileged roles and how many users currently hold each one. You can expand the assignments for a role to learn more about the assigned users, for example when one or more of them are unfamiliar.

✔️ Microsoft recommends that you keep two break-glass (emergency access) accounts permanently assigned to the Global Administrator role. Make sure these accounts don't depend on the same multi-factor authentication mechanism as your normal administrative accounts to sign in, as described in Manage emergency access accounts in Azure AD.

Also keep the role assignment permanent for any user who signs in with a Microsoft account (that is, a personal account used for Microsoft services such as Skype or Outlook.com). If multi-factor authentication is required for a user with a Microsoft account to activate a role assignment, that user will be locked out.

Open Discovery and insights (preview)

  1. Sign in to the Azure portal.

  2. Open Azure AD Privileged Identity Management.

  3. Select Azure AD roles, and then select Discovery and insights (Preview). Opening the page starts the discovery process that finds the relevant role assignments.

    Screenshot: Azure AD roles - Discovery and insights page showing three options

  4. Select Reduce global administrators.

    Screenshot: Discovery and insights (preview) with the Reduce global administrators action selected

  5. Review the list of Global Administrator role assignments. Look for accounts you don't recognize, for service principals, and for the accounts that should stay permanent (the break-glass accounts and Microsoft-account users noted above).

    Screenshot: Reduce global administrators - Role pane listing all global administrators

  6. Select Next, select the users or groups you want to make eligible, and then select Make eligible or Remove assignment. A principal that is made eligible keeps the role but must activate it through PIM before using it.

    Screenshot: Convert members to eligible page showing the option to select the members to make eligible for the role

  7. You can also require all global administrators to review their own access.

    Screenshot: Global administrators page showing the Access reviews section

  8. After you select any of these changes, you'll see an Azure notification.

  9. You can then select Eliminate standing access or Review service principals to repeat the steps above for the other privileged roles and for service principal role assignments. Service principals can't be made eligible; for them the only available action is Remove assignment.

    Screenshot: Additional Insights options to eliminate standing access and review service principals
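The review-and-convert procedure in steps 4 to 9 can also be scripted. The block below is an added example written for this page, not code from the page or from Microsoft. It uses the Microsoft Graph PowerShell SDK (v2) and the PIM role-management endpoints that back the Azure AD roles blade: it lists the permanent Global Administrator assignments, keeps the break-glass accounts permanent, makes every other directly assigned user or group eligible before removing its standing assignment, and only removes service principals, which the page says can't be made eligible. The Global Administrator role template ID is the well-known fixed value; the `$BreakGlass` placeholder UPNs, the `$Apply` switch, and the exact `$filter` expression on `roleAssignmentSchedules` are assumptions made for this example.

```powershell
# Added example (not from the page): convert standing Global Administrator
# assignments to eligible ones with the Microsoft Graph PowerShell SDK (v2).
# Assumptions: the caller holds Privileged Role Administrator, and $BreakGlass
# lists the UPNs of the accounts that must keep a permanent assignment.
#Requires -Modules Microsoft.Graph.Identity.Governance

param(
    [string[]] $BreakGlass = @('breakglass1@contoso.onmicrosoft.com',   # placeholder UPNs
                               'breakglass2@contoso.onmicrosoft.com'),
    [switch]   $Apply                                                   # omit for a dry run
)

# Well-known template ID of the Global Administrator role (identical in every tenant).
$GlobalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory' -NoWelcome

# Step 5: 'Assigned' schedules are admin-created assignments; 'Activated' ones
# are users' own just-in-time activations and are already time-bound.
$schedules = Get-MgRoleManagementDirectoryRoleAssignmentSchedule `
    -Filter "roleDefinitionId eq '$GlobalAdminRoleId' and assignmentType eq 'Assigned'" `
    -ExpandProperty principal -All

foreach ($s in $schedules) {
    # Only permanent assignments are in scope; a time-bound one expires on its own.
    if ($s.ScheduleInfo.Expiration.Type -ne 'noExpiration') { continue }
    # Membership inherited through a group is changed on the group, not here.
    if ($s.MemberType -ne 'Direct') { continue }

    $type = $s.Principal.AdditionalProperties['@odata.type']   # #microsoft.graph.user / .group / .servicePrincipal
    $name = $s.Principal.AdditionalProperties['userPrincipalName']
    if (-not $name) { $name = $s.Principal.AdditionalProperties['displayName'] }

    if ($type -eq '#microsoft.graph.user' -and $BreakGlass -contains $name) {
        Write-Host "KEEP          $name (break-glass account, stays permanent)"
        continue
    }

    $scope = if ($s.DirectoryScopeId) { $s.DirectoryScopeId } else { '/' }
    $commonBody = @{
        roleDefinitionId = $GlobalAdminRoleId
        directoryScopeId = $scope
        principalId      = $s.PrincipalId
        justification    = 'Discovery and insights: remove standing Global Administrator access'
    }

    if ($type -eq '#microsoft.graph.servicePrincipal') {
        # Step 9: a service principal cannot be made eligible; the only option is removal.
        Write-Host "REMOVE        $name (service principal)"
    } else {
        # Step 6: create the permanent *eligibility* first, so the principal can still
        # activate the role, and only then drop the standing active assignment.
        Write-Host "MAKE ELIGIBLE $name ($type)"
        if ($Apply) {
            New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter ($commonBody + @{
                action       = 'adminAssign'
                scheduleInfo = @{
                    startDateTime = (Get-Date).ToUniversalTime()
                    expiration    = @{ type = 'noExpiration' }
                }
            }) | Out-Null
        }
    }

    if ($Apply) {
        # adminRemove ends the active (standing) assignment through the PIM request API.
        New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter ($commonBody + @{
            action = 'adminRemove'
        }) | Out-Null
    }
}
```

Run the script without `-Apply` first: the output is the same review list the portal shows in step 5, with the action the script would take for each principal. Rerun with `-Apply` to make the changes. The eligibility request is submitted before the removal so that a user or group is never left with neither an active nor an eligible assignment, and the break-glass check is deliberately a plain allow-list rather than a heuristic, so that a typo in a UPN shows up in the dry run instead of silently converting an emergency account.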

后续步骤Next steps