Troubleshoot a problem with Privileged Identity Management

Are you having a problem with Privileged Identity Management (PIM) in Azure Active Directory (Azure AD)? The information that follows can help you get things working again.

Access to Azure resources denied

Problem

As an active Owner or User Access Administrator for an Azure resource, you can see the resource inside Privileged Identity Management but can't perform any actions on it, such as making an eligible assignment or viewing the list of role assignments from the resource overview page. Each of these actions results in an authorization error.

Cause

This problem can happen when the User Access Administrator role for the PIM service principal was accidentally removed from the subscription. For the Privileged Identity Management service to be able to access Azure resources, the MS-PIM service principal should always be assigned the User Access Administrator role over the Azure subscription.

Resolution

Assign the User Access Administrator role to the Privileged Identity Management service principal (MS-PIM) at the subscription level. This assignment allows the Privileged Identity Management service to access the Azure resources. The role can be assigned at the management group level or at the subscription level, depending on your requirements. For more information about service principals, see Assign an application to a role.
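The check and repair described above, as an added Az PowerShell example (not from the original page): it looks up the MS-PIM service principal by display name, verifies whether it already holds User Access Administrator at or above the current subscription, and creates the assignment only if it is missing. It assumes the Az module is installed and that Connect-AzAccount was run by an account permitted to create role assignments at that scope.

```powershell
# Added example: ensure the MS-PIM service principal holds User Access Administrator
# on the current subscription. Assumes the Az module and an authenticated session
# (Connect-AzAccount) with rights to manage role assignments at this scope.

$roleName       = 'User Access Administrator'
$subscriptionId = (Get-AzContext).Subscription.Id
$scope          = "/subscriptions/$subscriptionId"

# The page names the principal as MS-PIM; resolve it by display name and fail loudly if absent.
$sp = Get-AzADServicePrincipal -DisplayName 'MS-PIM'
if (-not $sp) {
    throw "Service principal 'MS-PIM' was not found in this tenant."
}

# With -Scope, Get-AzRoleAssignment also returns assignments inherited from a parent
# management group, so an assignment made at management group level is detected too.
$existing = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope -RoleDefinitionName $roleName

if ($existing) {
    foreach ($ra in $existing) {
        Write-Output "MS-PIM already holds '$roleName' via scope: $($ra.Scope)"
    }
} else {
    Write-Output "MS-PIM is missing '$roleName' on $scope; creating the assignment."
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $roleName -Scope $scope
}
```

If the assignment keeps disappearing, the subscription Activity log records who removed it under the Microsoft.Authorization/roleAssignments/delete operation, which is the place to look before re-creating it.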

Next steps