License requirements to use Privileged Identity Management

To use Azure Active Directory (Azure AD) Privileged Identity Management (PIM), a directory must have a valid license. Furthermore, licenses must be assigned to the administrators and the relevant users. This article describes the license requirements to use Privileged Identity Management.

Valid licenses

Using this feature requires an Azure AD Premium P2 license. To find the right license for your requirements, see Comparing generally available features of the Free, Office 365 Apps, and Premium editions.

Licenses you must have

Ensure that your directory has at least as many Azure AD Premium P2 licenses as you have employees who will be performing any of the following tasks (a user who performs more than one of them needs only one license):

  • Users assigned as eligible to Azure AD or Azure roles managed using PIM
  • Users assigned as eligible members or owners of privileged access groups
  • Users able to approve or reject activation requests in PIM
  • Users assigned to an access review
  • Users who perform access reviews

Azure AD Premium P2 licenses are not required for the following tasks:

  • No licenses are required for users who only set up PIM, configure policies, receive alerts, and set up access reviews.

For more information about licenses, see Assign or remove licenses using the Azure Active Directory portal.

Example license scenarios

Here are some example license scenarios to help you determine the number of licenses you must have. Licenses are counted per user, so the totals below assume the approvers and reviewers are different people from the eligible administrators; an approver who is also eligible would be counted once.

Scenario: Woodgrove Bank has 10 administrators for different departments and 2 Global Administrators who configure and manage PIM. They make five administrators eligible.
Calculation: five licenses for the administrators who are eligible (the two Global Administrators who only configure PIM need none).
Number of licenses: 5

Scenario: Graphic Design Institute has 25 administrators, of which 14 are managed through PIM. Role activation requires approval, and there are three different users in the organization who can approve activations.
Calculation: 14 licenses for the eligible administrators + three approvers
Number of licenses: 17

Scenario: Contoso has 50 administrators, of which 42 are managed through PIM. Role activation requires approval, and there are five different users in the organization who can approve activations. Contoso also does monthly reviews of users assigned to administrator roles; the reviewers are the users' managers, six of whom are not in administrator roles managed by PIM.
Calculation: 42 licenses for the eligible administrators + five approvers + six reviewers
Number of licenses: 53
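The scenarios above are worked by hand; in a real tenant the hard part is knowing who is actually eligible, because eligibility can be granted to a group whose members all inherit the right to activate. The following PowerShell script is an added example, not part of the Microsoft article: it enumerates eligible Azure AD role assignments with the Microsoft Graph PowerShell SDK, expands eligible groups to their user members, adds approvers and reviewers, dedupes by user, and compares the result with the P2 seats the tenant owns. The approver and reviewer object IDs are placeholders you replace with values taken from your PIM role settings and access review definitions; the script assumes the Microsoft.Graph module is installed and that the signed-in account can consent to the listed read scopes. It does not enumerate Azure resource role eligibility or privileged access groups, which use different APIs.

```powershell
# Added example (not from the Microsoft article): estimate how many Azure AD Premium P2
# licenses PIM requires by counting unique users, then compare with P2 seats in the tenant.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph). The approver and reviewer
# IDs below are placeholders, not real object IDs.

Connect-MgGraph -Scopes 'RoleEligibilitySchedule.Read.Directory', 'Directory.Read.All', 'Organization.Read.All'

# 1. Principals eligible for Azure AD roles managed by PIM (users or groups).
$eligible     = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All
$principalIds = @($eligible.PrincipalId | Sort-Object -Unique)

# 2. Resolve each principal. Groups are expanded transitively, because every member of an
#    eligible group can activate the role and therefore needs a license.
#    Get-MgDirectoryObjectById accepts at most 1000 IDs per call; batch if you have more.
$users = New-Object 'System.Collections.Generic.HashSet[string]'
if ($principalIds.Count -gt 0) {
    foreach ($obj in Get-MgDirectoryObjectById -Ids $principalIds) {
        switch ($obj.AdditionalProperties['@odata.type']) {
            '#microsoft.graph.user'  { [void]$users.Add($obj.Id) }
            '#microsoft.graph.group' {
                Get-MgGroupTransitiveMember -GroupId $obj.Id -All |
                    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
                    ForEach-Object { [void]$users.Add($_.Id) }
            }
        }
    }
}
$eligibleCount = $users.Count

# 3. Approvers (from PIM role settings) and access reviewers (from review definitions).
#    Placeholder IDs: replace with your own. Adding to the same set means a user who is
#    both eligible and an approver is counted once, matching the per-user licensing rule.
$approverIds = @('00000000-0000-0000-0000-000000000001')   # placeholder
$reviewerIds = @('00000000-0000-0000-0000-000000000002')   # placeholder
foreach ($id in ($approverIds + $reviewerIds)) { [void]$users.Add($id) }

# 4. P2 seats owned: enabled units of every SKU that carries the AAD_PREMIUM_P2 service plan
#    (standalone Azure AD Premium P2, EMS E5 and Microsoft 365 E5 all include it).
$p2Seats = 0
foreach ($sku in Get-MgSubscribedSku) {
    if (@($sku.ServicePlans.ServicePlanName) -contains 'AAD_PREMIUM_P2') {
        $p2Seats += $sku.PrepaidUnits.Enabled
    }
}

# 5. Report. A positive Shortfall means eligible assignments will be removed when the
#    licenses lapse or are found missing, so fix it before relying on PIM.
[pscustomobject]@{
    EligibleUsers      = $eligibleCount
    ApproversReviewers = $users.Count - $eligibleCount
    LicensesRequired   = $users.Count
    P2SeatsAvailable   = $p2Seats
    Shortfall          = [math]::Max(0, $users.Count - $p2Seats)
}
```

Seat counts come from the tenant's subscribed SKUs, not from per-user assignments, so a tenant can own enough seats while still having unlicensed eligible users; pair this with a check of each counted user's assigned licenses if you need the stricter answer.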

When a license expires

If an Azure AD Premium P2, EMS E5, or trial license expires, Privileged Identity Management features will no longer be available in your directory:

  • Permanent (active) role assignments to Azure AD roles are unaffected.
  • The Privileged Identity Management service in the Azure portal, as well as the Graph API cmdlets and PowerShell interfaces of Privileged Identity Management, will no longer be available for users to activate privileged roles, manage privileged access, or perform access reviews of privileged roles.
  • Eligible role assignments to Azure AD roles will be removed, because users will no longer be able to activate privileged roles.
  • Any ongoing access reviews of Azure AD roles will end, and Privileged Identity Management configuration settings will be removed.
  • Privileged Identity Management will no longer send emails on role assignment changes.

Next steps