Add and manage groups in an administrative unit in Azure Active Directory

In Azure Active Directory (Azure AD), you can add groups to an administrative unit for a more granular administrative scope of control.

To prepare to use PowerShell and Microsoft Graph for administrative unit management, see Get started.

Add groups to an administrative unit

You can add groups to an administrative unit by using the Azure portal, PowerShell, or Microsoft Graph.

Use the Azure portal

You can assign only individual groups to an administrative unit. There is no option to assign groups as a bulk operation. In the Azure portal, you can assign a group to an administrative unit in either of two ways:

  • From the Groups pane:

    1. In the Azure portal, go to Azure AD.

    2. Select Groups, and then select the group that you want to assign to the administrative unit.

    3. On the left pane, select Administrative units to display a list of the administrative units that the group is assigned to.

      Screenshot of the "Assign to administrative unit" link on the "Administrative units" pane.

    4. Select Assign to administrative unit.

    5. On the right pane, select the administrative unit.

  • From the Administrative units > All Groups pane:

    1. In the Azure portal, go to Azure AD.

    2. On the left pane, select Administrative units, and then select All Groups. Any groups that are already assigned to the administrative unit are displayed on the right pane.

    3. On the Groups pane, select Add. The right pane lists all available groups in your Azure AD organization.

      Screenshot of the "Add" button for adding a group to an administrative unit.

    4. Select one or more groups to be assigned to the administrative unit, and then select the Select button.

Use PowerShell

In the following example, use the Add-AzureADMSAdministrativeUnitMember cmdlet to add the group to the administrative unit. The object ID of the administrative unit and the object ID of the group to be added are taken as arguments. Change the highlighted section as required for your specific environment.

# Look up the administrative unit and the group by display name
$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
$GroupObj = Get-AzureADGroup -Filter "displayname eq 'TestGroup'"
# Add the group to the administrative unit by object ID
Add-AzureADMSAdministrativeUnitMember -ObjectId $adminUnitObj.ObjectId -RefObjectId $GroupObj.ObjectId
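
A display-name filter can match more than one object, and adding the wrong group to an administrative unit widens what its scoped administrators control. The following added example (not part of the original page) adds several groups to one unit, refuses ambiguous name matches, and skips groups that are already members. It assumes an existing Connect-AzureAD session and the same module version as the page (the -ObjectId parameter and .ObjectId property); the display names are placeholders.

```powershell
# Added example: guarded add of several groups to one administrative unit.
# Assumption: Connect-AzureAD has already been run in this session.
$auName     = 'Test administrative unit 2'      # placeholder display name
$groupNames = @('TestGroup', 'TestGroup2')      # constructed sample names

# Require exactly one administrative unit with this display name
$au = @(Get-AzureADMSAdministrativeUnit -Filter "displayname eq '$auName'")
if ($au.Count -ne 1) {
    throw "Expected exactly one administrative unit named '$auName', found $($au.Count)."
}
$auId = $au[0].ObjectId

# Object IDs of the current members, so existing members are skipped
$existing = @(Get-AzureADMSAdministrativeUnitMember -ObjectId $auId |
    ForEach-Object { $_.ObjectId })

foreach ($name in $groupNames) {
    $group = @(Get-AzureADGroup -Filter "displayname eq '$name'")
    if ($group.Count -ne 1) {
        # Zero or several matches: do not guess which group was meant
        Write-Warning "Skipping '$name': matched $($group.Count) groups."
        continue
    }
    $groupId = $group[0].ObjectId
    if ($existing -contains $groupId) {
        Write-Output "'$name' ($groupId) is already a member."
        continue
    }
    try {
        Add-AzureADMSAdministrativeUnitMember -ObjectId $auId -RefObjectId $groupId
        Write-Output "Added '$name' ($groupId)."
    }
    catch {
        Write-Warning "Could not add '$name' ($groupId): $($_.Exception.Message)"
    }
}
```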

Use Microsoft Graph

Run the following commands:

HTTP request
POST /directory/administrativeUnits/{Admin Unit id}/members/$ref

Request body
{
"@odata.id":"https://microsoftgraph.chinacloudapi.cn/v1.0/groups/{id}"
}

Example:

{
"@odata.id":"https://microsoftgraph.chinacloudapi.cn/v1.0/groups/871d21ab-6b4e-4d56-b257-ba27827628f3"
}

View a list of groups in an administrative unit

Use the Azure portal

  1. In the Azure portal, go to Azure AD.

  2. On the left pane, select Administrative units, and then select the administrative unit whose groups you want to view. By default, All users is selected on the left pane.

  3. On the left pane, select Groups. The right pane displays a list of groups that are members of the selected administrative unit.

    Screenshot of the "Groups" pane, showing the list of groups in an administrative unit.

Use PowerShell

To display a list of all the members of the administrative unit, run the following command:

$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
Get-AzureADMSAdministrativeUnitMember -ObjectId $adminUnitObj.ObjectId

To display all the groups that are members of the administrative unit, use the following code snippet:

# Members can be users or groups; keep only the groups
foreach ($member in (Get-AzureADMSAdministrativeUnitMember -ObjectId $adminUnitObj.ObjectId))
{
    if ($member.ObjectType -eq "Group")
    {
        Get-AzureADGroup -ObjectId $member.ObjectId
    }
}

Use Microsoft Graph

Run the following command:

HTTP request
GET /directory/administrativeUnits/{Admin id}/members/$/microsoft.graph.group
Request body
{}

View a list of administrative units for a group

Use the Azure portal

  1. In the Azure portal, go to Azure AD.

  2. On the left pane, select Groups to display a list of groups.

  3. Select a group to open the group's profile.

  4. On the left pane, select Administrative units to list all the administrative units where the group is a member.

    Screenshot of the "Administrative units" pane, showing the list of administrative units that the group is assigned to.

Use PowerShell

Run the following command:

Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -ObjectId $_.ObjectId | where {$_.ObjectId -eq $groupObjId} }

Use Microsoft Graph

Run the following command:

GET https://microsoftgraph.chinacloudapi.cn/v1.0/groups/<group-id>/memberOf/$/Microsoft.Graph.AdministrativeUnit

Remove a group from an administrative unit

Use the Azure portal

You can remove a group from an administrative unit in the Azure portal in either of two ways:

  • Remove it from a group overview:

    1. In the Azure portal, go to Azure AD.

    2. On the left pane, select Groups, and then open the profile for the group you want to remove from an administrative unit.

    3. On the left pane, select Administrative units to list all the administrative units that the group is assigned to.

    4. Select the administrative unit that you want to remove the group from, and then select Remove from administrative unit.

      Screenshot of the "Administrative units" pane, showing the list of groups assigned to the selected administrative unit.

  • Remove it from an administrative unit:

    1. In the Azure portal, go to Azure AD.
    2. On the left pane, select Administrative units, and then select the administrative unit that the group is assigned to.
    3. On the left pane, select Groups to list all the groups that are assigned to the administrative unit.
    4. Select the group that you want to remove, and then select Remove groups.

    Screenshot of the "Groups" pane, showing the list of groups in an administrative unit.

Use PowerShell

Run the following command:

Remove-AzureADMSAdministrativeUnitMember -ObjectId $auId -MemberId $memberGroupObjId

Use Microsoft Graph

Run the following command:

DELETE https://microsoftgraph.chinacloudapi.cn/v1.0/directory/AdministrativeUnits/<adminunit-id>/members/<group-id>/$ref
