Add and manage users in an administrative unit in Azure Active Directory

In Azure Active Directory (Azure AD), you can add users to an administrative unit for a more granular administrative scope of control.

To prepare to use PowerShell and Microsoft Graph for administrative unit management, see Get started.

Add users to an administrative unit

Use the Azure portal

You can assign users to administrative units individually or as a bulk operation.

  • Assign individual users from a user profile:

    1. Sign in to the Azure portal with Privileged Role Administrator permissions.

    2. Select Users and then, to open the user's profile, select the user to be assigned to an administrative unit.

    3. Select Administrative units.

    4. To assign the user to one or more administrative units, select Assign to administrative unit and then, on the right pane, select the administrative units to which you want to assign the user.

      Screenshot of the "Administrative units" pane for assigning a user to an administrative unit.

  • Assign individual users from an administrative unit:

    1. Sign in to the Azure portal with Privileged Role Administrator permissions.

    2. Select Administrative units, and then select the administrative unit where the user is to be assigned.

    3. Select All users, select Add member and then, on the Add member pane, select one or more users that you want to assign to the administrative unit.

      Screenshot of the administrative unit "Users" pane for assigning a user to an administrative unit.

  • Assign users as a bulk operation:

    1. Sign in to the Azure AD admin center with Privileged Role Administrator permissions.

    2. Select Administrative units.

    3. Select the administrative unit to which you want to add users.

    4. Select Users > Bulk activities > Bulk add members. You can then download the comma-separated values (CSV) template and edit the file. The format is simple and needs a single user principal name to be added on each line. After the file is ready, save it to an appropriate location, and then upload it as part of this step.

      Screenshot of the "Users" pane for assigning users to an administrative unit as a bulk operation.

Use PowerShell

In PowerShell, use the Add-AzureADMSAdministrativeUnitMember cmdlet in the following example to add the user to the administrative unit. The object ID of the administrative unit to which you want to add the user and the object ID of the user you want to add are taken as arguments. Change the values in the example as required for your specific environment.

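# Look up the administrative unit by display name and the user by UPN
$administrativeunitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
$UserObj = Get-AzureADUser -Filter "UserPrincipalName eq 'billjohn@fabidentity.partner.onmschina.cn'"
# Objects returned by the AzureADMS cmdlets expose the object ID as .Id; Get-AzureADUser exposes it as .ObjectId
Add-AzureADMSAdministrativeUnitMember -Id $administrativeunitObj.Id -RefObjectId $UserObj.ObjectId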
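
The single-user example above, extended to a list of UPNs (the scripted counterpart of the portal's bulk add). This is an added example, not Microsoft's code; it assumes Connect-AzureAD has already been run, and the file name `upns.txt` and the variables `$AuName` and `$UpnFile` are hypothetical.

```powershell
# Added example: bulk-add users to an administrative unit from a list of UPNs.
$AuName  = 'Test administrative unit 2'
$UpnFile = '.\upns.txt'   # constructed input file: one UPN per line

# Refuse to continue unless the display name resolves to exactly one unit.
$auFilter = "displayname eq '$($AuName.Replace("'", "''"))'"
$au = @(Get-AzureADMSAdministrativeUnit -Filter $auFilter)
if ($au.Count -ne 1) { throw "Expected one administrative unit named '$AuName', found $($au.Count)." }
$au = $au[0]

# Index current members so users already in the unit are skipped instead of failing.
$existing = @{}
Get-AzureADMSAdministrativeUnitMember -Id $au.Id -All $true |
    ForEach-Object { $existing[$_.Id] = $true }

$upns = Get-Content $UpnFile | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$results = foreach ($upn in $upns) {
    $status = 'Added'
    try {
        $safeUpn = $upn.Replace("'", "''")   # escape quotes for the OData filter
        $user = Get-AzureADUser -Filter "UserPrincipalName eq '$safeUpn'"
        if (-not $user) {
            $status = 'NotFound'
        } elseif ($existing.ContainsKey($user.ObjectId)) {
            $status = 'AlreadyMember'
        } else {
            Add-AzureADMSAdministrativeUnitMember -Id $au.Id -RefObjectId $user.ObjectId -ErrorAction Stop
            $existing[$user.ObjectId] = $true
        }
    } catch {
        $status = "Failed: $($_.Exception.Message)"
    }
    # One result row per input line, so the run can be reviewed afterwards.
    [pscustomobject]@{ UserPrincipalName = $upn; Status = $status }
}
$results | Format-Table -AutoSize
```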

Use Microsoft Graph

Replace the placeholder with test information and run the following command:

HTTP request
POST /administrativeUnits/{Admin Unit id}/members/$ref
Request body
{
  "@odata.id":"https://microsoftgraph.chinacloudapi.cn/v1.0/users/{id}"
}

Example:

{
  "@odata.id":"https://microsoftgraph.chinacloudapi.cn/v1.0/users/johndoe@fabidentity.com"
}

View a list of administrative units for a user

Use the Azure portal

In the Azure portal, you can open a user's profile by doing the following:

  1. Go to Azure AD, and then select Users.

  2. Select the user whose profile you want to view.

  3. Select Administrative units to display the list of administrative units to which the user has been assigned.

    Screenshot of the administrative units to which the user has been assigned.

Use PowerShell

Run the following command:

# $userObjId holds the object ID of the user; -All $true avoids missing members beyond the first 100
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id -All $true | where {$_.Id -eq $userObjId} }

Note

By default, Get-AzureADAdministrativeUnitMember returns only 100 members of an administrative unit. To retrieve more members, you can add "-All $true".
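
Because membership of an administrative unit defines what a scoped administrator can manage, it is worth checking it against an approved list, and the 100-member default matters here. The following is an added example, not Microsoft's code; it assumes Connect-AzureAD has been run, and `$auId` and `approved-upns.txt` are placeholders.

```powershell
# Added example: detect drift between a unit's user members and an approved list.
$auId     = '<administrative-unit-object-id>'   # placeholder
$approved = @(Get-Content '.\approved-upns.txt' |   # constructed input: one UPN per line
    ForEach-Object { $_.Trim().ToLower() } | Where-Object { $_ })

# -All $true is required; without it only the first 100 members are returned
# and the comparison below would report false "missing" users.
$actual = @(Get-AzureADMSAdministrativeUnitMember -Id $auId -All $true | ForEach-Object {
    try {
        (Get-AzureADUser -ObjectId $_.Id -ErrorAction Stop).UserPrincipalName.ToLower()
    } catch {
        # Assumption: a failed lookup means the member is not a user (for example a group).
        Write-Verbose "Skipping non-user or unresolved member $($_.Exception.Message)"
    }
})

# Users in the unit who are not on the approved list, and approved users not in the unit.
$unexpected = @($actual   | Where-Object { $approved -notcontains $_ })
$missing    = @($approved | Where-Object { $actual   -notcontains $_ })

[pscustomobject]@{
    MemberCount = $actual.Count
    Unexpected  = $unexpected
    Missing     = $missing
}
```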

Use Microsoft Graph

Replace the placeholder with test information and run the following command:

GET https://microsoftgraph.chinacloudapi.cn/v1.0/users/{id}/memberOf/$/Microsoft.Graph.AdministrativeUnit

Remove a single user from an administrative unit

Use the Azure portal

You can remove a user from an administrative unit in either of two ways:

  • In the Azure portal, go to Azure AD, and then select Users.

    1. Select the user to open the user's profile.

    2. Select the administrative unit you want to remove the user from, and then select Remove from administrative unit.

      Screenshot showing how to remove a user from an administrative unit from the user profile pane.

  • In the Azure portal, go to Azure AD, and then select Administrative units.

    1. Select the administrative unit you want to remove the user from.

    2. Select the user, and then select Remove member.

      Screenshot showing how to remove a user at the administrative unit level.

Use PowerShell

Run the following command:

Remove-AzureADMSAdministrativeUnitMember -Id $auId -MemberId $memberUserObjId

Use Microsoft Graph

Replace the placeholders with test information and run the following command:

DELETE https://microsoftgraph.chinacloudapi.cn/v1.0/directory/administrativeUnits/{adminunit-id}/members/{user-id}/$ref

Remove multiple users as a bulk operation

To remove multiple users from an administrative unit, do the following:

  1. In the Azure portal, go to Azure AD.

  2. Select Administrative units, and then select the administrative unit you want to remove users from.

  3. Select Bulk remove members, and then download the CSV template you'll use to list the users you want to remove.

    Screenshot showing the "Bulk remove members" link on the "Users" pane.

  4. Edit the downloaded CSV template with the relevant user entries. Don't remove the first two rows of the template. Add one user principal name (UPN) in each row.

    Screenshot of an edited CSV file for removing users from an administrative unit in bulk.

  5. Save your changes, upload the file, and then select Submit.

Next steps