Assign scoped roles to an administrative unit

In Azure Active Directory (Azure AD), for more granular administrative control, you can assign users to an Azure AD role with a scope that's limited to one or more administrative units.

To prepare to use PowerShell and Microsoft Graph for administrative unit management, see Get started.

Available roles

Role: Description
Authentication Administrator: Has access to view, set, and reset authentication method information for any non-admin user in the assigned administrative unit only.
Groups Administrator: Can manage all aspects of groups and groups settings, such as naming and expiration policies, in the assigned administrative unit only.
Helpdesk Administrator: Can reset passwords for non-administrators and Helpdesk Administrators in the assigned administrative unit only.
License Administrator: Can assign, remove, and update license assignments within the administrative unit only.
Password Administrator: Can reset passwords for non-administrators and Password Administrators within the assigned administrative unit only.
User Administrator: Can manage all aspects of users and groups, including resetting passwords for limited admins, within the assigned administrative unit only.

Security principals that can be assigned to a scoped role

The following security principals can be assigned to a role with an administrative unit scope:

  • Users
  • Role-assignable cloud groups (preview)
  • Service Principal Name (SPN)

Assign a scoped role

You can assign a scoped role by using the Azure portal, PowerShell, or Microsoft Graph.

Use the Azure portal

  1. In the Azure portal, go to Azure AD.

  2. Select Administrative units, and then select the administrative unit that you want to assign a user role scope to.

  3. On the left pane, select Roles and administrators to list all the available roles.

    [Screenshot: the Roles and administrators pane, where you select the administrative unit to assign a role scope to.]

  4. Select the role to be assigned, and then select Add assignments.

  5. On the Add assignments pane, select one or more users to be assigned to the role.

    [Screenshot: select the role to be scoped, and then select Add assignments.]

Note

To assign a role on an administrative unit by using Azure AD Privileged Identity Management (PIM), see Assign Azure AD roles in PIM.

Use PowerShell

# Look up the user who will be a scoped administrator of this unit (supply their UPN)
$AdminUser = Get-AzureADUser -ObjectId "Use the user's UPN, who would be an admin on this unit"
# Get-AzureADDirectoryRole returns only roles that have already been activated in the tenant
$Role = Get-AzureADDirectoryRole | Where-Object -Property DisplayName -EQ -Value "User Account Administrator"
$administrativeUnit = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'The display name of the unit'"
$RoleMember = New-Object -TypeName Microsoft.Open.AzureAD.Model.RoleMemberInfo
$RoleMember.ObjectId = $AdminUser.ObjectId
# The *-AzureADMS* cmdlets expose the unit's identifier as Id (not ObjectId)
Add-AzureADMSScopedRoleMembership -ObjectId $administrativeUnit.Id -RoleObjectId $Role.ObjectId -RoleMemberInfo $RoleMember

You can change the placeholder values as required for your specific environment.

Use Microsoft Graph
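Assigning a scoped role idempotently, as an added example that is not part of the original page: it activates the role from its template when the tenant has never used it (otherwise Get-AzureADDirectoryRole returns nothing), skips the add when the user already holds that role on that unit, and otherwise uses the same cmdlets as above. It assumes Connect-AzureAD has already run; the unit, role and user names are placeholders, and the Id property on returned RoleMemberInfo objects is assumed to mirror the id field of the Graph response body.

```powershell
# Added example, not the page's own code. Assumes Connect-AzureAD has already run.
function Add-ScopedRoleIfMissing {
    param(
        [Parameter(Mandatory)] [string] $AdminUnitName,
        [Parameter(Mandatory)] [string] $RoleName,
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )
    $au = Get-AzureADMSAdministrativeUnit -Filter "displayName eq '$AdminUnitName'"
    if (-not $au) { throw "Administrative unit '$AdminUnitName' not found." }

    # Get-AzureADDirectoryRole lists only roles already activated in the tenant.
    # If the role has never been used, activate it from its template first.
    $role = Get-AzureADDirectoryRole | Where-Object DisplayName -EQ $RoleName
    if (-not $role) {
        $template = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -EQ $RoleName
        if (-not $template) { throw "Role '$RoleName' does not exist." }
        $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
    }

    $user = Get-AzureADUser -ObjectId $UserPrincipalName

    # Skip if the user already holds this role scoped to this unit, so re-running
    # the script does not create duplicate assignments (RoleMemberInfo.Id is assumed).
    $existing = Get-AzureADMSScopedRoleMembership -ObjectId $au.Id |
        Where-Object { $_.RoleId -eq $role.ObjectId -and $_.RoleMemberInfo.Id -eq $user.ObjectId }
    if ($existing) {
        Write-Host "$UserPrincipalName already holds '$RoleName' on '$AdminUnitName'."
        return $existing
    }

    $member = New-Object -TypeName Microsoft.Open.AzureAD.Model.RoleMemberInfo
    $member.ObjectId = $user.ObjectId
    Add-AzureADMSScopedRoleMembership -ObjectId $au.Id -RoleObjectId $role.ObjectId -RoleMemberInfo $member
}

# Placeholder names; replace with values from your tenant.
Add-ScopedRoleIfMissing -AdminUnitName 'Seattle Admin Unit' -RoleName 'User Administrator' -UserPrincipalName 'alice@contoso.com'
```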

HTTP request
POST /directory/administrativeUnits/{id}/scopedRoleMembers

Request body
{
  "roleId": "roleId-value",
  "roleMemberInfo": {
    "id": "id-value"
  }
}

View a list of the scoped admins in an administrative unit

You can view a list of scoped admins by using the Azure portal, PowerShell, or Microsoft Graph.

Use the Azure portal

You can view all the role assignments created with an administrative unit scope in the Administrative units section of Azure AD.

  1. In the Azure portal, go to Azure AD.

  2. In the left pane, select Administrative units, and then select the administrative unit whose role assignments you want to view.

  3. Select Roles and administrators, and then open a role to view the assignments in the administrative unit.

Use PowerShell

$administrativeUnit = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'The display name of the unit'"
# The *-AzureADMS* cmdlets expose the unit's identifier as Id (not ObjectId); fl * shows every property of each membership
Get-AzureADMSScopedRoleMembership -ObjectId $administrativeUnit.Id | fl *

You can change the placeholder values as required for your specific environment.

Use Microsoft Graph
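A tenant-wide review of who holds which scoped role on which unit, as an added example that is not part of the original page; it resolves role ids to names and flags members that are not users (role-assignable groups or service principals), which a per-unit view makes easy to miss. It assumes Connect-AzureAD has already run and that returned memberships expose RoleMemberInfo.Id, DisplayName and UserPrincipalName, mirroring the Graph response.

```powershell
# Added example, not the page's own code. Assumes Connect-AzureAD has already run.
function Get-ScopedRoleReport {
    # Build a role-id -> display-name lookup once rather than querying per assignment
    $roleNames = @{}
    Get-AzureADDirectoryRole | ForEach-Object { $roleNames[$_.ObjectId] = $_.DisplayName }

    foreach ($au in Get-AzureADMSAdministrativeUnit -All $true) {
        foreach ($m in Get-AzureADMSScopedRoleMembership -ObjectId $au.Id) {
            $member = $m.RoleMemberInfo
            # Only users carry a UPN; groups and service principals are reported by display name
            $isUser = [bool]$member.UserPrincipalName
            $name = if ($isUser) { $member.UserPrincipalName } else { $member.DisplayName }
            [pscustomobject]@{
                AdministrativeUnit = $au.DisplayName
                Role               = $roleNames[$m.RoleId]
                Member             = $name
                MemberId           = $member.Id
                IsUser             = $isUser
                MembershipId       = $m.Id   # needed to remove the assignment later
            }
        }
    }
}

$report = Get-ScopedRoleReport
$report | Sort-Object AdministrativeUnit, Role | Format-Table -AutoSize

# Non-user principals holding scoped admin rights deserve a closer look
$report | Where-Object { -not $_.IsUser } | Format-Table AdministrativeUnit, Role, Member

# To remove an assignment that is no longer needed, pass the unit id and membership id from the report:
# Remove-AzureADMSScopedRoleMembership -ObjectId '<unit id>' -ScopedRoleMembershipId '<MembershipId>'
```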

HTTP request
GET /directory/administrativeUnits/{id}/scopedRoleMembers

Request body
{}

Next steps