Azure AD administrative units: Troubleshooting and FAQ

For more granular administrative control in Azure Active Directory (Azure AD), you can assign users to an Azure AD role with a scope that is limited to one or more administrative units.

Frequently asked questions

Q: Why am I unable to create an administrative unit?

A: Only a Global Administrator or Privileged Role Administrator can create an administrative unit in Azure AD. Check that the user who is trying to create the administrative unit is assigned either the Global Administrator or the Privileged Role Administrator role.

Q: I added a group to an administrative unit. Why are the group members still not showing up there?

A: Adding a group to an administrative unit does not add the group's members to that administrative unit. Users must be assigned to the administrative unit directly.

Q: I just added (or removed) a member of the administrative unit. Why is the member not showing up (or still showing up) in the user interface?

A: Adding or removing one or more members of an administrative unit can take a few minutes to be reflected on the Administrative units pane. Alternatively, go directly to the properties of the affected resource and check whether the change has been applied. For more information about users and groups in administrative units, see View a list of administrative units for a user and View a list of administrative units for a group.

Q: I am a delegated password administrator on an administrative unit. Why am I unable to reset a specific user's password?

A: As an administrator of an administrative unit, you can reset passwords only for users who are assigned to your administrative unit. Make sure that the user whose password reset is failing belongs to the administrative unit to which you have been assigned. If the user belongs to the same administrative unit but you still cannot reset the password, check the roles that are assigned to that user.

To prevent elevation of privilege, an administrator whose role is scoped to an administrative unit cannot reset the password of a user who holds a role with an organization-wide scope.
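The two conditions above (direct membership of the unit, and no organization-wide role on the target user) can be checked before opening a support case. The following script is an added example, not part of the original article; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) and a signed-in account permitted to read administrative unit membership and role assignments, and the user principal name and administrative unit ID are placeholders you supply.

```powershell
# Added diagnostic example (not from the original article).
# Assumes the Microsoft.Graph PowerShell SDK; $UserPrincipalName and
# $AdministrativeUnitId are placeholders supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [Parameter(Mandatory)] [string] $AdministrativeUnitId
)

Connect-MgGraph -Scopes 'User.Read.All', 'AdministrativeUnit.Read.All',
                        'RoleManagement.Read.Directory' | Out-Null

$user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName

# Check 1: the user must be a DIRECT member of the administrative unit.
# Being a member of a group that was added to the unit does not count.
$directMembers  = Get-MgDirectoryAdministrativeUnitMember `
                      -AdministrativeUnitId $AdministrativeUnitId -All
$isDirectMember = $directMembers.Id -contains $user.Id

# Check 2: the target user must not hold an organization-wide role.
# Organization-wide (active) assignments have directoryScopeId "/";
# unit-scoped ones look like "/administrativeUnits/<id>".
# Note: roles inherited through role-assignable groups or PIM-eligible
# assignments are not covered by this direct-assignment query.
$assignments  = Get-MgRoleManagementDirectoryRoleAssignment `
                    -Filter "principalId eq '$($user.Id)'" -All
$orgWideRoles = foreach ($a in ($assignments | Where-Object DirectoryScopeId -eq '/')) {
    (Get-MgRoleManagementDirectoryRoleDefinition `
        -UnifiedRoleDefinitionId $a.RoleDefinitionId).DisplayName
}

# Summary: a unit-scoped password administrator can reset the password
# only when both checks pass.
[pscustomobject]@{
    User               = $user.UserPrincipalName
    DirectMemberOfAU   = $isDirectMember
    OrgWideRoles       = ($orgWideRoles -join ', ')
    ResetShouldSucceed = $isDirectMember -and -not $orgWideRoles
}
```

Save the script as a .ps1 file and run it as `.\Test-AuReset.ps1 -UserPrincipalName <upn> -AdministrativeUnitId <au-object-id>`; a `ResetShouldSucceed` of `False` with a non-empty `OrgWideRoles` column is the elevation-of-privilege protection described above, not a membership problem.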

Q: Why are administrative units necessary? Couldn't security groups have been used as the way to define a scope?

A: Security groups already have a purpose and an authorization model. A User Administrator, for example, can manage the membership of all security groups in the Azure AD organization, and that role might use groups to manage access to applications such as Salesforce. A User Administrator should not be able to manage the delegation model itself, which is what would happen if security groups were extended to support "resource grouping" scenarios.

Administrative units, like organizational units in Windows Server Active Directory, are intended to provide a way to scope the administration of a wide range of directory objects. Security groups can themselves be members of a resource scope, so using security groups to define the set of security groups that an administrator can manage would quickly become confusing.

Q: What does it mean to add a group to an administrative unit?

A: Adding a group to an administrative unit brings the group object itself into the management scope of any User Administrator who is also scoped to that administrative unit. User Administrators for the administrative unit can manage the name and membership of the group itself. It does not grant the User Administrator permission to manage the users in the group (for example, to reset their passwords). To grant the User Administrator the ability to manage those users, the users must be direct members of the administrative unit.

Q: Can a resource (user or group) be a member of more than one administrative unit?

A: Yes, a resource can be a member of more than one administrative unit. The resource can then be managed by every administrator who has permissions over it, whether that administrator's role is scoped organization-wide or to one of those administrative units.

Q: Are administrative units available in B2C organizations?

A: No, administrative units are not available for B2C organizations.

Q: Are nested administrative units supported?

A: No, nested administrative units are not supported.

Q: Are administrative units supported in PowerShell and the Graph API?

A: Yes. You will find support for administrative units in the PowerShell cmdlet documentation.

Support for the administrativeUnit resource type is documented in Microsoft Graph.
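The following added example (not from the original article) shows the end-to-end pattern the FAQ describes, using the Microsoft Graph PowerShell SDK against the administrativeUnit resource type: create a unit, add users as direct members, and delegate the built-in Password Administrator role scoped to that unit only. It assumes a Global Administrator or Privileged Role Administrator is signed in; the display names and user principal names are placeholders.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph
# PowerShell SDK. All names and UPNs below are placeholders.
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All',
                        'RoleManagement.ReadWrite.Directory', 'User.Read.All' | Out-Null

# 1. Create the administrative unit (only GA / Privileged Role Admin can do this).
$au = New-MgDirectoryAdministrativeUnit -DisplayName 'Seattle Helpdesk Scope' `
          -Description 'Users whose passwords the Seattle helpdesk may reset'

# 2. Add users as DIRECT members. Adding a group here would put only the
#    group object in scope, not its members (see the FAQ above).
$upns = 'alice@contoso.example', 'bob@contoso.example'   # placeholders
foreach ($upn in $upns) {
    $u = Get-MgUser -UserId $upn -Property Id
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($u.Id)" }
}

# 3. Resolve the built-in role by display name instead of hard-coding its ID.
$roleDef  = Get-MgRoleManagementDirectoryRoleDefinition `
                -Filter "displayName eq 'Password Administrator'"
$delegate = Get-MgUser -UserId 'helpdesk-lead@contoso.example' -Property Id   # placeholder

# 4. The directoryScopeId is what confines the role to this unit.
#    A value of "/" would make the same assignment organization-wide.
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $roleDef.Id `
    -PrincipalId $delegate.Id -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# 5. Verify: every assignment scoped to this unit, for review or audit.
Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "directoryScopeId eq '/administrativeUnits/$($au.Id)'" |
    Select-Object PrincipalId, RoleDefinitionId, DirectoryScopeId
```

The same operations map one-to-one onto Microsoft Graph REST calls (POST /directory/administrativeUnits, POST /directory/administrativeUnits/{id}/members/$ref, and POST /roleManagement/directory/roleAssignments with the same directoryScopeId value).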

Next steps