Manage administrative units in Azure Active Directory

For more granular administrative control in Azure Active Directory (Azure AD), you can assign users to an Azure AD role with a scope that's limited to one or more administrative units.

Get started

  1. To run queries from the following instructions via Graph Explorer, do the following:

    a. In the Azure portal, go to Azure AD.

    b. In the applications list, select Graph explorer.

    c. On the Permissions pane, select Grant admin consent for Graph explorer.

    Screenshot showing the "Grant admin consent for Graph explorer" link.

  2. Use the preview version of Azure AD PowerShell.

Add an administrative unit

You can add an administrative unit by using either the Azure portal or PowerShell.

Use the Azure portal

  1. In the Azure portal, go to Azure AD. Then, on the left pane, select Administrative units.

    Screenshot of the "Administrative units" link in Azure AD.

  2. Select the Add button at the upper part of the pane, and then, in the Name box, enter the name of the administrative unit. Optionally, add a description of the administrative unit.

    Screenshot showing the Add button and the Name box for entering the name of the administrative unit.

  3. Select the blue Add button to finalize the administrative unit.

Use PowerShell

Install Azure AD PowerShell (preview) before you try to run the following commands:

Connect-AzureAD -AzureEnvironmentName AzureChinaCloud
New-AzureADMSAdministrativeUnit -Description "Coast region" -DisplayName "Coast"

You can modify the values that are enclosed in quotation marks, as required.

Use Microsoft Graph

HTTP request
POST /administrativeUnits
Request body
{
  "displayName": "China North Operations",
  "description": "China North Operations administration"
}

Remove an administrative unit

In Azure AD, you can remove an administrative unit that you no longer need as a unit of scope for administrative roles.

Use the Azure portal

  1. In the Azure portal, go to Azure AD, and then select Administrative units.
  2. Select the administrative unit to be deleted, and then select Delete.
  3. To confirm that you want to delete the administrative unit, select Yes. The administrative unit is deleted.

Screenshot of the Delete button and confirmation window for an administrative unit.

Use PowerShell

$delau = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'DeleteMe Admin Unit'"
Remove-AzureADMSAdministrativeUnit -ObjectId $delau.ObjectId

You can modify the values that are enclosed in quotation marks, as required for the specific environment.

Use the Graph API

HTTP request
DELETE /administrativeUnits/{Admin id}
Request body
{}
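
The removal flow above as an added example (not code from the original page): it looks up a unit by display name, refuses to act unless exactly one unit matches, and only then issues `DELETE /administrativeUnits/{id}`. The `send` transport callable, the `FakeGraph` stand-in and the sample ids are assumptions made for the example, and the `GET /administrativeUnits?$filter=...` lookup mirrors the PowerShell `-Filter` rather than a request shown on this page.

```python
from urllib.parse import quote, unquote

def odata_string(value):
    """Quote an OData string literal; a single quote is escaped by doubling it."""
    return "'" + value.replace("'", "''") + "'"

def find_admin_unit(send, display_name):
    """Return the single unit with exactly this displayName, else raise LookupError."""
    flt = "displayName eq " + odata_string(display_name)
    reply = send("GET", "/administrativeUnits?$filter=" + quote(flt, safe=""))
    # Exact, case-sensitive re-check on the client before anything is deleted.
    hits = [u for u in reply.get("value", []) if u.get("displayName") == display_name]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} units named {display_name!r}; nothing deleted")
    return hits[0]

def delete_admin_unit(send, display_name):
    """Resolve the unit by name, then issue DELETE /administrativeUnits/{id}."""
    unit = find_admin_unit(send, display_name)
    send("DELETE", "/administrativeUnits/" + quote(unit["id"], safe=""))
    return unit["id"]

class FakeGraph:
    """Constructed in-memory stand-in for the Graph endpoint (runs offline)."""
    def __init__(self, units):
        self.units, self.calls = list(units), []

    def __call__(self, method, path):
        self.calls.append((method, path))
        if method == "GET":
            flt = unquote(path.split("$filter=", 1)[1])
            name = flt[len("displayName eq '"):-1].replace("''", "'")
            return {"value": [u for u in self.units if u["displayName"] == name]}
        if method == "DELETE":
            au_id = unquote(path.rsplit("/", 1)[1])
            self.units = [u for u in self.units if u["id"] != au_id]
            return {}
        raise ValueError(method)

# Constructed sample directory: ids and names are made up for the example.
SAMPLE_UNITS = [
    {"id": "au-0001", "displayName": "DeleteMe Admin Unit"},
    {"id": "au-0002", "displayName": "Ops' Unit"},
    {"id": "au-0003", "displayName": "Duplicate"},
    {"id": "au-0004", "displayName": "Duplicate"},
]

if __name__ == "__main__":
    print(delete_admin_unit(FakeGraph(SAMPLE_UNITS), "DeleteMe Admin Unit"))
```

In real use, `send` would wrap an authenticated HTTP client pointed at the tenant's Graph endpoint.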
