Delegate administration in Azure Active Directory

With organizational growth comes complexity. One common response is to reduce some of the workload of access management by using Azure Active Directory (AD) admin roles. You can assign users the least privilege they need to access their apps and perform their tasks. Even if you don't assign the Global Administrator role to every application owner, you are still placing application management responsibilities on the existing Global Administrators. There are many reasons for an organization to move toward a more decentralized administration. This article can help you plan for delegation in your organization.

Centralized versus delegated permissions

As an organization grows, it can be difficult to keep track of which users have specific admin roles. If an employee has administrator rights they shouldn't have, your organization can be more susceptible to security breaches. Generally, how many administrators you support and how granular their permissions are depends on the size and complexity of your deployment.

  • In small or proof-of-concept deployments, one or a few administrators do everything; there's no delegation. In this case, create each administrator with the Global Administrator role.
  • In larger deployments with more machines, applications, and desktops, more delegation is needed. Several administrators might have more specific functional responsibilities (roles). For example, some might be Privileged Identity Administrators, and others might be Application Administrators. Additionally, an administrator might manage only certain groups of objects, such as devices.
  • Even larger deployments might require even more granular permissions, plus possibly administrators with unconventional or hybrid roles.

In the Azure AD portal, you can view all the members of any role, which can help you quickly check your deployment and delegate permissions.

If you're interested in delegating access to Azure resources instead of administrative access in Azure AD, see Assign an Azure role.

Delegation planning

It takes work to develop a delegation model that fits your needs. Developing a delegation model is an iterative design process, and we suggest you follow these steps:

  • Define the roles you need
  • Delegate app administration
  • Grant the ability to register applications
  • Delegate app ownership
  • Develop a security plan
  • Establish emergency accounts
  • Secure your administrator roles
  • Make privileged elevation temporary

Define roles

Determine the Active Directory tasks that are carried out by administrators and how they map to roles. You can view detailed role descriptions in the Azure portal.

Each task should be evaluated for frequency, importance, and difficulty. These criteria are vital aspects of task definition because they govern whether a permission should be delegated:

  • Tasks that you do routinely, have limited risk, and are trivial to complete are excellent candidates for delegation.
  • Tasks that you do rarely but that have great impact across the organization and require high skill levels should be considered very carefully before delegating. Instead, you can temporarily elevate an account to the required role or reassign the task.

Delegate app administration

The proliferation of apps within your organization can strain your delegation model. If it places the burden for application access management on the Global Administrator, that model's overhead is likely to increase as time goes on. If you have granted people the Global Administrator role for things like configuring enterprise applications, you can now offload them to the following less-privileged roles. Doing so helps to improve your security posture and reduces the potential for unfortunate mistakes. The most-privileged application administrator roles are:

  • The Application Administrator role, which grants the ability to manage all applications in the directory, including registrations, single sign-on settings, user and group assignments and licensing, Application Proxy settings, and consent. It doesn't grant the ability to manage Conditional Access.
  • The Cloud Application Administrator role, which grants all the abilities of the Application Administrator, except that it doesn't grant access to Application Proxy settings (because it has no on-premises permission).

Delegate app registration

By default, all users can create application registrations. To selectively grant the ability to create application registrations:

  • Set "Users can register applications" to No in User settings
  • Assign the user to the Application Developer role

To selectively grant the ability to consent to an application accessing data:

  • Set "Users can consent to applications accessing company data on their behalf" to No in User settings
  • Assign the user to the Application Developer role

When an Application Developer creates a new application registration, they are automatically added as the first owner.
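The two procedures above, carried out with the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not part of the original article. It assumes the SDK is installed, that the signed-in account may change the tenant authorization policy and role memberships, and that `app-developer@example.com` is a placeholder for the user who should keep the ability to register apps.

```powershell
# Added example (not from the original article): turn off the tenant-wide defaults
# for app registration and user consent, then grant one user the Application
# Developer role so only that user can register apps and consent for them.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "RoleManagement.ReadWrite.Directory", "User.Read.All"

# Placeholder: the user who should keep the ability to register applications.
$developerUpn = "app-developer@example.com"

# Show the current tenant-wide defaults before changing them (weak setting:
# AllowedToCreateApps is $true and a permission-grant policy is assigned).
$policy = Get-MgPolicyAuthorizationPolicy
$policy.DefaultUserRolePermissions | Format-List AllowedToCreateApps, PermissionGrantPoliciesAssigned

# Corrected setting:
#   "Users can register applications" -> No
#   "Users can consent to applications accessing company data on their behalf" -> No
# (an empty list of permission-grant policies means no user consent at all).
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    AllowedToCreateApps             = $false
    PermissionGrantPoliciesAssigned = @()
}

# Built-in roles only appear in Get-MgDirectoryRole once they have been activated,
# so activate Application Developer from its template if it is missing.
$role = Get-MgDirectoryRole | Where-Object DisplayName -eq 'Application Developer'
if (-not $role) {
    $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq 'Application Developer'
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
}

# Add the developer as a member of the role.
$user = Get-MgUser -UserId $developerUpn
New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
}

# Confirm the result.
Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
```

Re-run `Get-MgPolicyAuthorizationPolicy` afterwards to confirm both defaults are now off; users outside the role will no longer see the option to register applications.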

Delegate app ownership

For even finer-grained app access delegation, you can assign ownership to individual enterprise applications. This complements the existing support for assigning application registration owners. Ownership is assigned on a per-enterprise-application basis in the Enterprise Applications blade. The benefit is that owners can manage only the enterprise applications they own. For example, you can assign an owner for the Salesforce application, and that owner can manage access to and configuration for Salesforce, and no other applications. An enterprise application can have many owners, and a user can be the owner of many enterprise applications. There are two app owner roles:

  • The Enterprise Application Owner role grants the ability to manage the enterprise applications that the user owns, including single sign-on settings, user and group assignments, and adding additional owners. It doesn't grant the ability to manage Application Proxy settings or Conditional Access.
  • The Application Registration Owner role grants the ability to manage application registrations for apps that the user owns, including the application manifest and adding additional owners.

Develop a security plan

Azure AD provides an extensive guide to planning and executing a security plan for your Azure AD admin roles: Securing privileged access for hybrid and cloud deployments.

Establish emergency accounts

To maintain access to your identity management store when an issue arises, prepare emergency access accounts according to Create emergency-access administrative accounts.

Secure your administrator roles

Attackers who gain control of privileged accounts can do tremendous damage, so protect these accounts first, using the baseline access policy that is available by default to all Azure AD organizations (in public preview). The policy enforces multi-factor authentication on privileged Azure AD accounts. The following Azure AD roles are covered by the Azure AD baseline policy:

  • Global administrator
  • SharePoint administrator
  • Exchange administrator
  • Conditional Access administrator
  • Security administrator

Elevate privilege temporarily

For most day-to-day activities, not all users need global administrator rights, and not all of them should be permanently assigned to the Global Administrator role. When users need the permissions of a Global Administrator, they should activate the role assignment in Azure AD Privileged Identity Management on either their own account or an alternate administrative account.

Next steps

For a reference to the Azure AD role descriptions, see Assign admin roles in Azure AD.
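A membership review of the five roles listed above, as an added example that is not part of the original article; it pairs with the earlier note that the portal lets you view all members of any role to check your deployment. It assumes the Microsoft Graph PowerShell SDK with read-only scopes, and the member threshold of 5 is an assumed value to adjust for your organization.

```powershell
# Added example (not from the original article): list who holds each role covered by
# the baseline policy, so membership can be reviewed before delegating further.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# The roles named in the article's baseline-policy list, as Graph displays them.
$rolesToReview = @(
    'Global Administrator',
    'SharePoint Administrator',
    'Exchange Administrator',
    'Conditional Access Administrator',
    'Security Administrator'
)
# Assumed threshold: more standing members than this is worth a closer look.
$maxMembers = 5

# Only roles that have been activated at least once are returned here.
$activeRoles = Get-MgDirectoryRole

foreach ($name in $rolesToReview) {
    $role = $activeRoles | Where-Object DisplayName -eq $name
    if (-not $role) {
        Write-Host "$name : never activated in this tenant (no members)"
        continue
    }

    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    # Users carry a userPrincipalName; groups and service principals do not,
    # so report them separately rather than silently dropping them.
    $upns   = @($members | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } | Where-Object { $_ })
    $others = @($members).Count - $upns.Count

    $flag = if ($upns.Count -gt $maxMembers) { ' <-- more standing members than expected' } else { '' }
    Write-Host ("{0}: {1} user(s), {2} non-user member(s){3}" -f $name, $upns.Count, $others, $flag)
    $upns | Sort-Object | ForEach-Object { Write-Host "    $_" }
}
```

Global Administrator should normally contain only the emergency-access accounts plus the few people who cannot be moved to a less-privileged role; everyone else is a candidate for delegation or for time-bound activation through Privileged Identity Management.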