Understand roles in Azure Active Directory

There are about 60 Azure Active Directory (Azure AD) built-in roles, which are roles with a fixed set of role permissions. To supplement the built-in roles, Azure AD also supports custom roles. Use custom roles to select only the role permissions that you need. For example, you could create a custom role to manage particular Azure AD resources, such as applications or service principals.

This article explains what Azure AD roles are and how they can be used.

How Azure AD roles are different from other Microsoft 365 roles

There are many different services in Microsoft 365, such as Azure AD and Intune. Some of these services have their own role-based access control systems, specifically:

  • Azure AD
  • Exchange
  • Intune
  • Security Center
  • Compliance Center
  • Microsoft Cloud App Security
  • Commerce

Other services such as Teams, SharePoint, and Managed Desktop don't have separate role-based access control systems. They use Azure AD roles for their administrative access. Azure has its own role-based access control system for Azure resources such as virtual machines, and that system is not the same as Azure AD roles.

When we say a separate role-based access control system, we mean that there is a different data store where role definitions and role assignments are stored. Similarly, there is a different policy decision point where access checks happen. For more information, see Roles for Microsoft 365 services in Azure AD and Classic subscription administrator roles, Azure roles, and Azure AD roles.

Why some Azure AD roles are for other services

Microsoft 365 has a number of role-based access control systems that developed independently over time, each with its own service portal. To make it convenient for you to manage identity across Microsoft 365 from the Azure AD portal, we have added some service-specific built-in roles, each of which grants administrative access to a Microsoft 365 service. An example of this addition is the Exchange Administrator role in Azure AD. This role is equivalent to the Organization Management role group in the Exchange role-based access control system, and can manage all aspects of Exchange. Similarly, we added the Intune Administrator, Teams Administrator, SharePoint Administrator, and other roles. Service-specific roles are one of the categories of Azure AD built-in roles described in the following section.

Categories of Azure AD roles

Azure AD built-in roles differ in where they can be used, and fall into the following three broad categories.

  • Azure AD-specific roles: These roles grant permissions to manage resources within Azure AD only. For example, User Administrator, Application Administrator, and Groups Administrator all grant permissions to manage resources that live in Azure AD.
  • Service-specific roles: For major Microsoft 365 services (other than Azure AD), we have built service-specific roles that grant permissions to manage all features within that service. For example, the Exchange Admin, Intune Admin, SharePoint Admin, and Teams Admin roles can manage features within their respective services. Exchange Admin can manage mailboxes, Intune Admin can manage device policies, SharePoint Admin can manage site collections, Teams Admin can manage call quality, and so on.
  • Cross-service roles: Some roles span services. We have two global roles, Global Administrator and Global Reader, and all Microsoft 365 services honor these two roles. There are also security-related roles, such as Security Admin and Security Reader, that grant access across multiple security services within Microsoft 365. For example, using the Security Admin role in Azure AD, you can manage Microsoft 365 Security Center, Microsoft Defender Advanced Threat Protection, and Microsoft Cloud App Security. Similarly, in the Compliance Administrator role you can manage compliance-related settings in Microsoft 365 Compliance Center, Exchange, and so on.

Figure: the three categories of Azure AD built-in roles

The following table is offered as an aid to understanding these role categories. The categories are named arbitrarily and aren't intended to imply any capabilities beyond the documented role permissions.

Category: Azure AD-specific roles
  • Application Administrator
  • Application Developer
  • Authentication Administrator
  • B2C IEF Keyset Administrator
  • B2C IEF Policy Administrator
  • Cloud Application Administrator
  • Cloud Device Administrator
  • Conditional Access Administrator
  • Device Administrators
  • Directory Readers
  • Directory Synchronization Accounts
  • Directory Writers
  • External ID User Flow Administrator
  • External ID User Flow Attribute Administrator
  • External Identity Provider Administrator
  • Groups Administrator
  • Guest Inviter
  • Helpdesk Administrator
  • Hybrid Identity Administrator
  • License Administrator
  • Partner Tier1 Support
  • Partner Tier2 Support
  • Password Administrator
  • Privileged Authentication Administrator
  • Privileged Role Administrator
  • Reports Reader
  • User Account Administrator

Category: Cross-service roles
  • Global Administrator
  • Compliance Administrator
  • Compliance Data Administrator
  • Global Reader
  • Security Administrator
  • Security Operator
  • Security Reader
  • Service Support Administrator

Category: Service-specific roles
  • Azure DevOps Administrator
  • Azure Information Protection Administrator
  • Billing Administrator
  • CRM Service Administrator
  • Customer LockBox Access Approver
  • Desktop Analytics Administrator
  • Exchange Service Administrator
  • Insights Administrator
  • Insights Business Leader
  • Intune Service Administrator
  • Kaizala Administrator
  • Lync Service Administrator
  • Message Center Privacy Reader
  • Message Center Reader
  • Modern Commerce User
  • Network Administrator
  • Office Apps Administrator
  • Power BI Service Administrator
  • Power Platform Administrator
  • Printer Administrator
  • Printer Technician
  • Search Administrator
  • Search Editor
  • SharePoint Service Administrator
  • Teams Communications Administrator
  • Teams Communications Support Engineer
  • Teams Communications Support Specialist
  • Teams Devices Administrator
  • Teams Service Administrator

Next steps