Enterprise application permissions for custom roles in Azure Active Directory

This article contains the currently available enterprise application permissions for custom role definitions in Azure Active Directory (Azure AD). In this article, you'll find permission lists for some common scenarios and the full list of enterprise app permissions. Application Proxy permissions are not currently rolled out in this release.

Required license plan

Using this feature requires an Azure AD Premium P1 license for your Azure AD organization. To find the right license for your requirements, see Comparing generally available features of the Free, Basic, and Premium editions.

Enterprise application permissions

For more information about how to use these permissions, see Assign custom roles to manage enterprise apps.

Assigning users or groups to an application

To delegate the assignment of users and groups that can access SAML-based single sign-on applications. Permissions required:

  • microsoft.directory/servicePrincipals/appRoleAssignedTo/update

To delegate the creation of Azure AD Gallery applications such as ServiceNow, F5, and Salesforce, among others. Permissions required:

  • microsoft.directory/applicationTemplates/instantiate

Configuring basic SAML URLs

To delegate the update and read of basic SAML configurations for SAML-based single sign-on applications. Permissions required:

  • microsoft.directory/servicePrincipals/authentication/update
  • microsoft.directory/applications.myOrganization/authentication/update

Rolling over or creating signing certificates

To delegate the management of signing certificates for SAML-based single sign-on applications. Permissions required:

  • microsoft.directory/applications/credentials/update

Update expiring sign-in certificate notification email address

To delegate the update of the notification email addresses for expiring sign-in certificates of SAML-based single sign-on applications. Permissions required:

  • microsoft.directory/applications.myOrganization/authentication/update
  • microsoft.directory/applications.myOrganization/permissions/update
  • microsoft.directory/servicePrincipals/authentication/update
  • microsoft.directory/servicePrincipals/basic/update

Manage SAML token signature and sign-in algorithm

To delegate the update of the SAML token signature and sign-in algorithm for SAML-based single sign-on applications. Permissions required:

  • microsoft.directory/applicationPolicies/basic/update
  • microsoft.directory/applications/authentication/update
  • microsoft.directory/servicePrincipals/policies/update

Manage user attributes and claims

To delegate the creation, deletion, and update of user attributes and claims for SAML-based single sign-on applications. Permissions required:

  • microsoft.directory/applicationPolicies/basic/update
  • microsoft.directory/applications/authentication/update
  • microsoft.directory/servicePrincipals/policies/update
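The scenario lists above map directly onto the rolePermissions of a custom role definition. The following Python is an added example, not code from the article or from Microsoft: it collects the SAML scenario permission sets exactly as listed above, composes the request body in the shape Microsoft Graph accepts for POST /roleManagement/directory/roleDefinitions (displayName, description, isEnabled, rolePermissions with allowedResourceActions), and flags any allProperties/allTasks action that would turn a task-scoped role into a broad one. The scenario keys and function names are this example's own choices.

```python
"""Compose a least-privilege custom role body from the SAML scenario permission sets.

Added example (not from the original article). Assumes the Microsoft Graph
unifiedRoleDefinition request shape; scenario keys and helper names are
this example's own.
"""
import json

# Permission sets copied from the scenario sections of the article.
SAML_SCENARIOS = {
    "assign_users_groups": {
        "microsoft.directory/servicePrincipals/appRoleAssignedTo/update",
    },
    "create_gallery_apps": {
        "microsoft.directory/applicationTemplates/instantiate",
    },
    "basic_saml_urls": {
        "microsoft.directory/servicePrincipals/authentication/update",
        "microsoft.directory/applications.myOrganization/authentication/update",
    },
    "signing_certs": {
        "microsoft.directory/applications/credentials/update",
    },
    "cert_notification_email": {
        "microsoft.directory/applications.myOrganization/authentication/update",
        "microsoft.directory/applications.myOrganization/permissions/update",
        "microsoft.directory/servicePrincipals/authentication/update",
        "microsoft.directory/servicePrincipals/basic/update",
    },
    "token_signature_algorithm": {
        "microsoft.directory/applicationPolicies/basic/update",
        "microsoft.directory/applications/authentication/update",
        "microsoft.directory/servicePrincipals/policies/update",
    },
    "attributes_and_claims": {
        "microsoft.directory/applicationPolicies/basic/update",
        "microsoft.directory/applications/authentication/update",
        "microsoft.directory/servicePrincipals/policies/update",
    },
}

# Action suffixes from the article's full list that grant every property or task
# on a resource; a role built for one scenario should not carry them.
BROAD_SUFFIXES = (
    "/allProperties/allTasks",
    "/allProperties/update",
    "/allProperties/read",
)


def actions_for(scenarios):
    """Union of the permissions the named scenarios need, sorted for a stable body."""
    unknown = [s for s in scenarios if s not in SAML_SCENARIOS]
    if unknown:
        raise ValueError(f"unknown scenario(s): {unknown}")
    actions = set()
    for s in scenarios:
        actions |= SAML_SCENARIOS[s]
    return sorted(actions)


def build_role_definition(display_name, description, scenarios):
    """Return the body for POST /roleManagement/directory/roleDefinitions."""
    return {
        "displayName": display_name,
        "description": description,
        "isEnabled": True,
        "rolePermissions": [{"allowedResourceActions": actions_for(scenarios)}],
    }


def broad_actions(role_definition):
    """Actions in a role body that grant all properties or tasks instead of one task."""
    found = []
    for perm in role_definition["rolePermissions"]:
        for action in perm["allowedResourceActions"]:
            if action.endswith(BROAD_SUFFIXES):
                found.append(action)
    return found


if __name__ == "__main__":
    body = build_role_definition(
        "SAML SSO Operator",  # constructed sample role name
        "Maintains basic SAML URLs and signing certificates for SSO apps",
        ["basic_saml_urls", "signing_certs"],
    )
    print(json.dumps(body, indent=2))
    print("broad actions:", broad_actions(body))
```

Because the scenario sets overlap (for example, token signature algorithm and user attributes and claims need the same three actions), the union keeps each action once, and reviewing broad_actions on an existing role body is a quick way to spot roles that were granted allProperties actions when a scenario set would have sufficed.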

App provisioning permissions

Performing any write operation, such as managing the job, schema, or credentials through the UI, also requires the read permissions, because they are needed to view the provisioning page.

Setting the scope to all users and groups, or to assigned users and groups, currently requires both the synchronizationJobs and synchronizationCredentials permissions.

Turn on or restart provisioning jobs

To delegate the ability to turn provisioning jobs on or off and to restart them. Permissions required:

  • microsoft.directory/servicePrincipals/synchronizationJobs/manage

Configure the provisioning schema

To delegate updates to attribute mappings. Permissions required:

  • microsoft.directory/servicePrincipals/synchronizationSchema/manage

Read provisioning settings associated with the application object

To delegate the ability to read provisioning settings associated with the application object. Permissions required:

  • microsoft.directory/applications/synchronization/standard/read

Read provisioning settings associated with your service principal

To delegate the ability to read provisioning settings associated with your service principal. Permissions required:

  • microsoft.directory/servicePrincipals/synchronization/standard/read

Authorize application access for provisioning

To delegate the ability to authorize application access for provisioning, for example by entering an OAuth bearer token. Permissions required:

  • microsoft.directory/servicePrincipals/synchronizationCredentials/manage
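The two rules at the top of this section (write actions need the read actions to render the provisioning page; changing scope needs both synchronizationJobs/manage and synchronizationCredentials/manage) are easy to miss when a custom role is assembled by hand. The Python below is an added example, not code from the article or from Microsoft. It encodes those rules as a check over a candidate role's allowedResourceActions and builds the minimal action set for a chosen provisioning task. It assumes that "the read permissions" means both read actions listed in this section (the application object one and the service principal one); that reading, and the function names, are this example's own.

```python
"""Check a candidate custom role against the provisioning rules in this section.

Added example (not from the original article). Assumes "the read permissions"
means both synchronization read actions listed above; function names are
this example's own.
"""

SP = "microsoft.directory/servicePrincipals/"
APP = "microsoft.directory/applications/"

# Write actions from the provisioning scenarios above, keyed by task name.
PROVISIONING_TASKS = {
    "jobs": SP + "synchronizationJobs/manage",           # turn on, off, restart
    "schema": SP + "synchronizationSchema/manage",       # attribute mappings
    "credentials": SP + "synchronizationCredentials/manage",  # authorize access
}
SYNC_WRITE_ACTIONS = set(PROVISIONING_TASKS.values())

# Read actions needed to view the provisioning page at all.
SYNC_READ_ACTIONS = {
    SP + "synchronization/standard/read",
    APP + "synchronization/standard/read",
}

# Both are required to change the scope to all or assigned users and groups.
SCOPE_ACTIONS = {
    SP + "synchronizationJobs/manage",
    SP + "synchronizationCredentials/manage",
}


def check_provisioning_role(actions, change_scope=False):
    """Return findings for a role's allowedResourceActions; empty means it passes."""
    actions = set(actions)
    findings = []
    writes = actions & SYNC_WRITE_ACTIONS
    if writes and not SYNC_READ_ACTIONS <= actions:
        missing = sorted(SYNC_READ_ACTIONS - actions)
        findings.append(
            f"write actions {sorted(writes)} need read actions {missing} "
            "to view the provisioning page"
        )
    if change_scope and not SCOPE_ACTIONS <= actions:
        findings.append(
            f"changing provisioning scope needs all of {sorted(SCOPE_ACTIONS)}"
        )
    return findings


def minimal_provisioning_actions(tasks, change_scope=False):
    """Smallest action set for the given tasks that satisfies both rules above."""
    unknown = [t for t in tasks if t not in PROVISIONING_TASKS]
    if unknown:
        raise ValueError(f"unknown task(s): {unknown}")
    actions = set(SYNC_READ_ACTIONS)
    for t in tasks:
        actions.add(PROVISIONING_TASKS[t])
    if change_scope:
        actions |= SCOPE_ACTIONS
    return sorted(actions)


if __name__ == "__main__":
    # Constructed sample: a role that was granted only the schema write action.
    candidate = [SP + "synchronizationSchema/manage"]
    for finding in check_provisioning_role(candidate, change_scope=True):
        print("finding:", finding)
    print("minimal:", minimal_provisioning_actions(["schema"], change_scope=True))
```

Running the check against role definitions pulled from the directory gives a repeatable way to confirm that a delegated provisioning role actually works in the portal and that it carries no write action beyond the task it was created for.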

Full list of permissions

Permission | Description
microsoft.directory/applicationPolicies/allProperties/read | Read all properties on application policies.
microsoft.directory/applicationPolicies/allProperties/update | Update all properties on application policies.
microsoft.directory/applicationPolicies/basic/update | Update standard properties of application policies.
microsoft.directory/applicationPolicies/create | Create application policies.
microsoft.directory/applicationPolicies/createAsOwner | Create application policies. Creator is added as the first owner.
microsoft.directory/applicationPolicies/delete | Delete application policies.
microsoft.directory/applicationPolicies/owners/read | Read owners on application policies.
microsoft.directory/applicationPolicies/owners/update | Update the owner property of application policies.
microsoft.directory/applicationPolicies/policyAppliedTo/read | Read the list of objects that application policies are applied to.
microsoft.directory/applicationPolicies/standard/read | Read standard properties of application policies.
microsoft.directory/servicePrincipals/allProperties/allTasks | Create and delete servicePrincipals, and read and update all properties in Azure Active Directory.
microsoft.directory/servicePrincipals/allProperties/read | Read all properties on servicePrincipals.
microsoft.directory/servicePrincipals/allProperties/update | Update all properties on servicePrincipals.
microsoft.directory/servicePrincipals/appRoleAssignedTo/read | Read service principal role assignments.
microsoft.directory/servicePrincipals/appRoleAssignedTo/update | Update service principal role assignments.
microsoft.directory/servicePrincipals/appRoleAssignments/read | Read role assignments assigned to service principals.
microsoft.directory/servicePrincipals/audience/update | Update audience properties on service principals.
microsoft.directory/servicePrincipals/authentication/update | Update authentication properties on service principals.
microsoft.directory/servicePrincipals/basic/update | Update basic properties on service principals.
microsoft.directory/servicePrincipals/create | Create service principals.
microsoft.directory/servicePrincipals/createAsOwner | Create service principals. Creator is added as the first owner.
microsoft.directory/servicePrincipals/credentials/update | Update credentials properties on service principals.
microsoft.directory/servicePrincipals/delete | Delete service principals.
microsoft.directory/servicePrincipals/disable | Disable service principals.
microsoft.directory/servicePrincipals/enable | Enable service principals.
microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials | Read password single sign-on credentials on service principals.
microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials | Manage password single sign-on credentials on service principals.
microsoft.directory/servicePrincipals/oAuth2PermissionGrants/read | Read delegated permission grants on service principals.
microsoft.directory/servicePrincipals/owners/read | Read owners on service principals.
microsoft.directory/servicePrincipals/owners/update | Update owners on service principals.
microsoft.directory/servicePrincipals/permissions/update |
microsoft.directory/servicePrincipals/policies/read | Read policies on service principals.
microsoft.directory/servicePrincipals/policies/update | Update policies on service principals.
microsoft.directory/servicePrincipals/standard/read | Read standard properties of service principals.
microsoft.directory/servicePrincipals/synchronization/standard/read | Read provisioning settings associated with your service principal.
microsoft.directory/servicePrincipals/tag/update | Update the tags property on service principals.
microsoft.directory/applicationTemplates/instantiate | Instantiate gallery applications from application templates.
microsoft.directory/auditLogs/allProperties/read | Read audit logs.
microsoft.directory/signInReports/allProperties/read | Read sign-in reports.
microsoft.directory/applications/synchronization/standard/read | Read provisioning settings associated with the application object.
microsoft.directory/servicePrincipals/synchronizationJobs/manage | Manage all aspects of job synchronization for service principal resources.
microsoft.directory/servicePrincipals/synchronization/standard/read | Read provisioning settings associated with service principals.
microsoft.directory/servicePrincipals/synchronizationSchema/manage | Manage all aspects of schema synchronization for service principal resources.
microsoft.directory/provisioningLogs/allProperties/read | Read all properties of provisioning logs.

Next steps