Assign custom roles to manage enterprise apps in Azure Active Directory

This article explains how to create a custom role with permissions to manage enterprise app assignments for users and groups in Azure Active Directory (Azure AD). For the elements of role assignments and the meaning of terms such as subtype, permission, and property set, see the custom roles overview.

Enterprise app role permissions

Two enterprise app permissions are discussed in this article. All examples use the update permission.

  • To read the user and group assignments at scope, grant the microsoft.directory/servicePrincipals/appRoleAssignedTo/read permission
  • To manage the user and group assignments at scope, grant the microsoft.directory/servicePrincipals/appRoleAssignedTo/update permission

Granting the update permission lets the assignee manage assignments of users and groups to enterprise apps. The scope of user and/or group assignments can be granted for a single application or for all applications. If granted at the organization-wide level, the assignee can manage assignments for all applications. If granted at the application level, the assignee can manage assignments only for the specified application.

Granting the update permission is done in two steps:

  1. Create a custom role with the permission microsoft.directory/servicePrincipals/appRoleAssignedTo/update
  2. Grant users or groups permission to manage user and group assignments to enterprise apps. This is where you set the scope to the organization-wide level or to a single application.

Use the Azure AD admin center

Create a new custom role

Note

Custom roles are created and managed at the organization-wide level and are available only from the organization's Overview page.

  1. Sign in to the Azure portal with Privileged Role Administrator or Global Administrator permissions in your organization.

  2. Select Azure Active Directory, select Roles and administrators, and then select New custom role.

    Add a new custom role from the roles list in Azure AD

  3. On the Basics tab, enter "Manage user and group assignments" as the name of the role and "Grant permissions to manage user and group assignments" as the role description, and then select Next.

    Provide a name and description for the custom role

  4. On the Permissions tab, enter "microsoft.directory/servicePrincipals/appRoleAssignedTo/update" in the search box, select the checkboxes next to the desired permissions, and then select Next.

    Add permissions to the custom role

  5. On the Review + create tab, review the permissions and select Create.

    The custom role can now be created

Assign the role to a user using the Azure AD portal

  1. Sign in to the Azure portal with Privileged Role Administrator role permissions.

  2. Select Azure Active Directory, and then select Roles and administrators.

  3. Select the Grant permissions to manage user and group assignments role.

    Open Roles and administrators and search for the custom role

  4. Select Add assignment, select the desired user, and then click Select to add the role assignment to the user.

    Add an assignment of the custom role to the user

Assignment tips

  • To grant assignees permission to manage user and group access for all enterprise apps organization-wide, start from the organization-wide Roles and administrators list on the Azure AD Overview page for your organization.

  • To grant assignees permission to manage user and group access for a specific enterprise app, go to that app in Azure AD and open the Roles and administrators list for that app. Select the new custom role and complete the user or group assignment. The assignees can then manage user and group access only for that specific app.

  • To test your custom role assignment, sign in as the assignee and open an application's Users and groups page to verify that the Add user option is enabled.

    Verify the user's permissions

Use Azure AD PowerShell

For more detail, see Create and assign a custom role and Assign custom roles with resource scope using PowerShell.

First, install the Azure AD PowerShell module from the PowerShell Gallery. Then import the Azure AD PowerShell preview module using the following command:

PowerShell
import-module azureadpreview

To verify that the module is ready to use, match the version returned by the following command to the one listed here:

PowerShell
get-module azureadpreview
  ModuleType Version      Name                         ExportedCommands
  ---------- ---------    ----                         ----------------
  Binary     2.0.0.115    azureadpreview               {Add-AzureADAdministrati...}

Create a custom role

Create a new role using the following PowerShell script:

# Basic role information
$description = "Manage user and group assignments"
$displayName = "Can manage user and group assignments for Applications"
$templateId = (New-Guid).Guid

# Set of permissions to grant
$allowedResourceAction = @("microsoft.directory/servicePrincipals/appRoleAssignedTo/update")
$resourceActions = @{'allowedResourceActions'= $allowedResourceAction}
$rolePermission = @{'resourceActions' = $resourceActions}
$rolePermissions = $rolePermission

# Create new custom admin role
$customRole = New-AzureADMSRoleDefinition -RolePermissions $rolePermissions -DisplayName $displayName -Description $description -TemplateId $templateId -IsEnabled $true

Assign the custom role

Assign the role using this PowerShell script.

PowerShell
# Basic role information

$description = "Manage user and group assignments"
$displayName = "Can manage user and group assignments for Applications"
$templateId = (New-Guid).Guid

# Set of permissions to grant
$allowedResourceAction =
@(
    "microsoft.directory/servicePrincipals/appRoleAssignedTo/update"
)
$resourceActions = @{'allowedResourceActions'= $allowedResourceAction}
$rolePermission = @{'resourceActions' = $resourceActions}
$rolePermissions = $rolePermission

# Create new custom role
$customRole = New-AzureADMSRoleDefinition -RolePermissions $rolePermissions -DisplayName $displayName -Description $description -TemplateId $templateId -IsEnabled $true
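The script above produces a role definition; granting it to a principal is a separate call, and the scope chosen at that point decides whether the assignee can touch every enterprise app or only one. The following is an added example, not taken from the page or from Microsoft's documentation, that performs the assignment with the Azure AD PowerShell preview module. The user principal name and the enterprise app name are constructed placeholders, and the single-application scope format ('/' followed by the enterprise app's service principal object ID) is an assumption to confirm in your tenant.

```powershell
# Added example (not from the original page). Assumes the azureadpreview module is
# imported and Connect-AzureAD has already been run against the tenant.

# Assignee, role definition and target app (constructed placeholder values)
$assigneeUpn = "assignee@contoso.example"
$roleName    = "Can manage user and group assignments for Applications"
$appName     = "Contoso Expense App"

$user           = Get-AzureADUser -Filter "userPrincipalName eq '$assigneeUpn'"
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq '$roleName'"

if (-not $user -or -not $roleDefinition) {
    throw "User or custom role definition not found; create the role definition first."
}

# Choose the scope. '/' grants the assignee the permission for every enterprise app
# in the tenant; scoping to one service principal is the least-privilege option.
$scopeToSingleApp = $true

if ($scopeToSingleApp) {
    # Assumption: a single-app scope is written as '/' + the service principal's object ID
    $servicePrincipal = Get-AzureADServicePrincipal -Filter "displayName eq '$appName'"
    if (-not $servicePrincipal) { throw "Enterprise app '$appName' not found." }
    $resourceScope = '/' + $servicePrincipal.ObjectId
} else {
    $resourceScope = '/'
}

# Create the role assignment at the chosen scope
$roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId $resourceScope `
    -RoleDefinitionId $roleDefinition.Id -PrincipalId $user.ObjectId

# Review: list every assignment of this role definition and confirm each scope.
# Any entry with DirectoryScopeId '/' is an organization-wide grant.
Get-AzureADMSRoleAssignment -Filter "roleDefinitionId eq '$($roleDefinition.Id)'" |
    Select-Object PrincipalId, DirectoryScopeId
```

The closing query is the check worth keeping around: it shows, per assignee, whether the grant is tenant-wide or limited to one app, which is the distinction the assignment tips above turn on.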

Use the Microsoft Graph API

Create a custom role using the example provided below for the Microsoft Graph API. For more detail, see Create and assign a custom role and Assign custom admin roles using the Microsoft Graph API.

HTTP request to create the custom role.

POST https://microsoftgraph.chinacloudapi.cn/beta/roleManagement/directory/roleDefinitions

{
    "description":"Can manage user and group assignments for Applications.",
    "displayName":"Manage user and group assignments",
    "isEnabled":true,
    "rolePermissions":
    [
        {
            "resourceActions":
            {
                "allowedResourceActions":
                [
                    "microsoft.directory/servicePrincipals/appRoleAssignedTo/update"
                ]
            },
            "condition":null
        }
    ],
    "templateId":"<PROVIDE NEW GUID HERE>",
    "version":"1"
}

Assign the custom role using the Microsoft Graph API

The role assignment combines a security principal ID (which can be a user or a service principal), a role definition ID, and an Azure AD resource scope. For more information on the elements of a role assignment, see the custom roles overview.

HTTP request to assign a custom role.

POST https://microsoftgraph.chinacloudapi.cn/beta/roleManagement/directory/roleAssignments

{
    "principalId":"<PROVIDE OBJECTID OF USER TO ASSIGN HERE>",
    "roleDefinitionId":"<PROVIDE OBJECTID OF ROLE DEFINITION HERE>",
    "resourceScopes":["/"]
}
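The two Graph requests above (create the role definition, then assign it) can be issued from PowerShell with Invoke-RestMethod against the Azure China Graph endpoint the page uses. The following is an added example, not part of the page or of Microsoft's documentation. It assumes $accessToken already holds a bearer token for microsoftgraph.chinacloudapi.cn with permission to manage role definitions and assignments, the principal and service principal object IDs are constructed placeholders, and the single-app scope format ("/" followed by the enterprise app's service principal object ID) is an assumption to confirm in your tenant.

```powershell
# Added example (not from the original page). Assumes $accessToken is a valid bearer
# token for https://microsoftgraph.chinacloudapi.cn with RoleManagement.ReadWrite.Directory.
$graphBase = "https://microsoftgraph.chinacloudapi.cn/beta/roleManagement/directory"
$headers   = @{ Authorization = "Bearer $accessToken" }

# 1. Create the role definition. The template ID must be a fresh GUID.
$roleDefinitionBody = @{
    description     = "Can manage user and group assignments for Applications."
    displayName     = "Manage user and group assignments"
    isEnabled       = $true
    templateId      = (New-Guid).Guid
    version         = "1"
    rolePermissions = @(
        @{
            resourceActions = @{
                allowedResourceActions = @(
                    "microsoft.directory/servicePrincipals/appRoleAssignedTo/update"
                )
            }
            condition = $null
        }
    )
} | ConvertTo-Json -Depth 6

$roleDefinition = Invoke-RestMethod -Method Post -Uri "$graphBase/roleDefinitions" `
    -Headers $headers -ContentType "application/json" -Body $roleDefinitionBody

# 2. Assign it. The IDs below are constructed placeholders; replace them with your own.
$principalId        = "<OBJECT ID OF THE USER OR GROUP TO ASSIGN>"
$servicePrincipalId = "<OBJECT ID OF THE ENTERPRISE APP>"

# "/" grants the permission for every enterprise app in the tenant.
# "/<servicePrincipalId>" limits it to one app (assumed format); prefer this where it suffices.
$resourceScope = "/$servicePrincipalId"

$assignmentBody = @{
    principalId      = $principalId
    roleDefinitionId = $roleDefinition.id
    resourceScopes   = @($resourceScope)
} | ConvertTo-Json

$assignment = Invoke-RestMethod -Method Post -Uri "$graphBase/roleAssignments" `
    -Headers $headers -ContentType "application/json" -Body $assignmentBody

# 3. Show what was granted so the scope can be confirmed before handing over the role
$assignment | Format-List id, principalId, roleDefinitionId, directoryScopeId, resourceScope
```

Building the body with a hashtable and ConvertTo-Json avoids the hand-edited JSON mistakes the raw requests invite (a stray space in displayName, a reused templateId), and keeping the scope in one variable makes the organization-wide versus single-app decision explicit in the script rather than buried in a string literal.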

Next steps