Azure Active Directory 中基于角色的访问控制概述Overview of role-based access control in Azure Active Directory

本文介绍如何理解 Azure Active Directory (Azure AD) 基于角色的访问控制。This article describes how to understand Azure Active Directory (Azure AD) role-based access control. 可通过 Azure AD 角色向管理员授予精细的权限,遵循最低权限原则。Azure AD roles allow you to grant granular permissions to your admins, abiding by the principle of least privilege. Azure AD 内置和自定义角色的运作原理与针对 Azure 资源的基于角色的访问控制系统(Azure 角色)中描述的类似。Azure AD built-in and custom roles operate on concepts similar to those you will find in the role-based access control system for Azure resources (Azure roles). 这两个基于角色的访问控制系统的区别在于:The difference between these two role-based access control systems is:

  • Azure AD 角色使用图形 API 控制对 Azure AD 资源(例如用户、组和应用程序)的访问Azure AD roles control access to Azure AD resources such as users, groups, and applications using Graph API
  • Azure 角色使用 Azure 资源管理控制对 Azure 资源(例如虚拟机或存储)的访问Azure roles control access to Azure resources such as virtual machines or storage using Azure Resource Management

这两个系统都包含角色定义和角色分配,且其用途相似。Both systems contain similarly used role definitions and role assignments. 但是,Azure AD 角色权限不能用于 Azure 自定义角色,反之亦然。However, Azure AD role permissions can't be used in Azure custom roles and vice versa.

了解 Azure AD 基于角色的访问控制Understand Azure AD role-based access control

Azure AD 支持两种类型的角色定义 -Azure AD supports 2 types of roles definitions -

内置角色是具有一系列固定权限的现成角色。Built-in roles are out of box roles that have a fixed set of permissions. 不能修改这些角色定义。These role definitions cannot be modified. Azure AD 支持许多内置角色,并且支持的角色还在不断增加。There are many built-in roles that Azure AD supports, and the list is growing. 为了完善功能并满足复杂要求,Azure AD 还支持自定义角色To round off the edges and meet your sophisticated requirements, Azure AD also supports custom roles. 使用自定义 Azure AD 角色授予权限的过程分为两个步骤,涉及到创建自定义角色定义,然后使用角色分配来分配该角色。Granting permission using custom Azure AD roles is a two-step process that involves creating a custom role definition and then assigning it using a role assignment. 自定义角色定义是从预设列表添加的权限集合。A custom role definition is a collection of permissions that you add from a preset list. 这些权限与内置角色中使用的权限相同。These permissions are the same permissions used in the built-in roles.

创建自定义角色定义(或使用内置角色)后,可以通过创建角色分配将其分配给某个用户。Once you’ve created your custom role definition (or using a built-in role), you can assign it to a user by creating a role assignment. 角色分配在指定的范围向用户授予角色定义中的权限。A role assignment grants the user the permissions in a role definition at a specified scope. 此双步过程可让你创建单个角色定义,并在不同的范围多次分配它。This two-step process allows you to create a single role definition and assign it many times at different scopes. 范围定义了角色成员有权访问的 Azure AD 资源集。A scope defines the set of Azure AD resources the role member has access to. 最常见的范围是组织范围。The most common scope is organization-wide (org-wide) scope. 可以在组织范围分配自定义角色,这意味着,该角色成员对组织中的所有资源拥有角色权限。A custom role can be assigned at org-wide scope, meaning the role member has the role permissions over all resources in the organization. 还可以在对象范围分配自定义角色。A custom role can also be assigned at an object scope. 对象范围的示例是单个应用程序。An example of an object scope would be a single application. 同一个角色可以分配给组织中所有应用程序的某个用户,然后分配给另一个用户,但范围仅限 Contoso Expense Reports 应用。The same role can be assigned to one user over all applications in the organization and then to another user with a scope of only the Contoso Expense Reports app.

Azure AD 内置和自定义角色的运作思路类似于 Azure 基于角色的访问控制 (Azure RBAC)Azure AD built-in and custom roles operate on concepts similar to Azure role-based access control (Azure RBAC). 这两个基于角色的访问控制系统的区别在于,Azure RBAC 使用 Azure 资源管理控制对 Azure 资源(例如虚拟机或存储)的访问,Azure AD 自定义角色使用图形 API 控制对 Azure AD 资源的访问。The difference between these two role-based access control systems is that Azure RBAC controls access to Azure resources such as virtual machines or storage using Azure Resource Management, and Azure AD custom roles control access to Azure AD resources using Graph API. 这两个系统都利用角色定义和角色分配的概念。Both systems leverage the concept of role definitions and role assignments. Azure AD RBAC 权限不能包含在 Azure 角色中,反之亦然。Azure AD RBAC permissions cannot be included in Azure roles and vice versa.

Azure AD 如何确定用户是否有权访问资源How Azure AD determines if a user has access to a resource

下面是 Azure AD 用于确定你是否有权访问管理资源的概要步骤。The following are the high-level steps that Azure AD uses to determine if you have access to a management resource. 使用此信息可对访问问题进行故障排除。Use this information to troubleshoot access issues.

  1. 用户(或服务主体)获取 Microsoft Graph 或 Azure AD Graph 终结点的令牌。A user (or service principal) acquires a token to the Microsoft Graph or Azure AD Graph endpoint.
  2. 用户使用颁发的令牌通过 Microsoft Graph 或 Azure AD Graph 对 Azure Active Directory (Azure AD) 进行 API 调用。The user makes an API call to Azure Active Directory (Azure AD) via Microsoft Graph or Azure AD Graph using the issued token.
  3. 根据具体情况,Azure AD 会执行以下操作之一:Depending on the circumstance, Azure AD takes one of the following actions:
    • 基于用户访问令牌中的 wids 声明评估用户的角色成员身份。Evaluates the user’s role memberships based on the wids claim in the user’s access token.
    • 检索为用户应用于(直接或通过组成员身份)执行操作的资源的所有角色分配。Retrieves all the role assignments that apply for the user, either directly or via group membership, to the resource on which the action is being taken.
  4. Azure AD 确定 API 调用中的操作是否包含在用户针对此资源拥有的角色中。Azure AD determines if the action in the API call is included in the roles the user has for this resource.
  5. 如果用户在请求的范围内没有包含该操作的角色,则不授予访问权限。If the user doesn't have a role with the action at the requested scope, access is not granted. 否则授予访问权限。Otherwise access is granted.

角色分配Role assignment

角色分配是一种 Azure AD 资源,它将角色定义附加到特定范围的用户,以授予对 Azure AD 资源的访问权限。 A role assignment is an Azure AD resource that attaches a role definition to a user at a particular scope to grant access to Azure AD resources. 通过创建角色分配来授予访问权限,通过删除角色分配来撤销访问权限。Access is granted by creating a role assignment, and access is revoked by removing a role assignment. 角色分配的核心包含三个要素:At its core, a role assignment consists of three elements:

  • Azure AD 用户Azure AD user
  • 角色定义Role definition
  • 资源范围Resource scope

可以使用 Azure 门户、Azure AD PowerShell 或图形 API 创建角色分配You can create role assignments using the Azure portal, Azure AD PowerShell, or Graph API. 还可以查看自定义角色的分配You can also view the assignments for a custom role.

下图显示了角色分配的示例。The following diagram shows an example of a role assignment. 在此示例中,在 Contoso Widget Builder 应用注册范围为 Chris Green 分配了“应用注册管理员”自定义角色。In this example, Chris Green has been assigned the App registration administrator custom role at the scope of the Contoso Widget Builder app registration. 此分配仅授予 Chris 对此特定应用注册的“应用注册管理员”角色权限。The assignment grants Chris the permissions of the App registration administrator role for only this specific app registration.


安全主体Security principal

安全主体表示分配了对 Azure AD 资源的访问权限的用户。A security principal represents the user that is to be assigned access to Azure AD resources. 用户是在 Azure Active Directory 中具有配置文件的个人。A user is an individual who has a user profile in Azure Active Directory.


角色定义(或角色)是权限的集合。A role definition, or role, is a collection of permissions. 角色定义列出可对 Azure AD 资源执行的操作,例如创建、读取、更新和删除。A role definition lists the operations that can be performed on Azure AD resources, such as create, read, update, and delete. 在 Azure AD 中有两种类型的角色:There are two types of roles in Azure AD:

  • Microsoft 创建的内置角色(无法更改)。Built-in roles created by Microsoft that can't be changed.
  • 由组织创建和管理的自定义角色。Custom roles created and managed by your organization.


范围是指允许对角色分配中的特定 Azure AD 资源执行的操作的限制。A scope is the restriction of permitted actions to a particular Azure AD resource as part of a role assignment. 分配角色时,可以指定一个范围来限制管理员对特定资源的访问。When you assign a role, you can specify a scope that limits the administrator's access to a specific resource. 例如,如果要为开发人员授予某个自定义角色,但仅允许该开发人员管理特定的应用程序注册,则你可以在角色分配中包含特定的应用程序注册作为范围。For example, if you want to grant a developer a custom role, but only to manage a specific application registration, you can include the specific application registration as a scope in the role assignment.

所需的许可计划Required license plan

在 Azure AD 中可免费使用内置角色,而使用自定义角色则需要 Azure AD Premium P1 许可证。Using built-in roles in Azure AD is free, while custom roles requires an Azure AD Premium P1 license. 若要根据需要查找合适的许可证,请参阅比较免费版、基本版和高级版的正式发布功能To find the right license for your requirements, see Comparing generally available features of the Free, Basic, and Premium editions.

后续步骤Next steps