Assign a role to a cloud group in Azure Active Directory

This section describes how an IT admin can assign an Azure Active Directory (Azure AD) role to an Azure AD group.

Using the Azure AD admin center

Assigning a group to an Azure AD role is similar to assigning users and service principals, except that only role-assignable groups can be used. In the Azure portal, only role-assignable groups are displayed.

  1. Sign in to the Azure AD admin center with Privileged role administrator or Global administrator permissions in the Azure AD organization.

  2. Select Azure Active Directory > Roles and administrators, and select the role you want to assign.

  3. On the role name page, select Add assignment.

    (Screenshot: Add a new role assignment)

  4. Select the group. Only the groups that can be assigned to Azure AD roles are displayed.

    (Screenshot: Only groups that are assignable are shown for a new role assignment.)

  5. Select Add.

For more information on assigning role permissions, see Assign administrator and non-administrator roles to users.

Using PowerShell

Create a group that can be assigned to a role

$group = New-AzureADMSGroup -DisplayName "Contoso_Helpdesk_Administrators" -Description "This group is assigned to Helpdesk Administrator built-in role in Azure AD." -MailEnabled $true -SecurityEnabled $true -MailNickName "contosohelpdeskadministrators" -IsAssignableToRole $true

Get the role definition for the role you want to assign

$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"

Create a role assignment

$roleAssignment = New-AzureADMSRoleAssignment -ResourceScope '/' -RoleDefinitionId $roleDefinition.Id -PrincipalId $group.Id

Using Microsoft Graph API

Create a group that can be assigned an Azure AD role

POST https://microsoftgraph.chinacloudapi.cn/beta/groups
{
  "description": "This group is assigned to Helpdesk Administrator built-in role of Azure AD.",
  "displayName": "Contoso_Helpdesk_Administrators",
  "groupTypes": [
    "Unified"
  ],
  "mailEnabled": true,
  "securityEnabled": true,
  "mailNickname": "contosohelpdeskadministrators",
  "isAssignableToRole": true
}

Get the role definition

GET https://microsoftgraph.chinacloudapi.cn/beta/roleManagement/directory/roleDefinitions?$filter=displayName eq 'Helpdesk Administrator'

Create the role assignment

POST https://microsoftgraph.chinacloudapi.cn/beta/roleManagement/directory/roleAssignments
{
  "principalId": "<Object Id of Group>",
  "roleDefinitionId": "<ID of role definition>",
  "directoryScopeId": "/"
}
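The three Graph calls above, as an added Python example that is not part of the Microsoft documentation: it builds the request bodies, percent-encodes the $filter query, and refuses to build a role assignment for a group that is not role-assignable (the same condition the directory enforces and the reason the portal lists only such groups). The sample group and role objects, the mailNickname check and the helper names are constructed for illustration; no network call is made.

```python
"""Build and validate the Graph requests for assigning a role to a group."""
from urllib.parse import quote

GRAPH_BASE = "https://microsoftgraph.chinacloudapi.cn/beta"  # endpoint from the page


def group_payload(display_name: str, mail_nickname: str, description: str) -> dict:
    """Body for POST /groups. isAssignableToRole can only be set when the
    group is created, so it is fixed to True here rather than passed in."""
    # Conservative check (assumption): allow only alphanumeric mail nicknames.
    if not mail_nickname.isalnum():
        raise ValueError("mailNickname must be alphanumeric")
    return {
        "description": description,
        "displayName": display_name,
        "groupTypes": ["Unified"],
        "mailEnabled": True,
        "securityEnabled": True,
        "mailNickname": mail_nickname,
        "isAssignableToRole": True,
    }


def role_definition_url(role_display_name: str) -> str:
    """URL for GET /roleManagement/directory/roleDefinitions filtered by
    displayName. Single quotes in the value are doubled (OData escaping) and
    the whole filter expression is percent-encoded."""
    escaped = role_display_name.replace("'", "''")
    flt = f"displayName eq '{escaped}'"
    return f"{GRAPH_BASE}/roleManagement/directory/roleDefinitions?$filter={quote(flt)}"


def role_assignment_payload(group: dict, role_definition: dict, scope: str = "/") -> dict:
    """Body for POST /roleManagement/directory/roleAssignments.
    Only a role-assignable group may be the principal; anything else is rejected
    client-side instead of relying on the service error."""
    if group.get("isAssignableToRole") is not True:
        raise ValueError(f"group {group.get('id')} is not role-assignable")
    return {
        "principalId": group["id"],
        "roleDefinitionId": role_definition["id"],
        "directoryScopeId": scope,
    }


# Constructed sample objects standing in for Graph responses (not real IDs).
HELPDESK_GROUP = {"id": "group-0001", "isAssignableToRole": True}
ORDINARY_GROUP = {"id": "group-0002", "isAssignableToRole": False}
HELPDESK_ROLE = {"id": "roledef-0001", "displayName": "Helpdesk Administrator"}
```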

Next steps