Use cloud groups to manage role assignments in Azure Active Directory (preview)

Azure Active Directory (Azure AD) is introducing a public preview in which you can assign a cloud group to Azure AD built-in roles. With this feature, you can use groups to grant admin access in Azure AD with minimal effort from your Global and Privileged role admins.

Consider this example: Contoso has hired people across geographies to manage and reset passwords for employees in its Azure AD organization. Instead of asking a Privileged role admin or Global admin to assign the Helpdesk admin role to each person individually, they can create a Contoso_Helpdesk_Administrators group and assign it to the role. When people join the group, they are assigned the role indirectly. Your existing governance workflow can then take care of the approval process and auditing of the group's membership, to ensure that only legitimate users are members of the group and are thus assigned the Helpdesk admin role.

How this feature works

Create a new Microsoft 365 or security group with the 'isAssignableToRole' property set to 'true'. You can also enable this property when creating a group in the Azure portal by turning on "Azure AD roles can be assigned to the group". Either way, you can then assign the group to one or more Azure AD roles in the same way as you assign roles to users. A maximum of 200 role-assignable groups can be created in a single Azure AD organization (tenant).

If you do not want members of the group to have standing access to the role, you can use Azure AD Privileged Identity Management (PIM). Assign the group as an eligible member of an Azure AD role. Each member of the group is then eligible to activate their assignment for the role the group is assigned to, and can activate it for a fixed time duration.


You must be on the updated version of Privileged Identity Management to assign a group to an Azure AD role through PIM. Your Azure AD organization might still be on the older version of PIM because it uses the Privileged Identity Management API. Contact the alias pim_preview@microsoft.com to have your organization moved and your API updated. Learn more at Azure AD roles and features in PIM.
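The procedure above, worked through in PowerShell as an added example (this is not code from the original article). It assumes the AzureADPreview module, a session signed in as a Global admin or Privileged role admin, and, for the eligible-assignment branch, Azure AD Premium P2 and a tenant that is already on the updated PIM API. The group name, mail nickname, description and reason text are illustrative assumptions; the cmdlet names are those shipped in AzureADPreview.

```powershell
# Added example (not from the original article): create a role-assignable group and
# attach it to the Helpdesk Administrator role, either as a permanent (active)
# assignment or as a PIM-eligible assignment. Pick ONE of the two for a given
# group/role pair; assigning the same group as Active through both Azure AD and PIM
# triggers the known issue described later in the article.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

$UseEligibleAssignment = $false   # $true = PIM eligible (P2), $false = permanent active

# 1. isAssignableToRole can only be set at creation time, so it is passed to
#    New-AzureADMSGroup. It cannot be switched on for an existing group later.
$group = New-AzureADMSGroup `
    -DisplayName        'Contoso_Helpdesk_Administrators' `
    -Description        'Members receive the Helpdesk Administrator role via this group' `
    -MailEnabled        $false `
    -SecurityEnabled    $true `
    -MailNickname       'contosohelpdeskadministrators' `
    -IsAssignableToRole $true

# 2. Resolve the built-in role by display name instead of hard-coding its template ID.
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"

if (-not $UseEligibleAssignment) {
    # 3a. Permanent assignment over the whole directory ('/'). Administrative-unit and
    #     application scopes are not supported for groups in this preview, so '/' is
    #     the only valid DirectoryScopeId here.
    New-AzureADMSRoleAssignment `
        -DirectoryScopeId '/' `
        -RoleDefinitionId $roleDefinition.Id `
        -PrincipalId      $group.Id
}
else {
    # 3b. Eligible assignment through PIM. Members must activate the role for a
    #     bounded period instead of holding it permanently. The one-year window below
    #     is an illustrative assumption.
    $tenantId = (Get-AzureADTenantDetail).ObjectId
    $pimRole  = Get-AzureADMSPrivilegedRoleDefinition -ProviderId 'aadRoles' -ResourceId $tenantId |
        Where-Object DisplayName -eq 'Helpdesk Administrator'

    $schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
    $schedule.Type          = 'Once'
    $schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
    $schedule.EndDateTime   = (Get-Date).AddYears(1).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')

    Open-AzureADMSPrivilegedRoleAssignmentRequest `
        -ProviderId       'aadRoles' `
        -ResourceId       $tenantId `
        -RoleDefinitionId $pimRole.Id `
        -SubjectId        $group.Id `
        -Type             'AdminAdd' `
        -AssignmentState  'Eligible' `
        -Schedule         $schedule `
        -Reason           'Helpdesk staff activate the role on demand'
}

# 4. Verify: the group must report IsAssignableToRole = True, and (for the active
#    branch) appear as the principal of a role assignment.
Get-AzureADMSGroup -Id $group.Id | Select-Object DisplayName, IsAssignableToRole
Get-AzureADMSRoleAssignment -Filter "principalId eq '$($group.Id)'"
```

Step 1 is the part that cannot be retrofitted: if the group was created without the flag, you must create a new group rather than try to set the property afterwards. The verification in step 4 is worth keeping in any runbook, because a group that reports IsAssignableToRole = False will silently fail to be accepted as a role principal.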

Why we enforce creation of a special group for assigning it to a role

If a group is assigned a role, any IT admin who can manage group membership can also indirectly manage the membership of that role. For example, assume that a group Contoso_User_Administrators is assigned to the User account admin role. An Exchange admin who can modify group membership could add themselves to the Contoso_User_Administrators group and in that way become a User account admin. As you can see, an admin could elevate their privilege in a way you did not intend.

Azure AD lets you protect a group assigned to a role by using a new group property called isAssignableToRole. Only cloud groups that had the isAssignableToRole property set to 'true' at creation time can be assigned to a role. This property is immutable: once a group is created with the property set to 'true', it can't be changed, and you can't set the property on an existing group. We designed how groups are assigned to roles to prevent that sort of escalation from happening:

  • Only Global admins and Privileged role admins can create a role-assignable group (with the "isAssignableToRole" property enabled).
  • By default, only Global admins and Privileged role admins can manage the membership of a role-assignable group, but you can delegate the management of role-assignable groups by adding group owners.
  • To prevent elevation of privilege, the credentials of members and owners of a role-assignable group can be changed only by a Privileged Authentication administrator or a Global administrator.
  • No nesting. A group can't be added as a member of a role-assignable group.
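Because group owners are the delegated path into a role (the second bullet above), the practical check is to enumerate every role-assignable group together with the roles it holds, its owners and its members. The report below is an added example, not code from the original article; it assumes the AzureADPreview module and a signed-in account with directory read permission, and the column names are illustrative.

```powershell
# Added example (not from the original article): report every role-assignable group
# in the tenant, the roles it grants, and who can change its membership. Owners can
# add members, and every member holds the group's roles, so both lists are the
# effective "who can become this role" set.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

function Get-RoleAssignableGroupReport {
    # The OData filter on isAssignableToRole returns only groups created with the flag.
    $groups = Get-AzureADMSGroup -Filter 'isAssignableToRole eq true' -All $true

    foreach ($g in $groups) {
        # Roles currently assigned to this group, resolved to display names.
        $roles = Get-AzureADMSRoleAssignment -Filter "principalId eq '$($g.Id)'" |
            ForEach-Object { (Get-AzureADMSRoleDefinition -Id $_.RoleDefinitionId).DisplayName }

        $owners  = @(Get-AzureADGroupOwner  -ObjectId $g.Id -All $true)
        $members = @(Get-AzureADGroupMember -ObjectId $g.Id -All $true)

        # Service principals have no UPN, so fall back to DisplayName for them.
        $label = { if ($_.UserPrincipalName) { $_.UserPrincipalName } else { $_.DisplayName } }

        [pscustomobject]@{
            Group           = $g.DisplayName
            Roles           = ($roles -join ', ')
            Owners          = (($owners  | ForEach-Object $label) -join ', ')
            Members         = (($members | ForEach-Object $label) -join ', ')
            # Nesting is blocked by the service; a Group-typed member means something is wrong.
            NestedGroups    = @($members | Where-Object ObjectType -eq 'Group').Count
            # Any owner is a delegated admin of the role; review these on every audit cycle.
            DelegatedOwners = $owners.Count
        }
    }
}

Get-RoleAssignableGroupReport | Format-Table -AutoSize
```

Run this on a schedule and diff the output: a new owner on a role-assignable group is, in effect, a new delegated administrator for every role in the Roles column, and a non-zero NestedGroups count should never occur.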


The following scenarios are not supported right now:

  • Assigning cloud groups to Azure AD custom roles
  • Assigning cloud groups to Azure AD roles (built-in or custom) over an administrative unit or application scope
  • Assigning on-premises groups to Azure AD roles (built-in or custom)

Known issues

  • The "Enable staged rollout for managed user sign-in" feature doesn't support assignment via group.
  • Azure AD P2 licensed customers only: Don't assign a group as Active to a role through both Azure AD and Privileged Identity Management (PIM). Specifically, don't assign a role to a role-assignable group when it's being created and then also assign the role to the group using PIM later. This leads to users being unable to see their active role assignments in PIM, and to the PIM assignment being impossible to remove. Eligible assignments are not affected in this scenario. If you do attempt to make this assignment, you might see unexpected behavior such as:
    • The end time for the role assignment might display incorrectly.
    • In the PIM portal, My Roles can show only one role assignment, regardless of how many methods the assignment is granted by (through one or more groups and directly).
  • Azure AD P2 licensed customers only: Even after deleting the group, it is still shown as an eligible member of the role in the PIM UI. Functionally there's no problem; it's just a cache issue in the Azure portal.
  • Use the new Exchange Admin Center for role assignments via group membership. The old Exchange Admin Center doesn't support this feature yet. Exchange PowerShell cmdlets will work as expected.

We are fixing these issues.

Required license plan

Using this feature requires an available Azure AD Premium P1 license in your Azure AD organization. To also use Privileged Identity Management for just-in-time role activation, you need an available Azure AD Premium P2 license. To find the right license for your requirements, see Comparing generally available features of the Free and Premium plans.

Next steps