分配给云组的角色疑难解答Troubleshooting roles assigned to cloud groups

以下是一些常见问题和疑难解答提示,用于在 Azure Active Directory (Azure AD) 中将角色分配给组。Here are some common questions and troubleshooting tips for assigning roles to groups in Azure Active Directory (Azure AD).

问: 谁可以修改分配给 Azure AD 角色的组的成员资格?Q: Who can modify the membership of groups that are assigned to Azure AD roles?

答: 默认情况下,只有特权角色管理员和全局管理员管理可分配角色组的成员资格,但你可以通过添加组所有者来委派对可分配角色的组的管理。A: By default, only Privileged Role Administrator and Global Administrator manage the membership of a role-assignable group, but you can delegate the management of role-assignable groups by adding group owners.

:我是组织中的帮助台管理员,但无法更新目录读取器用户的密码。Q: I am a Helpdesk Administrator in my organization but I can't update password of a user who is a Directory Reader. 为何发生这种情况?Why does that happen?

:用户可能通过可分配角色的组获取目录读取器。A: The user might have gotten Directory Reader by way of a role-assignable group. 可分配角色的组的所有成员和所有者都受到保护。All members and owners of a role-assignable groups are protected. 只有具有特权身份验证管理员或全局管理员角色的用户才能重置受保护用户的凭据。Only users in the Privileged Authentication Administrator or Global Administrator roles can reset credentials for a protected user.

问: 无法更新用户的密码。Q: I can't update password of a user. 它们未分配任何更高权限的特权角色。They don't have any higher privileged role assigned. 为何会发生这种情况?Why is it happening?

答: 用户可以是可分配角色的组的所有者。A: The user could be an owner of a role-assignable group. 我们保护可分配角色的组的所有者,以避免特权提升。We protect owners of role-assignable groups to avoid elevation of privilege. 例如,如果将组 Contoso_Security_Admins 分配给安全管理员角色,其中 Bob 是组所有者,Alice 是组织中的密码管理员,则可能会出现这种情况。An example might be if a group Contoso_Security_Admins is assigned to Security administrator role, where Bob is the group owner and Alice is Password administrator in the organization. 如果没有这种保护措施,Alice 可以重置 Bob 的凭据并接管其身份。If this protection weren't present, Alice could reset Bob's credentials and take over his identity. 之后,Alice 可以将自己或任何人添加到 Contoso_Security_Admins 组,成为组织中的安全管理员。After that, Alice could add herself or anyone to the group Contoso_Security_Admins group to become a Security administrator in the organization. 若要查明用户是否为组所有者,请获取该用户拥有的对象列表,并查看是否有组将 isAssignableToRole 设置为 true。To find out if a user is a group owner, get the list of owned objects of that user and see if any of the groups have isAssignableToRole set to true. 如果是,则用户是受保护的,并且该行为是设计的行为。If yes, then that user is protected and the behavior is by design. 请参阅以下文档,了解如何获取拥有的对象:Refer to these documentations for getting owned objects:

问: 是否可以对可分配给 Azure AD 角色的组(特别是 isAssignableToRole 属性设置为 true 的组)创建访问评审?Q: Can I create an access review on groups that can be assigned to Azure AD roles (specifically, groups with isAssignableToRole property set to true)?

答: 可以。A: Yes, you can. 如果你使用最新版访问评审,则审阅者默认进入“我的访问权限”,且仅全局管理员可以对可分配角色的组创建访问评审。If you are on newest version of Access Review, then your reviewers are directed to My Access by default, and only Global administrators can create access reviews on role-assignable groups. 但是,如果你使用旧版本的访问评审,则审阅者默认进入“访问面板”,且全局管理员和用户管理员均可以对可分配角色的组创建访问评审。However, if you are on the older version of Access Review, then your reviewers are directed to the Access Panel by default, and both Global administrators and User administrator can create access reviews on role-assignable groups. 新版体验将于 2020 年 7 月 28 日向所有客户推出。如果你想尽快升级,请在 Azure AD 访问评审 - 我的访问权限新审阅者体验登记表中提出申请。The new experience will be rolled out to all customers on July 28, 2020 but if you’d like to upgrade sooner, make a request to Azure AD Access Reviews - Updated reviewer experience in My Access Signup.

问: 是否可以创建访问包并将可以分配给 Azure AD 角色的组添加到其中?Q: Can I create an access package and put groups that can be assigned to Azure AD roles in it?

答: 可以。A: Yes, you can. 全局管理员和用户管理员有权将任何组放入访问包中。Global Administrator and User Administrator have the power to put any group in an access package. 全局管理员没有任何更改,但用户管理员角色权限稍有更改。Nothing changes for Global Administrator, but there's a slight change in User administrator role permissions. 若要将可分配角色的组放入访问包中,你必须是用户管理员,同时也是可分配角色的组的所有者。To put a role-assignable group into an access package, you must be a User Administrator and also owner of the role-assignable group. 下面是显示了哪些用户可以在“企业许可证管理”中创建访问包的完整表:Here's the full table showing who can create access package in Enterprise License Management:

Azure AD 目录角色Azure AD directory role 权利管理角色Entitlement management role 可以添加安全组*Can add security group* 可以添加 Microsoft 365 组*Can add Microsoft 365 group* 可以添加应用Can add app 可以添加 SharePoint Online 站点Can add SharePoint Online site
全局管理员Global administrator 不适用n/a ✔️✔️ ✔️✔️ ✔️✔️ ✔️✔️
用户管理员User administrator 不适用n/a ✔️✔️ ✔️✔️ ✔️✔️
Intune 管理员Intune administrator 目录所有者Catalog owner ✔️✔️ ✔️✔️    
Exchange 管理员Exchange administrator 目录所有者Catalog owner   ✔️✔️    
Teams 服务管理员Teams service administrator 目录所有者Catalog owner   ✔️✔️    
SharePoint 管理员SharePoint administrator 目录所有者Catalog owner   ✔️✔️   ✔️✔️
应用程序管理员Application administrator 目录所有者Catalog owner     ✔️✔️  
云应用程序管理员Cloud application administrator 目录所有者Catalog owner     ✔️✔️  
用户User 目录所有者Catalog owner 仅限组所有者Only if group owner 仅限组所有者Only if group owner 仅限应用所有者Only if app owner  

*组不可分配角色;也就是说,isAssignableToRole = false。*Group isn't role-assignable; that is, isAssignableToRole = false. 如果组可以分配角色,则创建访问包的人员也必须是可分配角色的组的所有者。If a group is role-assignable, then the person creating the access package must also be owner of the role-assignable group.

问: 在“分配的角色”中找不到“删除分配”选项。Q: I can't find "Remove assignment" option in "Assigned Roles". 如何删除分配给用户的角色?How do I delete role assignment to a user?

答: 此答案仅适用于 Azure AD Premium P1 组织。A: This answer is applicable only to Azure AD Premium P1 organizations.

  1. 登录到 Azure 门户,然后打开“Azure Active Directory”。Sign in to the Azure portal and open Azure Active Directory.
  2. 选择“用户”并打开用户配置文件。Select users and open a user profile.
  3. 选择“分配的角色”。Select Assigned roles.
  4. 选择齿轮图标。Select the gear icon. 此时会打开一个窗格,会显示此信息。A pane opens that can give this information. 直接分配旁边有一个“删除”按钮。There's a "Remove" button beside direct assignments. 若要删除间接角色分配,请从已分配角色的组中删除该用户。To remove indirect role assignment, remove the user from the group that has been assigned the role.

问: 如何查看所有可分配角色的组?Q: How do I see all groups that are role-assignable?

答: 执行以下步骤:A: Follow these steps:

  1. 登录到 Azure 门户,然后打开“Azure Active Directory”。Sign in to the Azure portal and open Azure Active Directory.
  2. 选择“组” > “所有组” 。Select Groups > All groups.
  3. 选择“添加筛选器”。Select Add filters.
  4. 筛选到“角色可分配”。Filter to Role assignable.

问: 如何实现知道哪个角色直接和间接分配到了某个主体?Q: How do I know which role are assigned to a principal directly and indirectly?

答: 执行以下步骤:A: Follow these steps:

  1. 登录到 Azure 门户,然后打开“Azure Active Directory”。Sign in to the Azure portal and open Azure Active Directory.

  2. 选择“用户”并打开用户配置文件。Select users and open a user profile.

  3. 选择“分配的角色”,然后:Select Assigned roles, and then:

    • 在 Azure AD Premium P1 许可组织中:选择齿轮图标。In Azure AD Premium P1 licensed organizations: Select the gear icon. 此时会打开一个窗格,会显示此信息。A pane opens that can give this information.
    • 在 Azure AD Premium P2 许可组织中:你可以在“成员资格”列中找到直接和继承的许可证信息。In Azure AD Premium P2 licensed organizations: You'll find direct and inherited license information in the Membership column.

问: 我们为何要强制创建新的云组来将其分配给角色?Q: Why do we enforce creating a new cloud group for assigning it to role?

答: 如果将现有组分配给角色,则现有组所有者可以向该组添加其他成员,而新成员不会意识到他们将拥有该角色。A: If you assign an existing group to a role, the existing group owner could add other members to this group without the new members realizing that they'll have the role. 因为可分配角色的组功能强大,因此我们设置了很多限制来保护它们。Because role-assignable groups are powerful, we're putting lots of restrictions to protect them. 你不会希望发生会让管理组的人员感到意外的更改。You don't want changes to the group that would be surprising to the person managing the group.

后续步骤Next steps