Assign a role to a group using Privileged Identity Management
This article describes how you can assign an Azure Active Directory (Azure AD) role to a group using Azure AD Privileged Identity Management (PIM).
Note
You must be using the updated version of Privileged Identity Management to be able to assign a group to an Azure AD role using PIM. You might be on an older version of PIM if your Azure AD organization uses the Privileged Identity Management API. If so, reach out to the alias pim_preview@microsoft.com to move your organization and update your API. Learn more at Azure AD roles and features in PIM.
Using Azure AD admin center
Sign in to Azure AD Privileged Identity Management as a Privileged role administrator or Global administrator in your organization.
Select Privileged Identity Management > Azure AD roles > Roles > Add assignments.
Select a role, and then select a group. Only groups that are eligible for role assignment (role-assignable groups) are displayed, not all groups.
Select the desired membership setting. For roles requiring activation, choose Eligible. By default, the group is permanently eligible, but you can also set a start and end time for its eligibility. Once you are done, select Save and then Add to complete the role assignment.
Using PowerShell
Download the Azure AD Preview PowerShell module
To install the Azure AD PowerShell module, use the following cmdlets:
Install-Module AzureADPreview
Import-Module AzureADPreview
To verify that the module is ready to use, use the following cmdlet:
Get-Module AzureADPreview
Assign a group as an eligible member of a role
# Build a one-time eligibility window; the dates below are the sample values used by this article
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type = "Once"
$schedule.StartDateTime = "2019-04-26T20:49:11.770Z"
$schedule.EndDateTime = "2019-07-25T20:49:11.770Z"
# Submit the request: the group (SubjectId) becomes an Eligible member of the role (RoleDefinitionId) in the tenant (ResourceId)
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId aadRoles -Schedule $schedule -ResourceId "[YOUR TENANT ID]" -RoleDefinitionId "9f8c1837-f885-4dfd-9a75-990f9222b21d" -SubjectId "[YOUR GROUP ID]" -AssignmentState "Eligible" -Type "AdminAdd"
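The snippet above assumes you already know the tenant, group and role definition IDs. The following script is an added example, not part of this article or of the AzureADPreview module's own documentation: it resolves those IDs from display names, checks that the target group is actually role-assignable before submitting (PIM rejects groups created without isAssignableToRole), uses a time-bound 90-day eligibility window instead of a permanent one, and reads the assignment back to confirm what PIM recorded. The group name, role name, window length and reason text are assumed sample values; the cmdlets are the AzureADPreview ones this article already uses.

```powershell
# Added example: eligible, time-bound assignment of a role-assignable group with pre- and post-checks.
# Assumptions (not from the article): the group display name, role display name, 90-day window
# and reason text below are sample values chosen for illustration.

Connect-AzureAD | Out-Null
$tenantId = (Get-AzureADCurrentSessionInfo).TenantId

$groupName = "PIM-Eligible-Security-Readers"   # constructed sample group name
$roleName  = "Security Reader"                 # built-in role, resolved to its ID below

# 1. Resolve the group and confirm it is role-assignable.
#    Only groups created with isAssignableToRole = true can be assigned to Azure AD roles.
$group = Get-AzureADMSGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' was not found." }
if (-not $group.IsAssignableToRole) {
    throw "Group '$groupName' is not role-assignable; role-assignability is fixed at creation time, so create a new group with -IsAssignableToRole `$true."
}

# 2. Resolve the role definition ID from the role's display name instead of hard-coding a GUID.
$roleDef = Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId $tenantId -Filter "DisplayName eq '$roleName'"
if (-not $roleDef) { throw "Role '$roleName' was not found in tenant $tenantId." }

# 3. Time-bound eligibility: starts now, ends in 90 days (UTC, ISO 8601 as the cmdlet expects).
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type          = "Once"
$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
$schedule.EndDateTime   = (Get-Date).AddDays(90).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")

# 4. Submit the request. AdminAdd = an administrator adds the subject; Eligible = members must still activate.
$request = Open-AzureADMSPrivilegedRoleAssignmentRequest `
    -ProviderId aadRoles `
    -ResourceId $tenantId `
    -RoleDefinitionId $roleDef.Id `
    -SubjectId $group.Id `
    -AssignmentState "Eligible" `
    -Type "AdminAdd" `
    -Schedule $schedule `
    -Reason "Time-bound eligible assignment for the security readers group"

# 5. Verify what PIM recorded: the group should now appear with AssignmentState = Eligible
#    and the start/end times of the schedule above.
Get-AzureADMSPrivilegedRoleAssignment -ProviderId aadRoles -ResourceId $tenantId `
    -Filter "subjectId eq '$($group.Id)' and roleDefinitionId eq '$($roleDef.Id)'" |
    Select-Object SubjectId, RoleDefinitionId, AssignmentState, StartDateTime, EndDateTime
```

The role-assignability check matters because it cannot be changed after a group is created; failing early with a clear message is preferable to a rejected request. Reading the assignment back (step 5) is also what you would script in a periodic review to confirm no group holds a permanent assignment where a time-bound one was intended.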
Using Microsoft Graph API
Replace the {…} placeholders in the request body with your tenant's values:
POST https://microsoftgraph.chinacloudapi.cn/beta/privilegedAccess/aadroles/roleAssignmentRequests
{
  "roleDefinitionId": "{roleDefinitionId}",
  "resourceId": "{tenantId}",
  "subjectId": "{GroupId}",
  "assignmentState": "Eligible",
  "type": "AdminAdd",
  "reason": "reason string",
  "schedule": {
    "startDateTime": "{DateTime}",
    "endDateTime": "{DateTime}",
    "type": "Once"
  }
}
Next steps
- Use cloud groups to manage role assignments
- Troubleshooting roles assigned to cloud groups
- Configure Azure AD admin role settings in Privileged Identity Management
- Assign Azure resource roles in Privileged Identity Management