Administrative units management in Azure Active Directory (preview)

This article describes administrative units in Azure Active Directory (Azure AD). An administrative unit is an Azure AD resource that can be a container for other Azure AD resources. In this preview release, these resources can be only users. For example, an administrative unit-scoped User account admin can update profile information, reset passwords, and assign licenses for users only in their administrative unit.

You can use administrative units to delegate administrative permissions over subsets of users and to apply policies to a subset of users. For example, you can delegate permissions to regional administrators or set policy at a granular level.

Deployment scenario

Administrative units can be useful in organizations with independent divisions. Consider the example of a large university that is made up of many autonomous schools (School of Business, School of Engineering, and so on), each of which has its own IT administrators who control access, manage users, and set policies for their school. A central administrator could create an administrative unit for the School of Business and populate it with only the business school students and staff. Then the central administrator can add the business school IT staff to a scoped role that grants administrative permissions over only Azure AD users in the business school administrative unit.

License requirements

Using administrative units requires an Azure Active Directory Premium license for each administrative unit admin. For more information, see Getting started with Azure AD Premium.

Managing administrative units

In this preview release, the only way you can create and manage administrative units is to use the Azure Active Directory Module for Windows PowerShell cmdlets, as described in Working with Administrative Units.

For more information on software requirements and installing the Azure AD module, and for reference information on the Azure AD Module cmdlets for managing administrative units, including syntax, parameter descriptions, and examples, see Azure Active Directory PowerShell.
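The university deployment scenario above, carried through as an added example (not code from the original article). It assumes the AzureADPreview module's administrative unit cmdlets, a signed-in global administrator, and that users carry a Department attribute; the unit name, admin UPN, and role display name are constructed or assumed values.

```powershell
# Added example: delegate user administration for one school only.
# Assumes the AzureADPreview module; all names below are constructed.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

$auName   = 'School of Business'           # constructed administrative unit name
$adminUpn = 'bizadmin@contoso.example'     # constructed IT staff account
$roleName = 'User Account Administrator'   # assumed directory role display name

# 1. Create the administrative unit, reusing it if it already exists.
$au = Get-AzureADAdministrativeUnit | Where-Object { $_.DisplayName -eq $auName }
if (-not $au) {
    $au = New-AzureADAdministrativeUnit -DisplayName $auName `
        -Description 'Business school students and staff'
}

# 2. Populate it with only the users of that school, skipping current members.
$current = @(Get-AzureADAdministrativeUnitMember -ObjectId $au.ObjectId |
    ForEach-Object { $_.ObjectId })
Get-AzureADUser -All $true |
    Where-Object { $_.Department -eq $auName -and $current -notcontains $_.ObjectId } |
    ForEach-Object {
        Add-AzureADAdministrativeUnitMember -ObjectId $au.ObjectId -RefObjectId $_.ObjectId
    }

# 3. Grant the school's IT admin the role scoped to this unit, not tenant-wide.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
if (-not $role) { throw "Directory role '$roleName' is not activated in this tenant." }
$admin = Get-AzureADUser -ObjectId $adminUpn
$memberInfo = New-Object -TypeName Microsoft.Open.AzureAD.Model.RoleMemberInfo `
    -Property @{ ObjectId = $admin.ObjectId }
Add-AzureADScopedRoleMembership -ObjectId $au.ObjectId `
    -RoleObjectId $role.ObjectId -RoleMemberInfo $memberInfo

# 4. Review: list who holds scoped roles over this unit.
Get-AzureADScopedRoleMembership -ObjectId $au.ObjectId |
    Select-Object RoleObjectId, @{ n = 'AdminObjectId'; e = { $_.RoleMemberInfo.ObjectId } }

# 5. Least-privilege check: the scoped admin should not also hold the role tenant-wide.
$tenantWide = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Where-Object { $_.ObjectId -eq $admin.ObjectId }
if ($tenantWide) {
    Write-Warning "$adminUpn also holds '$roleName' tenant-wide; the scope is not limiting."
}
```

Steps 4 and 5 are worth re-running periodically: a scoped assignment only limits an administrator who does not also hold the same role at tenant level.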

