What is enterprise user management?

This article introduces the Azure AD administrator to the relationship between the top identity management tasks for users: their groups, licenses, deployed enterprise apps, and administrator roles. As your organization grows, you can use Azure AD groups and administrator roles to:

  • Assign licenses to groups instead of to individual users
  • Delegate permissions, so that the work of Azure AD management is spread across less-privileged roles instead of concentrated in Global Administrators
  • Assign enterprise app access to groups

Assign users to groups

You can use groups in Azure AD to assign licenses to large numbers of users, or to assign user access to deployed enterprise apps. You can use groups to assign all administrator roles except for Global Administrator in Azure AD, or you can grant access to resources that are external, such as SharePoint sites.

Assign licenses to groups

Assigning or removing licenses for users one at a time demands time and attention. If you assign licenses to groups instead, large-scale license management becomes easier.

In Azure AD, when users join a licensed group, they are automatically assigned the appropriate licenses. When users leave the group, Azure AD removes their license assignments. Without Azure AD groups, you would have to write a PowerShell script or call the Graph API to bulk add or remove licenses for users joining or leaving the organization.

If there are not enough available licenses, or a problem occurs such as two service plans that can't be assigned at the same time, the affected group shows the licensing error status in the Azure portal, and the affected users keep an error state on their license assignment until it is resolved.

Note: The group-based licensing feature currently is in public preview. During the preview, the feature is available with any paid Azure Active Directory (Azure AD) license plan or trial.
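The workflow above (assign a SKU to a group, then check for members whose assignment failed) as an added example using the Microsoft Graph PowerShell SDK; this is not code from the original article. It assumes the Microsoft.Graph module is installed, that the caller holds a role allowed to manage licenses (License Administrator is sufficient), and that the group name and SKU part number are placeholders you replace with your own. The cmdlet names follow the Microsoft Graph PowerShell SDK as the editor knows them; check them against your installed module version.

```powershell
# Added example, not part of the original article.
# Assumes: Microsoft.Graph module installed; caller can manage licenses.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Organization.Read.All", "User.Read.All"

$groupName     = "All-Staff"        # placeholder group display name
$skuPartNumber = "ENTERPRISEPACK"   # placeholder SKU part number (Office 365 E3)

$group = Get-MgGroup -Filter "displayName eq '$groupName'"
$sku   = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $skuPartNumber

# Seat check up front. Group-based licensing does not fail the whole assignment when
# seats run out; it silently leaves the surplus members in a CountViolation error state.
$memberCount = (Get-MgGroupMember -GroupId $group.Id -All).Count
$available   = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
if ($available -lt $memberCount) {
    Write-Warning "Only $available seats free for $memberCount members; some members will get a license error."
}

# Assign the SKU to the group. DisabledPlans lets you exclude a service plan that
# conflicts with one the users already hold (MutuallyExclusiveViolation).
Set-MgGroupLicense -GroupId $group.Id `
    -AddLicenses @(@{ SkuId = $sku.SkuId; DisabledPlans = @() }) `
    -RemoveLicenses @()

# The assignment is processed asynchronously; wait (bounded) for it to finish.
$attempts = 0
do {
    Start-Sleep -Seconds 30
    $state = (Get-MgGroup -GroupId $group.Id -Property "licenseProcessingState").LicenseProcessingState.State
    $attempts++
} while ($state -eq "ProcessingInProgress" -and $attempts -lt 20)

# Report every member whose group-derived assignment ended in an error.
Get-MgGroupMemberWithLicenseError -GroupId $group.Id -All | ForEach-Object {
    $u = Get-MgUser -UserId $_.Id -Property "userPrincipalName,licenseAssignmentStates"
    $u.LicenseAssignmentStates |
        Where-Object { $_.AssignedByGroup -eq $group.Id -and $_.Error -ne "None" } |
        ForEach-Object { "{0}: {1}" -f $u.UserPrincipalName, $_.Error }
}
```

Run the error report again after buying seats or after adjusting DisabledPlans; Azure AD retries failed group assignments on its own schedule, but the portal only shows the count, not which users are affected, so the per-user listing is what you want for a ticket.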

Delegate administrator roles

Many large organizations want options for their users to obtain sufficient permissions for their work tasks without assigning the powerful Global Administrator role to, for example, users who must register applications. Here are examples of Azure AD administrator roles that let you distribute the work of application management with more granularity:

Role name                       Permissions summary
Application Administrator       Can add and manage enterprise applications and application registrations, and configure Application Proxy settings. Application Administrators can view Conditional Access policies and devices, but not manage them.
Cloud Application Administrator Can add and manage enterprise applications and application registrations. This role has all of the permissions of the Application Administrator except the ability to manage Application Proxy settings.
Application Developer           Can add and update application registrations, but can't manage enterprise applications.

New Azure AD administrator roles are being added. Check the Azure portal or the administrator role permission reference for the roles currently available.
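As an added example (not from the original article), this is how a practitioner would delegate application management to the least-privileged role in the table, either directly to a user or through a role-assignable group, and then audit who still holds Global Administrator. It assumes the Microsoft.Graph module, a caller who can assign directory roles (Privileged Role Administrator), and placeholder user and group names. Role-assignable groups require an Azure AD Premium P1 license.

```powershell
# Added example, not part of the original article.
# Assumes: Microsoft.Graph module installed; caller can assign directory roles.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All", "Group.ReadWrite.All"

$upn = "app-owner@contoso.example"   # placeholder user who needs to manage apps

# Pick the narrowest role that covers the task. Cloud Application Administrator manages
# app registrations and enterprise apps but cannot change Application Proxy, which is
# the piece that exposes on-premises services to the internet.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Cloud Application Administrator'"
$user    = Get-MgUser -Filter "userPrincipalName eq '$upn'"

# Option A: direct assignment to the user, tenant-wide scope ("/").
New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $roleDef.Id -PrincipalId $user.Id -DirectoryScopeId "/"

# Option B: a role-assignable group, so that adding or removing members grants or
# revokes the role. Only Global/Privileged Role Administrators can change such a group's
# membership, which keeps a Group Administrator from escalating through it.
$group = New-MgGroup -DisplayName "Role-CloudAppAdmins" -MailNickname "role-cloudappadmins" `
    -MailEnabled:$false -SecurityEnabled:$true -IsAssignableToRole:$true
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $roleDef.Id -PrincipalId $group.Id -DirectoryScopeId "/"

# Audit: the Global Administrator list should stay short once work is delegated.
$ga = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($ga.Id)'" -All |
    Select-Object PrincipalId, DirectoryScopeId
```

Use one option, not both, for a given user. Option B is the one that scales: membership of the role-assignable group becomes the thing you review, and it can be put under access reviews or Privileged Identity Management later without changing the role assignment itself.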

Assign app access

You can use Azure AD to assign group access to the enterprise apps that are deployed in your Azure AD organization.

Azure AD also gives you granular control of the data that flows between an app and the groups to which you assign access. In Enterprise Applications, open an app and select Provisioning to:

  • Set up automatic provisioning for apps that support it
  • Provide the credentials Azure AD uses to connect to the app's user management API
  • Set up the attribute mappings that control which user attributes flow between Azure AD and the app when user accounts are provisioned or updated
  • Start and stop the Azure AD provisioning service for an app, clear the provisioning cache, or restart the service
  • View the Provisioning activity report, which logs every user and group created, updated, and removed between Azure AD and the app, and the Provisioning error report, which gives more detailed error messages
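The two reports in the last bullet are also available as the provisioning log in Microsoft Graph. As an added example (not from the original article), the following pulls the last week of provisioning events for one enterprise app and groups the failures by error code, so a recurring cause such as an expired API token or a bad attribute mapping stands out. It assumes the Microsoft.Graph module, a caller who can read audit logs (Reports Reader is enough), and a placeholder app name; the server-side filter on activityDateTime is an assumption about what the provisioning log endpoint accepts, and everything else is filtered on the client.

```powershell
# Added example, not part of the original article.
# Assumes: Microsoft.Graph module installed; caller can read audit logs.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Application.Read.All"

$appName = "Salesforce"   # placeholder enterprise app display name
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'"

# Last seven days, ISO 8601 in UTC. The date filter is assumed to be supported server-side;
# the service principal match is done client-side below.
$since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString("o")
$events = Get-MgAuditLogProvisioning -All -Filter "activityDateTime ge $since" |
    Where-Object { $_.ServicePrincipal.Id -eq $sp.Id }

# Failures grouped by error code, most frequent first. Reason and RecommendedAction are
# what the portal's Provisioning error report shows per row.
$events |
    Where-Object { $_.ProvisioningStatusInfo.Status -eq "failure" } |
    Group-Object { $_.ProvisioningStatusInfo.ErrorInformation.ErrorCode } |
    Sort-Object Count -Descending |
    ForEach-Object {
        $first = $_.Group[0].ProvisioningStatusInfo.ErrorInformation
        "{0,5}  {1}`n       reason: {2}`n       action: {3}" -f $_.Count, $_.Name, $first.Reason, $first.RecommendedAction
    }

# Volume by action (Create, Update, Delete, Disable, ...). A sudden spike in deletes
# after a mapping or scoping change is the signal to stop the provisioning job.
$events | Group-Object ProvisioningAction | Select-Object Name, Count
```

Treat an unexpected change in the action counts as seriously as the failures: provisioning that succeeds at deleting or disabling the wrong accounts is quieter than a failed run and harder to undo.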

Next steps

If you're a beginning Azure AD administrator, get the basics down in Azure Active Directory Fundamentals.

Or you can start creating groups, assigning licenses, assigning app access, or assigning administrator roles.