在 Azure Active Directory 中设置自助服务组管理Set up self-service group management in Azure Active Directory

可以在 Azure Active Directory (Azure AD) 中允许用户创建和管理他们自己的安全组或 Microsoft 365 组。You can enable users to create and manage their own security groups or Microsoft 365 groups in Azure Active Directory (Azure AD). 组的所有者可以批准或拒绝成员身份请求,并可以委托对组成员身份的控制。The owner of the group can approve or deny membership requests, and can delegate control of group membership. 自助服务组管理功能不可用于启用了邮件的安全组或通讯组列表。Self-service group management features are not available for mail-enabled security groups or distribution lists.

自助服务组成员身份默认值Self-service group membership defaults

如果安全组是在 Azure 门户中或使用 Azure AD PowerShell 创建的,则只有组的所有者可以更新成员身份。When security groups are created in the Azure portal or using Azure AD PowerShell, only the group's owners can update membership. 通过自助服务在访问面板中创建的安全组和所有 Microsoft 365 组都可供所有用户加入,无论是所有者批准的还是自动批准的。Security groups created by self-service in the Access panel and all Microsoft 365 groups are available to join for all users, whether owner-approved or auto-approved. 在访问面板中,你可以在创建组时更改成员身份选项。In the Access panel, you can change membership options when you create the group.

组创建于Groups created in 安全组默认行为Security group default behavior Microsoft 365 组默认行为Microsoft 365 group default behavior
Azure AD PowerShellAzure AD PowerShell 只有所有者才能添加成员Only owners can add members
在访问面板中可见但不可供加入Visible but not available to join in Access panel
可供所有用户加入Open to join for all users
Azure 门户Azure portal 只有所有者才能添加成员Only owners can add members
在访问面板中可见但不可供加入Visible but not available to join in Access panel
在创建组时不会自动分配所有者Owner is not assigned automatically at group creation
可供所有用户加入Open to join for all users
访问面板Access panel 可供所有用户加入Open to join for all users
可以在创建组时更改成员身份选项Membership options can be changed when the group is created
可供所有用户加入Open to join for all users
可以在创建组时更改成员身份选项Membership options can be changed when the group is created

自助服务组管理方案Self-service group management scenarios

  • 委托组管理 — 以管理对公司所用 SaaS 应用程序的访问权限的管理员为例。Delegated group management An example is an administrator who is managing access to a SaaS application that the company is using. 由于有许多加入者和离开者,管理这些访问权限变得越来越繁琐,因此该管理员要求业务所有者创建一个新组。Managing these access rights is becoming cumbersome, so this administrator asks the business owner to create a new group. 管理员将该应用程序的访问权限分配给新组,并向此组添加所有已访问该应用程序的人员。The administrator assigns access for the application to the new group, and adds to the group all people already accessing the application. 然后,业务所有者可以添加更多用户,而这些用户会自动预配到该应用程序中。The business owner then can add more users, and those users are automatically provisioned to the application. 业务所有者无需等待管理员管理用户的访问权限。The business owner doesn't need to wait for the administrator to manage access for users. 如果管理员将相同的权限授予不同业务组中的经理,则该人员也可以管理自己组成员的访问权限。If the administrator grants the same permission to a manager in a different business group, then that person can also manage access for their own group members. 企业主和经理无法查看或管理对方的组成员身份。Neither the business owner nor the manager can view or manage each other's group memberships. 该管理员仍然可以看到有权访问该应用程序的所有用户,并可根据需要阻止访问权限。The administrator can still see all users who have access to the application and block access rights if needed.
  • 自助组管理 — 以下是该方案的一个示例:两个用户都拥有独立设置的 SharePoint Online 站点。Self-service group management An example of this scenario is two users who both have SharePoint Online sites that they set up independently. 他们想为对方的团队提供对自己站点的访问权限。They want to give each other's teams access to their sites. 要实现此目的,他们可以在 Azure AD 中创建一个组,各自在 SharePoint Online 中选择该组并为该组提供对其站点的访问权限。To accomplish this, they can create one group in Azure AD, and in SharePoint Online each of them selects that group to provide access to their sites. 当有人想要访问时,他们从访问面板发出请求,获得批准后便可自动访问这两个 SharePoint Online 站点。When someone wants access, they request it from the Access Panel, and after approval they get access to both SharePoint Online sites automatically. 后来,他们中的一人决定,允许访问其站点的所有人也访问特定的 SaaS 应用程序。Later, one of them decides that all people accessing the site should also get access to a particular SaaS application. SaaS 应用程序的管理员可以将此应用程序的访问权限添加到 SharePoint Online 站点。The administrator of the SaaS application can add access rights for the application to the SharePoint Online site. 从那以后,他批准的任何请求都将提供对这两个 SharePoint Online 站点以及该 SaaS 应用程序的访问权限。From then on, any requests that get approved gives access to the two SharePoint Online sites and also to this SaaS application.

使组可用于用户自助服务Make a group available for user self-service

  1. 使用目录的全局管理员帐户登录到 Azure AD 管理中心Sign in to the Azure AD admin center with an account that's a global admin for the directory.

  2. 依次选择“组”、“常规”设置。 Select Groups, and then select General settings.

  3. 将“所有者可以在访问面板中管理组成员资格请求”设置为“是”。 Set Owners can manage group membership requests in the Access Panel to Yes.

  4. 将“限制对访问面板中组的访问”设置为“否” 。Set Restrict access to Groups in the Access Panel to No.

  5. 如果将“用户可以在 Azure 门户中创建安全组”或“用户可以在 Azure 门户中创建 Microsoft 365 组”设置为If you set Users can create security groups in Azure portals or Users can create Microsoft 365 groups in Azure portals to

    • :Azure AD 组织中的所有用户均可以创建新的安全组,并可以将成员添加到这些组。Yes: All users in your Azure AD organization are allowed to create new security groups and add members to these groups. 这些新组也会显示在其他所有用户的“访问面板”中。These new groups would also show up in the Access Panel for all other users. 如果组的策略设置允许,其他用户可以创建加入这些组的请求If the policy setting on the group allows it, other users can create requests to join these groups
    • :用户无法创建组,也无法更改其拥有的现有组。No: Users can't create groups and can't change existing groups for which they are an owner. 不过,他们仍然可以管理这些组的成员身份,并审批其他用户加入其组的请求。However, they can still manage the memberships of those groups and approve requests from other users to join their groups.

你还可以使用“可以将成员分配为 Azure 门户中组所有者的所有者”和“可以将成员分配为 Azure 门户中组所有者的所有者”,来实现对用户的自助服务组管理的更精细访问控制。You can also use Owners who can assign members as group owners in Azure portals and Owners who can assign members as group owners in Azure portals to achieve more granular access control over self-service group management for your users.

当用户可以创建组时,组织中的所有用户均可以创建新组,然后作为默认所有者将成员添加到这些组。When users can create groups, all users in your organization are allowed to create new groups and then can, as the default owner, add members to these groups. 不能指定可以创建自己的组的个人。You can't specify individuals who can create their own groups. 指定个人只能用于将其他组成员设为组所有者。You can specify individuals only for making another group member a group owner.

备注

必须具备 Azure Active Directory Premium(P1 或 P2)许可证,用户才能请求加入安全组或 Microsoft 365 组,所有者才能批准或拒绝成员身份请求。An Azure Active Directory Premium (P1 or P2) license is required for users to request to join a security group or Microsoft 365 group and for owners to approve or deny membership requests. 如果没有 Azure Active Directory Premium 许可证,用户仍可在访问面板中管理他们的组,但不能在访问面板中创建需要所有者批准的组,也不能请求加入组。Without an Azure Active Directory Premium license, users can still manage their groups in the Access Panel, but they can't create a group that requires owner approval in the Access Panel, and they can't request to join a group.

后续步骤Next steps

这些文章提供了有关 Azure Active Directory 的更多信息。These articles provide additional information on Azure Active Directory.