Add and manage groups in administrative units in Azure Active Directory

In Azure Active Directory (Azure AD), you can add groups to an administrative unit (AU) for a more granular administrative scope of control.

For steps to prepare to use PowerShell and Microsoft Graph for administrative unit management, see Get started.

Add groups to an AU

Azure portal

In the preview, you can assign groups to an administrative unit only individually. There is no option for bulk assignment of groups to an administrative unit. You can assign a group to an administrative unit in one of two ways in the portal:

  1. From the Azure AD > Groups page

    Open the Groups overview page in Azure AD and select the group that needs to be assigned to the administrative unit. On the left side, select Administrative units to list the administrative units the group is assigned to. At the top you will find the option Assign to administrative unit; selecting it opens a panel on the right side where you choose the administrative unit.

    [Screenshot: assigning groups individually to an administrative unit]

  2. From the Azure AD > Administrative units > All Groups page

    Open the All Groups blade in Azure AD > Administrative Units. If there are groups already assigned to the administrative unit, they will be displayed on the right side. Select Add at the top and a right panel will slide in listing the groups available in your Azure AD organization. Select one or more groups to be assigned to the administrative unit.

    [Screenshot: select an administrative unit, then select Add member]

PowerShell

# Look up the administrative unit and the group by display name
$administrativeUnitObj = Get-AzureADAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
$GroupObj = Get-AzureADGroup -Filter "displayname eq 'TestGroup'"
# Add the group to the administrative unit
Add-AzureADAdministrativeUnitMember -ObjectId $administrativeUnitObj.ObjectId -RefObjectId $GroupObj.ObjectId

In this example, the cmdlet Add-AzureADAdministrativeUnitMember is used to add the group to the administrative unit. The object ID of the administrative unit and the object ID of the group to be added are passed as arguments. The highlighted section may be changed as required for the specific environment.
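Display names are not unique in a directory, so a displayname filter can return no object or several, and the add would then run with an empty or ambiguous object ID. The following is an added example, not part of the original documentation: a hypothetical helper, Add-GroupToAdministrativeUnit, that requires exactly one match for each name and skips the add when the group is already a member. It assumes an existing Connect-AzureAD session and that Get-AzureADAdministrativeUnitMember accepts -All $true.

```powershell
# Added example; Add-GroupToAdministrativeUnit is a hypothetical helper name.
# Assumes Connect-AzureAD has already been run in this session.
function Add-GroupToAdministrativeUnit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$AdministrativeUnitName,
        [Parameter(Mandatory = $true)][string]$GroupName
    )

    # OData string literals escape a single quote by doubling it.
    $auFilter    = "displayname eq '{0}'" -f $AdministrativeUnitName.Replace("'", "''")
    $groupFilter = "displayname eq '{0}'" -f $GroupName.Replace("'", "''")

    # Force arrays so that zero, one and many matches can be told apart.
    $units  = @(Get-AzureADAdministrativeUnit -Filter $auFilter)
    $groups = @(Get-AzureADGroup -Filter $groupFilter)

    if ($units.Count -ne 1) {
        throw "Expected exactly one administrative unit named '$AdministrativeUnitName', found $($units.Count)."
    }
    if ($groups.Count -ne 1) {
        throw "Expected exactly one group named '$GroupName', found $($groups.Count)."
    }

    $unit  = $units[0]
    $group = $groups[0]

    # Skip the add when the group is already a member (assumes -All is supported).
    $memberIds = @(Get-AzureADAdministrativeUnitMember -ObjectId $unit.ObjectId -All $true |
        ForEach-Object { $_.ObjectId })
    if ($memberIds -contains $group.ObjectId) {
        Write-Verbose "Group $($group.ObjectId) is already a member of $($unit.ObjectId)."
        return
    }

    # -WhatIf and -Confirm are honored here before anything is changed.
    if ($PSCmdlet.ShouldProcess($unit.DisplayName, "Add group '$($group.DisplayName)'")) {
        Add-AzureADAdministrativeUnitMember -ObjectId $unit.ObjectId -RefObjectId $group.ObjectId
    }
}

# Preview the change with the names used on this page, without applying it.
Add-GroupToAdministrativeUnit -AdministrativeUnitName 'Test administrative unit 2' -GroupName 'TestGroup' -WhatIf
```

Drop -WhatIf to apply the change, and add -Verbose to see when an existing membership caused the add to be skipped.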

Microsoft Graph

HTTP request
POST /administrativeUnits/{Admin Unit id}/members/$ref

Request body
{
  "@odata.id":"https://microsoftgraph.chinacloudapi.cn/beta/groups/{id}"
}

Example:

{
  "@odata.id":"https://microsoftgraph.chinacloudapi.cn/beta/groups/871d21ab-6b4e-4d56-b257-ba27827628f3"
}

List groups in an AU

Azure portal

Go to Azure AD > Administrative units in the portal. Select the administrative unit for which you want to list the users. By default, All users is already selected on the left panel. Select All groups and on the right you will find the list of groups that are members of the selected administrative unit.

[Screenshot: list of groups in an administrative unit]

PowerShell

$administrativeUnitObj = Get-AzureADAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
Get-AzureADAdministrativeUnitMember -ObjectId $administrativeUnitObj.ObjectId

This returns all the members of the administrative unit. If you want to display only the groups that are members of the administrative unit, you can use the following code snippet:

# Walk every member of the administrative unit and keep only the groups
foreach ($member in (Get-AzureADAdministrativeUnitMember -ObjectId $administrativeUnitObj.ObjectId))
{
    if ($member.ObjectType -eq "Group")
    {
        Get-AzureADGroup -ObjectId $member.ObjectId
    }
}

Microsoft Graph

HTTP request
GET /administrativeUnits/{Admin id}/members/$/microsoft.graph.group
Request body
{}

List AUs for a group

Azure portal

In the Azure AD portal, you can open a group's details by opening Groups. Select a group to open the group's profile. Select Administrative units to list all the administrative units where the group is a member.

[Screenshot: list of administrative units for a group]

PowerShell

# $groupObjId holds the object ID of the group to look up
Get-AzureADAdministrativeUnit | where { Get-AzureADAdministrativeUnitMember -ObjectId $_.ObjectId | where {$_.ObjectId -eq $groupObjId} }

Microsoft Graph

GET https://microsoftgraph.chinacloudapi.cn/beta/groups/<group-id>/memberOf/$/Microsoft.Graph.AdministrativeUnit

Remove a group from an AU

Azure portal

There are two ways you can remove a group from an administrative unit in the Azure portal.

Open Azure AD > Groups and open the profile for the group you want to remove from the administrative unit. Select Administrative units in the left panel to list all the administrative units where the group is a member. Select the administrative unit that you want to remove the group from, and then select Remove from administrative unit.

[Screenshot: removing a group from an administrative unit]

Alternatively, you can go to Azure AD > Administrative units and select the administrative unit where the group is a member. Select Groups in the left panel to list the member groups. Select the group to be removed from the administrative unit and then select Remove groups.

[Screenshot: list of groups in an administrative unit]

PowerShell

# $auId is the object ID of the administrative unit; $memberGroupObjId is the object ID of the group to remove
Remove-AzureADAdministrativeUnitMember -ObjectId $auId -MemberId $memberGroupObjId

Microsoft Graph

DELETE https://microsoftgraph.chinacloudapi.cn/beta/administrativeUnits/<adminunit-id>/members/<group-id>/$ref

Next steps