Create and assign a custom role in Azure Active Directory

This article describes how to create new custom roles in Azure Active Directory (Azure AD). For the basics of custom roles, see the custom roles overview. The role can be assigned either at the directory-level scope or at an app registration resource scope only.

Custom roles can be created in the Roles and administrators tab on the Azure AD overview page.

Create a role in the Azure portal

Create a new custom role to grant access to manage app registrations

  1. Sign in to the Azure portal with Privileged role administrator or Global administrator permissions in the Azure AD organization.

  2. Select Azure Active Directory > Roles and administrators > New custom role.

    Create or edit roles from the Roles and administrators page

  3. On the Basics tab, provide a name and description for the role and then click Next.

    Provide a name and description for a custom role on the Basics tab

  4. On the Permissions tab, select the permissions necessary to manage the basic properties and credential properties of app registrations. For a detailed description of each permission, see Application registration subtypes and permissions in Azure Active Directory.

    1. First, enter "credentials" in the search bar and select the microsoft.directory/applications/credentials/update permission.

      Select the permissions for a custom role on the Permissions tab

    2. Next, enter "basic" in the search bar, select the microsoft.directory/applications/basic/update permission, and then click Next.

  5. On the Review + create tab, review the permissions and select Create.

Your custom role will show up in the list of available roles to assign.

Create a role using PowerShell

Prepare PowerShell

First, you must download the Azure AD Preview PowerShell module.

To install the Azure AD PowerShell module, use the following commands:

install-module azureadpreview
import-module azureadpreview

To verify that the module is ready to use, run the following command:

get-module azureadpreview
  ModuleType Version      Name                         ExportedCommands
  ---------- ---------    ----                         ----------------
  Binary     2.0.2.31     azuread                      {Add-AzureADAdministrati...}

Create the custom role

Create a new role using the following PowerShell script:

# Basic role information
$displayName = "Application Support Administrator"
$description = "Can manage basic aspects of application registrations."
$templateId = (New-Guid).Guid
 
# Set of permissions to grant
$allowedResourceAction =
@(
    "microsoft.directory/applications/basic/update",
    "microsoft.directory/applications/credentials/update"
)
$rolePermissions = @{'allowedResourceActions'= $allowedResourceAction}
 
# Create new custom admin role
$customAdmin = New-AzureADMSRoleDefinition -RolePermissions $rolePermissions -DisplayName $displayName -Description $description -TemplateId $templateId -IsEnabled $true

Assign the custom role using Azure AD PowerShell

Assign the role using the following PowerShell script:

# Get the user and role definition you want to link
$user = Get-AzureADUser -Filter "userPrincipalName eq 'cburl@f128.info'"
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Application Support Administrator'"

# Get app registration and construct resource scope for assignment.
$appRegistration = Get-AzureADApplication -Filter "displayName eq 'f/128 Filter Photos'"
$resourceScope = '/' + $appRegistration.objectId

# Create a scoped role assignment
$roleAssignment = New-AzureADMSRoleAssignment -ResourceScope $resourceScope -RoleDefinitionId $roleDefinition.Id -PrincipalId $user.objectId
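Because a custom role can be assigned either directory-wide ("/") or to a single app registration, it is worth checking afterwards which scope each assignment actually received. The following audit script is an added example and is not part of the original article; it assumes the AzureADPreview module is loaded, Connect-AzureAD has already been run, and the custom role created above exists. It lists every assignment of that role and flags the ones made at the directory-wide scope.

```powershell
# Added audit example (not from the original article). Assumes the AzureADPreview
# module is loaded, Connect-AzureAD has been run, and the custom role from this
# article exists. Lists every assignment of the role and flags the ones made at
# the directory-wide scope ("/") instead of on a single app registration.
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Application Support Administrator'"
if (-not $roleDefinition) { throw "Role definition not found." }

$assignments = Get-AzureADMSRoleAssignment -Filter "roleDefinitionId eq '$($roleDefinition.Id)'"

$report = foreach ($assignment in $assignments) {
    # Assumption: older AzureADPreview builds expose the scope as ResourceScope,
    # newer ones as DirectoryScopeId; read whichever property is present.
    $scope = if ($assignment.PSObject.Properties['DirectoryScopeId']) {
        $assignment.DirectoryScopeId
    } else {
        $assignment.ResourceScope
    }

    # Resolve the principal (user, group or service principal) to a display name.
    $principal = Get-AzureADObjectByObjectId -ObjectIds $assignment.PrincipalId

    if ($scope -eq '/') {
        $target = 'ALL app registrations (directory-wide)'
    } else {
        # An app-scoped assignment has the form "/<objectId of the app registration>".
        $app = Get-AzureADApplication -ObjectId $scope.TrimStart('/')
        $target = "app registration '$($app.DisplayName)'"
    }

    [pscustomobject]@{
        Principal     = $principal.DisplayName
        PrincipalId   = $assignment.PrincipalId
        Scope         = $scope
        Target        = $target
        DirectoryWide = ($scope -eq '/')
    }
}

$report | Sort-Object DirectoryWide -Descending | Format-Table -AutoSize

# Summarise the assignments worth a second look: directory-wide assignments of a
# role that was meant to be scoped to a single app registration.
$wide = @($report | Where-Object DirectoryWide)
Write-Host ("{0} of {1} assignments of '{2}' are directory-wide." -f $wide.Count, @($report).Count, $roleDefinition.DisplayName)
```

Run it after each assignment change; an unexpected directory-wide row means a principal can edit credentials on every app registration in the tenant rather than just the intended one.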

Create a role with Graph API

  1. Create the role definition.

    HTTP request to create a custom role definition.

    POST

    https://microsoftgraph.chinacloudapi.cn/beta/roleManagement/directory/roleDefinitions
    

    Body

    {
       "description": "Can manage basic aspects of application registrations.",
       "displayName": "Application Support Administrator",
       "isEnabled": true,
       "templateId": "<GUID>",
       "rolePermissions": [
           {
               "allowedResourceActions": [
                   "microsoft.directory/applications/basic/update",
                   "microsoft.directory/applications/credentials/update"
               ]
           }
       ]
    }
    
  2. Create the role assignment.

    HTTP request to create a custom role assignment.

    POST

    https://microsoftgraph.chinacloudapi.cn/beta/roleManagement/directory/roleAssignments
    

    Body

    {
       "principalId":"<GUID OF USER>",
       "roleDefinitionId":"<GUID OF ROLE DEFINITION>",
       "resourceScope":"/<GUID OF APPLICATION REGISTRATION>"
    }
    

Assign a custom role scoped to a resource

Like built-in roles, custom roles are assigned by default at the organization-wide scope, which grants their permissions over all app registrations in your organization. Unlike built-in roles, however, custom roles can also be assigned at the scope of a single Azure AD resource. This lets you give a user permission to update the credentials and basic properties of one app without having to create a second custom role.

  1. Sign in to the Azure portal with Application developer permissions in the Azure AD organization.

  2. Select App registrations.

  3. Select the app registration you are granting management access to. You might have to select All applications to see the complete list of app registrations in your Azure AD organization.

    Select the app registration as the resource scope for a role assignment

  4. In the app registration, select Roles and administrators. If you haven't already created a custom role, instructions are in the preceding procedure.

  5. Select the role to open the Assignments page.

  6. Select Add assignment to add a user. The user is granted the role's permissions over the selected app registration only.

Next steps