Custom administrator roles in Azure Active Directory (preview)

This article describes how to understand Azure AD custom roles in Azure Active Directory (Azure AD) with role-based access control and resource scopes. Custom Azure AD roles surface the underlying permissions of the built-in roles, so that you can create and organize your own custom roles. This approach allows you to grant access in a more granular way than built-in roles, whenever it is needed. This first release of Azure AD custom roles includes the ability to create a role to assign permissions for managing app registrations. Over time, additional permissions for organization resources like enterprise applications, users, and devices will be added.

Additionally, Azure AD custom roles support assignments on a per-resource basis, in addition to the more traditional organization-wide assignments. This approach gives you the ability to grant access to manage some resources (for example, one app registration) without giving access to all resources (all app registrations).

Azure AD role-based access control is a public preview feature of Azure AD and is available with any paid Azure AD license plan. For more information about previews, see Supplemental Terms of Use for Azure Previews.

Understand Azure AD role-based access control

Granting permission using custom Azure AD roles is a two-step process that involves creating a custom role definition and then assigning it using a role assignment. A custom role definition is a collection of permissions that you add from a preset list. These permissions are the same permissions used in the built-in roles.

Once you've created your role definition, you can assign it to a user by creating a role assignment. A role assignment grants the user the permissions in a role definition at a specified scope. This two-step process allows you to create a single role definition and assign it many times at different scopes. A scope defines the set of Azure AD resources the role member has access to. The most common scope is organization-wide (org-wide) scope. A custom role can be assigned at org-wide scope, meaning the role member has the role permissions over all resources in the organization. A custom role can also be assigned at an object scope. An example of an object scope would be a single application. The same role can be assigned to one user over all applications in the organization and then to another user with a scope of only the Contoso Expense Reports app.

Azure AD built-in and custom roles operate on concepts similar to Azure role-based access control (Azure RBAC). The difference between these two role-based access control systems is that Azure RBAC controls access to Azure resources such as virtual machines or storage using Azure Resource Management, while Azure AD custom roles control access to Azure AD resources using Graph API. Both systems leverage the concept of role definitions and role assignments.

How Azure AD determines if a user has access to a resource

The following are the high-level steps that Azure AD uses to determine if you have access to a management resource. Use this information to troubleshoot access issues.

  1. A user (or service principal) acquires a token to the Microsoft Graph or Azure AD Graph endpoint.

  2. The user makes an API call to Azure Active Directory (Azure AD) via Microsoft Graph or Azure AD Graph using the issued token.

  3. Depending on the circumstance, Azure AD takes one of the following actions:

    • Evaluates the user's role memberships based on the wids claim in the user's access token.
    • Retrieves all the role assignments that apply to the user, either directly or via group membership, for the resource on which the action is being taken.

  4. Azure AD determines if the action in the API call is included in the roles the user has for this resource.

  5. If the user doesn't have a role with the action at the requested scope, access is not granted. Otherwise, access is granted.

Role assignments

A role assignment is the object that attaches a role definition to a user at a particular scope to grant Azure AD resource access. Access is granted by creating a role assignment, and access is revoked by removing a role assignment. At its core, a role assignment consists of three elements:

  • User (an individual who has a user profile in Azure Active Directory)
  • Role definition
  • Resource scope

You can create role assignments using the Azure portal, Azure AD PowerShell, or Graph API. You can also view the assignments for a custom role.

The following diagram shows an example of a role assignment. In this example, Chris Green has been assigned the App registration administrator custom role at the scope of the Contoso Widget Builder app registration. The assignment grants Chris the permissions of the App registration administrator role for only this specific app registration.

Diagram: role assignments are how permissions are enforced, and they have three parts.

Security principal

A security principal represents the user that is to be assigned access to Azure AD resources. A user is an individual who has a user profile in Azure Active Directory.

Role

A role definition, or role, is a collection of permissions. A role definition lists the operations that can be performed on Azure AD resources, such as create, read, update, and delete. There are two types of roles in Azure AD:

  • Built-in roles created by Microsoft that can't be changed.
  • Custom roles created and managed by your organization.

Scope

A scope is the restriction of permitted actions to a particular Azure AD resource as part of a role assignment. When you assign a role, you can specify a scope that limits the administrator's access to a specific resource. For example, if you want to grant a developer a custom role, but only to manage a specific application registration, you can include the specific application registration as a scope in the role assignment.

Note

Custom roles can be assigned at directory scope and resource scope. They cannot yet be assigned at Administrative Unit scope. Built-in roles can be assigned at directory scope and, in some cases, Administrative Unit scope. They cannot yet be assigned at Azure AD resource scope.
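The access-evaluation steps above, the three elements of a role assignment, and the scope rules in the note can be tied together in a small model. The following is an added example written for this page; it is not Azure AD's implementation or an Azure AD SDK. The scope notation (`/` for org-wide scope, `/administrativeUnits/<id>` for an Administrative Unit, `/<object id>` for a single resource), the object ids, the group, and the `has_access`, `validate_assignment` and `scope_covers` helpers are all assumptions of the example. It models step 3's "retrieve all role assignments that apply, directly or via group membership" and steps 4 and 5; it does not model token issuance or the wids claim.

```python
from dataclasses import dataclass

# Scope notation assumed by this example (not Azure AD's own format):
#   "/"                           org-wide (directory) scope
#   "/administrativeUnits/<id>"   Administrative Unit scope
#   "/<object id>"                one resource, e.g. a single app registration
ORG_SCOPE = "/"
AU_PREFIX = "/administrativeUnits/"


@dataclass(frozen=True)
class RoleDefinition:
    """A role definition: a named collection of permitted actions."""
    name: str
    actions: frozenset
    built_in: bool = False


@dataclass(frozen=True)
class RoleAssignment:
    """The three elements of a role assignment: principal, role, scope."""
    principal: str          # user id or group id (constructed ids below)
    role: RoleDefinition
    scope: str


def scope_kind(scope):
    """Classify a scope string as directory, administrativeUnit or resource."""
    if scope == ORG_SCOPE:
        return "directory"
    if scope.startswith(AU_PREFIX):
        return "administrativeUnit"
    return "resource"


def validate_assignment(assignment):
    """Apply the page's note: custom roles only at directory or resource scope;
    built-in roles only at directory or Administrative Unit scope."""
    kind = scope_kind(assignment.scope)
    if assignment.role.built_in:
        return kind in ("directory", "administrativeUnit")
    return kind in ("directory", "resource")


def scope_covers(scope, resource, au_members):
    """True if an assignment at `scope` reaches `resource`.
    au_members maps an AU id to the set of resource ids it contains."""
    kind = scope_kind(scope)
    if kind == "directory":
        return True
    if kind == "administrativeUnit":
        return resource in au_members.get(scope[len(AU_PREFIX):], set())
    return scope == "/" + resource


def has_access(principal, action, resource, assignments, group_members, au_members=None):
    """Steps 3-5: collect assignments that apply to the principal (directly or
    through a group) at a scope covering the resource, then check whether any
    of those roles includes the requested action."""
    au_members = au_members or {}
    groups = {g for g, members in group_members.items() if principal in members}
    applicable = [
        a for a in assignments
        if validate_assignment(a)
        and (a.principal == principal or a.principal in groups)
        and scope_covers(a.scope, resource, au_members)
    ]
    return any(action in a.role.actions for a in applicable)


# Constructed sample data mirroring the page's example.
UPDATE_APP = "microsoft.directory/applications/basic/update"   # illustrative action
APP_REG_ADMIN = RoleDefinition("App registration administrator", frozenset({UPDATE_APP}))
WIDGET_BUILDER = "app-contoso-widget-builder"      # constructed object id
EXPENSE_REPORTS = "app-contoso-expense-reports"    # constructed object id

ASSIGNMENTS = [
    # Chris Green: custom role scoped to one app registration only
    RoleAssignment("chris.green", APP_REG_ADMIN, "/" + WIDGET_BUILDER),
    # A group: the same role at org-wide scope
    RoleAssignment("grp-app-owners", APP_REG_ADMIN, ORG_SCOPE),
]
GROUP_MEMBERS = {"grp-app-owners": {"dana.lee"}}


def decisions():
    """Return the access decisions for the sample data as a dict."""
    return {
        "chris_widget": has_access("chris.green", UPDATE_APP, WIDGET_BUILDER, ASSIGNMENTS, GROUP_MEMBERS),
        "chris_expense": has_access("chris.green", UPDATE_APP, EXPENSE_REPORTS, ASSIGNMENTS, GROUP_MEMBERS),
        "dana_expense": has_access("dana.lee", UPDATE_APP, EXPENSE_REPORTS, ASSIGNMENTS, GROUP_MEMBERS),
    }


if __name__ == "__main__":
    for name, allowed in decisions().items():
        print(f"{name}: {'granted' if allowed else 'denied'}")
```

Running the block shows the per-resource effect the page describes: Chris can update the Contoso Widget Builder registration but not Contoso Expense Reports, while a member of the org-wide group can update both. Because `validate_assignment` runs inside `has_access`, an assignment that violates the note (a custom role at Administrative Unit scope, or a built-in role at resource scope) never contributes to a decision.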

Required license plan

Using this feature requires an Azure AD Premium P1 license. To find the right license for your requirements, see Comparing generally available features of the Free, Basic, and Premium editions.

Next steps