Remove role assignments from a group in Azure Active Directory

This article describes how an IT admin can remove Azure AD roles assigned to groups. In the Azure portal, you can now remove both direct and indirect role assignments to a user. If a user is assigned a role by a group membership, remove the user from the group to remove the role assignment.

Using Azure admin center

  1. Sign in to the Azure AD admin center with Privileged Role Administrator or Global Administrator permissions in the Azure AD organization.

  2. Select Roles and administrators > role name.

  3. Select the group from which you want to remove the role assignment and select Remove assignment.

    [Screenshot: Remove role assignment from the selected group.]

  4. When asked to confirm your action, select Yes.

Using PowerShell

Create a group that can be assigned to a role

$group = New-AzureADMSGroup -DisplayName "Contoso_Helpdesk_Administrators" -Description "This group is assigned to Helpdesk Administrator built-in role in Azure AD." -MailEnabled $true -SecurityEnabled $true -MailNickName "contosohelpdeskadministrators" -IsAssignableToRole $true

Get the role definition you want to assign the group to

$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"

Create a role assignment

# New-AzureADMSGroup returns a Microsoft Graph group object whose identifier property is Id (not ObjectId)
$roleAssignment = New-AzureADMSRoleAssignment -ResourceScope '/' -RoleDefinitionId $roleDefinition.Id -PrincipalId $group.Id

Remove the role assignment

Remove-AzureADMSRoleAssignment -Id $roleAssignment.Id
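The steps above remove one assignment whose id you still hold in $roleAssignment. When auditing an existing role-assignable group you usually do not have that id, so the following added example (not part of the original article) first enumerates every role assignment held by the group via the AzureAD module and then removes them, with -WhatIf for a dry run. It assumes the AzureAD module is installed, Connect-AzureAD has already been run with Privileged Role Administrator rights, and the function name Remove-GroupRoleAssignments is our own.

```powershell
# Added example, not from the original article. Assumes Connect-AzureAD has already been run
# with Privileged Role Administrator rights; Remove-GroupRoleAssignments is a hypothetical name.
function Remove-GroupRoleAssignments {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Display name of the role-assignable group, e.g. Contoso_Helpdesk_Administrators
        [Parameter(Mandatory = $true)]
        [string]$GroupDisplayName
    )

    # Resolve the group; refuse to continue if the name is missing or not unique.
    $group = @(Get-AzureADMSGroup -Filter "displayName eq '$GroupDisplayName'")
    if ($group.Count -eq 0) { throw "Group '$GroupDisplayName' not found." }
    if ($group.Count -gt 1) { throw "Display name '$GroupDisplayName' is ambiguous; use the object id instead." }
    $group = $group[0]

    if (-not $group.IsAssignableToRole) {
        Write-Warning "Group '$GroupDisplayName' was not created with -IsAssignableToRole and cannot hold direct role assignments."
    }

    # Role assignments are keyed by the principal (here the group) id.
    $assignments = @(Get-AzureADMSRoleAssignment -Filter "principalId eq '$($group.Id)'")
    if ($assignments.Count -eq 0) {
        Write-Host "No role assignments found for '$GroupDisplayName'."
        return
    }

    foreach ($assignment in $assignments) {
        # Resolve the role definition so the log line is readable, then remove the assignment.
        $role  = Get-AzureADMSRoleDefinition -Id $assignment.RoleDefinitionId
        $label = "$($role.DisplayName) at scope '$($assignment.DirectoryScopeId)' (assignment $($assignment.Id))"
        if ($PSCmdlet.ShouldProcess($GroupDisplayName, "Remove $label")) {
            Remove-AzureADMSRoleAssignment -Id $assignment.Id
            Write-Host "Removed $label"
        }
    }
}

# Dry run first; rerun without -WhatIf to actually remove the assignments.
Remove-GroupRoleAssignments -GroupDisplayName 'Contoso_Helpdesk_Administrators' -WhatIf
```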

Using Microsoft Graph API

Create a group that can be assigned an Azure AD role

POST https://microsoftgraph.chinacloudapi.cn/beta/groups

{
    "description": "This group is assigned to Helpdesk Administrator built-in role of Azure AD",
    "displayName": "Contoso_Helpdesk_Administrators",
    "groupTypes": [
        "Unified"
    ],
    "mailEnabled": true,
    "securityEnabled": true,
    "mailNickname": "contosohelpdeskadministrators",
    "isAssignableToRole": true
}

Get the role definition

GET https://microsoftgraph.chinacloudapi.cn/beta/roleManagement/directory/roleDefinitions?$filter=displayName eq 'Helpdesk Administrator'

Create the role assignment

POST https://microsoftgraph.chinacloudapi.cn/beta/roleManagement/directory/roleAssignments
{
    "principalId": "<Object Id of Group>",
    "roleDefinitionId": "<Id of role definition>",
    "directoryScopeId": "/"
}

Delete the role assignment

DELETE https://microsoftgraph.chinacloudapi.cn/beta/roleManagement/directory/roleAssignments/<Id of role assignment>

Next steps