View custom role assignments in Azure Active Directory

This article describes how to view custom roles you have assigned in Azure Active Directory (Azure AD). In Azure AD, roles can be assigned at an organization-wide scope or with a single-application scope.

  • Role assignments at the organization-wide scope are added to and can be seen in the list of single application role assignments.
  • Role assignments at the single application scope aren't added to and can't be seen in the list of organization-wide scoped assignments.

View role assignments in the Azure portal

This procedure describes viewing assignments of a role with organization-wide scope.

  1. Sign in to the Azure portal with Privileged role administrator or Global administrator permissions in the Azure AD organization.

  2. Select Azure Active Directory, select Roles and administrators, and then select a role to open it and view its properties.

  3. Select Assignments to view the assignments for the role.

    Screenshot: View role assignments and permissions when you open a role from the list

View role assignments using Azure AD PowerShell

This section describes viewing assignments of a role with organization-wide scope. This article uses the Azure Active Directory PowerShell Version 2 module. To view single-application scope assignments using PowerShell, you can use the cmdlets in Assign custom roles with PowerShell.

Prepare PowerShell

First, you must download the Azure AD preview PowerShell module.

To install the Azure AD PowerShell module, use the following commands:

install-module azureadpreview
import-module azureadpreview

To verify that the module is ready to use, use the following command:

get-module azuread
  ModuleType Version      Name                         ExportedCommands
  ---------- ---------    ----                         ----------------
  Binary     2.0.0.115    azuread                      {Add-AzureADAdministrati...}

View the assignments of a role

Example of viewing the assignments of a role.

# Fetch list of all directory roles with object ID
Get-AzureADDirectoryRole

# Fetch a specific directory role by ID
$role = Get-AzureADDirectoryRole -ObjectId "5b3fe201-fa8b-4144-b6f1-875829ff7543"

# Fetch role membership for a role
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Get-AzureADUser

View role assignments using Microsoft Graph API

This section describes viewing assignments of a role with organization-wide scope. To view single-application scope assignments using Graph API, you can use the operations in Assign custom roles with Graph API.

HTTP request to get a role assignment for a given role definition.

GET

https://graph.chinacloudapi.cn/<tenantDomain-or-tenantId>/roleAssignments?api-version=1.61-internal&$filter=roleDefinitionId eq '<object-id-or-template-id-of-role-definition>'

Response

HTTP/1.1 200 OK
{
    "id":"CtRxNqwabEKgwaOCHr2CGJIiSDKQoTVJrLE9etXyrY0-1",
    "principalId":"ab2e1023-bddc-4038-9ac1-ad4843e7e539",
    "roleDefinitionId":"3671d40a-1aac-426c-a0c1-a3821ebd8218",
    "resourceScopes":["/"]
}
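
The visibility rule from the introduction, applied to assignment records shaped like the response above. This is an added example, not code from the original article or from Microsoft: the function name Get-ScopedAssignmentView and all IDs are constructed, and it assumes a single-application scope appears in resourceScopes as "/" followed by the app registration's object ID (the page itself shows only "/").

```powershell
# Constructed sample data in the shape of the response above; every ID is made up.
$sampleJson = @'
[
  { "id": "sample-1", "principalId": "11111111-1111-1111-1111-111111111111",
    "roleDefinitionId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "resourceScopes": ["/"] },
  { "id": "sample-2", "principalId": "22222222-2222-2222-2222-222222222222",
    "roleDefinitionId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
    "resourceScopes": ["/bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"] },
  { "id": "sample-3", "principalId": "33333333-3333-3333-3333-333333333333",
    "roleDefinitionId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
    "resourceScopes": ["/cccccccc-cccc-cccc-cccc-cccccccccccc"] }
]
'@

# Hypothetical helper: returns the assignments visible from one view.
# ViewScope '/' is the organization-wide list; '/<app-object-id>' (assumed form)
# is the list shown inside one app registration.
function Get-ScopedAssignmentView {
    param(
        [Parameter(Mandatory)] [object[]] $Assignments,
        [Parameter(Mandatory)] [string]   $ViewScope
    )
    foreach ($a in $Assignments) {
        $scopes  = @($a.resourceScopes)
        $orgWide = $scopes -contains '/'
        # Organization-wide assignments appear in every view; app-scoped ones
        # appear only in the view of the app they are scoped to.
        if ($orgWide -or ($scopes -contains $ViewScope)) {
            [pscustomobject]@{
                PrincipalId      = $a.principalId
                RoleDefinitionId = $a.roleDefinitionId
                Scope            = $scopes -join ','
                Inherited        = ($orgWide -and ($ViewScope -ne '/'))
            }
        }
    }
}

$assignments = $sampleJson | ConvertFrom-Json
$appScope    = '/bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb'

'Organization-wide view (app-scoped assignments are absent):'
Get-ScopedAssignmentView -Assignments $assignments -ViewScope '/' | Format-Table -AutoSize

"View from app registration ${appScope}:"
Get-ScopedAssignmentView -Assignments $assignments -ViewScope $appScope | Format-Table -AutoSize
```

With the sample data, the organization-wide view lists one assignment and the app registration view lists two, so a review that reads only the organization-wide list does not see the two app-scoped principals.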

View assignments of single-application scope

This section describes viewing assignments of a role with single-application scope. This feature is currently in public preview.

  1. Sign in to the Azure portal with Privileged role administrator or Global administrator permissions in the Azure AD organization.

  2. Select App registrations, and then select the app registration to view its properties. You might have to select All applications to see the complete list of app registrations in your Azure AD organization.

    Screenshot: Create or edit app registrations from the App registrations page

  3. In the app registration, select Roles and administrators, and then select a role to view its properties.

    Screenshot: View app registration role assignments from the App registrations page

  4. Select Assignments to view the assignments for the role. Opening the assignments view from within the app registration shows you the assignments that are scoped to this Azure AD resource.

    Screenshot: View app registration role assignments from the properties of an app registration

Next steps