Configure and approve just-in-time access for Azure Managed Applications

As a consumer of a managed application, you might not be comfortable giving the publisher permanent access to the managed resource group. To give you greater control over granting access to managed resources, Azure Managed Applications provides a feature called just-in-time (JIT) access, which is currently in preview. It lets you approve when, and for how long, the publisher has access to the resource group. The publisher can make the required updates during that window; when it ends, the publisher's access expires.

The workflow for granting access is:

  1. The publisher adds a managed application to the marketplace and specifies that JIT access is available.

  2. During deployment, you enable JIT access for your instance of the managed application.

  3. After deployment, you can change the settings for JIT access.

  4. The publisher sends a request for access.

  5. You approve the request.

This article focuses on the actions consumers take to enable JIT access and approve requests. To learn about publishing a managed application with JIT access, see Request just-in-time access in Azure Managed Applications.

Note

To use just-in-time access, you must have an Azure Active Directory P2 license.

Enable during deployment

  1. Sign in to the Azure portal.

  2. Find a marketplace entry for a managed application with JIT enabled. Select Create.

  3. While providing values for the new managed application, the JIT Configuration step lets you enable or disable JIT access for the managed application. Select Yes for Enable JIT Access. This option is selected by default for managed applications that were defined with JIT enabled in the marketplace.

    [Screenshot: Configure access]

    You can only enable JIT access during deployment. If you select No, the publisher gets permanent access to the managed resource group, and you can't enable JIT access later.

  4. To change the default approval settings, select Customize JIT Configuration.

    [Screenshot: Customize access]

    By default, a managed application with JIT enabled has the following settings:

    • Approval mode - automatic
    • Maximum access duration - 8 hours
    • Approvers - none

    When the approval mode is set to automatic, the approvers receive a notification for each request, but the request is approved without anyone acting on it. When set to manual, the approvers receive a notification for each request, and one of them must approve it before the publisher gets access. If you want a human decision on every request, select manual and add at least one approver; with the defaults (automatic, no approvers) a request is granted and nobody is notified.

    The maximum access duration specifies the longest period a publisher can request access to the managed resource group for.

    The approvers list is the set of Azure Active Directory users that can approve JIT access requests. To add an approver, select Add Approver and search for the user.

    After updating the settings, select Save.

Update after deployment

You can change the values for how requests are approved. However, if you didn't enable JIT access during deployment, you can't enable it later.

To change the settings for a deployed managed application:

  1. In the portal, select the managed application.

  2. Select JIT Configuration and change the settings as needed.

    [Screenshot: Change access settings]

  3. When done, select Save.
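The portal shows one application's JIT settings at a time, so a consumer with many deployed managed applications has no quick way to see which ones still run with the defaults listed above (automatic approval, no approvers, 8 hours). The following script is an added example, not part of this article or of any Microsoft tooling: it audits the JIT policy of each application and flags the settings a practitioner would want to change through the JIT Configuration blade described above. The input is a constructed JSON list shaped like the output of `az managedapp list -o json`; the `jitAccessPolicy` field names (`jitAccessEnabled`, `jitApprovalMode` with values `AutoApprove`/`ManualApprove`, `maximumJitAccessDuration` as an ISO 8601 duration, `jitApprovers`) are an assumption based on the Microsoft.Solutions/applications resource schema and should be verified against your own CLI output before use.

```python
import json
import re
from datetime import timedelta

# Constructed sample input, shaped like `az managedapp list -o json`.
# The jitAccessPolicy field names are an ASSUMPTION (see lead-in); check them
# against real output before pointing this script at a subscription.
SAMPLE_APPS_JSON = """
[
  {
    "name": "contoso-app-prod",
    "managedResourceGroupId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mrg-contoso-prod",
    "jitAccessPolicy": {
      "jitAccessEnabled": true,
      "jitApprovalMode": "AutoApprove",
      "maximumJitAccessDuration": "PT8H",
      "jitApprovers": []
    }
  },
  {
    "name": "contoso-app-hardened",
    "managedResourceGroupId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mrg-contoso-hardened",
    "jitAccessPolicy": {
      "jitAccessEnabled": true,
      "jitApprovalMode": "ManualApprove",
      "maximumJitAccessDuration": "PT2H",
      "jitApprovers": [
        {"id": "11111111-1111-1111-1111-111111111111", "type": "user", "displayName": "Ops Approver"}
      ]
    }
  },
  {
    "name": "legacy-app",
    "managedResourceGroupId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mrg-legacy",
    "jitAccessPolicy": null
  }
]
"""

# Subset of ISO 8601 durations: days plus an optional time part (PT8H, PT30M, P1DT2H).
_ISO_DURATION = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def parse_iso_duration(text: str) -> timedelta:
    """Convert a maximumJitAccessDuration value such as 'PT8H' into a timedelta."""
    m = _ISO_DURATION.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported duration: {text!r}")
    parts = {k: int(v) for k, v in m.groupdict().items() if v}
    return timedelta(days=parts.get("d", 0), hours=parts.get("h", 0),
                     minutes=parts.get("m", 0), seconds=parts.get("s", 0))


def audit_jit_policy(app: dict, max_duration: timedelta = timedelta(hours=4)) -> list[str]:
    """Return the findings for one managed application; an empty list means the policy is acceptable."""
    findings = []
    policy = app.get("jitAccessPolicy")
    if not policy or not policy.get("jitAccessEnabled"):
        # JIT can only be enabled at deployment time, so this cannot be fixed in place:
        # the publisher has permanent access to the managed resource group.
        return ["JIT access disabled: publisher has permanent access to the managed resource group"]
    if policy.get("jitApprovalMode") != "ManualApprove":
        findings.append("approval mode is automatic: requests are granted without a human decision")
    if not policy.get("jitApprovers"):
        findings.append("no approvers configured: nobody is notified of access requests")
    # Missing value is treated as the article's documented default of 8 hours.
    duration = parse_iso_duration(policy.get("maximumJitAccessDuration", "PT8H"))
    if duration > max_duration:
        findings.append(f"maximum access duration {duration} exceeds the allowed {max_duration}")
    return findings


def audit_all(apps_json: str, max_duration: timedelta = timedelta(hours=4)) -> dict[str, list[str]]:
    """Audit every application in a JSON list and map application name to its findings."""
    return {app["name"]: audit_jit_policy(app, max_duration) for app in json.loads(apps_json)}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_APPS_JSON).items():
        print(f"{'OK' if not findings else 'REVIEW':6} {name}")
        for finding in findings:
            print(f"       - {finding}")
```

Replace `SAMPLE_APPS_JSON` with the real `az managedapp list -o json` output and set `max_duration` to the longest window your change process tolerates. Anything flagged with automatic approval or no approvers can be corrected through the JIT Configuration blade; an application flagged as JIT-disabled has to be redeployed, since the article notes JIT access cannot be turned on afterwards.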

Approve requests

When the publisher requests access, you're notified of the request. You can approve JIT access requests either directly through the managed application, or across all managed applications through the Azure AD Privileged Identity Management service. To use just-in-time access, you must have an Azure Active Directory P2 license.

To approve requests through the managed application:

  1. Select JIT Access for the managed application, and select Approve Requests.

    [Screenshot: Approve requests]

  2. Select the request to approve.

    [Screenshot: Select request]

  3. In the form, provide the reason for the approval and select Approve.

To approve requests through Azure AD Privileged Identity Management:

  1. Select All services and begin searching for Azure AD Privileged Identity Management. Select it from the available options.

    [Screenshot: Search for the service]

  2. Select Approve requests.

    [Screenshot: Select Approve requests]

  3. Select Azure managed applications, and select the request to approve.

    [Screenshot: Select request]

Next steps

To learn about publishing a managed application with JIT access, see Request just-in-time access in Azure Managed Applications.