Create resources at the tenant level

As your organization matures, you may need to define and assign policies or Azure role-based access control (Azure RBAC) across your Azure AD tenant. With tenant level templates, you can declaratively apply policies and assign roles at a global level.

Supported resources

Not all resource types can be deployed to the tenant level. This section lists which resource types are supported.

For Azure Policies, use:

  • policyAssignments
  • policyDefinitions
  • policySetDefinitions

For role-based access control, use:

  • roleAssignments

For nested templates that deploy to management groups, subscriptions, or resource groups, use:

  • deployments

For creating management groups, use:

  • managementGroups

For managing costs, use:

  • billingProfiles
  • instructions
  • invoiceSections

Schema

The schema you use for tenant deployments is different from the schema for resource group deployments.

For templates, use:

https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#

The schema for a parameter file is the same for all deployment scopes. For parameter files, use:

https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#

Required access

The principal deploying the template must have permissions to create resources at the tenant scope. The principal must have permission to execute the deployment actions (Microsoft.Resources/deployments/*) and to create the resources defined in the template. For example, to create a management group, the principal must have Contributor permission at the tenant scope. To create role assignments, the principal must have Owner permission.

The Global Administrator for the Azure Active Directory doesn't automatically have permission to assign roles. To enable template deployments at the tenant scope, the Global Administrator must do the following steps:

  1. Elevate account access so the Global Administrator can assign roles. For more information, see Elevate access to manage all Azure subscriptions and management groups.

  2. Assign Owner or Contributor to the principal that needs to deploy the templates.

    New-AzRoleAssignment -SignInName "[userId]" -Scope "/" -RoleDefinitionName "Owner"
    
    az role assignment create --assignee "[userId]" --scope "/" --role "Owner"
    

The principal now has the required permissions to deploy the template.
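Because the steps above leave Owner, Contributor or (after elevation) User Access Administrator assignments at the root scope "/", it is worth listing what is held there once the deployment is done. The following script is an added example, not code from the Azure documentation: it reads the JSON that `az role assignment list --scope "/" --output json` returns and reports every privileged assignment held directly at "/". The payload embedded below is constructed; the field names it uses (scope, roleDefinitionName, principalName, principalType) are the ones the Azure CLI emits.

```python
"""Audit role assignments held directly at the tenant root scope ("/").

Added example, not part of the Azure documentation. Input is the JSON from
`az role assignment list --scope "/" --output json`; the sample below is
constructed and the identities in it are not real.
"""
import json

# Constructed sample output of `az role assignment list --scope "/"`.
SAMPLE_OUTPUT = json.dumps([
    {"scope": "/", "roleDefinitionName": "Owner",
     "principalName": "deploy-bot@contoso.example", "principalType": "User"},
    {"scope": "/", "roleDefinitionName": "User Access Administrator",
     "principalName": "globaladmin@contoso.example", "principalType": "User"},
    {"scope": "/providers/Microsoft.Management/managementGroups/mg-prod",
     "roleDefinitionName": "Contributor",
     "principalName": "platform-sp", "principalType": "ServicePrincipal"},
    {"scope": "/", "roleDefinitionName": "Reader",
     "principalName": "auditor@contoso.example", "principalType": "User"},
])

# Owner and Contributor are the roles the document says a deploying principal
# needs; User Access Administrator is what elevating the Global Administrator's
# access grants at "/".
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def root_scope_privileged(assignments_json: str) -> list[dict]:
    """Return privileged assignments whose scope is exactly the root "/".

    Assignments at a management group or subscription are inherited from
    nothing above them, so only the literal "/" scope is reported here.
    """
    assignments = json.loads(assignments_json)
    return [
        a for a in assignments
        if a.get("scope") == "/" and a.get("roleDefinitionName") in PRIVILEGED_ROLES
    ]


def summarize(assignments_json: str) -> dict[str, list[str]]:
    """Map each privileged root-scope role to the principals that hold it."""
    summary: dict[str, list[str]] = {}
    for a in root_scope_privileged(assignments_json):
        summary.setdefault(a["roleDefinitionName"], []).append(a["principalName"])
    return summary


if __name__ == "__main__":
    for role, principals in summarize(SAMPLE_OUTPUT).items():
        print(f"{role} at '/': {', '.join(principals)}")
```

Feed it the real CLI output with `python audit_root.py < assignments.json` after replacing `SAMPLE_OUTPUT` with `sys.stdin.read()`; the Contributor assignment on the management group is deliberately not reported, since the check is about the root scope only.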

Deployment commands

The commands for tenant deployments are different from the commands for resource group deployments.

For Azure CLI, use az deployment tenant create:

az deployment tenant create \
  --name demoTenantDeployment \
  --location ChinaNorth \
  --template-uri "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/tenant-deployments/new-mg/azuredeploy.json"

For Azure PowerShell, use New-AzTenantDeployment:

New-AzTenantDeployment `
  -Name demoTenantDeployment `
  -Location "China North" `
  -TemplateUri "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/tenant-deployments/new-mg/azuredeploy.json"

For REST API, use Deployments - Create Or Update At Tenant Scope.

Deployment location and name

For tenant level deployments, you must provide a location for the deployment. The location of the deployment is separate from the location of the resources you deploy. The deployment location specifies where to store deployment data.

You can provide a name for the deployment, or use the default deployment name. The default name is the name of the template file. For example, deploying a template named azuredeploy.json creates a default deployment name of azuredeploy.

For each deployment name, the location is immutable. You can't create a deployment in one location when there's an existing deployment with the same name in a different location. If you get the error code InvalidDeploymentLocation, either use a different name or the same location as the previous deployment for that name.
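The name and location rules above can be checked before a pipeline calls the deployment command. The following is an added example, not code from the Azure documentation: it derives the default deployment name from the template file name and applies the rule that a name's location is immutable. The list of existing tenant deployments is constructed, and the assumption that region names compare case- and space-insensitively (so that "China North" and "chinanorth" are the same region, as the CLI and PowerShell commands on this page suggest) is mine.

```python
"""Pre-flight check for the tenant deployment name/location rule.

Added example, not from the Azure documentation. The existing-deployment
table is constructed and stands in for a listing of deployments at "/".
"""
import os

# Constructed: deployment name -> location of deployments that already exist at "/".
EXISTING_TENANT_DEPLOYMENTS = {
    "azuredeploy": "chinanorth",
    "demoTenantDeployment": "chinanorth",
}


def default_deployment_name(template_path: str) -> str:
    """azuredeploy.json -> azuredeploy, whatever directory the file is in."""
    return os.path.splitext(os.path.basename(template_path))[0]


def _normalize_region(region: str) -> str:
    # Assumption: display names ("China North") and short names ("chinanorth")
    # refer to the same region, so compare without spaces or case.
    return region.replace(" ", "").lower()


def check_location(name: str, location: str, existing: dict[str, str]) -> tuple[bool, str]:
    """Return (ok, message) for deploying `name` in `location`.

    A name that already exists in a different location would fail with
    InvalidDeploymentLocation, so the check reports that before deploying.
    """
    prior = existing.get(name)
    if prior is None or _normalize_region(prior) == _normalize_region(location):
        return True, f"{name}: ok to deploy in {location}"
    return False, (f"InvalidDeploymentLocation: '{name}' already exists in {prior}; "
                   f"use a different name or deploy to {prior}")


if __name__ == "__main__":
    name = default_deployment_name("templates/azuredeploy.json")
    print(check_location(name, "China North", EXISTING_TENANT_DEPLOYMENTS)[1])
    print(check_location("demoTenantDeployment", "chinaeast", EXISTING_TENANT_DEPLOYMENTS)[1])
```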

Deployment scopes

When deploying to a tenant, you can target the tenant or management groups, subscriptions and resource groups in the tenant. The user deploying the template must have access to the specified scope.

Resources defined within the resources section of the template are applied to the tenant.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        tenant-level-resources
    ],
    "outputs": {}
}

To target a management group within the tenant, add a nested deployment and specify the scope property.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "mgName": {
            "type": "string"
        }
    },
    "variables": {
        "mgId": "[concat('Microsoft.Management/managementGroups/', parameters('mgName'))]"
    },
    "resources": [
        {
            "type": "Microsoft.Resources/deployments",
            "apiVersion": "2020-06-01",
            "name": "nestedMG",
            "scope": "[variables('mgId')]",
            "location": "chinaeast",
            "properties": {
                "mode": "Incremental",
                "template": {
                    nested-template
                }
            }
        }
    ],
    "outputs": {}
}

Use template functions

For tenant deployments, there are some important considerations when using template functions:

  • The resourceGroup() function is not supported.

  • The subscription() function is not supported.

  • The reference() and list() functions are supported.

  • Use the tenantResourceId() function to get the resource ID for resources that are deployed at tenant level.

    For example, to get the resource ID for a policy definition, use:

    tenantResourceId('Microsoft.Authorization/policyDefinitions/', parameters('policyDefinition'))


    The returned resource ID has the following format:

    /providers/{resourceProviderNamespace}/{resourceType}/{resourceName}


Create management group

The following template creates a management group.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "mgName": {
      "type": "string",
      "defaultValue": "[concat('mg-', uniqueString(newGuid()))]"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Management/managementGroups",
      "apiVersion": "2019-11-01",
      "name": "[parameters('mgName')]",
      "properties": {
      }
    }
  ]
}

Assign role

The following template assigns a role at the tenant scope.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "principalId": {
      "type": "string",
      "metadata": {
        "description": "principalId of the user or service principal that will be given the role at the tenant scope"
      }
    },
    "roleDefinitionId": {
      "type": "string",
      "defaultValue": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
      "metadata": {
        "description": "roleDefinition for the assignment - default is owner"
      }
    }
  },
  "variables": {
    // This creates an idempotent guid for the role assignment
    "roleAssignmentName": "[guid('/', parameters('principalId'), parameters('roleDefinitionId'))]"
  },
  "resources": [
    {
      "name": "[variables('roleAssignmentName')]",
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2019-04-01-preview",
      "properties": {
        "roleDefinitionId": "[tenantResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]",
        "principalId": "[parameters('principalId')]",
        "scope": "/"
      }
    }
  ]
}
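A role assignment at scope "/" with the Owner definition ID is the most powerful thing a tenant template can create, and a nested deployment that omits its scope property lands at the tenant rather than the management group the author intended. The following script is an added example, not code from the Azure documentation, and checks a template against the rules stated in the Deployment scopes, Use template functions and Assign role sections: the template must declare the tenant deployment schema, resourceGroup() and subscription() must not appear, each Microsoft.Resources/deployments resource should carry a scope, and root-scope role assignments are reported for review. tenant_resource_id() builds the ID format the document gives for tenantResourceId(). The template it runs on is a constructed sample; PRINCIPAL_ID_PLACEHOLDER stands in for a real object ID.

```python
"""Static checks for a tenant-scope ARM template before it is deployed.

Added example, not part of the Azure documentation. The rules implemented
are the ones stated on this page; the sample template is constructed.
"""
import json
import re

TENANT_SCHEMA = "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#"
# Built-in Owner role definition ID, as used by the document's Assign role template.
OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
# Functions the document lists as unsupported in tenant deployments.
UNSUPPORTED_FUNCS = re.compile(r"\b(resourceGroup|subscription)\s*\(", re.IGNORECASE)

# Constructed sample: a root-scope Owner assignment plus a nested deployment
# that forgot its scope property and uses resourceGroup() in its inner template.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": TENANT_SCHEMA,
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Authorization/roleAssignments",
            "apiVersion": "2019-04-01-preview",
            "name": "[guid('/', 'PRINCIPAL_ID_PLACEHOLDER', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
            "properties": {
                "roleDefinitionId": "[tenantResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
                "principalId": "PRINCIPAL_ID_PLACEHOLDER",
                "scope": "/",
            },
        },
        {
            "type": "Microsoft.Resources/deployments",
            "apiVersion": "2020-06-01",
            "name": "nestedMG",
            "location": "chinaeast",
            "properties": {
                "mode": "Incremental",
                "template": {"resources": [{"name": "[resourceGroup().location]"}]},
            },
        },
    ],
})


def tenant_resource_id(resource_type: str, name: str) -> str:
    """Build /providers/{resourceProviderNamespace}/{resourceType}/{resourceName},
    the format the document gives for tenantResourceId(). A trailing slash on
    the type, as in the document's policyDefinitions example, is tolerated."""
    return f"/providers/{resource_type.strip('/')}/{name}"


def lint_tenant_template(template_json: str) -> list[str]:
    """Return a list of findings; an empty list means the template passed."""
    tpl = json.loads(template_json)
    findings: list[str] = []
    if tpl.get("$schema") != TENANT_SCHEMA:
        findings.append("schema: not the tenant deployment schema")
    # Scan the raw text so functions inside nested templates are caught too.
    for func in sorted({m.group(1) for m in UNSUPPORTED_FUNCS.finditer(template_json)}):
        findings.append(f"function: {func}() is not supported in tenant deployments")
    for res in tpl.get("resources", []):
        rtype, name = res.get("type", ""), res.get("name", "?")
        props = res.get("properties", {})
        if rtype == "Microsoft.Resources/deployments" and "scope" not in res:
            findings.append(f"deployment {name}: no scope property, nested template applies to the tenant")
        if rtype == "Microsoft.Authorization/roleAssignments" and props.get("scope") == "/":
            role = "Owner" if OWNER_ROLE_ID in props.get("roleDefinitionId", "") else "other"
            findings.append(f"roleAssignment {name}: {role} role granted at root scope '/'; "
                            f"review principal {props.get('principalId')}")
    return findings


if __name__ == "__main__":
    for finding in lint_tenant_template(SAMPLE_TEMPLATE):
        print(finding)
```

Running it on the sample prints three findings: the unsupported resourceGroup() call, the nested deployment without a scope, and the Owner assignment at "/". A template that passes returns an empty list, which makes the function easy to gate a pipeline on.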

Next steps