Quickstart: Create a management group with JavaScript

Management groups are containers that help you manage access, policy, and compliance across multiple subscriptions. Create these containers to build an effective and efficient hierarchy that can be used with Azure Policy and Azure Role Based Access Controls. For more information on management groups, see Organize your resources with Azure management groups.

The first management group created in the directory could take up to 15 minutes to complete. Processes run the first time to set up the management groups service within Azure for your directory. You receive a notification when the process is complete. For more information, see initial setup of management groups.

Prerequisites

  • If you don't have an Azure subscription, create a trial subscription account before you begin.

  • Before you start, make sure that at least version 12 of Node.js is installed.

  • If hierarchy protection isn't enabled, any Azure AD user in the tenant can create a management group, even without the management group write permission assigned to that user. This new management group becomes a child of the Root Management Group or the default management group, and the creator is given an "Owner" role assignment. The management group service allows this ability so that role assignments aren't needed at the root level. No users have access to the Root Management Group when it's created. To avoid the hurdle of finding the Azure AD Global Admins to start using management groups, we allow the creation of the initial management groups at the root level.

Application setup

To enable JavaScript to manage management groups, the environment must be set up. This setup works wherever JavaScript can be used, including bash on Windows 10.

  1. Set up a new Node.js project by running the following command.

    npm init -y
    
  2. Add a reference to the yargs module.

    npm install yargs
    
  3. Add a reference to the Azure management groups module.

    npm install @azure/arm-managementgroups
    
  4. Add a reference to the Azure authentication library.

    npm install @azure/ms-rest-nodeauth
    

    Note

    Verify in package.json that @azure/arm-managementgroups is version 1.1.0 or higher and @azure/ms-rest-nodeauth is version 3.0.5 or higher.
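One way to automate the version check in the note above, as an added example that is not part of the original quickstart. The function names and the two sample manifests are constructed for illustration; the check looks at the lower bound declared in package.json, not at the version actually installed.

```javascript
// Minimum versions stated in the note above.
const MINIMUMS = {
  "@azure/arm-managementgroups": "1.1.0",
  "@azure/ms-rest-nodeauth": "3.0.5",
};

// Parse "1.2.3", optionally prefixed by ^, ~, >=, = or v, into [1, 2, 3].
// Tags ("latest"), URLs, wildcards and pre-release strings return null.
function parseVersion(spec) {
  const m = /^(?:\^|~|>=|=|v)?\s*(\d+)\.(\d+)\.(\d+)$/.exec(String(spec).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when the version triple `found` is greater than or equal to `min`.
function atLeast(found, min) {
  for (let i = 0; i < 3; i++) {
    if (found[i] !== min[i]) return found[i] > min[i];
  }
  return true;
}

// Returns a list of problems; an empty list means the manifest passes.
function checkManifest(pkg, minimums = MINIMUMS) {
  const deps = pkg.dependencies || {};
  const problems = [];
  for (const [name, min] of Object.entries(minimums)) {
    const spec = deps[name];
    const found = spec === undefined ? null : parseVersion(spec);
    if (spec === undefined) {
      problems.push(`${name}: not listed in dependencies`);
    } else if (!found) {
      problems.push(`${name}: cannot evaluate "${spec}"`);
    } else if (!atLeast(found, parseVersion(min))) {
      problems.push(`${name}: ${spec} is below ${min}`);
    }
  }
  return problems;
}

// Constructed sample manifests (not from a real project).
const goodManifest = { dependencies: {
  "@azure/arm-managementgroups": "^1.1.0", "@azure/ms-rest-nodeauth": "^3.0.5" } };
const badManifest = { dependencies: {
  "@azure/arm-managementgroups": "^1.0.2", "@azure/ms-rest-nodeauth": "latest" } };

console.log(checkManifest(goodManifest));
console.log(checkManifest(badManifest));
```

To run it against a real project, pass `require("./package.json")` to `checkManifest` and fail the build when the returned list is not empty.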

Create the management group

  1. Create a new file named index.js and enter the following code.

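    const argv = require("yargs").argv;
    const authenticator = require("@azure/ms-rest-nodeauth");
    const managementGroups = require("@azure/arm-managementgroups");
    
    if (argv.groupID && argv.displayName) {
       const createMG = async () => {
          // Sign in interactively to obtain credentials for the API client.
          const credentials = await authenticator.interactiveLogin();
          const client = new managementGroups.ManagementGroupsAPI(credentials);
          // First argument is the management group ID; second is the request body.
          const result = await client.managementGroups.createOrUpdate(
             argv.groupID,
             {
                 displayName: argv.displayName
             }
          );
          console.log(result);
       };
    
       // Report a failed sign-in or API call instead of leaving the rejection unhandled.
       createMG().catch((err) => {
          console.error(err);
          process.exitCode = 1;
       });
    }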
    
  2. Enter the following command in the terminal:

    node index.js --groupID "<NEW_MG_GROUP_ID>" --displayName "<NEW_MG_FRIENDLY_NAME>"
    

    Make sure to replace each <> token placeholder with your management group ID and management group friendly name, respectively.

    As the script attempts to authenticate, a message similar to the following is displayed in the terminal:

    Note

    To sign in, use a web browser to open the page https://microsoft.com/deviceloginchina and enter the code FGB56WJUGK to authenticate.

    Once you authenticate in the browser, the script continues to run.

The result of creating the management group is output to the console.

Clean up resources

If you wish to remove the installed libraries from your application, run the following command.

    npm uninstall @azure/arm-managementgroups @azure/ms-rest-nodeauth yargs

Next steps

In this quickstart, you created a management group to organize your resource hierarchy. The management group can hold subscriptions or other management groups.

To learn more about management groups and how to manage your resource hierarchy, continue to: