How to protect your resource hierarchy

Your resources, resource groups, subscriptions, management groups, and tenant collectively make up your resource hierarchy. Settings at the root management group, such as Azure custom roles or Azure Policy policy assignments, can impact every resource in your resource hierarchy. It's important to protect the resource hierarchy from changes that could negatively impact all resources.

Management groups now have hierarchy settings that enable the tenant administrator to control these behaviors. This article covers each of the available hierarchy settings and how to set them.

Azure RBAC permissions for hierarchy settings

Configuring any of the hierarchy settings requires the following two resource provider operations on the root management group:

  • Microsoft.Management/managementgroups/settings/write
  • Microsoft.Management/managementgroups/settings/read

These operations only allow a user to read and update the hierarchy settings. The operations don't provide any other access to the management group hierarchy or resources in the hierarchy. Both of these operations are available in the Azure built-in role Hierarchy Settings Administrator.

Setting - Default management group

By default, a new subscription added within a tenant is added as a member of the root management group. If policy assignments, Azure role-based access control (Azure RBAC), and other governance constructs are assigned to the root management group, they immediately affect these new subscriptions. For this reason, many organizations don't apply these constructs at the root management group even though that is the desired place to assign them. In other cases, a more restrictive set of controls is desired for new subscriptions, but shouldn't be assigned to all subscriptions. This setting supports both use cases.

By allowing the default management group for new subscriptions to be defined, organization-wide governance constructs can be applied at the root management group, and a separate management group with policy assignments or Azure role assignments more suited to a new subscription can be defined.

Set default management group in portal

To configure this setting in Azure portal, follow these steps:

  1. Use the search bar to search for and select 'Management groups'.

  2. On the root management group, select details next to the name of the management group.

  3. Under Settings, select Hierarchy settings.

  4. Select the Change default management group button.

    Note

    If the Change default management group button is disabled, either the management group being viewed isn't the root management group or your security principal doesn't have the necessary permissions to alter the hierarchy settings.

  5. Select a management group from your hierarchy and use the Select button.

Set default management group with REST API

To configure this setting with REST API, the Hierarchy Settings endpoint is called. To do so, use the following REST API URI and body format. Replace {rootMgID} with the ID of your root management group and {defaultGroupID} with the ID of the management group to become the default management group:

  • REST API URI

    PUT https://management.chinacloudapi.cn/providers/Microsoft.Management/managementGroups/{rootMgID}/settings/default?api-version=2020-02-01
    
  • Request Body

    {
        "properties": {
            "defaultManagementGroup": "/providers/Microsoft.Management/managementGroups/{defaultGroupID}"
        }
    }
    

To set the default management group back to the root management group, use the same endpoint and set defaultManagementGroup to a value of /providers/Microsoft.Management/managementGroups/{rootMgID}.

Setting - Require authorization

Any user, by default, can create new management groups within a tenant. Admins of a tenant may wish to only provide these permissions to specific users to maintain consistency and conformity in the management group hierarchy. If enabled, a user requires the Microsoft.Management/managementGroups/write operation on the root management group to create new child management groups.

Set require authorization in portal

To configure this setting in Azure portal, follow these steps:

  1. Use the search bar to search for and select 'Management groups'.

  2. On the root management group, select details next to the name of the management group.

  3. Under Settings, select Hierarchy settings.

  4. Toggle the 'Require permissions for creating new management groups.' option to on.

    Note

    If the 'Require permissions for creating new management groups.' toggle is disabled, either the management group being viewed isn't the root management group or your security principal doesn't have the necessary permissions to alter the hierarchy settings.

Set require authorization with REST API

To configure this setting with REST API, the Hierarchy Settings endpoint is called. To do so, use the following REST API URI and body format. This value is a boolean, so provide either true or false for the value. A value of true enables this method of protecting your management group hierarchy:

  • REST API URI

    PUT https://management.chinacloudapi.cn/providers/Microsoft.Management/managementGroups/{rootMgID}/settings/default?api-version=2020-02-01
    
  • Request Body

    {
        "properties": {
            "requireAuthorizationForGroupCreation": true
        }
    }
    

To turn the setting back off, use the same endpoint and set requireAuthorizationForGroupCreation to a value of false.

Next steps

To learn more about management groups, see:
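Both settings above go to the same Hierarchy Settings endpoint, so the following added example (not code from this page or from Microsoft) builds that PUT request for either or both settings and audits a fetched settings document against a hardened baseline. It assumes you already hold a bearer token for the Resource Manager endpoint, that a GET of the same endpoint returns the same properties keys as the PUT body, and a conservative management group ID pattern used only to keep IDs out of the URL path unchecked.

```python
"""Added example: build and audit management group hierarchy settings."""
import json
import re

# Endpoint and api-version copied from the page (Azure China Resource Manager host).
ENDPOINT = ("https://management.chinacloudapi.cn/providers/Microsoft.Management/"
            "managementGroups/{rootMgID}/settings/default?api-version=2020-02-01")
# Assumption: conservative pattern so an ID can never inject path segments or query text.
MG_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.()-]{0,89}$")


def check_mg_id(mg_id: str) -> str:
    if not MG_ID_RE.match(mg_id):
        raise ValueError(f"invalid management group ID: {mg_id!r}")
    return mg_id


def mg_resource_id(mg_id: str) -> str:
    """Full resource ID in the form defaultManagementGroup expects."""
    return f"/providers/Microsoft.Management/managementGroups/{check_mg_id(mg_id)}"


def build_settings_request(root_mg_id, token, default_mg_id=None, require_authorization=None):
    """Return (url, headers, body) for the PUT; token is a bearer token obtained elsewhere."""
    props = {}
    if default_mg_id is not None:
        props["defaultManagementGroup"] = mg_resource_id(default_mg_id)
    if require_authorization is not None:
        props["requireAuthorizationForGroupCreation"] = bool(require_authorization)
    if not props:
        raise ValueError("no hierarchy setting supplied")
    url = ENDPOINT.replace("{rootMgID}", check_mg_id(root_mg_id))
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return url, headers, json.dumps({"properties": props})


def audit_settings(settings_doc, expected_default_mg_id, expect_require_auth=True):
    """Compare a GET of the endpoint with the baseline; return a list of drift findings."""
    props = settings_doc.get("properties", {})
    findings = []
    default_mg = props.get("defaultManagementGroup")
    if default_mg != mg_resource_id(expected_default_mg_id):
        # Unset means new subscriptions land under the root management group.
        findings.append("defaultManagementGroup drifted: new subscriptions land in "
                        f"{default_mg or 'the root management group'}")
    if bool(props.get("requireAuthorizationForGroupCreation", False)) != expect_require_auth:
        findings.append("requireAuthorizationForGroupCreation should be "
                        f"{str(expect_require_auth).lower()}")
    return findings
```

Run the audit on a schedule against a GET of the same endpoint so that a change to either setting surfaces as a finding rather than as surprise policy coverage on the next subscription.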