Understand Azure deny assignments

Similar to a role assignment, a deny assignment attaches a set of deny actions to a user, group, or service principal at a particular scope for the purpose of denying access. Deny assignments block users from performing specific Azure resource actions even if a role assignment grants them access.

This article describes how deny assignments are defined.

How deny assignments are created

Deny assignments are created and managed by Azure to protect resources. Azure Blueprints and Azure managed apps use deny assignments to protect system-managed resources. Azure Blueprints and Azure managed apps are the only way that deny assignments can be created. You can't directly create your own deny assignments.

Note

You can't directly create your own deny assignments.

Compare role assignments and deny assignments

Deny assignments follow a similar pattern as role assignments, but also have some differences.

| Capability | Role assignment | Deny assignment |
| --- | --- | --- |
| Grant access | ✔️ | |
| Deny access | | ✔️ |
| Can be directly created | ✔️ | |
| Apply at a scope | ✔️ | ✔️ |
| Exclude principals | | ✔️ |
| Prevent inheritance to child scopes | | ✔️ |
| Apply to classic subscription administrator assignments | | ✔️ |

Deny assignment properties

A deny assignment has the following properties:

| Property | Required | Type | Description |
| --- | --- | --- | --- |
| DenyAssignmentName | Yes | String | The display name of the deny assignment. Names must be unique for a given scope. |
| Description | No | String | The description of the deny assignment. |
| Permissions.Actions | At least one Actions or one DataActions | String[] | An array of strings that specify the management operations to which the deny assignment blocks access. |
| Permissions.NotActions | No | String[] | An array of strings that specify the management operations to exclude from the deny assignment. |
| Permissions.DataActions | At least one Actions or one DataActions | String[] | An array of strings that specify the data operations to which the deny assignment blocks access. |
| Permissions.NotDataActions | No | String[] | An array of strings that specify the data operations to exclude from the deny assignment. |
| Scope | No | String | A string that specifies the scope that the deny assignment applies to. |
| DoNotApplyToChildScopes | No | Boolean | Specifies whether the deny assignment applies to child scopes. Default value is false. |
| Principals[i].Id | Yes | String[] | An array of Azure AD principal object IDs (user, group, service principal, or managed identity) to which the deny assignment applies. Set to an empty GUID 00000000-0000-0000-0000-000000000000 to represent all principals. |
| Principals[i].Type | No | String[] | An array of object types represented by Principals[i].Id. Set to SystemDefined to represent all principals. |
| ExcludePrincipals[i].Id | No | String[] | An array of Azure AD principal object IDs (user, group, service principal, or managed identity) to which the deny assignment does not apply. |
| ExcludePrincipals[i].Type | No | String[] | An array of object types represented by ExcludePrincipals[i].Id. |
| IsSystemProtected | No | Boolean | Specifies whether this deny assignment was created by Azure and cannot be edited or deleted. Currently, all deny assignments are system protected. |

The All Principals principal

To support deny assignments, a system-defined principal named All Principals has been introduced. This principal represents all users, groups, service principals, and managed identities in an Azure AD directory. If the principal ID is a zero GUID 00000000-0000-0000-0000-000000000000 and the principal type is SystemDefined, the principal represents all principals. In Azure PowerShell output, All Principals looks like the following:

Principals              : {
                          DisplayName:  All Principals
                          ObjectType:   SystemDefined
                          ObjectId:     00000000-0000-0000-0000-000000000000
                          }

All Principals can be combined with ExcludePrincipals to deny all principals except some users. All Principals has the following constraints:

  • Can be used only in Principals and cannot be used in ExcludePrincipals.
  • Principals[i].Type must be set to SystemDefined.
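The property table and the All Principals constraints above together describe how a deny assignment is evaluated against a request: the request must fall within Scope (honouring DoNotApplyToChildScopes), the caller must be targeted by Principals without being listed in ExcludePrincipals, and the operation must match Actions or DataActions without being carved out by NotActions or NotDataActions. The following Python is an added example, not Microsoft code and not the actual Azure authorization engine; it models that evaluation so a reviewer can predict what a deny assignment will block. The wildcard handling (treating `*` in an action string as matching any run of characters, case-insensitively) and all GUIDs, names and resource IDs are constructed assumptions for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Zero GUID which, combined with type SystemDefined, stands for All Principals.
ALL_PRINCIPALS_ID = "00000000-0000-0000-0000-000000000000"


@dataclass
class Principal:
    id: str
    type: str  # e.g. "User", "Group", "ServicePrincipal", "SystemDefined"


@dataclass
class DenyAssignment:
    """Subset of the deny assignment properties described on this page."""
    name: str
    scope: str
    actions: list[str] = field(default_factory=list)
    not_actions: list[str] = field(default_factory=list)
    data_actions: list[str] = field(default_factory=list)
    not_data_actions: list[str] = field(default_factory=list)
    principals: list[Principal] = field(default_factory=list)
    exclude_principals: list[Principal] = field(default_factory=list)
    do_not_apply_to_child_scopes: bool = False

    def problems(self) -> list[str]:
        """Return the constraint violations stated in the property table and
        the All Principals section (empty list means the definition is valid)."""
        found = []
        if not self.actions and not self.data_actions:
            found.append("at least one of Actions or DataActions is required")
        if any(p.id == ALL_PRINCIPALS_ID for p in self.exclude_principals):
            found.append("All Principals cannot be used in ExcludePrincipals")
        if any(p.id == ALL_PRINCIPALS_ID and p.type != "SystemDefined"
               for p in self.principals):
            found.append("All Principals requires Principals[i].Type = SystemDefined")
        return found


def _any_match(patterns: list[str], operation: str) -> bool:
    # Assumption: '*' matches any run of characters; action names compare
    # case-insensitively. This is a simplification of Azure's matching.
    op = operation.lower()
    return any(fnmatchcase(op, pat.lower()) for pat in patterns)


def _in_scope(da: DenyAssignment, resource_id: str) -> bool:
    scope, rid = da.scope.rstrip("/").lower(), resource_id.rstrip("/").lower()
    if rid == scope:
        return True
    # DoNotApplyToChildScopes=true limits the assignment to the scope itself.
    return not da.do_not_apply_to_child_scopes and rid.startswith(scope + "/")


def _principal_targeted(da: DenyAssignment, principal_ids: set[str]) -> bool:
    # principal_ids = caller's object id plus the object ids of its groups.
    ids = {i.lower() for i in principal_ids}
    if any(p.id.lower() in ids for p in da.exclude_principals):
        return False  # ExcludePrincipals wins over Principals
    return any(
        (p.id == ALL_PRINCIPALS_ID and p.type == "SystemDefined") or p.id.lower() in ids
        for p in da.principals
    )


def is_denied(da: DenyAssignment, principal_ids: set[str], resource_id: str,
              operation: str, is_data_action: bool = False) -> bool:
    """True if this deny assignment blocks the operation, regardless of any
    role assignment that might otherwise grant it."""
    if not _in_scope(da, resource_id) or not _principal_targeted(da, principal_ids):
        return False
    denied = da.data_actions if is_data_action else da.actions
    carved_out = da.not_data_actions if is_data_action else da.not_actions
    return _any_match(denied, operation) and not _any_match(carved_out, operation)


# --- constructed sample data (placeholder GUIDs, not real tenants or users) ---
PROD_RG = "/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/prod-rg"
DEV_RG = "/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/dev-rg"
BREAK_GLASS_USER = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
ORDINARY_USER = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
BLOB_DELETE = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"


def example_assignment() -> DenyAssignment:
    """Deny every management write and blob deletes in prod-rg for everyone
    (All Principals) except one break-glass account; reads stay allowed."""
    return DenyAssignment(
        name="protect-prod-rg", scope=PROD_RG,
        actions=["*"], not_actions=["*/read"],
        data_actions=[BLOB_DELETE],
        principals=[Principal(ALL_PRINCIPALS_ID, "SystemDefined")],
        exclude_principals=[Principal(BREAK_GLASS_USER, "User")],
    )


def run_checks() -> dict[str, bool]:
    da = example_assignment()
    vm = PROD_RG + "/providers/Microsoft.Compute/virtualMachines/web01"
    blob = PROD_RG + "/providers/Microsoft.Storage/storageAccounts/prodlogs/blobServices/default/containers/audit/blobs/a.log"
    dev_vm = DEV_RG + "/providers/Microsoft.Compute/virtualMachines/dev01"
    rg_only = DenyAssignment(**{**da.__dict__, "do_not_apply_to_child_scopes": True})
    return {
        "user_delete_vm": is_denied(da, {ORDINARY_USER}, vm, "Microsoft.Compute/virtualMachines/delete"),
        "user_read_vm": is_denied(da, {ORDINARY_USER}, vm, "Microsoft.Compute/virtualMachines/read"),
        "break_glass_delete_vm": is_denied(da, {BREAK_GLASS_USER}, vm, "Microsoft.Compute/virtualMachines/delete"),
        "user_delete_dev_vm": is_denied(da, {ORDINARY_USER}, dev_vm, "Microsoft.Compute/virtualMachines/delete"),
        "user_delete_blob": is_denied(da, {ORDINARY_USER}, blob, BLOB_DELETE, is_data_action=True),
        "user_read_blob": is_denied(da, {ORDINARY_USER}, blob, BLOB_DELETE.replace("delete", "read"), is_data_action=True),
        "child_scope_when_not_inherited": is_denied(rg_only, {ORDINARY_USER}, vm, "Microsoft.Compute/virtualMachines/delete"),
    }


if __name__ == "__main__":
    for check, denied in run_checks().items():
        print(f"{check:32s} denied={denied}")
```

The useful defender's takeaways are visible in the results: NotActions carves reads out of a wildcard deny, ExcludePrincipals overrides All Principals for the break-glass account, DoNotApplyToChildScopes turns off the deny for resources inside the scope, and a management-plane `Actions` entry never blocks a data-plane operation, which needs its own `DataActions` entry.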

Next steps