Elevate access to manage all Azure subscriptions and management groups

As a Global Administrator in Azure Active Directory (Azure AD), you might not have access to all subscriptions and management groups in your directory. This article describes the ways that you can elevate your access to all subscriptions and management groups.

Note

For information about viewing or deleting personal data, see Azure Data Subject Requests for the GDPR. For more information about GDPR, see the GDPR section of the Service Trust portal.

Why would you need to elevate your access?

If you are a Global Administrator, there might be times when you want to do the following actions:

  • Regain access to an Azure subscription or management group when a user has lost access
  • Grant another user or yourself access to an Azure subscription or management group
  • See all Azure subscriptions or management groups in an organization
  • Allow an automation app (such as an invoicing or auditing app) to access all Azure subscriptions or management groups

How does elevated access work?

Azure AD and Azure resources are secured independently from one another. That is, Azure AD role assignments do not grant access to Azure resources, and Azure role assignments do not grant access to Azure AD. However, if you are a Global Administrator in Azure AD, you can assign yourself access to all Azure subscriptions and management groups in your directory. Use this capability if you don't have access to Azure subscription resources, such as virtual machines or storage accounts, and you want to use your Global Administrator privilege to gain access to those resources.

When you elevate your access, you are assigned the User Access Administrator role in Azure at root scope (/). This role lets you view all resources and assign access in any subscription or management group in the directory. User Access Administrator role assignments can be removed using Azure PowerShell, Azure CLI, or the REST API.

You should remove this elevated access as soon as you have made the changes you need to make at root scope.

Elevate access

Azure portal

Elevate access for a Global Administrator

Follow these steps to elevate access for a Global Administrator using the Azure portal.

  1. Sign in to the Azure portal as a Global Administrator.

    If you are using Azure AD Privileged Identity Management, activate your Global Administrator role assignment.

  2. Open Azure Active Directory.

  3. Under Manage, select Properties.

    (Screenshot: select Properties for Azure Active Directory)

  4. Under Access management for Azure resources, set the toggle to Yes.

    (Screenshot: Access management for Azure resources)

    When you set the toggle to Yes, you are assigned the User Access Administrator role in Azure RBAC at root scope (/). This grants you permission to assign roles in all Azure subscriptions and management groups associated with this Azure AD directory. This toggle is only available to users who are assigned the Global Administrator role in Azure AD.

    When you set the toggle to No, the User Access Administrator role in Azure RBAC is removed from your user account. You can no longer assign roles in all Azure subscriptions and management groups that are associated with this Azure AD directory. You can view and manage only the Azure subscriptions and management groups to which you have been granted access.

    Note

    If you're using Privileged Identity Management, deactivating your role assignment does not change the Access management for Azure resources toggle to No. To maintain least privileged access, we recommend that you set this toggle to No before you deactivate your role assignment.

  5. Click Save to save your setting.

    This setting is not a global property and applies only to the currently signed-in user. You can't elevate access for all members of the Global Administrator role.

  6. Sign out and sign back in to refresh your access.

    You should now have access to all subscriptions and management groups in your directory. When you view the Access control (IAM) pane, you'll notice that you have been assigned the User Access Administrator role at root scope.

    (Screenshot: subscription role assignments at root scope)

  7. Make the changes you need to make at elevated access.

    For information about assigning roles, see Add or remove Azure role assignments using the Azure portal. If you are using Privileged Identity Management, see Discover Azure resources to manage or Assign Azure resource roles.

  8. Perform the steps in the following section to remove your elevated access.

Remove elevated access

To remove the User Access Administrator role assignment at root scope (/), follow these steps.

  1. Sign in as the same user that was used to elevate access.

  2. In the navigation list, click Azure Active Directory and then click Properties.

  3. Set the Access management for Azure resources toggle back to No. Since this is a per-user setting, you must be signed in as the same user that was used to elevate access.

    If you try to remove the User Access Administrator role assignment on the Access control (IAM) pane, you'll see the following message. To remove the role assignment, you must set the toggle back to No or use Azure PowerShell, Azure CLI, or the REST API.

    (Screenshot: remove role assignment at root scope)

  4. Sign out as Global Administrator.

    If you are using Privileged Identity Management, deactivate your Global Administrator role assignment.

    Note

    If you're using Privileged Identity Management, deactivating your role assignment does not change the Access management for Azure resources toggle to No. To maintain least privileged access, we recommend that you set this toggle to No before you deactivate your role assignment.

Azure PowerShell

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

List role assignment at root scope (/)

To list the User Access Administrator role assignment for a user at root scope (/), use the Get-AzRoleAssignment command.

Get-AzRoleAssignment | where {$_.RoleDefinitionName -eq "User Access Administrator" `
  -and $_.SignInName -eq "<username@example.com>" -and $_.Scope -eq "/"}
RoleAssignmentId   : /providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111
Scope              : /
DisplayName        : username
SignInName         : username@example.com
RoleDefinitionName : User Access Administrator
RoleDefinitionId   : 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9
ObjectId           : 22222222-2222-2222-2222-222222222222
ObjectType         : User
CanDelegate        : False

Remove elevated access

To remove the User Access Administrator role assignment for yourself or another user at root scope (/), follow these steps.

  1. Sign in as a user that can remove elevated access. This can be the same user that was used to elevate access or another Global Administrator with elevated access at root scope.

  2. Use the Remove-AzRoleAssignment command to remove the User Access Administrator role assignment.

    Remove-AzRoleAssignment -SignInName <username@example.com> `
      -RoleDefinitionName "User Access Administrator" -Scope "/"
    

Azure CLI

Elevate access for a Global Administrator

Use the following basic steps to elevate access for a Global Administrator using the Azure CLI.

  1. Use the az rest command to call the elevateAccess endpoint, which grants you the User Access Administrator role at root scope (/).

    az rest --method post --url "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"
    
  2. Make the changes you need to make at elevated access.

    For information about assigning roles, see Add or remove Azure role assignments using the Azure CLI.

  3. Perform the steps in a later section to remove your elevated access.

List role assignment at root scope (/)

To list the User Access Administrator role assignment for a user at root scope (/), use the az role assignment list command.

az role assignment list --role "User Access Administrator" --scope "/"
[
  {
    "canDelegate": null,
    "id": "/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111",
    "name": "11111111-1111-1111-1111-111111111111",
    "principalId": "22222222-2222-2222-2222-222222222222",
    "principalName": "username@example.com",
    "principalType": "User",
    "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
    "roleDefinitionName": "User Access Administrator",
    "scope": "/",
    "type": "Microsoft.Authorization/roleAssignments"
  }
]

Remove elevated access

To remove the User Access Administrator role assignment for yourself or another user at root scope (/), follow these steps.

  1. Sign in as a user that can remove elevated access. This can be the same user that was used to elevate access or another Global Administrator with elevated access at root scope.

  2. Use the az role assignment delete command to remove the User Access Administrator role assignment.

    az role assignment delete --assignee username@example.com --role "User Access Administrator" --scope "/"
    

REST API

Elevate access for a Global Administrator

Use the following basic steps to elevate access for a Global Administrator using the REST API.

  1. Using REST, call elevateAccess, which grants you the User Access Administrator role at root scope (/).

    POST https://management.chinacloudapi.cn/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01
    
  2. Make the changes you need to make at elevated access.

    For information about assigning roles, see Add or remove Azure role assignments using the REST API.

  3. Perform the steps in a later section to remove your elevated access.

List role assignments at root scope (/)

You can list all of the role assignments for a user at root scope (/).

  • Call GET roleAssignments where {objectIdOfUser} is the object ID of the user whose role assignments you want to retrieve.

    GET https://management.chinacloudapi.cn/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01&$filter=principalId+eq+'{objectIdOfUser}'
    

List deny assignments at root scope (/)

You can list all of the deny assignments for a user at root scope (/).

  • Call GET denyAssignments where {objectIdOfUser} is the object ID of the user whose deny assignments you want to retrieve.

    GET https://management.chinacloudapi.cn/providers/Microsoft.Authorization/denyAssignments?api-version=2018-07-01-preview&$filter=gdprExportPrincipalId+eq+'{objectIdOfUser}'
    

Remove elevated access

When you call elevateAccess, you create a role assignment for yourself, so to revoke those privileges you need to remove the User Access Administrator role assignment for yourself at root scope (/).

  1. Call GET roleDefinitions where roleName equals User Access Administrator to determine the name ID of the User Access Administrator role.

    GET https://management.chinacloudapi.cn/providers/Microsoft.Authorization/roleDefinitions?api-version=2015-07-01&$filter=roleName+eq+'User Access Administrator'
    
    {
      "value": [
        {
          "properties": {
            "roleName": "User Access Administrator",
            "type": "BuiltInRole",
            "description": "Lets you manage user access to Azure resources.",
            "assignableScopes": [
              "/"
            ],
            "permissions": [
              {
                "actions": [
                  "*/read",
                  "Microsoft.Authorization/*"
                ],
                "notActions": []
              }
            ],
            "createdOn": "0001-01-01T08:00:00.0000000Z",
            "updatedOn": "2016-05-31T23:14:04.6964687Z",
            "createdBy": null,
            "updatedBy": null
          },
          "id": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
          "type": "Microsoft.Authorization/roleDefinitions",
          "name": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
        }
      ],
      "nextLink": null
    }
    

    Save the ID from the name parameter, in this case 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9.

  2. Next, list the role assignments at directory (root) scope for the principalId of the Global Administrator who made the elevateAccess call. This returns every assignment in the directory for that object ID.

    GET https://management.chinacloudapi.cn/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01&$filter=principalId+eq+'{objectid}'
    

    Note

    A directory administrator should not have many assignments. If the previous query returns too many, you can instead query for all assignments at directory scope only and then filter the results: GET https://management.chinacloudapi.cn/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01&$filter=atScope()

  3. The previous calls return a list of role assignments. Find the assignment where the scope is "/", the roleDefinitionId ends with the role name ID you found in step 1, and the principalId matches the object ID of the directory administrator.

    Sample role assignment:

    {
      "value": [
        {
          "properties": {
            "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
            "principalId": "{objectID}",
            "scope": "/",
            "createdOn": "2016-08-17T19:21:16.3422480Z",
            "updatedOn": "2016-08-17T19:21:16.3422480Z",
            "createdBy": "22222222-2222-2222-2222-222222222222",
            "updatedBy": "22222222-2222-2222-2222-222222222222"
          },
          "id": "/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111",
          "type": "Microsoft.Authorization/roleAssignments",
          "name": "11111111-1111-1111-1111-111111111111"
        }
      ],
      "nextLink": null
    }
    

    Again, save the ID from the name parameter, in this case 11111111-1111-1111-1111-111111111111.

  4. Finally, use the role assignment ID to remove the assignment added by elevateAccess:

    DELETE https://management.chinacloudapi.cn/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111?api-version=2015-07-01
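
The filtering that steps 1 through 3 describe (and that the az role assignment list output above shows for one principal) is easy to get wrong by hand: the same role can exist at a subscription scope, GUIDs can come back in either case, and a paged response silently hides assignments. The following is an added example, not code from the article or from Microsoft. It works on the JSON bodies the roleDefinitions and roleAssignments calls return, so it runs offline against constructed sample responses modelled on the article's samples; the 18d7d88d-... role definition ID and the 1111.../2222... GUIDs are the ones quoted in the article, while the 3333.../4444.../5555.../6666.../7777.../8888... GUIDs are placeholders invented for the sample. It also goes one step beyond the article by listing every principal that still holds root-scope User Access Administrator, which is the check to run before deactivating a PIM assignment.

```python
"""Find the root-scope User Access Administrator (UAA) assignment that
elevateAccess creates, and build the request that removes it.
Added example, not from the article; runs offline on constructed samples."""
import json
from typing import Optional

ARM = "https://management.chinacloudapi.cn"   # endpoint used in the article
UAA_ROLE_NAME = "User Access Administrator"
API_VERSION = "2015-07-01"
RD = "/providers/Microsoft.Authorization/roleDefinitions/"

# Constructed roleDefinitions body. 18d7d88d-... is the built-in UAA ID the
# article quotes; 3333... is a placeholder custom role.
ROLE_DEFS_RESPONSE = json.dumps({
    "value": [
        {"properties": {"roleName": "Constructed Role", "type": "CustomRole"},
         "id": RD + "33333333-3333-3333-3333-333333333333",
         "name": "33333333-3333-3333-3333-333333333333"},
        {"properties": {"roleName": UAA_ROLE_NAME, "type": "BuiltInRole"},
         "id": RD + "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
         "name": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"},
    ],
    "nextLink": None,
})

ADMIN = "22222222-2222-2222-2222-222222222222"   # object ID from the article
OTHER = "44444444-4444-4444-4444-444444444444"   # placeholder second principal

# Constructed roleAssignments body (as returned by the atScope() query):
# one real elevation, one same-role assignment on a subscription, one stale
# elevation by another principal, and one root assignment of another role.
ASSIGNMENTS_RESPONSE = json.dumps({
    "value": [
        {"properties": {"roleDefinitionId": RD + "18D7D88D-D35E-4FB5-A5C3-7773C20A72D9",
                        "principalId": ADMIN, "scope": "/"},
         "name": "11111111-1111-1111-1111-111111111111"},
        {"properties": {"roleDefinitionId": RD + "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
                        "principalId": ADMIN,
                        "scope": "/subscriptions/55555555-5555-5555-5555-555555555555"},
         "name": "66666666-6666-6666-6666-666666666666"},
        {"properties": {"roleDefinitionId": RD + "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
                        "principalId": OTHER, "scope": "/"},
         "name": "77777777-7777-7777-7777-777777777777"},
        {"properties": {"roleDefinitionId": RD + "33333333-3333-3333-3333-333333333333",
                        "principalId": ADMIN, "scope": "/"},
         "name": "88888888-8888-8888-8888-888888888888"},
    ],
    "nextLink": None,
})


def _page(body: str) -> list:
    """Parse one ARM list response; refuse to silently drop paged results."""
    doc = json.loads(body)
    if doc.get("nextLink"):
        raise ValueError("response is paged; fetch nextLink and merge before filtering")
    return doc["value"]


def uaa_role_definition_id(role_defs_body: str) -> str:
    """Step 1: the 'name' GUID of the built-in User Access Administrator role."""
    matches = [d["name"] for d in _page(role_defs_body)
               if d["properties"].get("roleName") == UAA_ROLE_NAME]
    if len(matches) != 1:
        raise LookupError(f"expected one {UAA_ROLE_NAME} definition, got {len(matches)}")
    return matches[0]


def root_uaa_assignments(assignments_body: str, role_def_id: str,
                         principal_id: Optional[str] = None) -> list:
    """Steps 2-3: assignments whose scope is exactly '/', whose roleDefinitionId
    ends with the UAA GUID (compared case-insensitively) and, when given,
    whose principalId matches. Subscription-scope UAA is deliberately skipped."""
    want = role_def_id.lower()
    out = []
    for a in _page(assignments_body):
        p = a["properties"]
        if p.get("scope") != "/":
            continue
        if p["roleDefinitionId"].rsplit("/", 1)[-1].lower() != want:
            continue
        if principal_id is not None and p.get("principalId") != principal_id:
            continue
        out.append(a)
    return out


def delete_request(assignment_name: str) -> tuple:
    """Step 4: the (method, URL) that removes one assignment by its name GUID."""
    url = (f"{ARM}/providers/Microsoft.Authorization/roleAssignments/"
           f"{assignment_name}?api-version={API_VERSION}")
    return ("DELETE", url)


def stale_elevations(assignments_body: str, role_def_id: str) -> list:
    """Audit view: every principal still holding root-scope UAA."""
    return sorted({a["properties"]["principalId"]
                   for a in root_uaa_assignments(assignments_body, role_def_id)})


if __name__ == "__main__":
    uaa = uaa_role_definition_id(ROLE_DEFS_RESPONSE)
    for a in root_uaa_assignments(ASSIGNMENTS_RESPONSE, uaa, principal_id=ADMIN):
        print(*delete_request(a["name"]))
    print("principals with root-scope UAA:", stale_elevations(ASSIGNMENTS_RESPONSE, uaa))
```

To use it against a live directory, replace the two constructed bodies with the responses of the GET calls shown in steps 1 and 2 (or the atScope() variant from the note) and send the returned DELETE with the same bearer token; the scope check is exact on "/" so a User Access Administrator assignment on a subscription or management group is never touched by mistake.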
    

Next steps