Manage access to Azure resources using RBAC and Azure PowerShell

Role-based access control (RBAC) is the way that you manage access to Azure resources. This article describes how you manage access for users, groups, and applications using RBAC and Azure PowerShell.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Prerequisites

To manage access, you need one of the following:

List roles

List all available roles

To list RBAC roles that are available for assignment and to inspect the operations to which they grant access, use Get-AzRoleDefinition.

Get-AzRoleDefinition | FT Name, Description
AcrImageSigner                                    acr image signer
AcrQuarantineReader                               acr quarantine data reader
AcrQuarantineWriter                               acr quarantine data writer
API Management Service Contributor                Can manage service and the APIs
API Management Service Operator Role              Can manage service but not the APIs
API Management Service Reader Role                Read-only access to service and APIs
Automation Job Operator                           Create and Manage Jobs using Automation Runbooks.
Automation Operator                               Automation Operators are able to start, stop, suspend, and resume ...
...

List a specific role

To list a specific role, use Get-AzRoleDefinition.

Get-AzRoleDefinition <role_name>
PS C:\> Get-AzRoleDefinition "Contributor"

Name             : Contributor
Id               : b24988ac-6180-42a0-ab88-20f7382dd24c
IsCustom         : False
Description      : Lets you manage everything except access to resources.
Actions          : {*}
NotActions       : {Microsoft.Authorization/*/Delete, Microsoft.Authorization/*/Write,
                   Microsoft.Authorization/elevateAccess/Action}
DataActions      : {}
NotDataActions   : {}
AssignableScopes : {/}

List a role definition

List a role definition in JSON format

To list a role definition in JSON format, use Get-AzRoleDefinition.

Get-AzRoleDefinition <role_name> | ConvertTo-Json
PS C:\> Get-AzRoleDefinition "Contributor" | ConvertTo-Json

{
  "Name": "Contributor",
  "Id": "b24988ac-6180-42a0-ab88-20f7382dd24c",
  "IsCustom": false,
  "Description": "Lets you manage everything except access to resources.",
  "Actions": [
    "*"
  ],
  "NotActions": [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Blueprint/blueprintAssignments/write",
    "Microsoft.Blueprint/blueprintAssignments/delete"
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/"
  ]
}

List actions of a role

To list the actions for a specific role, use Get-AzRoleDefinition.

Get-AzRoleDefinition <role_name> | FL Actions, NotActions
PS C:\> Get-AzRoleDefinition "Contributor" | FL Actions, NotActions

Actions    : {*}
NotActions : {Microsoft.Authorization/*/Delete, Microsoft.Authorization/*/Write,
             Microsoft.Authorization/elevateAccess/Action,
             Microsoft.Blueprint/blueprintAssignments/write...}
(Get-AzRoleDefinition <role_name>).Actions
PS C:\> (Get-AzRoleDefinition "Virtual Machine Contributor").Actions

Microsoft.Authorization/*/read
Microsoft.Compute/availabilitySets/*
Microsoft.Compute/locations/*
Microsoft.Compute/virtualMachines/*
Microsoft.Compute/virtualMachineScaleSets/*
Microsoft.DevTestLab/schedules/*
Microsoft.Insights/alertRules/*
Microsoft.Network/applicationGateways/backendAddressPools/join/action
Microsoft.Network/loadBalancers/backendAddressPools/join/action
...
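Reading Actions and NotActions by eye does not scale once custom roles exist, so here is an added review script (not from the Azure docs) that applies the Actions-minus-NotActions rule shown above to every custom role definition and flags the ones that grant "*", that can change role assignments or definitions, or that are assignable at the root scope. It assumes Connect-AzAccount has already run and the Az.Resources module is loaded; the list of access-administration actions is the reviewer's own choice.

```powershell
# Added example (not from the Azure docs): flag role definitions whose permissions a
# least-privilege review should question. Assumes Connect-AzAccount has run and the
# Az.Resources module is loaded; the action patterns below are the reviewer's choice.

# Concrete operations that let a principal change who has access. A role that grants
# any of these is effectively an access administrator, whatever its name says.
$accessAdminActions = @(
    'Microsoft.Authorization/roleAssignments/write',
    'Microsoft.Authorization/roleDefinitions/write',
    'Microsoft.Authorization/elevateAccess/Action'
)

function Test-ActionCovered {
    # True when an Actions/NotActions entry (which may use the RBAC wildcard '*') covers $Action.
    param([string]$Pattern, [string]$Action)
    $regex = '^' + [regex]::Escape($Pattern).Replace('\*', '.*') + '$'
    return $Action -imatch $regex
}

function Get-RoleRiskFindings {
    param([Parameter(ValueFromPipeline)]$Role)
    process {
        $findings = @()
        if ($Role.Actions -contains '*') {
            $findings += 'Actions grants "*" (every control-plane operation)'
        }
        foreach ($action in $accessAdminActions) {
            # An operation is effectively granted when some Actions entry covers it and no
            # NotActions entry subtracts it again (this is how Contributor stays broad yet
            # unable to manage access).
            $granted = $Role.Actions    | Where-Object { Test-ActionCovered $_ $action }
            $denied  = $Role.NotActions | Where-Object { Test-ActionCovered $_ $action }
            if ($granted -and -not $denied) { $findings += "grants $action" }
        }
        if ($Role.AssignableScopes -contains '/') {
            $findings += 'assignable at the root scope "/"'
        }
        if ($findings) {
            [pscustomobject]@{
                Name     = $Role.Name
                Id       = $Role.Id
                IsCustom = $Role.IsCustom
                Findings = $findings -join '; '
            }
        }
    }
}

# Custom roles are where surprises live; built-in roles such as Owner match by design.
Get-AzRoleDefinition -Custom | Get-RoleRiskFindings | Format-Table -AutoSize
```

Piping Get-AzRoleDefinition without -Custom through the same function shows which built-in roles would trip each check, which is a useful calibration before trusting the output on custom roles.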

List access

In RBAC, to list access, you list the role assignments.

List role assignments for a user

To list all the roles that are assigned to a specified user, use Get-AzRoleAssignment.

Get-AzRoleAssignment -SignInName <email_or_userprincipalname>
PS C:\> Get-AzRoleAssignment -SignInName isabella@example.com | FL DisplayName, RoleDefinitionName, Scope

DisplayName        : Isabella Simonsen
RoleDefinitionName : BizTalk Contributor
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales

To list all the roles that are assigned to a specified user and the roles that are assigned to the groups to which the user belongs, use Get-AzRoleAssignment.

Get-AzRoleAssignment -SignInName <email_or_userprincipalname> -ExpandPrincipalGroups
Get-AzRoleAssignment -SignInName isabella@example.com -ExpandPrincipalGroups | FL DisplayName, RoleDefinitionName, Scope

List role assignments at a resource group scope

To list all role assignments at a resource group scope, use Get-AzRoleAssignment.

Get-AzRoleAssignment -ResourceGroupName <resource_group_name>
PS C:\> Get-AzRoleAssignment -ResourceGroupName pharma-sales | FL DisplayName, RoleDefinitionName, Scope

DisplayName        : Alain Charon
RoleDefinitionName : Backup Operator
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales

DisplayName        : Isabella Simonsen
RoleDefinitionName : BizTalk Contributor
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales

DisplayName        : Alain Charon
RoleDefinitionName : Virtual Machine Contributor
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales

List role assignments at a subscription scope

To list all role assignments at a subscription scope, use Get-AzRoleAssignment. To get the subscription ID, you can find it on the Subscriptions blade in the Azure portal or you can use Get-AzSubscription.

Get-AzRoleAssignment -Scope /subscriptions/<subscription_id>
PS C:\> Get-AzRoleAssignment -Scope /subscriptions/00000000-0000-0000-0000-000000000000

List role assignments at a management group scope

To list all role assignments at a management group scope, use Get-AzRoleAssignment. To get the management group ID, you can find it on the Management groups blade in the Azure portal or you can use Get-AzManagementGroup.

Get-AzRoleAssignment -Scope /providers/Microsoft.Management/managementGroups/<group_id>
PS C:\> Get-AzRoleAssignment -Scope /providers/Microsoft.Management/managementGroups/marketing-group

List role assignments for classic service administrator and co-administrators

To list role assignments for the classic subscription administrator and co-administrators, use Get-AzRoleAssignment.

Get-AzRoleAssignment -IncludeClassicAdministrators
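The listing commands above are the raw material for an access review; the following added script (not from the Azure docs) combines them into one report for the current subscription: privileged roles assigned directly to users rather than groups, assignments whose principal no longer exists, and classic administrators, which only appear with -IncludeClassicAdministrators because they sit outside RBAC. It assumes Connect-AzAccount has run and that the subscription to review is the current context; the set of roles treated as privileged is the reviewer's choice.

```powershell
# Added example (not from the Azure docs): report role assignments in the current
# subscription that a least-privilege review should look at first. Assumes
# Connect-AzAccount has run and the subscription to review is the current context.

# Roles that can change resources broadly or change who has access (reviewer's choice).
$privilegedRoles = @('Owner', 'Contributor', 'User Access Administrator')

function Get-PrivilegedAssignmentFindings {
    # Without -Scope, Get-AzRoleAssignment returns assignments at every scope in the subscription.
    $assignments = Get-AzRoleAssignment

    foreach ($ra in $assignments) {
        $reasons = @()
        if ($privilegedRoles -contains $ra.RoleDefinitionName -and $ra.ObjectType -eq 'User') {
            # Prefer assigning privileged roles to groups, so membership is reviewed in one place.
            $reasons += 'privileged role assigned directly to a user'
        }
        if ($ra.ObjectType -eq 'Unknown') {
            # The principal was deleted from Azure AD but the assignment was left behind.
            $reasons += 'principal no longer exists (orphaned assignment)'
        }
        if ($reasons) {
            $principal = if ($ra.SignInName) { $ra.SignInName } else { $ra.DisplayName }
            [pscustomobject]@{
                Principal = $principal
                ObjectId  = $ra.ObjectId
                Role      = $ra.RoleDefinitionName
                Scope     = $ra.Scope
                Reason    = $reasons -join '; '
            }
        }
    }

    # Classic administrators are not RBAC role assignments, so they only show up with
    # -IncludeClassicAdministrators; report every entry the plain listing did not contain.
    $knownIds = @($assignments | ForEach-Object { $_.RoleAssignmentId })
    Get-AzRoleAssignment -IncludeClassicAdministrators |
        Where-Object { $knownIds -notcontains $_.RoleAssignmentId } |
        ForEach-Object {
            $principal = if ($_.SignInName) { $_.SignInName } else { $_.DisplayName }
            [pscustomobject]@{
                Principal = $principal
                ObjectId  = $_.ObjectId
                Role      = $_.RoleDefinitionName
                Scope     = $_.Scope
                Reason    = 'classic administrator (not governed by RBAC)'
            }
        }
}

Get-PrivilegedAssignmentFindings | Sort-Object Reason, Scope | Format-Table -AutoSize
```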

Grant access

In RBAC, to grant access, you create a role assignment.

Search for object IDs

To assign a role, you need to identify both the object (user, group, or application) and the scope.

To get the subscription ID, you can find it on the Subscriptions blade in the Azure portal or you can use Get-AzSubscription.

To get the object ID for an Azure AD user, use Get-AzADUser.

Get-AzADUser -StartsWith <string_in_quotes>

To get the object ID for an Azure AD group, use Get-AzADGroup.

Get-AzADGroup -SearchString <group_name_in_quotes>

To get the object ID for an Azure AD service principal or application, use Get-AzADServicePrincipal.

Get-AzADServicePrincipal -SearchString <service_name_in_quotes>

Create a role assignment for a user at a resource group scope

To grant access to a user at a resource group scope, use New-AzRoleAssignment.

New-AzRoleAssignment -SignInName <email_or_userprincipalname> -RoleDefinitionName <role_name> -ResourceGroupName <resource_group_name>
PS C:\> New-AzRoleAssignment -SignInName alain@example.com -RoleDefinitionName "Virtual Machine Contributor" -ResourceGroupName pharma-sales


RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales/providers/Microsoft.Authorization/roleAssignments/55555555-5555-5555-5555-555555555555
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales
DisplayName        : Alain Charon
SignInName         : alain@example.com
RoleDefinitionName : Virtual Machine Contributor
RoleDefinitionId   : 9980e02c-c2be-4d73-94e8-173b1dc7cf3c
ObjectId           : 44444444-4444-4444-4444-444444444444
ObjectType         : User
CanDelegate        : False

Create a role assignment using the unique role ID

There are a couple of times when a role name might change, for example:

  • You are using your own custom role and you decide to change the name.
  • You are using a preview role that has (Preview) in the name. When the role is released, the role is renamed.

Important

A preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Azure Previews.

Even if a role is renamed, the role ID does not change. If you are using scripts or automation to create your role assignments, it's a best practice to use the unique role ID instead of the role name. Therefore, if a role is renamed, your scripts are more likely to work.

To create a role assignment using the unique role ID instead of the role name, use New-AzRoleAssignment.

New-AzRoleAssignment -ObjectId <object_id> -RoleDefinitionId <role_id> -ResourceGroupName <resource_group_name>

The following example assigns the Virtual Machine Contributor role to the *alain@example.com* user at the pharma-sales resource group scope. To get the unique role ID, you can use Get-AzRoleDefinition or see Built-in roles for Azure resources.

PS C:\> New-AzRoleAssignment -ObjectId 44444444-4444-4444-4444-444444444444 -RoleDefinitionId 9980e02c-c2be-4d73-94e8-173b1dc7cf3c -Scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales

RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales/providers/Microsoft.Authorization/roleAssignments/55555555-5555-5555-5555-555555555555
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales
DisplayName        : Alain Charon
SignInName         : alain@example.com
RoleDefinitionName : Virtual Machine Contributor
RoleDefinitionId   : 9980e02c-c2be-4d73-94e8-173b1dc7cf3c
ObjectId           : 44444444-4444-4444-4444-444444444444
ObjectType         : User
CanDelegate        : False

Create a role assignment for a group at a resource scope

To grant access to a group at a resource scope, use New-AzRoleAssignment.

New-AzRoleAssignment -ObjectId <object_id> -RoleDefinitionName <role_name> -ResourceName <resource_name> -ResourceType <resource_type> -ParentResource <parent resource> -ResourceGroupName <resource_group_name>
PS C:\> Get-AzADGroup -SearchString "Pharma"

SecurityEnabled DisplayName         Id                                   Type
--------------- -----------         --                                   ----
           True Pharma Sales Admins aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa Group

PS C:\> New-AzRoleAssignment -ObjectId aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa -RoleDefinitionName "Virtual Machine Contributor" -ResourceName RobertVirtualNetwork -ResourceType Microsoft.Network/virtualNetworks -ResourceGroupName RobertVirtualNetworkResourceGroup

RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyVirtualNetworkResourceGroup/providers/Microsoft.Network/virtualNetworks/RobertVirtualNetwork/providers/Microsoft.Authorization/roleAssignments/bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyVirtualNetworkResourceGroup/providers/Microsoft.Network/virtualNetworks/RobertVirtualNetwork
DisplayName        : Pharma Sales Admins
SignInName         :
RoleDefinitionName : Virtual Machine Contributor
RoleDefinitionId   : 9980e02c-c2be-4d73-94e8-173b1dc7cf3c
ObjectId           : aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa
ObjectType         : Group
CanDelegate        : False

Create a role assignment for an application at a subscription scope

To grant access to an application at a subscription scope, use New-AzRoleAssignment.

New-AzRoleAssignment -ObjectId <application_id> -RoleDefinitionName <role_name> -Scope /subscriptions/<subscription_id>
PS C:\> New-AzRoleAssignment -ObjectId 77777777-7777-7777-7777-777777777777 -RoleDefinitionName "Reader" -Scope /subscriptions/00000000-0000-0000-0000-000000000000

RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/66666666-6666-6666-6666-666666666666
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000
DisplayName        : MyApp1
SignInName         :
RoleDefinitionName : Reader
RoleDefinitionId   : acdd72a7-3385-48ef-bd42-f606fba81ae7
ObjectId           : 77777777-7777-7777-7777-777777777777
ObjectType         : ServicePrincipal
CanDelegate        : False

Create a role assignment for a user at a management group scope

To grant access to a user at a management group scope, use New-AzRoleAssignment. To get the management group ID, you can find it on the Management groups blade in the Azure portal or you can use Get-AzManagementGroup.

New-AzRoleAssignment -SignInName <email_or_userprincipalname> -RoleDefinitionName <role_name> -Scope /providers/Microsoft.Management/managementGroups/<group_id>
PS C:\> New-AzRoleAssignment -SignInName alain@example.com -RoleDefinitionName "Billing Reader" -Scope /providers/Microsoft.Management/managementGroups/marketing-group

RoleAssignmentId   : /providers/Microsoft.Management/managementGroups/marketing-group/providers/Microsoft.Authorization/roleAssignments/22222222-2222-2222-2222-222222222222
Scope              : /providers/Microsoft.Management/managementGroups/marketing-group
DisplayName        : Alain Charon
SignInName         : alain@example.com
RoleDefinitionName : Billing Reader
RoleDefinitionId   : fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64
ObjectId           : 44444444-4444-4444-4444-444444444444
ObjectType         : User
CanDelegate        : False

Remove access

In RBAC, to remove access, you remove a role assignment by using Remove-AzRoleAssignment.

The following example removes the Virtual Machine Contributor role assignment from the alain@example.com user on the pharma-sales resource group:

PS C:\> Remove-AzRoleAssignment -SignInName alain@example.com -RoleDefinitionName "Virtual Machine Contributor" -ResourceGroupName pharma-sales

The following example removes the <role_name> role from <object_id> at a subscription scope.

Remove-AzRoleAssignment -ObjectId <object_id> -RoleDefinitionName <role_name> -Scope /subscriptions/<subscription_id>

The following example removes the <role_name> role from <object_id> at the management group scope.

Remove-AzRoleAssignment -ObjectId <object_id> -RoleDefinitionName <role_name> -Scope /providers/Microsoft.Management/managementGroups/<group_id>

If you get the error message: "The provided information does not map to a role assignment", make sure that you also specify the -Scope or -ResourceGroupName parameters. For more information, see Troubleshoot RBAC for Azure resources.

Next steps
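The advice earlier to script against the unique role ID, and the note just above about always passing an explicit scope to Remove-AzRoleAssignment, come together in this added function (not from the Azure docs), which drives one assignment to a desired state of Present or Absent: it resolves the role name to its ID once, checks the role's AssignableScopes before touching anything, looks only at assignments made at exactly the requested scope (Get-AzRoleAssignment -Scope also returns inherited ones), and is safe to re-run. It assumes Connect-AzAccount has run; the object ID and subscription ID at the bottom are placeholders.

```powershell
# Added example (not from the Azure docs): converge a single role assignment on a desired
# state by role ID rather than role name, so the script survives a role rename and is
# idempotent. Assumes Connect-AzAccount has run; IDs at the bottom are placeholders.

function Set-RoleAssignmentState {
    param(
        [Parameter(Mandatory)][string]$ObjectId,
        [Parameter(Mandatory)][string]$RoleName,   # resolved to its immutable ID once, below
        [Parameter(Mandatory)][string]$Scope,      # always explicit, never inferred
        [ValidateSet('Present', 'Absent')][string]$Ensure = 'Present'
    )

    # Fail loudly if the name no longer resolves (e.g. a preview role that was renamed)
    # rather than silently doing nothing.
    $role = Get-AzRoleDefinition -Name $RoleName
    if (-not $role) { throw "Role '$RoleName' not found" }

    # A definition can only be assigned at or below one of its AssignableScopes.
    $assignable = $role.AssignableScopes | Where-Object { $_ -eq '/' -or $Scope -like "$_*" }
    if (-not $assignable) {
        throw "Role '$RoleName' is not assignable at '$Scope' (AssignableScopes: $($role.AssignableScopes -join ', '))"
    }

    # Match exactly this role, principal and scope. Get-AzRoleAssignment -Scope also returns
    # assignments inherited from parent scopes, whose Scope property differs, so filter again.
    $existing = Get-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionId $role.Id -Scope $Scope |
        Where-Object { $_.Scope -eq $Scope }

    switch ($Ensure) {
        'Present' {
            if ($existing) { return "Already assigned: $RoleName ($($role.Id)) to $ObjectId at $Scope" }
            $null = New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionId $role.Id -Scope $Scope
            return "Assigned: $RoleName ($($role.Id)) to $ObjectId at $Scope"
        }
        'Absent' {
            if (-not $existing) { return "Nothing to remove for $ObjectId at $Scope" }
            # Passing -Scope avoids the "provided information does not map to a role
            # assignment" error described in the text.
            Remove-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionId $role.Id -Scope $Scope
            return "Removed: $RoleName from $ObjectId at $Scope"
        }
    }
}

# Placeholder values; replace with real IDs before running.
$rgScope = '/subscriptions/<subscription_id>/resourceGroups/pharma-sales'
Set-RoleAssignmentState -ObjectId '<object_id>' -RoleName 'Virtual Machine Contributor' -Scope $rgScope -Ensure Present
Set-RoleAssignmentState -ObjectId '<object_id>' -RoleName 'Virtual Machine Contributor' -Scope $rgScope -Ensure Absent
```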