使用 Azure PowerShell 添加或删除 Azure 角色分配Add or remove Azure role assignments using Azure PowerShell

Azure 基于角色的访问控制 (RBAC) 是用于管理对 Azure 资源的访问权限的授权系统。Azure role-based access control (RBAC) is the authorization system you use to manage access to Azure resources. 若要授予访问权限,请将角色分配给特定范围内的用户、组、服务主体或托管标识。To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope. 本文介绍如何使用 Azure PowerShell 分配角色。Azure 基于角色的访问控制 (RBAC) 是用于管理对 Azure 资源的访问权限的授权系统。Azure role-based access control (RBAC) is the authorization system you use to manage access to Azure resources. 若要授予访问权限,请将角色分配给特定范围内的用户、组、服务主体或托管标识。To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope. This article describes how to assign roles using Azure PowerShell.

Note

本文进行了更新,以便使用新的 Azure PowerShell Az 模块。This article has been updated to use the new Azure PowerShell Az module. 你仍然可以使用 AzureRM 模块,至少在 2020 年 12 月之前,它将继续接收 bug 修补程序。You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. 若要详细了解新的 Az 模块和 AzureRM 兼容性,请参阅新 Azure Powershell Az 模块简介To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. 有关 Az 模块安装说明,请参阅安装 Azure PowerShellFor Az module installation instructions, see Install Azure PowerShell.

先决条件Prerequisites

若要添加或删除角色分配,必须拥有以下权限:To add or remove role assignments, you must have:

获取对象 IDGet object IDs

若要添加或删除角色分配,可能需要指定对象的唯一 ID。To add or remove role assignments, you might need to specify the unique ID of an object. ID 的格式为:11111111-1111-1111-1111-111111111111The ID has the format: 11111111-1111-1111-1111-111111111111. 可以使用 Azure 门户或 Azure PowerShell 获取 ID。You can get the ID using the Azure portal or Azure PowerShell.

UserUser

若要获取 Azure AD 用户的对象 ID,可以使用 Get-AzADUserTo get the object ID for an Azure AD user, you can use Get-AzADUser.

Get-AzADUser -StartsWith <string_in_quotes>
(Get-AzADUser -DisplayName <name_in_quotes>).id

Group

若要获取 Azure AD 组的对象 ID,可以使用 Get-AzADGroupTo get the object ID for an Azure AD group, you can use Get-AzADGroup.

Get-AzADGroup -SearchString <group_name_in_quotes>
(Get-AzADGroup -DisplayName <group_name_in_quotes>).id

应用程序Application

若要获取 Azure AD 服务主体的对象ID(应用程序使用的标识),可以使用 Get-AzADServicePrincipalTo get the object ID for an Azure AD service principal (identity used by an application), you can use Get-AzADServicePrincipal. 对于服务主体,请使用对象 ID,而是使用应用程序 ID。For a service principal, use the object ID and not the application ID.

Get-AzADServicePrincipal -SearchString <service_name_in_quotes>
(Get-AzADServicePrincipal -DisplayName <service_name_in_quotes>).id

添加角色分配Add a role assignment

在 Azure RBAC 中,要授予访问权限,请添加角色分配。In Azure RBAC, to grant access, you add a role assignment.

资源组范围内的用户User at a resource group scope

若要为资源组范围内的用户添加角色分配,请使用 New-AzRoleAssignmentTo add a role assignment for a user at a resource group scope, use New-AzRoleAssignment.

New-AzRoleAssignment -SignInName <email_or_userprincipalname> -RoleDefinitionName <role_name> -ResourceGroupName <resource_group_name>
PS C:\> New-AzRoleAssignment -SignInName alain@example.com -RoleDefinitionName "Virtual Machine Contributor" -ResourceGroupName pharma-sales


RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales/pr
                     oviders/Microsoft.Authorization/roleAssignments/55555555-5555-5555-5555-555555555555
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales
DisplayName        : Alain Charon
SignInName         : alain@example.com
RoleDefinitionName : Virtual Machine Contributor
RoleDefinitionId   : 9980e02c-c2be-4d73-94e8-173b1dc7cf3c
ObjectId           : 44444444-4444-4444-4444-444444444444
ObjectType         : User
CanDelegate        : False

使用唯一角色 IDUsing the unique role ID

很多时候角色名称可能会更改,例如:There are a couple of times when a role name might change, for example:

  • 你使用的是自己的自定义角色,你决定更改名称。You are using your own custom role and you decide to change the name.
  • 你使用的是预览版角色,其名称中有“(预览)”字样。You are using a preview role that has (Preview) in the name. 发布角色时重命名了角色。When the role is released, the role is renamed.

Important

预览版在提供时没有附带服务级别协议,不建议将其用于生产工作负荷。A preview version is provided without a service level agreement, and it's not recommended for production workloads. 某些功能可能不受支持或者受限。Certain features might not be supported or might have constrained capabilities. 有关详细信息,请参阅适用于 Azure 预览版的补充使用条款For more information, see Supplemental Terms of Use for Azure Previews.

即使重命名了角色,角色 ID 也不会更改。Even if a role is renamed, the role ID does not change. 如果使用脚本或自动化来创建角色分配,最佳做法是使用唯一的角色 ID 而非角色名称。If you are using scripts or automation to create your role assignments, it's a best practice to use the unique role ID instead of the role name. 这样一来,即使角色重命名,脚本仍可以使用。Therefore, if a role is renamed, your scripts are more likely to work.

若要使用唯一角色 ID 而非角色名称来添加角色分配,请使用 New-AzRoleAssignmentTo add a role assignment using the unique role ID instead of the role name, use New-AzRoleAssignment.

New-AzRoleAssignment -ObjectId <object_id> -RoleDefinitionId <role_id> -ResourceGroupName <resource_group_name>

以下示例将虚拟机参与者角色分配给 pharma-sales 资源组范围内的 alain@example.com 用户。The following example assigns the Virtual Machine Contributor role to alain@example.com user at the pharma-sales resource group scope. 要获取唯一角色 ID,可以使用 Get-AzRoleDefinition,也可以参阅 Azure 内置角色To get the unique role ID, you can use Get-AzRoleDefinition or see Azure built-in roles.

PS C:\> New-AzRoleAssignment -ObjectId 44444444-4444-4444-4444-444444444444 -RoleDefinitionId 9980e02c-c2be-4d73-94e8-173b1dc7cf3c -Scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales

RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales/providers/Microsoft.Authorization/roleAssignments/55555555-5555-5555-5555-555555555555
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales
DisplayName        : Alain Charon
SignInName         : alain@example.com
RoleDefinitionName : Virtual Machine Contributor
RoleDefinitionId   : 9980e02c-c2be-4d73-94e8-173b1dc7cf3c
ObjectId           : 44444444-4444-4444-4444-444444444444
ObjectType         : User
CanDelegate        : False

资源范围内的组Group at a resource scope

若要为资源范围内的组添加角色分配,请使用 New-AzRoleAssignmentTo add a role assignment for a group at a resource scope, use New-AzRoleAssignment. 有关如何获取组的对象 ID 的信息,请参阅获取对象 IDFor information about how to get the object ID of the group, see Get object IDs.

New-AzRoleAssignment -ObjectId <object_id> -RoleDefinitionName <role_name> -ResourceName <resource_name> -ResourceType <resource_type> -ParentResource <parent resource> -ResourceGroupName <resource_group_name>
PS C:\> Get-AzADGroup -SearchString "Pharma"

SecurityEnabled DisplayName         Id                                   Type
--------------- -----------         --                                   ----
           True Pharma Sales Admins aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa Group

PS C:\> New-AzRoleAssignment -ObjectId aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa -RoleDefinitionName "Virtual Machine Contributor" -ResourceName RobertVirtualNetwork -ResourceType Microsoft.Network/virtualNetworks -ResourceGroupName RobertVirtualNetworkResourceGroup

RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyVirtualNetworkResourceGroup
                     /providers/Microsoft.Network/virtualNetworks/RobertVirtualNetwork/providers/Microsoft.Authorizat
                     ion/roleAssignments/bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyVirtualNetworkResourceGroup
                     /providers/Microsoft.Network/virtualNetworks/RobertVirtualNetwork
DisplayName        : Pharma Sales Admins
SignInName         :
RoleDefinitionName : Virtual Machine Contributor
RoleDefinitionId   : 9980e02c-c2be-4d73-94e8-173b1dc7cf3c
ObjectId           : aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa
ObjectType         : Group
CanDelegate        : False

订阅范围内的应用程序Application at a subscription scope

若要为订阅范围内的应用程序添加角色分配,请使用 New-AzRoleAssignmentTo add a role assignment for an application at a subscription scope, use New-AzRoleAssignment. 有关如何获取应用程序的对象 ID 的信息,请参阅获取对象 IDFor information about how to get the object ID of the application, see Get object IDs.

New-AzRoleAssignment -ObjectId <object_id> -RoleDefinitionName <role_name> -Scope /subscriptions/<subscription_id>
PS C:\> New-AzRoleAssignment -ObjectId 77777777-7777-7777-7777-777777777777 -RoleDefinitionName "Reader" -Scope /subscriptions/00000000-0000-0000-0000-000000000000

RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/66666666-6666-6666-6666-666666666666
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000
DisplayName        : MyApp1
SignInName         :
RoleDefinitionName : Reader
RoleDefinitionId   : acdd72a7-3385-48ef-bd42-f606fba81ae7
ObjectId           : 77777777-7777-7777-7777-777777777777
ObjectType         : ServicePrincipal
CanDelegate        : False

管理组范围内的用户User at a management group scope

若要为管理组范围内的用户添加角色分配,请使用 New-AzRoleAssignmentTo add a role assignment for a user at a management group scope, use New-AzRoleAssignment. 若要获取管理组 ID,可以在 Azure 门户中的“管理组”边栏选项卡上找到它,也可以使用 Get-AzManagementGroupTo get the management group ID, you can find it on the Management groups blade in the Azure portal or you can use Get-AzManagementGroup.

New-AzRoleAssignment -SignInName <email_or_userprincipalname> -RoleDefinitionName <role_name> -Scope /providers/Microsoft.Management/managementGroups/<group_id>
PS C:\> New-AzRoleAssignment -SignInName alain@example.com -RoleDefinitionName "Billing Reader" -Scope /providers/Microsoft.Management/managementGroups/marketing-group

RoleAssignmentId   : /providers/Microsoft.Management/managementGroups/marketing-group/providers/Microsoft.Authorization/roleAssignments/22222222-2222-2222-2222-222222222222
Scope              : /providers/Microsoft.Management/managementGroups/marketing-group
DisplayName        : Alain Charon
SignInName         : alain@example.com
RoleDefinitionName : Billing Reader
RoleDefinitionId   : fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64
ObjectId           : 44444444-4444-4444-4444-444444444444
ObjectType         : User
CanDelegate        : False

删除角色分配Remove a role assignment

在 Azure RBAC 中,要删除访问权限,请使用 Remove-AzRoleAssignment 删除角色分配。In Azure RBAC, to remove access, you remove a role assignment by using Remove-AzRoleAssignment.

以下示例在 pharma-sales 资源组上从 alain@example.com 用户删除“虚拟机参与者”角色分配:The following example removes the Virtual Machine Contributor role assignment from the alain@example.com user on the pharma-sales resource group:

PS C:\> Remove-AzRoleAssignment -SignInName alain@example.com -RoleDefinitionName "Virtual Machine Contributor" -ResourceGroupName pharma-sales

以下示例在订阅范围内从 <object_id> 中删除 <role_name> 角色。The following example removes the <role_name> role from <object_id> at a subscription scope.

Remove-AzRoleAssignment -ObjectId <object_id> -RoleDefinitionName <role_name> -Scope /subscriptions/<subscription_id>

以下示例在管理组范围内从 <object_id> 中删除 <role_name> 角色。The following example removes the <role_name> role from <object_id> at the management group scope.

Remove-AzRoleAssignment -ObjectId <object_id> -RoleDefinitionName <role_name> -Scope /providers/Microsoft.Management/managementGroups/<group_id>

如果收到错误消息:“提供的信息未映射到角色分配”,请确保还指定了 -Scope-ResourceGroupName 参数。If you get the error message: "The provided information does not map to a role assignment", make sure that you also specify the -Scope or -ResourceGroupName parameters. 有关详细信息,请参阅 Azure RBAC 疑难解答For more information, see Troubleshoot Azure RBAC.

后续步骤Next steps