Troubleshoot RBAC for Azure resources

This article answers common questions about role-based access control (RBAC) for Azure resources, so that you know what to expect when using the roles in the Azure portal and can troubleshoot access problems.

Problems with RBAC role assignments

  • If you are unable to add a role assignment in the Azure portal on Access control (IAM) because the Add > Add role assignment option is disabled, or because you get the permissions error "The client with object id does not have authorization to perform action", check that you are currently signed in with a user that is assigned a role that has the Microsoft.Authorization/roleAssignments/write permission, such as Owner or User Access Administrator, at the scope where you are trying to assign the role.
  • If you get the error message "No more role assignments can be created (code: RoleAssignmentLimitExceeded)" when you try to assign a role, try to reduce the number of role assignments by assigning roles to groups instead. Azure supports up to 2000 role assignments per subscription.

Problems with custom roles

  • If you need steps for how to create a custom role, see the custom role tutorials using Azure PowerShell or Azure CLI.
  • If you are unable to update an existing custom role, check that you are currently signed in with a user that is assigned a role that has the Microsoft.Authorization/roleDefinition/write permission, such as Owner or User Access Administrator.
  • If you are unable to delete a custom role and get the error message "There are existing role assignments referencing role (code: RoleDefinitionHasAssignments)", then there are role assignments still using the custom role. Remove those role assignments and try to delete the custom role again.
  • If you get the error message "Role definition limit exceeded. No more role definitions can be created (code: RoleDefinitionLimitExceeded)" when you try to create a new custom role, delete any custom roles that aren't being used. Azure supports up to 5000 custom roles in a tenant. (For specialized clouds, such as Azure China 21Vianet, the limit is 2000 custom roles.)
  • If you get an error similar to "The client has permission to perform action 'Microsoft.Authorization/roleDefinitions/write' on scope '/subscriptions/{subscriptionid}', however the linked subscription was not found" when you try to update a custom role, check whether one or more assignable scopes have been deleted in the tenant. If the scope was deleted, create a support ticket, as there is no self-service solution available at this time.

Recover RBAC when subscriptions are moved across tenants

  • If you need steps for how to transfer a subscription to a different Azure AD tenant, see Transfer ownership of an Azure subscription to another account.
  • If you transfer a subscription to a different Azure AD tenant, all role assignments are permanently deleted from the source Azure AD tenant and are not migrated to the target Azure AD tenant. You must re-create your role assignments in the target tenant. You also have to manually recreate managed identities for Azure resources. For more information, see FAQs and known issues with managed identities.
  • If you are an Azure AD Global Administrator and you don't have access to a subscription after it was moved between tenants, use the Access management for Azure resources toggle to temporarily elevate your access to get access to the subscription.

Issues with service admins or co-admins

Access denied or permission errors

  • If you get the permissions error "The client with object id does not have authorization to perform action over scope (code: AuthorizationFailed)" when you try to create a resource, check that you are currently signed in with a user that is assigned a role that has write permission to the resource at the selected scope. For example, to manage virtual machines in a resource group, you should have the Virtual Machine Contributor role on the resource group (or a parent scope). For a list of the permissions for each built-in role, see Built-in roles for Azure resources.
  • If you get the permissions error "You don't have permission to create a support request" when you try to create or update a support ticket, check that you are currently signed in with a user that is assigned a role that has the Microsoft.Support/supportTickets/write permission, such as Support Request Contributor.

Role assignments with Unknown security principal

When you list your role assignments using Azure PowerShell, you might see assignments with an empty DisplayName and an ObjectType set to Unknown. For example, Get-AzRoleAssignment returns a role assignment that is similar to the following:

RoleAssignmentId   : /subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/roleAssignments/22222222-2222-2222-2222-222222222222
Scope              : /subscriptions/11111111-1111-1111-1111-111111111111
DisplayName        :
SignInName         :
RoleDefinitionName : Storage Blob Data Contributor
RoleDefinitionId   : ba92f5b4-2d11-453d-a403-e96b0029c9fe
ObjectId           : 33333333-3333-3333-3333-333333333333
ObjectType         : Unknown
CanDelegate        : False

Similarly, when you list your role assignments using Azure CLI, you might see assignments with an empty principalName. For example, az role assignment list returns a role assignment that is similar to the following:

{
    "canDelegate": null,
    "id": "/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/roleAssignments/22222222-2222-2222-2222-222222222222",
    "name": "22222222-2222-2222-2222-222222222222",
    "principalId": "33333333-3333-3333-3333-333333333333",
    "principalName": "",
    "roleDefinitionId": "/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe",
    "roleDefinitionName": "Storage Blob Data Contributor",
    "scope": "/subscriptions/11111111-1111-1111-1111-111111111111",
    "type": "Microsoft.Authorization/roleAssignments"
}

These role assignments occur when you assign a role to a security principal (user, group, service principal, or managed identity) and you later delete that security principal. These role assignments aren't displayed in the Azure portal, and it isn't a problem to leave them. However, if you like, you can remove these role assignments.

To remove these role assignments, use the Remove-AzRoleAssignment or az role assignment delete commands.

In PowerShell, if you try to remove the role assignments using the object ID and role definition name, and more than one role assignment matches your parameters, you will get the error message: "The provided information does not map to a role assignment". The following shows an example of the error message:

PS C:\> Remove-AzRoleAssignment -ObjectId 33333333-3333-3333-3333-333333333333 -RoleDefinitionName "Storage Blob Data Contributor"

Remove-AzRoleAssignment : The provided information does not map to a role assignment.
At line:1 char:1
+ Remove-AzRoleAssignment -ObjectId 33333333-3333-3333-3333-333333333333 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : CloseError: (:) [Remove-AzRoleAssignment], KeyNotFoundException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.RemoveAzureRoleAssignmentCommand

If you get this error message, make sure you also specify the -Scope or -ResourceGroupName parameter so that exactly one assignment matches:

PS C:\> Remove-AzRoleAssignment -ObjectId 33333333-3333-3333-3333-333333333333 -RoleDefinitionName "Storage Blob Data Contributor" -Scope /subscriptions/11111111-1111-1111-1111-111111111111
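The orphaned-assignment check described above, carried out over the JSON that az role assignment list emits, as an added example that is not part of the original article. The input is a constructed sample with placeholder IDs; the function names find_orphaned_assignments and delete_commands are this example's own, and the emitted commands use the assignment's full id so each one maps to exactly one assignment:

```python
import json

# Constructed sample in the shape of `az role assignment list` output.
# Only the fields this check needs are included; all IDs are placeholders.
SAMPLE_OUTPUT = json.dumps([
    {
        "id": "/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/roleAssignments/22222222-2222-2222-2222-222222222222",
        "name": "22222222-2222-2222-2222-222222222222",
        "principalId": "33333333-3333-3333-3333-333333333333",
        "principalName": "",  # empty: the principal was deleted after assignment
        "roleDefinitionName": "Storage Blob Data Contributor",
        "scope": "/subscriptions/11111111-1111-1111-1111-111111111111",
    },
    {
        "id": "/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/roleAssignments/44444444-4444-4444-4444-444444444444",
        "name": "44444444-4444-4444-4444-444444444444",
        "principalId": "55555555-5555-5555-5555-555555555555",
        "principalName": "alice@example.com",  # live principal, keep
        "roleDefinitionName": "Reader",
        "scope": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-app",
    },
])


def find_orphaned_assignments(cli_json: str) -> list:
    """Return the assignments whose principalName is empty.

    An empty principalName (ObjectType 'Unknown' in PowerShell) means the
    user, group, service principal or managed identity was deleted after the
    role was assigned, so the assignment no longer grants anyone access.
    """
    assignments = json.loads(cli_json)
    if not isinstance(assignments, list):
        raise ValueError("expected a JSON array from az role assignment list")
    return [a for a in assignments if not a.get("principalName")]


def delete_commands(orphans: list) -> list:
    """Build one `az role assignment delete` per orphan.

    Passing the assignment id (--ids) avoids the ambiguity the article
    describes when only object ID and role name are supplied and several
    assignments match; the scope is already part of that id.
    """
    return [f"az role assignment delete --ids {a['id']}" for a in orphans]


if __name__ == "__main__":
    for cmd in delete_commands(find_orphaned_assignments(SAMPLE_OUTPUT)):
        print(cmd)
```

Feed real output in with az role assignment list --all -o json and review the printed commands before running any of them.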

RBAC changes are not being detected

Azure Resource Manager sometimes caches configurations and data to improve performance. When creating or deleting role assignments, it can take up to 30 minutes for changes to take effect. If you are using the Azure portal, Azure PowerShell, or Azure CLI, you can force a refresh of your role assignment changes by signing out and signing in. If you are making role assignment changes with REST API calls, you can force a refresh by refreshing your access token.

Web app features that require write access

If you grant a user read-only access to a single web app, some features are disabled that you might not expect. The following management capabilities require write access to a web app (either Contributor or Owner), and aren't available in any read-only scenario.

  • Commands (like start, stop, etc.)
  • Changing settings like general configuration, scale settings, backup settings, and monitoring settings
  • Accessing publishing credentials and other secrets like app settings and connection strings
  • Streaming logs
  • Diagnostic logs configuration
  • Console (command prompt)
  • Active and recent deployments (for local git continuous deployment)
  • Estimated spend
  • Web tests
  • Virtual network (only visible to a reader if a virtual network has previously been configured by a user with write access)

If you can't access any of these tiles, you need to ask your administrator for Contributor access to the web app.

Web app resources that require write access

Web apps are complicated by the presence of a few different resources that interplay. Here is a typical resource group with a couple of websites:

(Figure: a web app resource group)

As a result, if you grant someone access to just the web app, much of the functionality on the website blade in the Azure portal is disabled.

These items require write access to the App Service plan that corresponds to your website:

  • Viewing the web app's pricing tier (Free or Standard)
  • Scale configuration (number of instances, virtual machine size, autoscale settings)
  • Quotas (storage, bandwidth, CPU)

These items require write access to the whole resource group that contains your website:

  • SSL certificates and bindings (SSL certificates can be shared between sites in the same resource group and geo-location)
  • Alert rules
  • Autoscale settings
  • Web tests

Virtual machine features that require write access

Similar to web apps, some features on the virtual machine blade require write access to the virtual machine, or to other resources in the resource group.

Virtual machines are related to domain names, virtual networks, storage accounts, and alert rules.

These items require write access to the virtual machine:

  • Endpoints
  • IP addresses
  • Disks
  • Extensions

These require write access to both the virtual machine and the resource group (along with the domain name) that it is in:

  • Availability set
  • Load balanced set
  • Alert rules

If you can't access any of these tiles, ask your administrator for Contributor access to the resource group.

Azure Functions and write access

Some features of Azure Functions require write access. For example, if a user is assigned the Reader role, they will not be able to view the functions within a function app. The portal will display (No access).

(Figure: function app showing No access)

A reader can click the Platform features tab and then click All settings to view some settings related to a function app (similar to a web app), but they can't modify any of these settings. To access these features, you will need the Contributor role.

Next steps