Troubleshoot Azure RBAC

This article answers some common questions about Azure role-based access control (Azure RBAC), so that you know what to expect when using the roles and can troubleshoot access problems.

Azure role assignments limit

Azure supports up to 2000 role assignments per subscription. This limit includes role assignments at the subscription, resource group, and resource scopes. If you get the error message "No more role assignments can be created (code: RoleAssignmentLimitExceeded)" when you try to assign a role, try to reduce the number of role assignments in the subscription.

Note

The 2000 role assignments limit per subscription is fixed and cannot be increased.

If you are getting close to this limit, here are some ways that you can reduce the number of role assignments:

  • Add users to groups and assign roles to the groups instead.
  • Combine multiple built-in roles with a custom role.
  • Make common role assignments at a higher scope, such as subscription or management group.
  • If you have Azure AD Premium P2, make role assignments eligible in Azure AD Privileged Identity Management instead of permanently assigned.
  • Add an additional subscription.

To get the number of role assignments, you can view the chart on the Access control (IAM) page in the Azure portal. You can also use the following Azure PowerShell commands:

$scope = "/subscriptions/<subscriptionId>"
$ras = Get-AzRoleAssignment -Scope $scope | Where-Object {$_.scope.StartsWith($scope)}
$ras.Count
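The count above tells you how close you are to the limit but not where the assignments come from. The following script, an added example rather than code from the Microsoft page, breaks the count down by scope level and lists roles that are assigned directly to several users at the same scope, which are the first candidates for the "assign to a group instead" advice. It assumes the Az module, a signed-in session, and a `<subscriptionId>` placeholder you replace.

```powershell
# Added example (not from the Microsoft docs page): summarize role assignments
# in a subscription and flag direct user assignments that a single group
# assignment could replace. Assumes the Az module and a signed-in session.
param([string]$SubscriptionId = "<subscriptionId>")   # placeholder, replace it

$scope = "/subscriptions/$SubscriptionId"

# Only assignments at or below the subscription count toward the 2000 limit;
# Get-AzRoleAssignment -Scope also returns assignments inherited from above.
$ras = Get-AzRoleAssignment -Scope $scope |
    Where-Object { $_.Scope.StartsWith($scope, [System.StringComparison]::OrdinalIgnoreCase) }

Write-Host "Role assignments counted toward the per-subscription limit: $($ras.Count)"

# Break the count down by scope level (subscription / resource group / resource),
# derived from the number of path segments in the assignment's Scope.
$ras | Group-Object {
    $segments = $_.Scope.Trim('/').Split('/')
    if ($segments.Count -le 2) { 'subscription' }
    elseif ($segments.Count -le 4) { 'resource group' }
    else { 'resource' }
} | Select-Object Name, Count | Format-Table -AutoSize

# Consolidation candidates: the same role assigned directly to three or more
# users at the same scope. One group assignment replaces all of them.
$ras |
    Where-Object { $_.ObjectType -eq 'User' } |
    Group-Object RoleDefinitionName, Scope |
    Where-Object { $_.Count -ge 3 } |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Role        = $_.Group[0].RoleDefinitionName
            Scope       = $_.Group[0].Scope
            DirectUsers = $_.Count
            Savings     = $_.Count - 1   # N direct assignments become 1 group assignment
        }
    } | Format-Table -AutoSize
```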

Problems with Azure role assignments

  • If you are unable to add a role assignment in the Azure portal on Access control (IAM) because the Add > Add role assignment option is disabled or because you get the permissions error "The client with object id does not have authorization to perform action", check that you are currently signed in with a user that is assigned a role that has the Microsoft.Authorization/roleAssignments/write permission, such as Owner or User Access Administrator, at the scope where you are trying to assign the role.
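Checking that permission by hand means reading every role you hold at the scope, including roles inherited from parent scopes and roles granted through group membership, and then matching the wildcard Actions and NotActions patterns. The function below, an added example that is not from the Microsoft page, does that check for the signed-in user; the same function with a different -Action value answers the Microsoft.Authorization/roleDefinition/write and Microsoft.Support/supportTickets/write questions in later sections. It assumes the Az module, a user (not service principal) session, and placeholder scope values; deny assignments and classic administrators are not considered.

```powershell
# Added example (not from the Microsoft docs page): does the signed-in user
# hold a role at or above a scope whose Actions grant a given operation?
# Assumes the Az module and a signed-in user session. Deny assignments and
# classic administrators are not taken into account.

function Test-AzActionPattern {
    # Azure permission strings use '*' as a wildcard and are case-insensitive.
    param([string]$Pattern, [string]$Action)
    $regex = '^' + ([regex]::Escape($Pattern) -replace '\\\*', '.*') + '$'
    return $Action -imatch $regex
}

function Test-AzActionAllowed {
    param(
        [Parameter(Mandatory)][string]$Scope,
        [string]$Action = 'Microsoft.Authorization/roleAssignments/write'
    )
    # For a user session Account.Id is the sign-in name (UPN).
    $signInName = (Get-AzContext).Account.Id
    # -ExpandPrincipalGroups also returns roles granted via group membership;
    # -Scope returns assignments at this scope and at every parent scope.
    $assignments = Get-AzRoleAssignment -SignInName $signInName -Scope $Scope -ExpandPrincipalGroups

    foreach ($ra in $assignments) {
        $def = Get-AzRoleDefinition -Id $ra.RoleDefinitionId
        $allowed = $def.Actions    | Where-Object { Test-AzActionPattern $_ $Action }
        $denied  = $def.NotActions | Where-Object { Test-AzActionPattern $_ $Action }
        # Contributor, for example, has '*' in Actions but excludes
        # Microsoft.Authorization/*/Write in NotActions, so it cannot assign roles.
        if ($allowed -and -not $denied) {
            Write-Host "Allowed by role '$($def.Name)' assigned at $($ra.Scope)"
            return $true
        }
    }
    Write-Host "No role assigned at or above $Scope grants '$Action'"
    return $false
}

# Usage (placeholders): can the current user create role assignments on this resource group?
Test-AzActionAllowed -Scope "/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>"
```

A result of $false with the Owner or User Access Administrator role visibly assigned usually means the assignment is at a narrower scope than the one you are testing, or is still propagating (see "Role assignment changes are not being detected" below).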

Problems with custom roles

  • If you need steps for how to create a custom role, see the custom role tutorials using the Azure portal (currently in preview), Azure PowerShell, or Azure CLI.
  • If you are unable to update an existing custom role, check that you are currently signed in with a user that is assigned a role that has the Microsoft.Authorization/roleDefinition/write permission, such as Owner or User Access Administrator.
  • If you are unable to delete a custom role and get the error message "There are existing role assignments referencing role (code: RoleDefinitionHasAssignments)", then there are role assignments still using the custom role. Remove those role assignments and try to delete the custom role again.
  • If you get the error message "Role definition limit exceeded. No more role definitions can be created (code: RoleDefinitionLimitExceeded)" when you try to create a new custom role, delete any custom roles that aren't being used. Azure supports up to 5000 custom roles in a directory. (For Azure Germany and Azure China 21Vianet, the limit is 2000 custom roles.)
  • If you get an error similar to "The client has permission to perform action 'Microsoft.Authorization/roleDefinitions/write' on scope '/subscriptions/{subscriptionid}', however the linked subscription was not found" when you try to update a custom role, check whether one or more assignable scopes have been deleted in the directory. If the scope was deleted, create a support ticket, as there is no self-service solution available at this time.

Custom roles and management groups

  • You can only define one management group in AssignableScopes of a custom role. Adding a management group to AssignableScopes is currently in preview.
  • Custom roles with DataActions cannot be assigned at the management group scope.
  • Azure Resource Manager doesn't validate the management group's existence in the role definition's assignable scope.
  • For more information about custom roles and management groups, see Organize your resources with Azure management groups.

Transferring a subscription to a different directory

  • If you need steps for how to transfer a subscription to a different Azure AD directory, see Transfer ownership of an Azure subscription to another account.
  • If you transfer a subscription to a different Azure AD directory, all role assignments are permanently deleted from the source Azure AD directory and are not migrated to the target Azure AD directory. You must re-create your role assignments in the target directory. You also have to manually re-create managed identities for Azure resources. For more information, see FAQs and known issues with managed identities.
  • If you are an Azure AD Global Administrator and you don't have access to a subscription after it was transferred between directories, use the Access management for Azure resources toggle to temporarily elevate your access to get access to the subscription.

Issues with service admins or co-admins

Access denied or permission errors

  • If you get the permissions error "The client with object id does not have authorization to perform action over scope (code: AuthorizationFailed)" when you try to create a resource, check that you are currently signed in with a user that is assigned a role that has write permission to the resource at the selected scope. For example, to manage virtual machines in a resource group, you should have the Virtual Machine Contributor role on the resource group (or a parent scope). For a list of the permissions for each built-in role, see Azure built-in roles.
  • If you get the permissions error "You don't have permission to create a support request" when you try to create or update a support ticket, check that you are currently signed in with a user that is assigned a role that has the Microsoft.Support/supportTickets/write permission, such as Support Request Contributor.

Role assignments with identity not found

In the list of role assignments in the Azure portal, you might notice that the security principal (user, group, service principal, or managed identity) is listed as Identity not found with an Unknown type.

(Screenshot: Web app resource group)

The identity might not be found for two reasons:

  • You recently invited a user when creating a role assignment
  • You deleted a security principal that had a role assignment

If you recently invited a user when creating a role assignment, this security principal might still be in the replication process across regions. If so, wait a few moments and refresh the role assignments list.

However, if this security principal is not a recently invited user, it might be a deleted security principal. If you assign a role to a security principal and then later delete that security principal without first removing the role assignment, the security principal will be listed as Identity not found with an Unknown type.

If you list this role assignment using Azure PowerShell, you might see an empty DisplayName and an ObjectType set to Unknown. For example, Get-AzRoleAssignment returns a role assignment similar to the following output:

RoleAssignmentId   : /subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/roleAssignments/22222222-2222-2222-2222-222222222222
Scope              : /subscriptions/11111111-1111-1111-1111-111111111111
DisplayName        :
SignInName         :
RoleDefinitionName : Storage Blob Data Contributor
RoleDefinitionId   : ba92f5b4-2d11-453d-a403-e96b0029c9fe
ObjectId           : 33333333-3333-3333-3333-333333333333
ObjectType         : Unknown
CanDelegate        : False

Similarly, if you list this role assignment using Azure CLI, you might see an empty principalName. For example, az role assignment list returns a role assignment similar to the following output:

{
    "canDelegate": null,
    "id": "/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/roleAssignments/22222222-2222-2222-2222-222222222222",
    "name": "22222222-2222-2222-2222-222222222222",
    "principalId": "33333333-3333-3333-3333-333333333333",
    "principalName": "",
    "roleDefinitionId": "/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe",
    "roleDefinitionName": "Storage Blob Data Contributor",
    "scope": "/subscriptions/11111111-1111-1111-1111-111111111111",
    "type": "Microsoft.Authorization/roleAssignments"
}

It isn't a problem to leave these role assignments where the security principal has been deleted. If you like, you can remove these role assignments using steps similar to those for other role assignments. For information about how to remove role assignments, see Azure portal, Azure PowerShell, or Azure CLI.

In PowerShell, if you try to remove the role assignments using the object ID and role definition name, and more than one role assignment matches your parameters, you will get the error message "The provided information does not map to a role assignment". The following output shows an example of the error message:

PS C:\> Remove-AzRoleAssignment -ObjectId 33333333-3333-3333-3333-333333333333 -RoleDefinitionName "Storage Blob Data Contributor"

Remove-AzRoleAssignment : The provided information does not map to a role assignment.
At line:1 char:1
+ Remove-AzRoleAssignment -ObjectId 33333333-3333-3333-3333-333333333333 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : CloseError: (:) [Remove-AzRoleAssignment], KeyNotFoundException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.RemoveAzureRoleAssignmentCommand

If you get this error message, make sure you also specify the -Scope or -ResourceGroupName parameter:

PS C:\> Remove-AzRoleAssignment -ObjectId 33333333-3333-3333-3333-333333333333 -RoleDefinitionName "Storage Blob Data Contributor" -Scope /subscriptions/11111111-1111-1111-1111-111111111111
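Cleaning these up across a whole subscription means finding every assignment whose principal is gone and removing each one with its own -Scope, so that two assignments for the same object ID and role never trigger the "does not map to a role assignment" error shown above. The script below is an added example, not code from the Microsoft page; it assumes the Az module, a signed-in session, and a `<subscriptionId>` placeholder, and it only reports unless you pass -Remove.

```powershell
# Added example (not from the Microsoft docs page): find role assignments whose
# principal no longer exists (ObjectType 'Unknown', empty DisplayName) within a
# subscription and optionally remove them, always passing -Scope so that the
# "provided information does not map to a role assignment" error cannot occur.
# Assumes the Az module and a signed-in session.
param(
    [string]$SubscriptionId = "<subscriptionId>",   # placeholder, replace it
    [switch]$Remove                                 # default is report-only
)

$scope = "/subscriptions/$SubscriptionId"

# Restrict to assignments at or below the subscription; inherited assignments
# from a management group must be handled at that scope by someone with rights there.
$orphans = Get-AzRoleAssignment -Scope $scope |
    Where-Object {
        $_.Scope.StartsWith($scope, [System.StringComparison]::OrdinalIgnoreCase) -and
        $_.ObjectType -eq 'Unknown' -and
        [string]::IsNullOrEmpty($_.DisplayName)
    }

if (-not $orphans) {
    Write-Host "No orphaned role assignments found under $scope"
}
else {
    # A recently invited user can also show as Unknown while cross-region
    # replication completes, so review this list before removing anything.
    $orphans | Select-Object ObjectId, RoleDefinitionName, Scope | Format-Table -AutoSize

    if ($Remove) {
        foreach ($ra in $orphans) {
            # -Scope taken from the assignment itself makes the match unambiguous.
            Remove-AzRoleAssignment -ObjectId $ra.ObjectId `
                                    -RoleDefinitionName $ra.RoleDefinitionName `
                                    -Scope $ra.Scope
            Write-Host "Removed '$($ra.RoleDefinitionName)' for $($ra.ObjectId) at $($ra.Scope)"
        }
    }
    else {
        Write-Host "Report only. Re-run with -Remove to delete the assignments listed above."
    }
}
```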

Role assignment changes are not being detected

Azure Resource Manager sometimes caches configurations and data to improve performance. When you add or remove role assignments, it can take up to 30 minutes for changes to take effect. If you are using the Azure portal, Azure PowerShell, or Azure CLI, you can force a refresh of your role assignment changes by signing out and signing in. If you are making role assignment changes with REST API calls, you can force a refresh by refreshing your access token.

If you add or remove a role assignment at management group scope and the role has DataActions, the access on the data plane might not be updated for several hours. This applies only to management group scope and the data plane.

Web app features that require write access

If you grant a user read-only access to a single web app, some features are disabled that you might not expect. The following management capabilities require write access to a web app (either Contributor or Owner), and aren't available in any read-only scenario.

  • Commands (like start, stop, etc.)
  • Changing settings like general configuration, scale settings, backup settings, and monitoring settings
  • Accessing publishing credentials and other secrets like app settings and connection strings
  • Streaming logs
  • Resource logs configuration
  • Console (command prompt)
  • Active and recent deployments (for local git continuous deployment)
  • Estimated spend
  • Web tests
  • Virtual network (only visible to a reader if a virtual network has previously been configured by a user with write access).

If you can't access any of these tiles, you need to ask your administrator for Contributor access to the web app.

Web app resources that require write access

Web apps are complicated by the presence of a few different resources that interplay. Here is a typical resource group with a couple of websites:

(Screenshot: Web app resource group)

As a result, if you grant someone access to just the web app, much of the functionality on the website blade in the Azure portal is disabled.

These items require write access to the App Service plan that corresponds to your website:

  • Viewing the web app's pricing tier (Free or Standard)
  • Scale configuration (number of instances, virtual machine size, autoscale settings)
  • Quotas (storage, bandwidth, CPU)

These items require write access to the whole resource group that contains your website:

  • TLS/SSL certificates and bindings (TLS/SSL certificates can be shared between sites in the same resource group and geo-location)
  • Alert rules
  • Autoscale settings
  • Application Insights components
  • Web tests

Virtual machine features that require write access

Similar to web apps, some features on the virtual machine blade require write access to the virtual machine, or to other resources in the resource group.

Virtual machines are related to domain names, virtual networks, storage accounts, and alert rules.

These items require write access to the virtual machine:

  • Endpoints
  • IP addresses
  • Disks
  • Extensions

These require write access to both the virtual machine and the resource group (along with the domain name) that it is in:

  • Availability set
  • Load balanced set
  • Alert rules

If you can't access any of these tiles, ask your administrator for Contributor access to the resource group.

Azure Functions and write access

Some features of Azure Functions require write access. For example, if a user is assigned the Reader role, they will not be able to view the functions within a function app. The portal will display (No access).

(Screenshot: Function app showing No access)

A reader can click the Platform features tab and then click All settings to view some settings related to a function app (similar to a web app), but they can't modify any of these settings. To access these features, you will need the Contributor role.

Next steps