Tutorial: Grant a group access to Azure resources using Azure PowerShell

Azure role-based access control (Azure RBAC) is the way that you manage access to Azure resources. In this tutorial, you grant a group access to view everything in a subscription and to manage everything in a resource group, using Azure PowerShell.

In this tutorial, you learn how to:

  • Grant access for a group at different scopes
  • List access
  • Remove access

If you don't have an Azure subscription, create a trial account before you begin.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Prerequisites

To complete this tutorial, you will need:

  • Permissions to create groups in Azure Active Directory (or an existing group)

Role assignments

In Azure RBAC, to grant access, you create a role assignment. A role assignment consists of three elements: security principal, role definition, and scope. Here are the two role assignments you will perform in this tutorial:

    Security principal            Role definition   Scope
    --------------------------    ---------------   ---------------------------------------------
    Group (RBAC Tutorial Group)   Reader            Subscription
    Group (RBAC Tutorial Group)   Contributor       Resource group (rbac-tutorial-resource-group)

[Figure: Role assignments for a group]

Create a group

To assign a role, you need a user, group, or service principal. If you don't already have a group, you can create one.

  • In Azure PowerShell, create a new group using the New-AzureADGroup command.

    Connect-AzureAD -AzureEnvironmentName AzureChinaCloud
    
    New-AzureADGroup -DisplayName "RBAC Tutorial Group" `
       -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"
    
    ObjectId                             DisplayName         Description
    --------                             -----------         -----------
    11111111-1111-1111-1111-111111111111 RBAC Tutorial Group
    

If you don't have permissions to create groups, you can try the Tutorial: Grant a user access to Azure resources using Azure PowerShell instead.

Create a resource group

You use a resource group to show how to assign a role at a resource group scope.

  1. Get a list of region locations using the Get-AzLocation command.

    Get-AzLocation | select Location
    
  2. Select a location near you and assign it to a variable.

    $location = "chinanorth"
    
  3. Create a new resource group using the New-AzResourceGroup command.

    New-AzResourceGroup -Name "rbac-tutorial-resource-group" -Location $location
    
    ResourceGroupName : rbac-tutorial-resource-group
    Location          : chinanorth
    ProvisioningState : Succeeded
    Tags              :
    ResourceId        : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rbac-tutorial-resource-group
    

Grant access

To grant access for the group, you use the New-AzRoleAssignment command to assign a role. You must specify the security principal, role definition, and scope.

  1. Get the object ID of the group using the Get-AzureADGroup command.

    Get-AzureADGroup -SearchString "RBAC Tutorial Group"
    
    ObjectId                             DisplayName         Description
    --------                             -----------         -----------
    11111111-1111-1111-1111-111111111111 RBAC Tutorial Group
    
  2. Save the group object ID in a variable.

    $groupId = "11111111-1111-1111-1111-111111111111"
    
  3. Get the ID of your subscription using the Get-AzSubscription command.

    Get-AzSubscription
    
    Name     : Pay-As-You-Go
    Id       : 00000000-0000-0000-0000-000000000000
    TenantId : 22222222-2222-2222-2222-222222222222
    State    : Enabled
    
  4. Save the subscription scope in a variable.

    $subScope = "/subscriptions/00000000-0000-0000-0000-000000000000"
    
  5. Assign the Reader role to the group at the subscription scope.

    New-AzRoleAssignment -ObjectId $groupId `
      -RoleDefinitionName "Reader" `
      -Scope $subScope
    
    RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/44444444-4444-4444-4444-444444444444
    Scope              : /subscriptions/00000000-0000-0000-0000-000000000000
    DisplayName        : RBAC Tutorial Group
    SignInName         :
    RoleDefinitionName : Reader
    RoleDefinitionId   : acdd72a7-3385-48ef-bd42-f606fba81ae7
    ObjectId           : 11111111-1111-1111-1111-111111111111
    ObjectType         : Group
    CanDelegate        : False
    
  6. Assign the Contributor role to the group at the resource group scope.

    New-AzRoleAssignment -ObjectId $groupId `
      -RoleDefinitionName "Contributor" `
      -ResourceGroupName "rbac-tutorial-resource-group"
    
    RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rbac-tutorial-resource-group/providers/Microsoft.Authorization/roleAssignments/33333333-3333-3333-3333-333333333333
    Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rbac-tutorial-resource-group
    DisplayName        : RBAC Tutorial Group
    SignInName         :
    RoleDefinitionName : Contributor
    RoleDefinitionId   : b24988ac-6180-42a0-ab88-20f7382dd24c
    ObjectId           : 11111111-1111-1111-1111-111111111111
    ObjectType         : Group
    CanDelegate        : False
    
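The six steps above, combined into one script as an added example (not code from the original tutorial): it resolves the group by exact display name instead of pasting the object ID, derives the subscription scope from the current Az context, and creates each assignment only if an identical one is not already present at that exact scope, so the script can be re-run safely. It assumes Connect-AzAccount and Connect-AzureAD have already been run for the same tenant.

```powershell
# Added example: idempotent version of the Grant access procedure.
# Assumes Connect-AzAccount and Connect-AzureAD have already been run.
$groupName = "RBAC Tutorial Group"
$rgName    = "rbac-tutorial-resource-group"

# -SearchString is a prefix match, so keep only the exact name and require
# a single hit; assigning a role to the wrong group is a silent over-grant.
$groups = @(Get-AzureADGroup -SearchString $groupName |
            Where-Object { $_.DisplayName -eq $groupName })
if ($groups.Count -ne 1) {
    throw "Expected exactly one group named '$groupName', found $($groups.Count)."
}
$groupId = $groups[0].ObjectId

# Build both scopes from the current subscription rather than a hard-coded ID.
$subId    = (Get-AzContext).Subscription.Id
$subScope = "/subscriptions/$subId"
$rgScope  = "$subScope/resourceGroups/$rgName"

# The two assignments from the table in this tutorial, as (role, scope) pairs.
$wanted = @(
    @{ Role = "Reader";      Scope = $subScope },
    @{ Role = "Contributor"; Scope = $rgScope  }
)

foreach ($w in $wanted) {
    # Get-AzRoleAssignment -Scope also returns assignments inherited from parent
    # scopes, so filter on the exact scope before deciding it already exists.
    $existing = Get-AzRoleAssignment -ObjectId $groupId `
                    -RoleDefinitionName $w.Role -Scope $w.Scope |
                Where-Object { $_.Scope -eq $w.Scope }
    if ($existing) {
        Write-Host "Already assigned: $($w.Role) at $($w.Scope)"
        continue
    }
    New-AzRoleAssignment -ObjectId $groupId `
        -RoleDefinitionName $w.Role -Scope $w.Scope | Out-Null
    Write-Host "Assigned: $($w.Role) at $($w.Scope)"
}
```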

List access

  1. To verify the access for the subscription, use the Get-AzRoleAssignment command to list the role assignments.

    Get-AzRoleAssignment -ObjectId $groupId -Scope $subScope
    
    RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/22222222-2222-2222-2222-222222222222
    Scope              : /subscriptions/00000000-0000-0000-0000-000000000000
    DisplayName        : RBAC Tutorial Group
    SignInName         :
    RoleDefinitionName : Reader
    RoleDefinitionId   : acdd72a7-3385-48ef-bd42-f606fba81ae7
    ObjectId           : 11111111-1111-1111-1111-111111111111
    ObjectType         : Group
    CanDelegate        : False
    

    In the output, you can see that the Reader role has been assigned to the RBAC Tutorial Group at the subscription scope.

  2. To verify the access for the resource group, use the Get-AzRoleAssignment command to list the role assignments.

    Get-AzRoleAssignment -ObjectId $groupId -ResourceGroupName "rbac-tutorial-resource-group"
    
    RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rbac-tutorial-resource-group/providers/Microsoft.Authorization/roleAssignments/33333333-3333-3333-3333-333333333333
    Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rbac-tutorial-resource-group
    DisplayName        : RBAC Tutorial Group
    SignInName         :
    RoleDefinitionName : Contributor
    RoleDefinitionId   : b24988ac-6180-42a0-ab88-20f7382dd24c
    ObjectId           : 11111111-1111-1111-1111-111111111111
    ObjectType         : Group
    CanDelegate        : False
    
    RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/22222222-2222-2222-2222-222222222222
    Scope              : /subscriptions/00000000-0000-0000-0000-000000000000
    DisplayName        : RBAC Tutorial Group
    SignInName         :
    RoleDefinitionName : Reader
    RoleDefinitionId   : acdd72a7-3385-48ef-bd42-f606fba81ae7
    ObjectId           : 11111111-1111-1111-1111-111111111111
    ObjectType         : Group
    CanDelegate        : False
    

    In the output, you can see that both the Contributor and Reader roles have been assigned to the RBAC Tutorial Group. The Contributor role is assigned at the rbac-tutorial-resource-group scope, and the Reader role is inherited from the subscription scope.
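The direct-versus-inherited distinction in the output above, made explicit as an added example (not code from the original tutorial): it lists every assignment that applies to the group at the resource group, labels each as direct or inherited by comparing its Scope with the resource group's ResourceId, and warns if anything falls outside the set this tutorial intends (one direct Contributor, one inherited Reader). It assumes $groupId is set as in the earlier steps.

```powershell
# Added example: audit which of the group's assignments are direct at the
# resource group and which are inherited from a broader scope.
# Assumes $groupId was set as in the Grant access steps.
$rgName = "rbac-tutorial-resource-group"
$rg     = Get-AzResourceGroup -Name $rgName

# -ResourceGroupName returns assignments at the resource group and at every
# parent scope; Scope tells you where each one was actually created.
$rows = Get-AzRoleAssignment -ObjectId $groupId -ResourceGroupName $rgName |
    ForEach-Object {
        $direct = ($_.Scope -eq $rg.ResourceId)
        [PSCustomObject]@{
            Role      = $_.RoleDefinitionName
            Origin    = $(if ($direct) { "direct" } else { "inherited" })
            Scope     = $_.Scope
            Principal = $_.DisplayName
        }
    }

$rows | Sort-Object Origin, Role | Format-Table -AutoSize

# Expected after this tutorial: Contributor directly on the resource group and
# only Reader inherited from the subscription. Anything else (for example a
# Contributor inherited from the subscription) grants more than intended.
$unexpected = $rows | Where-Object {
    ($_.Origin -eq "inherited" -and $_.Role -ne "Reader") -or
    ($_.Origin -eq "direct"    -and $_.Role -ne "Contributor")
}
if ($unexpected) {
    Write-Warning "Role assignments outside the tutorial's expected set:"
    $unexpected | Format-Table -AutoSize | Out-String | Write-Warning
}
```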

(Optional) List access using the Azure portal

  1. To see how the role assignments look in the Azure portal, view the Access control (IAM) blade for the subscription.

    [Figure: Role assignments for a group at the subscription scope]

  2. View the Access control (IAM) blade for the resource group.

    [Figure: Role assignments for a group at the resource group scope]

Remove access

To remove access for users, groups, and applications, use Remove-AzRoleAssignment to remove a role assignment.

  1. Use the following command to remove the Contributor role assignment for the group at the resource group scope.

    Remove-AzRoleAssignment -ObjectId $groupId `
      -RoleDefinitionName "Contributor" `
      -ResourceGroupName "rbac-tutorial-resource-group"
    
  2. Use the following command to remove the Reader role assignment for the group at the subscription scope.

    Remove-AzRoleAssignment -ObjectId $groupId `
      -RoleDefinitionName "Reader" `
      -Scope $subScope
    

Clean up resources

To clean up the resources created by this tutorial, delete the resource group and the group.

  1. Delete the resource group using the Remove-AzResourceGroup command.

    Remove-AzResourceGroup -Name "rbac-tutorial-resource-group"
    
    Confirm
    Are you sure you want to remove resource group 'rbac-tutorial-resource-group'
    [Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"):
    
  2. When asked to confirm, type Y. It will take a few seconds to delete.

  3. Delete the group using the Remove-AzureADGroup command.

    Remove-AzureADGroup -ObjectId $groupId
    

    If you receive an error when you try to delete the group, you can also delete the group in the portal.

Next steps