Tutorial: Grant a user access to Azure resources using Azure PowerShell

Azure role-based access control (Azure RBAC) is the way that you manage access to Azure resources. In this tutorial, you grant a user access to view everything in a subscription and manage everything in a resource group using Azure PowerShell.

In this tutorial, you learn how to:

  • Grant access for a user at different scopes
  • List access
  • Remove access

If you don't have an Azure subscription, create a trial account before you begin.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Prerequisites

To complete this tutorial, you will need:

  • Permissions to create users in Azure Active Directory (or have an existing user)
  • Permissions to create role assignments at the subscription scope, such as the Owner or User Access Administrator role (role assignments are written with the Microsoft.Authorization/roleAssignments/write permission)
  • The Az and AzureAD PowerShell modules, since the tutorial uses Az cmdlets for role assignments and AzureAD cmdlets for the user

Role assignments

In Azure RBAC, to grant access, you create a role assignment. A role assignment consists of three elements: security principal, role definition, and scope. Here are the two role assignments you will perform in this tutorial:

    Security principal           Role definition   Scope
    User (RBAC Tutorial User)    Reader            Subscription
    User (RBAC Tutorial User)    Contributor       Resource group (rbac-tutorial-resource-group)

Figure: Role assignments for a user

Create a user

To assign a role, you need a user, group, or service principal. If you don't already have a user, you can create one.

  1. In Azure PowerShell, connect to Azure AD and create a password that complies with your password complexity requirements. The literal below is only a placeholder: use a strong, unique value, and do not leave real passwords in scripts or shell history.

    Connect-AzureAD -AzureEnvironmentName AzureChinaCloud
    
    $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
    $PasswordProfile.Password = "Password"   # placeholder only; replace with a strong password that meets your tenant's policy
    
  2. Create a new user for your domain using the New-AzureADUser command.

    New-AzureADUser -DisplayName "RBAC Tutorial User" -PasswordProfile $PasswordProfile `
      -UserPrincipalName "rbacuser@example.com" -AccountEnabled $true -MailNickName "rbacuser"
    
    ObjectId                             DisplayName        UserPrincipalName    UserType
    --------                             -----------        -----------------    --------
    11111111-1111-1111-1111-111111111111 RBAC Tutorial User rbacuser@example.com Member
    

Create a resource group

You use a resource group to show how to assign a role at a resource group scope.

  1. Get a list of region locations using the Get-AzLocation command.

    Get-AzLocation | select Location
    
  2. Select a location near you and assign it to a variable.

    $location = "chinanorth"
    
  3. Create a new resource group using the New-AzResourceGroup command.

    New-AzResourceGroup -Name "rbac-tutorial-resource-group" -Location $location
    
    ResourceGroupName : rbac-tutorial-resource-group
    Location          : chinanorth
    ProvisioningState : Succeeded
    Tags              :
    ResourceId        : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rbac-tutorial-resource-group
    

Grant access

To grant access for the user, you use the New-AzRoleAssignment command to assign a role. You must specify the security principal, role definition, and scope. If the user was created only moments ago, the assignment can fail because the principal has not yet replicated through the directory; wait briefly and retry.

  1. Get the ID of your subscription using the Get-AzSubscription command.

    Get-AzSubscription
    
    Name     : Pay-As-You-Go
    Id       : 00000000-0000-0000-0000-000000000000
    TenantId : 22222222-2222-2222-2222-222222222222
    State    : Enabled
    
  2. Save the subscription scope in a variable.

    $subScope = "/subscriptions/00000000-0000-0000-0000-000000000000"
    
  3. Assign the Reader role to the user at the subscription scope.

    New-AzRoleAssignment -SignInName rbacuser@example.com `
      -RoleDefinitionName "Reader" `
      -Scope $subScope
    
    RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/44444444-4444-4444-4444-444444444444
    Scope              : /subscriptions/00000000-0000-0000-0000-000000000000
    DisplayName        : RBAC Tutorial User
    SignInName         : rbacuser@example.com
    RoleDefinitionName : Reader
    RoleDefinitionId   : acdd72a7-3385-48ef-bd42-f606fba81ae7
    ObjectId           : 11111111-1111-1111-1111-111111111111
    ObjectType         : User
    CanDelegate        : False
    
  4. Assign the Contributor role to the user at the resource group scope. Scoping Contributor to the resource group, rather than the subscription, keeps the user's write access limited to the resources that live there.

    New-AzRoleAssignment -SignInName rbacuser@example.com `
      -RoleDefinitionName "Contributor" `
      -ResourceGroupName "rbac-tutorial-resource-group"
    
    RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rbac-tutorial-resource-group/providers/Microsoft.Authorization/roleAssignments/33333333-3333-3333-3333-333333333333
    Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rbac-tutorial-resource-group
    DisplayName        : RBAC Tutorial User
    SignInName         : rbacuser@example.com
    RoleDefinitionName : Contributor
    RoleDefinitionId   : b24988ac-6180-42a0-ab88-20f7382dd24c
    ObjectId           : 11111111-1111-1111-1111-111111111111
    ObjectType         : User
    CanDelegate        : False
    
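The two assignments above are made by sign-in name and are not safe to re-run: a second New-AzRoleAssignment for the same principal, role and scope fails because the assignment already exists. The following script is an added example, not part of the original tutorial, that resolves the user to an object ID and grants each role only if it is not already present at exactly that scope. It assumes an existing Az session against Azure China (Connect-AzAccount -Environment AzureChinaCloud), that Get-AzADUser can see the user created above, and the tutorial's user and resource group names; the function name is the example's own.

```powershell
# Added example (not part of the original tutorial): grant a role idempotently
# and verify it landed at exactly the requested scope.
# Assumes: Az session (Connect-AzAccount -Environment AzureChinaCloud),
# the user rbacuser@example.com and the tutorial resource group exist.

function Grant-RoleIfMissing {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $RoleDefinitionName,
        [Parameter(Mandatory)] [string] $Scope
    )

    # Resolve the principal once and assign by ObjectId. This avoids ambiguity
    # with guest UPNs (which contain "#EXT#") and display-name lookups.
    $user = Get-AzADUser -UserPrincipalName $UserPrincipalName
    if (-not $user) { throw "User '$UserPrincipalName' not found in the directory." }

    # Get-AzRoleAssignment at a scope also returns assignments inherited from
    # parent scopes, so compare Scope exactly before deciding nothing is needed.
    $existing = Get-AzRoleAssignment -ObjectId $user.Id -Scope $Scope -RoleDefinitionName $RoleDefinitionName |
        Where-Object { $_.Scope -eq $Scope }

    if ($existing) {
        Write-Verbose "'$RoleDefinitionName' is already assigned to $UserPrincipalName at $Scope"
        return $existing
    }

    New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName $RoleDefinitionName -Scope $Scope
}

$subScope = "/subscriptions/$((Get-AzContext).Subscription.Id)"
$rgScope  = "$subScope/resourceGroups/rbac-tutorial-resource-group"

# Reader on the whole subscription, Contributor only on the tutorial resource group.
Grant-RoleIfMissing -UserPrincipalName "rbacuser@example.com" -RoleDefinitionName "Reader"      -Scope $subScope -Verbose
Grant-RoleIfMissing -UserPrincipalName "rbacuser@example.com" -RoleDefinitionName "Contributor" -Scope $rgScope  -Verbose
```

Running the script twice produces the same two assignments; the second run reports them as already present instead of failing. The exact-scope comparison matters: without it, a Reader assignment inherited from the subscription would be mistaken for a Reader assignment at the resource group.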

List access

  1. To verify the access for the subscription, use the Get-AzRoleAssignment command to list the role assignments.

    Get-AzRoleAssignment -SignInName rbacuser@example.com -Scope $subScope
    
    RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/44444444-4444-4444-4444-444444444444
    Scope              : /subscriptions/00000000-0000-0000-0000-000000000000
    DisplayName        : RBAC Tutorial User
    SignInName         : rbacuser@example.com
    RoleDefinitionName : Reader
    RoleDefinitionId   : acdd72a7-3385-48ef-bd42-f606fba81ae7
    ObjectId           : 11111111-1111-1111-1111-111111111111
    ObjectType         : User
    CanDelegate        : False
    

    In the output, you can see that the Reader role has been assigned to the RBAC Tutorial User at the subscription scope.

  2. To verify the access for the resource group, use the Get-AzRoleAssignment command to list the role assignments.

    Get-AzRoleAssignment -SignInName rbacuser@example.com -ResourceGroupName "rbac-tutorial-resource-group"
    
    RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rbac-tutorial-resource-group/providers/Microsoft.Authorization/roleAssignments/33333333-3333-3333-3333-333333333333
    Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rbac-tutorial-resource-group
    DisplayName        : RBAC Tutorial User
    SignInName         : rbacuser@example.com
    RoleDefinitionName : Contributor
    RoleDefinitionId   : b24988ac-6180-42a0-ab88-20f7382dd24c
    ObjectId           : 11111111-1111-1111-1111-111111111111
    ObjectType         : User
    CanDelegate        : False
    
    RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/44444444-4444-4444-4444-444444444444
    Scope              : /subscriptions/00000000-0000-0000-0000-000000000000
    DisplayName        : RBAC Tutorial User
    SignInName         : rbacuser@example.com
    RoleDefinitionName : Reader
    RoleDefinitionId   : acdd72a7-3385-48ef-bd42-f606fba81ae7
    ObjectId           : 11111111-1111-1111-1111-111111111111
    ObjectType         : User
    CanDelegate        : False
    

    In the output, you can see that both the Contributor and Reader roles apply to the RBAC Tutorial User at the resource group. The Contributor role is assigned directly at the rbac-tutorial-resource-group scope, while the Reader role is inherited from the subscription scope; its Scope field still shows the subscription, which is how you tell an inherited assignment from a direct one.
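Telling direct assignments from inherited ones by reading the Scope field is error-prone once a principal has more than a handful of roles, and a listing by sign-in name misses roles the user receives through group membership. The following script is an added example, not part of the original tutorial, that lists everything in effect for the user at the resource group scope, including group-derived assignments, and labels each entry Direct or Inherited by comparing its Scope with the queried scope. It assumes the same Az session, user and resource group as the tutorial; the function name is the example's own.

```powershell
# Added example (not part of the original tutorial): show every role assignment
# in effect for a user at a scope and label each as Direct or Inherited.
# Assumes: Az session, the user rbacuser@example.com and the tutorial
# resource group exist.

function Get-EffectiveRoleAssignment {
    param(
        [Parameter(Mandatory)] [string] $SignInName,
        [Parameter(Mandatory)] [string] $Scope
    )

    # -ExpandPrincipalGroups also returns assignments the user receives via
    # group membership, which a plain per-user listing would miss.
    Get-AzRoleAssignment -SignInName $SignInName -Scope $Scope -ExpandPrincipalGroups |
        ForEach-Object {
            [pscustomobject]@{
                Role       = $_.RoleDefinitionName
                Principal  = $_.DisplayName
                ObjectType = $_.ObjectType      # User for direct, Group for group-derived
                Scope      = $_.Scope
                # An assignment whose Scope differs from the queried scope was made
                # at a parent (subscription or management group) and is inherited.
                Origin     = if ($_.Scope -eq $Scope) { 'Direct' } else { 'Inherited' }
            }
        }
}

$subScope = "/subscriptions/$((Get-AzContext).Subscription.Id)"
$rgScope  = "$subScope/resourceGroups/rbac-tutorial-resource-group"

Get-EffectiveRoleAssignment -SignInName "rbacuser@example.com" -Scope $rgScope |
    Sort-Object Origin, Role |
    Format-Table Role, Origin, ObjectType, Principal, Scope -AutoSize
```

For the tutorial's two assignments the table shows Contributor as Direct and Reader as Inherited. An entry whose Origin is Inherited cannot be removed at the resource group; it has to be removed at the scope shown in its Scope column.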

(Optional) List access using the Azure portal

  1. To see how the role assignments look in the Azure portal, view the Access control (IAM) blade for the subscription.

    Figure: Role assignments for a user at the subscription scope

  2. View the Access control (IAM) blade for the resource group.

    Figure: Role assignments for a user at the resource group scope

Remove access

To remove access for users, groups, and applications, use Remove-AzRoleAssignment to remove a role assignment. The scope you pass must be the one the assignment was made at; you cannot remove an inherited assignment from a child scope.

  1. Use the following command to remove the Contributor role assignment for the user at the resource group scope.

    Remove-AzRoleAssignment -SignInName rbacuser@example.com `
      -RoleDefinitionName "Contributor" `
      -ResourceGroupName "rbac-tutorial-resource-group"
    
  2. Use the following command to remove the Reader role assignment for the user at the subscription scope.

    Remove-AzRoleAssignment -SignInName rbacuser@example.com `
      -RoleDefinitionName "Reader" `
      -Scope $subScope
    
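Removing assignments one role and one scope at a time is fine for a tutorial, but when a user leaves a project you usually want to revoke everything they hold in the subscription, and to see the list before anything is deleted. The following script is an added example, not part of the original tutorial, that enumerates all of the user's assignments in the current subscription and removes each at its own scope, with -WhatIf support for a dry run. It assumes the same Az session and user as the tutorial and that you hold role-assignment write permission at the subscription; the function name is the example's own.

```powershell
# Added example (not part of the original tutorial): revoke every role a user
# holds in the current subscription, with a dry run first.
# Assumes: Az session, the user rbacuser@example.com exists, and the caller can
# write role assignments at the subscription scope.

function Revoke-AllRoleAssignments {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )

    $user = Get-AzADUser -UserPrincipalName $UserPrincipalName
    if (-not $user) { throw "User '$UserPrincipalName' not found in the directory." }

    $subScope = "/subscriptions/$((Get-AzContext).Subscription.Id)"

    # Without -Scope, Get-AzRoleAssignment returns the principal's assignments at
    # the subscription and every scope beneath it. Assignments inherited from a
    # management group have a Scope outside the subscription; they are skipped
    # here because they must be removed at that scope, with permissions there.
    $assignments = Get-AzRoleAssignment -ObjectId $user.Id |
        Where-Object { $_.Scope -like "$subScope*" }

    foreach ($a in $assignments) {
        # With -WhatIf on the caller, ShouldProcess prints the target and returns
        # $false, so nothing is removed.
        if ($PSCmdlet.ShouldProcess("$($a.RoleDefinitionName) at $($a.Scope)", "Remove role assignment")) {
            Remove-AzRoleAssignment -ObjectId $user.Id `
                -RoleDefinitionName $a.RoleDefinitionName `
                -Scope $a.Scope
        }
    }
}

# Dry run: lists each assignment that would be removed.
Revoke-AllRoleAssignments -UserPrincipalName "rbacuser@example.com" -WhatIf

# Real run, then confirm nothing is left for the user in this subscription.
Revoke-AllRoleAssignments -UserPrincipalName "rbacuser@example.com"
Get-AzRoleAssignment -SignInName "rbacuser@example.com"
```

Revoking by ObjectId and exact Scope removes each assignment where it was made, which is what the tutorial's two Remove-AzRoleAssignment calls do by hand. The final Get-AzRoleAssignment should return nothing; if it still lists a role, check its Scope, since an assignment inherited from above the subscription will not have been touched.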

Clean up resources

To clean up the resources created by this tutorial, delete the resource group and the user.

  1. Delete the resource group using the Remove-AzResourceGroup command.

    Remove-AzResourceGroup -Name "rbac-tutorial-resource-group"
    
    Confirm
    Are you sure you want to remove resource group 'rbac-tutorial-resource-group'
    [Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"):
    
  2. When asked to confirm, type Y. It will take a few seconds to delete.

  3. Delete the user using the Remove-AzureADUser command. The -ObjectId parameter accepts either the user's object ID or the user principal name.

    Remove-AzureADUser -ObjectId "rbacuser@example.com"
    

Next steps