Organize subscriptions into management groups and assign roles to users

This article explains how to manage your organization's security posture at scale by applying security policies to all Azure subscriptions linked to your Azure Active Directory tenant.

To get visibility into the security posture of all subscriptions registered in the Azure AD tenant, an Azure role with sufficient read permissions must be assigned on the root management group.

Organize your subscriptions into management groups

Introduction to management groups

Azure management groups provide the ability to efficiently manage access, policies, and reporting on groups of subscriptions, as well as to manage the entire Azure estate by performing actions on the root management group. You can organize subscriptions into management groups and apply your governance policies to the management groups. All subscriptions within a management group automatically inherit the policies applied to the management group.

Each Azure AD tenant is given a single top-level management group called the root management group. This root management group is built into the hierarchy so that all management groups and subscriptions fold up to it. This group allows global policies and Azure role assignments to be applied at the directory level.

The root management group is created automatically when you do any of the following actions:

Management groups aren't required to onboard Security Center, but we recommend that you create at least one so that the root management group gets created. After the group is created, all subscriptions under your Azure AD tenant will be linked to it.

For a detailed overview of management groups, see the Organize your resources with Azure management groups article.

View and create management groups in the Azure portal

  1. From the Azure portal, use the search box in the top bar to find and open Management Groups.

    [Screenshot: accessing Management Groups]

    The list of your management groups appears.

  2. To create a management group, select Add management group, enter the relevant details, and select Save.

    [Screenshot: adding a management group to Azure]

    • The Management Group ID is the directory-unique identifier that is used to submit commands on this management group. This identifier isn't editable after creation, because it is used throughout the Azure system to identify this group.
    • The display name field is the name that is displayed within the Azure portal. A separate display name is an optional field when creating the management group and can be changed at any time.

Add subscriptions to a management group

You can add subscriptions to the management group that you created.

  1. Under Management Groups, select the management group for your subscription.

    [Screenshot: selecting a management group for your subscription]

  2. When the group's page opens, select Details.

    [Screenshot: opening the management group's Details page]

  3. From the group's Details page, select Add subscription, then select your subscriptions and select Save. Repeat until you've added all the subscriptions in the scope.

    [Screenshot: adding subscriptions to a management group]

    Important

    Management groups can contain both subscriptions and child management groups. When you assign a user an Azure role on the parent management group, the access is inherited by the child management group's subscriptions. Policies set at the parent management group are also inherited by the children.

Assign Azure roles to other users

Assign Azure roles to users through the Azure portal:

  1. Sign in to the Azure portal.

  2. To view management groups, select All services under the Azure main menu, then select Management Groups.

  3. Select a management group and select Details.

    [Screenshot: management group details]

  4. Select Access control (IAM), then Role assignments.

  5. Select Add role assignment.

  6. Select the role to assign and the user, then select Save.

    [Screenshot: adding the Security Reader role]

Assign Azure roles to users with PowerShell:

  1. Install Azure PowerShell.

  2. Run the following commands:

    # Login to Azure as a Global Administrator user
    Connect-AzAccount -Environment AzureChinaCloud
    
  3. When prompted, sign in with Global Administrator credentials.

    [Screenshot: sign-in prompt]

  4. Grant Reader role permissions by running the following command:

    # Add the Reader role for the required user on the root management group (scope "/")
    # Replace "user@domain.com" with the user to grant access to
    New-AzRoleAssignment -SignInName "user@domain.com" -RoleDefinitionName "Reader" -Scope "/"
    
  5. To remove the role, run the following command:

    # Remove the Reader role assignment from the root management group
    Remove-AzRoleAssignment -SignInName "user@domain.com" -RoleDefinitionName "Reader" -Scope "/"
    
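The following script is an added example, not part of the original article or of Azure PowerShell itself. It ties the two procedures above together: it creates a child management group under the root, moves subscriptions into it, grants Reader on the root management group only if the assignment does not already exist, and then lists the root-scope assignment to verify that it is what makes the child group's subscriptions visible. The group name, display name, subscription IDs and sign-in name are placeholders you must replace.

```powershell
# Added example (not from the original article). Requires Az.Accounts and Az.Resources.
# Placeholders: group name, display name, subscription IDs and the user's sign-in name.
#Requires -Modules Az.Accounts, Az.Resources

$ErrorActionPreference = 'Stop'

# Same environment as the article's Connect-AzAccount call
Connect-AzAccount -Environment AzureChinaCloud | Out-Null

# The root management group's ID is the Azure AD tenant ID
$tenantId = (Get-AzContext).Tenant.Id
$rootId   = "/providers/Microsoft.Management/managementGroups/$tenantId"

# Placeholder values (constructed for this example)
$groupName       = 'mg-security-prod'         # Management Group ID: immutable after creation
$displayName     = 'Security - Production'    # display name: can be changed later
$subscriptionIds = @('<subscription-id-1>', '<subscription-id-2>')
$signInName      = 'user@domain.com'

# 1. Create the child management group under the root if it does not exist yet
$mg = Get-AzManagementGroup -GroupName $groupName -ErrorAction SilentlyContinue
if (-not $mg) {
    $mg = New-AzManagementGroup -GroupName $groupName -DisplayName $displayName -ParentId $rootId
}

# 2. Move each subscription under the child management group
foreach ($subId in $subscriptionIds) {
    New-AzManagementGroupSubscription -GroupName $groupName -SubscriptionId $subId
}

# 3. Grant Reader on the root management group; skip if the assignment already exists
$existing = Get-AzRoleAssignment -SignInName $signInName -RoleDefinitionName 'Reader' -Scope '/' |
    Where-Object { $_.Scope -eq '/' }
if (-not $existing) {
    New-AzRoleAssignment -SignInName $signInName -RoleDefinitionName 'Reader' -Scope '/' | Out-Null
}

# 4. Verify: the root-scope assignment is inherited by every management group and subscription
Get-AzRoleAssignment -SignInName $signInName -Scope '/' |
    Where-Object { $_.Scope -eq '/' } |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

Run it with an account that has User Access Administrator at the root scope (the elevated access described in the next section), and remove that elevation afterwards as the article recommends.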

Remove elevated access

Once the Azure roles have been assigned to the users, the tenant administrator should remove themselves from the User Access Administrator role.

  1. Sign in to the Azure portal.

  2. In the navigation list, select Azure Active Directory, then select Properties.

  3. Under Access management for Azure resources, set the switch to No.

  4. To save your setting, select Save.

Next steps

In this article, you learned how to organize subscriptions into management groups and assign roles to users. For related information, see: