Gain tenant-wide visibility for Azure Security Center

This article explains how to manage your organization's security posture at scale by applying security policies to all Azure subscriptions linked to your Azure Active Directory tenant.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Management groups

Azure management groups provide the ability to efficiently manage access, policies, and reporting on groups of subscriptions, as well as to manage the entire Azure estate by performing actions on the root management group. Each Azure AD tenant is given a single top-level management group called the root management group. This root management group is built into the hierarchy so that all other management groups and subscriptions fold up to it. This group allows global policies and RBAC assignments to be applied at the directory level.

The root management group is created automatically when you do any of the following actions:

  1. Opt in to use Azure management groups by navigating to Management Groups in the Azure portal.
  2. Create a management group via an API call.
  3. Create a management group with PowerShell.

For a detailed overview of management groups, see the Organize your resources with Azure management groups article.

Create a management group in the Azure portal

You can organize subscriptions into management groups and apply your governance policies to the management groups. All subscriptions within a management group automatically inherit the policies applied to the management group. While management groups aren't required to onboard Security Center, it's highly recommended that you create at least one management group so that the root management group is created. After the group is created, all subscriptions under your Azure AD tenant will be linked to it. For PowerShell instructions and more information, see Create management groups for resource and organization management.

  1. Sign in to the Azure portal.

  2. Select All services > Management groups.

  3. On the main page, select New Management group.

  4. Fill in the management group ID field.

    • The Management Group ID is the directory-unique identifier that is used to submit commands on this management group. This identifier isn't editable after creation, because it is used throughout the Azure system to identify this group.

    • The display name field is the name that is displayed within the Azure portal. A separate display name is an optional field when creating the management group and can be changed at any time.

  5. Select Save.

View management groups in the Azure portal

  1. Sign in to the Azure portal.

  2. To view management groups, select All services under the Azure main menu.

  3. Under General, select Management Groups.

Grant tenant-level visibility and the ability to assign policies

To get visibility into the security posture of all subscriptions registered in the Azure AD tenant, an RBAC role with sufficient read permissions must be assigned on the root management group.

Elevate access for a global administrator in Azure Active Directory

An Azure Active Directory tenant administrator doesn't have direct access to Azure subscriptions. However, as a directory administrator, they have the right to elevate themselves to a role that does have access. An Azure AD tenant administrator needs to elevate themselves to User Access Administrator at the root management group level so that they can assign RBAC roles. For PowerShell instructions and additional information, see Elevate access for a Global administrator in Azure Active Directory.

  1. Sign in to the Azure portal.

  2. In the navigation list, click Azure Active Directory and then click Properties.

    (Screenshot: Azure AD properties)

  3. Under Access management for Azure resources, set the switch to Yes.

    (Screenshot: Global admin can manage Azure subscriptions and management groups)

    • When you set the switch to Yes, you are assigned the User Access Administrator role in Azure RBAC at the root scope (/). This grants you permission to assign roles in all Azure subscriptions and management groups associated with this Azure AD directory. This switch is only available to users who are assigned the Global Administrator role in Azure AD.

    • When you set the switch to No, the User Access Administrator role in Azure RBAC is removed from your user account. You can no longer assign roles in all Azure subscriptions and management groups that are associated with this Azure AD directory. You can view and manage only the Azure subscriptions and management groups to which you have been granted access.

  4. Click Save to save your setting.

    • This setting isn't a global property and applies only to the currently logged-in user.

  5. Perform the tasks you need to complete with the elevated access. When you're done, set the switch back to No.

Assign RBAC roles to users

To gain visibility into all subscriptions, tenant administrators need to assign the appropriate RBAC role, at the root management group level, to any users they wish to grant tenant-wide visibility to, including themselves. The recommended roles to assign are either Security Admin or Security Reader. Generally, the Security Admin role is required to apply policies at the root level, while Security Reader is sufficient to provide tenant-level visibility. For more information about the permissions granted by these roles, see the Security Admin built-in role description or the Security Reader built-in role description.

Assign RBAC roles to users through the Azure portal:

  1. Sign in to the Azure portal.

  2. To view management groups, select All services under the Azure main menu, then select Management Groups.

  3. Select a management group and click details.

    (Screenshot: management group details)

  4. Click Access control (IAM), then Role assignments.

  5. Click Add role assignment.

  6. Select the role to assign and the user, then click Save.

    (Screenshot: adding the Security Reader role)

Assign RBAC roles to users with PowerShell:


  1. Install Azure PowerShell.

  2. Run the following commands:

    # Sign in to Azure as a Global Administrator user
    # (this article targets Azure China, hence the AzureChinaCloud environment)
    Connect-AzAccount -EnvironmentName AzureChinaCloud

  3. When prompted, sign in with global admin credentials.

    (Screenshot: sign-in prompt)

  4. Grant Reader role permissions by running the following command:

    # Add the Reader role to the required user on the root management group
    # Replace "user@domain.com" with the user to grant access to
    New-AzRoleAssignment -SignInName "user@domain.com" -RoleDefinitionName "Reader" -Scope "/"

  5. To remove the role, use the following command:

    # Remove the same assignment at the root scope
    Remove-AzRoleAssignment -SignInName "user@domain.com" -RoleDefinitionName "Reader" -Scope "/"
    

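The following PowerShell is an added example, not code from the original article: it assigns one of the roles the article recommends (Security Reader by default, Security Admin optionally) at the root scope "/" only if the user does not already hold it, then lists what the user holds there so a second person can review the grant. It assumes Connect-AzAccount has already been run by an elevated global administrator, and `-SignInName` is supplied by the caller (the article's "user@domain.com" is a placeholder).

```powershell
# Added example (not from the original article). Grants Security Reader or
# Security Admin at the root scope idempotently and prints the resulting
# assignments for review. Assumes an elevated global administrator has already
# signed in with Connect-AzAccount (see the commands above).
param(
    [Parameter(Mandatory = $true)]
    [string]$SignInName,                       # e.g. the placeholder user@domain.com

    [ValidateSet("Security Reader", "Security Admin")]
    [string]$Role = "Security Reader"          # least privilege by default
)

$scope = "/"   # root scope, as used in the article's own commands

# Look for an equivalent assignment before creating a duplicate one.
$existing = Get-AzRoleAssignment -SignInName $SignInName -Scope $scope |
    Where-Object { $_.RoleDefinitionName -eq $Role -and $_.Scope -eq $scope }

if ($existing) {
    Write-Output "$SignInName already holds '$Role' at scope '$scope'; nothing to do."
}
else {
    New-AzRoleAssignment -SignInName $SignInName -RoleDefinitionName $Role -Scope $scope | Out-Null
    Write-Output "Assigned '$Role' to $SignInName at scope '$scope'."
}

# Show everything the user holds at the root scope, so a reviewer can confirm
# that only the intended role was granted (and nothing broader such as Owner).
Get-AzRoleAssignment -SignInName $SignInName -Scope $scope |
    Select-Object DisplayName, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

Run it as `.\Grant-RootSecurityRole.ps1 -SignInName user@domain.com` (the script file name is this example's own choice); pass `-Role "Security Admin"` only when the user also needs to apply policies at the root level, as the section above describes.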
Open or refresh Security Center

Once you have elevated access, open or refresh Azure Security Center to verify that you have visibility into all subscriptions under your Azure AD tenant.

  1. Sign in to the Azure portal.

  2. Make sure you select, in the subscription selector, all the subscriptions that you would like to view in Security Center.

    (Screenshot: subscription selector)

  3. Select All services under the Azure main menu, then select Security Center.

  4. In the Overview, there's a subscription coverage chart.

    (Screenshot: subscription coverage chart)

  5. Click on Coverage to see the list of subscriptions covered.

    (Screenshot: subscription coverage list)

Remove elevated access

Once the RBAC roles have been assigned to the users, the tenant administrator should remove themselves from the User Access Administrator role.

  1. Sign in to the Azure portal.

  2. In the navigation list, click Azure Active Directory and then click Properties.

  3. Under Global admin can manage Azure Subscriptions and Management Groups, set the switch to No.

  4. Click Save to save your setting.

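As an added check, not part of the original article, the following PowerShell lists every principal that still holds User Access Administrator at the root scope "/". A global administrator who elevated access and did not set the switch back to No appears in this list, as does any account granted that role at the root directly. It assumes the caller has signed in with Connect-AzAccount and can read role assignments at the root scope.

```powershell
# Added example (not from the original article). Audits root-scope ("/")
# User Access Administrator assignments so that elevated access that was not
# removed after the steps above can be spotted and cleaned up.
# Assumes Connect-AzAccount has been run with an account that can read
# assignments at the root scope.
$rootScope = "/"

# Assignments at "/" include elevated global administrators; filter to the
# role that the elevation switch grants and keep only exact root-scope matches
# (inherited or narrower scopes are not what we are looking for here).
$elevated = Get-AzRoleAssignment -Scope $rootScope |
    Where-Object {
        $_.RoleDefinitionName -eq "User Access Administrator" -and
        $_.Scope -eq $rootScope
    }

if (-not $elevated) {
    Write-Output "No User Access Administrator assignments found at scope '$rootScope'."
}
else {
    # @() guarantees .Count works even when a single assignment is returned.
    $count = @($elevated).Count
    Write-Warning "$count principal(s) hold User Access Administrator at '$rootScope':"
    $elevated |
        Select-Object DisplayName, SignInName, ObjectType, RoleAssignmentId |
        Format-Table -AutoSize
}
```

For a global administrator who elevated through the portal switch, the fix is the procedure above (set the switch back to No); an assignment that was created explicitly can be removed with Remove-AzRoleAssignment, as shown in the PowerShell section earlier.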
Adding subscriptions to a management group

You can add subscriptions to the management group that you created. These steps aren't mandatory for gaining tenant-wide visibility and global policy and access management.

  1. Under Management Groups, select the management group to add your subscription to.

    (Screenshot: selecting the management group to add a subscription to)

  2. Select Add existing.

    (Screenshot: Add existing)

  3. Enter the subscription under Add existing resource and click Save.

  4. Repeat steps 1 through 3 until you've added all the subscriptions in scope.

    Note

    Management groups can contain both subscriptions and child management groups. When you assign a user an RBAC role on the parent management group, the access is inherited by the child management groups' subscriptions. Policies set at the parent management group are also inherited by the children.

Next steps

In this article, you learned how to gain tenant-wide visibility for Azure Security Center. To learn more about Security Center, see the following articles: