
Create or update a dynamic group in Azure Active Directory

In Azure Active Directory (Azure AD), you can use rules to determine group membership based on user or device properties. This article tells how to set up a rule for a dynamic group in the Azure portal. Dynamic membership is supported for security groups and Microsoft 365 Groups. When a group membership rule is applied, user and device attributes are evaluated for matches with the membership rule. When an attribute changes for a user or device, all dynamic group rules in the organization are processed for membership changes. Users and devices are added or removed if they meet the conditions for a group. Security groups can be used for either devices or users, but Microsoft 365 Groups can only be user groups. Using dynamic groups requires an Azure AD Premium P1 license. See Dynamic membership rules for groups for more details.

Rule builder in the Azure portal

Azure AD provides a rule builder to create and update your important rules more quickly. The rule builder supports constructing rules of up to five expressions. It makes it easier to form a rule with a few simple expressions; however, it can't be used to reproduce every rule. If the rule builder doesn't support the rule you want to create, you can use the text box.

Here are some examples of advanced rules or syntax for which we recommend that you use the text box:

Note

The rule builder might not be able to display some rules constructed in the text box. You might see a message when the rule builder is not able to display the rule. The rule builder doesn't change the supported syntax, validation, or processing of dynamic group rules in any way.

Screenshot showing the Dynamic membership rules page with the Add expression action selected on the Configure rules tab.

For examples of syntax, supported properties, operators, and values for a membership rule, see Dynamic membership rules for groups in Azure Active Directory.

To create a group membership rule

  1. Sign in to the Azure AD admin center with an account that is in the Global administrator, Intune administrator, or User administrator role in the Azure AD organization.

  2. Search for and select Groups.

  3. Select All groups, and then select New group.

    Select the command to add a new group

  4. On the Group page, enter a name and description for the new group. Select a Membership type for either users or devices, and then select Add dynamic query. The rule builder supports up to five expressions. To add more than five expressions, you must use the text box.

    Screenshot showing the All groups page with the New group action selected.

  5. To see the custom extension properties available for your membership query:

    1. Select Get custom extension properties.
    2. Enter the application ID, and then select Refresh properties.
  6. After creating the rule, select Save.

  7. Select Create on the New group page to create the group.

If the rule you entered isn't valid, an explanation of why the rule couldn't be processed is displayed in an Azure notification in the portal. Read it carefully to understand how to fix the rule.
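The same create procedure, carried out from PowerShell instead of the portal. This is an added example and not code from the documentation page; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups module) and a signed-in account that is allowed to create groups. The group name, mail nickname and the attribute values in the rule are illustrative. The rule deliberately uses six expressions, one more than the rule builder accepts, so it is the kind of rule the text box (or the API) is needed for.

```powershell
Import-Module Microsoft.Graph.Groups

# Group.ReadWrite.All is the delegated permission needed to create and edit groups.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Each element is one expression of the membership rule; joined, the text is
# exactly what you would paste into the portal's text box. Every attribute
# referenced here is set by an administrator or a provisioning system. Do not
# key membership on attributes users can edit about themselves, because the
# rule would then let them add themselves to the group and whatever it grants.
$expressions = @(
    '(user.department -eq "Sales")'
    '(user.country -in ["US","CA","MX"])'
    '(user.accountEnabled -eq true)'
    '(user.userType -eq "Member")'
    '(user.jobTitle -ne "Contractor")'
    '(user.mail -ne null)'
)
$rule = $expressions -join " and "

$params = @{
    DisplayName                   = "Sales-NorthAmerica-Dynamic"   # illustrative name
    Description                   = "Dynamic group: active Sales employees in North America"
    MailEnabled                   = $false
    MailNickname                  = "sales-na-dynamic"             # illustrative
    SecurityEnabled               = $true
    GroupTypes                    = @("DynamicMembership")
    MembershipRule                = $rule
    MembershipRuleProcessingState = "On"   # "Paused" would create the group without evaluating the rule
}

try {
    $group = New-MgGroup @params -ErrorAction Stop
}
catch {
    # As with the portal notification, the service error says why the rule was rejected.
    Write-Error "Group creation failed: $($_.Exception.Message)"
    return
}

# Read back the rule and processing state stored on the new group.
Get-MgGroup -GroupId $group.Id -Property Id,DisplayName,MembershipRule,MembershipRuleProcessingState |
    Format-List Id,DisplayName,MembershipRule,MembershipRuleProcessingState
```

Custom extension properties (step 5) are referenced in the same rule text with the form user.extension_<application ID>_<attribute name>; the application ID is the one you enter under Get custom extension properties in the portal.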

To update an existing rule

  1. Sign in to the Azure AD admin center with an account that is in the Global administrator, Group administrator, Intune administrator, or User administrator role in the Azure AD organization.

  2. Select Groups > All groups.

  3. Select a group to open its profile.

  4. On the profile page for the group, select Dynamic membership rules. The rule builder supports up to five expressions. To add more than five expressions, you must use the text box.

    Add a membership rule for the dynamic group

  5. To see the custom extension properties available for your membership rule:

    1. Select Get custom extension properties.
    2. Enter the application ID, and then select Refresh properties.
  6. After updating the rule, select Save.
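The update procedure done from PowerShell, again as an added example rather than code from the page. It assumes the Microsoft.Graph.Groups module and a session opened with Group.ReadWrite.All; the group name is illustrative. Beyond replacing the rule, it shows pausing and resuming rule processing, which is what puts MembershipRuleProcessingState to "Paused" (the "Update paused" status described later on this page) and back to "On".

```powershell
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes "Group.ReadWrite.All"

$displayName = "Sales-NorthAmerica-Dynamic"   # illustrative; an existing dynamic group
$group = Get-MgGroup -Filter "displayName eq '$displayName'" `
    -Property Id,DisplayName,GroupTypes,MembershipRule,MembershipRuleProcessingState
if (-not $group) { throw "Group '$displayName' was not found." }
if ($group.GroupTypes -notcontains "DynamicMembership") {
    throw "Group '$displayName' is an assigned group; it has no membership rule to update."
}

# Keep the current rule so the change can be reviewed or rolled back.
$oldRule = $group.MembershipRule
$newRule = '(user.department -eq "Sales") and (user.accountEnabled -eq true) and (user.userType -eq "Member")'
Write-Host "Current rule: $oldRule"
Write-Host "New rule:     $newRule"

try {
    Update-MgGroup -GroupId $group.Id -MembershipRule $newRule -ErrorAction Stop
}
catch {
    # Same validation the portal performs; the message explains what is wrong with the rule.
    Write-Error "Rule update rejected: $($_.Exception.Message)"
    return
}

# Pausing stops evaluation without removing the rule. Members are no longer
# added or removed until processing is set back to "On".
Update-MgGroup -GroupId $group.Id -MembershipRuleProcessingState "Paused"
Get-MgGroup -GroupId $group.Id -Property MembershipRuleProcessingState |
    Select-Object -ExpandProperty MembershipRuleProcessingState
Update-MgGroup -GroupId $group.Id -MembershipRuleProcessingState "On"

# Roll back the rule if the new membership turns out wrong:
# Update-MgGroup -GroupId $group.Id -MembershipRule $oldRule
```

Because a rule change can add or remove members in bulk as soon as it is saved, review the old and new rule side by side before saving, and keep the old rule text until the reprocessed membership has been checked.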

Turn on or off welcome email

When a new Microsoft 365 group is created, a welcome email notification is sent to the users who are added to the group. Later, if any attributes of a user or device change, all dynamic group rules in the organization are processed for membership changes. Users who are added then also receive the welcome notification. You can turn off this behavior in Exchange PowerShell.
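One way to do that from Exchange Online PowerShell, as an added example and not text from the page. It assumes the ExchangeOnlineManagement module and an account with Exchange Online administration rights; the group name is illustrative, and the property name read back from Get-UnifiedGroup is an assumption to confirm against your tenant's output.

```powershell
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$groupName = "Sales-NorthAmerica"   # illustrative Microsoft 365 group

# Show the current setting, then turn the welcome message off for this group.
# Set-UnifiedGroup takes -UnifiedGroupWelcomeMessageEnabled; the value shown by
# Get-UnifiedGroup is assumed to be the WelcomeMessageEnabled property.
Get-UnifiedGroup -Identity $groupName | Format-List DisplayName, WelcomeMessageEnabled
Set-UnifiedGroup -Identity $groupName -UnifiedGroupWelcomeMessageEnabled:$false

# Turn it back on later with:
# Set-UnifiedGroup -Identity $groupName -UnifiedGroupWelcomeMessageEnabled:$true

# Apply to every Microsoft 365 group in the tenant that still sends the message.
# -WhatIf previews the change for each group; remove it to apply.
Get-UnifiedGroup -ResultSize Unlimited |
    Where-Object { $_.WelcomeMessageEnabled } |
    ForEach-Object {
        Set-UnifiedGroup -Identity $_.Identity -UnifiedGroupWelcomeMessageEnabled:$false -WhatIf
    }
```

The setting is per group, so a dynamic Microsoft 365 group created after this runs still sends the welcome message until it is turned off for that group too.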

Check processing status for a rule

You can see the membership processing status and the last updated date on the Overview page for the group.

Display dynamic group status

The following status messages can be shown for Membership processing status:

  • Evaluating: The group change has been received and the updates are being evaluated.
  • Processing: Updates are being processed.
  • Update complete: Processing has completed and all applicable updates have been made.
  • Processing error: Processing couldn't be completed because of an error evaluating the membership rule.
  • Update paused: Dynamic membership rule updates have been paused by the administrator. MembershipRuleProcessingState is set to "Paused".

The following status messages can be shown for Membership last updated status:

  • <Date and time>: The last time the membership was updated.
  • In Progress: Updates are currently in progress.
  • Unknown: The last update time can't be retrieved. The group might be new.

If an error occurs while processing the membership rule for a specific group, an alert is shown at the top of the Overview page for the group. If no pending dynamic membership updates can be processed for all the groups within the organization for more than 24 hours, an alert is shown at the top of All groups.

Processing error message alert

These articles provide additional information on groups in Azure Active Directory.