
What are Azure AD access reviews?

Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. Users' access can be reviewed on a regular basis to make sure only the right people have continued access.

Here's a video that provides a quick overview of access reviews:

Why are access reviews important?

Azure AD enables you to collaborate internally within your organization and with users from external organizations, such as partners. Users can join groups, invite guests, connect to cloud apps, and work remotely from their work or personal devices. The convenience of leveraging the power of self-service has led to a need for better access management capabilities.

  • As new employees join, how do you ensure they have the right access to be productive?
  • As people move teams or leave the company, how do you ensure their old access is removed, especially when it involves guests?
  • Excessive access rights can lead to audit findings and compromises, as they indicate a lack of control over access.
  • You have to proactively engage with resource owners to ensure they regularly review who has access to their resources.

When to use access reviews?

  • Too many users in privileged roles: It's a good idea to check how many users have administrative access, how many of them are Global Administrators, and whether there are any invited guests or partners that have not been removed after being assigned to do an administrative task. You can recertify role assignments for Azure AD roles such as Global Administrator, or Azure resource roles such as User Access Administrator, in the Azure AD Privileged Identity Management (PIM) experience.
  • When automation is infeasible: You can create rules for dynamic membership on security groups or Office 365 groups, but what if the HR data is not in Azure AD, or if users still need access after leaving the group to train their replacement? You can then create a review on that group to ensure those who still need access continue to have it.
  • When a group is used for a new purpose: If you have a group that is going to be synced to Azure AD, or if you plan to enable the application Salesforce for everyone in the Sales team group, it would be useful to ask the group owner to review the group membership prior to the group being used in a different risk context.
  • Business critical data access: For certain resources, it might be required to ask people outside of IT to regularly sign off and give a justification for why they need access, for auditing purposes.
  • To maintain a policy's exception list: In an ideal world, all users would follow the access policies to secure access to your organization's resources. However, sometimes there are business cases that require you to make exceptions. As the IT admin, you can manage this task, avoid oversight of policy exceptions, and provide auditors with proof that these exceptions are reviewed regularly.
  • Ask group owners to confirm they still need guests in their groups: Employee access might be automated with some on-premises IAM, but invited guests are not. If a group gives guests access to business-sensitive content, then it's the group owner's responsibility to confirm the guests still have a legitimate business need for access.
  • Have reviews recur periodically: You can set up recurring access reviews of users at set frequencies such as weekly, monthly, quarterly, or annually, and the reviewers will be notified at the start of each review. Reviewers can approve or deny access with a friendly interface and with the help of smart recommendations.

Where do you create reviews?

Depending on what you want to review, you will create your access review in Azure AD access reviews, Azure AD enterprise apps (in preview), or Azure AD PIM.

| Access rights of users | Reviewers can be | Review created in | Reviewer experience |
|---|---|---|---|
| Security group members, Office group members | Specified reviewers, Group owners, Self-review | Azure AD access reviews, Azure AD groups | Access panel |
| Assigned to a connected app | Specified reviewers, Self-review | Azure AD access reviews, Azure AD enterprise apps (in preview) | Access panel |
| Azure AD role | Specified reviewers, Self-review | Azure AD PIM | Azure portal |
| Azure resource role | Specified reviewers, Self-review | Azure AD PIM | Azure portal |

Which users must have licenses?

Each user who interacts with access reviews must have a paid Azure AD Premium P2 license. Examples include:

  • Administrators who create an access review
  • Group owners who perform an access review
  • Users assigned as reviewers
  • Users who perform a self-review

You can also ask guest users to review their own access. For each paid Azure AD Premium P2 license that you assign to one of your own organization's users, you can use Azure AD business-to-business (B2B) to invite up to five guest users under the External User Allowance. These guest users can also use Azure AD Premium P2 features. For more information, see Azure AD B2B collaboration licensing guidance.

Here are some example scenarios to help you determine the number of licenses you must have.

| Scenario | Calculation | Required number of licenses |
|---|---|---|
| An administrator creates an access review of Group A with 500 users. Assigns 3 group owners as reviewers. | 1 administrator + 3 group owners | 4 |
| An administrator creates an access review of Group A with 500 users. Makes it a self-review. | 1 administrator + 500 users as self-reviewers | 501 |
| An administrator creates an access review of Group A with 5 users and 25 guest users. Makes it a self-review. | 1 administrator + 5 users as self-reviewers (guest users are covered in the required 1:5 ratio) | 6 |
| An administrator creates an access review of Group A with 5 users and 28 guest users. Makes it a self-review. | 1 administrator + 5 users as self-reviewers + 1 user to cover guest users in the required 1:5 ratio | 7 |

For information about how to assign licenses to your users, see Assign or remove licenses using the Azure Active Directory portal.

Learn about access reviews

To learn more about creating and performing access reviews, watch this short demo:

If you are ready to deploy access reviews in your organization, follow these steps in the video to onboard, train your administrators, and create your first access review!

License requirements

Using this feature requires an Azure AD Premium P2 license. To find the right license for your requirements, see Comparing generally available features of the Free, Basic, and Premium editions.

Next steps