
What is Azure AD Identity Governance?

Azure Active Directory (Azure AD) Identity Governance lets you balance your organization's need for security against its need for employee productivity by putting the right processes and visibility in place. It provides capabilities to ensure that the right users have the right access to the right resources, and it lets you protect, monitor, and audit access to critical assets while keeping employees productive.

Identity Governance gives organizations the ability to perform the following tasks across employees, business partners and vendors, and services and applications:

  • Govern the identity lifecycle
  • Govern the access lifecycle
  • Secure privileged administration

Specifically, it is intended to help organizations answer these four key questions:

  • Which users should have access to which resources?
  • What are those users doing with that access?
  • Are there effective organizational controls for managing access?
  • Can auditors verify that the controls are working?

Identity lifecycle

Identity Governance helps organizations strike a balance between productivity (how quickly can a person get access to the resources they need, for example when they join the organization?) and security (how should their access change over time, for example when their employment status changes?). Identity lifecycle management is the foundation of Identity Governance, and effective governance at scale requires modernizing the identity lifecycle management infrastructure for applications.

[Figure: Identity lifecycle]

For many organizations, the identity lifecycle of an employee is tied to the representation of that user in an HCM (human capital management) system. Azure AD Premium automatically maintains user identities for people represented in Workday, in both Active Directory and Azure Active Directory, as described in the Workday inbound provisioning (preview) tutorial. Azure AD Premium also includes Microsoft Identity Manager, which can import records from on-premises HCM systems such as SAP, Oracle eBusiness, and Oracle PeopleSoft.

Increasingly, scenarios require collaboration with people outside your organization. Azure AD B2B collaboration lets you securely share your organization's applications and services with guest users and external partners from any organization while retaining control over your own corporate data.

Access lifecycle

Organizations need a process for managing access beyond what was initially provisioned when a user's identity was created. Furthermore, enterprise organizations need to scale efficiently so that they can develop and enforce access policy and controls on an ongoing basis.

[Figure: Access lifecycle]

Typically, IT delegates access approval decisions to business decision makers. IT can also involve the users themselves. For example, users who access confidential customer data in a company's marketing application in Europe need to know the company's data handling policies, and guest users may be unaware of the handling requirements for data in the organization that invited them.

Organizations can automate the access lifecycle through technologies such as dynamic groups, combined with user provisioning to SaaS apps or to apps integrated with SCIM. Organizations can also control which guest users have access to on-premises applications. These access rights can then be reviewed regularly with recurring Azure AD access reviews.
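The paragraph above names dynamic groups as the automation mechanism but does not show what a membership rule looks like. The following is an added example, not code from the original page or from Microsoft; it uses the AzureAD PowerShell module cmdlet New-AzureADMSGroup, and the group names, the department value "Marketing" and the SCIM-integrated application are assumptions chosen for illustration. The first group gates employees only, the second group collects every guest so that the guests can be put under a recurring access review rather than being granted access individually.

```powershell
# Added example (not from the original page). Assumes the AzureAD PowerShell
# module is installed and that Connect-AzureAD has already been run as an
# administrator with permission to create groups.

# Rule 1: employees (member accounts) in the Marketing department.
# userType -eq "Member" keeps B2B guests out even if a guest's
# department attribute happens to be set to "Marketing".
$marketingRule = '(user.department -eq "Marketing") -and (user.userType -eq "Member") -and (user.accountEnabled -eq true)'

$marketingGroup = New-AzureADMSGroup `
    -DisplayName "Marketing-App-Users" `
    -Description "Assumed group: employees who get the marketing SaaS app via SCIM provisioning" `
    -MailEnabled $false `
    -MailNickname "marketingappusers" `
    -SecurityEnabled $true `
    -GroupTypes "DynamicMembership" `
    -MembershipRule $marketingRule `
    -MembershipRuleProcessingState "On"

# Rule 2: every guest (B2B) account in the tenant. Putting guests in one
# group gives access reviews a single scope to recertify on a schedule.
$guestRule = '(user.userType -eq "Guest")'

$guestGroup = New-AzureADMSGroup `
    -DisplayName "All-Guests" `
    -Description "Assumed group: all B2B guests, reviewed by recurring access review" `
    -MailEnabled $false `
    -MailNickname "allguests" `
    -SecurityEnabled $true `
    -GroupTypes "DynamicMembership" `
    -MembershipRule $guestRule `
    -MembershipRuleProcessingState "On"

# Verify the rules were stored and are being processed; membership is
# evaluated asynchronously, so members may take a few minutes to appear.
Get-AzureADMSGroup -Id $marketingGroup.Id |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
Get-AzureADMSGroup -Id $guestGroup.Id |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
```

Assigning the marketing group to the SCIM-integrated application in the portal (or via the application's app role assignment) then causes provisioning to follow the rule: a department change in the HCM system flows into the directory, the user enters or leaves the group, and the SaaS account is created or deprovisioned without a manual ticket.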

When a user attempts to access an application, Azure AD enforces Conditional Access policies. For example, a Conditional Access policy can display terms of use and require that the user accept those terms before being allowed into the application.

Privileged access lifecycle

Historically, other vendors have described privileged access as a capability separate from Identity Governance. At Microsoft, however, we consider governing privileged access a key part of Identity Governance, especially given the damage that misuse of administrator rights can cause an organization. The employees, vendors, and contractors who take on administrative rights need to be governed.

[Figure: Privileged access lifecycle]

Azure AD Privileged Identity Management (PIM) provides additional controls tailored to securing access rights to resources across Azure AD, Azure, and other Microsoft Online Services. The just-in-time access and role change alerting capabilities of Azure AD PIM, together with multi-factor authentication and Conditional Access, provide a comprehensive set of governance controls to help secure your company's resources (directory roles, Office 365 roles, and Azure resource roles). As with other forms of access, organizations can use access reviews to configure recurring access recertification for all users in administrator roles.

Getting started

While there is no perfect solution or recommendation for every customer, the following configurations are a guide to the baseline policies Microsoft recommends you follow for a more secure and productive workforce.

You can also check the Getting started tab of Identity Governance in the Azure portal to start using entitlement management, access reviews, Privileged Identity Management, and terms of use.

[Figure: Identity Governance getting started]

Next steps