
Start using PIM

With Azure Active Directory (Azure AD) Privileged Identity Management (PIM), you can manage, control, and monitor access within your organization. This scope includes access to Azure resources, Azure AD, and other Microsoft online services such as Office 365 or Microsoft Intune.

This article describes how to enable PIM and get started using it.

Prerequisites

To use PIM, you must have one of the following licenses:

  • Azure AD Premium P2
  • Enterprise Mobility + Security (EMS) E5

For more information, see License requirements to use PIM.

First person to use PIM

If you're the first person to use PIM in your directory, you are automatically assigned the Security Administrator and Privileged Role Administrator roles in the directory. Only privileged role administrators can manage Azure AD role assignments of users. In addition, you may choose to run the security wizard, which walks you through the initial discovery and assignment experience.

Enable PIM

To start using PIM in your directory, you must first enable PIM.

  1. Sign in to the Azure portal as a Global Administrator of your directory.

    You must be a Global Administrator with an organizational account (for example, @yourdomain.com), not a Microsoft account (for example, @outlook.com), to enable PIM for a directory.

  2. Click All services and find the Azure AD Privileged Identity Management service.

    (Screenshot: Azure AD Privileged Identity Management in All services)

  3. Click it to open the PIM Quickstart.

  4. In the list, click Consent to PIM.

    (Screenshot: Consent to PIM to enable PIM)

  5. Click Verify my identity to verify your identity with Azure MFA. You'll be asked to pick an account.

    (Screenshot: Pick an account window for verification)

  6. If more information is required for verification, you'll be guided through the process. For more information, see Get help with two-step verification.

    (Screenshot: More information required window, shown if your organization needs more information)

    For example, you might be asked to provide phone verification.

    (Screenshot: Additional security verification page asking how to contact you)

  7. Once you have completed the verification process, click the Consent button.

  8. In the message that appears, click Yes to consent to the PIM service.

    (Screenshot: Consent to PIM message completing the consent process)

Sign up PIM for Azure AD roles

Once you have enabled PIM for your directory, you'll need to sign up PIM to manage Azure AD roles.

  1. Open Azure AD Privileged Identity Management.

  2. Click Azure AD roles.

    (Screenshot: Sign up PIM for Azure AD roles)

  3. Click Sign up.

  4. In the message that appears, click Yes to sign up PIM to manage Azure AD roles.

    (Screenshot: Sign up PIM for Azure AD roles message)

    When sign-up completes, the Azure AD options are enabled. You might need to refresh the portal.

    For information about how to discover and select the Azure resources to protect with PIM, see Discover Azure resources to manage in PIM.

Once PIM is set up, you can perform your identity management tasks.

(Screenshot: Navigation window in PIM showing the Tasks and Manage options)

Task + Manage: Description

My roles: Displays a list of eligible and active roles assigned to you. This is where you can activate any assigned eligible roles.
My requests: Displays your pending requests to activate eligible role assignments.
Approve requests: Displays a list of requests to activate eligible roles, made by users in your directory, that you are designated to approve.
Review access: Lists active access reviews you are assigned to complete, whether you're reviewing access for yourself or for someone else.
Azure AD roles: Displays a dashboard and settings for privileged role administrators to manage Azure AD role assignments. This dashboard is disabled for anyone who isn't a privileged role administrator. These users have access to a special dashboard titled My view. The My view dashboard only displays information about the user accessing the dashboard, not the entire tenant.
Azure resources: Displays a dashboard and settings for privileged role administrators to manage Azure resource role assignments. This dashboard is disabled for anyone who isn't a privileged role administrator. These users have access to a special dashboard titled My view. The My view dashboard only displays information about the user accessing the dashboard, not the entire tenant.
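The My roles entry above distinguishes eligible assignments (activated through PIM when needed) from active, standing ones. The following is an added PowerShell example, not code from the article or from the PIM service, that audits that distinction across the tenant with the Microsoft Graph PowerShell SDK; it assumes the Microsoft.Graph.Identity.Governance and Microsoft.Graph.Identity.DirectoryManagement modules are installed and the signed-in account can read role management data.

```powershell
# Added example (not from the original article): list standing (active) versus
# eligible Azure AD role assignments using the Microsoft Graph PowerShell SDK.
# Assumption: the Microsoft.Graph modules are installed and the account has the scopes below.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Build a role-definition-id -> display-name map once, instead of one lookup per assignment.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Principals may be users, groups, or service principals; resolve them generically.
function Resolve-PrincipalName([string]$PrincipalId) {
    try {
        $obj = Get-MgDirectoryObject -DirectoryObjectId $PrincipalId
        return $obj.AdditionalProperties['displayName']
    } catch {
        return "<unresolved $PrincipalId>"
    }
}

# Permanent, always-on assignments: the standing access PIM exists to reduce.
$active = Get-MgRoleManagementDirectoryRoleAssignment -All | ForEach-Object {
    [pscustomobject]@{
        Kind      = 'Active (standing)'
        Role      = $roleNames[$_.RoleDefinitionId]
        Principal = Resolve-PrincipalName $_.PrincipalId
        Scope     = $_.DirectoryScopeId
    }
}

# Eligible assignments: the principal must activate through PIM before the role takes effect.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All | ForEach-Object {
    [pscustomobject]@{
        Kind      = 'Eligible'
        Role      = $roleNames[$_.RoleDefinitionId]
        Principal = Resolve-PrincipalName $_.PrincipalId
        Scope     = $_.DirectoryScopeId
    }
}

# Full picture, then flag standing assignments of the two roles the article singles out
# (Global Administrator enables PIM; Privileged Role Administrator manages role assignments).
$active + $eligible | Sort-Object Role, Kind | Format-Table -AutoSize
$watch = 'Global Administrator', 'Privileged Role Administrator'
$active | Where-Object { $watch -contains $_.Role } | ForEach-Object {
    Write-Warning "Standing assignment: $($_.Principal) is $($_.Role) at scope $($_.Scope)"
}
```

Each warning is a candidate for conversion to an eligible assignment so that the role is only held after activation with MFA and, where configured, approval.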

Add a PIM tile to the dashboard

To make it easier to open PIM, you should add a PIM tile to your Azure portal dashboard.

  1. Sign in to the Azure portal.

  2. Click All services and find the Azure AD Privileged Identity Management service.

    (Screenshot: Azure AD Privileged Identity Management in All services)

  3. Click it to open the PIM Quickstart.

  4. Check Pin blade to dashboard to pin the PIM Quickstart blade to the dashboard.

    (Screenshot: Pin icon for pinning the PIM blade to the dashboard)

    On the Azure dashboard, you'll see a tile like this:

    (Screenshot: PIM Quickstart tile on the dashboard)

Next steps