
Administrative units in Azure Active Directory

This article describes administrative units in Azure Active Directory (Azure AD). An administrative unit is an Azure AD resource that can be a container for other Azure AD resources. An administrative unit can contain only users and groups.

Administrative units restrict the permissions of a role to whatever portion of your organization you define. You could, for example, use administrative units to delegate the Helpdesk Administrator role to regional support specialists, so that they can manage users only in the region that they support.

Deployment scenario

Restricting administrative scope with administrative units is useful in organizations that are made up of independent divisions of any kind. Consider the example of a large university that's made up of many autonomous schools (School of Business, School of Engineering, and so on). Each school has a team of IT admins who control access, manage users, and set policies for their school.

A central administrator could:

  • Create a role with administrative permissions over only the Azure AD users in the business school administrative unit.
  • Create an administrative unit for the School of Business.
  • Populate the administrative unit with only the business school students and staff.
  • Add the business school IT team to the role, scoped to that administrative unit.

License requirements

To use administrative units, you need an Azure Active Directory Premium license for each administrative unit admin, and Azure Active Directory Free licenses for administrative unit members. For more information, see Getting started with Azure AD Premium.

Manage administrative units

You can manage administrative units by using the Azure portal, PowerShell cmdlets and scripts, or Microsoft Graph. For more information, see:

Plan your administrative units

You can use administrative units to logically group Azure AD resources. An organization whose IT department is distributed globally might create administrative units that define the relevant geographical boundaries. In another scenario, where a global organization has suborganizations that are semi-autonomous in their operations, administrative units could represent those suborganizations.

The criteria on which administrative units are created are guided by the unique requirements of an organization. Administrative units are a common way to define structure across Microsoft 365 services. We recommend that you prepare your administrative units with their use across Microsoft 365 services in mind. You get the most value out of administrative units when you can associate common resources across Microsoft 365 under a single administrative unit.

You can expect the creation of administrative units in the organization to go through the following stages:

  1. Initial adoption: Your organization starts creating administrative units based on initial criteria, and the number of administrative units increases as the criteria are refined.
  2. Pruning: After the criteria are defined, administrative units that are no longer required are deleted.
  3. Stabilization: Your organizational structure is defined, and the number of administrative units isn't going to change significantly in the short term.

Currently supported scenarios

As a Global Administrator or a Privileged Role Administrator, you can use the Azure AD portal to:

  • Create administrative units
  • Add users and groups as members of administrative units
  • Assign IT staff to administrative unit-scoped administrator roles
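The deployment scenario above (create the administrative unit, populate it, then assign a scoped role) can be scripted end to end with the AzureAD PowerShell module, which is one of the management paths this article lists. The following script is an added example written for this page, not code from the article or from Microsoft. It assumes the AzureAD module is installed, that you sign in as a Global Administrator or Privileged Role Administrator, and that the contoso.com user principal names are constructed placeholders you replace with your own. The final step is an audit of who holds scoped roles on the unit, which is the check a defender wants after delegating a role.

```powershell
# Added example, not from the original article. Assumptions: AzureAD module installed,
# signed in as Global Administrator or Privileged Role Administrator, and all
# contoso.com UPNs below are constructed placeholders.
Import-Module AzureAD
Connect-AzureAD

# 1. Create the administrative unit for the School of Business.
$au = New-AzureADMSAdministrativeUnit -DisplayName "School of Business" `
        -Description "Business school students and staff only"

# 2. Populate it with business school users only (placeholder UPNs).
$memberUpns = @("bizstudent1@contoso.com", "bizstaff1@contoso.com")
foreach ($upn in $memberUpns) {
    $user = Get-AzureADUser -Filter "userPrincipalName eq '$upn'"
    if ($null -eq $user) { Write-Warning "User not found, skipping: $upn"; continue }
    Add-AzureADMSAdministrativeUnitMember -Id $au.Id -RefObjectId $user.ObjectId
}

# 3. Give the business school IT admin the User Administrator role,
#    scoped to this administrative unit rather than the whole tenant.
$roleName = "User Administrator"
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
if ($null -eq $role) {
    # A built-in role is only listed once it has been activated in the tenant.
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $roleName }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}
$admin = Get-AzureADUser -Filter "userPrincipalName eq 'bizschool-it@contoso.com'"
$roleMember = New-Object -TypeName Microsoft.Open.MSGraph.Model.MsRoleMemberInfo
$roleMember.Id = $admin.ObjectId
Add-AzureADMSScopedRoleMembership -Id $au.Id -RoleId $role.ObjectId -RoleMemberInfo $roleMember

# 4. Audit: list every scoped role assignment on this administrative unit.
Get-AzureADMSScopedRoleMembership -Id $au.Id | ForEach-Object {
    [pscustomobject]@{
        AdministrativeUnit = $au.DisplayName
        Role               = (Get-AzureADDirectoryRole -ObjectId $_.RoleId).DisplayName
        Member             = (Get-AzureADUser -ObjectId $_.RoleMemberInfo.Id).UserPrincipalName
    }
}
```

The scoped assignment in step 3 is the point of the exercise: the same User Administrator role assigned without a scope would cover every user in the tenant. Re-run the audit in step 4 periodically (or after any change to the unit) so that scoped assignments stay limited to the IT team of that school.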

Administrative unit-scoped admins can use the Microsoft 365 admin center for basic management of users in their administrative units. A group administrator with administrative unit scope can manage groups by using PowerShell, Microsoft Graph, and the Microsoft 365 admin center.

Note

Only the features described in this section are available in the Microsoft 365 admin center. No organization-level features are available for an Azure AD role with administrative unit scope.

The following sections describe current support for administrative unit scenarios.

Administrative unit management

| Permissions | Graph/PowerShell | Azure AD portal | Microsoft 365 admin center |
|---|---|---|---|
| Creating and deleting administrative units | Supported | Supported | Not supported |
| Adding and removing administrative unit members individually | Supported | Supported | Not supported |
| Adding and removing administrative unit members in bulk by using CSV files | Not supported | Supported | No plan to support |
| Assigning administrative unit-scoped administrators | Supported | Supported | Not supported |
| Adding and removing administrative unit members dynamically based on attributes | Not supported | Not supported | Not supported |

User management

| Permissions | Graph/PowerShell | Azure AD portal | Microsoft 365 admin center |
|---|---|---|---|
| Administrative unit-scoped management of user properties, passwords, and licenses | Supported | Supported | Supported |
| Administrative unit-scoped blocking and unblocking of user sign-ins | Supported | Supported | Supported |
| Administrative unit-scoped management of user multifactor authentication credentials | Supported | Supported | Not supported |

Group management

| Permissions | Graph/PowerShell | Azure AD portal | Microsoft 365 admin center |
|---|---|---|---|
| Administrative unit-scoped management of group properties and members | Supported | Supported | Not supported |
| Administrative unit-scoped management of group licensing | Supported | Supported | Not supported |

Administrative units apply scope only to management permissions. They don't prevent members or administrators from using their default user permissions to browse other users, groups, or resources outside the administrative unit. In the Microsoft 365 admin center, users outside a scoped admin's administrative units are filtered out, but a scoped admin can still browse other users in the Azure AD portal, PowerShell, and other Microsoft services.

Next steps