
Assign a role to a group using Privileged Identity Management

This article describes how to assign an Azure Active Directory (Azure AD) role to a group using Azure AD Privileged Identity Management (PIM).

Note

You must be using the updated version of Privileged Identity Management to be able to assign a group to an Azure AD role using PIM. You might be on an older version of PIM if your Azure AD organization uses the Privileged Identity Management API. If so, contact the alias pim_preview@microsoft.com to move your organization and update your API. Learn more at Azure AD roles and features in PIM.

Using the Azure AD admin center

  1. Sign in to Azure AD Privileged Identity Management as a Privileged Role Administrator or Global Administrator in your organization.

  2. Select Privileged Identity Management > Azure AD roles > Roles > Add assignments.

  3. Select a role, and then select a group. Only groups that are eligible for role assignment (role-assignable groups) are displayed, not all groups.

    [Screenshot: the Add assignments page with the Select role and Select member(s) sections highlighted]

  4. Select the desired membership setting. For roles that require activation, choose Eligible. By default, the group is permanently eligible, but you can also set a start and end time for its eligibility. When you are done, select Save and then Add to complete the role assignment.

    [Screenshot: selecting the member to assign to the role]

Using PowerShell

Download the Azure AD Preview PowerShell module

To install the Azure AD PowerShell module, use the following cmdlets:

Install-Module AzureADPreview
Import-Module AzureADPreview

To verify that the module is ready to use, run the following cmdlet:

Get-Module AzureADPreview

Assign a group as an eligible member of a role

# Build a one-time schedule that bounds the eligibility window (UTC, ISO 8601).
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type = "Once"
$schedule.StartDateTime = "2019-04-26T20:49:11.770Z"
$schedule.EndDateTime = "2019-07-25T20:49:11.770Z"
# Submit an admin-initiated request that makes the group Eligible for the role.
# Replace the tenant ID, the role definition ID and the group ID with your own values.
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId aadRoles -Schedule $schedule -ResourceId "[YOUR TENANT ID]" -RoleDefinitionId "9f8c1837-f885-4dfd-9a75-990f9222b21d" -SubjectId "[YOUR GROUP ID]" -AssignmentState "Eligible" -Type "AdminAdd"
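The following script is an added example, not code from the original article or from the AzureADPreview module's documentation. It extends the request above with the two checks a practitioner usually wants before an assignment goes in: it confirms the target group is actually role-assignable (PIM only accepts those, as the admin-center steps note) and it builds a time-bound schedule from the current time rather than hard-coded timestamps. It also looks the role up by display name instead of hard-coding its GUID. The tenant ID, group ID and the role name "Security Reader" are placeholders and assumptions you must replace; it assumes you are signed in with the Privileged Role Administrator or Global Administrator role.

```powershell
# Added example (not from the original article): time-bound Eligible assignment
# of an Azure AD role to a group, with pre-checks.
# Assumptions: AzureADPreview is installed; $tenantId, $groupId and $roleName
# are placeholders to replace.

Import-Module AzureADPreview
Connect-AzureAD | Out-Null

$tenantId = "[YOUR TENANT ID]"      # placeholder
$groupId  = "[YOUR GROUP ID]"       # placeholder
$roleName = "Security Reader"       # assumption: the role to assign; change as needed

# Only role-assignable groups can be given an Azure AD role. Check the flag
# first so a misconfigured group fails fast with a clear message.
$group = Get-AzureADMSGroup -Id $groupId
if (-not $group.IsAssignableToRole) {
    throw "Group '$($group.DisplayName)' is not role-assignable; PIM will reject the assignment."
}

# Resolve the role definition by display name rather than hard-coding its GUID.
$role = Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId $tenantId |
    Where-Object { $_.DisplayName -eq $roleName }
if (-not $role) { throw "Role '$roleName' was not found in tenant $tenantId." }

# Eligibility window: from now, for 90 days. UTC in ISO 8601 ("o" round-trip
# format), the same shape as the timestamps in the request shown above.
$start = [DateTime]::UtcNow
$end   = $start.AddDays(90)
if ($end -le $start) { throw "End time must be after start time." }

$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type          = "Once"
$schedule.StartDateTime = $start.ToString("o")
$schedule.EndDateTime   = $end.ToString("o")

# Submit the admin-initiated request. -Reason is kept with the request and is
# visible in the PIM audit history, so state why the assignment is being made.
Open-AzureADMSPrivilegedRoleAssignmentRequest `
    -ProviderId aadRoles `
    -ResourceId $tenantId `
    -RoleDefinitionId $role.Id `
    -SubjectId $groupId `
    -AssignmentState "Eligible" `
    -Type "AdminAdd" `
    -Schedule $schedule `
    -Reason "Time-bound eligible assignment for $($group.DisplayName) (90 days)"
```

Bounding the schedule with an end date means the eligibility expires on its own if nobody revisits it; a permanent eligible assignment (no EndDateTime) is the setting the admin-center flow defaults to, so set an end date deliberately when the access is meant to be temporary.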

Using the Microsoft Graph API

POST https://graph.microsoft.com/beta/privilegedAccess/aadroles/roleAssignmentRequests

{
  "roleDefinitionId": "{roleDefinitionId}",
  "resourceId": "{tenantId}",
  "subjectId": "{GroupId}",
  "assignmentState": "Eligible",
  "type": "AdminAdd",
  "reason": "reason string",
  "schedule": {
    "startDateTime": "{DateTime}",
    "endDateTime": "{DateTime}",
    "type": "Once"
  }
}
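The following script is an added example, not code from the original article or from Microsoft Graph's own documentation. It sends the request body above to the beta endpoint with Invoke-RestMethod, building the body from a hashtable so every ID and timestamp is emitted as a properly quoted JSON string. It assumes $accessToken already holds a bearer token obtained separately with the permissions required for the privilegedAccess API; the tenant, group and role definition IDs are placeholders you must replace.

```powershell
# Added example (not from the original article): submit an Eligible role
# assignment request for a group through the Microsoft Graph beta endpoint.
# Assumptions: $accessToken is a valid bearer token with the required
# permissions; all IDs below are placeholders to replace.

$accessToken      = "[ACCESS TOKEN]"          # placeholder
$tenantId         = "[YOUR TENANT ID]"        # placeholder
$groupId          = "[YOUR GROUP ID]"         # placeholder
$roleDefinitionId = "[ROLE DEFINITION ID]"    # placeholder

# Eligibility window: from now, for 30 days, expressed as UTC ISO 8601 strings.
$start = [DateTime]::UtcNow
$end   = $start.AddDays(30)
if ($end -le $start) { throw "End time must be after start time." }

# Build the body as a hashtable; ConvertTo-Json quotes and escapes every value,
# so no placeholder ends up as a bare (invalid) token in the JSON.
$body = @{
    roleDefinitionId = $roleDefinitionId
    resourceId       = $tenantId
    subjectId        = $groupId
    assignmentState  = "Eligible"
    type             = "AdminAdd"
    reason           = "Time-bound eligible assignment for the group (30 days)"
    schedule         = @{
        startDateTime = $start.ToString("o")
        endDateTime   = $end.ToString("o")
        type          = "Once"
    }
}

$uri = "https://graph.microsoft.com/beta/privilegedAccess/aadroles/roleAssignmentRequests"
try {
    $response = Invoke-RestMethod -Method Post -Uri $uri `
        -Headers @{ Authorization = "Bearer $accessToken" } `
        -ContentType "application/json" `
        -Body ($body | ConvertTo-Json -Depth 5)

    # The response is the created roleAssignmentRequest; keep it for the
    # change record and inspect its status fields to see whether it was
    # accepted directly or is waiting on approval.
    $response | ConvertTo-Json -Depth 5
} catch {
    # A 4xx response here typically means the token lacks the required
    # permission, the group is not role-assignable, or an ID is wrong.
    throw "Graph request failed: $($_.Exception.Message)"
}
```

Keep the returned request object (or at least its id) with your change ticket; the PIM audit history records the request, and having the id makes it straightforward to correlate the assignment with the approval that authorized it.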

Next steps