
Cross-tenant management experiences

As a service provider, you can use Azure Lighthouse to manage resources for multiple customers from within your own tenant in the Azure portal. Many tasks and services can be performed on delegated Azure resources across managed tenants by using Azure delegated resource management.

Note

Azure delegated resource management can also be used within an enterprise that has multiple Azure AD tenants of its own, to simplify cross-tenant administration.

Understanding customer tenants

An Azure Active Directory (Azure AD) tenant is a representation of an organization. It's a dedicated instance of Azure AD that an organization receives when it creates a relationship with Microsoft by signing up for Azure, Microsoft 365, or other services. Each Azure AD tenant is distinct and separate from other Azure AD tenants, and has its own tenant ID (a GUID). For more info, see What is Azure Active Directory?

Typically, in order to manage Azure resources for a customer, service providers would have to sign in to the Azure portal using an account associated with that customer's tenant, requiring an administrator in the customer's tenant to create and manage user accounts for the service provider.

With Azure Lighthouse, the onboarding process specifies users within the service provider's tenant who will be able to access and manage subscriptions, resource groups, and resources in the customer's tenant. These users can then sign in to the Azure portal using their own credentials. Within the Azure portal, they can manage resources belonging to all customers to which they have access. This can be done by visiting the My customers page in the Azure portal, or by working directly within the context of that customer's subscription, either in the Azure portal or via APIs.

Azure Lighthouse allows greater flexibility to manage resources for multiple customers without having to sign in to different accounts in different tenants. For example, a service provider may have two customers with different responsibilities and access levels. Using Azure Lighthouse, authorized users can sign in to the service provider's tenant to access these resources.

[Figure: Customer resources managed through a single service provider tenant]

APIs and management tool support

You can perform management tasks on delegated resources either directly in the portal or by using APIs and management tools (such as Azure CLI and Azure PowerShell). All existing APIs can be used when working with delegated resources, as long as the functionality is supported for cross-tenant management and the user has the appropriate permissions.

The Azure PowerShell Get-AzSubscription cmdlet shows the TenantId for each subscription, allowing you to identify whether a returned subscription belongs to your service provider tenant or to a managed customer tenant.

Similarly, Azure CLI commands such as az account list show the homeTenantId and managedByTenants attributes.

Tip

If you don't see these values when using Azure CLI, try clearing your cache by running az account clear followed by az login --identity.
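As an added example (not code from the original article), the following script applies the homeTenantId and managedByTenants check described above to the JSON that az account list emits, so a service provider can tell its own subscriptions apart from those reached through Azure Lighthouse. The JSON sample and all tenant and subscription IDs are constructed placeholders, and the function names are the example's own.

```python
"""Classify subscriptions from `az account list --output json` as belonging to
the provider's home tenant or delegated via Azure Lighthouse (example code)."""
import json

# Constructed sample in the shape of `az account list --output json`.
# The tenant and subscription IDs are placeholders, not real values.
SAMPLE_AZ_ACCOUNT_LIST = """
[
  {"id": "11111111-1111-1111-1111-111111111111", "name": "provider-ops",
   "state": "Enabled",
   "homeTenantId": "aaaaaaaa-0000-0000-0000-000000000001",
   "managedByTenants": []},
  {"id": "22222222-2222-2222-2222-222222222222", "name": "contoso-prod",
   "state": "Enabled",
   "homeTenantId": "bbbbbbbb-0000-0000-0000-000000000002",
   "managedByTenants": [{"tenantId": "aaaaaaaa-0000-0000-0000-000000000001"}]}
]
"""


def classify_subscriptions(az_json: str, provider_tenant_id: str) -> dict:
    """Map each subscription ID to 'home', 'delegated' or 'foreign'.

    'home'      - homeTenantId is the provider's own tenant
    'delegated' - another tenant's subscription whose managedByTenants lists
                  the provider tenant, i.e. reached through Azure Lighthouse
    'foreign'   - visible for some other reason (for example a guest account)
    """
    result = {}
    for sub in json.loads(az_json):
        managers = {m["tenantId"] for m in sub.get("managedByTenants", [])}
        if sub.get("homeTenantId") == provider_tenant_id:
            result[sub["id"]] = "home"
        elif provider_tenant_id in managers:
            result[sub["id"]] = "delegated"
        else:
            result[sub["id"]] = "foreign"
    return result


def delegated_subscriptions(az_json: str, provider_tenant_id: str) -> list:
    """Sorted IDs of the subscriptions managed through Azure Lighthouse."""
    kinds = classify_subscriptions(az_json, provider_tenant_id)
    return sorted(sid for sid, kind in kinds.items() if kind == "delegated")


if __name__ == "__main__":
    provider = "aaaaaaaa-0000-0000-0000-000000000001"
    for sid, kind in classify_subscriptions(SAMPLE_AZ_ACCOUNT_LIST, provider).items():
        print(sid, kind)
```

In practice, feed the output of `az account list --output json` to classify_subscriptions with your own tenant ID; a subscription reported as 'foreign' is one you reach with a guest account rather than through delegation.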

We also provide APIs that are specific to performing Azure Lighthouse tasks. For more info, see the Reference section.

Enhanced services and scenarios

Most tasks and services can be performed on delegated resources across managed tenants. Below are some of the key scenarios where cross-tenant management can be especially effective.

Azure Arc for servers (preview):

Azure Automation:

  • Use automation accounts to access and work with delegated customer resources

Azure Backup:

  • Back up and restore customer data in customer tenants
  • Use the Backup Explorer to help view operational information of backup items (including Azure resources not yet configured for backup) and monitoring information (jobs and alerts) for delegated subscriptions. The Backup Explorer is currently available only for Azure VM data.
  • Use Backup Reports across delegated subscriptions to track historical trends, analyze backup storage consumption, and audit backups and restores.

Azure Cost Management + Billing:

  • From the managing tenant, CSP partners can view, manage, and analyze pre-tax consumption costs (not inclusive of purchases) for customers who are under the Azure plan. The cost will be based on retail rates and the Azure RBAC access that the partner has for the customer's subscription.

Azure Kubernetes Service (AKS):

  • Manage hosted Kubernetes environments and deploy and manage containerized applications within customer tenants

Azure Monitor:

  • View alerts for delegated subscriptions, with the ability to view alerts across all subscriptions
  • View activity log details for delegated subscriptions
  • Log Analytics: Query data from remote customer workspaces in multiple tenants
  • Create alerts in customer tenants that trigger automation, such as Azure Automation runbooks or Azure Functions, in the service provider tenant through webhooks

Azure Networking:

Azure Policy:

  • Compliance snapshots show details for assigned policies within delegated subscriptions
  • Create and edit policy definitions within a delegated subscription
  • Assign customer-defined policy definitions within the delegated subscription
  • Customers see policies authored by the service provider alongside any policies they've authored themselves
  • Can remediate deployIfNotExists or modify assignments within the customer tenant

Azure Resource Graph:

  • Now includes the tenant ID in returned query results, allowing you to identify whether a subscription belongs to the customer tenant or the service provider tenant

Azure Security Center:

  • Cross-tenant visibility
    • Monitor compliance with security policies and ensure security coverage across all tenants' resources
    • Continuous regulatory compliance monitoring across multiple customers in a single view
    • Monitor, triage, and prioritize actionable security recommendations with secure score calculation
  • Cross-tenant security posture management
    • Manage security policies
    • Take action on resources that are out of compliance with actionable security recommendations
    • Collect and store security-related data
  • Cross-tenant threat detection and protection
    • Detect threats across tenants' resources
    • Apply advanced threat protection controls such as just-in-time (JIT) VM access
    • Harden network security group configuration with Adaptive Network Hardening
    • Ensure servers are running only the applications and processes they should be with adaptive application controls
    • Monitor changes to important files and registry entries with File Integrity Monitoring (FIM)

Azure Sentinel:

Azure Service Health:

  • Monitor the health of customer resources with Azure Resource Health
  • Track the health of the Azure services used by your customers

Azure Site Recovery:

  • Manage disaster recovery options for Azure virtual machines in customer tenants (note that you can't use RunAs accounts to copy VM extensions)

Azure Virtual Machines:

  • Use virtual machine extensions to provide post-deployment configuration and automation tasks on Azure VMs in customer tenants
  • Use boot diagnostics to troubleshoot Azure VMs in customer tenants
  • Access VMs with the serial console in customer tenants
  • Integrate VMs with Azure Key Vault for passwords, secrets, or cryptographic keys for disk encryption by using managed identity through policy, ensuring that secrets are stored in a Key Vault in the customer tenant
  • Note that you can't use Azure Active Directory for remote login to VMs in customer tenants

Support requests:

  • Open support requests for delegated resources from the Help + support blade in the Azure portal (selecting the support plan available to the delegated scope)

Current limitations

With all scenarios, please be aware of the following current limitations:

  • Requests handled by Azure Resource Manager can be performed using Azure delegated resource management. The operation URIs for these requests start with https://management.azure.com. However, requests that are handled by an instance of a resource type (such as Key Vault secrets access or storage data access) aren't supported with Azure delegated resource management. The operation URIs for these requests typically start with an address that is unique to your instance, such as https://myaccount.blob.core.windows.net or https://mykeyvault.vault.azure.net/. The latter are also typically data operations rather than management operations.
  • Role assignments must use role-based access control (RBAC) built-in roles. All built-in roles are currently supported with Azure delegated resource management except for Owner or any built-in roles with DataActions permission. The User Access Administrator role is supported only for limited use in assigning roles to managed identities. Custom roles and classic subscription administrator roles are not supported.
  • While you can onboard subscriptions that use Azure Databricks, users in the managing tenant can't launch Azure Databricks workspaces on a delegated subscription at this time.
  • While you can onboard subscriptions and resource groups for Azure delegated resource management that have resource locks, those locks will not prevent actions from being performed by users in the managing tenant. Deny assignments that protect system-managed resources, such as those created by Azure managed applications or Azure Blueprints (system-assigned deny assignments), do prevent users in the managing tenant from acting on those resources; however, at this time users in the customer tenant can't create their own deny assignments (user-assigned deny assignments).

Next steps