
Onboard a customer to Azure delegated resource management

This article explains how you, as a service provider, can onboard a customer to Azure delegated resource management, so that the resources they delegate (subscriptions and/or resource groups) can be accessed and managed from your own Azure Active Directory (Azure AD) tenant. Although we refer to service providers and customers here, an enterprise that manages multiple tenants can use the same process to set up Azure Lighthouse and consolidate its management experience.

You can repeat this process for each customer whose resources you manage. When an authorized user then signs in to your tenant, that user can be authorized across customer tenancy scopes to perform management operations without signing in to each individual customer tenant.

To track your impact across customer engagements and receive recognition, associate your Microsoft Partner Network (MPN) ID with at least one user account that has access to each of your onboarded subscriptions. This association must be made in your service provider tenant. For simplicity, we recommend creating a service principal in your tenant, associating it with your MPN ID, and granting it Reader access to every customer you onboard. For more information, see Link a partner ID to your Azure accounts.

Note

Customers can also be onboarded when they purchase a managed services offer (public or private) that you published to Azure Marketplace. For more information, see Publish Managed Services offers to Azure Marketplace. You can also use the onboarding process described here alongside an offer published to Azure Marketplace.

Onboarding requires actions from within both the service provider's tenant and the customer's tenant. All of these steps are described in this article.

Gather tenant and subscription details

To onboard a customer's tenant, it must have an active Azure subscription. You need the following values:

  • The tenant ID of the service provider's tenant (where you will be managing the customer's resources)
  • The tenant ID of the customer's tenant (which will have resources managed by the service provider)
  • The subscription ID of each subscription in the customer's tenant that will be managed by the service provider (or that contains the resource group(s) that will be managed by the service provider)

Note

Even if you only wish to onboard one or more resource groups within a subscription, the deployment must be done at the subscription level, so you will need the subscription ID.

If you don't already have these ID values, you can retrieve them in one of the following ways. Be sure to use these exact values in your deployment.

Azure portal

Your tenant ID is shown when you hover over your account name in the upper right of the Azure portal, or when you select Switch directory. To select and copy your tenant ID, search for "Azure Active Directory" in the portal, select Properties, and copy the value in the Directory ID field (labelled Tenant ID in newer versions of the portal). To find the ID of a subscription in the customer's tenant, search for "Subscriptions" and select the appropriate subscription.

PowerShell

# Log in first with Connect-AzAccount if you're not using Cloud Shell

# Selecting a subscription prints its Subscription (Id) and Tenant (Id). Run this in the
# tenant whose IDs you need: your own for managedByTenantId, the customer's for the
# subscription IDs.
Select-AzSubscription <subscriptionId>

Azure CLI

# Log in first with az login if you're not using Cloud Shell

az account set --subscription <subscriptionId/name>
# Shows the selected subscription; the "id" field is the subscription ID and "tenantId" the tenant ID
az account show

Note

When you onboard a subscription (or one or more resource groups within a subscription) using the process described here, the Microsoft.ManagedServices resource provider is registered for that subscription.

Define roles and permissions

As a service provider, you may want to perform multiple tasks for a single customer, requiring different access at different scopes. You can define as many authorizations as you need to assign role-based access control (RBAC) built-in roles to users in your tenant.

To make management easier, we recommend using an Azure AD user group for each role, so that you add or remove individual users in the group rather than assigning permissions directly to each user. You may also want to assign roles to a service principal. Be sure to follow the principle of least privilege so that users only have the permissions needed to do their job. For recommendations and information about supported roles, see Tenants, users, and roles in Azure Lighthouse scenarios.

Important

To add permissions for an Azure AD group, the Group type must be Security, not Office 365. This option is chosen when the group is created. For more information, see Create a basic group and add members using Azure Active Directory.

To define authorizations, you need the object ID of each user, user group, or service principal in the service provider tenant to which you want to grant access, and the role definition ID of each built-in role you want to assign. If you don't already have them, retrieve them by running the following commands from within the service provider tenant.

PowerShell

# Log in first with Connect-AzAccount if you're not using Cloud Shell

# Object ID of an Azure AD security group
(Get-AzADGroup -DisplayName '<yourGroupName>').Id

# Object ID of an Azure AD user
(Get-AzADUser -UserPrincipalName '<yourUPN>').Id

# Object ID of a service principal. Query the service principal, not the application
# registration: the principalId in an authorization is the service principal's object ID,
# and the application object's ID is a different object that cannot sign in.
(Get-AzADServicePrincipal -DisplayName '<spDisplayName>').Id

# Role definition ID (the GUID) of a built-in role
(Get-AzRoleDefinition -Name '<roleName>').Id

Azure CLI

# Log in first with az login if you're not using Cloud Shell
# Azure CLI 2.37 and later (Microsoft Graph) return the object ID in the "id" property;
# older versions called it "objectId".

# Object ID of an Azure AD security group (--group accepts the display name)
az ad group show --group "<yourGroupName>" --query id --output tsv

# Object ID of an Azure AD user
az ad user show --id "<yourUPN>" --query id --output tsv

# Object ID of a service principal (not the app registration)
az ad sp list --display-name "<spDisplayName>" --query "[].id" --output tsv

# Role definition ID of a built-in role: the GUID is in the "name" field
az role definition list --name "<roleName>" --query "[].name" --output tsv

Tip

We recommend assigning the Managed Services Registration Assignment Delete Role when onboarding a customer, so that users in your tenant can remove the delegation later if needed. If this role is not assigned, the delegation can only be removed by a user in the customer's tenant.

Create an Azure Resource Manager template

To onboard your customer, you need an Azure Resource Manager template for your offer that carries the following information. The mspOfferName and mspOfferDescription values are visible to the customer when viewing the offer details on the Service providers page of the Azure portal.

  • mspOfferName: A name describing this definition. This value is displayed to the customer as the title of the offer.
  • mspOfferDescription: A brief description of your offer (for example, "Contoso VM management offer").
  • managedByTenantId: Your (service provider) tenant ID.
  • authorizations: The principalId values of the users, groups, or service principals in your tenant, each with a principalIdDisplayName that helps the customer understand the purpose of the authorization, and each mapped to a built-in roleDefinitionId that specifies the level of access.

The onboarding process uses an Azure Resource Manager template (provided in our samples repo) and a corresponding parameters file that you modify to match your configuration and define your authorizations.

Which template you choose depends on whether you are onboarding an entire subscription, a single resource group, or multiple resource groups within a subscription. We also provide a template for customers who purchased a managed services offer that you published to Azure Marketplace, if you prefer to onboard their subscription(s) that way.

  • Subscription: use delegatedResourceManagement.json and modify delegatedResourceManagement.parameters.json
  • Resource group: use rgDelegatedResourceManagement.json and modify rgDelegatedResourceManagement.parameters.json
  • Multiple resource groups within a subscription: use multipleRgDelegatedResourceManagement.json and modify multipleRgDelegatedResourceManagement.parameters.json
  • Subscription (when using an offer published to Azure Marketplace): use marketplaceDelegatedResourceManagement.json and modify marketplaceDelegatedResourceManagement.parameters.json

Important

The process described here requires a separate subscription-level deployment for each subscription being onboarded, even when the subscriptions are in the same customer tenant. Separate deployments are likewise required when onboarding resource groups that are in different subscriptions of the same customer tenant. Multiple resource groups within a single subscription, however, can be onboarded in one subscription-level deployment.

Separate deployments are also required when multiple offers are applied to the same subscription (or to resource groups within a subscription). Each offer applied must use a different mspOfferName.
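When a provider onboards many scopes at once, it helps to work out how many deployments the rules above imply before writing any parameter files. The following Python helper is an added example, not code from the Azure docs or the samples repository. It groups the scopes you intend to delegate into deployments and picks the template for each, following the rules stated above; the tenant and subscription IDs it uses are constructed placeholders.

```python
"""Plan the deployments needed to onboard a set of customer scopes.

Added example for this article; not code from the Azure docs or the Azure-Samples
templates repo. It applies the rules stated above: one subscription-level deployment
per customer subscription and per offer; the subscription template when the whole
subscription is delegated; the single resource group template for one resource
group; the multiple resource groups template when several resource groups of one
subscription are delegated together; and a separate deployment, with its own
mspOfferName, for each offer applied to the same subscription.
"""
from collections import defaultdict

# Template and parameter file for each kind of scope (file names from the samples repo).
TEMPLATES = {
    "subscription": ("delegatedResourceManagement.json",
                     "delegatedResourceManagement.parameters.json"),
    "resourceGroup": ("rgDelegatedResourceManagement.json",
                      "rgDelegatedResourceManagement.parameters.json"),
    "multipleResourceGroups": ("multipleRgDelegatedResourceManagement.json",
                               "multipleRgDelegatedResourceManagement.parameters.json"),
}


def plan_deployments(scopes):
    """Group scopes into the minimum set of subscription-level deployments.

    Each scope is a dict with customerTenantId, subscriptionId and mspOfferName, plus
    an optional resourceGroup (omit it to delegate the whole subscription). One plan
    entry is returned per (tenant, subscription, offer), sorted for stable output.
    """
    groups = defaultdict(list)
    for scope in scopes:
        key = (scope["customerTenantId"], scope["subscriptionId"], scope["mspOfferName"])
        groups[key].append(scope.get("resourceGroup") or None)

    plan = []
    for (tenant, sub, offer), rgs in sorted(groups.items()):
        rg_names = sorted({rg for rg in rgs if rg})
        whole_subscription = None in rgs
        notes = []
        if whole_subscription and rg_names:
            # A subscription-level delegation already covers every resource group in it.
            notes.append("resource group(s) %s are covered by the subscription-level "
                         "delegation and need no separate entry" % ", ".join(rg_names))
            rg_names = []
        if whole_subscription:
            kind = "subscription"
        elif len(rg_names) == 1:
            kind = "resourceGroup"
        else:
            kind = "multipleResourceGroups"
        template, parameters_file = TEMPLATES[kind]
        plan.append({"customerTenantId": tenant, "subscriptionId": sub,
                     "mspOfferName": offer, "scope": kind, "resourceGroups": rg_names,
                     "template": template, "parametersFile": parameters_file, "notes": notes})
    return plan


# Constructed sample: one customer tenant, two subscriptions, two offers. The IDs are
# placeholders, not real tenants or subscriptions.
CUSTOMER = "00000000-0000-0000-0000-00000000c001"
SUB_A = "00000000-0000-0000-0000-0000000000a1"
SUB_B = "00000000-0000-0000-0000-0000000000b2"
SAMPLE_SCOPES = [
    {"customerTenantId": CUSTOMER, "subscriptionId": SUB_A, "mspOfferName": "Fabrikam VM Management"},
    {"customerTenantId": CUSTOMER, "subscriptionId": SUB_B, "mspOfferName": "Fabrikam VM Management",
     "resourceGroup": "rg-web"},
    {"customerTenantId": CUSTOMER, "subscriptionId": SUB_B, "mspOfferName": "Fabrikam VM Management",
     "resourceGroup": "rg-db"},
    {"customerTenantId": CUSTOMER, "subscriptionId": SUB_B, "mspOfferName": "Fabrikam SOC Monitoring",
     "resourceGroup": "rg-db"},
]

if __name__ == "__main__":
    for d in plan_deployments(SAMPLE_SCOPES):
        print("%s | %s | %s | %s | %s" % (
            d["subscriptionId"], d["mspOfferName"], d["scope"], d["template"],
            ", ".join(d["resourceGroups"]) or "(whole subscription)"))
        for note in d["notes"]:
            print("   note:", note)
```

For the sample above the planner produces three deployments: one subscription-level delegation of the first subscription, one multiple-resource-group deployment for rg-db and rg-web in the second subscription under the VM Management offer, and a separate single-resource-group deployment of rg-db under the SOC Monitoring offer, because a second offer on the same subscription always needs its own deployment and its own mspOfferName.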

The following example shows a modified delegatedResourceManagement.parameters.json file that can be used to onboard a subscription. The resource group parameter files (in the rg-delegated-resource-management folder) are similar, but also include an rgName parameter that identifies the specific resource group(s) to be onboarded. The managedByTenantId and principalId values here are sample values; replace them with the IDs retrieved from your own tenant. Note that the principalId in the last authorization (3kl47fff-5655-4779-b726-2cf02b05c7c4) is not a valid GUID, since a GUID contains only hexadecimal digits, so a deployment with that literal value would fail.

{
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "mspOfferName": {
            "value": "Fabrikam Managed Services - Interstellar"
        },
        "mspOfferDescription": {
            "value": "Fabrikam Managed Services - Interstellar"
        },
        "managedByTenantId": {
            "value": "df4602a3-920c-435f-98c4-49ff031b9ef6"
        },
        "authorizations": {
            "value": [
                {
                    "principalId": "0019bcfb-6d35-48c1-a491-a701cf73b419",
                    "principalIdDisplayName": "Tier 1 Support",
                    "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
                },
                {
                    "principalId": "0019bcfb-6d35-48c1-a491-a701cf73b419",
                    "principalIdDisplayName": "Tier 1 Support",
                    "roleDefinitionId": "36243c78-bf99-498c-9df9-86d9f8d28608"
                },
                {
                    "principalId": "0afd8497-7bff-4873-a7ff-b19a6b7b332c",
                    "principalIdDisplayName": "Tier 2 Support",
                    "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7"
                },
                {
                    "principalId": "9fe47fff-5655-4779-b726-2cf02b07c7c7",
                    "principalIdDisplayName": "Service Automation Account",
                    "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
                },
                {
                    "principalId": "3kl47fff-5655-4779-b726-2cf02b05c7c4",
                    "principalIdDisplayName": "Policy Automation Account",
                    "roleDefinitionId": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
                    "delegatedRoleDefinitionIds": [
                        "b24988ac-6180-42a0-ab88-20f7382dd24c",
                        "92aaf0da-9dab-42b6-94a3-d43ce8d16293"
                    ]
                }
            ]
        }
    }
}

The last authorization in the example above adds a principalId with the User Access Administrator role (18d7d88d-d35e-4fb5-a5c3-7773c20a72d9). When assigning this role, you must include the delegatedRoleDefinitionIds property listing one or more built-in roles. The principal in this authorization can assign only those built-in roles to managed identities in the customer tenant, which is required to deploy policies that can be remediated. None of the other permissions normally associated with the User Access Administrator role apply to this principal.
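Because the parameters file is the only artifact the customer deploys, it is worth checking it before handing it over. The following Python script is an added example, not code from the Azure docs or the Azure-Samples templates; it validates a parameters file against the rules from the Define roles and permissions section and the paragraphs above: every ID must be a GUID, a User Access Administrator authorization must carry delegatedRoleDefinitionIds, some principal should hold Reader (or another role with read access, for which Contributor is used as a stand-in here) so the delegation is visible under My customers, and the Managed Services Registration Assignment Delete Role should be granted so your tenant can remove the delegation itself. The role ID of the Delete Role is taken from Azure's built-in roles list rather than from this page; confirm it in your tenant with Get-AzRoleDefinition. The script embeds the page's sample file, and running it reports the sample's invalid principalId and its missing Delete Role authorization.

```python
"""Validate an Azure Lighthouse parameters file before it is deployed.

Added example for this article; not code from the Azure docs or the Azure-Samples
templates. It checks the rules the text states: IDs must be GUIDs, a User Access
Administrator authorization must carry delegatedRoleDefinitionIds, some principal
should hold Reader so the delegation appears under My customers, and the Managed
Services Registration Assignment Delete Role should be granted.
"""
import json
import re
import sys

GUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.IGNORECASE)

# Built-in role IDs. The first three appear in the article's sample; the Delete Role
# ID is taken from Azure's built-in roles list (confirm it with Get-AzRoleDefinition).
READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"
USER_ACCESS_ADMIN = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
REG_ASSIGNMENT_DELETE = "91c1777a-f3dc-4fae-b103-61d183457e46"


def is_guid(value):
    return isinstance(value, str) and GUID_RE.fullmatch(value) is not None


def auth_entry(principal_id, display_name, role_id, delegated_role_ids=None):
    """One element of the authorizations array."""
    entry = {"principalId": principal_id, "principalIdDisplayName": display_name,
             "roleDefinitionId": role_id}
    if delegated_role_ids is not None:
        entry["delegatedRoleDefinitionIds"] = list(delegated_role_ids)
    return entry


def build_params(offer_name, offer_description, tenant_id, authorizations):
    """Assemble a delegatedResourceManagement.parameters.json document."""
    schema = "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentParameters.json#"
    return {"$schema": schema, "contentVersion": "1.0.0.0", "parameters": {
        "mspOfferName": {"value": offer_name},
        "mspOfferDescription": {"value": offer_description},
        "managedByTenantId": {"value": tenant_id},
        "authorizations": {"value": list(authorizations)}}}


def validate(doc):
    """Return (errors, warnings): errors would break the deployment or leave the
    delegation unusable; warnings are choices the article advises against."""
    errors, warnings = [], []
    params = doc.get("parameters", {})
    for key in ("mspOfferName", "mspOfferDescription", "managedByTenantId", "authorizations"):
        if not isinstance(params.get(key), dict) or "value" not in params[key]:
            errors.append("missing parameter: " + key)
    if errors:
        return errors, warnings
    tenant = params["managedByTenantId"]["value"]
    if not is_guid(tenant):
        errors.append("managedByTenantId is not a GUID: %r" % (tenant,))
    auths = params["authorizations"]["value"]
    if not auths:
        errors.append("authorizations is empty; nothing would be delegated")
    granted = set()
    for i, a in enumerate(auths):
        pid, rid = a.get("principalId", ""), a.get("roleDefinitionId", "")
        label = a.get("principalIdDisplayName") or "authorization[%d]" % i
        if not is_guid(pid):
            errors.append("%s: principalId is not a GUID: %r" % (label, pid))
        if not is_guid(rid):
            errors.append("%s: roleDefinitionId is not a GUID: %r" % (label, rid))
        delegated = a.get("delegatedRoleDefinitionIds")
        if str(rid).lower() == USER_ACCESS_ADMIN:
            if not delegated:
                errors.append(label + ": User Access Administrator requires delegatedRoleDefinitionIds")
            errors.extend("%s: delegatedRoleDefinitionIds entry is not a GUID: %r" % (label, d)
                          for d in delegated or [] if not is_guid(d))
        elif delegated:
            warnings.append(label + ": delegatedRoleDefinitionIds only applies to User Access Administrator")
        granted.add(str(rid).lower())
    if not granted & {READER, CONTRIBUTOR}:
        warnings.append("no authorization grants Reader or Contributor; unless another role with "
                        "read access is granted, the delegation will not appear under My customers")
    if REG_ASSIGNMENT_DELETE not in granted:
        warnings.append("no authorization grants the Managed Services Registration Assignment "
                        "Delete Role; only the customer will be able to remove the delegation")
    return errors, warnings


# The article's sample parameters file, re-created here so the script runs offline.
SAMPLE_TENANT = "df4602a3-920c-435f-98c4-49ff031b9ef6"
SAMPLE_AUTHS = [
    auth_entry("0019bcfb-6d35-48c1-a491-a701cf73b419", "Tier 1 Support", CONTRIBUTOR),
    auth_entry("0019bcfb-6d35-48c1-a491-a701cf73b419", "Tier 1 Support", "36243c78-bf99-498c-9df9-86d9f8d28608"),
    auth_entry("0afd8497-7bff-4873-a7ff-b19a6b7b332c", "Tier 2 Support", READER),
    auth_entry("9fe47fff-5655-4779-b726-2cf02b07c7c7", "Service Automation Account", CONTRIBUTOR),
    auth_entry("3kl47fff-5655-4779-b726-2cf02b05c7c4", "Policy Automation Account",
               USER_ACCESS_ADMIN, [CONTRIBUTOR, "92aaf0da-9dab-42b6-94a3-d43ce8d16293"]),
]
SAMPLE = build_params("Fabrikam Managed Services - Interstellar",
                      "Fabrikam Managed Services - Interstellar", SAMPLE_TENANT, SAMPLE_AUTHS)

if __name__ == "__main__":
    # Usage: python validate_params.py [path/to/parameters.json]; default is the sample
    doc = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else SAMPLE
    errs, warns = validate(doc)
    print("\n".join(["ERROR: " + m for m in errs] + ["WARNING: " + m for m in warns]) or "OK")
    sys.exit(1 if errs else 0)
```

Run it against the parameters file you intend to give the customer; a non-zero exit means the deployment would fail. The Reader/Contributor check is deliberately a warning rather than an error, because any role whose actions include read access makes the delegation visible, and the script cannot resolve arbitrary role definitions offline.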

Deploy the Azure Resource Manager templates

Once you have updated your parameters file, a user in the customer's tenant must deploy the Azure Resource Manager template within their tenant as a subscription-level deployment. A separate deployment is needed for each subscription you want to onboard to Azure delegated resource management (or for each subscription that contains resource groups you want to onboard).

Because this is a subscription-level deployment, it cannot be initiated from the Azure portal. Use PowerShell or Azure CLI as shown below.

Important

This subscription-level deployment must be done by a non-guest account in the customer's tenant that holds the Owner built-in role for the subscription being onboarded (or for the subscription that contains the resource groups being onboarded). To see all users who can delegate the subscription, a user in the customer's tenant can select the subscription in the Azure portal, open Access control (IAM), and view the users with the Owner role.

If the subscription was created through the Cloud Solution Provider (CSP) program, any user who has the Admin Agent role in your service provider tenant can perform the deployment.

PowerShell

# Log in first with Connect-AzAccount if you're not using Cloud Shell
# -Location only sets where the deployment metadata is stored; it does not limit the delegation

# Deploy the template using a local template file and parameter file
New-AzSubscriptionDeployment -Name <deploymentName> `
                 -Location <AzureRegion> `
                 -TemplateFile <pathToTemplateFile> `
                 -TemplateParameterFile <pathToParameterFile> `
                 -Verbose

# Deploy an externally hosted template and parameter file
New-AzSubscriptionDeployment -Name <deploymentName> `
                 -Location <AzureRegion> `
                 -TemplateUri <templateUri> `
                 -TemplateParameterUri <parameterUri> `
                 -Verbose

Azure CLI

# Log in first with az login if you're not using Cloud Shell
# "az deployment sub create" is the subscription-scope form; the older "az deployment create"
# has been deprecated in its favour

# Deploy the template using a local template file and parameter file
az deployment sub create --name <deploymentName> \
                         --location <AzureRegion> \
                         --template-file <pathToTemplateFile> \
                         --parameters <pathToParameterFile> \
                         --verbose

# Deploy an externally hosted template with a local parameter file
az deployment sub create --name <deploymentName> \
                         --location <AzureRegion> \
                         --template-uri <templateUri> \
                         --parameters <pathToParameterFile> \
                         --verbose

Confirm successful onboarding

When a customer subscription has been onboarded to Azure delegated resource management, users in the service provider's tenant can see the subscription and its resources, provided they were granted access to it through the process above, either individually or as members of an Azure AD group with the appropriate permissions. To confirm this, check that the subscription appears in one of the following ways.

Azure portal

In the service provider's tenant:

  1. Navigate to the My customers page.
  2. Select Customers.
  3. Confirm that you can see the subscription(s) with the offer name you provided in the Resource Manager template.

Important

To see the delegated subscription in My customers, users in the service provider's tenant must have been granted the Reader role (or another built-in role that includes Reader access) when the subscription was onboarded for Azure delegated resource management.

In the customer's tenant:

  1. Navigate to the Service providers page.
  2. Select Service provider offers.
  3. Confirm that you can see the subscription(s) with the offer name you provided in the Resource Manager template.

Note

It may take a few minutes after the deployment completes before the updates are reflected in the Azure portal.

PowerShell

# Log in first with Connect-AzAccount if you're not using Cloud Shell

# Lists every subscription your account can see. A delegated subscription appears
# alongside your own, with the customer's tenant ID in the TenantId column.
Get-AzSubscription

Azure CLI

# Log in first with az login if you're not using Cloud Shell

# --refresh re-queries Azure instead of using the locally cached subscription list
az account list --refresh --output table

Next steps