
Classic subscription administrator roles, Azure RBAC roles, and Azure AD administrator roles

If you are new to Azure, you may find it a little challenging to understand all the different roles in Azure. This article explains the following roles and when you would use each:

  • Classic subscription administrator roles
  • Azure role-based access control (RBAC) roles
  • Azure Active Directory (Azure AD) administrator roles

To better understand roles in Azure, it helps to know some of the history. When Azure was first released, access to resources was managed with just three administrator roles: Account Administrator, Service Administrator, and Co-Administrator. Later, role-based access control (RBAC) for Azure resources was added. Azure RBAC is a newer authorization system that provides fine-grained access management to Azure resources. RBAC includes many built-in roles, can be assigned at different scopes, and lets you create your own custom roles. To manage resources in Azure AD, such as users, groups, and domains, there are several Azure AD administrator roles.

The following diagram is a high-level view of how the classic subscription administrator roles, Azure RBAC roles, and Azure AD administrator roles are related.

[Image: Different roles in Azure]

Classic subscription administrator roles

Account Administrator, Service Administrator, and Co-Administrator are the three classic subscription administrator roles in Azure. Classic subscription administrators have full access to the Azure subscription. They can manage resources using the Azure portal, the Azure Resource Manager APIs, and the classic deployment model APIs. The account used to sign up for Azure is automatically set as both the Account Administrator and the Service Administrator; additional Co-Administrators can then be added. The Service Administrator and the Co-Administrators have access equivalent to a user who has been assigned the Owner role (an Azure RBAC role) at the subscription scope, so each of them should be reviewed with the same care as a subscription Owner. The following table describes the differences between the three classic subscription administrator roles.

Classic subscription administrator: Account Administrator
  Limit: 1 per Azure account
  Permissions:
  • Access the Azure Account Center
  • Manage all subscriptions in an account
  • Create new subscriptions
  • Cancel subscriptions
  • Change the billing for a subscription
  • Change the Service Administrator
  Notes: Conceptually, the billing owner of the subscription. The Account Administrator has no access to the Azure portal.

Classic subscription administrator: Service Administrator
  Limit: 1 per Azure subscription
  Permissions:
  • Manage services in the Azure portal
  • Assign users to the Co-Administrator role
  Notes: By default, for a new subscription, the Account Administrator is also the Service Administrator. The Service Administrator has access equivalent to a user who is assigned the Owner role at the subscription scope, and has full access to the Azure portal.

Classic subscription administrator: Co-Administrator
  Limit: 200 per subscription
  Permissions:
  • Same access privileges as the Service Administrator, but cannot change the association of subscriptions to Azure directories
  • Assign users to the Co-Administrator role, but cannot change the Service Administrator
  Notes: The Co-Administrator has access equivalent to a user who is assigned the Owner role at the subscription scope.

In the Azure portal, you can manage Co-Administrators or view the Service Administrator on the Classic administrators tab.

[Image: Azure classic subscription administrators in the Azure portal]

In the Azure portal, you can view or change the Service Administrator, or view the Account Administrator, on the properties blade of your subscription.

[Image: Account Administrator and Service Administrator in the Azure portal]

For more information, see Azure classic subscription administrators.

Azure account and Azure subscriptions

An Azure account represents a billing relationship. It consists of a user identity, one or more Azure subscriptions, and an associated set of Azure resources. The person who creates the account is the Account Administrator for all subscriptions created in that account, and is also the default Service Administrator for each subscription.

Azure subscriptions help you organize access to Azure resources. They also help you control how resource usage is reported, billed, and paid for. Each subscription can have a different billing and payment setup, so you can have different subscriptions and different plans by office, department, project, and so on. Every service belongs to a subscription, and the subscription ID may be required for programmatic operations.

Accounts and subscriptions are managed in the Azure Account Center.

Azure RBAC roles

Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management to Azure resources, such as compute and storage. Azure RBAC includes over 70 built-in roles. There are four fundamental RBAC roles; the first three apply to all resource types:

Azure RBAC role: Owner
  Permissions:
  • Full access to all resources
  • Delegate access to others
  Notes: The Service Administrator and Co-Administrators have the equivalent of the Owner role at the subscription scope. Applies to all resource types.

Azure RBAC role: Contributor
  Permissions:
  • Create and manage all types of Azure resources
  • Cannot grant access to others
  Notes: Applies to all resource types.

Azure RBAC role: Reader
  Permissions:
  • View Azure resources
  Notes: Applies to all resource types.

Azure RBAC role: User Access Administrator
  Permissions:
  • Manage user access to Azure resources
  Notes: Lets the holder grant others (and themselves) any role, including Owner, at its assignment scope. This is the role a Global Administrator receives when they elevate access (see "Do Azure RBAC roles and Azure AD administrator roles overlap?" below).
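To make the differences between the four fundamental roles concrete, the following added example (written for this article; it is not code from the Azure documentation or SDK) models how Azure RBAC decides whether an operation is permitted: a role definition allows an operation when one of its Actions matches and none of its NotActions does, and an assignment is inherited by every scope beneath the scope it was made at. The four role definitions are a subset of the real built-in definitions (Actions and NotActions only; DataActions are omitted and Contributor's real NotActions list is longer); the principals, subscription ID and resource names are constructed.

```python
"""How an Azure RBAC role assignment is evaluated: role definition
(Actions minus NotActions) combined with scope inheritance.

Added example for this article, not code from the Azure documentation
or SDK. The role definitions are a subset of the real built-in ones
(Actions and NotActions only; DataActions omitted, Contributor's real
NotActions list is longer). Principals, IDs and resource names are constructed.
"""
import re

BUILTIN_ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    # Contributor is "*" minus the authorization writes, which is exactly
    # why it can manage resources but cannot grant access to others.
    "Contributor": {
        "actions": ["*"],
        "not_actions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"actions": ["*/read"], "not_actions": []},
    # User Access Administrator can read everything and manage access,
    # but cannot create or change resources.
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "not_actions": [],
    },
}


def action_matches(pattern: str, operation: str) -> bool:
    """Azure action wildcard: '*' matches any run of characters, '/' included.
    Operation names are compared case-insensitively."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def role_permits(role_name: str, operation: str) -> bool:
    """A role permits an operation if some Action matches it and no NotAction does."""
    role = BUILTIN_ROLES[role_name]
    allowed = any(action_matches(a, operation) for a in role["actions"])
    denied = any(action_matches(n, operation) for n in role["not_actions"])
    return allowed and not denied


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment applies at its own scope and is inherited by every scope
    beneath it, never upward. The root scope "/" (where elevated access is
    granted) covers every management group, subscription and resource."""
    parent = assignment_scope.rstrip("/").lower()
    child = target_scope.rstrip("/").lower()
    return parent == "" or child == parent or child.startswith(parent + "/")


def is_permitted(assignments, principal: str, operation: str, target_scope: str) -> bool:
    """Effective-permission check. Azure RBAC is additive: one assignment that
    covers the target and permits the operation is enough."""
    return any(
        scope_covers(a["scope"], target_scope) and role_permits(a["role"], operation)
        for a in assignments
        if a["principal"] == principal
    )


# Constructed scopes and assignments (not a real subscription or real users).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm01"

ASSIGNMENTS = [
    {"principal": "alice", "role": "Contributor", "scope": SUB},
    {"principal": "bob", "role": "Reader", "scope": RG},
    {"principal": "carol", "role": "User Access Administrator", "scope": "/"},
]

if __name__ == "__main__":
    checks = [
        ("alice", "Microsoft.Compute/virtualMachines/write", VM),       # True
        ("alice", "Microsoft.Authorization/roleAssignments/write", VM),  # False: blocked by NotAction
        ("bob", "Microsoft.Compute/virtualMachines/read", VM),           # True: inherited from the resource group
        ("bob", "Microsoft.Resources/subscriptions/read", SUB),          # False: no upward inheritance
        ("carol", "Microsoft.Authorization/roleAssignments/write", VM),  # True: root-scope assignment
        ("carol", "Microsoft.Compute/virtualMachines/write", VM),        # False: UAA manages access only
    ]
    for principal, operation, scope in checks:
        print(f"{principal:6} {operation:48} {is_permitted(ASSIGNMENTS, principal, operation, scope)}")
```

The two Contributor checks are the point of the table: alice can create a VM but cannot write a role assignment, because the Contributor definition explicitly excludes Microsoft.Authorization writes. Conversely, carol (User Access Administrator at the root scope) cannot touch the VM but can hand out any role on it, including Owner, which is why a root-scope User Access Administrator assignment deserves the same scrutiny as Owner.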

The rest of the built-in roles allow management of specific Azure resources. For example, the Virtual Machine Contributor role allows the user to create and manage virtual machines. For a list of all the built-in roles, see Built-in roles for Azure resources.

Only the Azure portal and the Azure Resource Manager APIs support Azure RBAC. Users, groups, and applications that are assigned RBAC roles cannot use the Azure classic deployment model APIs. The practical consequence is that anyone who still has to operate classic (pre-Resource Manager) resources needs one of the classic administrator roles described above; an RBAC assignment alone, even Owner, is not enough for those APIs.

In the Azure portal, role assignments using RBAC appear on the Access control (IAM) blade. This blade can be found throughout the portal, for example on management groups, subscriptions, resource groups, and individual resources.

[Image: Access control (IAM) blade in the Azure portal]

When you click the Roles tab, you will see the list of built-in and custom roles.

[Image: Built-in roles in the Azure portal]

For more information, see Manage access to Azure resources using RBAC and the Azure portal.

Azure AD administrator roles

Azure AD administrator roles are used to manage Azure AD resources in a directory, such as creating or editing users, assigning administrative roles to others, resetting user passwords, managing user licenses, and managing domains. The following table describes a few of the more important Azure AD administrator roles.

Azure AD administrator role: Global Administrator
  Permissions:
  • Manage access to all administrative features in Azure Active Directory, as well as services that federate to Azure Active Directory
  • Assign administrator roles to others
  • Reset the password for any user and all other administrators
  Notes: The person who signs up for the Azure Active Directory tenant becomes a Global Administrator.

Azure AD administrator role: User Administrator
  Permissions:
  • Create and manage all aspects of users and groups
  • Manage support tickets
  • Monitor service health
  • Change passwords for users, Helpdesk administrators, and other User Administrators

Azure AD administrator role: Billing Administrator
  Permissions:
  • Make purchases
  • Manage subscriptions
  • Manage support tickets
  • Monitor service health

In the Azure portal, you can see the list of Azure AD administrator roles on the Roles and administrators blade. For a list of all the Azure AD administrator roles, see Administrator role permissions in Azure Active Directory.

[Image: Azure AD administrator roles in the Azure portal]

Differences between Azure RBAC roles and Azure AD administrator roles

At a high level, Azure RBAC roles control permissions to manage Azure resources, while Azure AD administrator roles control permissions to manage Azure Active Directory resources. The following table compares some of the differences.

Azure RBAC roles | Azure AD administrator roles
Manage access to Azure resources | Manage access to Azure Active Directory resources
Support custom roles | Cannot create your own roles
Scope can be specified at multiple levels (management group, subscription, resource group, resource) | Scope is at the tenant level
Role information can be accessed in the Azure portal, Azure CLI, Azure PowerShell, Azure Resource Manager templates, and the REST API | Role information can be accessed in the Azure admin portal, Microsoft 365 admin center, Microsoft Graph, and AzureAD PowerShell

Do Azure RBAC roles and Azure AD administrator roles overlap?

By default, Azure RBAC roles and Azure AD administrator roles do not span Azure and Azure AD. However, if a Global Administrator elevates their access by turning on the "Global admin can manage Azure Subscriptions and Management Groups" switch in the Azure portal, the Global Administrator is granted the User Access Administrator role (an RBAC role) on all subscriptions for that tenant. The assignment is made at the root scope ("/"), which sits above every management group and subscription, so it also covers subscriptions created later. The User Access Administrator role lets the user grant other users, or themselves, any level of access to Azure resources, including Owner. This switch can be helpful to regain access to a subscription. It also means that every Global Administrator is one click away from full control of all Azure resources in the tenant, so treat Global Administrator membership as Azure-wide privilege, remove the root-scope assignment once the recovery task is done, and review root-scope User Access Administrator assignments that nobody can account for. For more information, see Elevate access as an Azure AD administrator.
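The two kinds of subscription-wide access discussed on this page, classic administrators (Owner-equivalent, outside RBAC) and the root-scope User Access Administrator assignment left behind by an elevated Global Administrator, both show up in a role assignment export. The following added example (written for this article, not code from the Azure documentation or CLI) audits such an export for them, plus Owner and User Access Administrator at management group or subscription scope. The input is constructed JSON in the shape emitted by `az role assignment list --all --include-classic-administrators` (fields scope, roleDefinitionName, principalName, principalType); the identities and IDs are invented, and the classic-administrator markers assume that command's convention of reporting classic admins with roleDefinitionName values such as "CoAdministrator" and "ServiceAdministrator;AccountAdministrator".

```python
"""Audit a role assignment export for principals with subscription-wide or
tenant-wide administrative access.

Added example for this article, not code from the Azure documentation or
CLI. Input is constructed JSON shaped like the output of
`az role assignment list --all --include-classic-administrators`;
identities and IDs are invented. The classic-admin markers assume that
command reports classic administrators as roleDefinitionName values such as
"CoAdministrator" and "ServiceAdministrator;AccountAdministrator".
"""
import json

# Constructed export; a real one comes from the az command above.
SAMPLE_EXPORT = json.dumps([
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
    {"principalName": "bob@example.com", "principalType": "User",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app"},
    {"principalName": "carol@example.com", "principalType": "User",
     "roleDefinitionName": "User Access Administrator", "scope": "/"},
    {"principalName": "dave@example.com", "principalType": "User",
     "roleDefinitionName": "CoAdministrator",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
    {"principalName": "erin@example.com", "principalType": "User",
     "roleDefinitionName": "ServiceAdministrator;AccountAdministrator",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
    {"principalName": "deploy-pipeline", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
    {"principalName": "platform-admins", "principalType": "Group",
     "roleDefinitionName": "Owner",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-prod"},
])

# Roles that can hand out access to others (and therefore to themselves).
ACCESS_GRANTING_ROLES = {"Owner", "User Access Administrator"}
CLASSIC_ADMIN_MARKERS = ("CoAdministrator", "ServiceAdministrator")


def scope_level(scope: str) -> str:
    """Classify an Azure Resource Manager scope string by the level it sits at."""
    trimmed = scope.strip("/")
    parts = trimmed.split("/") if trimmed else []
    if not parts:
        return "root"
    if len(parts) >= 2 and parts[0] == "providers" and parts[1] == "Microsoft.Management":
        return "managementGroup"
    if parts[0] == "subscriptions" and len(parts) == 2:
        return "subscription"
    if parts[0] == "subscriptions" and len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resourceGroup"
    return "resource"


def audit(export_json: str) -> list:
    """Return (finding, principal, role, scope) tuples for broad administrative access."""
    findings = []
    for asg in json.loads(export_json):
        role, scope, who = asg["roleDefinitionName"], asg["scope"], asg["principalName"]
        level = scope_level(scope)
        if any(marker in role for marker in CLASSIC_ADMIN_MARKERS):
            # Owner-equivalent on the whole subscription, managed outside RBAC.
            findings.append(("classic-admin", who, role, scope))
        elif level == "root" and role in ACCESS_GRANTING_ROLES:
            # Typically a Global Administrator who elevated access and did not remove it.
            findings.append(("root-scope-admin", who, role, scope))
        elif level in ("managementGroup", "subscription") and role in ACCESS_GRANTING_ROLES:
            findings.append(("broad-admin", who, role, scope))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(*finding)
```

Reader and Contributor assignments are deliberately not reported: neither can change who has access. Classic administrators are listed separately from RBAC Owners because they are removed on the Classic administrators tab, not on the Access control (IAM) blade, and are easy to overlook in an RBAC-only review.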

Several Azure AD administrator roles span Azure AD and Microsoft Office 365, such as the Global Administrator and User Administrator roles. For example, if you are a member of the Global Administrator role, you have global administrator capabilities in both Azure AD and Office 365, such as making changes to Microsoft Exchange and Microsoft SharePoint. However, by default, the Global Administrator does not have access to Azure resources.

[Image: Azure RBAC versus Azure AD administrator roles]

Next steps