
Add or remove role assignments using Azure RBAC and Azure PowerShell

Azure role-based access control (RBAC) is the authorization system you use to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope. This article describes how to assign roles using Azure PowerShell.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Prerequisites

To add or remove role assignments, you must have:

Get object IDs

To add or remove role assignments, you might need to specify the unique ID of an object. The ID has the format: 11111111-1111-1111-1111-111111111111. You can get the ID using the Azure portal or Azure PowerShell.

User

To get the object ID for an Azure AD user, you can use Get-AzADUser.

Get-AzADUser -StartsWith <string_in_quotes>
(Get-AzADUser -DisplayName <name_in_quotes>).id

Group

To get the object ID for an Azure AD group, you can use Get-AzADGroup.

Get-AzADGroup -SearchString <group_name_in_quotes>
(Get-AzADGroup -DisplayName <group_name_in_quotes>).id

Application

To get the object ID for an Azure AD service principal (the identity used by an application), you can use Get-AzADServicePrincipal. For a service principal, use the object ID and not the application ID.

Get-AzADServicePrincipal -SearchString <service_name_in_quotes>
(Get-AzADServicePrincipal -DisplayName <service_name_in_quotes>).id

Add a role assignment

In RBAC, to grant access, you add a role assignment.

User at a resource group scope

To add a role assignment for a user at a resource group scope, use New-AzRoleAssignment.

New-AzRoleAssignment -SignInName <email_or_userprincipalname> -RoleDefinitionName <role_name> -ResourceGroupName <resource_group_name>

PS C:\> New-AzRoleAssignment -SignInName alain@example.com -RoleDefinitionName "Virtual Machine Contributor" -ResourceGroupName pharma-sales


RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales/providers/Microsoft.Authorization/roleAssignments/55555555-5555-5555-5555-555555555555
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales
DisplayName        : Alain Charon
SignInName         : alain@example.com
RoleDefinitionName : Virtual Machine Contributor
RoleDefinitionId   : 9980e02c-c2be-4d73-94e8-173b1dc7cf3c
ObjectId           : 44444444-4444-4444-4444-444444444444
ObjectType         : User
CanDelegate        : False

Using the unique role ID

There are a couple of situations in which a role name might change, for example:

  • You are using your own custom role and you decide to change the name.
  • You are using a preview role that has (Preview) in the name. When the role is released, the role is renamed.

Important

A preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

Even if a role is renamed, the role ID does not change. If you are using scripts or automation to create your role assignments, it's a best practice to use the unique role ID instead of the role name. That way, if a role is renamed, your scripts are more likely to keep working.

To add a role assignment using the unique role ID instead of the role name, use New-AzRoleAssignment.

New-AzRoleAssignment -ObjectId <object_id> -RoleDefinitionId <role_id> -ResourceGroupName <resource_group_name>

The following example assigns the Virtual Machine Contributor role to the alain@example.com user at the pharma-sales resource group scope. To get the unique role ID, you can use Get-AzRoleDefinition or see Built-in roles for Azure resources.

PS C:\> New-AzRoleAssignment -ObjectId 44444444-4444-4444-4444-444444444444 -RoleDefinitionId 9980e02c-c2be-4d73-94e8-173b1dc7cf3c -Scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales

RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales/providers/Microsoft.Authorization/roleAssignments/55555555-5555-5555-5555-555555555555
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales
DisplayName        : Alain Charon
SignInName         : alain@example.com
RoleDefinitionName : Virtual Machine Contributor
RoleDefinitionId   : 9980e02c-c2be-4d73-94e8-173b1dc7cf3c
ObjectId           : 44444444-4444-4444-4444-444444444444
ObjectType         : User
CanDelegate        : False
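The following script is an added example, not code from the original article. It ties together the "Get object IDs" and "Using the unique role ID" steps: it resolves the user to an object ID, resolves the role name to its immutable role definition ID once, and creates the assignment only if it is not already present at that scope. It assumes a signed-in Az PowerShell session; the sign-in name, role name and resource group are constructed placeholders.

```powershell
# Added example (not from the original article). Assumes Connect-AzAccount
# has already been run in this session.
param(
    [string]$SignInName    = 'alain@example.com',           # constructed
    [string]$RoleName      = 'Virtual Machine Contributor', # constructed
    [string]$ResourceGroup = 'pharma-sales'                 # constructed
)

# Build the scope from the current subscription context instead of hard-coding it.
$subscriptionId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subscriptionId/resourceGroups/$ResourceGroup"

# Resolve the principal to its object ID. (For an application, use
# Get-AzADServicePrincipal and its object ID, never the application ID.)
$user = Get-AzADUser -UserPrincipalName $SignInName
if (-not $user) { throw "No Azure AD user found for '$SignInName'" }

# Resolve the role name to its role definition ID once. The ID survives a
# rename (for example when a (Preview) role is released); the name may not.
$roleDef = Get-AzRoleDefinition -Name $RoleName
if (-not $roleDef) { throw "Role definition '$RoleName' not found" }

# Idempotency check: New-AzRoleAssignment fails if the identical assignment
# already exists. Get-AzRoleAssignment at a scope also returns assignments
# inherited from parent scopes, so keep only those made exactly at $scope.
$existing = Get-AzRoleAssignment -ObjectId $user.Id `
                                 -RoleDefinitionId $roleDef.Id `
                                 -Scope $scope |
            Where-Object { $_.Scope -eq $scope }

if ($existing) {
    Write-Output "Assignment already present: $($existing.RoleAssignmentId)"
} else {
    $assignment = New-AzRoleAssignment -ObjectId $user.Id `
                                       -RoleDefinitionId $roleDef.Id `
                                       -Scope $scope
    Write-Output "Created: $($assignment.RoleAssignmentId)"
}
```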

Group at a resource scope

To add a role assignment for a group at a resource scope, use New-AzRoleAssignment. For information about how to get the object ID of the group, see Get object IDs.

New-AzRoleAssignment -ObjectId <object_id> -RoleDefinitionName <role_name> -ResourceName <resource_name> -ResourceType <resource_type> -ParentResource <parent resource> -ResourceGroupName <resource_group_name>

PS C:\> Get-AzADGroup -SearchString "Pharma"

SecurityEnabled DisplayName         Id                                   Type
--------------- -----------         --                                   ----
           True Pharma Sales Admins aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa Group

PS C:\> New-AzRoleAssignment -ObjectId aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa -RoleDefinitionName "Virtual Machine Contributor" -ResourceName RobertVirtualNetwork -ResourceType Microsoft.Network/virtualNetworks -ResourceGroupName RobertVirtualNetworkResourceGroup

RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyVirtualNetworkResourceGroup/providers/Microsoft.Network/virtualNetworks/RobertVirtualNetwork/providers/Microsoft.Authorization/roleAssignments/bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyVirtualNetworkResourceGroup/providers/Microsoft.Network/virtualNetworks/RobertVirtualNetwork
DisplayName        : Pharma Sales Admins
SignInName         :
RoleDefinitionName : Virtual Machine Contributor
RoleDefinitionId   : 9980e02c-c2be-4d73-94e8-173b1dc7cf3c
ObjectId           : aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa
ObjectType         : Group
CanDelegate        : False

Application at a subscription scope

To add a role assignment for an application at a subscription scope, use New-AzRoleAssignment. For information about how to get the object ID of the application, see Get object IDs.

New-AzRoleAssignment -ObjectId <object_id> -RoleDefinitionName <role_name> -Scope /subscriptions/<subscription_id>

PS C:\> New-AzRoleAssignment -ObjectId 77777777-7777-7777-7777-777777777777 -RoleDefinitionName "Reader" -Scope /subscriptions/00000000-0000-0000-0000-000000000000

RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/66666666-6666-6666-6666-666666666666
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000
DisplayName        : MyApp1
SignInName         :
RoleDefinitionName : Reader
RoleDefinitionId   : acdd72a7-3385-48ef-bd42-f606fba81ae7
ObjectId           : 77777777-7777-7777-7777-777777777777
ObjectType         : ServicePrincipal
CanDelegate        : False

User at a management group scope

To add a role assignment for a user at a management group scope, use New-AzRoleAssignment. To get the management group ID, you can find it on the Management groups blade in the Azure portal, or you can use Get-AzManagementGroup.

New-AzRoleAssignment -SignInName <email_or_userprincipalname> -RoleDefinitionName <role_name> -Scope /providers/Microsoft.Management/managementGroups/<group_id>

PS C:\> New-AzRoleAssignment -SignInName alain@example.com -RoleDefinitionName "Billing Reader" -Scope /providers/Microsoft.Management/managementGroups/marketing-group

RoleAssignmentId   : /providers/Microsoft.Management/managementGroups/marketing-group/providers/Microsoft.Authorization/roleAssignments/22222222-2222-2222-2222-222222222222
Scope              : /providers/Microsoft.Management/managementGroups/marketing-group
DisplayName        : Alain Charon
SignInName         : alain@example.com
RoleDefinitionName : Billing Reader
RoleDefinitionId   : fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64
ObjectId           : 44444444-4444-4444-4444-444444444444
ObjectType         : User
CanDelegate        : False

Remove a role assignment

In RBAC, to remove access, you remove a role assignment by using Remove-AzRoleAssignment.

The following example removes the Virtual Machine Contributor role assignment from the alain@example.com user on the pharma-sales resource group:

PS C:\> Remove-AzRoleAssignment -SignInName alain@example.com -RoleDefinitionName "Virtual Machine Contributor" -ResourceGroupName pharma-sales

The following example removes the <role_name> role from <object_id> at a subscription scope.

Remove-AzRoleAssignment -ObjectId <object_id> -RoleDefinitionName <role_name> -Scope /subscriptions/<subscription_id>

The following example removes the <role_name> role from <object_id> at the management group scope.

Remove-AzRoleAssignment -ObjectId <object_id> -RoleDefinitionName <role_name> -Scope /providers/Microsoft.Management/managementGroups/<group_id>

If you get the error message "The provided information does not map to a role assignment", make sure that you also specify the -Scope or -ResourceGroupName parameter. For more information, see Troubleshoot RBAC for Azure resources.
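The following script is an added example, not code from the original article. It lists the role assignments a principal holds directly at one scope and removes each of them, passing -Scope and the role definition ID explicitly so that Remove-AzRoleAssignment can map the request to an assignment and the error above does not occur. It assumes a signed-in Az PowerShell session; the object ID and scope are constructed placeholders, and -WhatIf lets you review the list before anything is removed.

```powershell
# Added example (not from the original article). Assumes Connect-AzAccount
# has already been run in this session.
param(
    [string]$ObjectId = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa',  # constructed
    [string]$Scope    = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales',  # constructed
    [switch]$WhatIf
)

# Get-AzRoleAssignment at a scope also returns assignments inherited from
# parent scopes (subscription, management group). Those cannot be removed at
# this scope, so keep only the assignments made exactly at $Scope.
$direct = Get-AzRoleAssignment -ObjectId $ObjectId -Scope $Scope |
          Where-Object { $_.Scope -eq $Scope }

if (-not $direct) {
    Write-Output "No direct role assignments for $ObjectId at $Scope"
    return
}

foreach ($a in $direct) {
    Write-Output "Removing '$($a.RoleDefinitionName)' ($($a.RoleDefinitionId)) at $($a.Scope)"
    # Role definition ID and scope are given explicitly; omitting the scope is
    # what produces "The provided information does not map to a role assignment".
    Remove-AzRoleAssignment -ObjectId $ObjectId `
                            -RoleDefinitionId $a.RoleDefinitionId `
                            -Scope $a.Scope `
                            -WhatIf:$WhatIf
}
```

Run it with -WhatIf first to see which assignments would be removed; removing an inherited assignment requires running the same command at the scope where it was created.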

Next steps