Microsoft Graph data connect integration with Privileged Access Management

Microsoft Graph data connect relies on Privileged Access Management (PAM) to allow Microsoft 365 administrators to approve data movement requests. Data connect pipelines must be approved by a member of the data access request approver group specified by the Microsoft 365 administrator during enablement. To set up the approver group, see Get started.

Approval request emails are sent to each member of the approver group to notify them when copy activities request access to extract Microsoft 365 data. Approvers can approve or deny these requests, specify a user group that should be scrubbed out of the extracted data, or revoke a previously approved request. Approvals persist for 6 months, and one approval is needed per copy activity in the Azure Data Factory pipeline.

Every request always includes the following details about the dataset and the users about whom data is being extracted:

  • Requestor: The user who requested the pipeline.
  • Duration: If approved, how long the approval will persist. Always 4320 hours (6 months).
  • Reason: The reason for the request, typically "An app installed for your organization requires approval for access to Office 365 Data."
  • Requested at: The DateTime of the request.
  • Request id: The ID of the request, used for approval purposes.
  • DataTable: The data set being extracted (for example, Sent Items).
  • Columns: The list of columns being extracted from the data table (for example, SentDateTime).
  • AllowedGroups: The group or groups of users against whom the pipeline is extracting data. If the list of groups is empty, the pipeline is requesting access to data from all users in the tenant.
  • User Scope Query: The predicate used to filter out users. Only applies if the request is for all users in the tenant. If this is empty, no filter is applied.
  • OutputUri: The output path in which the extracted data will be stored.
  • SourceTenantId: The tenant ID from which data is being extracted.
  • InstallerIdentity: The identity of the app installer.

The following fields in the request are available only in some cases:

  • Application Name and the Marketplace URI (available only for applications installed from the Azure marketplace).
  • Links to the application's privacy policy and terms of service (available only if the application provides them).
  • The compliance policies that the application enforces, such as data encryption at rest in the output storage location (available only if the application provides them and the application is installed from the Azure marketplace).
  • Deny List - The user group that can be scrubbed out of the extracted data. This field is empty as part of the request for datasets that support privacy scrubbing of extracted data. It can be populated by the member of the approver group who approves the request, at approval time.

Approving requests

Data connect pipelines must be approved by a member of a data access request approver group. Approvers can approve, deny, or revoke pipelines by using the Exchange Online PowerShell module or the PAM user experience.

Approving, denying, and revoking requests by using PowerShell

Use the following steps to interact with a request using the Exchange Online PowerShell module:

  1. Install the Exchange Online PowerShell module. For installation instructions, see Connect to Exchange Online PowerShell using multi-factor authentication.

  2. Connect to Exchange Online PowerShell using multi-factor authentication (MFA). For instructions, see Connect to Exchange Online PowerShell using multi-factor authentication.

    Note: You do not need to enable multi-factor authentication for your organization to use these steps while connecting to Exchange Online PowerShell. Connecting with MFA creates an OAuth token that PAM uses to sign your requests.

  3. Sign in with your account. Note that you must be a member of the configured data access approver group in order to approve, deny, or revoke requests. Guest users cannot approve requests, even if they are in the approver group.

    Connect-EXOPSSession
    
  4. Find all pending requests.

    Note: The value in the Identity property is used to identify and approve or deny the request. Note this value and use it in the -RequestId parameter.

    Get-ElevatedAccessRequest | ?{$_.RequestStatus -eq 'Pending'}
    
  5. Take a closer look at the context field of the request you are interested in.

    Note: The context field of the data access request describes the parameters and properties of the copy activity.

    (Get-ElevatedAccessRequest -RequestId $requestId).Context | ConvertFrom-Json
    

    You'll get a response that looks like the following.

    Key                          Value
    ---                          -----
    ApplicationName
    ComplianceStatus             [{"Timestamp":"2018-05-02T18:29:21.5705664Z","RequirementName":"adlsEncryption","PolicyComplianceState":"Compliant","Violations":0},{"Timestamp":"2018-05-02T...
    ApplicationMarketPlaceUri
    OutputUri                    adl://myadlserumvrroyspmq.azuredatalakestore.net/targetFolder/Event
    ApplicationPrivacyPolicyUri  http://www.wkw.com/privacy
    ApplicationTermsOfServiceUri http://www.wkw.com/tos
    InstallerIdentity            a89885c3-4b0e-499e-86ed-14d7ed9147c2@942229f8-4656-4fb0-828b-e938dad4019a
    SourceTenantId               942229f8-4656-4fb0-828b-e938dad4019a
    UserScopeQuery               tenant in (942229f8-4656-4fb0-828b-e938dad4019a)
    ApplicationId
    DataTable                    Calendar Events
    DestinationTenantId          942229f8-4656-4fb0-828b-e938dad4019a
    Columns                      Subject:string, HasAttachments:bool, End:DateTime, Start:DateTime, ResponseStatus:string, Organizer:Object, Attendees:string, Importance:string, Sensitivity:...
    
  6. Approve or deny the request, using the value of Identity for the -RequestId parameter.

    Approve-ElevatedAccessRequest -RequestId $requestId -Comment "Yay!!"
    Deny-ElevatedAccessRequest -RequestId $requestId -Comment "Nay!!"
    

You can also approve the request with a deny list to ensure that data from certain users is not included. To do so, modify the context of the request to add the object ID of the group that you want to omit, and then approve the request.

$request = Get-ElevatedAccessRequest -RequestId $requestId
$hash = $request.Context
$hash["DenyList"] = "<Object ID of denied user group>"   # replace with the object ID of the group to scrub
Approve-ElevatedAccessRequest -RequestId $requestId -Comment "Yay!!" -RequestContext $hash
Deny-ElevatedAccessRequest -RequestId $requestId -Comment "Nay!!"   # or deny the request instead of approving it
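The script below is an added example, not code from this page or from Microsoft. It ties steps 4 to 6 and the deny-list approval together the way an approver would actually use them: every pending request is checked against an approver-side allow-list (tenant, data table, output location, column names) before anything is approved, and approvals carry a deny list. The cmdlets (Connect-EXOPSSession, Get-ElevatedAccessRequest, Approve-ElevatedAccessRequest, Deny-ElevatedAccessRequest) and the request properties (Identity, RequestStatus, Context) are the ones the page uses; the `$policy` values, `$denyGroupObjectId` and the `Get-RequestFindings` function are this example's own placeholders and names.

```powershell
# Added example, not code from the page or from Microsoft: review every pending Data Access
# Request against an approver-side allow-list before approving, and attach a deny list to
# the approval. Run it in an Exchange Online PowerShell session as a member of the data
# access approver group. The $policy values and $denyGroupObjectId are placeholders.

Connect-EXOPSSession   # MFA sign-in, as in step 2 above

# What this approver is prepared to let pipelines extract. Placeholders, not page values.
$policy = @{
    SourceTenantId  = '<your-tenant-id>'
    DataTables      = @('Calendar Events', 'Sent Items')
    OutputUriPrefix = 'adl://<your-adls-account>.azuredatalakestore.net/'
    Columns         = @('Subject', 'HasAttachments', 'Start', 'End', 'Organizer', 'Attendees')
}
$denyGroupObjectId = '<Object ID of denied user group>'   # group whose users are scrubbed

function Get-RequestFindings {
    # Returns the list of policy violations for one request; an empty list means "approve".
    param([Parameter(Mandatory)] $Request, [Parameter(Mandatory)] [hashtable] $Policy)

    $ctx = $Request.Context
    if ($ctx -is [string]) { $ctx = $ctx | ConvertFrom-Json }   # the page shows both shapes

    $findings = @()
    if ($ctx.SourceTenantId -ne $Policy.SourceTenantId) {
        $findings += "SourceTenantId '$($ctx.SourceTenantId)' is not this tenant"
    }
    if ($Policy.DataTables -notcontains $ctx.DataTable) {
        $findings += "DataTable '$($ctx.DataTable)' is not on the allow-list"
    }
    if ("$($ctx.OutputUri)" -notlike "$($Policy.OutputUriPrefix)*") {
        $findings += "OutputUri '$($ctx.OutputUri)' is outside the approved storage account"
    }
    # Columns arrive as 'Name:type, Name:type, ...'; compare the names only.
    $requested = "$($ctx.Columns)" -split ',' | ForEach-Object { ($_.Trim() -split ':')[0] } | Where-Object { $_ }
    $extra = @($requested | Where-Object { $Policy.Columns -notcontains $_ })
    if ($extra.Count -gt 0) { $findings += "Columns not on the allow-list: $($extra -join ', ')" }

    # Empty AllowedGroups means every user in the tenant; surface it so the approver sees it.
    if (-not $ctx.AllowedGroups) { Write-Warning "$($Request.Identity): AllowedGroups is empty, request covers all users" }
    return $findings
}

$pending = Get-ElevatedAccessRequest | Where-Object { $_.RequestStatus -eq 'Pending' }
foreach ($request in $pending) {
    $id = $request.Identity
    $findings = @(Get-RequestFindings -Request $request -Policy $policy)
    if ($findings.Count -gt 0) {
        Deny-ElevatedAccessRequest -RequestId $id -Comment ('Policy check failed: ' + ($findings -join '; '))
        continue
    }
    # Approve with the deny list, following the page's pattern of editing the request context.
    $hash = $request.Context
    $hash['DenyList'] = $denyGroupObjectId
    Approve-ElevatedAccessRequest -RequestId $id -Comment 'Approved after allow-list review' -RequestContext $hash
}
```

The denial comment records which check failed, which the pipeline owner will need when they fix the copy activity's parameters and redeploy to trigger a new request. Column names are compared rather than the full `Name:type` strings because a type change alone does not widen what is extracted; a new column name does.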

You can also revoke requests that were previously approved. As with approving requests, the value of Identity is what is required in the -RequestId parameter.

Revoke-ElevatedAccessAuthorization -Comment "Revoking this request!" -RequestId $requestId

You'll see a response similar to the following.

AuthorizedBy          : user@tenant.onmicrosoft.com
Type                  : Task
AuthorizedAccess      : Data Access Request
StartTimeUtc          : 7/24/2018 6:02:42 PM
EndTimeUtc            : 10/22/2018 6:02:42 PM
Revoked               : True
RevocationDateTimeUtc : 7/24/2018 9:12:55 PM
RevokedBy             : NAMPR00A001.prod.outlook.com/Microsoft Exchange Hosted  Organizations/tenant.onmicrosoft.com/user
RevocationComment     : Revoking this request!
Identity              : bda75607-0d87-43cb-bdf1-284b18446b34
DateCreatedUtc        : 1/1/0001 12:00:00 AM
DateUpdatedUtc        : 7/24/2018 9:12:55 PM

Approving, denying, and revoking requests by using the PAM user experience

Use the following steps to interact with a request using the PAM web experience:

  1. Sign in to the Microsoft 365 admin portal using admin credentials and go to the Privileged Access Management approval user experience page. This shows you all the access requests (pending/approved/expired/denied).

  2. On the resulting page, select the request that you are interested in. To select a deny list for privacy scrubbing, click the DenyList dropdown, select the group that needs to be scrubbed, and then select Approve.

  3. To revoke a previously approved request, select the approved request that needs to be revoked, and choose Revoke. The next attempt to move data using that approval will fail.

Approval behavior

Data connect approval requests have particular characteristics that are important to be aware of:

  • Approval requests are based on the Azure Data Factory, pipeline, and copy activity names. Every copy activity run verifies that the Microsoft 365 admin has approved the copy activity's request to access Office data, and validates the important parameters of the copy activity run against the parameters of the approval.
  • Under certain conditions, a new approval request is automatically triggered. A data connect approver will have to approve the new request before the copy activity can access Microsoft 365 data.
  • If the parameters of the copy activity run change, a new approval request is triggered.
  • If the Data Factory, pipeline, or copy activity names change, a new approval request is triggered.
  • For example, a new approval is required if the data table or the set of columns that the copy activity is accessing changes.
  • Copy activities have to be approved once every 6 months. If the original approval was granted 6 months ago, a new approval request is automatically triggered.
  • If a Microsoft 365 data access approver has denied an approval request or revoked a previously approved request, the copy activity will fail continually. You should work with the approver to understand the reason for the denial or revocation and fix the parameters of the copy activity accordingly. A new copy activity will have to be deployed, or the name of the existing copy activity will have to be changed, in order to trigger a new approval request.
  • An approval request expires in 24 hours unless a Microsoft 365 data access approver acts on it. A new request is submitted once every 24 hours for approval. If you see your copy activity waiting for approval (in the Consent Pending stage), work with the Microsoft 365 data access approvers to get your request approved.

Privacy scrubbing

The member of the approver group who approves the request can specify the name of one user group whose data is to be scrubbed out of the extracted data. Rows containing email addresses that correspond to members of the denied group are scrubbed out of the extracted data. Groups nested within the denied group are expanded, and only users are scrubbed out. Refer to the Approving requests section of this topic for details on how to apply the deny list during approval, through either PowerShell or the PAM UX.

The following table shows the names of the datasets and the columns whose contents are checked for privacy scrubbing.

Dataset name                        Columns used for deny list-based scrubbing
BasicDataSet_v0.Message_v0          Sender, From, ToRecipients, CcRecipients, BccRecipients
BasicDataSet_v0.Message_v1          Sender, From, ToRecipients, CcRecipients, BccRecipients
BasicDataSet_v0.SentItem_v0         Sender, From, ToRecipients, CcRecipients, BccRecipients
BasicDataSet_v0.SentItem_v1         Sender, From, ToRecipients, CcRecipients, BccRecipients
BasicDataSet_v0.Event_v0            Organizer, Attendees
BasicDataSet_v0.Event_v1            Organizer, Attendees
BasicDataSet_v0.Contact_v0          EmailAddresses
BasicDataSet_v0.Contact_v1          EmailAddresses
BasicDataSet_v0.CalendarView_v0     Organizer, Attendees
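To make the scrubbing rule concrete, the following is an added example and not the service's implementation: a local model of the rule described above (expand nested groups to users, then drop any row whose checked columns contain a denied user's address), run over constructed sample rows shaped like BasicDataSet_v0.Message_v1. The `$directory` group membership, the row values and the semicolon-separated recipient format are all constructed for the example; `Expand-GroupMembers` and `Remove-DeniedRows` are this example's own names. Real datasets carry recipients in their own format, so this is for understanding what a deny list removes, not for reproducing the service's output.

```powershell
# Added example (not the service's code): a local model of the deny-list scrubbing rule,
# run over constructed sample rows so an approver can see which rows a deny list removes.

# Constructed directory: the denied group contains two users and one nested group.
$directory = @{
    'grp-legal' = @('alice@contoso.test', 'grp-execs')   # 'grp-execs' is a nested group
    'grp-execs' = @('bob@contoso.test', 'carol@contoso.test')
}

function Expand-GroupMembers {
    # Expand nested groups down to user addresses; $Seen guards against membership cycles.
    param([string] $Group, [hashtable] $Directory, [System.Collections.Generic.HashSet[string]] $Seen)
    if (-not $Seen) { $Seen = [System.Collections.Generic.HashSet[string]]::new() }
    $users = @()
    if (-not $Seen.Add($Group)) { return $users }   # already expanded
    foreach ($member in $Directory[$Group]) {
        if ($Directory.ContainsKey($member)) {
            $users += Expand-GroupMembers -Group $member -Directory $Directory -Seen $Seen
        } else {
            $users += $member.ToLowerInvariant()
        }
    }
    return $users
}

function Remove-DeniedRows {
    # Keep only rows whose checked columns contain no denied user's address.
    param([object[]] $Rows, [string[]] $DeniedUsers, [string[]] $CheckedColumns)
    $denied = [System.Collections.Generic.HashSet[string]]::new(
        [string[]] $DeniedUsers, [System.StringComparer]::OrdinalIgnoreCase)
    $Rows | Where-Object {
        $row = $_
        $hit = $false
        foreach ($col in $CheckedColumns) {
            # Constructed format: addresses in a column are separated by semicolons.
            foreach ($addr in ("$($row.$col)" -split ';')) {
                if ($addr.Trim() -and $denied.Contains($addr.Trim())) { $hit = $true }
            }
        }
        -not $hit
    }
}

# Constructed sample rows; the checked columns are those listed for Message_v1 in the table above.
$rows = @(
    [pscustomobject]@{ Id = 1; Sender = 'dave@contoso.test';  From = 'dave@contoso.test';  ToRecipients = 'erin@contoso.test';                     CcRecipients = ''; BccRecipients = '' },
    [pscustomobject]@{ Id = 2; Sender = 'dave@contoso.test';  From = 'dave@contoso.test';  ToRecipients = 'erin@contoso.test; Carol@contoso.test'; CcRecipients = ''; BccRecipients = '' },
    [pscustomobject]@{ Id = 3; Sender = 'alice@contoso.test'; From = 'alice@contoso.test'; ToRecipients = 'dave@contoso.test';                     CcRecipients = ''; BccRecipients = '' },
    [pscustomobject]@{ Id = 4; Sender = 'erin@contoso.test';  From = 'erin@contoso.test';  ToRecipients = 'dave@contoso.test';                     CcRecipients = ''; BccRecipients = 'bob@contoso.test' }
)

$deniedUsers    = Expand-GroupMembers -Group 'grp-legal' -Directory $directory
$messageColumns = 'Sender', 'From', 'ToRecipients', 'CcRecipients', 'BccRecipients'
$kept = Remove-DeniedRows -Rows $rows -DeniedUsers $deniedUsers -CheckedColumns $messageColumns
$kept | Format-Table Id, Sender, ToRecipients, BccRecipients
```

With this input the expansion of grp-legal yields alice, bob and carol, so row 2 (carol as a recipient, matched case-insensitively), row 3 (alice as sender) and row 4 (bob in BccRecipients) are removed and only row 1 remains. The point for an approver is that a deny list removes whole rows, including rows where the denied user is merely a recipient of someone else's message, which is why the checked columns in the table include the recipient fields and not just the sender.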

Next steps

Ensure your organization has Privileged Access Management configured correctly for use with Microsoft Graph data connect by completing the steps in Get started.