Role-based access control (RBAC) with Microsoft Intune

Role-based access control (RBAC) helps you manage who has access to your organization's resources and what they can do with those resources. By assigning roles to your Intune users, you can limit what they can see and change. Each role has a set of permissions that determine what users with that role can access and change within your organization.

To create, edit, or assign roles, your account must have one of the following permissions in Azure AD:

  • Global Administrator
  • Intune Service Administrator (also known as Intune Administrator)

For advice and suggestions about Intune RBAC, you can check out this series of five videos that showcase examples and walkthroughs: 1, 2, 3, 4, 5.

Roles

A role defines the set of permissions granted to users assigned to that role. You can use both built-in and custom roles. Built-in roles cover some common Intune scenarios. You can create your own custom roles with the exact set of permissions you need. Several Azure Active Directory roles also have permissions in Intune. To see a role, choose Intune > Roles > All roles > choose a role. You'll see the following pages:

  • Properties: The name, description, type, assignments, and scope tags for the role.
  • Permissions: Lists a long set of toggles defining what permissions the role has.
  • Assignments: A list of role assignments defining which users have access to which users/devices. A role can have multiple assignments, and a user can be in multiple assignments.

Built-in roles

You can assign built-in roles to groups without further configuration. You can't delete or edit the name, description, type, or permissions of a built-in role.

  • Help Desk Operator: Performs remote tasks on users and devices, and can assign applications or policies to users or devices.
  • Policy and Profile Manager: Manages compliance policy, configuration profiles, Apple enrollment, corporate device identifiers, and security baselines.
  • Read Only Operator: Views user, device, enrollment, configuration, and application information. Can't make changes to Intune.
  • Application Manager: Manages mobile and managed applications, can read device information, and can view device configuration profiles.
  • Intune Role Administrator: Manages custom Intune roles and adds assignments for built-in Intune roles. It's the only Intune role that can assign permissions to Administrators.
  • School Administrator: Manages Windows 10 devices in Intune for Education.
  • Endpoint Security Manager: Manages security and compliance features, such as security baselines, device compliance, conditional access, and Microsoft Defender ATP.

Custom roles

You can create your own roles with custom permissions. For more information about custom roles, see Create a custom role.

Azure Active Directory roles with Intune access

| Azure Active Directory role | All Intune data | Intune audit data |
|---|---|---|
| Global Administrator | Read/write | Read/write |
| Intune Service Administrator | Read/write | Read/write |
| Conditional Access Administrator | None | None |
| Security Administrator | Read only (full administrative permissions for Endpoint Security node) | Read only |
| Security Operator | Read only | Read only |
| Security Reader | Read only | Read only |
| Compliance Administrator | None | Read only |
| Compliance Data Administrator | None | Read only |
| Global Reader | Read only | Read only |

Tip

Intune also shows three Azure AD extensions: Users, Groups, and Conditional Access, which are controlled using Azure AD RBAC. Additionally, the User Account Administrator only performs AAD user/group activities and does not have full permissions to perform all activities in Intune. For more information, see RBAC with Azure AD.

Role assignments

A role assignment defines:

  • which users are assigned to the role
  • what resources they can see
  • what resources they can change

You can assign both custom and built-in roles to your users. To be assigned an Intune role, the user must have an Intune license. To see a role assignment, choose Intune > Roles > All roles > choose a role > choose an assignment. You'll see the following pages:

  • Properties: The name, description, role, members, scopes, and tags of the assignment.
  • Members: All users in the listed Azure security groups have permission to manage the users/devices that are listed in Scope (Groups).
  • Scope (Groups): All users/devices in these Azure security groups can be managed by the users in Members.
  • Scope (Tags): Users in Members can see the resources that have the same scope tags.

Multiple role assignments

If a user has multiple role assignments, permissions, and scope tags, those role assignments extend to different objects as follows:

  • Assign permissions and scope tags only apply to the objects (like policies or apps) in that role's assignment Scope (Groups). Assign permissions and scope tags don't apply to objects in other role assignments unless the other assignment specifically grants them.
  • Other permissions (such as Create, Read, Update, Delete) and scope tags apply to all objects of the same type (like all policies or all apps) in any of the user's assignments.
  • Permissions and scope tags for objects of different types (like policies or apps) don't apply to each other. A Read permission for a policy, for example, doesn't provide a Read permission to apps in the user's assignments.
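The three rules above are easy to misread when a user sits in several assignments, so here is a small model of how they combine, written as an added example for this page. It is not Intune code and calls no Microsoft API; the assignments, group ids, scope tags and objects are constructed, and reading the pooled scope tags as the union across all of the user's assignments is an assumption made here.

```python
"""Toy model of how several Intune role assignments combine for one user.

Constructed example, not Intune code. It encodes the three rules from the
"Multiple role assignments" section:
  1. an Assign permission, and the scope tags that go with it, only cover
     objects inside that assignment's own Scope (Groups);
  2. Create/Read/Update/Delete permissions and scope tags for an object type
     pool across all of the user's assignments (union is an assumption here);
  3. nothing carries across object types: policy rights say nothing about apps.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleAssignment:
    name: str
    permissions: frozenset   # e.g. "policies.read", "apps.assign"
    scope_groups: frozenset  # constructed Azure AD group ids this assignment may manage
    scope_tags: frozenset    # scope tags the members may see


@dataclass(frozen=True)
class IntuneObject:
    kind: str                # "policies" or "apps"
    name: str
    scope_tags: frozenset


POOLED_ACTIONS = {"create", "read", "update", "delete"}


def can_perform(assignments, action, obj, target_group=None):
    """Return True if the user's assignments allow `action` on `obj`.

    `target_group` is the group the object would be assigned to and is only
    consulted when action == "assign".
    """
    needed = f"{obj.kind}.{action}"   # rule 3: the object type is part of the permission
    if action == "assign":
        # Rule 1: Assign is confined to the granting assignment's own
        # Scope (Groups) and its own scope tags; nothing pools.
        return any(
            needed in a.permissions
            and target_group in a.scope_groups
            and bool(obj.scope_tags & a.scope_tags)
            for a in assignments
        )
    if action in POOLED_ACTIONS:
        # Rule 2: CRUD rights and scope tags pool across every assignment.
        if not any(needed in a.permissions for a in assignments):
            return False
        pooled_tags = frozenset().union(*(a.scope_tags for a in assignments))
        return bool(obj.scope_tags & pooled_tags)
    raise ValueError(f"unknown action {action!r}")


# Constructed sample: one user who is a member of two assignments.
HELP_DESK_SALES = RoleAssignment(
    name="Help Desk - Sales",
    permissions=frozenset({"policies.read", "policies.assign"}),
    scope_groups=frozenset({"grp-sales"}),
    scope_tags=frozenset({"Sales"}),
)
APP_MANAGER_ENG = RoleAssignment(
    name="Application Manager - Engineering",
    permissions=frozenset({"apps.read", "apps.update", "apps.assign"}),
    scope_groups=frozenset({"grp-eng"}),
    scope_tags=frozenset({"Eng"}),
)
USER_ASSIGNMENTS = (HELP_DESK_SALES, APP_MANAGER_ENG)

SALES_POLICY = IntuneObject("policies", "Sales-WiFi", frozenset({"Sales"}))
ENG_POLICY = IntuneObject("policies", "Eng-WiFi", frozenset({"Eng"}))
ENG_APP = IntuneObject("apps", "Eng-VPN", frozenset({"Eng"}))


def effective_rights():
    """Evaluate a handful of questions about the sample user and return them."""
    a = USER_ASSIGNMENTS
    return {
        "read sales policy": can_perform(a, "read", SALES_POLICY),
        # rule 2: the Eng tag from the app assignment also scopes policy reads
        "read eng policy": can_perform(a, "read", ENG_POLICY),
        # rule 3: apps.update grants nothing on policies
        "update sales policy": can_perform(a, "update", SALES_POLICY),
        # rule 1: assign only inside the granting assignment's Scope (Groups)
        "assign sales policy to grp-sales": can_perform(a, "assign", SALES_POLICY, "grp-sales"),
        "assign sales policy to grp-eng": can_perform(a, "assign", SALES_POLICY, "grp-eng"),
        "assign eng app to grp-eng": can_perform(a, "assign", ENG_APP, "grp-eng"),
    }


if __name__ == "__main__":
    for question, allowed in effective_rights().items():
        print(f"{question}: {'allowed' if allowed else 'denied'}")
```

When reviewing a tenant, this is the shape of question to ask for each administrator: which assignment grants the right, whether that right is a pooled CRUD right or a group-scoped Assign right, and whether a scope tag picked up from an unrelated assignment is quietly widening what they can see.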

Next steps