Add users and grant administrative permission to Intune

As an administrator, you can add users directly or synchronize users from your on-premises Active Directory. Once added, users can enroll devices and access company resources. You can also give users additional permissions, including Global administrator and Service administrator permissions.

Add users to Intune

You can manually add users to your Intune subscription via the Microsoft 365 admin center or the Azure portal. An administrator can edit user accounts to assign Intune licenses. You can assign licenses in either the Microsoft 365 admin center or the Intune Azure portal. For more information on using the Microsoft 365 admin center, see Add users individually or in bulk to the Microsoft 365 admin center.

Add Intune users in the Microsoft 365 admin center

  1. Sign in to the Microsoft 365 admin center with a Global administrator or User management administrator account.

  2. In the Microsoft 365 menu, select Admin.

  3. In the Admin center, select Add a user.

  4. Specify the following user details:

    • First name

    • Last name

    • Display name

    • User name - the user principal name (UPN) stored in Azure Active Directory and used to sign in to the service

    • Location

    • Contact information (optional)

    • Password - auto-generate or specify

  5. Assign an Intune license. Select Product licenses and choose the product license. A license that includes Intune is required.

  6. Choose Add to create the new user.

Add Intune users in the Azure portal

  1. In the Microsoft Endpoint Manager admin center, choose Users > All users.

  2. In the Admin center, select New user.

  3. Specify the following user details:

    • Name
    • User name - the new user's name in the Azure Active Directory portal

    Choose OK to continue.

  4. Optionally, you can specify the following user properties:

    • Profile - work information including Job title and Department
    • Groups - select the groups to add the user to
    • Directory role - give the user administrative permissions, including the Intune Service administrator role.

    Select Create to add the new user to Intune.

  5. Select Profile, and then choose a Usage location for the new user. A usage location is required before you can assign the new user an Intune license. Choose Save to continue.

  6. Select Licenses and then choose Assign to assign an Intune license to this user. An Intune license is required to enroll devices or access company resources. Select Products, choose the license type, choose Select, and then choose Assign.
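The portal procedures above (create the account, set a usage location, assign a license that includes Intune) can be scripted with the Microsoft Graph PowerShell SDK. The following is an added example written for this page, not code from the Intune documentation. It assumes the Microsoft.Graph module is installed, the signed-in account can create users and assign licenses, the tenant owns a subscribed SKU whose SkuPartNumber is 'INTUNE_A' (change this to the SKU your tenant actually holds), and contoso.com is a verified domain; the user alexw@contoso.com is a made-up example.

```powershell
# Added example (not from the Intune documentation page): create a cloud user and assign an
# Intune license with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph is installed, the caller can create users and assign licenses,
# a SKU with SkuPartNumber 'INTUNE_A' exists in the tenant, and contoso.com is verified.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All' -NoWelcome

function New-IntuneLicensedUser {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $UsageLocation,   # ISO 3166-1 alpha-2 code, e.g. 'US'
        [string] $SkuPartNumber = 'INTUNE_A'             # assumption: adjust to your tenant's SKU
    )

    # Generate a random initial password instead of hard-coding one; the user must change it
    # at first sign-in (ForceChangePasswordNextSignIn).
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $initialPassword = [Convert]::ToBase64String($bytes)

    $mailNickname = ($UserPrincipalName -split '@')[0]

    # UsageLocation is set at creation time: without it, license assignment fails for
    # location-restricted SKUs, which is why the portal steps require it before licensing.
    $user = New-MgUser -DisplayName $DisplayName -UserPrincipalName $UserPrincipalName `
        -MailNickname $mailNickname -AccountEnabled -UsageLocation $UsageLocation `
        -PasswordProfile @{ Password = $initialPassword; ForceChangePasswordNextSignIn = $true }

    # Resolve the SKU that carries the Intune service plan and make sure a seat is free.
    $sku = Get-MgSubscribedSku | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber }
    if (-not $sku) { throw "SKU '$SkuPartNumber' is not present in this tenant." }
    if ($sku.ConsumedUnits -ge $sku.PrepaidUnits.Enabled) {
        throw "No free seats left for '$SkuPartNumber'."
    }

    # RemoveLicenses is mandatory even when empty.
    Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @() | Out-Null

    # Re-read the user so the caller can verify usage location and assigned licenses.
    $created = Get-MgUser -UserId $user.Id -Property Id, UserPrincipalName, UsageLocation, AssignedLicenses
    [pscustomobject]@{
        UserPrincipalName = $created.UserPrincipalName
        UsageLocation     = $created.UsageLocation
        LicenseSkuIds     = $created.AssignedLicenses.SkuId
        InitialPassword   = $initialPassword   # hand over out of band; it is single-use
    }
}

New-IntuneLicensedUser -DisplayName 'Alex Wilber' -UserPrincipalName 'alexw@contoso.com' -UsageLocation 'US'
```

The seat check before Set-MgUserLicense matters because license assignment silently fails only at the API level when the SKU is exhausted; checking ConsumedUnits against PrepaidUnits.Enabled turns that into an explicit error. The generated initial password is returned so it can be delivered out of band; because the profile forces a change at next sign-in, it is never the long-term credential.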

Grant admin permissions

After you've added users to your Intune subscription, we recommend that you grant a few users administrative permission. To grant admin permissions, follow these steps:

Give admin permissions in Microsoft 365

  1. Sign in to the Microsoft 365 admin center with a Global administrator account.

  2. In the Microsoft 365 menu, select Admin.

  3. In the Admin center, choose Active users, and then choose the user to give admin permissions to.

  4. In the Roles column, choose Edit.

  5. Choose the admin permission to grant from the list of available roles.

  6. Choose Save.

Give admin permissions in the Azure portal

  1. Sign in to the Azure portal with a Global administrator account.
  2. In the Azure portal, choose Users, and then choose the user you want to give admin permissions to.
  3. Select Directory role, and then select the permission.
  4. Choose Save.
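Both procedures above end with a directory role assignment. The following added example (written for this page, not code from the Intune documentation) does the same with the Microsoft Graph PowerShell SDK, and defaults to the Intune-scoped role rather than Global administrator so the assignment follows the least-privilege advice in the next section. It assumes Microsoft.Graph is installed, the signed-in account may manage role assignments (Global Administrator, or Privileged Role Administrator, which can also assign roles), the role's current display name in Azure AD is 'Intune Administrator' (the role this page calls Intune Service administrator), and alexw@contoso.com is an existing, made-up example user.

```powershell
# Added example (not from the Intune documentation page): assign a directory role to a user
# with the Microsoft Graph PowerShell SDK, defaulting to the Intune-scoped role.
# Assumptions: Microsoft.Graph is installed, the caller can manage role assignments, and
# the target role is displayed as 'Intune Administrator' in this tenant.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All' -NoWelcome

function Grant-DirectoryRole {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        # Least privilege: this role has the Intune permissions of a Global admin but
        # cannot create other administrators.
        [string] $RoleName = 'Intune Administrator'   # assumption: current display name
    )

    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName

    # Roles exist only as templates until first use; activate the role if needed.
    $role = Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -eq $RoleName }
    if (-not $role) {
        $template = Get-MgDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $RoleName }
        if (-not $template) { throw "No directory role template named '$RoleName'." }
        $role = New-MgDirectoryRole -RoleTemplateId $template.Id
    }

    # Idempotent: adding an existing member would fail, so check first.
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    if ($members.Id -contains $user.Id) {
        return "$UserPrincipalName already holds $RoleName"
    }

    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id `
        -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)" }
    return "Assigned $RoleName to $UserPrincipalName"
}

function Get-GlobalAdminCount {
    # Guardrail for the "only a few people" guidance: how many Global Administrators exist?
    $ga = Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -eq 'Global Administrator' }
    if (-not $ga) { return 0 }
    @(Get-MgDirectoryRoleMember -DirectoryRoleId $ga.Id -All).Count
}

Grant-DirectoryRole -UserPrincipalName 'alexw@contoso.com'
"Global Administrators in tenant: $(Get-GlobalAdminCount)"
```

Run Get-GlobalAdminCount on its own periodically: a rising count is the simplest signal that the "few people" recommendation below is being eroded by ad hoc portal assignments.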

Types of administrators

Assign users one or more administrator permissions. These permissions define the administrative scope for users and the tasks they can manage. Administrator roles are shared across the different Microsoft cloud services, but some services do not support every role. Both the Azure portal and the Microsoft 365 admin center list limited administrator roles that are not used by Intune. Intune administrator permissions include the following options:

  • Global administrator - (Microsoft 365 and Intune) Accesses all administrative features in Intune. By default, the person who signs up for Intune becomes a Global admin. Global admins are the only admins who can assign other admin roles. You can have more than one Global admin in your organization. As a best practice, we recommend that only a few people in your company have this role, to reduce the risk to your business.
  • Password administrator - (Microsoft 365 and Intune) Resets passwords, manages service requests, and monitors service health. Password admins are limited to resetting passwords for users.
  • Service administrator - (Microsoft 365 and Intune) Opens support requests with Microsoft, and views the service dashboard and message center. They have "view only" permissions except for opening support tickets and reading them.
  • Billing administrator - (Microsoft 365 and Intune) Makes purchases, manages subscriptions, manages support tickets, and monitors service health.
  • User administrator - (Microsoft 365 and Intune) Resets passwords, monitors service health, adds and deletes user accounts, and manages service requests. The user management admin can't delete a Global admin, create other admin roles, or reset passwords for other admins.
  • Intune Service administrator - All Intune Global administrator permissions except the permission to create administrators with the Directory role options.

The account you use to create your Microsoft Intune subscription is a Global administrator. As a best practice, do not use a Global administrator for day-to-day management tasks. While an administrator does not require an Intune license to access Intune in the Azure portal, certain management tasks, such as setting up the Exchange service connector, do require an Intune license.

To access the Microsoft 365 admin center, your account must have sign-in allowed. In the Azure portal, under Profile, set Block sign in to No to allow access. This status is different from having a license to the subscription. By default, all user accounts are allowed to sign in. Users without administrator permissions can use the Microsoft 365 admin center to reset Intune passwords.

Sync Active Directory and add users to Intune

You can configure directory synchronization to import user accounts from your on-premises Active Directory into Microsoft Azure Active Directory (Azure AD), which includes Intune users. Having your on-premises Active Directory service connected with all of your Azure Active Directory-based services makes managing user identity much simpler. You can also configure single sign-on features to make the authentication experience for your users familiar and easy. By linking the same Azure AD tenant with multiple services, the user accounts that you have previously synchronized are available to all cloud-based services.

How to sync on-premises users with Azure AD

The only tool that you need to synchronize your user accounts with Azure AD is the Azure AD Connect wizard. The Azure AD Connect wizard provides a simplified, guided experience for connecting your on-premises identity infrastructure to the cloud. Choose your topology and needs (single or multiple directories; password hash sync, pass-through authentication, or federation). The wizard deploys and configures all components required to get your connection up and running, including the sync services, Active Directory Federation Services (AD FS), and the Azure AD PowerShell module.

Tip

Azure AD Connect encompasses functionality that was previously released as DirSync and Azure AD Sync. Learn more about directory integration. To learn about syncing user accounts from a local directory to Azure AD, see Similarities between Active Directory and Azure AD.
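Once Azure AD Connect is running, the question a practitioner actually has is whether a given on-premises user has arrived in Azure AD with the attributes Intune licensing needs. The following added example (written for this page, not code from the Intune documentation or from Azure AD Connect) checks that from both ends. It assumes it runs on the Azure AD Connect server so the ADSync module is available, that Microsoft.Graph is installed, and that alexw@contoso.com is a made-up example user that exists both on-premises and in the tenant.

```powershell
# Added example (not from the Intune documentation page): verify that a user synced by
# Azure AD Connect has landed in Azure AD with the attributes Intune licensing needs.
# Assumptions: runs on the Azure AD Connect server (ADSync module), Microsoft.Graph is
# installed, and the example UPN exists on-premises and in the cloud.
Import-Module ADSync
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

function Test-SyncedUser {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)

    # Scheduler state on the Connect server: is the sync cycle enabled, when is the next run?
    $scheduler = Get-ADSyncScheduler

    # Cloud-side view of the object: synced or cloud-only, last sync time, licensing prerequisites.
    $cloud = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, `
        OnPremisesSyncEnabled, OnPremisesLastSyncDateTime, OnPremisesImmutableId, UsageLocation, AccountEnabled

    $findings = @()
    if (-not $scheduler.SyncCycleEnabled) {
        $findings += 'Sync scheduler is disabled on the Connect server'
    }
    if (-not $cloud.OnPremisesSyncEnabled) {
        $findings += 'User is cloud-only; it was not synced from on-premises AD'
    }
    elseif ($cloud.OnPremisesLastSyncDateTime -lt (Get-Date).ToUniversalTime().AddHours(-1)) {
        $findings += "Last sync at $($cloud.OnPremisesLastSyncDateTime) is older than one hour"
    }
    if (-not $cloud.UsageLocation) {
        $findings += 'UsageLocation is empty; an Intune license cannot be assigned until it is set'
    }
    if (-not $cloud.AccountEnabled) {
        $findings += 'Sign-in is blocked (AccountEnabled = false)'
    }

    [pscustomobject]@{
        UserPrincipalName = $cloud.UserPrincipalName
        Synced            = [bool]$cloud.OnPremisesSyncEnabled
        ImmutableId       = $cloud.OnPremisesImmutableId
        NextSyncUtc       = $scheduler.NextSyncCycleStartTimeInUTC
        Findings          = $findings
    }
}

$result = Test-SyncedUser -UserPrincipalName 'alexw@contoso.com'
$result

# If an on-premises change has not arrived yet, request a delta sync rather than waiting
# for the next scheduled cycle.
if ($result.Findings -match 'older than one hour') {
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

Two of the findings map directly to earlier parts of this page: an empty UsageLocation blocks license assignment exactly as in the portal procedure, and AccountEnabled = false is the "Block sign in" setting described under Types of administrators. For synced users those values come from the on-premises object through the sync rules, so fixing them in Azure AD alone will be overwritten on the next cycle; fix the source attribute instead.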