What are Azure AD access reviews?

Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. Users' access can be reviewed on a regular basis to make sure that only the right people have continued access.

Here's a video that provides a quick overview of access reviews:

Why are access reviews important?

Azure AD enables you to collaborate internally within your organization and with users from external organizations, such as partners. Users can join groups, invite guests, connect to cloud apps, and work remotely from their work or personal devices. The convenience of self-service has created a need for better access management capabilities:

  • As new employees join, how do you ensure they have the right access to be productive?
  • As people move teams or leave the company, how do you ensure their old access is removed, especially when it involves guests?
  • Excessive access rights can lead to audit findings and compromises, because they indicate a lack of control over access.
  • You have to proactively engage with resource owners to ensure they regularly review who has access to their resources.

When should you use access reviews?

  • Too many users in privileged roles: It's a good idea to check how many users have administrative access, how many of them are Global Administrators, and whether any invited guests or partners are still assigned to a role after the administrative task they were invited for is finished. You can recertify role assignments for Azure AD roles such as Global Administrator, or for Azure resource roles such as User Access Administrator, in the Azure AD Privileged Identity Management (PIM) experience.
  • When automation is infeasible: You can create rules for dynamic membership on security groups or Office 365 groups, but what if the HR data is not in Azure AD, or users still need access after leaving the group in order to train their replacement? You can then create a review on that group to ensure that those who still need access keep it.
  • When a group is used for a new purpose: If you have a group that is going to be synced to Azure AD, or if you plan to enable the Salesforce application for everyone in the Sales team group, it is useful to ask the group owner to review the group membership before the group is used in a different risk context.
  • Business critical data access: For certain resources, you might need to ask people outside of IT to regularly sign off and give a justification for why they need access, so that it can be audited.
  • To maintain a policy's exception list: In an ideal world, all users would follow the access policies that secure access to your organization's resources. However, sometimes there are business cases that require you to make exceptions. As the IT admin, you can manage this task, avoid losing track of policy exceptions, and provide auditors with proof that these exceptions are reviewed regularly.
  • Ask group owners to confirm they still need guests in their groups: Employee access might be automated through an on-premises IAM system, but invited guests usually are not. If a group gives guests access to business-sensitive content, it is the group owner's responsibility to confirm that the guests still have a legitimate business need for access.
  • Have reviews recur periodically: You can set up recurring access reviews of users at set frequencies such as weekly, monthly, quarterly, or annually, and the reviewers are notified at the start of each review. Reviewers can approve or deny access through a friendly interface, with the help of smart recommendations.
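The first bullet above asks three concrete questions: how many users hold administrative roles, how many of them are Global Administrators, and whether any guests are still in a privileged role. The following PowerShell script is an added example, not code from the original article or from Microsoft's documentation, that answers those questions for one tenant. It assumes the AzureAD PowerShell module is installed and that Connect-AzureAD has already been run with an account permitted to read directory roles and users.

```powershell
# Added example, not part of the original article. Inventories who currently
# holds Azure AD directory roles and flags guest accounts, the check described
# under "Too many users in privileged roles".
# Assumes: AzureAD PowerShell module installed and Connect-AzureAD already run
# with an account permitted to read directory roles and users.

# Only roles that have been activated in the tenant are returned; a role that
# has never been assigned does not appear. PIM *eligible* assignments are not
# active memberships and therefore do not show up here either.
$roles = Get-AzureADDirectoryRole

$assignments = foreach ($role in $roles) {
    foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        # Members can be users, groups or service principals; UserType only
        # exists on user objects, so guard the guest test on ObjectType.
        $isGuest = ($member.ObjectType -eq 'User') -and ($member.UserType -eq 'Guest')

        # Users have a UPN; groups and service principals only have a display name.
        if ($member.UserPrincipalName) { $name = $member.UserPrincipalName }
        else                           { $name = $member.DisplayName }

        [pscustomobject]@{
            Role       = $role.DisplayName
            Member     = $name
            ObjectType = $member.ObjectType
            IsGuest    = $isGuest
        }
    }
}
$assignments = @($assignments)

# Headline counts the article asks about. Older versions of the module report
# the Global Administrator role as 'Company Administrator', so match both names.
$gaPattern     = 'Global Administrator|Company Administrator'
$uniqueAdmins  = @($assignments | Select-Object -ExpandProperty Member -Unique).Count
$globalAdmins  = @($assignments | Where-Object { $_.Role -match $gaPattern }).Count
$guestsInRoles = @($assignments | Where-Object { $_.IsGuest })

"Role assignments:        $($assignments.Count)"
"Distinct role holders:   $uniqueAdmins"
"Global Administrators:   $globalAdmins"
"Guest accounts in roles: $($guestsInRoles.Count)"

# Guests holding any privileged role are the first candidates for an access
# review (or removal) once the task they were invited for is done.
$guestsInRoles | Sort-Object Role | Format-Table Role, Member -AutoSize
```

Run the script before creating a PIM access review of Azure AD roles so you know which assignments the reviewers will be asked to recertify. A non-zero count of guests in roles, or more Global Administrators than the few break-glass and day-to-day accounts you expect, is the signal the bullet describes.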

Where do you create reviews?

Depending on what you want to review, you create your access review in Azure AD access reviews, Azure AD enterprise apps (in preview), or Azure AD PIM.

Security group members, Office group members
  Reviewers can be: Specified reviewers, Group owners, Self-review
  Review created in: Azure AD access reviews, Azure AD groups
  Reviewer experience: Access panel

Assigned to a connected app
  Reviewers can be: Specified reviewers, Self-review
  Review created in: Azure AD access reviews, Azure AD enterprise apps (in preview)
  Reviewer experience: Access panel

Azure AD role
  Reviewers can be: Specified reviewers, Self-review
  Review created in: Azure AD PIM
  Reviewer experience: Azure portal

Azure resource role
  Reviewers can be: Specified reviewers, Self-review
  Review created in: Azure AD PIM
  Reviewer experience: Azure portal

Which users must have licenses?

Each user who interacts with access reviews must have a paid Azure AD Premium P2 license. Examples include:

  • Administrators who create an access review
  • Group owners who perform an access review
  • Users assigned as reviewers
  • Users who perform a self-review

You can also ask guest users to review their own access. For each paid Azure AD Premium P2 license that you assign to one of your own organization's users, you can use Azure AD business-to-business (B2B) to invite up to five guest users under the External User Allowance. These guest users can also use Azure AD Premium P2 features. For more information, see Azure AD B2B collaboration licensing guidance.

Here are some example scenarios to help you determine the number of licenses you must have.

Scenario 1: An administrator creates an access review of Group A with 500 users and assigns 3 group owners as reviewers.
  Calculation: 1 administrator + 3 group owners
  Required number of licenses: 4

Scenario 2: An administrator creates an access review of Group A with 500 users and makes it a self-review.
  Calculation: 1 administrator + 500 users as self-reviewers
  Required number of licenses: 501

Scenario 3: An administrator creates an access review of Group A with 5 users and 25 guest users and makes it a self-review.
  Calculation: 1 administrator + 5 users as self-reviewers (the 25 guest users are covered by the 5 licensed users under the required 1:5 ratio)
  Required number of licenses: 6

Scenario 4: An administrator creates an access review of Group A with 5 users and 28 guest users and makes it a self-review.
  Calculation: 1 administrator + 5 users as self-reviewers + 1 additional licensed user to cover the remaining guest users under the required 1:5 ratio
  Required number of licenses: 7

For information about how to assign licenses to your users, see Assign or remove licenses using the Azure Active Directory portal.

Learn about access reviews

To learn more about creating and performing access reviews, watch this short demo:

If you are ready to deploy access reviews in your organization, follow the steps in the video to onboard, train your administrators, and create your first access review.

License requirements

Using this feature requires an Azure AD Premium P2 license. To find the right license for your requirements, see Comparing generally available features of the Free, Basic, and Premium editions.

Next steps