What is Azure AD entitlement management? (Preview)

Important

Azure Active Directory (Azure AD) entitlement management is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

Employees in organizations need access to various groups, applications, and sites to perform their job. Managing this access is challenging. In most cases, there is no organized list of all the resources a user needs for a project. The project manager has a good understanding of the resources needed, the individuals involved, and how long the project will last. However, the project manager typically does not have permissions to approve or grant access to others. This scenario gets more complicated when you try to work with external individuals or companies.

Azure Active Directory (Azure AD) entitlement management can help you manage access to groups, applications, and SharePoint Online sites for internal users and also for users outside your organization.

This video provides an overview of entitlement management and its business value:

Why use entitlement management?

Enterprise organizations often face challenges when managing access to resources, such as:

  • Users may not know what access they should have
  • Users may have difficulty locating the right individuals or the right resources
  • Once users find and receive access to a resource, they may hold on to that access longer than is required for business purposes

These problems are compounded for users who need access from another directory, such as external users from supply chain organizations or other business partners. For example:

  • Organizations may not know all of the specific individuals in other directories in order to invite them
  • Even if organizations were able to invite these users, they may not remember to manage all of those users' access consistently

Azure AD entitlement management can help address these challenges.

What can I do with entitlement management?

Here are some of the capabilities of entitlement management:

  • Create packages of related resources that users can request
  • Define rules for how to request resources and when access expires
  • Govern the lifecycle of access for both internal and external users
  • Delegate management of resources
  • Designate approvers to approve requests
  • Create reports to track history

For an overview of Identity Governance and entitlement management, watch the following video from the Ignite 2018 conference:

What resources can I manage?

Here are the types of resources you can manage access to with entitlement management:

  • Azure AD security groups
  • Office 365 groups
  • Azure AD enterprise applications, including SaaS applications and custom-integrated applications that support federation or provisioning
  • SharePoint Online site collections and sites

You can also control access to other resources that rely upon Azure AD security groups or Office 365 groups. For example:

  • You can give users licenses for Microsoft Office 365 by using an Azure AD security group in an access package and configuring group-based licensing for that group
  • You can give users access to manage Azure resources by using an Azure AD security group in an access package and creating an Azure role assignment for that group

What are access packages and policies?

Entitlement management introduces the concept of an access package. An access package is a bundle of all the resources a user needs to work on a project or perform their job. The resources include access to groups, applications, or sites. Access packages are used to govern access for your internal employees, and also for users outside your organization. Access packages are defined in containers called catalogs.

Access packages also include one or more policies. A policy defines the rules or guardrails for accessing an access package. Enabling a policy enforces that only the right users are granted access, to the right resources, and for the right amount of time.

Diagram: access packages and policies

With an access package and its policies, the access package manager defines:

  • Resources
  • Roles the users need for the resources
  • Internal users, and partner organizations of external users, that are eligible to request access
  • The approval process and the users that can approve or deny access
  • The duration of the user's access

The following diagram shows an example of the different elements in entitlement management. It shows two example access packages.

  • Access package 1 includes a single group as a resource. Access is defined with a policy that enables a set of users in the directory to request access.
  • Access package 2 includes a group, an application, and a SharePoint Online site as resources. Access is defined with two different policies. The first policy enables a set of users in the directory to request access. The second policy enables users in an external directory to request access.

Diagram: entitlement management overview

External users

When using the Azure AD business-to-business (B2B) invite experience, you must already know the email addresses of the external guest users you want to bring into your resource directory and work with. This works well when you're working on a smaller or short-term project and you already know all the participants, but it is harder to manage if you have many users you want to work with or if the participants change over time. For example, you might be working with another organization and have one point of contact at that organization, but over time additional users from that organization will also need access.

With entitlement management, you can define a policy that allows users from organizations you specify, which are also using Azure AD, to request an access package. You can specify whether approval is required and an expiration date for the access. If approval is required, you can also designate as an approver one or more users from the external organization that you previously invited, since they are likely to know which external users from their organization need access. Once you have configured the access package, you can send a link to the access package to your contact person at the external organization. That contact can share the link with other users in the external organization, and they can use it to request the access package. Users from that organization who have already been invited into your directory can also use that link.

When a request is approved, entitlement management will provision the user with the necessary access, which may include inviting the user if they're not already in your directory. Azure AD will automatically create a B2B account for them. Note that an administrator may have previously limited which organizations are permitted for collaboration, by setting a B2B allow or deny list to allow or block invites to other organizations. If the user is not permitted by the allow or deny list, then they will not be invited.

Since you do not want the external user's access to last forever, you specify an expiration date in the policy, such as 180 days. After 180 days, if their access is not renewed, entitlement management will remove all access associated with that access package. If the user who was invited through entitlement management has no other access package assignments, then when they lose their last assignment, their B2B account will be blocked from signing in for 30 days and subsequently removed. This prevents the proliferation of unnecessary accounts.
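The external-user lifecycle just described (policy and deny-list checks on the request, a timed assignment, removal of access at expiry, then a 30-day sign-in block before the B2B account is removed) as an added toy model in Python; it is not Microsoft's code, and the organisation names, package names and integer day counters are assumptions made for the example.

```python
# Added example, not Microsoft's code: a toy model of the external-user lifecycle
# described above. Days are plain integers; org and package names are made up.
from dataclasses import dataclass, field

@dataclass
class Policy:
    allowed_orgs: set        # external organisations whose users may request
    duration_days: int = 180 # access expires after this many days (page example)

@dataclass
class Guest:
    upn: str
    invited_by_em: bool      # True if entitlement management created the B2B account
    blocked_since: int = None  # day sign-in was blocked; None while active

@dataclass
class Tenant:
    b2b_deny_list: set = field(default_factory=set)  # orgs blocked from invites
    guests: dict = field(default_factory=dict)       # upn -> Guest
    assignments: dict = field(default_factory=dict)  # upn -> {package: expiry day}

    def request(self, upn, package, policy, today, approved):
        org = upn.split("@")[1]
        if org not in policy.allowed_orgs:
            return "denied: organisation not covered by policy"
        if not approved:
            return "denied: approver rejected"
        if upn not in self.guests and org in self.b2b_deny_list:
            return "denied: B2B deny list blocks invite"
        # Approved: invite the guest if not already present, then record the timed assignment
        self.guests.setdefault(upn, Guest(upn, invited_by_em=True))
        self.assignments.setdefault(upn, {})[package] = today + policy.duration_days
        return "assigned"

    def run_lifecycle(self, today):
        # Expire assignments; an EM-invited guest left with none is blocked, then removed after 30 days
        for upn, pkgs in list(self.assignments.items()):
            for pkg, expiry in list(pkgs.items()):
                if today >= expiry:
                    del pkgs[pkg]
            if not pkgs:
                del self.assignments[upn]
                g = self.guests[upn]
                if g.invited_by_em and g.blocked_since is None:
                    g.blocked_since = today
        for upn, g in list(self.guests.items()):
            if g.blocked_since is not None and today >= g.blocked_since + 30:
                del self.guests[upn]

    def can_sign_in(self, upn):
        g = self.guests.get(upn)
        return g is not None and g.blocked_since is None
```

A guest that already existed in the directory (invited_by_em=False) keeps its account when its last assignment expires, matching the page's statement that only accounts invited through entitlement management are blocked and removed.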

Terminology

To better understand entitlement management and its documentation, you should review the following terms.

Term or concept: Description

  • entitlement management: A service that assigns, revokes, and administers access packages.
  • access package: A collection of permissions and policies to resources that users can request. An access package is always contained in a catalog.
  • access request: A request to access an access package. A request typically goes through a workflow.
  • policy: A set of rules that defines the access lifecycle, such as how users get access, who can approve, and how long users have access. Example policies include employee access and external access.
  • catalog: A container of related resources and access packages.
  • General catalog: A built-in catalog that is always available. Adding resources to the General catalog requires certain permissions.
  • resource: An asset or service (such as an Office group, a security group, an application, or a SharePoint Online site) that a user can be granted permissions to.
  • resource type: The type of resource, which includes groups, applications, and SharePoint Online sites.
  • resource role: A collection of permissions associated with a resource.
  • resource directory: A directory that has one or more resources to share.
  • assigned users: An assignment of an access package to a user, so that the user has all the resource roles of that access package.
  • enable: The process of making an access package available for users to request.

License requirements

Using this feature requires an Azure AD Premium P2 license. To find the right license for your requirements, see Comparing generally available features of the Free, Basic, and Premium editions.

Specialized clouds, such as Azure Government, Azure Germany, and Azure China 21Vianet, are not currently available for use in this preview.

Which users must have licenses?

Your tenant must have at least as many Azure AD Premium P2 licenses as you have active member users. Active member users in entitlement management include:

  • A user that initiates or approves a request for an access package.
  • A user that has been assigned an access package.
  • A user that manages access packages.

As part of the licenses for member users, you can also allow a number of guest users to interact with entitlement management. For information about how to calculate the number of guest users you can include, see Azure Active Directory B2B collaboration licensing guidance.

For information about how to assign licenses to your users, see Assign or remove licenses using the Azure Active Directory portal.

Next steps