Manage user access with Azure AD access reviews

With Azure Active Directory (Azure AD), you can easily ensure that users have appropriate access. You can ask the users themselves or a decision maker to participate in an access review and recertify (or attest) to users' access. The reviewers give their input on each user's need for continued access, guided by recommendations from Azure AD. When an access review is finished, you can then apply the results and remove access from users who no longer need it.

Note

If you want to review only guest users' access rather than all types of users' access, see Manage guest user access with access reviews. If you want to review users' membership in administrative roles such as global administrator, see Start an access review in Azure AD Privileged Identity Management.

Prerequisites

  • Azure AD Premium P2

For more information, see License requirements.

Create and perform an access review

You can have one or more users as reviewers in an access review.

  1. Select a group in Azure AD that has one or more members, or select an application connected to Azure AD that has one or more users assigned to it.

  2. Decide whether each user reviews their own access or whether one or more designated users review everyone's access.

  3. As a global administrator, a user administrator, or (Preview) an owner of the Microsoft 365 or Azure AD security group being reviewed, go to the Identity Governance page.

  4. Create the access review. For more information, see Create an access review of groups or applications.

  5. When the access review starts, ask the reviewers to give input. By default, each reviewer receives an email from Azure AD with a link to the access panel, where they review access to groups or applications.

  6. If the reviewers haven't given input, you can ask Azure AD to send them a reminder. By default, Azure AD automatically sends a reminder halfway to the end date to reviewers who haven't yet responded.

  7. After the reviewers give input, stop the access review and apply the changes. For more information, see Complete an access review of groups or applications.
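The same procedure can be driven through Microsoft Graph instead of the portal; the following is an added example, not code from this page, that builds a one-time review definition for a group with designated reviewers (step 2's second option) and then models the step-7 decision logic, including the fail-closed default for reviewers who never respond. The field names and the one-time recurrence shape follow the Graph v1.0 accessReviewScheduleDefinition resource as understood here and should be checked against the Graph reference; all IDs and the sample decisions are constructed.

```python
"""Added example: Graph-style access review definition plus decision evaluation."""
from datetime import date, timedelta


def build_group_review(group_id: str, reviewer_ids: list[str], days: int = 14) -> dict:
    """Request body for POST /identityGovernance/accessReviews/definitions.
    Reviews every transitive member of one group, with named reviewers.
    Reminders and auto-apply mirror the defaults described in the steps above."""
    start = date.today()
    return {
        "displayName": f"Access review of group {group_id}",
        "scope": {
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "query": f"/groups/{group_id}/transitiveMembers",
            "queryType": "MicrosoftGraph",
        },
        "reviewers": [
            {"query": f"/users/{uid}", "queryType": "MicrosoftGraph"} for uid in reviewer_ids
        ],
        "settings": {
            "mailNotificationsEnabled": True,       # step 5: email with access panel link
            "reminderNotificationsEnabled": True,   # step 6: reminder halfway to the end date
            "recommendationsEnabled": True,         # Azure AD suggestions for reviewers
            "instanceDurationInDays": days,
            "autoApplyDecisionsEnabled": True,      # step 7: apply results on completion
            "defaultDecisionEnabled": True,
            "defaultDecision": "Deny",              # no answer means access is removed
            "recurrence": {                         # one-time review (assumed shape)
                "pattern": None,
                "range": {
                    "type": "endDate",
                    "startDate": start.isoformat(),
                    "endDate": (start + timedelta(days=days)).isoformat(),
                },
            },
        },
    }


def access_to_remove(decisions: list[dict], default_decision: str) -> set[str]:
    """Principal IDs whose access is removed when the review completes:
    explicit Deny, plus NotReviewed items when the default decision is Deny."""
    remove: set[str] = set()
    for item in decisions:
        verdict = item["decision"]
        if verdict == "NotReviewed":
            verdict = default_decision
        if verdict == "Deny":
            remove.add(item["principal"]["id"])
    return remove


# Constructed sample decisions in the shape of accessReviewInstanceDecisionItem.
SAMPLE_DECISIONS = [
    {"principal": {"id": "user-a"}, "decision": "Approve"},
    {"principal": {"id": "user-b"}, "decision": "Deny"},
    {"principal": {"id": "user-c"}, "decision": "NotReviewed"},
]
```

With a Deny default, user-c loses access for silence alone, which is the outcome to expect when reviewers ignore the reminder in step 6.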

Next steps

Create an access review of groups or applications