Start using PIM

With Azure Active Directory (Azure AD) Privileged Identity Management (PIM), you can manage, control, and monitor privileged access within your organization. This scope includes access to Azure resources, Azure AD, and other Microsoft online services such as Office 365 or Microsoft Intune.

This article describes how to enable PIM and get started using it.

Prerequisites

To use PIM, you must have one of the following licenses:

  • Azure AD Premium P2
  • Enterprise Mobility + Security (EMS) E5

For more information, see License requirements to use PIM.

First person to use PIM

If you're the first person to use PIM in your directory, you are automatically assigned the Security Administrator and Privileged Role Administrator roles in the directory. Only Privileged Role Administrators can manage the Azure AD role assignments of users, so the account that performs this first-time setup becomes a highly privileged one: use a dedicated, MFA-protected administrative account for it rather than a day-to-day user account. You may also choose to run the security wizard, which walks you through the initial discovery of existing privileged role holders and the assignment experience.

Enable PIM

To start using PIM in your directory, you must first enable PIM.

  1. Sign in to the Azure portal as a Global Administrator of your directory.

    You must be a Global Administrator with an organizational account (for example, @yourdomain.com), not a Microsoft account (for example, @outlook.com), to enable PIM for a directory.

  2. Click All services and find the Azure AD Privileged Identity Management service.

    (Screenshot: Azure AD Privileged Identity Management in All services)

  3. Click it to open the PIM Quickstart.

  4. In the list, click Consent to PIM.

    (Screenshot: Consent to PIM to enable PIM)

  5. Click Verify my identity to verify your identity with Azure MFA. You'll be asked to pick an account.

    (Screenshot: Choose account window to verify your identity)

  6. If more information is required for verification, you'll be guided through the process. For more information, see Get help with two-step verification.

    (Screenshot: More information required window, shown if your organization needs more information)

    For example, you might be asked to provide phone verification.

    (Screenshot: Additional security verification page asking how to contact you)

  7. Once you have completed the verification process, click the Consent button.

  8. In the message that appears, click Yes to consent to the PIM service.

    (Screenshot: Consent to PIM message to complete the consent process)

Sign up PIM for Azure AD roles

Once you have enabled PIM for your directory, you need to sign up PIM to manage Azure AD roles.

  1. Open Azure AD Privileged Identity Management.

  2. Click Azure AD roles.

    (Screenshot: Sign up PIM for Azure AD roles)

  3. Click Sign up.

  4. In the message that appears, click Yes to sign up PIM to manage Azure AD roles.

    (Screenshot: Message to sign up PIM for Azure AD roles)

    When sign-up completes, the Azure AD options are enabled. You might need to refresh the portal.

    For information about how to discover and select the Azure resources to protect with PIM, see Discover Azure resources to manage in PIM.

Once PIM is set up, you can perform your identity management tasks.

(Screenshot: Navigation window in PIM showing the Tasks and Manage options)

Task + Manage / Description

My roles
    Displays a list of the eligible and active roles assigned to you. This is where you activate any eligible role you have been assigned.

My requests
    Displays your pending requests to activate eligible role assignments.

Approve requests
    Displays requests from users in your directory to activate eligible roles for which you are a designated approver.

Review access
    Lists the active access reviews you are assigned to complete, whether you're reviewing access for yourself or for someone else.

Azure AD roles
    Displays a dashboard and settings for Privileged Role Administrators to manage Azure AD role assignments. This dashboard is disabled for anyone who isn't a Privileged Role Administrator; those users instead see a dashboard titled My view, which shows information only about the user viewing it, not about the entire tenant.

Azure resources
    Displays a dashboard and settings for Privileged Role Administrators to manage Azure resource role assignments. As with Azure AD roles, anyone who isn't a Privileged Role Administrator sees only the My view dashboard, scoped to their own assignments.
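The two things the sections above describe doing by hand, discovering who already holds privileged roles permanently and activating an eligible role from My roles, can also be scripted. The following PowerShell is an added example, not code from the original article or from Microsoft; it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph module), which postdates the portal-only steps shown here, so it assumes a tenant where PIM is already enabled for Azure AD roles. The role template IDs are the well-known Azure AD values; the function names, the Graph scopes requested, and the justification text are this example's own assumptions.

```powershell
# Added example (not part of the original article): audit permanent privileged
# Azure AD role assignments and self-activate an eligible role through the
# Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph module is installed
# and the signed-in account may read role management data and request its own
# activations.

Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.Users

# Well-known Azure AD role template IDs; these are identical in every tenant.
$PrivilegedRoles = @{
    'Global Administrator'          = '62e90394-69f5-4237-9190-012177145e10'
    'Privileged Role Administrator' = 'e8611ab8-c189-46e8-94e1-60213ab1f814'
    'Security Administrator'        = '194ae4cb-b126-40b2-bd5b-6091b380977d'
}

function Get-PermanentPrivilegedAssignment {
    # Discovery step: list principals holding a privileged role as a permanent
    # *active* assignment (assignmentType 'Assigned' with no end date). These
    # bypass PIM's activation controls and are the first candidates to convert
    # to eligible assignments.
    foreach ($roleName in $PrivilegedRoles.Keys) {
        $roleId = $PrivilegedRoles[$roleName]
        $instances = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
            -Filter "roleDefinitionId eq '$roleId'" -All
        foreach ($i in $instances) {
            if ($i.AssignmentType -eq 'Assigned' -and -not $i.EndDateTime) {
                [pscustomobject]@{
                    Role        = $roleName
                    PrincipalId = $i.PrincipalId
                    Scope       = $i.DirectoryScopeId
                }
            }
        }
    }
}

function Request-PimActivation {
    param(
        [Parameter(Mandatory)] [string] $RoleName,
        [Parameter(Mandatory)] [string] $Justification,
        [string] $Duration = 'PT1H'   # ISO 8601 duration; PIM caps it at the role's policy maximum
    )
    # Just-in-time use: ask PIM to activate one of your eligible roles for a
    # bounded time. PIM applies the role's activation settings (MFA, approval,
    # maximum duration); if approval is required the request stays pending and
    # appears under "My requests" in the portal.
    $upn  = (Get-MgContext).Account
    $me   = Get-MgUser -UserId $upn
    $body = @{
        action           = 'selfActivate'
        principalId      = $me.Id
        roleDefinitionId = $PrivilegedRoles[$RoleName]
        directoryScopeId = '/'
        justification    = $Justification
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString('o')
            expiration    = @{ type = 'AfterDuration'; duration = $Duration }
        }
    }
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $body
}

# Usage
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory',
                        'RoleAssignmentSchedule.ReadWrite.Directory',
                        'User.Read'

# Who still holds Global Admin / Privileged Role Admin / Security Admin permanently?
Get-PermanentPrivilegedAssignment | Format-Table -AutoSize

# Activate an eligible role for one hour with a recorded justification
# (the ticket reference below is a hypothetical placeholder).
$req = Request-PimActivation -RoleName 'Security Administrator' `
    -Justification 'Triage of a phishing report (hypothetical ticket reference)'
"Activation request $($req.Id): status = $($req.Status)"
```

The discovery function reports only permanent active assignments, not activated eligible ones (those carry assignmentType 'Activated' and an end date), so its output is the list of accounts that currently sidestep PIM. The activation request goes through the same policy evaluation as the portal's Activate button, so a role configured to require approval returns a pending request rather than an active assignment.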

Add a PIM tile to the dashboard

To make it easier to open PIM, you can add a PIM tile to your Azure portal dashboard.

  1. Sign in to the Azure portal.

  2. Click All services and find the Azure AD Privileged Identity Management service.

    (Screenshot: Azure AD Privileged Identity Management in All services)

  3. Click it to open the PIM Quickstart.

  4. Click Pin blade to dashboard to pin the PIM Quickstart blade to the dashboard.

    (Screenshot: Pin icon to pin the PIM blade to the dashboard)

    On the Azure dashboard, you'll see a tile like this:

    (Screenshot: PIM Quickstart tile on the dashboard)

Next steps