Activate my Azure AD roles in PIM

Azure Active Directory (Azure AD) Privileged Identity Management (PIM) simplifies how enterprises manage privileged access to resources in Azure AD and other Microsoft online services like Office 365 or Microsoft Intune.

If you have been made eligible for an administrative role, you can activate that role when you need to perform privileged actions. For example, if you occasionally manage Office 365 features, your organization's privileged role administrators may not make you a permanent Global Administrator, since that role impacts other services too. Instead, they make you eligible for a narrower Azure AD role such as Exchange Online Administrator. You request activation of that role when you need its privileges, and you then hold administrator control for a predetermined time period, after which the role deactivates automatically.

This article is for administrators who need to activate their Azure AD roles in PIM.

Activate a role

When you need to take on an Azure AD role, you can request activation by using the My roles navigation option in PIM.

  1. Sign in to the Azure portal.

  2. Open Azure AD Privileged Identity Management. For information about how to add the PIM tile to your dashboard, see Start using PIM.

  3. Click Azure AD roles.

  4. Click My roles to see the list of Azure AD roles you are eligible for.

    (Screenshot: Azure AD roles, My roles, showing the list of eligible and active roles)

  5. Find the role that you want to activate.

    (Screenshot: Azure AD roles, My roles, showing the Activate link in the eligible roles list)

  6. Click Activate to open the Role activation details pane.

  7. If your role requires multi-factor authentication (MFA), click Verify your identity before proceeding. You only have to authenticate once per session.

    (Screenshot: Verify my identity pane shown before a role activation that requires MFA)

  8. Click Verify my identity and follow the instructions to provide additional security verification.

    (Screenshot: Additional security verification page asking how you want to be contacted)

  9. Click Activate to open the Activation pane.

    (Screenshot: Activation pane for specifying the start time, duration, ticket, and reason)

  10. If necessary, specify a custom activation start time.

  11. Specify the activation duration. The maximum you can choose is set by the role's activation policy.

  12. In the Activation reason box, enter the reason for the activation request. Some roles require you to supply a trouble ticket number.

    (Screenshot: Completed Activation pane with a custom start time, duration, ticket, and reason)

  13. Click Activate.

    If the role does not require approval, an Activation status pane appears that displays the status of the activation.

    (Screenshot: Activation status page showing the three stages of the activation)

    Once all the stages are complete, click the Sign out link to sign out of the Azure portal. The role appears in your session only after a fresh sign-in, because your existing tokens were issued before the activation. When you sign back in to the portal, you can use the role.

    If the role requires approval to activate, a notification appears in the upper right corner of your browser informing you that the request is pending approval.

    (Screenshot: Notification that the activation request is pending approval)

View the status of your requests

You can view the status of your pending activation requests.

  1. Open Azure AD Privileged Identity Management.

  2. Click Azure AD roles.

  3. Click My requests to see the list of your requests.

    (Screenshot: Azure AD roles, My requests list)

Deactivate a role

Once a role has been activated, it automatically deactivates when its time limit (the activation duration you requested) is reached.

If you complete your administrator tasks early, you can also deactivate the role manually in Azure AD Privileged Identity Management. Doing so shortens the window in which the privileged role can be misused, so deactivate as soon as the work is done.

  1. Open Azure AD Privileged Identity Management.

  2. Click Azure AD roles.

  3. Click My roles.

  4. Click Active roles to see the list of your active roles.

  5. Find the role you're done using and then click Deactivate.

Cancel a pending request

If you no longer need to activate a role that requires approval, you can cancel the pending request at any time.

  1. Open Azure AD Privileged Identity Management.

  2. Click Azure AD roles.

  3. Click My requests.

  4. For the role whose request you want to cancel, click the Cancel button.

    When you click Cancel, the request is canceled. To activate the role again, you have to submit a new activation request.

    (Screenshot: My requests list with the Cancel button highlighted)
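The four self-service procedures above (activate a role, view your requests, deactivate a role, cancel a pending request) can also be driven without the portal, through the PIM endpoints of Microsoft Graph. The following PowerShell is an added example and is not code from the original page or from Microsoft's documentation. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in user already holds an eligible assignment for the role, and that the sign-in satisfied MFA where the role's activation policy requires it. The function names (Invoke-Graph, Request-RoleActivation, Stop-RoleActivation, Stop-PendingRequest and the others), the ticket number and the ticket system are made up for the illustration.

```powershell
# Added example (not from the original page): self-service PIM operations for
# Azure AD roles via Microsoft Graph, using the Microsoft.Graph PowerShell SDK.
# Assumptions: Microsoft.Graph.Authentication is installed, the signed-in user holds
# an eligible assignment for the role, and the sign-in already satisfied MFA if the
# role's activation policy requires it. Graph cannot prompt for MFA mid-request; a
# selfActivate that needs it is rejected and you must sign in again with MFA.
Connect-MgGraph -Scopes 'User.Read',
                        'RoleEligibilitySchedule.Read.Directory',
                        'RoleAssignmentSchedule.ReadWrite.Directory'

function Invoke-Graph {
    # Thin wrapper (hypothetical helper): v1.0 endpoint, JSON body, PSObject output
    # so the returned properties can be piped into Select-Object and Sort-Object.
    param([string]$Method, [string]$Path, [hashtable]$Body)
    $p = @{ Method = $Method; Uri = "https://graph.microsoft.com/v1.0/$Path"; OutputType = 'PSObject' }
    if ($Body) { $p.Body = $Body | ConvertTo-Json -Depth 6; $p.ContentType = 'application/json' }
    Invoke-MgGraphRequest @p
}

$me = Invoke-Graph GET 'me?$select=id'   # principalId for every self-service request

function Get-RoleDefinitionId([string]$DisplayName) {
    # Resolve the role by display name rather than hard-coding a template id.
    $r = Invoke-Graph GET "roleManagement/directory/roleDefinitions?`$filter=displayName eq '$DisplayName'"
    if (-not $r.value) { throw "Role '$DisplayName' not found" }
    $r.value[0].id
}

function Get-MyEligibleRoles {
    # Equivalent of My roles > Eligible roles for the signed-in user.
    (Invoke-Graph GET "roleManagement/directory/roleEligibilitySchedules/filterByCurrentUser(on='principal')").value |
        Select-Object roleDefinitionId, directoryScopeId, memberType, status
}

function Request-RoleActivation {
    # Equivalent of the Activation pane: start time, duration, reason and optional ticket.
    param(
        [Parameter(Mandatory)][string]$RoleDisplayName,
        [Parameter(Mandatory)][string]$Justification,
        [string]$TicketNumber,
        [string]$TicketSystem,
        [string]$Duration = 'PT4H',           # ISO 8601; the role policy caps the maximum
        [datetime]$StartTime = (Get-Date)     # custom start time, default "now"
    )
    $body = @{
        action           = 'selfActivate'
        principalId      = $me.id
        roleDefinitionId = (Get-RoleDefinitionId $RoleDisplayName)
        directoryScopeId = '/'                # tenant-wide; use the AU or app scope id for scoped eligibility
        justification    = $Justification
        scheduleInfo     = @{
            startDateTime = $StartTime.ToUniversalTime().ToString('o')
            expiration    = @{ type = 'AfterDuration'; duration = $Duration }
        }
    }
    if ($TicketNumber) { $body.ticketInfo = @{ ticketNumber = $TicketNumber; ticketSystem = $TicketSystem } }
    Invoke-Graph POST 'roleManagement/directory/roleAssignmentScheduleRequests' $body |
        Select-Object id, action, status      # status: Provisioned (no approval) or PendingApproval
}

function Get-MyRequests {
    # Equivalent of My requests. status moves PendingApproval -> Granted -> Provisioned,
    # or ends in Denied / Canceled / Failed.
    (Invoke-Graph GET "roleManagement/directory/roleAssignmentScheduleRequests/filterByCurrentUser(on='principal')").value |
        Sort-Object createdDateTime -Descending |
        Select-Object id, action, status, roleDefinitionId, createdDateTime
}

function Get-MyActiveRoles {
    # Equivalent of My roles > Active roles: assignment instances in effect right now.
    # assignmentType 'Activated' is a PIM activation; 'Assigned' is a permanent assignment.
    (Invoke-Graph GET "roleManagement/directory/roleAssignmentScheduleInstances/filterByCurrentUser(on='principal')").value |
        Select-Object roleDefinitionId, assignmentType, startDateTime, endDateTime
}

function Stop-RoleActivation([string]$RoleDisplayName) {
    # Equivalent of Deactivate: same endpoint, action selfDeactivate.
    $body = @{ action = 'selfDeactivate'; principalId = $me.id
               roleDefinitionId = (Get-RoleDefinitionId $RoleDisplayName); directoryScopeId = '/' }
    Invoke-Graph POST 'roleManagement/directory/roleAssignmentScheduleRequests' $body | Select-Object id, status
}

function Stop-PendingRequest([string]$RequestId) {
    # Equivalent of Cancel on My requests. Only a request still awaiting approval can be
    # canceled; a provisioned activation must be deactivated instead.
    Invoke-Graph POST "roleManagement/directory/roleAssignmentScheduleRequests/$RequestId/cancel"
}

# Usage (ticket values are constructed for the example):
$req = Request-RoleActivation -RoleDisplayName 'Exchange Administrator' -Duration 'PT2H' `
           -Justification 'Mailbox migration for project X' -TicketNumber 'CHG-1234' -TicketSystem 'ServiceNow'
$req                                     # id and status of the new request
Get-MyRequests | Select-Object -First 3  # watch PendingApproval turn into Provisioned
Get-MyActiveRoles                        # confirm the activation is in effect
```

The same propagation caveat as in the portal applies: tokens issued before the activation do not carry the new role, so after the request reaches Provisioned, reconnect (Disconnect-MgGraph, then Connect-MgGraph) or sign in again to any service that should see the role. Keep the Duration as short as the task allows and call Stop-RoleActivation when you finish; the request record, justification and ticket reference are what an auditor later uses to tie the privileged session to a change.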

Troubleshoot

Permissions are not granted after activating a role

When you activate a role in PIM, the activation may not instantly propagate to all portals that require the privileged role. Sometimes, even after the change has propagated, web caching in a portal can delay the point at which it takes effect. If your activation is delayed, do the following.

  1. Sign out of the Azure portal and then sign back in.

    When you activate an Azure AD role, you see the stages of your activation. Once all the stages are complete, a Sign out link appears. Use this link to sign out; signing back in issues new tokens that include the role, which resolves most cases of activation delay.

  2. In PIM, verify that you are listed as a member of the role (My roles, then Active roles).

Next steps