Activate my Azure AD roles in PIM

Azure Active Directory (Azure AD) Privileged Identity Management (PIM) simplifies how enterprises manage privileged access to resources in Azure AD and other Microsoft online services like Office 365 or Microsoft Intune.

If you have been made eligible for an administrative role, that means you can activate that role when you need to perform privileged actions. For example, if you occasionally manage Office 365 features, your organization's privileged role administrators may not make you a permanent Global Administrator, since that role impacts other services, too. Instead, they make you eligible for Azure AD roles such as Exchange Online Administrator. You can request to activate that role when you need its privileges, and then you'll have administrator control for a predetermined time period.

This article is for administrators who need to activate their Azure AD role in PIM.

Activate a role

When you need to take on an Azure AD role, you can request activation by using the My roles navigation option in PIM.

  1. Sign in to the Azure portal.

  2. Open Azure AD Privileged Identity Management. For information about how to add the PIM tile to your dashboard, see Start using PIM.

  3. Click Azure AD roles.

  4. Click My roles to see a list of your eligible Azure AD roles.

    [Screenshot: Azure AD roles - My roles]

  5. Find the role that you want to activate.

    [Screenshot: Azure AD roles - My roles list]

  6. Click Activate to open the Role activation details pane.

  7. If your role requires multi-factor authentication (MFA), click Verify your identity before proceeding. You only have to authenticate once per session.

    [Screenshot: Verify with MFA before activating a role]

  8. Click Verify my identity and follow the instructions to provide additional security verification.

    [Screenshot: Additional security verification]

  9. Click Activate to open the Activation pane.

    [Screenshot: Activation pane]

  10. If necessary, specify a custom activation start time.

  11. Specify the activation duration.

  12. In the Activation reason box, enter the reason for the activation request. Some roles require you to supply a trouble ticket number.

    [Screenshot: Completed Activation pane]

  13. Click Activate.

    If the role does not require approval, an Activation status pane appears that displays the status of the activation.

    [Screenshot: Activation status]

    Once all the stages are complete, click the Sign out link to sign out of the Azure portal. When you sign back in to the portal, you can use the role.

    If the role requires approval to activate, a notification appears in the upper right corner of your browser informing you that the request is pending approval.

    [Screenshot: Request pending notification]

View the status of your requests

You can view the status of your pending activation requests.

  1. Open Azure AD Privileged Identity Management.

  2. Click Azure AD roles.

  3. Click My requests to see a list of your requests.

    [Screenshot: Azure AD roles - My requests]

Deactivate a role

Once a role has been activated, it automatically deactivates when its time limit (eligible duration) is reached.

If you complete your administrator tasks early, you can also deactivate a role manually in Azure AD Privileged Identity Management.

  1. Open Azure AD Privileged Identity Management.

  2. Click Azure AD roles.

  3. Click My roles.

  4. Click Active roles to see your list of active roles.

  5. Find the role you're done using and then click Deactivate.
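The portal steps in the "Activate a role", "View the status of your requests" and "Deactivate a role" sections above can also be driven from a script, which is how an operations team usually audits or automates just-in-time elevation. The following is an added example written for this page, not code from the original article or from Microsoft; it uses the AzureADPreview PowerShell module's PIM cmdlets (Get-AzureADMSPrivilegedRoleAssignment, Get-AzureADMSPrivilegedRoleDefinition, Open-AzureADMSPrivilegedRoleAssignmentRequest, Get-AzureADMSPrivilegedRoleAssignmentRequest). The role display name, the two-hour duration and the reason text are placeholder values chosen for the example; replace them with the role you are eligible for and the duration your role settings allow.

```powershell
# Added example (not from the original article): the PIM actions performed in the
# portal steps above, driven from PowerShell with the AzureADPreview module.
# Assumes: Install-Module AzureADPreview has been run, and the interactive sign-in
# satisfies any MFA requirement the role carries (the portal's "Verify my identity" step).
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

# PIM addresses Azure AD roles through the "aadRoles" provider, scoped to the tenant id.
$tenantId = (Get-AzureADTenantDetail).ObjectId

# The signed-in user is the "subject" of every request below.
$me = Get-AzureADUser -ObjectId (Get-AzureADCurrentSessionInfo).Account.Id

# --- "My roles": list the roles the signed-in user is eligible for (step 4 above) ---
$eligible = Get-AzureADMSPrivilegedRoleAssignment -ProviderId aadRoles -ResourceId $tenantId `
    -Filter "subjectId eq '$($me.ObjectId)' and assignmentState eq 'Eligible'"
$eligible | Select-Object RoleDefinitionId, AssignmentState, EndDateTime | Format-Table

# Resolve the role to activate by its display name. PLACEHOLDER: use the display name
# of a role you are actually eligible for in your tenant.
$roleName = 'Exchange Administrator'
$roleDef = Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId $tenantId `
    -Filter "DisplayName eq '$roleName'"
if (-not $roleDef) { throw "Role '$roleName' not found in tenant $tenantId" }

# --- Activation schedule: start now, end after two hours (steps 10 and 11 above) ---
# Times are sent as UTC in the round-trip format the API expects.
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type          = 'Once'
$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
$schedule.EndDateTime   = (Get-Date).AddHours(2).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')

# --- Activate: Type UserAdd + AssignmentState Active is a self-activation request ---
# The reason is what the "Activation reason" box captures in the portal (step 12);
# keep it meaningful, because it is what reviewers see in the PIM audit history.
$request = Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId aadRoles -ResourceId $tenantId `
    -RoleDefinitionId $roleDef.Id -SubjectId $me.ObjectId -Type UserAdd -AssignmentState Active `
    -Schedule $schedule -Reason 'Placeholder reason: scheduled mailbox maintenance'

# --- "My requests": the request's status tells you whether it still awaits approval ---
Get-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId aadRoles `
    -Filter "resourceId eq '$tenantId' and subjectId eq '$($me.ObjectId)'" |
    Where-Object { $_.Id -eq $request.Id } |
    Select-Object Id, RoleDefinitionId, AssignmentState, Status | Format-List

# --- "Active roles": what is currently elevated for this user (step 4 of Deactivate a role) ---
Get-AzureADMSPrivilegedRoleAssignment -ProviderId aadRoles -ResourceId $tenantId `
    -Filter "subjectId eq '$($me.ObjectId)' and assignmentState eq 'Active'" |
    Select-Object RoleDefinitionId, StartDateTime, EndDateTime | Format-Table

# --- Deactivate early: Type UserRemove against the Active assignment state (step 5) ---
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId aadRoles -ResourceId $tenantId `
    -RoleDefinitionId $roleDef.Id -SubjectId $me.ObjectId -Type UserRemove -AssignmentState Active `
    -Reason 'Placeholder reason: task finished early' | Out-Null
```

As in the portal, a role whose settings require approval will show the request as pending until an approver acts on it, and the newly active role only takes effect in a fresh sign-in (the same sign-out/sign-in step the article describes for the portal). Deactivating as soon as the task is done, rather than waiting for the duration to expire, is the habit that keeps the window of standing privilege as short as the role settings allow.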

Cancel a pending request

If you no longer need to activate a role that requires approval, you can cancel a pending request at any time.

  1. Open Azure AD Privileged Identity Management.

  2. Click Azure AD roles.

  3. Click My requests.

  4. For the role that you want to cancel, click the Cancel button.

    When you click Cancel, the request is canceled. To activate the role again, you will have to submit a new activation request.

    [Screenshot: Cancel pending request]

Troubleshoot

Permissions not granted after activating a role

When you activate a role in PIM, it takes at least 10 minutes before you can access the desired administrative portal or perform functions within a specific administrative workload. Once the activation is complete, sign out of the Azure portal and sign back in to start using the newly activated role.

For additional troubleshooting steps, see Troubleshooting Elevated Permissions.

Next steps