Understand Azure deny assignments

Similar to a role assignment, a deny assignment attaches a set of deny actions to a user, group, or service principal at a particular scope for the purpose of denying access. Deny assignments block users from performing specific Azure resource actions even if a role assignment grants them access.

This article describes how deny assignments are defined.

How deny assignments are created

Deny assignments are created and managed by Azure to protect resources. Azure Blueprints and Azure managed apps use deny assignments to protect system-managed resources. Azure Blueprints and Azure managed apps are the only way that deny assignments can be created. You can't directly create your own deny assignments. For more information about how Blueprints uses deny assignments to lock resources, see Understand resource locking in Azure Blueprints.

Note

You can't directly create your own deny assignments.

Compare role assignments and deny assignments

Deny assignments follow a similar pattern as role assignments, but also have some differences.

| Capability | Role assignment | Deny assignment |
|---|---|---|
| Grant access | ✔️ | |
| Deny access | | ✔️ |
| Can be directly created | ✔️ | |
| Apply at a scope | ✔️ | ✔️ |
| Exclude principals | | ✔️ |
| Prevent inheritance to child scopes | | ✔️ |
| Apply to classic subscription administrator assignments | | ✔️ |

Deny assignment properties

A deny assignment has the following properties:

| Property | Required | Type | Description |
|---|---|---|---|
| DenyAssignmentName | Yes | String | The display name of the deny assignment. Names must be unique for a given scope. |
| Description | No | String | The description of the deny assignment. |
| Permissions.Actions | At least one Actions or one DataActions | String[] | An array of strings that specify the management operations to which the deny assignment blocks access. |
| Permissions.NotActions | No | String[] | An array of strings that specify the management operations to exclude from the deny assignment. |
| Permissions.DataActions | At least one Actions or one DataActions | String[] | An array of strings that specify the data operations to which the deny assignment blocks access. |
| Permissions.NotDataActions | No | String[] | An array of strings that specify the data operations to exclude from the deny assignment. |
| Scope | No | String | A string that specifies the scope that the deny assignment applies to. |
| DoNotApplyToChildScopes | No | Boolean | Controls whether the deny assignment applies to child scopes; when true, it does not. Default value is false. |
| Principals[i].Id | Yes | String[] | An array of Azure AD principal object IDs (user, group, service principal, or managed identity) to which the deny assignment applies. Set to an empty GUID 00000000-0000-0000-0000-000000000000 to represent all principals. |
| Principals[i].Type | No | String[] | An array of object types represented by Principals[i].Id. Set to SystemDefined to represent all principals. |
| ExcludePrincipals[i].Id | No | String[] | An array of Azure AD principal object IDs (user, group, service principal, or managed identity) to which the deny assignment does not apply. |
| ExcludePrincipals[i].Type | No | String[] | An array of object types represented by ExcludePrincipals[i].Id. |
| IsSystemProtected | No | Boolean | Specifies whether this deny assignment was created by Azure and cannot be edited or deleted. Currently, all deny assignments are system protected. |

The All Principals principal

To support deny assignments, a system-defined principal named All Principals has been introduced. This principal represents all users, groups, service principals, and managed identities in an Azure AD directory. If the principal ID is a zero GUID 00000000-0000-0000-0000-000000000000 and the principal type is SystemDefined, the principal represents all principals. In Azure PowerShell output, All Principals looks like the following:

Principals              : {
                          DisplayName:  All Principals
                          ObjectType:   SystemDefined
                          ObjectId:     00000000-0000-0000-0000-000000000000
                          }

All Principals can be combined with ExcludePrincipals to deny all principals except some users. All Principals has the following constraints:

  • Can be used only in Principals and cannot be used in ExcludePrincipals.
  • Principals[i].Type must be set to SystemDefined.
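The evaluation rules from the property table and the All Principals constraints above, worked through as an added example (this is not Microsoft's code or an Azure API): a small Python evaluator that applies "a role assignment grants, an applicable deny assignment overrides", scope inheritance with DoNotApplyToChildScopes, NotActions exclusions, and All Principals combined with ExcludePrincipals. Assumptions: the subscription, resource and principal IDs are constructed placeholders, Azure's wildcard matching is approximated with fnmatch, and group membership is not expanded.

```python
from fnmatch import fnmatchcase
ALL_PRINCIPALS = "00000000-0000-0000-0000-000000000000"  # zero GUID = All Principals (from the page)

def matches(patterns, action):  # Azure-style wildcard match approximated with fnmatch; '*' spans '/'
    return any(fnmatchcase(action, p) for p in patterns)

def in_scope(assignment_scope, resource_scope, apply_to_children=True):
    # resource IDs are hierarchical: a child scope matches only if inheritance is allowed
    a, r = assignment_scope.lower().rstrip("/"), resource_scope.lower().rstrip("/")
    return a == r or (apply_to_children and r.startswith(a + "/"))

def deny_applies(deny, principal, resource_scope, action):
    # principal targeting: an explicit object ID, or All Principals (zero GUID + SystemDefined)
    targeted = any(p["Id"] == principal or (p["Id"] == ALL_PRINCIPALS and p.get("Type") == "SystemDefined")
                   for p in deny["Principals"])
    excluded = principal in {p["Id"] for p in deny.get("ExcludePrincipals", [])}
    if not targeted or excluded:
        return False
    if not in_scope(deny["Scope"], resource_scope, not deny.get("DoNotApplyToChildScopes", False)):
        return False
    perms = deny["Permissions"]
    return matches(perms.get("Actions", []), action) and not matches(perms.get("NotActions", []), action)

def is_allowed(principal, resource_scope, action, role_assignments, deny_assignments):
    # a role assignment must grant the action; any applicable deny assignment then overrides it
    granted = any(ra["PrincipalId"] == principal and in_scope(ra["Scope"], resource_scope)
                  and matches(ra["Actions"], action) and not matches(ra.get("NotActions", []), action)
                  for ra in role_assignments)
    return granted and not any(deny_applies(d, principal, resource_scope, action) for d in deny_assignments)

# --- constructed sample data: placeholder IDs, not a real tenant ---
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
RG = SUB + "/resourceGroups/rg-app"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/stapp"
ALICE, BOB = "aaaaaaaa-0000-0000-0000-000000000001", "bbbbbbbb-0000-0000-0000-000000000002"
ROLES = [{"PrincipalId": u, "Scope": SUB, "Actions": ["*"],   # Contributor-like grant for both users
          "NotActions": ["Microsoft.Authorization/*/Write"]} for u in (ALICE, BOB)]
DENIES = [
    {   # lock: nobody except BOB may delete anything under RG, deployments excepted
        "Scope": RG, "DoNotApplyToChildScopes": False,
        "Principals": [{"Id": ALL_PRINCIPALS, "Type": "SystemDefined"}],
        "ExcludePrincipals": [{"Id": BOB, "Type": "User"}],
        "Permissions": {"Actions": ["*/delete"], "NotActions": ["Microsoft.Resources/deployments/delete"]},
    },
    {   # deny ALICE writes at the subscription scope only; child scopes are unaffected
        "Scope": SUB, "DoNotApplyToChildScopes": True, "Principals": [{"Id": ALICE, "Type": "User"}],
        "Permissions": {"Actions": ["*/write"]},
    },
]
```

Running `is_allowed(ALICE, STORAGE, "Microsoft.Storage/storageAccounts/delete", ROLES, DENIES)` returns False even though the Contributor-like role grants it, while the same call for BOB returns True because of ExcludePrincipals.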

Next steps