Classic subscription administrator roles, Azure roles, and Azure AD roles

If you are new to Azure, you may find it a little challenging to understand all the different roles in Azure. This article explains the following roles and when you would use each:

  • Classic subscription administrator roles
  • Azure roles
  • Azure Active Directory (Azure AD) roles

To better understand roles in Azure, it helps to know some of the history. When Azure was initially released, access to resources was managed with just three administrator roles: Account Administrator, Service Administrator, and Co-Administrator. Later, Azure role-based access control (Azure RBAC) was added. Azure RBAC is a newer authorization system that provides fine-grained access management to Azure resources. Azure RBAC includes many built-in roles, can be assigned at different scopes, and allows you to create your own custom roles. To manage resources in Azure AD, such as users, groups, and domains, there are several Azure AD roles.

The following diagram is a high-level view of how the classic subscription administrator roles, Azure roles, and Azure AD roles are related.

[Diagram: the different roles in Azure]

Classic subscription administrator roles

Account Administrator, Service Administrator, and Co-Administrator are the three classic subscription administrator roles in Azure. Classic subscription administrators have full access to the Azure subscription. They can manage resources using the Azure portal, Azure Resource Manager APIs, and the classic deployment model APIs. The account that is used to sign up for Azure is automatically set as both the Account Administrator and the Service Administrator. Additional Co-Administrators can then be added. The Service Administrator and the Co-Administrators have the equivalent access of users who have been assigned the Owner role (an Azure role) at the subscription scope. The following table describes the differences between these three classic subscription administrator roles.

Classic subscription administrator roles (limit, permissions, and notes for each):

Account Administrator (limit: 1 per Azure account)
  Permissions:
  • Manage billing in the Azure portal
  • Manage all subscriptions in an account
  • Create new subscriptions
  • Cancel subscriptions
  • Change the billing for a subscription
  • Change the Service Administrator
  Notes: Conceptually, the billing owner of the subscription.

Service Administrator (limit: 1 per Azure subscription)
  Permissions:
  • Manage services in the Azure portal
  • Cancel the subscription
  • Assign users to the Co-Administrator role
  Notes: By default, for a new subscription, the Account Administrator is also the Service Administrator. The Service Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope. The Service Administrator has full access to the Azure portal.

Co-Administrator (limit: 200 per subscription)
  Permissions:
  • Same access privileges as the Service Administrator, but cannot change the association of subscriptions to Azure directories
  • Assign users to the Co-Administrator role, but cannot change the Service Administrator
  Notes: The Co-Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope.

In the Azure portal, you can manage Co-Administrators or view the Service Administrator by using the Classic administrators tab.

[Screenshot: Azure classic subscription administrators in the Azure portal]

In the Azure portal, you can view or change the Service Administrator, or view the Account Administrator, on the properties blade of your subscription.

[Screenshot: Account Administrator and Service Administrator in the Azure portal]

For more information, see Azure classic subscription administrators.

Azure account and Azure subscriptions

An Azure account represents a billing relationship. An Azure account is a user identity, one or more Azure subscriptions, and an associated set of Azure resources. The person who creates the account is the Account Administrator for all subscriptions created in that account. That person is also the default Service Administrator for the subscription.

Azure subscriptions help you organize access to Azure resources. They also help you control how resource usage is reported, billed, and paid for. Each subscription can have a different billing and payment setup, so you can have different subscriptions and different plans by office, department, project, and so on. Every service belongs to a subscription, and the subscription ID may be required for programmatic operations.

Each subscription is associated with an Azure AD directory. To find the directory a subscription is associated with, open Subscriptions in the Azure portal and then select the subscription to see its directory.

Accounts and subscriptions are managed in the Azure portal.

Azure roles

Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management to Azure resources, such as compute and storage. Azure RBAC includes over 70 built-in roles. There are four fundamental Azure roles. The first three apply to all resource types:

Fundamental Azure roles (permissions and notes for each):

Owner
  Permissions:
  • Full access to all resources
  • Delegate access to others
  Notes: The Service Administrator and Co-Administrators are assigned the Owner role at the subscription scope. Applies to all resource types.

Contributor
  Permissions:
  • Create and manage all types of Azure resources
  • Create a new tenant in Azure Active Directory
  • Cannot grant access to others
  Notes: Applies to all resource types.

Reader
  Permissions:
  • View Azure resources
  Notes: Applies to all resource types.

User Access Administrator
  Permissions:
  • Manage user access to Azure resources

The rest of the built-in roles allow management of specific Azure resources. For example, the Virtual Machine Contributor role allows the user to create and manage virtual machines. For a list of all the built-in roles, see Azure built-in roles.

Only the Azure portal and the Azure Resource Manager APIs support Azure RBAC. Users, groups, and applications that are assigned Azure roles cannot use the Azure classic deployment model APIs.

In the Azure portal, role assignments using Azure RBAC appear on the Access control (IAM) blade. This blade can be found throughout the portal, for example on management groups, subscriptions, resource groups, and individual resources.

[Screenshot: Access control (IAM) blade in the Azure portal]

When you click the Roles tab, you will see the list of built-in and custom roles.

[Screenshot: built-in roles in the Azure portal]

For more information, see Assign Azure roles using the Azure portal.

Azure AD roles

Azure AD roles are used to manage Azure AD resources in a directory, such as creating or editing users, assigning administrative roles to others, resetting user passwords, managing user licenses, and managing domains. The following table describes a few of the more important Azure AD roles.

Important Azure AD roles (permissions and notes for each):

Global Administrator
  Permissions:
  • Manage access to all administrative features in Azure Active Directory, as well as services that federate to Azure Active Directory
  • Assign administrator roles to others
  • Reset the password for any user and all other administrators
  Notes: The person who signs up for the Azure Active Directory tenant becomes a Global Administrator.

User Administrator
  Permissions:
  • Create and manage all aspects of users and groups
  • Manage support tickets
  • Monitor service health
  • Change passwords for users, Helpdesk administrators, and other User Administrators

Billing Administrator
  Permissions:
  • Make purchases
  • Manage subscriptions
  • Manage support tickets
  • Monitor service health

In the Azure portal, you can see the list of Azure AD roles on the Roles and administrators blade. For a list of all the Azure AD roles, see Administrator role permissions in Azure Active Directory.

[Screenshot: Azure AD roles in the Azure portal]

Differences between Azure roles and Azure AD roles

At a high level, Azure roles control permissions to manage Azure resources, while Azure AD roles control permissions to manage Azure Active Directory resources. The following table compares some of the differences.

Azure roles:
  • Manage access to Azure resources
  • Support custom roles
  • Scope can be specified at multiple levels (management group, subscription, resource group, resource)
  • Role information can be accessed in the Azure portal, Azure CLI, Azure PowerShell, Azure Resource Manager templates, and the REST API

Azure AD roles:
  • Manage access to Azure Active Directory resources
  • Support custom roles
  • Scope is at the tenant level
  • Role information can be accessed in the Azure portal, Microsoft 365 admin center, Microsoft Graph, and AzureAD PowerShell

Do Azure roles and Azure AD roles overlap?

By default, Azure roles and Azure AD roles do not span Azure and Azure AD. However, if a Global Administrator elevates their access by choosing the Access management for Azure resources switch in the Azure portal, the Global Administrator is granted the User Access Administrator role (an Azure role) on all subscriptions in that tenant. The User Access Administrator role enables the user to grant other users access to Azure resources. This switch can be helpful to regain access to a subscription. For more information, see Elevate access to manage all Azure subscriptions and management groups.

Several Azure AD roles span Azure AD and Microsoft 365, such as the Global Administrator and User Administrator roles. For example, if you are a member of the Global Administrator role, you have global administrator capabilities in both Azure AD and Microsoft 365, such as making changes to Microsoft Exchange and Microsoft SharePoint. However, by default, the Global Administrator does not have access to Azure resources.
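The three rules above that matter most for an access review, that Service Administrators and Co-Administrators have Owner-equivalent reach at subscription scope, that Azure role assignments inherit down the scope hierarchy, and that the elevate-access switch leaves a Global Administrator holding User Access Administrator across the tenant, can be checked offline against exported role assignments. The following is an added example, not code from the article or from Microsoft; the sample records are constructed, and it assumes classic administrators are listed under the role names shown and that elevated access is recorded as an assignment at the root scope "/".

```python
# Added example, not code from the article: an offline audit over constructed
# role-assignment records with the fields `az role assignment list` returns
# (principalName, roleDefinitionName, scope). Assumed: classic admins appear
# (with --include-classic-administrators) under the role names below, and the
# elevate-access switch shows up as User Access Administrator at root scope "/".

SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000001"  # constructed
ASSIGNMENTS = [  # constructed sample data, not from a real tenant
    {"principalName": "alice@contoso.example", "roleDefinitionName": "Owner",
     "scope": SUBSCRIPTION},
    {"principalName": "svc@contoso.example", "scope": SUBSCRIPTION,
     "roleDefinitionName": "ServiceAdministrator;AccountAdministrator"},
    {"principalName": "bob@contoso.example", "roleDefinitionName": "Reader",
     "scope": SUBSCRIPTION + "/resourceGroups/rg-web"},
    {"principalName": "ga@contoso.example", "scope": "/",
     "roleDefinitionName": "User Access Administrator"},
]
# Classic roles the article equates with Owner at subscription scope.
CLASSIC_OWNER_EQUIVALENTS = {"ServiceAdministrator", "CoAdministrator"}

def scope_covers(assigned_scope: str, target: str) -> bool:
    """Assignments inherit downward (subscription > resource group > resource).
    Scopes are compared as path prefixes; management-group membership is not in
    the path, so that level is not modelled."""
    if assigned_scope == "/":
        return True
    return target == assigned_scope or target.startswith(assigned_scope.rstrip("/") + "/")

def is_owner_equivalent(role_name: str) -> bool:
    return role_name == "Owner" or bool(CLASSIC_OWNER_EQUIVALENTS & set(role_name.split(";")))

def subscription_owners(assignments, subscription):
    """Principals with Service Administrator / Co-Administrator-level reach."""
    return sorted(a["principalName"] for a in assignments
                  if is_owner_equivalent(a["roleDefinitionName"])
                  and scope_covers(a["scope"], subscription))

def elevated_global_admins(assignments):
    """Root-scope User Access Administrator is the footprint of the elevate-access
    switch; review it and remove it once subscription access has been regained."""
    return sorted(a["principalName"] for a in assignments
                  if a["roleDefinitionName"] == "User Access Administrator"
                  and a["scope"] == "/")

def effective_roles(assignments, principal, target_scope):
    """Roles a principal holds on a target, counting inherited assignments."""
    return sorted({a["roleDefinitionName"] for a in assignments
                   if a["principalName"] == principal
                   and scope_covers(a["scope"], target_scope)})
```

On a real export, `subscription_owners` is the list to reconcile against the Classic administrators tab and the Access control (IAM) blade, and anything returned by `elevated_global_admins` should be a deliberate, time-bounded exception.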

[Diagram: comparison of Azure RBAC and Azure AD roles]

Next steps