Add or remove Azure role assignments using the Azure portal

Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope. This article describes how to assign roles using the Azure portal.

If you need to assign administrator roles in Azure Active Directory, see View and assign administrator roles in Azure Active Directory.

Prerequisites

To add or remove role assignments, you must have:

Access control (IAM)

Access control (IAM) is the page that you typically use to assign roles to grant access to Azure resources. It's also known as identity and access management and appears in several locations in the Azure portal. The following shows an example of the Access control (IAM) page for a subscription.

Screenshot: Access control (IAM) page for a subscription

To get the most out of the Access control (IAM) page, it helps to follow these steps to assign a role.

  1. Determine who needs access. You can assign a role to a user, group, service principal, or managed identity.

  2. Find the appropriate role. Permissions are grouped together into roles. You can select from a list of several Azure built-in roles, or you can use your own custom roles.

  3. Identify the needed scope. Azure provides four levels of scope: management group, subscription, resource group, and resource. For more information about scope, see Understand scope.

  4. Perform the steps in one of the following sections to assign a role.

Add a role assignment

In Azure RBAC, to grant access to an Azure resource, you add a role assignment. Follow these steps to assign a role.

  1. In the Azure portal, click All services and then select the scope that you want to grant access to. For example, you can select Management groups, Subscriptions, Resource groups, or a resource.

  2. Click the specific resource for that scope.

  3. Click Access control (IAM).

  4. Click the Role assignments tab to view the role assignments at this scope.

    Screenshot: Access control (IAM) and Role assignments tab

  5. Click Add > Add role assignment.

    If you don't have permissions to assign roles, the Add role assignment option will be disabled.

    Screenshot: Add role assignment menu

    The Add role assignment pane opens.

    Screenshot: Add role assignment pane

  6. In the Role drop-down list, select a role such as Virtual Machine Contributor.

  7. In the Select list, select a user, group, service principal, or managed identity. If you don't see the security principal in the list, you can type in the Select box to search the directory for display names, email addresses, and object identifiers.

  8. Click Save to assign the role.

    After a few moments, the security principal is assigned the role at the selected scope.

    Screenshot: Add role assignment saved

Assign a user as an administrator of a subscription

To make a user an administrator of an Azure subscription, assign them the Owner role at the subscription scope. The Owner role gives the user full access to all resources in the subscription, including the permission to grant access to others. These steps are the same as for any other role assignment.

  1. In the Azure portal, click All services and then Subscriptions.

  2. Click the subscription where you want to grant access.

  3. Click Access control (IAM).

  4. Click the Role assignments tab to view the role assignments for this subscription.

    Screenshot: Access control (IAM) and Role assignments tab

  5. Click Add > Add role assignment.

    If you don't have permissions to assign roles, the Add role assignment option will be disabled.

    Screenshot: Add role assignment menu for a subscription

    The Add role assignment pane opens.

    Screenshot: Add role assignment pane for a subscription

  6. In the Role drop-down list, select the Owner role.

  7. In the Select list, select a user. If you don't see the user in the list, you can type in the Select box to search the directory for display names and email addresses.

  8. Click Save to assign the role.

    After a few moments, the user is assigned the Owner role at the subscription scope.
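The two procedures above (a role at an arbitrary scope, and Owner at subscription scope) make the same three decisions the portal walks you through: who, which role, and at which scope. The following is an added example, not code from the original article or from Microsoft, showing those decisions carried out with the Az PowerShell module so they can be reviewed and repeated. The subscription ID, management group name, resource group, VM name, user UPN and group name are placeholders; it assumes the Az module is installed and a session has been opened with Connect-AzAccount.

```powershell
# Added example, not code from the original article: the portal's "who / which role /
# which scope" decisions performed with the Az PowerShell module.
# Placeholders to replace: subscription ID, management group name, resource group,
# VM name, user UPN and group name. Requires Install-Module Az and Connect-AzAccount.

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$mgName         = 'contoso-mg'                             # placeholder
$resourceGroup  = 'rg-app-prod'                            # placeholder
$vmName         = 'vm-web-01'                              # placeholder

Set-AzContext -Subscription $subscriptionId | Out-Null

# Step 3: the four scope levels, written as the resource-ID strings that -Scope accepts.
$scopes = @{
    ManagementGroup = "/providers/Microsoft.Management/managementGroups/$mgName"
    Subscription    = "/subscriptions/$subscriptionId"
    ResourceGroup   = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"
    Resource        = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
                      "/providers/Microsoft.Compute/virtualMachines/$vmName"
}

# Step 1: who needs access. Resolve each principal to its object ID: display names
# can be duplicated or renamed, object IDs cannot.
$user  = Get-AzADUser  -UserPrincipalName 'alice@contoso.com'   # placeholder
$group = Get-AzADGroup -DisplayName 'vm-operators'              # placeholder

# Step 2: which role. Read what the built-in role actually permits before granting it.
$role = Get-AzRoleDefinition -Name 'Virtual Machine Contributor'
$role | Select-Object Name, Id, Actions, NotActions, DataActions | Format-List

# Step 4: assign the role to the group at resource group scope. New-AzRoleAssignment
# errors if the identical assignment already exists, so check first. Get-AzRoleAssignment
# with -Scope also returns assignments inherited from parent scopes, so filter on the
# Scope property to see only the direct one.
$direct = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $role.Name -Scope $scopes.ResourceGroup |
          Where-Object { $_.Scope -eq $scopes.ResourceGroup }
if (-not $direct) {
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $role.Name -Scope $scopes.ResourceGroup
}

# "Assign a user as an administrator of a subscription": Owner at subscription scope.
New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName 'Owner' -Scope $scopes.Subscription

# Verify what each principal now holds at those scopes, direct and inherited.
Get-AzRoleAssignment -ObjectId $group.Id -Scope $scopes.ResourceGroup |
    Select-Object DisplayName, RoleDefinitionName, Scope
Get-AzRoleAssignment -ObjectId $user.Id -Scope $scopes.Subscription |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

Running this needs the same permission the portal needs for the Add role assignment button: Microsoft.Authorization/roleAssignments/write at the target scope, which the Owner and User Access Administrator roles carry. Owner includes the ability to grant access to others, so keep the set of subscription Owners small, prefer assigning it to a group you control rather than to individual users, and review the output of the final Get-AzRoleAssignment call for assignments inherited from a management group that you did not expect. As in the portal, a new assignment takes a few moments to become effective.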

Add a role assignment for a managed identity (Preview)

You can add role assignments for a managed identity by using the Access control (IAM) page as described earlier in this article. When you use the Access control (IAM) page, you start with the scope and then select the managed identity and role. This section describes an alternate way to add role assignments for a managed identity. Using these steps, you start with the managed identity and then select the scope and role.

Important

Adding a role assignment for a managed identity using these alternate steps is currently in preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

System-assigned managed identity

Follow these steps to assign a role to a system-assigned managed identity by starting with the managed identity.

  1. In the Azure portal, open the resource (for example, a virtual machine) that has the system-assigned managed identity.

  2. In the left menu, click Identity.

    Screenshot: System-assigned managed identity

  3. Under Permissions, click Azure role assignments.

    If roles are already assigned to the selected system-assigned managed identity, you see the list of role assignments. This list includes all role assignments you have permission to read.

    Screenshot: Role assignments for a system-assigned managed identity

  4. To change the subscription, click the Subscription list.

  5. Click Add role assignment (Preview).

  6. Use the drop-down lists to select the set of resources that the role assignment applies to, such as Subscription, Resource group, or resource.

    If you don't have role assignment write permissions for the selected scope, an inline message will be displayed.

  7. In the Role drop-down list, select a role such as Virtual Machine Contributor.

    Screenshot: Add role assignment pane for a system-assigned managed identity

  8. Click Save to assign the role.

    After a few moments, the managed identity is assigned the role at the selected scope.

User-assigned managed identity

Follow these steps to assign a role to a user-assigned managed identity by starting with the managed identity.

  1. In the Azure portal, open a user-assigned managed identity.

  2. In the left menu, click Azure role assignments.

    If roles are already assigned to the selected user-assigned managed identity, you see the list of role assignments. This list includes all role assignments you have permission to read.

    Screenshot: Role assignments for a user-assigned managed identity

  3. To change the subscription, click the Subscription list.

  4. Click Add role assignment (Preview).

  5. Use the drop-down lists to select the set of resources that the role assignment applies to, such as Subscription, Resource group, or resource.

    If you don't have role assignment write permissions for the selected scope, an inline message will be displayed.

  6. In the Role drop-down list, select a role such as Virtual Machine Contributor.

    Screenshot: Add role assignment pane for a user-assigned managed identity

  7. Click Save to assign the role.

    After a few moments, the managed identity is assigned the role at the selected scope.
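Both managed identity procedures above start from the identity rather than from the scope. The following is an added example, not code from the original article or from Microsoft, that does the same thing with the Az PowerShell module for a system-assigned identity on a virtual machine and for a user-assigned identity. It makes explicit the two details the portal hides: that RBAC binds to the identity's principal ID (not its client ID), and that a freshly created identity may not yet be resolvable in the directory when you try to assign it a role. The subscription ID, resource group, VM name and identity name are placeholders; it assumes the Az.Resources, Az.Compute and Az.ManagedServiceIdentity modules and an open Connect-AzAccount session.

```powershell
# Added example, not code from the original article: assign a role "starting from the
# managed identity" with the Az PowerShell module. Placeholders to replace: subscription
# ID, resource group, VM name and user-assigned identity name. Requires Az.Resources,
# Az.Compute and Az.ManagedServiceIdentity; run Connect-AzAccount first.

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$resourceGroup  = 'rg-app-prod'                            # placeholder
$vmName         = 'vm-web-01'                              # placeholder
$uamiName       = 'id-app-prod'                            # placeholder
$scope          = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

Set-AzContext -Subscription $subscriptionId | Out-Null

# Hypothetical helper (not an Az cmdlet): idempotent role grant for an identity.
function Grant-IdentityRole {
    param(
        [Parameter(Mandatory)] [string] $PrincipalId,   # object ID of the identity's service principal
        [Parameter(Mandatory)] [string] $RoleName,
        [Parameter(Mandatory)] [string] $Scope
    )
    # Get-AzRoleAssignment -Scope also lists assignments inherited from parent scopes;
    # only a direct assignment at exactly $Scope counts as "already done".
    $direct = Get-AzRoleAssignment -ObjectId $PrincipalId -RoleDefinitionName $RoleName -Scope $Scope |
              Where-Object { $_.Scope -eq $Scope }
    if ($direct) { return $direct }
    # -ObjectType ServicePrincipal skips the directory lookup that fails with
    # "PrincipalNotFound" when a just-created identity has not replicated yet.
    New-AzRoleAssignment -ObjectId $PrincipalId -RoleDefinitionName $RoleName -Scope $Scope -ObjectType 'ServicePrincipal'
}

# System-assigned: the identity lives on the resource, so read it off the VM.
$vm = Get-AzVM -ResourceGroupName $resourceGroup -Name $vmName
if (-not $vm.Identity -or "$($vm.Identity.Type)" -notmatch 'SystemAssigned') {
    throw "$vmName has no system-assigned managed identity enabled"
}
Grant-IdentityRole -PrincipalId $vm.Identity.PrincipalId -RoleName 'Virtual Machine Contributor' -Scope $scope

# User-assigned: the identity is its own resource. Use PrincipalId, not ClientId:
# ClientId is what the workload presents to obtain tokens, PrincipalId is what RBAC binds to.
$uami = Get-AzUserAssignedIdentity -ResourceGroupName $resourceGroup -Name $uamiName
Grant-IdentityRole -PrincipalId $uami.PrincipalId -RoleName 'Reader' -Scope $scope

# Review what each identity now holds at this scope, direct and inherited.
foreach ($id in @($vm.Identity.PrincipalId, $uami.PrincipalId)) {
    Get-AzRoleAssignment -ObjectId $id -Scope $scope |
        Select-Object ObjectId, RoleDefinitionName, Scope
}
```

The same least-privilege reasoning as for users applies: grant the identity the narrowest built-in role at the narrowest scope the workload needs, and review the final listing for broader assignments inherited from the subscription or a management group, since those are what the identity can actually use.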

Remove a role assignment

In Azure RBAC, to remove access from an Azure resource, you remove a role assignment. Follow these steps to remove a role assignment.

  1. Open Access control (IAM) at the scope, such as management group, subscription, resource group, or resource, where you want to remove access.

  2. Click the Role assignments tab to view all the role assignments at this scope.

  3. In the list of role assignments, add a checkmark next to the security principal with the role assignment you want to remove.

    Screenshot: Role assignment selected to be removed

  4. Click Remove.

    Screenshot: Remove role assignment message

  5. In the remove role assignment message that appears, click Yes.

    If you see a message that inherited role assignments cannot be removed, you are trying to remove a role assignment at a child scope. You should open Access control (IAM) at the scope where the role was assigned and try again. A quick way to open Access control (IAM) at the correct scope is to look at the Scope column and click the link next to (Inherited).

    Screenshot: Remove role assignment message for an inherited role assignment
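The inherited-assignment case in step 5 is the one that trips people up when revoking access: the assignment you see at a resource group may have been created at the subscription or management group, and it can only be removed there. The following is an added example, not code from the original article or from Microsoft, that performs the removal with the Az PowerShell module, distinguishes direct from inherited assignments by comparing each assignment's Scope with the scope you are working at, and refuses to remove an inherited one unless explicitly told to, because removing it at the parent revokes it from every child scope. The subscription ID, resource group and group name are placeholders; it assumes Az.Resources and an open Connect-AzAccount session.

```powershell
# Added example, not code from the original article: remove a role assignment with the
# Az PowerShell module, handling the "inherited role assignments cannot be removed"
# case by removing at the scope where the assignment actually lives. Placeholders to
# replace: subscription ID, resource group and group name. Requires Az.Resources;
# run Connect-AzAccount first.

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$resourceGroup  = 'rg-app-prod'                            # placeholder
$scope          = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

Set-AzContext -Subscription $subscriptionId | Out-Null
$group = Get-AzADGroup -DisplayName 'vm-operators'   # placeholder

# Hypothetical helper (not an Az cmdlet): revoke a role from a principal as seen from $Scope.
function Remove-EffectiveRoleAssignment {
    param(
        [Parameter(Mandatory)] [string] $ObjectId,
        [Parameter(Mandatory)] [string] $RoleName,
        [Parameter(Mandatory)] [string] $Scope,
        [switch] $RemoveInherited   # opt in to removing at a parent scope
    )
    # Everything effective for this principal and role at $Scope: direct and inherited.
    $effective = Get-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleName -Scope $Scope

    foreach ($ra in $effective) {
        if ($ra.Scope -eq $Scope) {
            Write-Host "Removing direct assignment at $($ra.Scope)"
        } elseif ($RemoveInherited) {
            # Same situation as the portal's inherited-assignment message: the assignment
            # was created at a parent scope, so it must be removed there. Doing so also
            # revokes it from every other child of that scope.
            Write-Host "Removing inherited assignment at its origin $($ra.Scope)"
        } else {
            Write-Warning "Skipping assignment inherited from $($ra.Scope); re-run with -RemoveInherited to remove it there"
            continue
        }
        Remove-AzRoleAssignment -ObjectId $ra.ObjectId -RoleDefinitionName $ra.RoleDefinitionName -Scope $ra.Scope
    }

    # Report what is still effective so the caller can confirm access is really gone.
    Get-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleName -Scope $Scope |
        Select-Object RoleDefinitionName, Scope
}

Remove-EffectiveRoleAssignment -ObjectId $group.Id -RoleName 'Virtual Machine Contributor' -Scope $scope
```

Removing requires Microsoft.Authorization/roleAssignments/delete at the scope where the assignment lives, not merely at the child scope where you noticed it, which is the same reason the portal's Remove button fails on inherited rows. Treat a non-empty final listing as "access not yet revoked": either an inherited assignment was skipped, or the principal holds the role through a group membership, which this check does not expand.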

Next steps