Role-based administration control (RBAC) with Intune

RBAC helps you control who can perform various Intune tasks within your organization, and who those tasks apply to. You can either use the built-in roles that cover some common Intune scenarios, or you can create your own roles. A role is defined by:

  • Role definition: The name of a role, the resources it manages, and the permissions granted for each resource.
  • Members: The user groups that are granted the permissions.
  • Scope: The user or device groups that the members can manage.
  • Assignment: When the definition, members, and scope have been configured, the role is assigned.

Intune RBAC example

Starting at the new Intune portal, Azure Active Directory (Azure AD) provides two Directory Roles which can be used with Intune. These roles are granted full permission to perform all activities in Intune:

  • Global Administrator: Users with this role have access to all administrative features in Azure AD, as well as services that federate to Azure AD like Exchange Online, SharePoint Online, and Skype for Business Online. The person who signs up for the Azure AD tenant becomes a global administrator. Only global administrators can assign other Azure AD administrator roles. There can be more than one global administrator at your organization. Global admins can reset the password for any user and all other administrators.

  • Intune Service Administrator: Users with this role have global permissions within Intune when the service is present. Additionally, this role provides the ability to manage users and devices, and to create and manage groups.

  • Conditional Access Administrator: Users with this role only have permissions to view, create, modify, and delete conditional access policies.

    Important

    The Intune Service Administrator role does not provide the ability to manage Azure AD's conditional access settings.

    Tip

    Intune also shows three Azure AD extensions: Users, Groups, and Conditional access, which are controlled using Azure AD RBAC. Additionally, the User Account Administrator only performs AAD user/group activities and does not have full permissions to perform all activities in Intune. Refer to RBAC with Azure AD for more details.

Roles created in the Intune classic console

Only Intune Service Administrator users with "Full" permissions are migrated from the Intune classic console to Intune on Azure. You need to re-assign Intune Service Administrator users with "Read-Only" or "Helpdesk" access to Intune roles in the Azure portal, and remove them from the classic portal.

Important

You might need to keep the Intune Service Administrator access in the classic console if your admins still need access to manage PCs using Intune.

Built-in roles

The following roles are built into Intune, and you can assign them to groups with no further configuration:

  • Help Desk Operator: Performs remote tasks on users and devices, and can assign applications or policies to users or devices.
  • Policy and Profile Manager: Manages compliance policy, configuration profiles, Apple enrollment, and corporate device identifiers.
  • Read Only Operator: Views user, device, enrollment, configuration, and application information. Cannot make changes to Intune.
  • Application Manager: Manages mobile and managed applications, and can read device information.

To assign a built-in role

  1. On Intune roles, choose the built-in role you want to assign.

  2. On the <role name> - Properties blade, choose Manage, then Assignments.

    Note

    You cannot delete or edit the built-in roles.

  3. On the custom role blade, choose Assign.

  4. On the Role Assignments blade, enter a Name and an optional Description for the assignment, and then choose the following:

    • Members - Select a group that contains the users you want to give the permissions to.
    • Scope - Select a group containing the users who the members above will be allowed to manage.
  5. When you are done, click OK. The new assignment is displayed in the list of assignments.
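The following is an added illustration (not Intune's own code or API) of the model behind the role-definition bullets above and the assignment steps just described: a role definition carries permissions, and an assignment binds it to a member group and a scope group, so an action is allowed only when the actor is in the members group, the target is in the scope group, and the role grants that action. Group names, user names and permission names are constructed sample data, not Intune's real permission names.

```python
from dataclasses import dataclass

# Added illustration of the RBAC model on this page (not Intune's own code):
# a role definition carries permissions; an assignment binds it to a member
# group (who receives the permissions) and a scope group (who may be managed).

@dataclass(frozen=True)
class RoleDefinition:
    name: str
    permissions: frozenset      # permission names here are illustrative, not Intune's

@dataclass(frozen=True)
class RoleAssignment:
    role: RoleDefinition
    members: str                # Azure AD group whose users receive the role
    scope: str                  # Azure AD group whose users/devices may be managed

# Constructed directory data: group name -> user principal names.
GROUPS = {
    "Helpdesk-Tier1": {"alice@contoso.example"},
    "Audit-Team": {"bob@contoso.example"},
    "Sales-Users": {"carol@contoso.example"},
    "Finance-Users": {"dave@contoso.example"},
}

HELP_DESK = RoleDefinition("Help Desk Operator",
                           frozenset({"remote_task", "assign_app", "assign_policy"}))
READ_ONLY = RoleDefinition("Read Only Operator",
                           frozenset({"read_user", "read_device"}))

# Two assignments, each with members and scope as in the assignment steps.
ASSIGNMENTS = [
    RoleAssignment(HELP_DESK, members="Helpdesk-Tier1", scope="Sales-Users"),
    RoleAssignment(READ_ONLY, members="Audit-Team", scope="Finance-Users"),
]

def groups_of(user):
    return {g for g, users in GROUPS.items() if user in users}

def permitted(actor, action, target, assignments=ASSIGNMENTS):
    """Allowed only when one assignment puts the actor in its member group,
    the target in its scope group, and the action in its role's permissions."""
    actor_groups, target_groups = groups_of(actor), groups_of(target)
    return any(a.members in actor_groups and a.scope in target_groups
               and action in a.role.permissions for a in assignments)
```

With this data, Alice can assign a policy to Carol (in scope) but not to Dave (out of scope), and Bob can read Dave's device but cannot change anything, matching the Read Only Operator description.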

Intune RBAC table

  • Download the Intune RBAC table to see more details on what each role can do.

Custom roles

You can create a custom role that includes any permissions required for a specific job function. For example, if an IT department group manages applications, policies, and configuration profiles, you can add all of those permissions together in one custom role.

Important

To create, edit, or assign roles, your account must have one of the following permissions in Azure AD:

  • Global Administrator
  • Intune Service Administrator

To create a custom role

  1. Sign into the Azure portal with your Intune credentials.

  2. Choose More services from the left menu, then type Intune in the text box filter.

  3. Choose Intune. When the Intune Dashboard opens, choose Intune roles.

  4. On the Intune roles blade, choose Intune roles, then Add custom.

  5. On the Add Custom Role blade, enter a name and description for the new role, then click Permissions.

  6. On the Permissions blade, choose the permissions you want to use with this role. Use the Intune RBAC table to help you decide which permissions you want to apply.

  7. When you are done, choose OK.

  8. On the Add Custom Role blade, click Create. The new role is displayed in the list on the Intune roles blade.

To assign a custom role

  1. On Intune roles, choose the custom role you want to assign.

  2. On the <role name> - Properties blade, choose Manage, then Assignments. On this blade, you can also edit or delete existing roles.

  3. On the custom role blade, choose Assign.

  4. On the Role Assignments blade, enter a Name and an optional Description for the assignment, and then choose the following:

    • Members - Select a group that contains the users you want to give the permissions to.
    • Scope - Select a group containing the users who the members above will be allowed to manage.
  5. When you are done, click OK. The new assignment is displayed in the list of assignments.

Next steps

Use the Intune Helpdesk operator role with the troubleshooting portal

See also

Assign roles using Azure AD

To submit feedback, go to Intune Feedback.