Azure Active Directory Administrator Roles | PowerShell
![Azure Active Directory Administrator Roles | PowerShell](https://cn.a-d.site/common-images/azure-administrator-roles/AzureAdministratorRoles_01.jpg)
Azure AD administrator roles let you delegate individual parts of Azure Active Directory administration instead of handing out Global Administrator.
For example, you can assign the Global Reader role to anyone who needs to investigate or audit your resources but must not be able to change anything. This is least privilege in practice: an account that only needs to read should never hold a role that can write.
In a large organization it makes sense to delegate the administration of individual Azure AD areas to dedicated administrators. Even a small organization with only a few admins will find Azure AD administrator roles useful, because every role you can scope down is one fewer account that can take over the whole tenant.
This article shows you how to use PowerShell to:
- List all Azure administrator roles
- List all users that hold a specific Azure administrator role
- List all Azure administrator roles assigned to all identities
- List all Azure administrator roles held by a specific user
But first, let's look at the GUI to get a visual overview of the same information.
Managing Azure administrator roles with the Azure portal
To see all roles and which users or groups are assigned to each of them, sign in to the Azure portal, go to Azure Active Directory and click "Roles and administrators":
![Azure Active Directory Administrator Roles | PowerShell](https://cn.a-d.site/common-images/azure-administrator-roles/RolesAdministrators_GUI.png)
To see the roles assigned to a single user, go to "Users", select the user and click "Assigned roles":
![Azure Active Directory Administrator Roles | PowerShell](https://cn.a-d.site/common-images/azure-administrator-roles/RolesAdministrators_UserProperties.png)
Managing Azure administrator roles with PowerShell
In many cases you will want to use PowerShell to manage administrator roles in Azure Active Directory, for example to audit role membership on a schedule. PowerShell has two important modules for managing Azure AD:
- Azure AD PowerShell for Graph (the AzureAD module)
- Azure Active Directory Module for Windows PowerShell (MSOnline)
Which one you prefer is up to you. This article demonstrates the MSOnline module. Note that Microsoft has since deprecated both modules in favor of the Microsoft Graph PowerShell SDK; the cmdlets below still work against existing tenants and illustrate the concepts, but new automation should target Microsoft Graph.
All code examples assume you have a working PowerShell connection to Azure AD (established with Connect-MsolService). See our separate article on how to set up and use the MSOnline module for PowerShell.
Overview of Azure administrator roles
First, let's get an overview of all Azure AD administrator roles:
```powershell
Get-MsolRole | Sort-Object Name | Format-Table Name,ObjectId,Description
```
Nicely formatted as a table, the output looks like this:
Azure AD administrator roles
| Role | ObjectId | Description |
| --- | --- | --- |
| Application Administrator | 9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3 | Can create and manage all aspects of app registrations and enterprise apps. |
| Application Developer | cf1c38e5-3621-4004-a7cb-879624dced7c | Can create application registrations independent of the 'Users can register applications' setting. |
| Authentication Administrator | c4e39bd9-1100-46d3-8c65-fb160da0071f | Allowed to view, set and reset authentication method information for any non-admin user. |
| Azure DevOps Administrator | e3973bdf-4987-49ae-837a-ba8e231c7286 | Can manage Azure DevOps organization policy and settings. |
| Azure Information Protection Administrator | 7495fdc4-34c4-4d15-a289-98788ce399fd | Can manage all aspects of the Azure Information Protection product. |
| B2C IEF Keyset Administrator | aaf43236-0c0d-4d5f-883a-6955382ac081 | Can manage secrets for federation and encryption in the Identity Experience Framework (IEF). |
| B2C IEF Policy Administrator | 3edaf663-341e-4475-9f94-5c398ef6c070 | Can create and manage trust framework policies in the Identity Experience Framework (IEF). |
| B2C User Flow Administrator | 6e591065-9bad-43ed-90f3-e9424366d2f0 | Can create and manage all aspects of user flows. |
| B2C User Flow Attribute Administrator | 0f971eea-41eb-4569-a71e-57bb8a3eff1e | Can create and manage the attribute schema available to all user flows. |
| Billing Administrator | b0f54661-2d74-4c50-afa3-1ec803f12efe | Can perform common billing related tasks like updating payment information. |
| Cloud Application Administrator | 158c047a-c907-4556-b7ef-446551a6b5f7 | Can create and manage all aspects of app registrations and enterprise apps except App Proxy. |
| Cloud Device Administrator | 7698a772-787b-4ac8-901f-60d6b08affd2 | Full access to manage devices in Azure AD. |
| Company Administrator | 62e90394-69f5-4237-9190-012177145e10 | Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities. |
| Compliance Administrator | 17315797-102d-40b4-93e0-432062caca18 | Can read and manage compliance configuration and reports in Azure AD and Office 365. |
| Compliance Data Administrator | e6d1a23a-da11-4be4-9570-befc86d067a7 | Creates and manages compliance content. |
| Conditional Access Administrator | b1be1c3e-b65d-4f19-8427-f6fa0d97feb9 | Can manage conditional access capabilities. |
| CRM Service Administrator | 44367163-eba1-44c3-98af-f5787879f96a | Can manage all aspects of the Dynamics 365 product. |
| Customer LockBox Access Approver | 5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91 | Can approve Microsoft support requests to access customer organizational data. |
| Desktop Analytics Administrator | 38a96431-2bdf-4b4c-8b6e-5d3d8abac1a4 | Can access and manage Desktop management tools and services. |
| Device Administrators | 9f06204d-73c1-4d4c-880a-6edb90606fd8 | Device Administrators |
| Device Join | 9c094953-4995-41c8-84c8-3ebb9b32c93f | Device Join |
| Device Managers | 2b499bcd-da44-4968-8aec-78e1674fa64d | Deprecated – Do Not Use. |
| Device Users | d405c6df-0af8-4e3b-95e4-4d06e542189e | Device Users |
| Directory Readers | 88d8e3e3-8f55-4a1e-953a-9b9898b8876b | Can read basic directory information. Commonly used to grant directory read access to applications and guests. |
| Directory Synchronization Accounts | d29b2b05-8046-44ba-8758-1e26182fcf32 | Only used by Azure AD Connect service. |
| Directory Writers | 9360feb5-f418-4baa-8175-e2a00bac4301 | Can read and write basic directory information. For granting access to applications, not intended for users. |
| Exchange Service Administrator | 29232cdf-9323-42fd-ade2-1d097af3e4de | Can manage all aspects of the Exchange product. |
| External Identity Provider Administrator | be2f45a1-457d-42af-a067-6ec1fa63bc45 | Can configure identity providers for use in direct federation. |
| Global Reader | f2ef992c-3afb-46b9-b7cf-a126ee74c451 | Can read everything that a global admin can read but not update anything. |
| Groups Administrator | fdd7a751-b60b-444a-984c-02652fe8fa1c | Members of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view groups activity and audit reports. |
| Guest Inviter | 95e79109-95c0-4d8e-aee3-d01accf2d47b | Can invite guest users independent of the 'members can invite guests' setting. |
| Helpdesk Administrator | 729827e3-9c14-49f7-bb1b-9608f156bbb8 | Can reset passwords for non-administrators and Helpdesk Administrators. |
| Intune Service Administrator | 3a2c62db-5318-420d-8d74-23affee5d9d5 | Can manage all aspects of the Intune product. |
| Kaizala Administrator | 74ef975b-6605-40af-a5d2-b9539d836353 | Can manage settings for Microsoft Kaizala. |
| License Administrator | 4d6ac14f-3453-41d0-bef9-a3e0c569773a | Can manage product licenses on users and groups. |
| Lync Service Administrator | 75941009-915a-4869-abe7-691bff18279e | Can manage all aspects of the Skype for Business product. |
| Message Center Privacy Reader | ac16e43d-7b2d-40e0-ac05-243ff356ab5b | Can read security messages and updates in Office 365 Message Center only. |
| Message Center Reader | 790c1fb9-7f7d-4f88-86a1-ef1f95c05c1b | Can read messages and updates for their organization in Office 365 Message Center only. |
| Office Apps Administrator | 2b745bdf-0803-4d80-aa65-822c4493daac | Can manage Office apps cloud services, including policy and settings management, and manage the ability to select, unselect and publish 'what's new' feature content to end-user's devices. |
| Partner Tier1 Support | 4ba39ca4-527c-499a-b93d-d9b492c50246 | Do not use – not intended for general use. |
| Partner Tier2 Support | e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8 | Do not use – not intended for general use. |
| Password Administrator | 966707d0-3269-4727-9be2-8c3a10f19b9d | Can reset passwords for non-administrators and Password Administrators. |
| Power BI Service Administrator | a9ea8996-122f-4c74-9520-8edcd192826c | Can manage all aspects of the Power BI product. |
| Power Platform Administrator | 11648597-926c-4cf3-9c36-bcebb0ba8dcc | Can create and manage all aspects of Microsoft Dynamics 365, PowerApps and Microsoft Flow. |
| Printer Administrator | 644ef478-e28f-4e28-b9dc-3fdde9aa0b1f | Can manage all aspects of printers and printer connectors. |
| Printer Technician | e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477 | Can manage all aspects of printers and printer connectors. |
| Privileged Authentication Administrator | 7be44c8a-adaf-4e2a-84d6-ab2649e08a13 | Allowed to view, set and reset authentication method information for any user (admin or non-admin). |
| Privileged Role Administrator | e8611ab8-c189-46e8-94e1-60213ab1f814 | Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management. |
| Reports Reader | 4a5d8f65-41da-4de4-8968-e035b65339cf | Can read sign-in and audit reports. |
| Search Administrator | 0964bb5e-9bdb-4d7b-ac29-58e794862a40 | Can create and manage all aspects of Microsoft Search settings. |
| Search Editor | 8835291a-918c-4fd7-a9ce-faa49f0cf7d9 | Can create and manage the editorial content such as bookmarks, Q and As, locations, floorplan. |
| Security Administrator | 194ae4cb-b126-40b2-bd5b-6091b380977d | Security Administrator allows ability to read and manage security configuration and reports. |
| Security Operator | 5f2222b1-57c3-48ba-8ad5-d4759f1fde6f | Creates and manages security events. |
| Security Reader | 5d6b6bb7-de71-4623-b4af-96380a352509 | Can read security information and reports in Azure AD and Office 365. |
| Service Support Administrator | f023fd81-a637-4b56-95fd-791ac0226033 | Can read service health information and manage support tickets. |
| SharePoint Service Administrator | f28a1f50-f6e7-4571-818b-6a12f2af6b6c | Can manage all aspects of the SharePoint service. |
| Teams Communications Administrator | baf37b3a-610e-45da-9e62-d9d1e5e8914b | Can manage calling and meetings features within the Microsoft Teams service. |
| Teams Communications Support Engineer | f70938a0-fc10-4177-9e90-2178f8765737 | Can troubleshoot communications issues within Teams using advanced tools. |
| Teams Communications Support Specialist | fcf91098-03e3-41a9-b5ba-6f0ec8188a12 | Can troubleshoot communications issues within Teams using basic tools. |
| Teams Service Administrator | 69091246-20e8-4a56-aa4d-066075b2a7a8 | Can manage the Microsoft Teams service. |
| User Account Administrator | fe930be7-5e62-47db-91af-98c3a49a38b1 | Can manage all aspects of users and groups, including resetting passwords for limited admins. |
| Workplace Device Join | c34f683f-4d5a-4403-affd-6615e00e3a7f | Workplace Device Join |
For a detailed description of every administrator role and the permissions it includes, see Microsoft's official documentation. The built-in role ObjectIds above are the same in every tenant, which is why scripts can hard-code them; the role names, however, are what MSOnline shows, and some differ from the portal (the portal's "Global Administrator" is "Company Administrator" here).
List all users with a specific Azure administrator role
The Get-MsolRoleMember cmdlet lists the members of a given role. It identifies the role by its GUID through the RoleObjectId parameter, so you first have to look up the role GUID with Get-MsolRole (or use the table above as a reference). Get-MsolRole also accepts -RoleName, so you can resolve a role by name and pipe its ObjectId into the next command instead of copying GUIDs around.
To list all users assigned the Global Administrator role (which MSOnline actually calls "Company Administrator"!), use the following PowerShell command:
```powershell
Get-MsolRoleMember -RoleObjectId 62e90394-69f5-4237-9190-012177145e10
```
The output of the command might look like this:
```text
PS C:\> Get-MsolRoleMember -RoleObjectId 62e90394-69f5-4237-9190-012177145e10

RoleMemberType EmailAddress      DisplayName          isLicensed
-------------- ------------      -----------          ----------
User           [email protected] Tycho Brahe          True
User           [email protected] Jens Martin Knudsen  True
```
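Listing the members of one role is the building block; what a reviewer actually wants from it is a quick read on whether those members are safe to hold that role. The following added example (not code from the original article) resolves the roles by name with Get-MsolRole -RoleName, enumerates every member with -All so large roles are not truncated at the default page size, and enriches user members with the attributes that matter for a privileged account: guest status, number of registered MFA methods, and whether the account is synchronized from on-premises AD. It assumes an existing Connect-MsolService session. The role names, the threshold of five members (Microsoft's guidance for Global Administrators), and the function name are choices made for this example.

```powershell
# Added example, not part of the original article. Requires the MSOnline module
# and an existing Connect-MsolService session.

function Get-AdminRoleAudit {
    [CmdletBinding()]
    param(
        # MSOnline role names (assumed defaults); 'Company Administrator' is Global Administrator
        [string[]]$RoleName = @(
            'Company Administrator',
            'Privileged Role Administrator',
            'Privileged Authentication Administrator'
        ),
        # Warn when a role has more direct members than this; Microsoft recommends
        # fewer than five Global Administrators
        [int]$MaxMembers = 5
    )

    foreach ($name in $RoleName) {
        # Resolve the role by name so the script does not depend on copied GUIDs
        $role = Get-MsolRole -RoleName $name
        if (-not $role) {
            Write-Warning "Role '$name' not found in this tenant"
            continue
        }

        # -All returns every member; without it the cmdlet stops at its default page size
        $members = @(Get-MsolRoleMember -RoleObjectId $role.ObjectId -All)

        if ($members.Count -gt $MaxMembers) {
            Write-Warning ("{0}: {1} direct members (threshold {2})" -f $name, $members.Count, $MaxMembers)
        }

        foreach ($m in $members) {
            $userType   = $null
            $mfaMethods = $null
            $synced     = $null

            if ($m.RoleMemberType -eq 'User') {
                # Enrich user members with guest status, registered MFA methods and sync origin
                $user       = Get-MsolUser -ObjectId $m.ObjectId
                $userType   = $user.UserType
                $mfaMethods = @($user.StrongAuthenticationMethods).Count
                $synced     = [bool]$user.LastDirSyncTime
            }

            [pscustomobject]@{
                Role         = $name
                MemberType   = $m.RoleMemberType   # User, Group or ServicePrincipal
                DisplayName  = $m.DisplayName
                EmailAddress = $m.EmailAddress
                UserType     = $userType           # a 'Guest' in a privileged role deserves a second look
                MfaMethods   = $mfaMethods         # 0 means no MFA method registered at all
                SyncedFromAD = $synced             # synced admins inherit on-premises compromise risk
                IsLicensed   = $m.IsLicensed
            }
        }
    }
}

# Show only the findings a reviewer cares about: non-user members, guests,
# admins without a registered MFA method, and admins synchronized from on-premises AD
Get-AdminRoleAudit |
    Where-Object {
        $_.MemberType -ne 'User' -or
        $_.UserType -eq 'Guest' -or
        $_.MfaMethods -eq 0 -or
        $_.SyncedFromAD
    } |
    Format-Table Role, MemberType, DisplayName, UserType, MfaMethods, SyncedFromAD -AutoSize
```

Run it with no parameters for the three assumed roles, or pass -RoleName with any names from the table above. A service principal or group appearing as a member is not necessarily wrong, but each one is a second path into the role that the user-centric portal view makes easy to overlook.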
List all Azure administrator roles assigned to all identities
To list every assigned Azure administrator role in the tenant, use the following script. A little logic is needed to format the output with the "real" role names instead of GUIDs:
```powershell
$RolesCollection = @()
$Roles = Get-MsolRole
ForEach ($Role In $Roles) {
    # -All returns every member; without it the cmdlet stops at its default page size
    $Members = Get-MsolRoleMember -RoleObjectId $Role.ObjectId -All
    ForEach ($Member In $Members) {
        # Pair the human-readable role name with each member
        $obj = New-Object PSObject -Property @{
            RoleName   = $Role.Name
            MemberName = $Member.DisplayName
            MemberType = $Member.RoleMemberType
        }
        $RolesCollection += $obj
    }
}
Write-Output $RolesCollection | Sort-Object RoleName,MemberName | Format-Table RoleName,MemberName,MemberType
```
The output of this script will look similar to this:
```text
RoleName                           MemberName                                            MemberType
--------                           ----------                                            ----------
Company Administrator              Tycho Brahe                                           User
Application Administrator          Jens Martin Knudsen                                   User
Directory Synchronization Accounts On-Premises Directory Synchronization Service Account User
License Administrator              Ole Roemer                                            User
```
List all Azure administrator roles for a specific user
To see the Azure administrator roles assigned to a single user (or group), add a filter to the output by replacing the last line of the previous script with the following. Keep in mind that display names are not unique in Azure AD, so for anything beyond an interactive lookup you should filter on the member's ObjectId or e-mail address instead:
```powershell
Write-Output $RolesCollection | Where-Object MemberName -eq 'Tycho Brahe' | Sort-Object RoleName | Format-Table RoleName,MemberName,MemberType
```
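The two previous sections build a one-off listing; the version of it that earns its keep in operations is a snapshot you can diff, so that a new Global Administrator shows up as a change rather than as one more row in a long table. The following added example (not code from the original article) serves both sections: it collects every (role, member) pair keyed on the member's ObjectId rather than the display name, offers a per-identity lookup by ObjectId or e-mail address, and compares the current snapshot with the previous one saved as CSV. It assumes an existing Connect-MsolService session; the baseline path C:\Audit\role-assignments.csv, the address tycho@contoso.com and the function names are assumptions for this example.

```powershell
# Added example, not part of the original article. Requires the MSOnline module
# and an existing Connect-MsolService session.

function Get-RoleAssignmentSnapshot {
    # One row per (role, member) pair; the member ObjectId is the stable key for comparison
    foreach ($role in Get-MsolRole) {
        foreach ($m in @(Get-MsolRoleMember -RoleObjectId $role.ObjectId -All)) {
            [pscustomobject]@{
                RoleName     = $role.Name
                RoleObjectId = $role.ObjectId
                MemberId     = $m.ObjectId
                MemberName   = $m.DisplayName
                MemberType   = $m.RoleMemberType
                EmailAddress = $m.EmailAddress
            }
        }
    }
}

function Get-RolesForIdentity {
    # Filter a snapshot by ObjectId or e-mail address, never by display name (not unique)
    param(
        [Parameter(Mandatory)][object[]]$Snapshot,
        [string]$ObjectId,
        [string]$EmailAddress
    )
    $Snapshot | Where-Object {
        ($ObjectId -and $_.MemberId -eq $ObjectId) -or
        ($EmailAddress -and $_.EmailAddress -eq $EmailAddress)
    } | Sort-Object RoleName
}

function Compare-RoleAssignmentSnapshot {
    # Report assignments present in only one of two snapshots
    param(
        [Parameter(Mandatory)][object[]]$Previous,
        [Parameter(Mandatory)][object[]]$Current
    )
    # Composite key of role and member; '=>' means added since the previous run, '<=' removed
    $key = { '{0}|{1}' -f $_.RoleObjectId, $_.MemberId }
    Compare-Object -ReferenceObject  @($Previous | Select-Object *, @{ n = 'Key'; e = $key }) `
                   -DifferenceObject @($Current  | Select-Object *, @{ n = 'Key'; e = $key }) `
                   -Property Key -PassThru |
        Select-Object @{ n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' } } },
                      RoleName, MemberName, MemberType, EmailAddress
}

# Usage. The baseline path is an assumption; keep it somewhere only auditors can write to.
$baselinePath = 'C:\Audit\role-assignments.csv'
$current = @(Get-RoleAssignmentSnapshot)

if (Test-Path $baselinePath) {
    $previous = @(Import-Csv $baselinePath)
    $changes  = Compare-RoleAssignmentSnapshot -Previous $previous -Current $current
    if ($changes) {
        Write-Warning 'Role assignments changed since the last snapshot:'
        $changes | Format-Table -AutoSize
    }
}

# Roles held by one identity, looked up by e-mail address (assumed example address)
Get-RolesForIdentity -Snapshot $current -EmailAddress 'tycho@contoso.com' |
    Format-Table RoleName, MemberName, MemberType -AutoSize

# Persist the new baseline for the next run
$current | Export-Csv -Path $baselinePath -NoTypeInformation
```

Two limits of this view are worth knowing before you rely on it. Get-MsolRoleMember returns only direct, active, tenant-wide assignments: eligible assignments managed through Privileged Identity Management are not listed until they are activated, and assignments scoped to an administrative unit are exposed through Get-MsolScopedRoleMember instead. A clean diff therefore means "no change among permanent tenant-wide assignments", not "nobody gained admin rights".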
Summary
I hope you now have a good grip on managing Azure administrator roles with PowerShell. Hopefully the building blocks above help you put together some solid automation that makes your day-to-day administration easier and less error-prone.
Check out our PowerShell section for more automation ideas.