[英]Azure Active Directory Group - controlling user access
I have a requirement to add users to an Azure Active Directory group with certain privileges.我需要将用户添加到具有特定权限的 Azure Active Directory 组。
For example, specific user added to adgroup1
gets edit access on application specific data, while the same user could be part of adgroup2
with read only access for different set of application data.例如,添加到
adgroup1
的特定用户获得对应用程序特定数据的编辑访问权限,而同一用户可能是adgroup2
的一部分,对不同的应用程序数据集具有只读访问权限。
What would be the best practice to implement this?实现这一点的最佳做法是什么? Appreciate the feedback.
感谢反馈。
I am afraid this could not be implemented, in Azure AD, a normal user (ie User type
is member
) has the default permissions to view all the AD Apps in the tenant, source here .恐怕这无法实现,在 Azure AD 中,普通用户(即
User type
为member
)具有查看租户中所有 AD 应用程序的默认权限,source here 。
This could not be restricted, default permissions for member users can be restricted list here , even if you set Restrict access to Azure AD administration portal
, the user can also get the information from other clients eg powershell.这不能被限制,会员用户的默认权限可以在这里限制列表,即使你设置
Restrict access to Azure AD administration portal
,用户也可以从其他客户端获取信息,例如powershell。
For the edit permission, the user needs to be added as an Owner
to the AD App, but the AAD group
is not supported to be added as an Owner
to the AD App.对于编辑权限,需要将用户添加为 AD App 的
Owner
,但不支持将AAD group
添加为 AD App 的Owner
。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.