Azure Active Directory 组 - 控制用户访问
[英]Azure Active Directory Group - controlling user access
问题描述
I have a requirement to add users to an Azure Active Directory group with certain privileges.
我需要将用户添加到具有特定权限的 Azure Active Directory 组。
For example, specific user added to adgroup1 gets edit access on application specific data, while the same user could be part of adgroup2 with read only access for different set of application data.例如,添加到adgroup1的特定用户获得对应用程序特定数据的编辑访问权限,而同一用户可能是adgroup2的一部分,对不同的应用程序数据集具有只读访问权限。
What would be the best practice to implement this?实现这一点的最佳做法是什么? Appreciate the feedback.感谢反馈。
1 个解决方案
解决方案1
1 已采纳 2021-05-14 07:05:17
I am afraid this could not be implemented, in Azure AD, a normal user (ie User type is member ) has the default permissions to view all the AD Apps in the tenant, source here .恐怕这无法实现,在 Azure AD 中,普通用户(即User type为member )具有查看租户中所有 AD 应用程序的默认权限,source here 。
This could not be restricted, default permissions for member users can be restricted list here , even if you set Restrict access to Azure AD administration portal , the user can also get the information from other clients eg powershell.这不能被限制,会员用户的默认权限可以在这里限制列表,即使你设置Restrict access to Azure AD administration portal ,用户也可以从其他客户端获取信息,例如powershell。
For the edit permission, the user needs to be added as an Owner to the AD App, but the AAD group is not supported to be added as an Owner to the AD App.对于编辑权限,需要将用户添加为 AD App 的Owner ,但不支持将AAD group添加为 AD App 的Owner 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.