帐户管理 - 服务管理员/租户 [英] Account management - Service Admin/Tenant
问题描述
我有2个关于帐户管理的问题。
I have 2 questions regarding account management.
- 在门户网站(Azure或AzureStack)中,如何将共同管理员添加到服务管理员角色('in-case-I-get-hit-by- a-bus'场景),他还可以制作新的优惠和计划吗?
- Within the portal (either Azure or AzureStack), how do I add a co-administrator to the service admin role (the 'in-case-I-get-hit-by-a-bus' scenario), so he can also make new Offers and Plans?
- 如何阻止任何拥有Azure Active Directory帐户的用户创建新的租户订阅? ;我没有给我的同事任何特定的azurestack权利,但他能够使用他的azure AD帐户登录azurestack
门户网站,创建订阅并添加公开发售。 默认情况下,任何Azure AD用户帐户是否具有此功能?
-How do you prevent any user with an Azure active directory account from creating a new tenant subscription? I did not give my coworker any specific rights for azurestack, yet he was able to use his azure AD account to log into the azurestack portal, create a subscription and add the public offering. By default, does any Azure AD user account have this ability?
***更新
1. ;根据Mike和Dan添加所有者的作品。 我们必须记住,对于每个租户订阅,我们始终需要手动添加备份所有者(或者创建一个Azure AD组,并在可能的情况下将该组指定为所有者)
1. Adding the Owner per Mike and Dan works. We will just have to remember that for each tenant subscription made we always need to add a backup owner manually (or create an Azure AD group and assign the group as Owner, if possible)
2。至于阻止所有Azure AD用户访问azure堆栈并创建订阅,我们只会将我们的商品状态更改为私有。 这样可以防止添加订阅。 但是,要防止任何Azure AD用户完全访问
azurestack门户, 看来有一种方法可以通过将赋值更改为Classic Azure AD中的azurestack-portal应用程序来实现此目的。 在经典Azure Active Directory中进行了一些挖掘后,在您的默认目录
下选择了"应用程序",将"显示"字段下拉列表更改为"我公司拥有的应用程序",并找到3个新的AzureStack.local项目,包括一个门户网站。 如果我选择AzureStack.local-portal并转到"配置",则会有一个名为
的设置'访问应用程序需要用户分配',默认为"否"。 我假设如果我们想将azurestack门户锁定为仅批准的Azure AD用户,我可以将此设置更改为"是"。 我没有对此进行测试,因为我想确保
这是正确支持的流程,并且不会破坏其他功能"幕后"。
2. As far as preventing all Azure AD users being able to access azure stack and create subscriptions, we will just change the state of our Offers to Private. This will prevent adding subscriptions. However, to prevent any Azure AD user from accessing the azurestack portal altogether, it appears there is a way to do this by changing assignment to the azurestack-portal application within Classic Azure AD. After some digging around in Classic Azure Active Directory, under your default directory I selected 'Applications', changed the 'Show' field dropdown to 'Applications my company owns', and found 3 new AzureStack.local items, including one for the portal. If I select AzureStack.local-portal and go to 'Configure', there is a setting called 'User Assignment Required to Access App', with 'No' as the default. I'm assuming if we wanted to lock down the azurestack portal to only approved Azure AD users, I could change this setting to 'Yes'. I haven't tested this as I want to make sure this is the correct supported process and won't break other functionality "behind the scenes".
推荐答案
对于共同管理方案,请尝试以下方法:
For the co-admin scenario try the following:
1。在Azure AD中创建新用户帐户(共同管理员)。
1. Create an new user account (co-administrator) in Azure AD.
2。使用原始服务管理员登录MAS门户 - >浏览 - >订阅 - >默认提供商订阅 - >访问(带2个人的小图标) - > +添加 - >所有者 - >添加新帐户。
2. Login into MAS portal with original Service Admin -> Browse -> Subscriptions -> Default Provider Subscription -> Access (small icon with 2 people) -> +Add -> Owner -> Add the new account.
可能有另一种方式,但这对我有用。新服务管理员通过RBAC拥有所有者权限。
There might be another way but this worked for me. The new service admin has the owner perms via RBAC.
这篇关于帐户管理 - 服务管理员/租户的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
