允许用户在属于我们的Azure Active Directory帐户的PC上拥有提升权限需要什么角色？ [英] What role is required to allow a user to have elevated permissions on PCs who are part of our Azure Active Directory account?

问题描述

我们已将办公室中的PC锁定，因此个人用户不是本地管理员。如果我希望他们能够在需要提升权限的PC上执行任务，我需要知道我有什么角色给员工。我们只将
Azure Active Directory与Office365结合使用，而不使用其他Azure服务。 我不想让这个员工成为全局管理员，但Azure中有很多角色可供选择。我不确定选择哪个角色。

我已经尝试过给他设置Cloud Device Administrator和密码管理员，但当我们尝试以管理员身份启动PowerShell并使用他的Office365凭据登录时，我们仍然收到消息"要求提升"

解决方案

您可以使用全局管理员角色或用户访问管理员角色。  https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate- access-global-admin

"提升访问权限时，将在Azure范围内为您分配用户访问管理员角色（/） 。这允许您查看所有资源并在目录中的任何订阅或管理组中分配访问权限。
可以使用PowerShell删除用户访问管理员角色分配。"

如果有帮助，请告诉我！

We have the PCs in the office locked down so individual users are not local administrators on the boxes. I need to know what role I have to give an employee if I want them to be able perform tasks on the PCs that require elevated privileges. We only use Azure Active Directory in conjunction with Office365, no other Azure services.  I do not want to make this employee a Global Admin, but there are so many roles available within Azure that I am unsure which role to choose.

I have already tried giving him Cloud Device Administrator and Password Administrator, but when we tried to launch PowerShell as an administrator and he logs in using his Office365 credentials, we still get the message "requires elevation"

解决方案

You can use either a Global Admin role or a User Access Administrator role. https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin

"When you elevate your access, you will be assigned the User Access Administrator role in Azure at root scope (/). This allows you to view all resources and assign access in any subscription or management group in the directory. User Access Administrator role assignments can be removed using PowerShell."

Let me know if this helps!

这篇关于允许用户在属于我们的Azure Active Directory帐户的PC上拥有提升权限需要什么角色？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！