
Enable B2B external collaboration and manage who can invite guests

This article describes how to enable Azure Active Directory (Azure AD) B2B collaboration, designate who can invite guests, and determine the permissions that guest users have in your Azure AD.

By default, all users and guests in your directory can invite guests even if they're not assigned to an admin role. External collaboration settings let you turn guest invitations on or off for different types of users in your organization. You can also delegate invitations to individual users by assigning roles that allow them to invite guests.

Azure AD allows you to restrict what external guest users can see in your Azure AD directory. By default, guest users are set to a limited permission level that blocks them from enumerating users, groups, or other directory resources, but lets them see membership of non-hidden groups. A new preview setting lets you restrict guest access even further, so that guests can only view their own profile information. For details, see Restrict guest access permissions (preview).

Configure B2B external collaboration settings

With Azure AD B2B collaboration, a tenant admin can set the following invitation policies:

  • Turn off invitations
  • Only admins and users in the Guest Inviter role can invite
  • Admins, the Guest Inviter role, and members can invite
  • All users, including guests, can invite

By default, all users, including guests, can invite guest users.

To configure external collaboration settings:

  1. Sign in to the Azure portal as a tenant administrator.

  2. Select Azure Active Directory.

  3. Select External Identities > External collaboration settings.

  4. Under Guest user access restrictions (Preview), choose the level of access you want guest users to have:

    • Guest users have the same access as members (most inclusive): This option gives guests the same access to Azure AD resources and directory data as member users.

    • Guest users have limited access to properties and memberships of directory objects (Default): This setting blocks guests from certain directory tasks, like enumerating users, groups, or other directory resources. Guests can see membership of all non-hidden groups.

    • Guest user access is restricted to properties and memberships of their own directory objects (most restrictive): With this setting, guests can access only their own profiles. Guests are not allowed to see other users' profiles, groups, or group memberships.

    (Screenshot: Guest user access restrictions settings)

  5. Under Guest invite settings, choose the appropriate settings:

    • Admins and users in the guest inviter role can invite: To allow admins and users in the "Guest Inviter" role to invite guests, set this policy to Yes.

    • Members can invite: To allow non-admin members of your directory to invite guests, set this policy to Yes.

    • Guests can invite: To allow guests to invite other guests, set this policy to Yes.

    • Enable Email One-Time Passcode for guests (Preview): For more information about the one-time passcode feature, see Email one-time passcode authentication (Preview).

    • Enable guest self-service sign up via user flows (Preview): For more information about this setting, see Add a self-service sign-up user flow to an app (Preview).

    Note

    If Members can invite is set to No and Admins and users in the guest inviter role can invite is set to Yes, users in the Guest Inviter role will still be able to invite guests.

    (Screenshot: Guest invite settings)

  6. Under Collaboration restrictions, choose whether to allow or deny invitations to the domains you specify. For more information, see Allow or block invitations to B2B users from specific organizations.
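The portal settings in steps 4 and 5 are stored in the tenant's authorization policy, so a defender can audit them from a script instead of clicking through the portal. The following script is an added example, not part of the original article; it uses the Microsoft Graph PowerShell SDK (assumed to be installed, with a signed-in account holding Policy.Read.All) and reads the policy's guestUserRoleId and allowInvitesFrom values. The mapping of those values to the options listed above is taken from the Graph API, not from this page.

```powershell
# Added example (not from the original article): audit the tenant's external
# collaboration settings via the Microsoft Graph PowerShell SDK.
# Assumes: Microsoft.Graph module installed; signed-in account has Policy.Read.All.

Connect-MgGraph -Scopes "Policy.Read.All"

# guestUserRoleId values (Microsoft role template IDs) that correspond to the
# three "Guest user access restrictions" options in step 4.
$guestAccessLevels = @{
    "a0b1b346-4d3e-4e8b-98f8-753987be4970" = "Same access as members (most inclusive)"
    "10dae51f-b6af-4016-8d66-8c2a99b929b3" = "Limited access to directory objects (default)"
    "2af84b1e-32c8-42b7-82bc-daa82404023b" = "Restricted to own directory objects (most restrictive)"
}

# allowInvitesFrom values that correspond to the four invitation policies above.
$invitePolicies = @{
    "none"                             = "Turn off invitations"
    "adminsAndGuestInviters"           = "Only admins and users in the Guest Inviter role can invite"
    "adminsGuestInvitersAndAllMembers" = "Admins, the Guest Inviter role, and members can invite"
    "everyone"                         = "All users, including guests, can invite (default)"
}

# The authorization policy is a tenant-wide singleton.
$policy = Get-MgPolicyAuthorizationPolicy | Select-Object -First 1

$guestAccess = $guestAccessLevels[[string]$policy.GuestUserRoleId]
$inviteFrom  = $invitePolicies[[string]$policy.AllowInvitesFrom]

[PSCustomObject]@{
    GuestUserRoleId  = $policy.GuestUserRoleId
    GuestAccessLevel = if ($guestAccess) { $guestAccess } else { "Unrecognised role id" }
    AllowInvitesFrom = $policy.AllowInvitesFrom
    InvitationPolicy = if ($inviteFrom) { $inviteFrom } else { "Unrecognised value" }
} | Format-List

# Flag the two settings a reviewer most often wants tightened.
if ($policy.AllowInvitesFrom -eq "everyone") {
    Write-Warning "Guests can invite other guests. Consider 'adminsAndGuestInviters' or 'adminsGuestInvitersAndAllMembers'."
}
if ($policy.GuestUserRoleId -eq "a0b1b346-4d3e-4e8b-98f8-753987be4970") {
    Write-Warning "Guests have the same directory access as members. The default limited level blocks directory enumeration."
}
```

Run this after changing the portal settings to confirm the values actually took effect, or periodically as a drift check: the two warnings correspond to the "All users, including guests, can invite" and "same access as members" options, which are the most permissive choices on this page.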

Assign the Guest Inviter role to a user

With the Guest Inviter role, you can give individual users the ability to invite guests without assigning them a global administrator or other admin role. Assign the Guest Inviter role to individuals. Then make sure you set Admins and users in the guest inviter role can invite to Yes.

Here's an example that shows how to use PowerShell to add a user to the Guest Inviter role:

Add-MsolRoleMember -RoleObjectId 95e79109-95c0-4d8e-aee3-d01accf2d47b -RoleMemberEmailAddress <RoleMemberEmailAddress>
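The command above uses the MSOnline module. As an added example that is not part of the original article, the same delegation with the Microsoft Graph PowerShell SDK is shown below, including the step a first-time assignment needs (the role has to be activated from its template before it has members) and a membership listing so the delegation can be reviewed afterwards. It assumes the Microsoft.Graph module is installed and the signed-in account may manage directory role membership; the user principal name is a placeholder, and the role template ID is the one used in the article's command.

```powershell
# Added example (not from the original article): assign the Guest Inviter role
# with the Microsoft Graph PowerShell SDK and list who holds it afterwards.
# Assumes: Microsoft.Graph module installed; signed-in account holds a role that
# can manage directory role membership (e.g. Privileged Role Administrator).

$userPrincipalName      = "inviter@contoso.example"                  # placeholder
$guestInviterTemplateId = "95e79109-95c0-4d8e-aee3-d01accf2d47b"     # Guest Inviter template ID (from the article)

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

# A directory role only exists as an object once it has been activated from its
# template, so look it up by template ID and activate it if it is missing.
$role = Get-MgDirectoryRole -All | Where-Object { $_.RoleTemplateId -eq $guestInviterTemplateId }
if (-not $role) {
    $role = New-MgDirectoryRole -RoleTemplateId $guestInviterTemplateId
}

# Get-MgUser accepts a UPN as well as an object ID.
$user = Get-MgUser -UserId $userPrincipalName

# Adding an existing member fails, so check current membership first.
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
if ($members.Id -contains $user.Id) {
    Write-Host "$userPrincipalName already holds the Guest Inviter role."
} else {
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
        "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
    }
    Write-Host "Added $userPrincipalName to the Guest Inviter role."
}

# Review: everyone who can invite guests through this role.
Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
    ForEach-Object { $_.AdditionalProperties["userPrincipalName"] }
```

The final listing is the part worth keeping in a runbook: because this role bypasses the "Members can invite" setting (see the note in step 5), its membership is effectively the list of non-admins who can bring external identities into the tenant.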

Next steps

See the following articles on Azure AD B2B collaboration: