
What is guest user access in Azure Active Directory B2B?

Azure Active Directory (Azure AD) business-to-business (B2B) collaboration is a feature within External Identities that lets you invite guest users to collaborate with your organization. With B2B collaboration, you can securely share your company's applications and services with guest users from any other organization, while maintaining control over your own corporate data. Work safely and securely with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources. Developers can use Azure AD business-to-business APIs to customize the invitation process or write applications like self-service sign-up portals. For licensing and pricing information related to guest users, refer to Azure Active Directory pricing.

Important

Starting March 31, 2021, Microsoft will no longer support the redemption of invitations by creating unmanaged Azure AD accounts and tenants for B2B collaboration scenarios. In preparation, we encourage customers to opt into email one-time passcode authentication. We welcome your feedback on this public preview feature and are excited to create even more ways to collaborate.

Collaborate with any partner using their identities

With Azure AD B2B, the partner uses their own identity management solution, so there is no external administrative overhead for your organization. Guest users sign in to your apps and services with their own work, school, or social identities.

  • The partner uses their own identities and credentials; Azure AD is not required.
  • You don't need to manage external accounts or passwords.
  • You don't need to sync accounts or manage account lifecycles.

Easily invite guest users from the Azure AD portal

As an administrator, you can easily add guest users to your organization in the Azure portal.

  • Create a new guest user in Azure AD, similar to how you'd add a new user.
  • Assign guest users to apps or groups.
  • Send an invitation email that contains a redemption link, or send a direct link to an app you want to share.
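As an added example (not Microsoft's code) of the invitation process and the B2B APIs mentioned above, the following Python script builds a Microsoft Graph invitation request and applies the two checks an administrator would want before an invitation is sent. The Graph endpoint and field names are the documented ones; the partner-domain allowlist, redirect-host allowlist and permission scope are assumptions for this example.

```python
"""Added example (not Microsoft's code): build and send an Azure AD B2B guest
invitation via Microsoft Graph POST /invitations, with the policy checks a
tenant admin would want before an invitation leaves the organization."""
import json
from urllib.parse import urlparse
from urllib.request import Request, urlopen

GRAPH_INVITATIONS_URL = "https://graph.microsoft.com/v1.0/invitations"

# Constructed sample policy, not real tenant settings: partner domains you have
# agreed to collaborate with, and the only hosts a redeemed guest may land on.
ALLOWED_PARTNER_DOMAINS = {"partner.example", "contoso.example"}
ALLOWED_REDIRECT_HOSTS = {"myapps.microsoft.com", "portal.fabrikam.example"}


def build_invitation(email, redirect_url, display_name=None,
                     partner_domains=ALLOWED_PARTNER_DOMAINS,
                     redirect_hosts=ALLOWED_REDIRECT_HOSTS):
    """Return the JSON body for POST /invitations, or raise ValueError.
    The invitee's domain must be an approved partner, and inviteRedirectUrl
    (where the guest lands after redemption) must be one of your own apps,
    so an invitation can never route a guest to a foreign site.
    """
    local, sep, domain = email.partition("@")
    if not sep or not local or domain.lower() not in partner_domains:
        raise ValueError(f"invitee domain is not an approved partner: {email}")
    target = urlparse(redirect_url)
    if target.scheme != "https" or target.hostname not in redirect_hosts:
        raise ValueError(f"redirect URL is not an approved app: {redirect_url}")
    body = {
        "invitedUserEmailAddress": email,
        "inviteRedirectUrl": redirect_url,
        "sendInvitationMessage": True,  # Azure AD emails the redemption link
        "invitedUserType": "Guest",     # never silently create a Member
    }
    if display_name:
        body["invitedUserDisplayName"] = display_name
    return body


def send_invitation(body, access_token):
    """POST the body to Graph; the token needs the User.Invite.All permission.
    The returned resource's 'inviteRedeemUrl' is the link you can hand to the
    partner directly instead of relying on the emailed message."""
    req = Request(GRAPH_INVITATIONS_URL, data=json.dumps(body).encode(),
                  headers={"Authorization": f"Bearer {access_token}",
                           "Content-Type": "application/json"},
                  method="POST")
    with urlopen(req) as resp:
        return json.load(resp)
```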

Screenshot showing the New Guest User invitation entry page

Screenshot showing the Review permissions page

Use policies to securely share your apps and services

You can use authorization policies to protect your corporate content. Conditional Access policies, such as multi-factor authentication, can be enforced:

  • At the tenant level.
  • At the application level.
  • For specific guest users to protect corporate apps and data.

Screenshot showing Conditional Access options

Let application and group owners manage their own guest users

You can delegate guest user management to application owners so that they can add guest users directly to any application they want to share, whether it's a Microsoft application or not.

  • Administrators set up self-service app and group management.
  • Non-administrators use their Access Panel to add guest users to applications or groups.

Screenshot showing a guest user's Access Panel

Customize the onboarding experience for B2B guest users

Bring your external partners on board in ways customized to your organization's needs.

Integrate with identity providers

Azure AD supports external identity providers like Facebook, Microsoft accounts, Google, or enterprise identity providers. You can set up federation with identity providers so your external users can sign in with their existing social or enterprise accounts instead of creating a new account just for your application. Learn more about identity providers for External Identities.

Screenshot showing the Identity providers page

Create a self-service sign-up user flow (Preview)

With a self-service sign-up user flow, you can create a sign-up experience for external users who want to access your apps. As part of the sign-up flow, you can provide options for different social or enterprise identity providers, and collect information about the user. Learn about self-service sign-up and how to set it up.

You can also use API connectors to integrate your self-service sign-up user flows with external cloud systems. You can connect with custom approval workflows, perform identity verification, validate user-provided information, and more.

Screenshot showing the user flows page

Next steps