
Add or remove role assignments for external guest users using Azure RBAC and the Azure portal

Azure role-based access control (RBAC) allows better security management for large organizations, and for small and medium-sized businesses working with external collaborators, vendors, or freelancers who need access to specific resources in your environment but not to the entire infrastructure or to any billing-related scope. You can use the capabilities of Azure Active Directory B2B to collaborate with external guest users, and you can use RBAC to grant just the permissions that those guest users need in your environment.

Prerequisites

To add or remove role assignments, you must have:

When would you invite guest users?

Here are a few example scenarios in which you might invite guest users to your organization and grant them permissions:

  • Allow an external self-employed vendor who only has an email account to access your Azure resources for a project.
  • Allow an external partner to manage certain resources or an entire subscription.
  • Allow support engineers who are not in your organization (such as Microsoft support) to temporarily access an Azure resource to troubleshoot an issue.

Permission differences between member users and guest users

Native members of a directory (member users) have different permissions than users invited from another directory as B2B collaboration guests (guest users). For example, member users can read almost all directory information, while guest users have restricted directory permissions. For more information about member users and guest users, see What are the default user permissions in Azure Active Directory?

Add a guest user to your directory

Follow these steps to add a guest user to your directory using the Azure Active Directory page.

  1. Make sure your organization's external collaboration settings are configured so that you are allowed to invite guests. For more information, see Enable B2B external collaboration and manage who can invite guests.

  2. In the Azure portal, click Azure Active Directory > Users > New guest user.

  3. Follow the steps to add a new guest user. For more information, see Add Azure Active Directory B2B collaboration users in the Azure portal.

After you add a guest user to the directory, you can either send the guest user a direct link to a shared app, or the guest user can click the redemption URL in the invitation email.

For the guest user to be able to access your directory, they must complete the invitation process.

For more information about the invitation process, see Azure Active Directory B2B collaboration invitation redemption.

Add a role assignment for a guest user

In RBAC, you grant access by assigning a role. To add a role assignment for a guest user, you follow the same steps as you would for a member user, group, service principal, or managed identity. Follow these steps to add a role assignment for a guest user at the scope you choose.

  1. In the Azure portal, click All services.

  2. Select the set of resources that the access applies to, also known as the scope. For example, you can select Management groups, Subscriptions, Resource groups, or a resource.

  3. Click the specific resource.

  4. Click Access control (IAM).

    On the Access control (IAM) blade of a resource group, for example, any access control change you make applies to that resource group and, by inheritance, to the resources inside it, but not to the subscription above it.

  5. Click the Role assignments tab to view all the role assignments at this scope.

  6. Click Add > Add role assignment to open the Add role assignment pane.

    If you don't have permission to assign roles, the Add role assignment option is disabled.

  7. In the Role drop-down list, select a role such as Virtual Machine Contributor.

  8. In the Select list, select the guest user. If you don't see the user in the list, you can type in the Select box to search the directory by display name, email address, or object identifier.

  9. Click Save to assign the role at the selected scope.

Add a role assignment for a guest user not yet in your directory

To add a role assignment for a guest user, you follow the same steps as you would for a member user, group, service principal, or managed identity.

If the guest user is not yet in your directory, you can invite the user directly from the Add role assignment pane.

  1. In the Azure portal, click All services.

  2. Select the set of resources that the access applies to, also known as the scope. For example, you can select Management groups, Subscriptions, Resource groups, or a resource.

  3. Click the specific resource.

  4. Click Access control (IAM).

  5. Click the Role assignments tab to view all the role assignments at this scope.

  6. Click Add > Add role assignment to open the Add role assignment pane.

  7. In the Role drop-down list, select a role such as Virtual Machine Contributor.

  8. In the Select list, type the email address of the person you want to invite and select that person.

  9. Click Save to add the guest user to your directory, assign the role, and send an invitation.

    After a few moments, you will see a notification of the role assignment and information about the invitation.

  10. To deliver the invitation yourself, right-click the invitation link in the notification and copy it. Don't click the invitation link, because clicking it starts the redemption process.

    The invitation link has the following format:

    https://invitations.microsoft.com/redeem/...

  11. Send the invitation link to the guest user so that they can complete the invitation process.

    For more information about the invitation process, see Azure Active Directory B2B collaboration invitation redemption.
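The two portal procedures above (assign a role to a guest who is already in the directory, or invite and assign in one step) can be scripted. The following is an added example, not code from the Azure documentation, written for Az PowerShell (Az.Resources) together with the Microsoft Graph PowerShell SDK. It assumes you are signed in with rights to invite guests and to assign roles at the target scope; the subscription ID, resource group name and guest address are placeholders supplied as parameters. The script looks the guest up by mail address, creates the B2B invitation if the guest does not exist yet, assigns Virtual Machine Contributor at resource-group scope only, and then lists what the guest holds at that scope, including anything inherited from the subscription or a management group.

```powershell
#Requires -Modules Az.Accounts, Az.Resources, Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns
# Added example: invite (if needed) an external guest and grant one Azure RBAC role at
# resource-group scope. All parameter values are placeholders, not values from the page.
param(
    [Parameter(Mandatory)] [string] $GuestEmail,       # e.g. vendor@example.com
    [Parameter(Mandatory)] [string] $SubscriptionId,   # target subscription (GUID)
    [Parameter(Mandatory)] [string] $ResourceGroup,    # scope: this resource group only
    [string] $RoleName = 'Virtual Machine Contributor',
    [switch] $SendInvitationMail                       # omit to hand over the redeem URL yourself
)

# The scope stops at the resource group: nothing at subscription or billing level is granted.
$scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup"

Connect-AzAccount -Subscription $SubscriptionId | Out-Null
Connect-MgGraph -Scopes 'User.Invite.All', 'User.Read.All' | Out-Null

# 1. Look the guest up by mail. Double any single quote so the address cannot break
#    out of the OData filter string.
$safeMail = $GuestEmail.Replace("'", "''")
$guest = Get-MgUser -Filter "mail eq '$safeMail'" -Property Id,Mail,UserType,ExternalUserState |
         Where-Object UserType -eq 'Guest' | Select-Object -First 1

if ($guest) {
    $guestId = $guest.Id
    if ($guest.ExternalUserState -ne 'Accepted') {
        Write-Warning "$GuestEmail has not redeemed the invitation yet: the role assignment is created now, but the guest will not see the directory or its resources until they redeem."
    }
} else {
    # 2. Not in the directory yet: create the B2B invitation. The redeem URL has the
    #    https://invitations.microsoft.com/redeem/... form shown in the procedure above.
    $inv = New-MgInvitation -InvitedUserEmailAddress $GuestEmail `
                            -InviteRedirectUrl 'https://portal.azure.com' `
                            -SendInvitationMessage:$SendInvitationMail
    $guestId = $inv.InvitedUser.Id
    Write-Host "Invited $GuestEmail as object $guestId"
    if (-not $SendInvitationMail) { Write-Host "Send this redeem URL to the guest: $($inv.InviteRedeemUrl)" }
}

# 3. Assign the role, idempotently. -ObjectType User lets Azure RBAC accept a principal that
#    Graph created seconds ago and that may not have replicated yet.
$have = Get-AzRoleAssignment -ObjectId $guestId -RoleDefinitionName $RoleName -Scope $scope -ErrorAction SilentlyContinue
if (-not $have) {
    New-AzRoleAssignment -ObjectId $guestId -ObjectType User -RoleDefinitionName $RoleName -Scope $scope | Out-Null
    Write-Host "Assigned '$RoleName' at $scope"
}

# 4. Verify what is effective for the guest at this scope, including assignments
#    inherited from the subscription or a management group.
Get-AzRoleAssignment -ObjectId $guestId -Scope $scope |
    Select-Object RoleDefinitionName, Scope, ObjectType
```

The final listing is the check worth keeping: a guest who is only meant to touch one resource group should show exactly one row, with the scope you passed in. Extra rows with a subscription or management group scope mean the guest already inherits broader access than this assignment grants.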

Remove a guest user from your directory

Before you remove a guest user from a directory, you should first remove any role assignments for that guest user; otherwise the assignments remain attached to the deleted object ID and appear in the portal as "Identity not found". Follow these steps to remove a guest user from a directory.

  1. Open Access control (IAM) at a scope, such as a management group, subscription, resource group, or resource, where the guest user has a role assignment.

  2. Click the Role assignments tab to view all the role assignments.

  3. In the list of role assignments, add a checkmark next to the guest user with the role assignment you want to remove.

  4. Click Remove.

  5. In the remove role assignment message that appears, click Yes.

  6. In the left navigation bar, click Azure Active Directory > Users.

  7. Click the guest user you want to remove.

  8. Click Delete.

  9. In the delete message that appears, click Yes.
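Because the portal removes assignments one scope at a time, it is easy to miss an assignment in another subscription or on a single resource. The following offboarding script is an added example, not code from the Azure documentation; it uses Az PowerShell and the Microsoft Graph PowerShell SDK to sweep every subscription the caller can see, remove each assignment the guest holds, and only then delete the guest object. It assumes you are signed in with rights to read and remove role assignments in those subscriptions and to delete users in the directory; the guest address is a placeholder parameter. Run it with -DryRun first to see what it would remove.

```powershell
#Requires -Modules Az.Accounts, Az.Resources, Microsoft.Graph.Users
# Added example: remove every Azure RBAC assignment held by a guest, then delete the guest.
param(
    [Parameter(Mandatory)] [string] $GuestEmail,   # placeholder, e.g. vendor@example.com
    [switch] $DryRun                                # report only, change nothing
)

Connect-AzAccount | Out-Null
Connect-MgGraph -Scopes 'User.ReadWrite.All' | Out-Null

$safeMail = $GuestEmail.Replace("'", "''")          # keep the address from breaking the OData filter
$guest = Get-MgUser -Filter "mail eq '$safeMail'" -Property Id,Mail,UserType |
         Where-Object UserType -eq 'Guest' | Select-Object -First 1
if (-not $guest) { throw "No guest user with mail $GuestEmail in this directory." }

# 1. Sweep every subscription. Without -Scope, Get-AzRoleAssignment returns the principal's
#    assignments at the subscription and every scope beneath it; assignments inherited from a
#    management group can show up under several subscriptions, so they are de-duplicated by ID.
$seen = @{}
foreach ($sub in Get-AzSubscription) {
    Set-AzContext -Subscription $sub.Id | Out-Null
    $assignments = Get-AzRoleAssignment -ObjectId $guest.Id -ErrorAction SilentlyContinue
    foreach ($a in $assignments) {
        if ($seen.ContainsKey($a.RoleAssignmentId)) { continue }
        $seen[$a.RoleAssignmentId] = $true
        Write-Host "[$($sub.Name)] $($a.RoleDefinitionName) at $($a.Scope)"
        if (-not $DryRun) {
            Remove-AzRoleAssignment -ObjectId $a.ObjectId -RoleDefinitionName $a.RoleDefinitionName -Scope $a.Scope
        }
    }
}
Write-Host "$($seen.Count) assignment(s) found for $GuestEmail"

# 2. Only after the sweep, delete the directory object. A deleted user stays restorable for
#    30 days, and any assignment left behind would become effective again on restore, which
#    is why the sweep comes first.
if ($DryRun) { Write-Host "DryRun: would delete guest object $($guest.Id)"; return }
Remove-MgUser -UserId $guest.Id
Write-Host "Deleted guest $GuestEmail ($($guest.Id))"
```

The sweep only covers subscriptions the signed-in account can enumerate; an assignment in a subscription you cannot read is not found and not removed, so run this as an account with reader access across the tenant's subscriptions, or compare the count against what the guest's access review reported.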

Troubleshoot

Guest user cannot browse the directory

Guest users have restricted directory permissions. For example, guest users cannot browse the directory and cannot search for groups or applications. For more information, see What are the default user permissions in Azure Active Directory?

If a guest user needs additional privileges in the directory, you can assign a directory role to the guest user. If you really want a guest user to have full read access to your directory, you can add the guest user to the Directory Readers role in Azure AD. For more information, see Grant permissions to users from partner organizations in your Azure Active Directory tenant.

Guest user cannot browse users, groups, or service principals to assign roles

Guest users have restricted directory permissions. Even if a guest user is an Owner at a scope, when they try to add a role assignment to grant someone else access, they cannot browse the list of users, groups, or service principals.

If the guest user knows someone's exact sign-in name in the directory, they can still grant access by typing it. If you really want a guest user to have full read access to your directory, you can add the guest user to the Directory Readers role in Azure AD. For more information, see Grant permissions to users from partner organizations in your Azure Active Directory tenant.

Guest user cannot register applications or create service principals

Guest users have restricted directory permissions. If a guest user needs to be able to register applications or create service principals, you can add the guest user to the Application Developer role in Azure AD. For more information, see Grant permissions to users from partner organizations in your Azure Active Directory tenant.
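Adding a guest to the Directory Readers or Application Developer role, as the three troubleshooting entries above suggest, is a few clicks in the portal; the following is an added example, not from the Azure documentation, that does the same with the Microsoft Graph PowerShell SDK. It assumes you are signed in as a Privileged Role Administrator or Global Administrator (required both to activate a built-in role from its template and to add members), and the guest address is a placeholder parameter. Before running it, weigh what you grant: Directory Readers lets the guest read every user, group and application in the tenant, far more than the single resource group of the earlier procedures, so where a guest only needs to assign a role to one known person, having them type the exact sign-in name is the smaller grant.

```powershell
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement
# Added example: put a guest into a built-in Azure AD directory role, activating the
# role from its template if this tenant has never used it.
param(
    [Parameter(Mandatory)] [string] $GuestEmail,   # placeholder, e.g. vendor@example.com
    [ValidateSet('Directory Readers', 'Application Developer')]
    [string] $RoleDisplayName = 'Directory Readers'
)

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All' | Out-Null

$safeMail = $GuestEmail.Replace("'", "''")          # keep the address from breaking the OData filter
$guest = Get-MgUser -Filter "mail eq '$safeMail'" -Property Id,UserType |
         Where-Object UserType -eq 'Guest' | Select-Object -First 1
if (-not $guest) { throw "No guest user with mail $GuestEmail in this directory." }

# Built-in roles exist as templates; the role object itself appears only once activated.
$role = Get-MgDirectoryRole | Where-Object DisplayName -eq $RoleDisplayName
if (-not $role) {
    $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq $RoleDisplayName
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
    Write-Host "Activated role '$RoleDisplayName' from template $($template.Id)"
}

# Adding an existing member is an error, so check membership first.
$memberIds = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id | ForEach-Object Id)
if ($memberIds -contains $guest.Id) {
    Write-Host "$GuestEmail is already a member of '$RoleDisplayName'"
} else {
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id `
        -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($guest.Id)" }
    Write-Host "Added $GuestEmail ($($guest.Id)) to '$RoleDisplayName'"
}

# Show the resulting membership so the change can be reviewed; revert later with
# Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -DirectoryObjectId <id>.
Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id |
    ForEach-Object { "$($_.Id)  $($_.AdditionalProperties['displayName'])" }
```

The membership listing at the end is the part to keep an eye on: a directory role is tenant-wide, so every external identity in that list can read (or, for Application Developer, register applications in) the whole directory, regardless of which Azure resource scopes they were given through RBAC.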

Guest user does not see the new directory

If a guest user has been granted access to a directory but does not see the new directory listed in the Azure portal when trying to switch in the Directory + subscription pane, make sure the guest user has completed the invitation process. For more information about the invitation process, see Azure Active Directory B2B collaboration invitation redemption.

Guest user does not see resources

If a guest user has been granted access to a directory but does not see the resources they have been granted access to in the Azure portal, make sure the guest user has selected the correct directory. A guest user might have access to multiple directories. To switch directories, in the upper left, click Directory + subscription, and then click the appropriate directory.

Next steps