Identities, scopes, and tenants in Skype for Business Online


Topic Last Modified: 2015-03-09

Many of the Windows PowerShell cmdlets used to manage Skype for Business Online require you to be very specific about the item that you are trying to manage. For example, when you run the Set-CsUserAcp cmdlet, you must indicate which user you are trying to manage. This makes sense. Unless you specifically tell the cmdlet which user account to manage, the Set-CsUserAcp cmdlet has no idea which user's audio conferencing information should be modified. For this reason, each time you run the Set-CsUserAcp cmdlet, you'll need to include the Identity parameter, followed by the Identity of the user account to be modified:

Set-CsUserAcp -Identity "Ken Myer" -TollNumber "14255551298" -ParticipantPassCode 13761 -Domain "" -Name "Fabrikam ACP"

If the term Identity always referred to the Identity of a user account, there would be little cause for confusion. When you are dealing with people (users, contacts, and so on), Identities refer to the individual users themselves. However, items other than user accounts also have Identities. When you are dealing with components of the Skype for Business Online service (policies, configuration settings, and so on), the term Identity means something slightly different. For example, consider this command:

Get-CsMeetingConfiguration -Identity "global"

In this case, the Identity "global" refers to the scope of the meeting configuration settings. Scope is a term used in Skype for Business Online (and in Lync Server) to designate spheres of management. By default, policies and settings always have a global scope. When you first set up your Skype for Business Online account you'll have, by default, a collection of global policies and settings: global meeting configuration settings, a global external access policy, a global dial plan, and so on.

These global policies and settings were introduced in Microsoft Lync Server 2010 to help ensure that all users and all components would always, in some way, be managed. This was not necessarily true in Microsoft Office Communicator 2007 R2. Depending on how you accessed the system, you could potentially end up in a largely unmanaged state (typically, because Group Policy could not be applied to your user account). In contrast, in Lync Server and in Skype for Business Online, nothing is ever left unmanaged. This is because, in lieu of anything else, global policies and settings will always be enforced.

What do we mean by "in lieu of anything else"? Well, in the case of Skype for Business Online, it's possible to create policies at the tag scope, or sphere of management. Policies created at the tag scope (also known as the per-user scope) take priority over policies created at the global scope. In other words, a per-user policy will always take precedence over a global policy. For example, you might have two external user access policies. The global policy prohibits users from communicating with people who have accounts on public instant messaging (IM) providers, such as Windows Live. The per-user policy, AllowPublicIMCommunication, allows communication with public IM providers.

You might also have two users: Ken Myer and Pilar Ackerman. Ken Myer has been assigned the per-user policy. Pilar Ackerman has not been assigned a per-user policy; that is, she is managed by the global external access policy. The following table shows which user (if any) can communicate with public IM providers:

Policy Settings   Ken Myer   Pilar Ackerman

Global policy setting for public IM providers

Per-user policy setting for public IM providers

User can communicate with public IM providers


As you can see, Ken Myer is allowed to communicate with public IM providers. This is because the settings in the per-user policy assigned to him override the settings in the global policy. Pilar Ackerman cannot communicate with public IM providers. This is because she is managed by the global policy, and the global policy prohibits such communications.

Per-user policies must be created for you by Microsoft Support. After the policies are created, you can then assign them to users by using the appropriate Grant-Cs cmdlet (for example, Grant-CsExternalAccessPolicy). Per-user policies are easy to identify because the policy Identity always begins with the tag prefix. For example:

Identity : tag:AllowPublicIMCommunication


The tag prefix dates back to the early development days of Lync Server 2010. In those days, per-user policies were referred to as tag policies and were identified by the tag prefix. These policies are now more accurately referred to as per-user policies, and the tag scope is more accurately referred to as the per-user scope. However, for technical reasons, the tag prefix was never changed.
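The precedence rule and the tag prefix described above can be checked with a short audit, shown here as an added example that is not part of the original topic. The sample objects are constructed, the function name Resolve-EffectiveExternalAccess is hypothetical, and the property names ExternalAccessPolicy and EnablePublicCloudAccess are assumed to match what Get-CsOnlineUser and Get-CsExternalAccessPolicy return.

```powershell
# Constructed sample data; in a live session these objects would come from
# Get-CsExternalAccessPolicy and Get-CsOnlineUser (assumed property names).
$policies = @(
    [pscustomobject]@{ Identity = 'Global';                         EnablePublicCloudAccess = $false }
    [pscustomobject]@{ Identity = 'tag:AllowPublicIMCommunication'; EnablePublicCloudAccess = $true }
)
$users = @(
    [pscustomobject]@{ DisplayName = 'Ken Myer';       ExternalAccessPolicy = 'AllowPublicIMCommunication' }
    [pscustomobject]@{ DisplayName = 'Pilar Ackerman'; ExternalAccessPolicy = $null }
)

function Resolve-EffectiveExternalAccess {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $User,
        [Parameter(Mandatory)] [object[]] $Policy
    )
    # Index policies by Identity (hashtable string keys are case-insensitive).
    $byId = @{}
    foreach ($p in $Policy) { $byId[[string]$p.Identity] = $p }
    $globalPolicy = $byId['Global']
    if (-not $globalPolicy) { throw 'No global policy supplied; precedence cannot be resolved.' }

    foreach ($u in $User) {
        $assigned = [string]$u.ExternalAccessPolicy
        if ([string]::IsNullOrWhiteSpace($assigned)) {
            # No per-user assignment: the global policy is enforced.
            $effective = $globalPolicy; $scope = 'Global'
        } else {
            # Assumption: the user record may omit the tag: prefix, so normalize it.
            if ($assigned -notlike 'tag:*') { $assigned = "tag:$assigned" }
            $effective = $byId[$assigned]; $scope = 'PerUser'
        }
        [pscustomobject]@{
            User            = $u.DisplayName
            Scope           = $scope
            EffectivePolicy = if ($effective) { $effective.Identity } else { "$assigned (not found)" }
            PublicIMAllowed = if ($effective) { [bool]$effective.EnablePublicCloudAccess } else { $null }
            # True when a per-user policy allows what the global policy prohibits.
            ExceedsGlobal   = [bool]($effective -and $scope -eq 'PerUser' -and
                              $effective.EnablePublicCloudAccess -and -not $globalPolicy.EnablePublicCloudAccess)
        }
    }
}

Resolve-EffectiveExternalAccess -User $users -Policy $policies | Format-Table -AutoSize
```

Rows where ExceedsGlobal is True are the accounts whose per-user policy grants more than the global baseline, which makes them the ones to review when the global policy is meant to be restrictive.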

Another key term used when working with Skype for Business Online and Windows PowerShell is tenant. When you set up a Skype for Business Online account, your new deployment is assigned a tenant ID number, which is a globally unique identifier (GUID) similar to this:


A few of the Skype for Business Online cmdlets require you to enter the tenant ID whenever you run the cmdlet. You must enter the tenant ID even if you have logged on to, and only have, one tenant. Fortunately, you do not have to memorize the tenant ID. You can retrieve your tenant ID at any time by running the following Windows PowerShell command:

Get-CsTenant | Select-Object TenantId

Of course, knowing things such as the difference between the global scope and the per-user scope (or the tag scope) is only half the battle. It's also important to know when (or even if) you can use these scopes. The same is true for Identities and the tenant parameter. The following topics describe how the different Skype for Business Online cmdlets use Identities, scopes, and the tenant parameter: