Authorize guest access in Microsoft Teams

To satisfy your organization's requirements, you can manage Teams guest access features and capabilities through four different levels of authorization. All the authorization levels apply to your Microsoft 365 organization. Each authorization level controls the guest experience as shown below:

  • Azure Active Directory: Guest access in Teams relies on the Azure AD business-to-business (B2B) platform. This authorization level controls the guest experience at the directory, tenant, and application level.
  • Teams: Controls the guest experience in Teams only.
  • Microsoft 365 Groups: Controls the guest experience in Microsoft 365 Groups and Teams.
  • SharePoint and OneDrive: Controls the guest experience in SharePoint, OneDrive, Microsoft 365 Groups, and Teams.

These different authorization levels provide you with flexibility in how you set up guest access for your organization. For example, if you don't want to allow guest users in Teams but want to allow it overall in your organization, just turn off guest access in Teams. Another example: You could enable guest access at the Azure AD, Teams, and Groups levels, but then disable the addition of guest users on selected teams that match one or more criteria, such as data classification equals confidential. SharePoint and OneDrive have their own guest access settings that don't rely on Microsoft 365 Groups.

For end-to-end guest access configuration instructions, see Collaborate with guests in a team.

Note

Guests are subject to the service limits described in Microsoft 365 and Office 365 service descriptions and Limitations of Azure AD B2B collaboration.

The following diagram shows how guest access authorization dependency is granted and integrated between Azure Active Directory, Teams, and Microsoft 365.

Diagram of the authorization dependency for guest access.

The next diagram shows, at a high level, how the user experience works with the permission model through a typical guest access invitation and redemption flow.

Diagram showing the invitation and redemption flow.

It's important to note here that apps, bots, and connectors might require their own set of permissions and/or consent specific to the user account. These might need to be granted separately. Similarly, SharePoint might impose extra external sharing boundaries for a specific user, groups of users, or even at the site level.

The previous two diagrams are also available in Visio.

Control guest access in Azure Active Directory

Use Azure AD to determine whether external collaborators can be invited into your tenant as guests, and in what ways. For more information about Azure B2B guest access, see What is guest user access in Azure Active Directory B2B. For information about Azure AD roles, see Grant permissions to users from partner organizations in your Azure Active Directory tenant.

The settings for invitations apply at the organization level and control the guest experience at the directory and application level. You can configure these settings in External collaboration settings.

Azure AD includes the following settings to configure external users:

  • Guest user access restrictions

  • Admins and users in the guest inviter role can invite: Yes means that admins and users in the guest inviter role will be able to invite guests to the tenant. No means admins and users can't invite guests to the tenant.

  • Members can invite: To allow non-admin members of your directory to invite guests, set this policy to Yes (recommended). If you prefer that only admins be able to add guests, you can set this policy to No. Keep in mind that setting No will limit the guest experience for non-admin team owners; they'll only be able to add guests in Teams who have already been added in AAD by the admin.

  • Guests can invite: Yes means that guests in your directory can invite other guests to collaborate on resources secured by your Azure AD, such as SharePoint sites or Azure resources. No means that guests can't invite other guests to collaborate with your organization.

    Important

    Currently, Teams doesn't support the guest inviter role, so even if you set Guests can invite to Yes, guests can't invite other guests in Teams.
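The invitation settings above, together with the two caveats (members blocked from inviting can still add guests an admin already created, and Teams never lets guests invite guests), as a small decision model. This is an added example, not Microsoft's code; it expresses the portal toggles through the Microsoft Graph authorizationPolicy property allowInvitesFrom, and the sample policy is constructed.

```python
"""Decision model for the Azure AD External collaboration settings on this page.
Added example, not Microsoft's code. The policy object mirrors the Microsoft Graph
authorizationPolicy resource; only its allowInvitesFrom property is used here."""

from dataclasses import dataclass

# Graph values of authorizationPolicy.allowInvitesFrom, most to least restrictive,
# mapped to the inviter roles each portal setting lets in.
INVITE_LEVELS = {
    "none": set(),                                          # all three toggles = No
    "adminsAndGuestInviters": {"admin", "guest_inviter"},   # Members can invite = No
    "adminsGuestInvitersAndAllMembers": {"admin", "guest_inviter", "member"},
    "everyone": {"admin", "guest_inviter", "member", "guest"},  # Guests can invite = Yes
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def can_invite(policy: dict, inviter_role: str, via_teams: bool,
               invitee_in_directory: bool = False) -> Decision:
    """Decide whether inviter_role may bring an external person in as a guest.

    via_teams: the invitation is made from Teams rather than the directory.
    invitee_in_directory: the external person already has a B2B guest account.
    """
    level = policy.get("allowInvitesFrom", "none")
    if level not in INVITE_LEVELS:
        raise ValueError(f"unknown allowInvitesFrom value: {level!r}")

    # Caveat from the page: Teams does not honour Guests can invite, even when Yes.
    if via_teams and inviter_role == "guest":
        return Decision(False, "Teams does not support guest-to-guest invitations")

    if inviter_role in INVITE_LEVELS[level]:
        return Decision(True, f"allowInvitesFrom={level} permits role {inviter_role}")

    # Caveat from the page: with Members can invite = No, a non-admin team owner can
    # still add a guest that an admin has already added to Azure AD.
    if via_teams and inviter_role == "member" and invitee_in_directory:
        return Decision(True, "member may add an existing directory guest to a team")

    return Decision(False, f"allowInvitesFrom={level} does not permit role {inviter_role}")


# Constructed sample matching the page's recommendation: Members can invite = Yes,
# Guests can invite = No.
SAMPLE_POLICY = {"allowInvitesFrom": "adminsGuestInvitersAndAllMembers"}
```

Pull the real object with a Policy.Read.All token from the Graph endpoint /policies/authorizationPolicy and pass it as `policy` to audit a tenant against the same rules.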

For more information about controlling who can invite guests, see Enable B2B external collaboration and manage who can invite guests.

Note

You can also manage which domains can be invited into your tenant as guests. See Allow or block invitations to B2B users from specific organizations.

Adding the guest user account manually to Azure AD B2B is not required, as the account will be added to the directory automatically when you add the guest to Teams.

Licensing for guest access

Guest access licensing uses Azure AD External Identities pricing and is based on monthly active guests. See Billing model for Azure AD External Identities for details.

Note

Users in your organization who have standalone Office 365 subscription plans only, such as Exchange Online Plan 2, cannot be invited as guests to your organization because Teams considers these users to belong to the same organization. For these users to use Teams, they must be assigned a Microsoft 365 Business Standard, Office 365 Enterprise, or Office 365 Education subscription.

External access (federation) vs. guest access

External access (federation) and guest access are different:

  • External access gives access permission to an entire domain.
  • Guest access gives access permission to an individual.

For a detailed comparison, see Communicate with users from other organizations.

Set up secure collaboration with Microsoft 365