Manage guest access with Azure AD access reviews

With Azure Active Directory (Azure AD), you can easily enable collaboration across organizational boundaries by using the Azure AD B2B feature. Guest users from other tenants can be invited by administrators or by other users. This capability also applies to social identities such as Microsoft accounts.

You can also easily ensure that guest users have appropriate access. You can ask the guests themselves or a decision maker to participate in an access review and recertify (or attest) to the guests' access. The reviewers can give their input on each user's need for continued access, based on suggestions from Azure AD. When an access review is finished, you can then make changes and remove access for guests who no longer need it.

Note

This document focuses on reviewing guest users' access. If you want to review all users' access, not just guests, see Manage user access with access reviews. If you want to review users' membership in administrative roles, such as global administrator, see Start an access review in Azure AD Privileged Identity Management.

Prerequisites

  • Azure AD Premium P2

For more information, see License requirements.

Create and perform an access review for guests

First, you must be assigned one of the following roles:

  • Global administrator
  • User administrator
  • (Preview) M365 or AAD security group owner of the group to be reviewed

Then, go to the Identity Governance page to ensure that the access reviews feature is ready for your organization.

Azure AD enables several scenarios for reviewing guest users.

You can review either:

  • A group in Azure AD that has one or more guests as members.
  • An application connected to Azure AD that has one or more guest users assigned to it.

You can then decide whether to ask each guest to review their own access or to ask one or more users to review every guest's access.

These scenarios are covered in the following sections.

Ask guests to review their own membership in a group

You can use access reviews to ensure that users who were invited and added to a group continue to need access. You can easily ask guests to review their own membership in that group.

  1. When you create the access review for the group, scope it to guest user members only and set the reviewers to be the members themselves. For more information, see Create an access review of groups or applications.

  2. Ask each guest to review their own membership. By default, each guest who accepted an invitation receives an email from Azure AD with a link to the access review. Azure AD has instructions for guests on how to review access to groups or applications.

  3. After the reviewers give input, stop the access review and apply the changes. For more information, see Complete an access review of groups or applications.

  4. In addition to the users who denied their own need for continued access, you can also remove users who didn't respond. Users who didn't respond may no longer be receiving email at the invited address.

  5. If the group isn't used for access management, you can also remove users who weren't selected to participate in the review because they didn't accept their invitation. Not accepting might indicate that the invited user's email address had a typo. If a group is used as a distribution list, some guest users may not have been selected to participate because they're contact objects.

Ask a sponsor to review a guest's membership in a group

You can ask a sponsor, such as the owner of a group, to review a guest's need for continued membership in a group.

  1. When you create the access review for the group, scope it to guest user members only. Then specify one or more reviewers. For more information, see Create an access review of groups or applications.

  2. Ask the reviewers to give input. By default, they each receive an email from Azure AD with a link to the access panel, where they review access to groups or applications.

  3. After the reviewers give input, stop the access review and apply the changes. For more information, see Complete an access review of groups or applications.

Ask guests to review their own access to an application

You can use access reviews to ensure that users who were invited for a particular application continue to need access. You can easily ask the guests themselves to review their own need for access.

  1. When you create the access review for the application, scope it to guests only and set the reviewers so that users review their own access. For more information, see Create an access review of groups or applications.

  2. Ask each guest to review their own access to the application. By default, each guest who accepted an invitation receives an email from Azure AD. That email has a link to the access review in your organization's access panel. Azure AD has instructions for guests on how to review access to groups or applications.

  3. After the reviewers give input, stop the access review and apply the changes. For more information, see Complete an access review of groups or applications.

  4. In addition to the users who denied their own need for continued access, you can also remove guest users who didn't respond. Users who didn't respond may no longer be receiving email at the invited address. You can also remove guest users who weren't selected to participate, especially if they weren't recently invited. Those users didn't accept their invitation and so didn't have access to the application.

Ask a sponsor to review a guest's access to an application

You can ask a sponsor, such as the owner of an application, to review a guest's need for continued access to the application.

  1. When you create the access review for the application, scope it to guests only. Then specify one or more users as reviewers. For more information, see Create an access review of groups or applications.

  2. Ask the reviewers to give input. By default, they each receive an email from Azure AD with a link to the access panel, where they review access to groups or applications.

  3. After the reviewers give input, stop the access review and apply the changes. For more information, see Complete an access review of groups or applications.

Ask guests to review their need for access, in general

In some organizations, guests might not be aware of their group memberships.

Note

Earlier versions of the Azure portal didn't permit administrative access by users with the UserType of Guest. In some cases, an administrator in your directory might have changed a guest's UserType value to Member by using PowerShell. If this change previously occurred in your directory, a query for users with the UserType of Guest might not include all guest users who historically had administrative access rights. In this case, you need to either change the guest's UserType back or manually include the guest in the group membership.

  1. Create a security group in Azure AD with the guests as members, if a suitable group doesn't already exist. For example, you can create a group with a manually maintained membership of guests. Or, you can create a dynamic group with a name such as "Guests of Contoso" for users in the Contoso tenant who have the UserType attribute value of Guest. For efficiency, ensure the group is predominantly guests; don't select a group that also has member users, because member users don't need to be reviewed. Also, keep in mind that a guest user who is a member of the group can see the other members of the group.

  2. When you create the access review for that group, set the reviewers to be the members themselves. For more information, see Create an access review of groups or applications.

  3. Ask each guest to review their own membership. By default, each guest who accepted an invitation receives an email from Azure AD with a link to the access review in your organization's access panel. Azure AD has instructions for guests on how to review access to groups or applications. Guests who didn't accept their invitation appear in the review results as "Not Notified".

  4. After the reviewers give input, stop the access review. For more information, see Complete an access review of groups or applications.

  5. Remove guest access for guests who were denied, didn't complete the review, or didn't previously accept their invitation. If some of the guests are contacts who were selected to participate in the review, or they didn't previously accept an invitation, you can disable their accounts by using the Azure portal or PowerShell. If the guest no longer needs access and isn't a contact, you can remove their user object from your directory by using the Azure portal or PowerShell to delete the guest user object.
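The group creation in step 1 and the clean-up of never-redeemed invitations in step 5 above (the same clean-up that step 5 of "Ask guests to review their own membership in a group" describes), as an added PowerShell example that is not part of the original page and is not Microsoft's code. It uses the AzureAD module cmdlets (Connect-AzureAD, Get-AzureADMSGroup, New-AzureADMSGroup, Get-AzureADGroupMember, Get-AzureADUser, Set-AzureADUser). The group name "Guests of Contoso" is the page's own example name; the 30-day cut-off for a pending invitation, the mail nickname and the -Apply switch are assumptions of this example, not settings from the page.

```powershell
# Added example, not code from the original page or from Microsoft.
# Post-review housekeeping for a group of guests, using the AzureAD PowerShell
# module (Install-Module AzureAD; requires a role that can manage users).
# Assumptions (not from the page): the reviewed group is named "Guests of
# Contoso", and an invitation still pending after 30 days is treated as stale.
[CmdletBinding()]
param(
    [string]$GroupName       = "Guests of Contoso",   # assumed group name
    [string]$MailNickname    = "guestsofcontoso",     # assumed mail nickname
    [int]   $StaleInviteDays = 30,                    # assumed cut-off
    [switch]$Apply                                    # without -Apply: report only
)

Connect-AzureAD | Out-Null

# Step 1: a dynamic security group whose membership rule selects every user
# with UserType Guest, created only if it does not exist yet.
$group = Get-AzureADMSGroup -Filter "displayName eq '$GroupName'"
if (-not $group) {
    $group = New-AzureADMSGroup -DisplayName $GroupName `
        -MailEnabled $false -SecurityEnabled $true -MailNickname $MailNickname `
        -GroupTypes "DynamicMembership" `
        -MembershipRule '(user.userType -eq "Guest")' `
        -MembershipRuleProcessingState "On"
    Write-Verbose "Created dynamic group $($group.Id); membership populates asynchronously."
}

# Step 5: classify the guests in the group. UserState stays 'PendingAcceptance'
# until the invitation is redeemed; those guests are the ones the review shows
# as "Not Notified", because they never received the review e-mail.
$cutoff = (Get-Date).AddDays(-$StaleInviteDays)
$report = foreach ($m in (Get-AzureADGroupMember -ObjectId $group.Id -All $true)) {
    if ($m.ObjectType -ne 'User') { continue }      # contacts and nested groups are not users
    $u = Get-AzureADUser -ObjectId $m.ObjectId
    if ($u.UserType -ne 'Guest') { continue }       # member users are out of scope

    $pending = ($u.UserState -eq 'PendingAcceptance')
    $changed = if ($u.UserStateChangedOn) { [datetime]$u.UserStateChangedOn } else { $null }
    $stale   = $pending -and $changed -and ($changed -lt $cutoff)

    # Disable (not delete) stale pending invitations: the account can be
    # re-enabled if the invitation turns out to be valid, for example when the
    # invited address was mistyped and the guest is re-invited.
    $action = if ($stale) { 'Disable' } elseif ($pending) { 'Watch' } else { 'Keep' }

    if ($Apply -and $action -eq 'Disable') {
        Set-AzureADUser -ObjectId $u.ObjectId -AccountEnabled $false
    }

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        Mail              = $u.Mail
        UserState         = $u.UserState
        StateChangedOn    = $changed
        AccountEnabled    = $u.AccountEnabled
        Action            = $action
    }
}

$report | Sort-Object Action, UserPrincipalName | Format-Table -AutoSize
```

Run it once without -Apply to get the report, confirm the "Disable" rows against the review's "Not Notified" results, then run it with -Apply. The script stops at disabling; deleting a guest's user object (the page's last option, for guests who were denied and aren't contacts) is Remove-AzureADUser -ObjectId, which is left as a separate, deliberate step because it is not reversible in the same way.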

Next steps

Create an access review of groups or applications