Create a B2B extranet with managed guests

You can use Azure Active Directory Entitlement Management to create a B2B extranet to collaborate with a partner organization that uses Azure Active Directory. This allows users to self-enroll in the extranet site or team and receive access via an approval workflow.

With this method of sharing resources for collaboration, the partner organization can help maintain and approve the guests on their end, reducing the burden on your IT department and allowing those most familiar with the collaboration agreement to manage user access.

This article walks through the steps to create a package of resources (in this case, a site or team) that you can share with a partner organization through a self-service access registration model.

Before you begin, create the site or team that you want to share with the partner organization and enable it for guest sharing. See Collaborate with guests in a site or Collaborate with guests in a team for more information. We also recommend that you review Create a secure guest sharing environment for information about security and compliance features that you can use to help maintain your governance policies when collaborating with guests.

License requirements

Using this feature requires an Azure AD Premium P2 license.

Specialized clouds, such as Azure Germany and Azure China 21Vianet, are not currently available for use.

Video demonstration

This video demonstrates the procedures covered in this article.

Connect the partner organization

In order to invite guests from a partner organization, you need to add the partner's domain as a connected organization in Azure Active Directory.

To add a connected organization

  1. In Azure Active Directory, click Identity Governance.

  2. Click Connected organizations.

  3. Click Add connected organization.

  4. Type a name and description for the organization, and then click Next: Directory + domain.

  5. Click Add directory + domain.

  6. Type the domain for the organization that you want to connect, and then click Add.

  7. Click Connect, and then click Next: Sponsors.

  8. Add people from your organization or the organization that you're connecting to who you want to approve access for guests.

  9. Click Next: Review + Create.

  10. Review the settings that you've chosen and then click Create.

    Screenshot of the Connected organizations page in Azure Active Directory

Choose the resources to share

The first step in selecting resources to share with a partner organization is to create a catalog to contain them.

To create a catalog

  1. In Azure Active Directory, click Identity Governance.

  2. Click Catalogs.

  3. Click New catalog.

  4. Type a name and description for the catalog and ensure that Enabled and Enabled for external users are both set to Yes.

  5. Click Create.

    Screenshot of the Catalogs page in Azure Active Directory Identity Governance

Once the catalog has been created, you add the SharePoint site or team that you want to share with the partner organization.

To add resources to a catalog

  1. In Azure AD Identity Governance, click Catalogs, and then click the catalog where you want to add resources.

  2. Click Resources and then click Add resources.

  3. Select the teams or SharePoint sites that you want to include in your extranet, and then click Add.

    Screenshot of the catalog Resources page in Azure Active Directory Identity Governance

Once you've defined the resources that you want to share, the next step is to create an access package, which defines the type of access that partner users are granted and the approval process for new partner users requesting access.

To create an access package

  1. In Azure AD Identity Governance, click Catalogs, and then click the catalog where you want to create an access package.

  2. Click Access packages, and then click New access package.

  3. Type a name and description for the access package, and then click Next: Resource roles.

  4. Choose the resources from the catalog that you want to use for your extranet.

  5. For each resource, in the Role column, choose the user role you want to grant to the guests who use the extranet.

  6. Click Next: Requests.

  7. Under Users who can request access, choose For users not in your directory.

  8. Ensure that the Specific connected organizations option is selected, and then click Add directories.

  9. Choose the connected organization that you added earlier, and then click Select.

  10. Under Approval, choose Yes for Require approval.

  11. Under First approver, choose one of the sponsors that you added earlier or choose a specific user.

  12. Click Add fallback and select a fallback approver.

  13. Under Enable, choose Yes.

  14. Click Next: Lifecycle.

  15. Choose the expiration and access review settings that you want to use, and then click Next: Review + Create.

  16. Review your settings, and then click Create.

    Screenshot of the access package screen in Azure Active Directory Identity Governance

If you're partnering with a large organization, you may want to hide the access package. If the package is hidden, then users in the partner organization will not see the package on their My Access portal. Instead, they must be sent a direct link to sign up for the package. Hiding the access package can reduce the number of inappropriate access requests and can also help keep available access packages organized in the partner organization's portal.

To set an access package to hidden

  1. In Azure AD Identity Governance, click Access packages, and then click your access package.

  2. On the Overview page, click Edit.

  3. Under Properties, choose Yes for Hidden, and then click Save.

    Screenshot of the Edit access package properties screen

Invite partner users

If you set the access package to hidden, you need to send a direct link to the partner organization so that they can request access to your site or team.

To find the access portal link

  1. In Azure AD Identity Governance, click Access packages, and then click your access package.

  2. On the Overview page, click the Copy to clipboard link for the My Access portal link.

    Screenshot of the access package properties showing the My Access portal link

Once you have copied the link, you can share it with your contact at the partner organization and they can send it to the users on their collaboration team.
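The portal procedure above (connected organization, catalog, resources, access package, request policy, hidden flag, sign-up link) can also be driven through the Microsoft Graph v1.0 entitlement management API. The following is an added example, not code from this article or from Microsoft: it builds the request bodies for each step, runs them in order through a caller-supplied `post` function, and then checks the resulting policy for the controls the article relies on (requestors limited to the connected organization, approval required, a fallback approver, and an expiration). The `post(path, body)` callable, the tenant and partner domains, the site URL, the user ids and the returned ids are all hypothetical, constructed values, and the My Access link format is assumed to match what the Overview page's Copy to clipboard control produces.

```python
"""Added example (not the article's or Microsoft's code): the extranet steps as
Microsoft Graph v1.0 entitlement-management request bodies plus a policy check.
Assumed: caller supplies post(path, body) -> dict that authenticates and POSTs
JSON under https://graph.microsoft.com/v1.0; all ids/domains are constructed."""
from typing import Any, Callable, Dict, List

EM = "/identityGovernance/entitlementManagement"


def connected_org_body(name: str, partner_domain: str) -> Dict[str, Any]:
    """'Connect the partner organization': a connected organization keyed by domain."""
    return {
        "displayName": name,
        "description": f"B2B extranet partner ({partner_domain})",
        "identitySources": [{
            "@odata.type": "#microsoft.graph.domainIdentitySource",
            "domainName": partner_domain,
            "displayName": partner_domain,
        }],
    }


def catalog_body(name: str) -> Dict[str, Any]:
    """'Create a catalog': Enabled = published, Enabled for external users = True."""
    return {"displayName": name, "description": "Extranet resources",
            "state": "published", "isExternallyVisible": True}


def resource_request_body(catalog_id: str, site_url: str) -> Dict[str, Any]:
    """'Add resources to a catalog' for a SharePoint site (a team would use
    originSystem 'AadGroup' with the group id as originId)."""
    return {"requestType": "adminAdd",
            "resource": {"originId": site_url, "originSystem": "SharePointOnline"},
            "catalog": {"id": catalog_id}}


def access_package_body(catalog_id: str, name: str, hidden: bool) -> Dict[str, Any]:
    """'Create an access package'; hidden=True is the Hidden: Yes property."""
    return {"displayName": name, "description": "Partner extranet access",
            "isHidden": hidden, "catalog": {"id": catalog_id}}


def assignment_policy_body(package_id: str, connected_org_id: str, approver_id: str,
                           fallback_id: str, expiry: str = "P90D") -> Dict[str, Any]:
    """The Requests and Lifecycle tabs: only the named connected organization may
    request, approval with a fallback is required, and assignments expire.
    Access review settings would go under reviewSettings (omitted here)."""
    def user(uid: str) -> Dict[str, str]:
        return {"@odata.type": "#microsoft.graph.singleUser", "userId": uid}
    return {
        "displayName": "Partner self-service",
        "description": "Guests from the connected organization request access",
        "allowedTargetScope": "specificConnectedOrganizationSubjects",
        "specificAllowedTargets": [{
            "@odata.type": "#microsoft.graph.connectedOrganizationMembers",
            "connectedOrganizationId": connected_org_id,
            "description": "Partner organization",
        }],
        "expiration": {"type": "afterDuration", "duration": expiry},
        "requestorSettings": {"enableTargetsToSelfAddAccess": True},
        "requestApprovalSettings": {
            "isApprovalRequiredForAdd": True,
            "stages": [{
                "durationBeforeAutomaticDenial": "P14D",
                "isApproverJustificationRequired": True,
                "primaryApprovers": [user(approver_id)],
                "fallbackPrimaryApprovers": [user(fallback_id)],
            }],
        },
        "accessPackage": {"id": package_id},
    }


def my_access_link(tenant_domain: str, package_id: str) -> str:
    """Direct sign-up link for a hidden package (assumed format of the portal's copy link)."""
    return f"https://myaccess.microsoft.com/@{tenant_domain}#/access-packages/{package_id}"


def policy_findings(policy: Dict[str, Any]) -> List[str]:
    """Defender check: flag settings that widen the extranet beyond the article's design."""
    findings: List[str] = []
    if policy.get("allowedTargetScope") != "specificConnectedOrganizationSubjects":
        findings.append("requestors are not limited to specific connected organizations")
    approval = policy.get("requestApprovalSettings", {})
    if not approval.get("isApprovalRequiredForAdd"):
        findings.append("no approval required for new requests")
    stages = approval.get("stages") or [{}]
    if not stages[0].get("fallbackPrimaryApprovers"):
        findings.append("no fallback approver; requests stall if the sponsor is unavailable")
    if policy.get("expiration", {}).get("type", "noExpiration") == "noExpiration":
        findings.append("assignments never expire")
    return findings


def build_extranet(post: Callable[[str, Dict[str, Any]], Dict[str, Any]], tenant_domain: str,
                   partner_domain: str, site_url: str, approver_id: str, fallback_id: str) -> Dict[str, Any]:
    """Run the article's procedure end to end; returns the created ids, findings and link."""
    org = post(f"{EM}/connectedOrganizations", connected_org_body("Partner", partner_domain))
    catalog = post(f"{EM}/catalogs", catalog_body("Extranet"))
    post(f"{EM}/resourceRequests", resource_request_body(catalog["id"], site_url))
    package = post(f"{EM}/accessPackages", access_package_body(catalog["id"], "Extranet site", True))
    policy = assignment_policy_body(package["id"], org["id"], approver_id, fallback_id)
    post(f"{EM}/assignmentPolicies", policy)
    return {"connectedOrganizationId": org["id"], "catalogId": catalog["id"],
            "accessPackageId": package["id"], "findings": policy_findings(policy),
            "link": my_access_link(tenant_domain, package["id"])}
```

`policy_findings` is the part worth keeping around after the build: run it over the assignment policies of every externally visible catalog during a periodic review, since a policy later widened to all external users or with approval switched off silently turns the extranet into open self-service.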

See Also

Create a secure guest sharing environment