Allow or block invitations to B2B users from specific organizations

You can use an allow list or a deny list to allow or block invitations to B2B users from specific organizations. For example, if you want to block personal email address domains, you can set up a deny list that contains domains like Gmail.com and Outlook.com. Or, if your business has a partnership with other businesses like Contoso.com, Fabrikam.com, and Litware.com, and you want to restrict invitations to only these organizations, you can add Contoso.com, Fabrikam.com, and Litware.com to your allow list.

Important considerations

  • You can create either an allow list or a deny list. You can't set up both types of lists. By default, whatever domains are not in the allow list are on the deny list, and vice versa.
  • You can create only one policy per organization. You can update the policy to include more domains, or you can delete the policy to create a new one.
  • The number of domains you can add to an allow list or deny list is limited only by the size of the policy. The maximum size of the entire policy is 25 KB (25,000 characters), which includes the allow list or deny list and any other parameters configured for other features.
  • This list works independently from OneDrive for Business and SharePoint Online allow/block lists. If you want to restrict individual file sharing in SharePoint Online, you need to set up an allow or deny list for OneDrive for Business and SharePoint Online. For more information, see Restricted domains sharing in SharePoint Online and OneDrive for Business.
  • The list does not apply to external users who have already redeemed the invitation. The list is enforced from the time it is set up. If a user invitation is in a pending state and you set a policy that blocks their domain, the user's attempt to redeem the invitation will fail.
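Because a pending invitation fails at redemption once its domain is blocked, it helps to check outstanding invitees against the policy before enforcing it. The following added example (not code from the original page) evaluates addresses offline against a policy definition in the JSON format the PowerShell section of this page uses; the definition string and the invitee addresses are constructed samples, and the function name is an assumption.

```powershell
# Added example, not from the original page: evaluates invitee addresses against a
# B2BManagementPolicy definition offline, so you can see which pending invitations
# would fail to redeem once a list is enforced. Definition and addresses are constructed.
function Test-B2BInviteAllowed {
    param(
        [Parameter(Mandatory)] [string] $Definition,   # the policy's JSON definition string
        [Parameter(Mandatory)] [string] $Email
    )
    $lists   = ($Definition | ConvertFrom-Json).B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy
    $allowed = @($lists.AllowedDomains | ForEach-Object { $_.ToLowerInvariant() })
    $blocked = @($lists.BlockedDomains | ForEach-Object { $_.ToLowerInvariant() })
    $domain  = ($Email -split '@')[-1].ToLowerInvariant()
    # An allow list admits only the listed domains; a deny list admits everything else.
    if ($allowed.Count -gt 0) { return ($allowed -contains $domain) }
    if ($blocked.Count -gt 0) { return (-not ($blocked -contains $domain)) }
    return $true   # no list configured: invitations to any domain are allowed
}

# Constructed sample: the deny list from this page plus gmail.com, and three pending invitees.
$denyPolicy = '{"B2BManagementPolicy":{"InvitationsAllowedAndBlockedDomainsPolicy":{"AllowedDomains":[],"BlockedDomains":["live.com","gmail.com"]}}}'
$pending = @('alice@contoso.com', 'bob@live.com', 'carol@GMAIL.com')
foreach ($e in $pending) {
    $ok = Test-B2BInviteAllowed -Definition $denyPolicy -Email $e
    '{0,-20} {1}' -f $e, $(if ($ok) { 'would redeem' } else { 'blocked by invitation policy' })
}
```

To check real pending invitations, feed the function the Definition string of the tenant's current policy as returned by Get-AzureADPolicy (shown later on this page).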

Set the allow or deny list policy in the portal

By default, the Allow invitations to be sent to any domain (most inclusive) setting is enabled. In this case, you can invite B2B users from any organization.

Add a deny list

This is the most typical scenario, where your organization wants to work with almost any organization, but wants to prevent users from specific domains from being invited as B2B users.

To add a deny list:

  1. Sign in to the Azure portal.

  2. Select Azure Active Directory > Users > User settings.

  3. Under External users, select Manage external collaboration settings.

  4. Under Collaboration restrictions, select Deny invitations to the specified domains.

  5. Under TARGET DOMAINS, enter the name of one of the domains that you want to block. For multiple domains, enter each domain on a new line. For example:

    (Screenshot: the deny option with the added domains)

  6. When you're done, click Save.

After you set the policy, if you try to invite a user from a blocked domain, you receive a message saying that the domain of the user is currently blocked by your invitation policy.

Add an allow list

This is a more restrictive configuration: you set specific domains in the allow list, and invitations to any other organization or domain not on the list are blocked.

If you want to use an allow list, make sure that you spend time to fully evaluate what your business needs are. If you make this policy too restrictive, your users may choose to send documents over email, or find other non-IT-sanctioned ways of collaborating.

To add an allow list:

  1. Sign in to the Azure portal.

  2. Select Azure Active Directory > Users > User settings.

  3. Under External users, select Manage external collaboration settings.

  4. Under Collaboration restrictions, select Allow invitations only to the specified domains (most restrictive).

  5. Under TARGET DOMAINS, enter the name of one of the domains that you want to allow. For multiple domains, enter each domain on a new line. For example:

    (Screenshot: the allow option with the added domains)

  6. When you're done, click Save.

After you set the policy, if you try to invite a user from a domain that's not on the allow list, you receive a message saying that the domain of the user is currently blocked by your invitation policy.

Switch from allow to deny list and vice versa

If you switch from one policy to the other, the existing policy configuration is discarded. Make sure to back up the details of your configuration before you perform the switch.

Set the allow or deny list policy using PowerShell

Prerequisite

Note

The AzureADPreview module is not a fully supported module because it is in preview.

To set the allow or deny list by using PowerShell, you must install the preview version of the Azure Active Directory Module for Windows PowerShell. Specifically, install the AzureADPreview module version 2.0.0.98 or later.

To check the version of the module (and see whether it's installed):

  1. Open Windows PowerShell as an elevated user (Run as Administrator).

  2. Run the following command to see whether you have any versions of the Azure Active Directory Module for Windows PowerShell installed on your computer:

    Get-Module -ListAvailable AzureAD*
    

If the module is not installed, or you don't have the required version, do one of the following:

  • If no results are returned, run the following command to install the latest version of the AzureADPreview module:

    Install-Module AzureADPreview
    
  • If only the AzureAD module is shown in the results, run the following commands to install the AzureADPreview module:

    Uninstall-Module AzureAD 
    Install-Module AzureADPreview 
    
  • If only the AzureADPreview module is shown in the results, but the version is less than 2.0.0.98, run the following commands to update it:

    Uninstall-Module AzureADPreview 
    Install-Module AzureADPreview 
    
  • If both the AzureAD and AzureADPreview modules are shown in the results, but the version of the AzureADPreview module is less than 2.0.0.98, run the following commands to update it:

    Uninstall-Module AzureAD 
    Uninstall-Module AzureADPreview 
    Install-Module AzureADPreview 
    

Use the AzureADPolicy cmdlets to configure the policy

To create an allow or deny list, use the New-AzureADPolicy cmdlet. The following example shows how to set a deny list that blocks the "live.com" domain.

$policyValue = @("{`"B2BManagementPolicy`":{`"InvitationsAllowedAndBlockedDomainsPolicy`":{`"AllowedDomains`": [],`"BlockedDomains`": [`"live.com`"]}}}")

New-AzureADPolicy -Definition $policyValue -DisplayName B2BManagementPolicy -Type B2BManagementPolicy -IsOrganizationDefault $true 

The following shows the same example, but with the policy definition inline.

New-AzureADPolicy -Definition @("{`"B2BManagementPolicy`":{`"InvitationsAllowedAndBlockedDomainsPolicy`":{`"AllowedDomains`": [],`"BlockedDomains`": [`"live.com`"]}}}") -DisplayName B2BManagementPolicy -Type B2BManagementPolicy -IsOrganizationDefault $true 

To update the allow or deny list policy, use the Set-AzureADPolicy cmdlet, passing the Id of the existing policy (the $currentpolicy variable is retrieved with Get-AzureADPolicy as shown in the next example). For example:

Set-AzureADPolicy -Definition $policyValue -Id $currentpolicy.Id 

To get the policy, use the Get-AzureADPolicy cmdlet. For example:

$currentpolicy = Get-AzureADPolicy | ?{$_.Type -eq 'B2BManagementPolicy'} | select -First 1 

To remove the policy, use the Remove-AzureADPolicy cmdlet. For example:

Remove-AzureADPolicy -Id $currentpolicy.Id 
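The cmdlet calls above can be combined into one repeatable operation that builds the definition from a plain list of domains, keeps a backup of the current policy (since switching between allow and deny discards it), and respects the 25 KB policy limit. The following is an added example, not code from the original page or from the AzureADPreview module: it assumes Connect-AzureAD has already been run with AzureADPreview loaded, and the function names, the backup path and the sample domains are assumptions.

```powershell
# Added example, not code from the original page: builds the policy definition from a
# domain array with ConvertTo-Json (no hand-escaped quoting), backs up any existing
# B2BManagementPolicy, enforces the 25 KB cap, then creates or updates the policy.
# Assumes Connect-AzureAD has been run with AzureADPreview loaded; $BackupPath is assumed.
function New-B2BDomainPolicyDefinition {
    param(
        [Parameter(Mandatory)] [ValidateSet('Allow', 'Block')] [string] $Mode,
        [Parameter(Mandatory)] [string[]] $Domains
    )
    # Normalize: trimmed, lower-case, unique. Only one of the two lists may be populated.
    $clean = @($Domains | ForEach-Object { $_.Trim().ToLowerInvariant() } | Sort-Object -Unique)
    $body = @{
        B2BManagementPolicy = @{
            InvitationsAllowedAndBlockedDomainsPolicy = @{
                AllowedDomains = @(if ($Mode -eq 'Allow') { $clean })
                BlockedDomains = @(if ($Mode -eq 'Block') { $clean })
            }
        }
    }
    $json = $body | ConvertTo-Json -Depth 5 -Compress
    # The entire policy is limited to 25 KB (25,000 characters), lists included.
    if ($json.Length -gt 25000) { throw "Definition is $($json.Length) characters; limit is 25000." }
    return $json
}

function Set-B2BDomainPolicy {
    param(
        [Parameter(Mandatory)] [ValidateSet('Allow', 'Block')] [string] $Mode,
        [Parameter(Mandatory)] [string[]] $Domains,
        [string] $BackupPath = "$env:TEMP\B2BManagementPolicy-backup.json"   # assumed path
    )
    $definition = New-B2BDomainPolicyDefinition -Mode $Mode -Domains $Domains
    $current = Get-AzureADPolicy | Where-Object { $_.Type -eq 'B2BManagementPolicy' } | Select-Object -First 1
    if ($current) {
        # Switching between allow and deny discards the old configuration, so keep a copy first.
        $current.Definition | Set-Content -Path $BackupPath -Encoding UTF8
        Set-AzureADPolicy -Id $current.Id -Definition @($definition)
    } else {
        New-AzureADPolicy -Definition @($definition) -DisplayName B2BManagementPolicy `
            -Type B2BManagementPolicy -IsOrganizationDefault $true
    }
    # Read the policy back and return the lists now enforced for new invitations.
    $applied = Get-AzureADPolicy | Where-Object { $_.Type -eq 'B2BManagementPolicy' } | Select-Object -First 1
    ($applied.Definition | ConvertFrom-Json).B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy
}

# Constructed sample: block two consumer mail domains (a deny list, as in the page's example).
Set-B2BDomainPolicy -Mode Block -Domains @('gmail.com', 'outlook.com')
```

Run it with -Mode Allow and the partner domains instead to create the allow list configuration; the same backup step protects the previous deny list.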

Next steps