Enable B2B external collaboration and manage who can invite guests

This article describes how to enable Azure Active Directory (Azure AD) B2B collaboration and determine who can invite guests. By default, all users and guests in your directory can invite guests, even if they're not assigned to an admin role. External collaboration settings let you turn guest invitations on or off for different types of users in your organization. You can also delegate invitations to individual users by assigning roles that allow them to invite guests.

Configure B2B external collaboration settings

With Azure AD B2B collaboration, a tenant admin can set the following invitation policies:

  • Turn off invitations
  • Only admins and users in the Guest Inviter role can invite
  • Admins, the Guest Inviter role, and members can invite
  • All users, including guests, can invite

By default, all users, including guests, can invite guest users.

To configure external collaboration settings:

  1. Sign in to the Azure portal as a tenant administrator.

  2. Select Azure Active Directory.

  3. Select Organizational Relationships > Settings (or select External Identities > External collaboration settings).

  4. On the External collaboration settings page, choose the policies you want to enable.


  • Guest user permissions are limited: This policy determines permissions for guests in your directory. Select Yes to block guests from certain directory tasks, like enumerating users, groups, or other directory resources. Select No to give guests the same access to directory data as regular users in your directory.
  • Admins and users in the guest inviter role can invite: To allow admins and users in the Guest Inviter role to invite guests, set this policy to Yes.
  • Members can invite: To allow non-admin members of your directory to invite guests, set this policy to Yes.
  • Guests can invite: To allow guests to invite other guests, set this policy to Yes.
  • Collaboration restrictions: For more information about allowing or blocking invitations to specific domains, see Allow or block invitations to B2B users from specific organizations.

Assign the Guest Inviter role to a user

With the Guest Inviter role, you can give individual users the ability to invite guests without assigning them the Global Administrator or another admin role. Assign the Guest Inviter role to individuals. Then make sure you set Admins and users in the guest inviter role can invite to Yes.

Here's an example that shows how to use PowerShell to add a user to the Guest Inviter role:

Add-MsolRoleMember -RoleObjectId 95e79109-95c0-4d8e-aee3-d01accf2d47b -RoleMemberEmailAddress <RoleMemberEmailAddress>
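After delegating invitations, it is worth periodically checking which of the four policies is actually in effect and who holds the Guest Inviter role. The following PowerShell is an added example, not part of the original article; it assumes the AzureAD module (Get-AzureADMSAuthorizationPolicy) and the MSOnline module (Get-MsolRoleMember) are installed and connected, and it uses the same Guest Inviter role object ID as the command above.

```powershell
# Added example (not from the original article): audit the tenant's
# invitation policy and list Guest Inviter role members.
# Assumes: AzureAD module (Connect-AzureAD, Get-AzureADMSAuthorizationPolicy)
# and MSOnline module (Connect-MsolService, Get-MsolRoleMember).
Connect-AzureAD | Out-Null
Connect-MsolService

# Guest Inviter role object ID (same value used in the Add-MsolRoleMember example).
$guestInviterRoleId = '95e79109-95c0-4d8e-aee3-d01accf2d47b'

# AllowInvitesFrom values map onto the four portal options listed in this article.
$invitePolicyNames = @{
    'none'                             = 'Turn off invitations'
    'adminsAndGuestInviters'           = 'Only admins and Guest Inviters can invite'
    'adminsGuestInvitersAndAllMembers' = 'Admins, Guest Inviters, and members can invite'
    'everyone'                         = 'All users, including guests, can invite'
}

# Well-known guestUserRoleId values: "limited" is the Yes setting for
# "Guest user permissions are limited"; the member-equivalent ID is the No setting.
$guestRoleNames = @{
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Guest permissions limited (Yes)'
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Same access as member users (No)'
}

function Get-B2BInvitationPosture {
    $policy = Get-AzureADMSAuthorizationPolicy
    $inviteSetting = [string]$policy.AllowInvitesFrom
    $guestRole = [string]$policy.GuestUserRoleId

    $inviters = Get-MsolRoleMember -RoleObjectId $guestInviterRoleId |
        Select-Object DisplayName, EmailAddress

    [pscustomobject]@{
        InvitationPolicy      = $invitePolicyNames[$inviteSetting]
        GuestsCanInvite       = ($inviteSetting -eq 'everyone')   # the default
        GuestPermissions      = $guestRoleNames[$guestRole]
        GuestInviterMembers   = $inviters
        GuestInviterCount     = @($inviters).Count
    }
}

$posture = Get-B2BInvitationPosture
$posture | Format-List
if ($posture.GuestsCanInvite) {
    Write-Warning 'Guests can invite other guests; tighten the policy if that is not intended.'
}
```

Run the function again after changing the portal settings to confirm the AllowInvitesFrom value moved to the option you selected.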

Next steps

See the following articles on Azure AD B2B collaboration: