Azure Active Directory B2B collaboration invitation redemption

This article describes the ways guest users can access your resources and the consent process they'll encounter. If you send an invitation email to the guest, the invitation includes a link the guest can redeem to get access to your app or portal. The invitation email is just one of the ways guests can get access to your resources. As an alternative, you can add guests to your directory and give them a direct link to the portal or app you want to share. Regardless of the method they use, guests are guided through a first-time consent process.

When you add a guest user to your directory, the guest user account has a consent status (viewable in PowerShell) that's initially set to PendingAcceptance. This setting remains until the guest accepts your invitation and agrees to your privacy policy and terms of use. After that, the consent status changes to Accepted, and the consent pages are no longer presented to the guest.
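To review the consent status described above, here is an added example (not part of the original article and not Microsoft's code) that flags guest accounts still in PendingAcceptance after a threshold. It assumes the AzureAD PowerShell module's `Get-AzureADUser` output properties `UserType`, `UserState` and `UserStateChangedOn`; the function name, the 30-day threshold and the sample accounts are hypothetical.

```powershell
# Added example. Property names follow the AzureAD module's Get-AzureADUser
# output; the function name and the 30-day threshold are assumptions.
function Get-StalePendingGuest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User,
        [int]$MaxAgeDays = 30,
        [datetime]$Now = [datetime]::UtcNow
    )
    process {
        # Only guests that have not completed the consent process are of interest.
        if ($User.UserType -ne 'Guest' -or $User.UserState -ne 'PendingAcceptance') { return }

        # UserStateChangedOn may be empty; report such accounts with an unknown age.
        $ageDays = $null
        if ($User.UserStateChangedOn) {
            $changed = ([datetime]$User.UserStateChangedOn).ToUniversalTime()
            $ageDays = [int][math]::Floor(($Now - $changed).TotalDays)
        }
        if ($null -eq $ageDays -or $ageDays -ge $MaxAgeDays) {
            [pscustomobject]@{
                UserPrincipalName = $User.UserPrincipalName
                UserState         = $User.UserState
                PendingDays       = $ageDays
            }
        }
    }
}

# Constructed sample objects so the function can be exercised offline.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'guest1_partner.example#EXT#@contoso.example'
                       UserType = 'Guest'; UserState = 'PendingAcceptance'
                       UserStateChangedOn = '2024-01-05T10:00:00Z' }
    [pscustomobject]@{ UserPrincipalName = 'guest2_partner.example#EXT#@contoso.example'
                       UserType = 'Guest'; UserState = 'PendingAcceptance'
                       UserStateChangedOn = '2024-02-20T10:00:00Z' }
    [pscustomobject]@{ UserPrincipalName = 'guest3_partner.example#EXT#@contoso.example'
                       UserType = 'Guest'; UserState = 'Accepted'
                       UserStateChangedOn = '2023-11-01T10:00:00Z' }
    [pscustomobject]@{ UserPrincipalName = 'guest4_partner.example#EXT#@contoso.example'
                       UserType = 'Guest'; UserState = 'PendingAcceptance'
                       UserStateChangedOn = $null }
)
$now = ([datetime]'2024-03-01T00:00:00Z').ToUniversalTime()
$sample | Get-StalePendingGuest -Now $now

# Against a live tenant (requires the AzureAD module and a signed-in session):
# Get-AzureADUser -All $true -Filter "UserState eq 'PendingAcceptance'" | Get-StalePendingGuest
```

Long-pending invitations are candidates for review or removal, since an unredeemed invitation link remains a way into the directory until the guest account is deleted.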

Redemption through the invitation email

When you add a guest user to your directory by using the Azure portal, an invitation email is sent to the guest in the process. You can also choose to send invitation emails when you're using PowerShell to add guest users to your directory. Here's a description of the guest's experience when they redeem the link in the email.

  1. The guest receives an invitation email that's sent from Microsoft Invitations.
  2. The guest selects Accept invitation in the email.
  3. The guest is guided through the consent experience described below.

As an alternative to the invitation email, you can give a guest a direct link to your app or portal. You first need to add the guest user to your directory via the Azure portal or PowerShell. When a guest uses a direct link instead of the invitation email, they'll still be guided through the first-time consent experience.

Important

The direct link must be tenant-specific. In other words, it must include a tenant ID or verified domain so the guest can be authenticated in your tenant, where the shared app is located. A common URL like https://account.activedirectory.windowsazure.cn/r#/applications won't work for a guest because it will redirect to their home tenant for authentication. Here are some examples of direct links with tenant context:

  • Azure portal: https://portal.azure.cn/<tenant id>

There are some cases where the invitation email is recommended over a direct link. If these special cases are important to your organization, we recommend that you invite users by using methods that still send the invitation email:

  • Sometimes the invited user object may not have an email address because of a conflict with a contact object (for example, an Outlook contact object). In this case, the user must click the redemption URL in the invitation email.
  • The user may sign in with an alias of the email address that was invited. (An alias is an additional email address associated with an email account.) In this case, the user must click the redemption URL in the invitation email.

When a guest signs in to access resources in a partner organization for the first time, they're guided through the following pages.

  1. The guest reviews the Review permissions page describing the inviting organization's privacy statement. A user must Accept the use of their information in accordance with the inviting organization's privacy policies to continue.

    Screenshot showing the Review permissions page

    Note

    For information about how you as a tenant administrator can link to your organization's privacy statement, see How-to: Add your organization's privacy info in Azure Active Directory.

  2. If terms of use are configured, the guest opens and reviews the terms of use, and then selects Accept.

    Screenshot showing new terms of use

  3. Unless otherwise specified, the guest is redirected to the Apps access panel, which lists the applications the guest can access.

    Screenshot showing the Apps access panel

In your directory, the guest's Invitation accepted value changes to Yes. For more information about guest user account properties, see Properties of an Azure AD B2B collaboration user.

Next steps