了解多个 Azure Active Directory 组织如何交互Understand how multiple Azure Active Directory organizations interact

在 Azure Active Directory (Azure AD) 中,每个 Azure AD 组织都是完全独立的:也就是说,对等租户与你管理的其他 Azure AD 组织在逻辑上相互独立。In Azure Active Directory (Azure AD), each Azure AD organization is fully independent: a peer that is logically independent from the other Azure AD organizations that you manage. 组织之间的这种独立性包括资源独立性、管理独立性和同步独立性。This independence between organizations includes resource independence, administrative independence, and synchronization independence. 组织之间不存在父子关系。There is no parent-child relationship between organizations.

资源独立性Resource independence

  • 如果在一个组织中创建或删除了 Azure AD 资源,这不影响另一个组织中的任何资源,但对于外部用户来说,情况并非完全如此。If you create or delete an Azure AD resource in one organization, it has no impact on any resource in another organization, with the partial exception of external users.
  • 如果向一个组织注册了某个域名,则任何其他组织都不能使用该域名。If you register one of your domain names with one organization, it can't be used by any other organization.

管理独立性Administrative independence

如果组织“Contoso”的某个非管理用户创建了测试组织“Test”,那么:If a non-administrative user of organization 'Contoso' creates a test organization 'Test,' then:

  • 默认情况下,会在该新组织中将创建组织的用户添加为外部用户,并在该组织中为其分配全局管理员角色。By default, the user who creates a organization is added as an external user in that new organization, and assigned the global administrator role in that organization.
  • 组织“Contoso”的管理员对组织“Test”没有直接管理特权,除非“Test”的管理员专门向其授予了这些特权。The administrators of organization 'Contoso' have no direct administrative privileges to organization 'Test,' unless an administrator of 'Test' specifically grants them these privileges. 不过,如果“Contoso”的管理员控制创建“Test”的用户帐户,则可以控制对组织“Test”的访问。However, administrators of 'Contoso' can control access to organization 'Test' if they control the user account that created 'Test.'
  • 如果为一个组织中的用户添加或删除 Azure AD 角色,则此更改不会影响在任何其他 Azure AD 组织中为该用户分配的角色。If you add or remove an Azure AD role for a user in one organization, the change does not affect the roles that the user is assigned in any other Azure AD organization.

同步独立性Synchronization independence

可以独立配置每个 Azure AD 组织,以便通过下列任一工具的单个实例同步数据:You can configure each Azure AD organization independently to get data synchronized from a single instance of either:

  • Azure AD Connect 工具,用于将数据与一个 AD 林同步。The Azure AD Connect tool, to synchronize data with a single AD forest.
  • 适用于 Forefront Identity Manager 的 Azure Active Directory 连接器,用于将数据与一个或多个本地林和/或非 Azure AD 数据源同步。The Azure Active Directory Connector for Forefront Identity Manager, to synchronize data with one or more on-premises forests, and/or non-Azure AD data sources.

添加 Azure AD 组织Add an Azure AD organization

若要在 Azure 门户中添加 Azure AD 组织,请使用作为 Azure AD 全局管理员的帐户登录到 Azure 门户,然后选择“新建”。To add an Azure AD organization in the Azure portal, sign in to the Azure portal with an account that is an Azure AD global administrator, and select New.

备注

与其他 Azure 资源不同,你的 Azure AD 组织不是 Azure 订阅的子资源。Unlike other Azure resources, your Azure AD organizations are not child resources of an Azure subscription. 如果 Azure 订阅已取消或已过期,你仍可以使用 Azure PowerShell、Microsoft Graph API 或 Microsoft 365 管理中心来访问你的 Azure AD 组织的数据。If your Azure subscription is canceled or expired, you can still access your Azure AD organization's data using Azure PowerShell, the Microsoft Graph API, or the Microsoft 365 admin center. 还可以将其他订阅与组织相关联You can also associate another subscription with the organization.

后续步骤Next steps

有关 Azure AD 许可注意事项和最佳做法,请参阅 什么是 Azure Active Directory 许可?For Azure AD licensing considerations and best practices, see What is Azure Active Directory licensing?.