What are External Identities in Azure Active Directory?

With External Identities in Azure AD, you can allow people outside your organization to access your apps and resources, while letting them sign in using whatever identity they prefer. Your partners, distributors, suppliers, vendors, and other guest users can "bring their own identities." Whether they're part of Azure AD or another IT-managed system, or have an unmanaged social identity, they can use their own credentials to sign in. The identity provider manages the external user's identity, and you manage access to your apps with Azure AD to keep your resources protected.

External Identities scenarios

Azure AD External Identities focuses less on a user's relationship to your organization and more on the way an individual wants to sign in to your apps and resources. Within this framework, Azure AD supports a variety of scenarios, from business-to-business (B2B) collaboration to app development for customers and consumers (business-to-consumer, or B2C).

  • Share apps with external users (B2B collaboration). Invite external users into your own tenant as "guest" users that you can assign permissions to (for authorization) while allowing them to use their existing credentials (for authentication). Users sign in to the shared resources through a simple invitation and redemption process with their work account or school account.

  • Develop apps intended for other Azure AD tenants (single-tenant or multi-tenant). When developing applications for Azure AD, you can target users from a single organization (single-tenant), or users from any organization that already has an Azure AD tenant (called multi-tenant applications). These multi-tenant applications are registered once in your own Azure AD, but can then be used by any Azure AD user from any organization without any additional work on your part.

  • Develop white-labeled apps for consumers and customers (Azure AD B2C). If you're a business or developer creating customer-facing apps, you can scale to consumers, customers, or citizens by using Azure AD B2C. Developers can use Azure AD as the full-featured identity system for their application, while letting customers sign in with an identity they already have established. With Azure AD B2C, you can completely customize and control how customers sign up, sign in, and manage their profiles when using your applications. For more information, see the Azure AD B2C documentation.
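The multi-tenant bullet above notes that, once registered, such an app can be used by any Azure AD user from any organization. The check a practitioner wants in that situation is tenant authorization: a token issued for your app by an unexpected tenant is still a validly signed Azure AD token, so the app itself must decide which tenants it trusts. The following Python is an added example, not code from this page or from Microsoft. It assumes the token's signature, audience and expiry have already been verified by the app's OIDC library; the tenant ids and the token are constructed sample values; and the issuer format `https://login.microsoftonline.com/{tenantid}/v2.0` is the one Azure AD uses for v2.0 tokens.

```python
# Added example: tenant authorization for a multi-tenant Azure AD app.
# A multi-tenant registration lets any Azure AD tenant obtain tokens for the app,
# so the app must enforce which tenants it trusts. This runs AFTER the OIDC
# library has verified signature, audience and expiry (assumed done elsewhere).
import base64
import json

# Constructed sample tenant ids (placeholders, not real tenants).
TRUSTED_TENANT = "11111111-1111-1111-1111-111111111111"
UNKNOWN_TENANT = "22222222-2222-2222-2222-222222222222"
ALLOWED_TENANTS = frozenset({TRUSTED_TENANT})

# Issuer format of Azure AD v2.0 tokens: the tenant id is embedded in the issuer.
ISSUER_PREFIX = "https://login.microsoftonline.com/"
ISSUER_SUFFIX = "/v2.0"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url JWT segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. Does NOT verify the signature;
    in a real app signature/audience/expiry are verified first by the OIDC library."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def issuer_for(tid: str) -> str:
    """Expected v2.0 issuer string for a given tenant id."""
    return f"{ISSUER_PREFIX}{tid}{ISSUER_SUFFIX}"


def tenant_allowed(claims: dict, allowed=ALLOWED_TENANTS) -> bool:
    """Authorize the token's tenant.

    Two conditions must both hold:
      1. the `tid` claim is on the app's allowlist;
      2. the `iss` claim names the same tenant, so a token whose tid and iss
         disagree is rejected rather than trusted on tid alone.
    """
    tid = claims.get("tid")
    iss = claims.get("iss")
    if not isinstance(tid, str) or not isinstance(iss, str):
        return False
    if tid not in allowed:
        return False
    return iss == issuer_for(tid)


def make_sample_token(tid: str, iss: str) -> str:
    """Build a constructed, unsigned sample token for offline demonstration only."""
    header = {"alg": "none", "typ": "JWT"}  # sample header; a real verifier rejects alg=none
    claims = {"tid": tid, "iss": iss, "aud": "constructed-app-id", "sub": "user-1"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.sig"


if __name__ == "__main__":
    samples = {
        "trusted tenant": make_sample_token(TRUSTED_TENANT, issuer_for(TRUSTED_TENANT)),
        "foreign tenant": make_sample_token(UNKNOWN_TENANT, issuer_for(UNKNOWN_TENANT)),
        "tid/iss mismatch": make_sample_token(TRUSTED_TENANT, issuer_for(UNKNOWN_TENANT)),
    }
    for name, tok in samples.items():
        verdict = "allow" if tenant_allowed(decode_claims(tok)) else "deny"
        print(f"{name}: {verdict}")
```

The allowlist is the app's policy decision: a single-tenant app gets the same effect from the platform by registering for one tenant only, but a multi-tenant app receives tokens from every tenant that consents, so a default of "any tenant that authenticates is authorized" is the failure mode this check closes.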

Compare External Identities solutions

The table below gives a detailed comparison of the various scenarios you can enable with Azure AD External Identities.

| | Multi-tenant applications | External user collaboration (B2B) | Apps for consumers or customers (B2C) |
|---|---|---|---|
| Intended for | Organizations that want to provide software to many enterprise customers. | Organizations that want to be able to authenticate users from a partner organization, regardless of identity provider. | Inviting customers of your mobile and web apps, whether individuals, institutional or organizational customers, into an Azure AD directory separate from your own organization's directory. |
| Identities supported | Employees with Azure AD accounts. | Employees with work or school accounts, partners with work or school accounts, or any email address. | Consumer users with local application accounts (any email address or user name). |
| User management | External users are managed in their own directory, isolated from the directory where the application was registered. | External users are managed in the same directory as employees, but annotated specially. They can be managed the same way as employees, added to the same groups, and so on. | External users are managed in the application directory, separately from the organization's employee and partner directory (if any). |
| Single sign-on | SSO to all Azure AD-connected apps is supported. | SSO to all Azure AD-connected apps is supported. For example, you can provide access to Microsoft 365 or on-premises apps. | SSO to customer-owned apps within the Azure AD B2C tenant is supported. SSO to Microsoft 365 or to other Microsoft SaaS apps is not supported. |
| Lifecycle | Customer lifecycle: managed by the user's home organization. | Partner lifecycle: managed by the host/inviting organization. | Customer lifecycle: self-serve or managed by the application. |
| Security policy and compliance | Managed by the host/inviting organization (for example, with Conditional Access policies). | Managed by the host/inviting organization (for example, with Conditional Access policies). | Managed by the application. |
| Branding | Host/inviting organization's brand is used. | Host/inviting organization's brand is used. | Managed by the application. Typically product-branded, with the organization fading into the background. |
| More info | How-to Guide | Blog post, Documentation | Product page, Documentation |

Secure and manage customers and partners beyond your organizational boundaries with Azure AD External Identities.

Next steps