What are External Identities in Azure Active Directory?

With External Identities in Azure AD, you can allow people outside your organization to access your apps and resources, while letting them sign in using whatever identity they prefer. Your partners, distributors, suppliers, vendors, and other guest users can "bring their own identities." Whether they have a corporate or government-issued digital identity, or an unmanaged social identity, they can use their own credentials to sign in. The external user's identity provider manages their identity, and you manage access to your apps with Azure AD to keep your resources protected.

External Identities scenarios

Azure AD External Identities focuses less on a user's relationship to your organization and more on how the user wants to sign in to your apps and resources. Within this framework, Azure AD supports a variety of scenarios, from business-to-business (B2B) collaboration to access management for consumer-, customer- or citizen-facing applications (business-to-customer, or B2C).

  • Share your apps and resources with external users (B2B collaboration). Invite external users into your own tenant as "guest" users that you can assign permissions to (for authorization) while letting them use their existing credentials (for authentication). Users sign in to the shared resources using a simple invitation and redemption process with their work, school, or other email account. You can also use Azure AD entitlement management to configure policies that manage access for external users. The experience can be customized to allow sign-up with a work, school, or social identity, and you can collect information about the user during the sign-up process. For more information, see the Azure AD B2B documentation.

  • Build user journeys with a white-label identity management solution for consumer- and customer-facing apps (Azure AD B2C). If you're a business or developer creating customer-facing apps, you can scale to millions of consumers, customers, or citizens by using Azure AD B2C. Developers can use Azure AD as the full-featured Customer Identity and Access Management (CIAM) system for their applications. Customers can sign in with an identity they have already established. With Azure AD B2C, you can completely customize and control how customers sign up, sign in, and manage their profiles when using your applications. For more information, see the Azure AD B2C documentation.

Compare External Identities solutions

The following table gives a detailed comparison of the scenarios you can enable with Azure AD External Identities.

| | External user collaboration (B2B) | Access to consumer/customer-facing apps (B2C) |
|---|---|---|
| Primary scenario | Collaboration using Microsoft applications (Microsoft 365, Teams, etc.) or your own applications (SaaS apps, custom-developed apps, etc.). | Identity and access management for modern SaaS or custom-developed applications (not first-party Microsoft apps). |
| Intended for | Collaborating with business partners from external organizations such as suppliers, partners and vendors. Users appear as guest users in your directory. These users may or may not have managed IT. | Customers of your product. These users are managed in a separate Azure AD directory. |
| Identity providers supported | External users can collaborate using work accounts, school accounts, any email address, and SAML- and WS-Fed-based identity providers. | Consumer users with local application accounts (any email address or user name), plus various supported social identities. |
| External user management | External users are managed in the same directory as employees, but are typically annotated as guest users. Guest users can be managed the same way as employees, added to the same groups, and so on. | External users are managed in the Azure AD B2C directory. They're managed separately from the organization's employee and partner directory (if any). |
| Single sign-on (SSO) | SSO to all Azure AD-connected apps is supported. For example, you can provide access to Microsoft 365 or on-premises apps, and to other SaaS apps such as Salesforce or Workday. | SSO to customer-owned apps within the Azure AD B2C tenant is supported. SSO to Microsoft 365 or to other Microsoft SaaS apps isn't supported. |
| Security policy and compliance | Managed by the host/inviting organization (for example, with Conditional Access policies). | Managed by the organization via Conditional Access. |
| Branding | The host/inviting organization's brand is used. | Fully customizable branding per application or organization. |
| Billing model | External Identities pricing based on monthly active users (MAU). (See also: B2B setup details) | External Identities pricing based on monthly active users (MAU). (See also: B2C setup details) |
| More information | Blog post, Documentation | Product page, Documentation |

Secure and manage customers and partners beyond your organizational boundaries with Azure AD External Identities.

About multitenant applications

If you're providing an app as a service and you don't want to manage your customers' user accounts, a multitenant app is likely the right choice for you. When you develop applications intended for other Azure AD tenants, you can target users from a single organization (single tenant), or users from any organization that already has an Azure AD tenant (multitenant applications). App registrations in Azure AD are single tenant by default, but you can make your registration multitenant. A multitenant application is registered once, by you, in your own Azure AD. After that, any Azure AD user from any organization can use the application without additional work on your part. For more information, see the How-to Guide.
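One consequence of making a registration multitenant is that tokens now arrive from many different issuers, one per tenant, so the application itself has to decide which tenants it accepts rather than relying on a single fixed issuer. The following is an added example, not code from this page or from Microsoft: it applies the tenant checks an app would run on an already signature-verified token, keyed on the registration's signInAudience value. The client ID and tenant IDs are constructed placeholders, and the optional allow-list of tenants is an application-side policy, not an Azure AD setting.

```python
"""Added example (not Microsoft's code): per-tenant acceptance checks for an
Azure AD app registration that may be single tenant or multitenant.

Assumes the token's signature, expiry and nonce were already validated by a
JWT library; this code only decides whether the issuing tenant is one the app
is willing to serve. Claim names (iss, tid, aud) are the standard Azure AD
v2.0 token claims. All IDs below are constructed placeholders.
"""
from typing import Iterable, Optional, Tuple

ISSUER_PREFIX = "https://login.microsoftonline.com/"
ISSUER_SUFFIX = "/v2.0"

APP_CLIENT_ID = "aaaaaaaa-0000-0000-0000-000000000001"   # constructed placeholder
HOME_TENANT = "11111111-1111-1111-1111-111111111111"     # constructed placeholder
PARTNER_TENANT = "22222222-2222-2222-2222-222222222222"  # constructed placeholder


def issuer_tenant(iss: str) -> Optional[str]:
    """Return the tenant ID embedded in a v2.0 issuer URL, or None if the
    issuer is not of the expected https://login.microsoftonline.com/{tid}/v2.0
    shape (a token from any other issuer must not be accepted)."""
    if not iss.startswith(ISSUER_PREFIX) or not iss.endswith(ISSUER_SUFFIX):
        return None
    tenant = iss[len(ISSUER_PREFIX):-len(ISSUER_SUFFIX)]
    return tenant or None


def check_tenant(claims: dict, app_client_id: str, sign_in_audience: str,
                 home_tenant_id: str,
                 allowed_tenants: Optional[Iterable[str]] = None) -> Tuple[bool, str]:
    """Return (accepted, reason).

    sign_in_audience mirrors the app registration setting:
      "AzureADMyOrg"        -> single tenant: only the home tenant may sign in
      "AzureADMultipleOrgs" -> multitenant: any tenant, or only allowed_tenants
                               when the app keeps its own allow-list
    """
    # The token must have been issued for this application.
    if claims.get("aud") != app_client_id:
        return False, "audience mismatch: token was not issued for this app"

    # The tenant in the issuer URL and the tid claim must agree; a token whose
    # tid does not match its issuer is not one Azure AD would have minted.
    iss_tenant = issuer_tenant(claims.get("iss", ""))
    tid = claims.get("tid")
    if iss_tenant is None or tid is None:
        return False, "missing or malformed issuer/tenant claims"
    if iss_tenant != tid:
        return False, "issuer tenant does not match tid claim"

    if sign_in_audience == "AzureADMyOrg":
        if tid != home_tenant_id:
            return False, f"single-tenant app: tenant {tid} not allowed"
        return True, "home tenant"

    if sign_in_audience == "AzureADMultipleOrgs":
        if allowed_tenants is not None and tid not in set(allowed_tenants):
            return False, f"tenant {tid} not on the app's allow-list"
        return True, f"tenant {tid} accepted"

    return False, f"unsupported signInAudience {sign_in_audience!r}"


def sample_claims(tenant_id: str) -> dict:
    """Constructed claim set shaped like a decoded Azure AD v2.0 access token."""
    return {
        "aud": APP_CLIENT_ID,
        "iss": f"{ISSUER_PREFIX}{tenant_id}{ISSUER_SUFFIX}",
        "tid": tenant_id,
        "oid": "33333333-3333-3333-3333-333333333333",  # constructed placeholder
        "preferred_username": "user@example.com",       # constructed placeholder
    }


if __name__ == "__main__":
    for audience in ("AzureADMyOrg", "AzureADMultipleOrgs"):
        for tenant in (HOME_TENANT, PARTNER_TENANT):
            print(audience, tenant,
                  check_tenant(sample_claims(tenant), APP_CLIENT_ID, audience, HOME_TENANT))
```

The issuer/tid agreement check matters precisely because a multitenant app can no longer compare the issuer against one known string; restricting accepted tenants with an allow-list is an application decision that Azure AD does not make for you.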

Next steps