B2B 协作用户的条件访问Conditional Access for B2B collaboration users

针对 B2B 用户的多重身份验证Multi-factor authentication for B2B users

通过 Azure AD B2B 协作,组织可以针对 B2B 用户强制实施多重身份验证 (MFA) 策略。With Azure AD B2B collaboration, organizations can enforce multi-factor authentication (MFA) policies for B2B users. 可以在租户、应用或个人用户级别强制实施这些策略,与针对全职员工和组织成员启用这些策略的方式相同。These policies can be enforced at the tenant, app, or individual user level, the same way that they are enabled for full-time employees and members of the organization. 资源组织中强制实施 MFA 策略。MFA policies are enforced at the resource organization.


  1. 公司 A 中的管理员或信息工作者邀请公司 B 中的用户加入公司 A 中的应用程序 Foo 。Admin or information worker in Company A invites user from company B to an application Foo in company A.
  2. 公司 A 中的应用程序 Foo 配置为在访问时需要进行 MFA。Application Foo in company A is configured to require MFA on access.
  3. 公司 B 中的用户尝试访问公司 A 租户中的应用 Foo 时,会要求其完成 MFA 质询 。When the user from company B attempts to access app Foo in the company A tenant, they are asked to complete an MFA challenge.
  4. 用户可设置公司 A 对其的 MFA,并选择 MFA 选项。The user can set up their MFA with company A, and chooses their MFA option.
  5. 此方案适用于任何标识(Azure AD,例如,如果公司 B 中的用户使用社交 ID 进行身份验证)This scenario works for any identity (Azure AD, for example, if users in Company B authenticate using social ID)
  6. 公司 A 必须具有足够的支持 MFA 的高级 Azure AD 许可证。Company A must have sufficient Premium Azure AD licenses that support MFA. 公司 B 中的用户使用公司 A 提供的此许可证。The user from company B consumes this license from company A.

邀请方租户始终负责对合作伙伴组织中的用户进行 MFA(即使合作伙伴组织具有 MFA 功能)。The inviting tenancy is always responsible for MFA for users from the partner organization, even if the partner organization has MFA capabilities.

为 B2B 协作用户设置 MFASetting up MFA for B2B collaboration users

若要了解为 B2B 协作用户设置 MFA 有多轻松,请参阅以下视频:To discover how easy it is to set up MFA for B2B collaboration users, see how in the following video:

用于产品/服务兑换的 B2B 用户 MFA 体验B2B users MFA experience for offer redemption

请查看下面的动画了解兑换体验:Check out the following animation to see the redemption experience:

为 B2B 协作用户重置 MFAMFA reset for B2B collaboration users

目前,管理员可以要求 B2B 协作用户只使用以下 PowerShell cmdlet 再次进行身份验证:Currently, the admin can require B2B collaboration users to proof up again only by using the following PowerShell cmdlets:

  1. 连接到 Azure ADConnect to Azure AD

    $cred = Get-Credential
    Connect-MsolService -AzureEnvironment AzureChinaCloud -Credential $cred
  2. 使用身份验证方法获取所有用户Get all users with proof up methods

    Get-MsolUser | where { $_.StrongAuthenticationMethods} | select UserPrincipalName, @{n="Methods";e={($_.StrongAuthenticationMethods).MethodType}}

    以下是示例:Here is an example:

    Get-MsolUser | where { $_.StrongAuthenticationMethods} | select UserPrincipalName, @{n="Methods";e={($_.StrongAuthenticationMethods).MethodType}}
  3. 重置特定用户的 MFA 方法,以要求该 B2B 协作用户再次设置身份验证方法。Reset the MFA method for a specific user to require the B2B collaboration user to set proof-up methods again. 示例:Example:

    Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName gsamoogle_gmail.com#EXT#@ WoodGroveAzureAD.partner.onmschina.cn

为什么在资源租户中执行 MFA?Why do we perform MFA at the resource tenancy?

在当前版本中,为确保可预测性,资源租户始终需要执行 MFA。In the current release, MFA is always in the resource tenancy, for reasons of predictability. 例如,假设 Contoso 用户 (Sally) 被邀请到 Fabrikam,并且 Fabrikam 针对 B2B 用户启用了 MFA。For example, let’s say a Contoso user (Sally) is invited to Fabrikam and Fabrikam has enabled MFA for B2B users.

如果 Contoso 对 App1 启用了 MFA 策略,但未对 App2 启用,那么查看令牌中的 Contoso MFA 声明时,可能会发现以下问题:If Contoso has MFA policy enabled for App1 but not App2, then if we look at the Contoso MFA claim in the token, we might see the following issue:

  • 第 1 天:用户在 Contoso 中进行了 MFA 并访问 App1,因此 Fabrikam 中没有显示其他 MFA 提示。Day 1: A user has MFA in Contoso and is accessing App1, then no additional MFA prompt is shown in Fabrikam.

  • 第 2 天:用户在 Contoso 中访问了 App2,那么如果现在访问 Fabrikam,就必须在其中注册 MFA。Day 2: The user has accessed App 2 in Contoso, so now when accessing Fabrikam, they must register for MFA there.

这个过程可能会令人困惑,并可能会导致成功登录的次数降低。This process can be confusing and could lead to drop in sign-in completions.

此外,即使 Contoso 启用了 MFA 功能,Fabrikam 也不可能一直信任 Contoso MFA 策略。Moreover, even if Contoso has MFA capability, it is not always the case the Fabrikam would trust the Contoso MFA policy.

最后,资源租户 MFA 还适用于社交 ID,以及尚未设置 MFA 的合作伙伴组织。Finally, resource tenant MFA also works for social IDs and for partner orgs that do not have MFA set up.

因此,在针对 B2B 用户进行 MFA 方面,建议始终需要在邀请方租户中进行 MFA。Therefore, the recommendation for MFA for B2B users is to always require MFA in the inviting tenant. 此要求可能会导致有些情况下需要进行两次 MFA,但是无论在什么时候访问邀请方租户,最终用户体验都是可以预测的:Sally 必须注册邀请方租户的 MFA。This requirement could lead to double MFA in some cases, but whenever accessing the inviting tenant, the end-users experience is predictable: Sally must register for MFA with the inviting tenant.

B2B 用户基于设备、位置和风险的条件访问Device-based, location-based, and risk-based Conditional Access for B2B users

Contoso 为其公司数据启用基于设备的条件访问策略时,会阻止从不受 Contoso 管理并且不符合 Contoso 设备策略的设备进行访问。When Contoso enables device-based Conditional Access policies for their corporate data, access is prevented from devices that are not managed by Contoso and not compliant with the Contoso device policies.

如果 B2B 用户的设备不受 Contoso 管理,则在强制实施这些策略的任何上下文中,合作伙伴组织中的 B2B 用户进行的访问都将被阻止。If the B2B user’s device isn't managed by Contoso, access of B2B users from the partner organizations is blocked in whatever context these policies are enforced. 但是,Contoso 可以创建包含特定合作伙伴用户的排除列表,将其排除在基于设备的条件访问策略之外。However, Contoso can create exclusion lists containing specific partner users to exclude them from the device-based Conditional Access policy.

B2B 的移动应用程序管理策略Mobile application management policies for B2B

条件访问应用保护策略无法应用于 B2B 用户,因为邀请组织无法查看 B2B 用户的本组织。Conditional Access app protection policies cannot be applied to B2B users because the inviting organization has no visibility into the B2B user's home organization.

针对 B2B 的基于位置的条件访问Location-based Conditional Access for B2B

如果邀请组织能够创建定义其合作伙伴组织的受信任 IP 地址范围,则可针对 B2B 用户强制实施基于位置的条件访问策略。Location-based Conditional Access policies can be enforced for B2B users if the inviting organization is able to create a trusted IP address range that defines their partner organizations.

针对 B2B 的基于风险的条件访问Risk-based Conditional Access for B2B

目前是在 B2B 用户的本组织中进行风险评估,因此不能对 B2B 用户应用基于风险的登录策略。Currently, risk-based sign-in policies cannot be applied to B2B users because the risk evaluation is performed at the B2B user’s home organization.

后续步骤Next steps

请参阅以下有关 Azure AD B2B 协作的文章:See the following articles on Azure AD B2B collaboration: