Enable B2B external collaboration and manage who can invite guests

This article describes how to enable Azure Active Directory (Azure AD) B2B collaboration, designate who can invite guests, and determine the permissions that guest users have in your Azure AD.

By default, all users and guests in your directory can invite guests, even if they are not assigned an admin role. External collaboration settings let you turn guest invitations on or off for different types of users in your organization. You can also delegate invitations to individual users by assigning them roles that allow them to invite guests.

Azure AD allows you to restrict what external guest users can see in your Azure AD directory. By default, guest users are set to a limited permission level that blocks them from enumerating users, groups, or other directory resources, but lets them see the membership of non-hidden groups. A new preview setting lets you restrict guest access even further, so that guests can only view their own profile information. For details, see Restrict guest access permissions (preview).

Configure B2B external collaboration settings

With Azure AD B2B collaboration, a tenant admin can set the following invitation policies:

  • Turn off invitations
  • Only admins and users in the Guest Inviter role can invite
  • Admins, the Guest Inviter role, and members can invite
  • All users, including guests, can invite

By default, all users, including guests, can invite guest users.

To configure external collaboration settings:

  1. Sign in to the Azure portal as a tenant administrator.

  2. Select Azure Active Directory.

  3. Select Organizational relationships > Settings.

  4. On the page, choose the policies you want to enable.

    (Screenshot: External collaboration settings)

  • Guest users permissions are limited: This policy determines the permissions guests have in your directory. Select Yes to block guests from certain directory tasks, such as enumerating users, groups, or other directory resources. Select No to give guests the same access to directory data as regular users in your directory.
  • Admins and users in the guest inviter role can invite: To allow admins and users in the Guest Inviter role to invite guests, set this policy to Yes.
  • Members can invite: To allow non-admin members of your directory to invite guests, set this policy to Yes.
  • Guests can invite: To allow guests to invite other guests, set this policy to Yes.
  • Collaboration restrictions: For more information about allowing or blocking invitations to specific domains, see Allow or block invitations to B2B users from specific organizations.

Note

If Members can invite is set to No and Admins and users in the guest inviter role can invite is set to Yes, users in the Guest Inviter role will still be able to invite guests.

Assign the Guest Inviter role to a user

With the Guest Inviter role, you can give individual users the ability to invite guests without assigning them the Global Administrator or another admin role. Assign the Guest Inviter role to the individuals who need it. Then make sure that Admins and users in the guest inviter role can invite is set to Yes.

Here's an example that shows how to use PowerShell to add a user to the Guest Inviter role:

Add-MsolRoleMember -RoleObjectId 95e79109-95c0-4d8e-aee3-d01accf2d47b -RoleMemberEmailAddress <RoleMemberEmailAddress>
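The following script is an added example, not part of the original article. It resolves the Guest Inviter role by name rather than by the object ID above, assigns it, lists everyone who currently holds it, and then reads the tenant-wide invitation policy from Microsoft Graph so you can confirm the assignment actually takes effect. It assumes the MSOnline module with Connect-MsolService already run, the Microsoft.Graph module with Policy.Read.All consent, and a constructed user name (alice@contoso.example).

```powershell
# Added example (not from the original article). Assumes Connect-MsolService has
# already been run and the Microsoft.Graph module is installed.

# Resolve the Guest Inviter role by name instead of hard-coding its object ID.
$role = Get-MsolRole -RoleName "Guest Inviter"

# Grant invitation rights to a single user who holds no admin role.
$newInviter = "alice@contoso.example"   # constructed sample value
Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberEmailAddress $newInviter

# Audit: list everyone who can now invite guests through this role.
Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Select-Object DisplayName, EmailAddress, RoleMemberType |
    Format-Table -AutoSize

# The role only has effect if the tenant-wide policy lets admins and Guest
# Inviters invite. Read the effective setting from the authorization policy.
Connect-MgGraph -Scopes "Policy.Read.All"
$policy = Get-MgPolicyAuthorizationPolicy

# Map the Graph value to the four invitation policies described in the article.
$meaning = switch ($policy.AllowInvitesFrom) {
    "none"                             { "Invitations are turned off" }
    "adminsAndGuestInviters"           { "Only admins and Guest Inviters can invite" }
    "adminsGuestInvitersAndAllMembers" { "Admins, Guest Inviters, and members can invite" }
    "everyone"                         { "All users, including guests, can invite (default)" }
    default                            { "Unrecognised value: $($policy.AllowInvitesFrom)" }
}
Write-Output "Invitation policy: $($policy.AllowInvitesFrom) -> $meaning"

if ($policy.AllowInvitesFrom -eq "none") {
    Write-Warning "Guest Inviter assignments have no effect while invitations are turned off."
}
```

If the policy reports "everyone", the default is still in place and the Guest Inviter assignment adds nothing; tightening the setting to "adminsAndGuestInviters" is what makes the role meaningful.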

Next steps

See the following articles on Azure AD B2B collaboration: