Azure Active Directory B2B 协作常见问题解答Azure Active Directory B2B collaboration FAQs

有关 Azure Active Directory (Azure AD) 企业到企业 (B2B) 协作的常见问题解答 (FAQ) 会定期更新,以包含新主题。These frequently asked questions (FAQs) about Azure Active Directory (Azure AD) business-to-business (B2B) collaboration are periodically updated to include new topics.

B2B 协作用户能否访问 SharePoint Online 和 OneDrive?Can B2B collaboration users access SharePoint Online and OneDrive?

是的。Yes. 不过,在 SharePoint Online 中使用人员选取器搜索现有来宾用户的功能默认已 关闭However, the ability to search for existing guest users in SharePoint Online by using the people picker is Off by default. 要启用该选项来搜索现有来宾用户,请将 ShowPeoplePickerSuggestionsForGuestUsersOnTo turn on the option to search for existing guest users, set ShowPeoplePickerSuggestionsForGuestUsers to On. 可以在租户级别或站点集合级别启用此设置。You can turn this setting on either at the tenant level or at the site collection level. 可以使用 Set-SPOTenant 和 Set-SPOSite cmdlet 更改此设置。You can change this setting by using the Set-SPOTenant and Set-SPOSite cmdlets. 使用这些 cmdlet,成员可以搜索目录中的所有现有来宾用户。With these cmdlets, members can search all existing guest users in the directory. 租户范围中的更改不会影响已经预配的 SharePoint Online 站点。Changes in the tenant scope don't affect SharePoint Online sites that have already been provisioned.

是否仍支持 CSV 上传功能?Is the CSV upload feature still supported?

是的。Yes. 有关使用 .csv 文件上传功能的详细信息,请参阅此 PowerShell 示例For more information about using the .csv file upload feature, see this PowerShell sample.

我能否自定义邀请电子邮件?How can I customize my invitation emails?

使用 B2B 邀请 API,几乎可以自定义有关邀请者过程的所有内容。You can customize almost everything about the inviter process by using the B2B invitation APIs.

来宾用户是否可以重置其多重身份验证方法?Can guest users reset their multi-factor authentication method?

是的。Yes. 来宾用户可以像普通用户一样重置其多重身份验证方法。Guest users can reset their multi-factor authentication method the same way that regular users do.

哪家组织负责提供多重身份验证许可证?Which organization is responsible for multi-factor authentication licenses?

邀请方组织执行多重身份验证。The inviting organization performs multi-factor authentication. 邀请方组织必须确保为其使用多重身份验证的 B2B 用户提供足够的许可证。The inviting organization must make sure that the organization has enough licenses for their B2B users who are using multi-factor authentication.

如果合作伙伴组织已设置多重身份验证会怎样?What if a partner organization already has multi-factor authentication set up? 我们是否可以信任他们的多重身份验证,而不使用我们自己的多重身份验证?Can we trust their multi-factor authentication, and not use our own multi-factor authentication?

目前不支持此功能。This feature is currently not supported. 如果需要进行多重身份验证才能访问你的组织的资源,则合作伙伴组织需要在(发出邀请的)组织中注册多重身份验证。If access to your organization's resources requires multi-factor authentication, the partner organization will need to register for multi-factor authentication in your (the inviting) organization.

如何使用延迟的邀请?How can I use delayed invitations?

某家组织想要添加 B2B 协作用户,根据需要将这些用户预配到应用程序中,然后发送邀请。An organization might want to add B2B collaboration users, provision them to applications as needed, and then send invitations. 可以使用 B2B 协作邀请 API 自定义载入工作流。You can use the B2B collaboration invitation API to customize the onboarding workflow.

能否在 Exchange 全局地址列表中显示来宾用户?Can I make guest users visible in the Exchange Global Address List?

是的。Yes. 默认情况下,来宾对象在组织的全局地址列表 (GAL) 中不可见,但你可以使用 Azure Active Directory PowerShell 使其可见。Guest objects aren't visible in your organization's global address list (GAL) by default, but you can use Azure Active Directory PowerShell to make them visible. 请参阅能否在全局地址列表中显示来宾对象?See Can I make guest objects visible in the global address list?

是否可将来宾用户指定为受限制的管理员?Can I make a guest user a limited administrator?

绝对是。Absolutely. 有关详细信息,请参阅将来宾用户添加到角色For more information, see Adding guest users to a role.

Azure AD B2B 协作是否允许 B2B 用户访问 Azure 门户?Does Azure AD B2B collaboration allow B2B users to access the Azure portal?

除非 B2B 协作用户分配有受限管理员角色,否则他们不需要对 Azure 门户的访问权限。Unless a user is assigned the role of limited administrator, B2B collaboration users won't require access to the Azure portal. 但是,分配有受限管理员角色的 B2B 协作用户可以访问门户。However, B2B collaboration users who are assigned the role of limited administrator can access the portal. 另外,如果未被分配这些管理员角色之一的来宾用户访问门户,该用户可以访问某些部分的体验。Also, if a guest user who isn't assigned one of these admin roles accesses the portal, the user might be able to access certain parts of the experience. 来宾用户角色具有目录中的某些权限。The guest user role has some permissions in the directory.

我能否阻止来宾用户访问 Azure 门户?Can I block access to the Azure portal for guest users?

能!Yes! 你可以创建一个条件访问策略,阻止所有来宾用户和外部用户访问 Azure 门户。You can create a Conditional Access policy that blocks all guest and external users from accessing the Azure portal. 配置此策略时请小心,避免意外阻止成员和管理员的访问。When you configure this policy, be careful to avoid accidentally blocking access to members and admins.

  1. 以安全管理员或条件访问管理员的身份登录到 Azure 门户Sign in to your Azure portal as a security administrator or a Conditional Access administrator.
  2. 在 Azure 门户中,选择“Azure Active Directory”。 In the Azure portal, select Azure Active Directory.
  3. 在“管理”下,选择“安全性” 。Under Manage, select Security.
  4. 在“保护”下,选择“条件访问” 。Under Protect, select Conditional Access. 选择“新策略” 。Select New policy.
  5. 在“新建” 页的“名称” 文本框中,为策略输入一个名称(例如“阻止来宾访问门户”)。On the New page, in the Name textbox, enter a name for the policy (for example "Block guests from accessing the portal").
  6. 在“分配” 下,选择“用户和组” 。Under Assignments, select Users and groups.
  7. 在“包括”选项卡上,选择“选择用户和组”,然后选择“所有来宾和外部用户(预览版)” 。On the Include tab, choose Select users and groups, and then select All guest and external users (Preview).
  8. 选择“完成” 。Select Done.
  9. 在“新建”页的“分配”部分,选择“云应用或操作” 。On the New page, in the Assignments section, select Cloud apps or actions.
  10. 在“云应用或操作”页上,选择“选择应用”,然后选择“选择” 。On the Cloud apps or actions page, choose Select apps, and then choose Select.
  11. 在“选择”页上,选择“Azure 管理”,然后选择“选择” 。On the Select page, choose Azure Management, and then choose Select.
  12. 在“云应用或操作”页上,选择“完成” 。On the Cloud apps or actions page, select Done.

Azure AD B2B 协作是否支持多重身份验证和使用者电子邮件帐户?Does Azure AD B2B collaboration support multi-factor authentication and consumer email accounts?

是的。Yes. Azure AD B2B 协作同时支持多重身份验证和使用者电子邮件帐户。Multi-factor authentication and consumer email accounts are both supported for Azure AD B2B collaboration.

是否支持 Azure AD B2B 协作用户的密码重置?Do you support password reset for Azure AD B2B collaboration users?

如果 Azure AD 租户是用户的主目录,则可以从 Azure 门户重置用户的密码If your Azure AD tenant is the home directory for a user, you can reset the user's password from the Azure portal. 但是,对于使用由其他 Azure AD 目录或外部标识提供者管理的帐户登录的来宾用户,无法直接重置其密码。But you can't directly reset a password for a guest user who signs in with an account that's managed by another Azure AD directory or external identity provider. 只有用户主目录中的来宾用户或管理员可以重置密码。Only the guest user or an administrator in the user’s home directory can reset the password. 以下示例演示来宾用户如何重置密码:Here are some examples of how password reset works for guest users:

  • 使用 Microsoft 帐户(例如 guestuser@live.com)登录的来宾用户可以使用 Microsoft 帐户自助密码重置 (SSPR) 来重置其自己的密码。Guest users who sign in with a Microsoft account (for example guestuser@live.com) can reset their own passwords using Microsoft account self-service password reset (SSPR). 请参阅如何重置 Microsoft 帐户密码See How to reset your Microsoft account password.

  • 使用外部标识提供者登录的来宾用户可以使用其标识提供者的 SSPR 方法来重置自己的密码。Guest users who sign in with an external identity provider can reset their own passwords using their identity provider’s SSPR method.

  • 如果标识租户是实时 (JIT) 或“病毒性”租户(独立的不受管 Azure 租户),则只有来宾用户可以重置其密码。If the identity tenant is a just-in-time (JIT) or "viral" tenant (meaning it's a separate, unmanaged Azure tenant), only the guest user can reset their password. 有时,组织会接管员工在使用其工作电子邮件地址注册服务时创建的病毒性租户的管理。Sometimes an organization will take over management of viral tenants that are created when employees use their work email addresses to sign up for services. 组织接管病毒性租户后,只有该组织中的管理员可以重置用户密码或启用 SSPR。After the organization takes over a viral tenant, only an administrator in that organization can reset the user's password or enable SSPR. 如果需要,作为邀请方组织,你可以从目录中删除来宾用户帐户并重新发送邀请。If necessary, as the inviting organization, you can remove the guest user account from your directory and resend an invitation.

  • 如果来宾用户的主目录是 Azure AD 租户,则你可以重置该用户的密码。If the guest user's home directory is your Azure AD tenant, you can reset the user's password. 例如,你可能在本地 Active Directory 中创建了用户或同步了用户,并将其 UserType 设置为 Guest。For example, you might have created a user or synced a user from your on-premises Active Directory and set their UserType to Guest. 由于此用户位于你的目录中,因此,可以从 Azure 门户重置其密码。Because this user is homed in your directory, you can reset their password from the Azure portal.

Microsoft Dynamics 365 是否为 Azure AD B2B 协作提供联机支持?Does Microsoft Dynamics 365 provide online support for Azure AD B2B collaboration?

是的,Dynamics 365 (Online) 支持 Azure AD B2B 协作。Yes, Dynamics 365 (online) supports Azure AD B2B collaboration. 有关详细信息,请参阅 Dynamics 365 文章通过 Azure AD B2B 协作邀请用户For more information, see the Dynamics 365 article Invite users with Azure AD B2B collaboration.

新创建的 B2B 协作用户的初始密码的生存期是什么?What is the lifetime of an initial password for a newly created B2B collaboration user?

Azure AD 具有固定的字符集、密码强度和帐户锁定要求,同样适用于所有 Azure AD 云用户帐户。Azure AD has a fixed set of character, password strength, and account lockout requirements that apply equally to all Azure AD cloud user accounts. 云用户帐户是没有与其他标识提供者联合的帐户,例如Cloud user accounts are accounts that aren't federated with another identity provider, such as

  • Active Directory 联合身份验证服务Active Directory Federation Services
  • 其他云租户(用于 B2B 协作)Another cloud tenant (for B2B collaboration)

对于联合帐户,密码策略取决于在本地租户中应用的策略和用户的 Microsoft 帐户设置。For federated accounts, password policy depends on the policy that is applied in the on-premises tenancy and the user's Microsoft account settings.

组织可能希望在其应用程序中为租户用户和来宾用户提供不同的体验。An organization might want to have different experiences in their applications for tenant users and guest users. 是否有针对此事项的标准指南?Is there standard guidance for this? 标识提供者声明是否是可用的适当模型?Is the presence of the identity provider claim the correct model to use?

来宾用户可以使用任何标识提供者进行身份验证。A guest user can use any identity provider to authenticate. 有关详细信息,请参阅 B2B 协作用户的属性For more information, see Properties of a B2B collaboration user. 使用 UserType 属性确定用户体验。Use the UserType property to determine user experience. 令牌中当前未包括 UserType 声明。The UserType claim isn't currently included in the token. 应用程序应当使用 Microsoft Graph API 从目录中查询用户并获取其 UserType。Applications should use the Microsoft Graph API to query the directory for the user, and to get the UserType.

可在何处找到 B2B 协作社区以共享解决方案和提交意见?Where can I find a B2B collaboration community to share solutions and to submit ideas?

我们会在改进 B2B 协作的过程中不断听取反馈。We're constantly listening to your feedback, to improve B2B collaboration. 请分享你的用户方案和最佳做法,并分享 Azure AD B2B 协作中让你钟意的方面。Please share your user scenarios, best practices, and what you like about Azure AD B2B collaboration. 欢迎在 Microsoft 技术社区参与讨论。Join the discussion in the Microsoft Tech Community.

我们还力邀你在 B2B 协作意见中提交意见并为未来的功能投票。We also invite you to submit your ideas and vote for future features at B2B Collaboration Ideas.

是否可以发送自动兑换的邀请,以便用户只需“准备前往”即可?Can we send an invitation that is automatically redeemed, so that the user is just “ready to go”? 或者,用户始终需要单击到达兑换 URL?Or does the user always have to click through to the redemption URL?

可以使用 UI、PowerShell 脚本或 API 邀请合作伙伴组织中的其他用户。You can invite other users in the partner organization by using the UI, PowerShell scripts, or APIs. 然后,可以向来宾用户发送指向共享应用的直接链接。You can then send the guest user a direct link to a shared app. 在大多数情况下,不再需要打开电子邮件邀请并单击兑换 URL。In most cases, there's no longer a need to open the email invitation and click a redemption URL. 请参阅 Azure Active Directory B2B 协作邀请兑换See Azure Active Directory B2B collaboration invitation redemption.

受邀合作伙伴使用联合添加自己的本地身份验证时,B2B 协作如何工作?How does B2B collaboration work when the invited partner is using federation to add their own on-premises authentication?

如果合作伙伴具有联合到本地身份验证基础架构的 Azure AD 租户,则会自动实现本地单一登录 (SSO)。If the partner has an Azure AD tenant that is federated to the on-premises authentication infrastructure, on-premises single sign-on (SSO) is automatically achieved. 如果合作伙伴没有 Azure AD 租户,则会为新用户创建 Azure AD 帐户。If the partner doesn't have an Azure AD tenant, an Azure AD account is created for new users.

Azure AD B2B 是否不接受 gmail.com 和 outlook.com 电子邮件地址,此类帐户是否使用 B2C?I thought Azure AD B2B didn't accept gmail.com and outlook.com email addresses, and that B2C was used for those kinds of accounts?

我们将去除 B2B 和企业对消费者 (B2C) 的协作在所支持的标识这方面的差异。We are removing the differences between B2B and business-to-consumer (B2C) collaboration in terms of which identities are supported. 根据所使用的标识决定使用 B2B 还是 B2C 并不是一个合理的原因。The identity used isn't a good reason to choose between using B2B or using B2C. 有关选择协作选项的信息,请参阅在 Azure Active Directory 中比较 B2B 协作和 B2CFor information about choosing your collaboration option, see Compare B2B collaboration and B2C in Azure Active Directory.

是否可以邀请 Azure AD B2C 本地帐户加入 Azure AD 租户进行 B2B 协作?Can an Azure AD B2C local account be invited to an Azure AD tenant for B2B collaboration?

错误。No. Azure AD B2C 本地帐户只能用于登录 Azure AD B2C 租户。An Azure AD B2C local account can only be used to sign in to the Azure AD B2C tenant. 该帐户不能用于登录 Azure AD 租户。The account can't be used to sign into an Azure AD tenant. 不支持邀请 Azure AD B2C 本地帐户加入 Azure AD 租户来进行 B2B 协作。Inviting an Azure AD B2C local account to an Azure AD tenant for B2B collaboration isn't supported.

哪些应用程序和服务支持 Azure B2B 来宾用户?What applications and services support Azure B2B guest users?

所有与 Azure AD 集成的应用程序都可以支持 Azure B2B 来宾用户,但必须使用设置为租户的终结点对来宾用户进行身份验证。All Azure AD-integrated applications can support Azure B2B guest users, but they must use an endpoint set up as a tenant to authenticate guest users.

如果合作伙伴未启用多重身份验证,我们是否可以强制 B2B 来宾用户使用多重身份验证?Can we force multi-factor authentication for B2B guest users if our partners don't have multi-factor authentication?

是的。Yes. 有关详细信息,请参阅 B2B 协作用户的条件访问For more information, see Conditional Access for B2B collaboration users.

在 SharePoint 中,可以为外部用户定义“允许”和“拒绝”列表。In SharePoint, you can define an "allow" or "deny" list for external users. 在 Azure 中是否可以执行此操作?Can we do this in Azure?

是的。Yes. Azure AD B2B 协作支持允许列表和拒绝列表。Azure AD B2B collaboration supports allow lists and deny lists.

使用 Azure AD B2B 需要哪些许可证?What licenses do we need to use Azure AD B2B?

若要了解组织使用 Azure AD B2B 所需的许可证,请参阅外部标识定价For information about what licenses your organization needs to use Azure AD B2B, see External Identities pricing.

后续步骤Next steps