Dynamic groups and Azure Active Directory B2B collaboration

What are dynamic groups?

Dynamic configuration of security group membership for Azure Active Directory (Azure AD) is available in the Azure portal. Administrators can set rules to populate groups that are created in Azure AD based on user attributes (such as userType, department, or country/region). Members can be automatically added to or removed from a security group based on their attributes. These groups can provide access to applications or cloud resources (SharePoint sites, documents) and can be used to assign licenses to members. Read more about dynamic groups in Dedicated groups in Azure Active Directory.

The appropriate Azure AD Premium P1 or P2 licensing is required to create and use dynamic groups. Learn more in the article Create attribute-based rules for dynamic group membership in Azure Active Directory.

Creating an "all users" dynamic group

You can create a group containing all users within a tenant using a membership rule. When users are added to or removed from the tenant in the future, the group's membership is adjusted automatically.

  1. Sign in to the Azure portal with an account that is assigned the Global administrator or User administrator role in the tenant.

  2. Select Azure Active Directory.

  3. Under Manage, select Groups, and then select New group.

  4. On the New Group page, under Group type, select Security. Enter a Group name and Group description for the new group.

  5. Under Membership type, select Dynamic User, and then select Add dynamic query.

  6. Above the Rule syntax text box, select Edit. On the Edit rule syntax page, type the following expression in the text box:

    user.objectId -ne null
    
  7. Select OK. The rule appears in the Rule syntax box:

    [Image: rule syntax for the "all users" dynamic group]

  8. Select Save. The new dynamic group will now include B2B guest users as well as member users.

  9. Select Create on the New group page to create the group.

Creating a group of members only

If you want your group to exclude guest users and include only members of your tenant, create a dynamic group as described above, but in the Rule syntax box, enter the following expression:

(user.objectId -ne null) and (user.userType -eq "Member")

The following image shows the rule syntax for a dynamic group modified to include members only and exclude guests.

[Image: rule with userType equal to "Member"]

Creating a group of guests only

You might also find it useful to create a new dynamic group that contains only guest users, so that you can apply policies (such as Azure AD Conditional Access policies) to them. Create a dynamic group as described above, but in the Rule syntax box, enter the following expression:

(user.objectId -ne null) and (user.userType -eq "Guest")

The following image shows the rule syntax for a dynamic group modified to include guests only and exclude member users.

[Image: rule with userType equal to "Guest"]
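Because the "all users" rule above silently includes B2B guests, it helps to preview what each rule will do before saving it. The following added example (not from this page or from Microsoft) evaluates the three rules shown in this article against a small constructed set of user records; it supports only the subset of rule syntax used here (user.<attr>, -eq, -ne, quoted strings, null, "and", parentheses) and treats string comparison as exact, which is a simplification of this example.

```python
import re

# Constructed sample directory (not tenant data): a member, a B2B guest, and a
# record with no objectId, which the "-ne null" guard in every rule must drop.
USERS = [
    {"objectId": "<guid-1>", "userType": "Member", "displayName": "alice"},
    {"objectId": "<guid-2>", "userType": "Guest", "displayName": "bob"},
    {"objectId": None, "userType": "Member", "displayName": "unprovisioned"},
]
RULE_ALL_USERS = 'user.objectId -ne null'
RULE_MEMBERS_ONLY = '(user.objectId -ne null) and (user.userType -eq "Member")'
RULE_GUESTS_ONLY = '(user.objectId -ne null) and (user.userType -eq "Guest")'

# Subset of the rule syntax this page uses: user.<attr>, -eq / -ne,
# double-quoted strings, null, "and", and parentheses.
TOKEN = re.compile(r'\(|\)|"[^"]*"|-eq|-ne|\band\b|\bnull\b|user\.\w+')

def tokenize(rule):
    tokens = TOKEN.findall(rule)
    if re.sub(r"\s", "", "".join(tokens)) != re.sub(r"\s", "", rule):
        raise ValueError(f"unsupported rule syntax: {rule!r}")  # something unmatched
    return tokens

def parse_expr(tokens):  # expr := atom ('and' atom)*
    node = parse_atom(tokens)
    while tokens and tokens[0] == "and":
        tokens.pop(0)
        node = ("and", node, parse_atom(tokens))
    return node

def parse_atom(tokens):  # atom := '(' expr ')' | user.<attr> (-eq|-ne) value
    tok = tokens.pop(0)
    if tok == "(":
        node = parse_expr(tokens)
        if not tokens or tokens.pop(0) != ")":
            raise ValueError("missing ')'")
        return node
    op, value = tokens.pop(0), tokens.pop(0)
    return (op, tok[len("user."):], None if value == "null" else value.strip('"'))

def evaluate(node, user):
    op = node[0]
    if op == "and":
        return evaluate(node[1], user) and evaluate(node[2], user)
    actual = user.get(node[1])  # a missing attribute counts as null
    return actual == node[2] if op == "-eq" else actual != node[2]

def members(rule, users=USERS):
    """displayNames of the users the rule would place in the group."""
    tree = parse_expr(tokenize(rule))
    return [u["displayName"] for u in users if evaluate(tree, u)]
```

Running members() on each rule shows that only the "Member" and "Guest" variants separate the two populations; the "all users" rule admits the guest as well.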

Next steps