Properties of an Azure Active Directory B2B collaboration user

This article describes the properties and states of the B2B guest user object in Azure Active Directory (Azure AD) before and after invitation redemption. An Azure AD business-to-business (B2B) collaboration user is a user with UserType = Guest. This guest user typically comes from a partner organization and, by default, has limited privileges in the inviting directory.

Depending on the inviting organization's needs, an Azure AD B2B collaboration user can be in one of the following account states:

  • State 1: Homed in an external instance of Azure AD and represented as a guest user in the inviting organization. In this case, the B2B user signs in by using an Azure AD account that belongs to the invited tenant.

  • State 2: Homed in the host organization's on-premises Active Directory and synced with the host organization's Azure AD. You can use Azure AD Connect to sync the partner accounts to the cloud as Azure AD B2B users with UserType = Guest. See Grant locally-managed partner accounts access to cloud resources.

  • State 3: Homed in the host organization's Azure AD with UserType = Guest and credentials that the host organization manages.

    Diagram describing the relationship of the four user states

Now, let's see what an Azure AD B2B collaboration user looks like in Azure AD.

Before invitation redemption

State 1 accounts are the result of inviting guest users to collaborate by using the guest users' own credentials. When the invitation is initially sent to the guest user, an account is created in your directory. This account doesn't have any credentials associated with it, because authentication is performed by the guest user's identity provider. The Source property for the guest user account in your directory is set to Invited user.

Screenshot showing user properties before invitation redemption

After invitation redemption

After the guest user accepts the invitation, the Source property is updated based on the guest user's identity provider.

For guest users in State 1, the Source is External Azure Active Directory.

Guest user in State 1 after invitation redemption

For guest users in State 2 and State 3, the Source property is set to Azure Active Directory or Windows Server Active Directory, as described in the next section.

Key properties of the Azure AD B2B collaboration user

UserType

This property indicates the relationship of the user to the host tenancy. This property can have two values:

  • Member: This value indicates an employee of the host organization and a user on the organization's payroll. For example, this user expects to have access to internal-only sites. This user is not considered an external collaborator.

  • Guest: This value indicates a user who isn't considered internal to the company, such as an external collaborator, partner, or customer. Such a user isn't expected to receive a CEO's internal memo or receive company benefits, for example.

    Note

    The UserType has no relation to how the user signs in, the directory role of the user, and so on. This property simply indicates the user's relationship to the host organization and allows the organization to enforce policies that depend on this property.

Source

This property indicates how the user signs in.

  • Invited User: This user has been invited but has not yet redeemed an invitation.

  • External Azure Active Directory: This user is homed in an external organization and authenticates by using an Azure AD account that belongs to the other organization. This type of sign-in corresponds to State 1.

  • Windows Server Active Directory: This user signs in from on-premises Active Directory that belongs to this organization. This type of sign-in corresponds to State 2.

  • Azure Active Directory: This user authenticates by using an Azure AD account that belongs to this organization. This type of sign-in corresponds to State 3.

    Note

    Source and UserType are independent properties. A value of Source does not imply a particular value for UserType.

Can Azure AD B2B users be added as members instead of guests?

Typically, an Azure AD B2B user and a guest user are synonymous. Therefore, an Azure AD B2B collaboration user is added as a user with UserType = Guest by default. However, in some cases, the partner organization is a member of a larger organization to which the host organization also belongs. If so, the host organization might want to treat users in the partner organization as members instead of guests. Use the Azure AD B2B Invitation Manager APIs to add or invite a user from the partner organization to the host organization as a member.

Filter for guest users in the directory

Screenshot showing the filter for guest users

Convert UserType

It's possible to convert UserType from Member to Guest and vice versa by using PowerShell. However, the UserType property represents the user's relationship to the organization. Therefore, you should change this property only if the relationship of the user to the organization changes. If the relationship of the user changes, should the user principal name (UPN) change? Should the user continue to have access to the same resources? Should a mailbox be assigned? We don't recommend changing the UserType by using PowerShell as an atomic activity. Also, in case this property becomes immutable by using PowerShell, we don't recommend taking a dependency on this value.

Remove guest user limitations

There may be cases where you want to give your guest users higher privileges. You can add a guest user to any role and even remove the default guest user restrictions in the directory to give a user the same privileges as members.

It's possible to turn off the default limitations so that a guest user in the company directory has the same permissions as a member user.
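Because guests can be added to any directory role, the filter for guest users above and the role grants described in this section are worth reviewing together. The following script is an added example, not part of the original article; it assumes the AzureAD PowerShell module and an already signed-in session (Connect-AzureAD), and lists every guest with its redemption state and any directory roles it holds.

```powershell
# Added example (not from the article): audit B2B guest accounts in the inviting tenant.
# Assumes the AzureAD PowerShell module and an existing Connect-AzureAD session.

# 1. Filter the directory for guest users (UserType = Guest). UserState records whether
#    the invitation has been redeemed yet (PendingAcceptance or Accepted).
$guests = Get-AzureADUser -Filter "userType eq 'Guest'" -All $true

# 2. Build a lookup of every activated directory role and its current members, so that a
#    guest which has been added to a privileged role stands out in the report.
$rolesByMember = @{}
foreach ($role in Get-AzureADDirectoryRole) {
    foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        if (-not $rolesByMember.ContainsKey($member.ObjectId)) {
            $rolesByMember[$member.ObjectId] = @()
        }
        $rolesByMember[$member.ObjectId] += $role.DisplayName
    }
}

# 3. One row per guest; role holders and unredeemed invitations are flagged explicitly.
$report = foreach ($g in $guests) {
    [pscustomobject]@{
        UserPrincipalName = $g.UserPrincipalName
        Mail              = $g.Mail
        UserType          = $g.UserType
        UserState         = $g.UserState      # PendingAcceptance = invited, not yet redeemed
        CreationType      = $g.CreationType   # 'Invitation' for invited (State 1) guests
        DirectoryRoles    = ($rolesByMember[$g.ObjectId] -join '; ')
        HasDirectoryRole  = $rolesByMember.ContainsKey($g.ObjectId)
    }
}

# Guests holding directory roles are listed first for review.
$report | Sort-Object HasDirectoryRole -Descending | Format-Table -AutoSize
```

Run it before and after loosening guest restrictions so that any guest with member-equivalent permissions or a directory role is a deliberate, documented decision.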

Screenshot showing the External users option in User settings

Can I make guest users visible in the Exchange Global Address List?

Yes. By default, guest objects aren't visible in your organization's global address list, but you can use Azure Active Directory PowerShell to make them visible. For details, see Can I make guest objects visible in the global address list? in Manage guest access in Office 365 Groups.

Can I update a guest user's email address?

If a guest user accepts your invitation and subsequently changes their email address, the new email doesn't automatically sync to the guest user object in your directory. The mail property is created via the Microsoft Graph API. You can update the mail property via the Microsoft Graph API, the Exchange admin center, or Exchange Online PowerShell. The change will be reflected in the Azure AD guest user object.
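The Graph API route described above, as an added example that is not part of the original article. It assumes `$token` holds a bearer token for an account permitted to update users and `$guestId` is the guest's object id (both placeholders); the new address is a constructed sample value.

```powershell
# Added example (not from the article): update a guest user's mail property through the
# Microsoft Graph API and read it back to confirm the guest object reflects the change.
# $token and $guestId are placeholders supplied by the operator.
$headers = @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }
$userUri = "https://graph.microsoft.com/v1.0/users/$guestId"
$newMail = 'guest.new@partner.example'   # constructed sample address

# PATCH only the mail attribute; every other property on the object is left untouched.
$body = @{ mail = $newMail } | ConvertTo-Json
Invoke-RestMethod -Method Patch -Uri $userUri -Headers $headers -Body $body

# Read back the guest object and verify the address was stored, since the change is not
# propagated automatically from the guest's home tenant.
$selectUri = $userUri + '?$select=id,userPrincipalName,mail,userType'
$user = Invoke-RestMethod -Method Get -Uri $selectUri -Headers $headers
if ($user.mail -ne $newMail) {
    throw "mail property was not updated for $($user.userPrincipalName)"
}
$user
```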

Next steps