通过 Azure Active Directory B2B 协作转换到受管控的协作Transition to governed collaboration with Azure Active Directory B2B collaboration

使协作受控是确保对资源进行的外部访问安全的关键。Getting your collaboration under control is key to securing external access to your resources. 继续阅读本文之前,请确保满足以下条件:Before going forward with this article, be sure that you have:

完成这些事项后,就已准备就绪,可以转换到受控协作了。Once you’ve done those things, you're ready to move into controlled collaboration. 本文会指导你将所有外部协作转换到 Azure Active Directory B2B 协作 (Azure AD B2B)。This article will guide you to move all your external collaboration into Azure Active Directory B2B collaboration (Azure AD B2B). Azure AD B2B 是 Azure AD 外部标识的一项功能。Azure Ad B2B is a feature of Azure AD External Identities.

控制组织的协作方Control who your organization collaborates with

你必须决定是否对用户可以与哪些组织协作以及组织中的哪些用户可以发起协作进行限制。You must decide whether to limit which organizations your users can collaborate with, and who within your organization can initiate collaboration. 大多数组织采取的方法是允许业务单位决定与谁协作,并根据需要委托审批和监督权限。Most organizations take the approach of permitting business units to decide with whom they collaborate, and delegating the approval and oversight as needed. 例如,一些教育和金融服务组织不允许开放式协作。For example, some education, and financial services organizations don't permit open collaboration. 你可能希望使用 Azure AD 功能来确定协作范围,如本节的其余部分所述。You may wish to use the Azure AD features to scope collaboration, as discussed in the rest of this section.

确定协作伙伴Determine collaboration partners

首先,请确保你已记录当前的协作组织,以及这些组织的用户的域。First, ensure you've documented the organizations you're currently collaborating with, and the domains for those organizations' users. 一个协作伙伴可能有多个域。One collaboration partner may have multiple domains. 例如,一个伙伴可能有多个业务单位,这些业务单位的域各不相同。For example, a partner may have multiple business units with separate domains.

接下来,确定是否要启用将来与以下域的协作:Next, determine if you want to enable future collaboration with

  • 任何域(包容性最高)any domain (most inclusive)

  • 除了明确拒绝的域之外的所有域all domains except those explicitly denied

  • 仅特定域(限制性最强)only specific domains (most restrictive)


协作设置的限制性越强,用户超出批准的协作框架的可能性越大。The more restrictive your collaboration settings, the more likely that your users will go outside of your approved collaboration framework. 建议你启用安全需求所允许的最广泛的协作,并密切审查该协作,而不必过于严格。We recommend enabling the broadest collaboration your security needs will allow, and closely reviewing that collaboration rather than being overly restrictive.

另请注意,限于单一域可能会无意中阻止与组织进行的已授权协作,这些组织有其他用于用户的不相关域。Also note that limiting to a single domain may inadvertently prevent authorized collaboration with organizations, which have other unrelated domains for their users. 例如,如果与 Contoso 组织开展业务,则与 Contoso 的初始联系点可能是电子邮件域为“.com”的美国员工之一。For example, if doing business with an organization Contoso, the initial point of contact with Contoso might be one of their US-based employees who has an email with a ".com" domain. 但是,如果只允许“.com”域,则可能会无意中忽略域为“.ca”的加拿大员工。However if you only allow the ".com" domain you may inadvertently omit their Canadian employees who have ".ca" domain.

在某些情况下,你希望只允许特定的协作伙伴。There are circumstances in which you would want to only allow specific collaboration partners. 例如,大学系统可能只希望允许自己的教职员工访问资源租户。For example, a university system may only want to allow their own faculty access to a resource tenant. 又比如,集团可能只希望允许特定的子公司按照所需框架互相协作。Or a conglomerate may only want to allow specific subsidiaries to collaborate with each other to achieve compliance with a required framework.

使用允许列表和拒绝列表Using allow and deny lists

可以使用允许列表或拒绝列表,以便限制向特定组织中的 B2B 用户发送邀请You can use an allow list or deny list to restrict invitations to B2B users from specific organizations. 只能使用允许列表或拒绝列表,二者不能同时使用。You can use only an allow or a deny list, not both.

  • 允许列表将协作范围限制为仅列出的那些域;所有其他域实际上是在拒绝列表中。An allow list limits collaboration to only those domains listed; all other domains are effectively on the deny list.

  • 拒绝列表允许与不在拒绝列表中的任何域协作。A deny list allows collaboration with any domain not on the deny list.


这些列表不适用于已在你的目录中的用户。These lists do not apply to users who are already in your directory. 这些列表也不适用于 OneDrive for Business 和 SharePoint 的允许/拒绝列表,它们是独立的。They also do not apply to OneDrive for Business and SharePoint allow deny lists which are separate.

某些组织使用一个列表,其中包含托管安全提供程序为这些组织的拒绝列表提供的已知“恶意行动者”域。Some organizations use a list of known ‘bad actor’ domains provided by their managed security provider for their deny list. 例如,如果组织与使用 .com 域的 Contoso 合法开展业务,则可能存在一个不相关的组织,该组织一直在使用 Contoso 的 .org 域并尝试通过网络钓鱼攻击来模拟 Contoso 员工。For example, if the organization is legitimately doing business with Contoso and using a .com domain, there may be an unrelated organization that has been using the Contoso .org domain and attempting a phishing attack to impersonate Contoso employees.

控制外部用户获取访问权限的方式Control how external users gain access

可以使用 Azure AD B2B 通过多种方式与外部合作伙伴协作。There are many ways to collaborate with external partners using Azure AD B2B. 若要开始协作,可以通过邀请的方式或其他方式让合作伙伴可以访问你的资源。To begin collaboration, you invite or otherwise enable your partner to access your resources. 用户可通过对以下事项进行响应来获取访问权限:Users can gain access by responding to :

启用 Azure AD B2B 后,默认情况下可以通过直接链接和电子邮件邀请来邀请来宾用户。When you enable Azure AD B2B, you enable the ability to invite guest users via direct links and email invitations by default. 通过电子邮件 OTP 和自助服务门户进行的邀请目前为预览版,必须在 Azure AD 门户的“外部标识 | 外部协作设置”中启用。Invitations via Email OTP and a self-service portal are currently in preview and must be enabled within the External Identities | External collaboration settings in the Azure AD portal.

控制谁可以邀请来宾用户Control who can invite guest users

确定谁可以邀请来宾用户访问资源。Determine who can invite guest users to access resources.

  • 最严格的设置是仅允许管理员和那些被授予来宾邀请者角色的用户邀请来宾。The most restrictive setting is to allow only administrators and those users granted the guest inviter role to invite guests.

  • 如果你的安全要求允许,我们建议你允许 userType 为“Member”的所有用户邀请来宾。If your security requirements allow it, we recommend allowing all users with a userType of Member to invite guests.

  • 确定你是否希望 userType 为“Guest”(Azure AD B2B 用户的默认帐户类型)的用户能够邀请其他来宾。Determine if you want users with a userType of Guest, which is the default account type for Azure AD B2B users, to be able to invite other guests.


收集有关外部用户的其他信息Collect additional information about external users

如果使用 Azure AD 权利管理,则可配置要求外部用户回答的问题。If you use Azure AD entitlement management, you can configure questions for external users to answer. 然后,会向审批者显示这些问题,让他们做出决定。The questions will then be shown to approvers to help them make a decision. 你可以为每项访问包策略配置不同的问题集,以便审批者可以获取其审批的访问权限的相关信息。You can configure different sets of questions for each access package policy so that approvers can have relevant information for the access they're approving. 例如,如果一个访问包用于供应商访问权限,则可要求请求者提供其供应商合同号。For example, if one access package is intended for vendor access, then the requestor may be asked for their vendor contract number. 另一个用于供应商的访问包可以要求供应商提供原国籍。A different access package intended for suppliers, may ask for their country of origin.

排查 Azure AD 用户的邀请兑换问题Troubleshoot invitation redemption to Azure AD users

在下面的三种情况下,通过 Azure AD 从协作伙伴处邀请的来宾用户会存在邀请兑换问题。There are three instances when invited guest users from a collaboration partner using Azure AD will have trouble redeeming an invitation.

  • 使用了允许列表,但用户的域未包含在允许列表中。If using an allow list and the user’s domain isn't included in an allow list.

  • 协作伙伴的主租户存在租户限制,导致无法与外部用户协作。If the collaboration partner’s home tenant has tenant restrictions that prevent collaboration with external users..

  • 用户不在协作伙伴的 Azure AD 租户中。If the user isn't part of the partner’s Azure AD tenant. 例如,有 contoso.com 用户只存在于 Active Directory(或其他本地 IdP)中,他们只能通过电子邮件 OTP 过程兑换邀请。For example, there are users at contoso.com who are only in Active Directory (or another on-premises IdP), they'll only be able to redeem invitations via the email OTP process. 有关详细信息,请参阅邀请兑换流for more information, see the invitation redemption flow.

控制外部用户可以访问的内容Control what external users can access

大多数组织不是单一的组织。Most organizations aren't monolithic. 也就是说,有些资源可以与外部用户共享,有些资源不允许外部用户访问。That is, there are some resources that are fine to share with external users, and some you will not want external users to access. 因此,必须控制外部用户可以访问哪些内容。Therefore, you must control what external users access. 请考虑使用权利管理和访问包来控制对特定资源的访问权限Consider using Entitlement management and access packages to control access to specific resources.

默认情况下,来宾用户可以查看有关租户成员和其他合作伙伴的信息和属性,包括组成员身份。By default, guest users can see information and attributes about tenant members and other partners, including group memberships. 请考虑你的安全要求是否要求限制外部用户对该信息的访问。Consider if your security requirements call for limiting external user access to this information.


建议对来宾用户进行以下限制。We recommend the following restrictions for guest users.

  • 将来宾访问权限限制为浏览目录中的组和其他属性Limit guest access to browsing groups and other properties in the directory

    • 使用外部协作设置来限制来宾读取他们不属于的组的能力。Use the external collaboration settings to restrict guest ability to read groups they aren't members of.
  • 阻止访问仅限员工访问的应用。Block access to employee-only apps.

    • 创建条件访问策略,阻止访问那些仅适用于非来宾用户的 Azure AD 集成应用程序。Create a Conditional Access policy to block access to Azure AD-integrated applications that are only appropriate for non-guest users.
  • 阻止访问 Azure 门户。可以设置罕见但必要的例外。Block access to the Azure portal. You can make rare necessary exceptions.

删除不再需要访问权限的用户Remove users who no longer need access

评估当前的访问权限,以便评审和删除不再需要访问权限的用户Evaluate current access so that you can review and remove users who no longer need access. 包括租户中身份为来宾的外部用户,以及那些有成员帐户的用户。Include external users in your tenant as guests, and those with member accounts.

某些组织添加了外部用户(如供应商、合作伙伴和承包商)作为成员。Some organizations added external users such as vendors, partners, and contractors as members. 这些成员可能有特定属性或以下列字符开头的用户名,例如:These members may have a specific attribute, or usernames that begin with, for example

  • v-,代表供应商v- for vendors

  • p-,代表合作伙伴p- for partners

  • c-,代表承包商c- for contractors

评估具有成员帐户的任何外部用户,以确定其是否仍然需要访问权限。Evaluate any external users with member accounts to determine if they still need access. 如果这些用户仍然需要访问权限,请按下一部分所述将他们转换为 Azure AD B2B 用户。If so, transition these users to Azure AD B2B as described in the next section.

你可能还有未通过权利管理或 Azure AD B2B 邀请的来宾用户You may also have guest users who weren't invited through Entitlement Management or Azure AD B2B

若要查找这些用户,可执行以下操作:To find these users, you can:

按下一部分所述将这些用户转换为 Azure AD B2B 用户。Transition these users to Azure AD B2B users as described in the following section.

将当前外部用户转换为 B2B 用户Transition your current external users to B2B

如果你一直未使用 Azure AD B2B,那么你的租户中可能有非员工用户。If you haven’t been using Azure AD B2B, you likely have non-employee users in your tenant. 建议将这些帐户转换为 Azure AD B2B 外部用户帐户,然后将其 UserType 更改为“Guest”。We recommend you transition these accounts to Azure AD B2B external user accounts and then change their UserType to Guest. 这样你就可以利用 Azure AD 和 Microsoft 365 允许你使用的多种方法,以不同方式处理外部用户。This enables you to take advantage of the many ways Azure AD and Microsoft 365 allow you to treat external users differently. 其中一些方法包括:Some of these ways include:

  • 在条件访问策略中轻松地包括或排除来宾用户Easily including or excluding guest users in Conditional Access policies

  • 在访问包和访问评审中轻松地包括或排除来宾用户Easily including or excluding guest users in Access Packages and Access Reviews

  • 轻松地包括或排除对 Teams、SharePoint 等资源的外部访问权限。Easily including or excluding external access to Teams, SharePoint, and other resources.

停用不需要的协作方法Decommission undesired collaboration methods

若要完成转换到受管控协作,应停用不需要的协作方法To complete your transition to governed collaboration, you should decommission undesired collaboration methods. 停用哪些方法取决于你希望 IT 部门对协作施加的控制程度,以及你的安全状况。Which you decommission is based on the degree of control you wish IT to exert over collaboration, and your security posture. 有关 IT 部门与最终用户控制的信息,请参阅确定与外部访问相关的安全状况For information about IT versus end-user control, see Determine your security posture for external access.

下面是你可能需要评估的协作工具。The following are collaboration vehicles you may wish to evaluate.

通过 Microsoft Teams 进行直接邀请Direct invitation through Microsoft Teams

默认情况下,Teams 允许外部访问,这意味着组织可以与所有外部域进行通信。By default Teams allows external access, which means that organization can communicate with all external domains. 如果只需针对 Teams 限制或允许特定域,可以在 Teams 管理门户中这样做。If you want to restrict or allow specific domains just for Teams, you can do so in the Teams Admin portal.

通过 SharePoint 和 OneDrive 进行直接共享Direct sharing through SharePoint and OneDrive

通过 SharePoint 和 OneDrive 进行直接共享可以在权利管理流程之外添加用户。Direct sharing through SharePoint and OneDrive can add users outside of the Entitlement Management process. 若要深入了解这些配置,请参阅使用 Microsoft Teams、SharePoint 和 OneDrive for Business 管理访问权限。你也可以根据需要阻止使用用户的个人 OneDriveFor an in-depth look at these configurations see Manage Access with Microsoft Teams, SharePoint, and OneDrive for business You can also block the use of user’s personal OneDrive if desired.

通过电子邮件发送文档Sending documents through email

用户会通过电子邮件将文档发送给外部用户。Your users will send documents through email to external users. 考虑如何根据需要使用敏感度标签来限制和加密对这些文档的访问权限。Consider how you want to restrict and encrypt access to these documents by using sensitivity labels. 有关详细信息,请参阅“使用敏感度标签管理访问权限”。For more information, see Manage access with Sensitivity labels.

未批准的协作工具Unsanctioned collaboration tools

协作工具的范围很广。The landscape of collaboration tools is vast. 你的用户可能会使用许多非公务功能,包括 Google 文档、DropBox、Slack 或 Zoom 之类的平台。Your users likely use many outside of their official duties, including platforms like Google Docs, DropBox, Slack, or Zoom. 对于组织管理的设备,可以在防火墙级别阻止在企业网络中使用此类工具,也可以通过移动应用程序管理来这样做。It's possible to block the use of such tools from a corporate network at the Firewall level and with mobile application management for organization-managed devices. 但是,这也会阻止这些平台的所有批准的实例,并且不会阻止从非管理的设备进行的访问。However, this will also block any sanctioned instances of these platforms and wouldn't block access from unmanaged devices. 可以根据需要阻止那些你不希望使用的平台,并针对那些需要使用的平台的未批准的使用情况创建业务策略。Block platforms you don’t want any use of if necessary, and create business policies for no unsanctioned usage for the platforms you need to use.

若要详细了解如何管理未批准的应用程序,请参阅:For more information on managing unsanctioned applications, see:

后续步骤Next steps

请参阅以下文章,了解如何保护对资源的外部访问。See the following articles on securing external access to resources. 建议你按列出顺序执行这些操作。We recommend you take the actions in the listed order.

  1. 确定与外部访问相关的安全状况Determine your security posture for external access

  2. 了解当前状况Discover your current state

  3. 创建治理计划Create a governance plan

  4. 使用组进行安全保护Use groups for security

  5. 转换到 Azure AD B2B(你在这里。)Transition to Azure AD B2B (You are here.)

  6. 通过权利管理实现安全访问Secure access with Entitlement Management

  7. 通过条件访问策略实现安全访问Secure access with Conditional Access policies

  8. 通过敏感度标签实现安全访问Secure access with Sensitivity labels

  9. 实现对 Microsoft Teams、OneDrive 和 SharePoint 的安全访问Secure access to Microsoft Teams, OneDrive, and SharePoint