Govern access for external users in Azure AD entitlement management

Azure AD entitlement management uses Azure AD business-to-business (B2B) to collaborate with people outside your organization in another directory. With Azure AD B2B, external users authenticate to their home directory but have a representation in your directory. The representation in your directory enables the user to be assigned access to your resources.

This article describes the settings you can specify to govern access for external users.

How entitlement management can help

When using the Azure AD B2B invite experience, you must already know the email addresses of the external guest users you want to bring into your resource directory and work with. This works well when you're working on a smaller or short-term project and already know all the participants, but it is harder to manage if you have many users you want to work with or if the participants change over time. For example, you might be working with another organization and have one point of contact there, but over time additional users from that organization will also need access.

With entitlement management, you can define a policy that allows users from organizations you specify to self-request an access package. You can specify whether approval is required and an expiration date for the access. If approval is required, you can also invite one or more users from the external organization to your directory and designate them as approvers, since they are likely to know which external users from their organization need access. Once you have configured the access package, you can send the access package's link to your contact person (sponsor) at the external organization. That contact can share it with other users in the external organization, and they can use the link to request the access package. Users from that organization who have already been invited into your directory can also use that link.

When a request is approved, entitlement management provisions the user with the necessary access, which may include inviting the user if they're not already in your directory. Azure AD automatically creates a B2B guest account for them. Note that an administrator may have previously limited which organizations are permitted for collaboration by setting a B2B allow or deny list to allow or block invitations to other organizations. If the user is not permitted by the allow or deny list, they will not be invited.

Since you do not want the external user's access to last forever, you specify an expiration date in the policy, such as 180 days. After 180 days, if their access is not extended, entitlement management removes all access associated with that access package. By default, if a user who was invited through entitlement management has no other access package assignments, then when they lose their last assignment, their guest account is blocked from signing in for 30 days and subsequently removed. This prevents the proliferation of unnecessary accounts. As described in the following sections, these settings are configurable.

How access works for external users

The following diagram and steps provide an overview of how external users are granted access to an access package.

[Diagram showing the lifecycle of external users]

  1. You add a connected organization for the Azure AD directory or domain you want to collaborate with.

  2. You create an access package in your directory that includes a policy of the type "For users not in your directory".

  3. You send a My Access portal link to your contact at the external organization, which they can share with their users to request the access package.

  4. An external user (Requestor A in this example) uses the My Access portal link to request access to the access package. How the user signs in depends on the authentication type of the directory or domain defined in the connected organization.

  5. An approver approves the request (or the request is auto-approved).

  6. The request goes into the delivering state.

  7. Using the B2B invite process, a guest user account is created in your directory (Requestor A (Guest) in this example). If an allow list or a deny list is defined, the list setting is applied.

  8. The guest user is assigned access to all of the resources in the access package. It can take some time for changes to be made in Azure AD and to other Microsoft Online Services or connected SaaS applications. For more information, see When changes are applied.

  9. The external user receives an email indicating that their access was delivered.

  10. To access the resources, the external user can either click the link in the email or attempt to access any of the directory resources directly to complete the invitation process.

  11. Depending on the policy settings, as time passes, the access package assignment for the external user expires, and the external user's access is removed.

  12. Depending on the lifecycle of external users settings, when the external user no longer has any access package assignments, the external user is blocked from signing in and the guest user account is removed from your directory.

Settings for external users

To ensure people outside of your organization can request access packages and get access to the resources in those access packages, there are some settings that you should verify are properly configured.

Enable catalog for external users

  • By default, when you create a new catalog, it is enabled to allow external users to request access packages in the catalog. Make sure Enabled for external users is set to Yes.

    [Image: Edit catalog settings]

Configure your Azure AD B2B external collaboration settings

  • Allowing guests to invite other guests to your directory means that guest invitations can occur outside of entitlement management. We recommend setting Guests can invite to No so that only properly governed invitations are allowed.

  • If you are using the B2B allow list, you must make sure any domain you want to partner with through entitlement management is added to the list. Likewise, if you are using the B2B deny list, you must make sure any domain you want to partner with is not on the list.

  • If you create an entitlement management policy for All users (All connected organizations + any new external users), any B2B allow or deny list settings you have take precedence. Therefore, be sure to add the domains you intend to include in this policy to your allow list if you use one, and to exclude them from your deny list if you use one.

  • For more information about Azure AD B2B external collaboration settings, see Enable B2B external collaboration and manage who can invite guests.

    [Image: Azure AD external collaboration settings]
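The two checks in the bullets above (guests should not be able to invite other guests, and every partner domain must pass the allow or deny list) can be scripted. The following is an added example, not code from the original article or from Microsoft: it reads the tenant's guest invite setting from the Microsoft Graph authorization policy (the allowInvitesFrom property backs the portal's "Guest invite settings"; "everyone" is the value at which guests can invite) and then evaluates a constructed list of partner domains against a constructed allow list. The Test-PartnerDomains function is purely local and runs offline; Get-GuestInviteSetting needs the Microsoft.Graph.Authentication module and the Policy.Read.All permission.

```powershell
# Added example (not from the original article). Audits the B2B guest-invite
# setting via Microsoft Graph and checks partner domains against an allow or
# deny list. The domain lists used at the bottom are constructed sample data;
# in a real tenant copy them from External collaboration settings.

function Get-GuestInviteSetting {
    # allowInvitesFrom values: none, adminsAndGuestInviters,
    # adminsGuestInvitersAndAllMembers, everyone. Only "everyone" lets guests
    # invite other guests, i.e. invitations outside entitlement management.
    Connect-MgGraph -Scopes 'Policy.Read.All'
    $policy = Invoke-MgGraphRequest -Method GET `
        -Uri 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy'
    [pscustomobject]@{
        AllowInvitesFrom = $policy.allowInvitesFrom
        GuestsCanInvite  = ($policy.allowInvitesFrom -eq 'everyone')
    }
}

function Test-PartnerDomains {
    param(
        [string[]]$PartnerDomains,      # domains of your connected organizations
        [string[]]$AllowList = @(),     # non-empty when the tenant uses an allow list
        [string[]]$DenyList  = @()      # non-empty when the tenant uses a deny list
    )
    $allow = @($AllowList | ForEach-Object { $_.ToLowerInvariant() })
    $deny  = @($DenyList  | ForEach-Object { $_.ToLowerInvariant() })
    foreach ($domain in $PartnerDomains) {
        $d = $domain.ToLowerInvariant()
        $blocked = $false
        $reason  = 'permitted'
        # An allow list blocks everything not on it; a deny list blocks only its entries.
        if ($allow.Count -gt 0 -and $d -notin $allow) {
            $blocked = $true; $reason = 'missing from allow list'
        }
        if ($d -in $deny) {
            $blocked = $true; $reason = 'present on deny list'
        }
        [pscustomobject]@{ Domain = $domain; InvitesBlocked = $blocked; Reason = $reason }
    }
}

# Constructed sample: an allow-list tenant whose admin forgot one partner domain.
$partners  = @('contoso.com', 'fabrikam.com')
$allowList = @('contoso.com')
Test-PartnerDomains -PartnerDomains $partners -AllowList $allowList | Format-Table -AutoSize
# fabrikam.com is reported as 'missing from allow list': a request from that
# connected organization could be approved, but the invitation would never be sent.

# Live tenant check (interactive sign-in):
# Get-GuestInviteSetting
```

Run Test-PartnerDomains against the domains of every connected organization before you publish an access package link to a new partner; a domain that is blocked here fails silently at step 7 of the lifecycle above, after the approver has already said yes.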

Review your Conditional Access policies

  • Make sure to exclude guests from any Conditional Access policies that new guest users will not be able to meet, as such policies block them from signing in to your directory. For example, guests likely don't have a registered device, aren't in a known location, and don't want to re-register for multi-factor authentication (MFA), so adding these requirements in a Conditional Access policy blocks guests from using entitlement management. For more information, see What are conditions in Azure Active Directory Conditional Access?

    [Image: Azure AD Conditional Access policy exclude settings]
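To find the policies the bullet above warns about, you can enumerate the tenant's Conditional Access policies through Microsoft Graph and flag the enabled ones that include guests in scope without excluding them and that require a control a newly invited guest usually cannot satisfy. The following is an added example, not code from the original article or from Microsoft; it relies on the Graph conditionalAccessPolicy schema (conditions.users.includeUsers/excludeUsers, where "All" and the "GuestsOrExternalUsers" pseudo-group are the older way to target guests and includeGuestsOrExternalUsers/excludeGuestsOrExternalUsers the newer one, and grantControls.builtInControls). It needs the Microsoft.Graph.Authentication module and the Policy.Read.All permission.

```powershell
# Added example (not from the original article). Lists enabled Conditional
# Access policies that apply to guests and require MFA, a compliant or
# hybrid-joined device, or an outright block, which are the controls a freshly
# invited guest typically cannot meet.

function Find-GuestBlockingCAPolicies {
    Connect-MgGraph -Scopes 'Policy.Read.All'
    $resp = Invoke-MgGraphRequest -Method GET `
        -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'

    foreach ($p in $resp.value) {
        if ($p.state -ne 'enabled') { continue }   # skip report-only and disabled
        $users = $p.conditions.users

        # Guests are in scope when the policy targets all users or the guest
        # pseudo-group (older string form or newer object form) ...
        $targetsGuests = ($users.includeUsers -contains 'All') -or
                         ($users.includeUsers -contains 'GuestsOrExternalUsers') -or
                         ($null -ne $users.includeGuestsOrExternalUsers)
        # ... and are out of scope when explicitly excluded.
        $excludesGuests = ($users.excludeUsers -contains 'GuestsOrExternalUsers') -or
                          ($null -ne $users.excludeGuestsOrExternalUsers)
        if (-not $targetsGuests -or $excludesGuests) { continue }

        $hardControls = @($p.grantControls.builtInControls) | Where-Object {
            $_ -in @('mfa', 'compliantDevice', 'domainJoinedDevice', 'block')
        }
        if (@($hardControls).Count -eq 0) { continue }

        $locationNote = 'any location'
        if ($p.conditions.locations) { $locationNote = 'location condition set' }

        [pscustomobject]@{
            Policy    = $p.displayName
            Controls  = (@($hardControls) -join ', ')
            Locations = $locationNote
        }
    }
}

# Each row is a policy that will stop a new B2B guest at step 10 of the lifecycle
# (completing the invitation) unless guests are added to its exclusions.
Find-GuestBlockingCAPolicies | Format-Table -AutoSize
```

The output is a review list, not a verdict: a policy that requires MFA for guests may be exactly what you want, in which case the mitigation is to let guests register MFA rather than to exclude them. What the list catches is the case the article describes, where the requirement was written for employees and nobody noticed it also applies to every guest that entitlement management invites.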

Review your SharePoint Online external sharing settings

  • If you want to include SharePoint Online sites in your access packages for external users, make sure that your organization-level external sharing setting is set to Anyone (users don't require sign in) or New and existing guests (guests must sign in or provide a verification code). For more information, see Turn external sharing on or off.

  • If you want to restrict any external sharing outside of entitlement management, you can set the external sharing setting to Existing guests. Then, only new users who are invited through entitlement management will be able to gain access to these sites. For more information, see Turn external sharing on or off.

  • Make sure that the site-level settings enable guest access (same option selections as previously listed). For more information, see Turn external sharing on or off for a site.

Review your Microsoft 365 group sharing settings

Review your Teams sharing settings

Manage the lifecycle of external users

You can select what happens when an external user, who was invited to your directory through an access package request being approved, no longer has any access package assignments. This can happen if the user relinquishes all their access package assignments or their last access package assignment expires. By default, when an external user no longer has any access package assignments, they are blocked from signing in to your directory. After 30 days, their guest user account is removed from your directory.

Prerequisite role: Global administrator or User administrator

  1. In the Azure portal, click Azure Active Directory and then click Identity Governance.

  2. In the left menu, in the Entitlement management section, click Settings.

  3. Click Edit.

    [Image: Settings to manage the lifecycle of external users]

  4. In the Manage the lifecycle of external users section, select the settings for external users.

  5. If you want to block an external user from signing in to this directory once they lose their last assignment to any access package, set Block external user from signing in to this directory to Yes.

    Note

    If a user is blocked from signing in to this directory, the user will be unable to re-request the access package or request additional access in this directory. Do not configure blocking them from signing in if they will subsequently need to request access to other access packages.

  6. If you want to remove an external user's guest user account from this directory once they lose their last assignment to any access package, set Remove external user to Yes.

    Note

    Entitlement management only removes accounts that were invited through entitlement management. Also note that a user will be blocked from signing in and removed from this directory even if that user was added to resources in this directory that were not access package assignments. If the guest was present in this directory prior to receiving access package assignments, they will remain. However, if the guest was invited through an access package assignment and after being invited was also assigned to a OneDrive for Business or SharePoint Online site, they will still be removed.

  7. If you want to remove the guest user account from this directory, you can set the number of days before it is removed. If you want to remove the guest user account as soon as they lose their last assignment to any access package, set Number of days before removing external user from this directory to 0.

  8. Click Save.
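The same two switches and the day count from steps 5 to 7 are exposed as the entitlement management settings singleton in Microsoft Graph, which makes it possible to read them back and enforce them from a script rather than by hand. The following is an added example, not code from the original article or from Microsoft. It assumes the v1.0 entitlementManagementSettings resource, whose externalUserLifecycleAction property takes none, blockSignIn or blockSignInAndDelete and whose durationUntilExternalUserDeletedAfterBlocked property is an ISO 8601 duration; that the portal's day count maps to a duration of the form P<n>D is my assumption. It needs the Microsoft.Graph.Authentication module and the EntitlementManagement.ReadWrite.All permission.

```powershell
# Added example (not from the original article). Reads and sets the
# "Manage the lifecycle of external users" settings through Microsoft Graph.
#   externalUserLifecycleAction:
#     none                 - neither block nor remove
#     blockSignIn          - "Block external user from signing in" = Yes
#     blockSignInAndDelete - block, and "Remove external user" = Yes
#   durationUntilExternalUserDeletedAfterBlocked:
#     ISO 8601 duration for "Number of days before removing external user";
#     mapping days to "P<n>D" is an assumption of this example.

$settingsUri = 'https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/settings'

function Get-ExternalUserLifecycleSetting {
    $s = Invoke-MgGraphRequest -Method GET -Uri $settingsUri
    [pscustomobject]@{
        Action             = $s.externalUserLifecycleAction
        DeleteAfterBlocked = $s.durationUntilExternalUserDeletedAfterBlocked
    }
}

function Set-ExternalUserLifecycleSetting {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('none', 'blockSignIn', 'blockSignInAndDelete')]
        [string]$Action,
        [ValidateRange(0, 3650)]
        [int]$DaysUntilDeleted = 30
    )
    $body = @{
        externalUserLifecycleAction                  = $Action
        durationUntilExternalUserDeletedAfterBlocked = "P${DaysUntilDeleted}D"
    }
    # Invoke-MgGraphRequest serialises a hashtable body to JSON.
    Invoke-MgGraphRequest -Method PATCH -Uri $settingsUri -Body $body -ContentType 'application/json'
}

Connect-MgGraph -Scopes 'EntitlementManagement.ReadWrite.All'

'Before:'; Get-ExternalUserLifecycleSetting
# Enforce the article's default: block sign-in, then remove the guest 30 days later.
Set-ExternalUserLifecycleSetting -Action blockSignInAndDelete -DaysUntilDeleted 30
'After:';  Get-ExternalUserLifecycleSetting
```

Keep the note under step 5 in mind when choosing the action: blockSignIn and blockSignInAndDelete both stop the guest from requesting any further access package, so a tenant that expects partners to move between access packages over time should leave the action at none and rely on assignment expiry alone.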

Next steps