Add a connected organization in Azure AD entitlement management

With Azure Active Directory (Azure AD) entitlement management, you can collaborate with people outside your organization. If you frequently collaborate with users in an external Azure AD directory or domain, you can add them as a connected organization. This article describes how to add a connected organization so that you can allow users outside your organization to request resources in your directory.

What is a connected organization?

A connected organization is another organization that you have a relationship with. In order for the users in that organization to be able to access your resources, such as your SharePoint Online sites or apps, you'll need a representation of that organization's users in your directory. Because in most cases the users in that organization aren't already in your Azure AD directory, you can use entitlement management to bring them into your Azure AD directory as needed.

There are three ways that entitlement management lets you specify the users that form a connected organization. They can be:

  • users in another Azure AD directory,
  • users in another non-Azure AD directory that has been configured for direct federation, or
  • users in another non-Azure AD directory whose email addresses all share the same domain name.

For example, suppose you work at Woodgrove Bank and you want to collaborate with two external organizations. These two organizations have different configurations:

  • Graphic Design Institute uses Azure AD, and their users have a user principal name that ends with graphicdesigninstitute.com.
  • Contoso does not yet use Azure AD. Contoso users have a user principal name that ends with contoso.com.

In this case, you can configure two connected organizations: one for Graphic Design Institute and one for Contoso. If you then add the two connected organizations to a policy, users from each organization with a user principal name that matches the policy can request access packages. Users with a user principal name whose domain is graphicdesigninstitute.com would match the Graphic Design Institute connected organization and be allowed to submit requests. Users with a user principal name whose domain is contoso.com would match the Contoso connected organization and would also be allowed to request packages. And, because Graphic Design Institute uses Azure AD, any users with a principal name that matches a verified domain added to their tenant, such as graphicdesigninstitute.example, would also be able to request access packages by using the same policy.

(Screenshot: example of a connected organization)

How users from the Azure AD directory or domain authenticate depends on the authentication type. The authentication types for connected organizations are:

  • Azure AD

Add a connected organization

To add an external Azure AD directory or domain as a connected organization, follow the instructions in this section.

Prerequisite role: Global administrator or User administrator

  1. In the Azure portal, select Azure Active Directory, and then select Identity Governance.

  2. In the left pane, select Connected organizations, and then select Add connected organization.

    (Screenshot: "Add connected organization" button)

  3. Select the Basics tab, and then enter a display name and description for the organization.

    (Screenshot: "Add connected organization" Basics pane)

  4. The state will automatically be set to Configured when you create a new connected organization. For more information about state properties, see State properties of connected organizations.

  5. Select the Directory + domain tab, and then select Add directory + domain.

    The Select directories + domains pane opens.

  6. In the search box, enter a domain name to search for the Azure AD directory or domain. Be sure to enter the entire domain name.

  7. Verify that the organization name and authentication type are correct. How users sign in depends on the authentication type.

    (Screenshot: "Select directories + domains" pane)

  8. Select Add to add the Azure AD directory or domain. Currently, you can add only one Azure AD directory or domain per connected organization.

    Note

    All users from the Azure AD directory or domain will be able to request this access package. This includes users in Azure AD from all subdomains associated with the directory, unless those domains are blocked by the Azure AD business-to-business (B2B) allow or deny list. For more information, see Allow or block invitations to B2B users from specific organizations.

  9. After you've added the Azure AD directory or domain, select Select.

    The organization appears in the list.

    (Screenshot: "Directory + domain" pane)

  10. Select the Sponsors tab, and then add optional sponsors for this connected organization.

    Sponsors are internal or external users already in your directory who are the point of contact for the relationship with this connected organization. Internal sponsors are member users in your directory. External sponsors are guest users from the connected organization who were previously invited and are already in your directory. Sponsors can be used as approvers when users in this connected organization request access to this access package. For information about how to invite a guest user to your directory, see Add Azure Active Directory B2B collaboration users in the Azure portal.

    When you select Add/Remove, a pane opens in which you can choose internal or external sponsors. The pane displays an unfiltered list of users and groups in your directory.

    (Screenshot: "Sponsors" pane)

  11. Select the Review + create tab, review your organization settings, and then select Create.

    (Screenshot: "Review + create" pane)

Update a connected organization

If the connected organization changes to a different domain, the organization's name changes, or you want to change the sponsors, you can update the connected organization by following the instructions in this section.

Prerequisite role: Global administrator or User administrator

  1. In the Azure portal, select Azure Active Directory, and then select Identity Governance.

  2. In the left pane, select Connected organizations, and then select the connected organization to open it.

  3. In the connected organization's overview pane, select Edit to change the organization name, description, or state.

  4. In the Directory + domain pane, select Update directory + domain to change to a different directory or domain.

  5. In the Sponsors pane, select Add internal sponsors or Add external sponsors to add a user as a sponsor. To remove a sponsor, select the sponsor and, in the right pane, select Delete.

Delete a connected organization

If you no longer have a relationship with an external Azure AD directory or domain, you can delete the connected organization.

Prerequisite role: Global administrator or User administrator

  1. In the Azure portal, select Azure Active Directory, and then select Identity Governance.

  2. In the left pane, select Connected organizations, and then select the connected organization to open it.

  3. In the connected organization's overview pane, select Delete to delete it.

    (Screenshot: "Delete" button for a connected organization)

Managing a connected organization programmatically

You can also create, list, update, and delete connected organizations using Microsoft Graph. A user in an appropriate role, using an application that has the delegated EntitlementManagement.ReadWrite.All permission, can call the API to manage connectedOrganization objects and set sponsors for them.

State properties of connected organizations

There are currently two different state properties for connected organizations in Azure AD entitlement management, configured and proposed:

  • A configured connected organization is a fully functional connected organization that allows users within that organization to access access packages. When an admin creates a new connected organization in the Azure portal, it will be in the configured state by default, since the administrator created it and wants to use it. Additionally, when a connected organization is created programmatically via the API, the default state is configured unless another state is set explicitly.

    Configured connected organizations will show up in the pickers for connected organizations and will be in scope for any policies that target “all” connected organizations.

  • A proposed connected organization is a connected organization that has been created automatically, without an administrator creating or approving it. When a user signs up for an access package from outside any configured connected organization, any automatically created connected organization will be in the proposed state, since no administrator in the tenant set up that partnership.

    Proposed connected organizations are not in scope for the “all configured connected organizations” setting on any policy; they can only be used in policies that target specific organizations.

Only users from configured connected organizations can request access packages that are available to users from all configured organizations. Users from proposed connected organizations have the same experience as if there were no connected organization for their domain: they can only see and request access packages scoped to their specific organization or scoped to any user.
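The matching and scoping rules above (the Woodgrove Bank example, subdomain coverage for Azure AD partners subject to the B2B allow/deny list, and the configured/proposed distinction) are easier to reason about as code. The following is an added example, not Microsoft's code; its data model is an assumption built from this article's description (the real service keys Azure AD partners by tenant rather than by a domain list), and the Fabrikam organization, the policies and the user names are constructed sample data.

```python
"""Requestor-to-connected-organization matching and access package policy scoping.

Added example, not Microsoft's code. The data model is an assumption built from the
article: verified domains for an Azure AD partner, one e-mail domain for a non-Azure AD
partner, the configured/proposed state, and the B2B allow/deny list.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class ConnectedOrganization:
    name: str
    state: str                   # "configured" or "proposed"
    domains: Tuple[str, ...]     # lower-case; every verified domain for an Azure AD tenant
    uses_azure_ad: bool = False  # Azure AD partners also cover subdomains of their directory


@dataclass(frozen=True)
class Policy:
    name: str
    all_configured: bool = False         # "all configured connected organizations"
    specific_orgs: Tuple[str, ...] = ()  # organizations targeted by name
    any_user: bool = False               # open to any user, connected or not


def match_organization(upn: str, orgs: List[ConnectedOrganization],
                       b2b_blocklist: FrozenSet[str] = frozenset()) -> Optional[ConnectedOrganization]:
    """Return the connected organization whose identity source covers the UPN's domain."""
    domain = upn.rsplit("@", 1)[-1].lower()
    if domain in b2b_blocklist:  # the B2B allow/deny list overrides the connected organization
        return None
    for org in orgs:
        for verified in org.domains:
            if domain == verified or (org.uses_azure_ad and domain.endswith("." + verified)):
                return org
    return None


def can_request(upn: str, orgs: List[ConnectedOrganization], policy: Policy,
                b2b_blocklist: FrozenSet[str] = frozenset()) -> Tuple[bool, str]:
    """Decide whether a requestor is in scope of a policy, returning the decision and why."""
    if policy.any_user:
        return True, f"{policy.name} is open to any user"
    org = match_organization(upn, orgs, b2b_blocklist)
    if org is None:
        return False, "domain is blocked or matches no connected organization"
    if org.name in policy.specific_orgs:
        return True, f"{policy.name} targets {org.name} explicitly"
    if policy.all_configured:
        if org.state == "configured":
            return True, f"{org.name} is configured; {policy.name} covers all configured organizations"
        return False, f"{org.name} is only proposed; not in scope of 'all configured'"
    return False, f"{policy.name} does not target {org.name}"


# Constructed sample data following the article's Woodgrove Bank scenario, plus a
# hypothetical proposed organization (Fabrikam) created automatically by a sign-up.
ORGS = [
    ConnectedOrganization("Graphic Design Institute", "configured",
                          ("graphicdesigninstitute.com", "graphicdesigninstitute.example"),
                          uses_azure_ad=True),
    ConnectedOrganization("Contoso", "configured", ("contoso.com",)),
    ConnectedOrganization("Fabrikam", "proposed", ("fabrikam.com",)),
]
ALL_CONFIGURED = Policy("Partners", all_configured=True)
FABRIKAM_ONLY = Policy("Fabrikam pilot", specific_orgs=("Fabrikam",))

if __name__ == "__main__":
    for upn in ("alice@graphicdesigninstitute.example", "bob@contoso.com", "carol@fabrikam.com",
                "dave@hr.graphicdesigninstitute.com", "eve@example.net"):
        for policy in (ALL_CONFIGURED, FABRIKAM_ONLY):
            ok, why = can_request(upn, ORGS, policy)
            print(f"{upn:38} {policy.name:15} {'allow' if ok else 'deny':5} {why}")
```

Running the block prints one decision line per user and policy; the point to notice is that carol@fabrikam.com is denied under the "all configured" policy but allowed under the policy that names Fabrikam, and that a subdomain of the Azure AD partner is covered unless it appears in the B2B deny list.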

Note

As part of rolling out this new feature, all connected organizations created before 09/09/20 were considered configured. If you had an access package that allowed users from any organization to sign up, you should review your list of connected organizations that were created before that date to ensure none are miscategorized as configured. An admin can update the State property as appropriate. For guidance, see Update a connected organization.
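The "Managing a connected organization programmatically" section and the note above together describe a small administrative workflow: create a connected organization with an explicit state, attach sponsors, and list the existing organizations to review the ones created before 09/09/20 that are still configured. The following is an added example, not Microsoft's code. The Graph paths, property names and identity-source @odata.type values are my assumptions about the Microsoft Graph v1.0 entitlement management API, not quoted from this article; the `FakeGraph` class, the seeded organizations, the user id and the Northwind partner are constructed test data so the block runs offline. To use it for real, replace `FakeGraph` with a `send(method, url, body)` callable backed by an authenticated HTTP client holding the EntitlementManagement.ReadWrite.All permission.

```python
"""Create, list and audit connected organizations through Microsoft Graph.

Added example, not Microsoft's code. The Graph URLs, property names and
@odata.type values are assumptions about the Graph v1.0 API, not from the article.
"""
from datetime import datetime, timezone
from typing import Callable, List, Optional

GRAPH = "https://graph.microsoft.com/v1.0"
CONNECTED_ORGS = f"{GRAPH}/identityGovernance/entitlementManagement/connectedOrganizations"
# From the article's note: organizations created before 09/09/20 were all treated as configured.
STATE_ROLLOUT = datetime(2020, 9, 9, tzinfo=timezone.utc)

Send = Callable[[str, str, Optional[dict]], dict]  # (method, url, json body) -> parsed JSON


def azure_ad_tenant_source(tenant_id: str, display_name: str) -> dict:
    """Identity source for a partner that uses Azure AD."""
    return {"@odata.type": "#microsoft.graph.azureActiveDirectoryTenant",
            "tenantId": tenant_id, "displayName": display_name}


def domain_source(domain_name: str, display_name: str) -> dict:
    """Identity source for a partner identified only by its e-mail domain."""
    return {"@odata.type": "#microsoft.graph.domainIdentitySource",
            "domainName": domain_name, "displayName": display_name}


def create_connected_organization(send: Send, display_name: str, description: str,
                                  source: dict, state: str = "configured") -> dict:
    """POST a new connected organization; the state is set explicitly rather than relying on the default."""
    if state not in ("configured", "proposed"):
        raise ValueError(f"unknown state {state!r}")
    body = {"displayName": display_name, "description": description,
            "identitySources": [source], "state": state}
    return send("POST", CONNECTED_ORGS, body)


def add_sponsor(send: Send, org_id: str, user_id: str, external: bool = False) -> None:
    """Link a user already in the directory as internal or external sponsor."""
    kind = "externalSponsors" if external else "internalSponsors"
    send("POST", f"{CONNECTED_ORGS}/{org_id}/{kind}/$ref", {"@odata.id": f"{GRAPH}/users/{user_id}"})


def list_connected_organizations(send: Send) -> List[dict]:
    """GET every connected organization, following @odata.nextLink paging."""
    url, found = CONNECTED_ORGS, []
    while url:
        page = send("GET", url, None)
        found.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return found


def grandfathered_configured(orgs: List[dict], cutoff: datetime = STATE_ROLLOUT) -> List[str]:
    """Names of configured organizations created before the cutoff. These are in scope of
    'all configured' policies, so review whether any should be proposed instead."""
    flagged = []
    for org in orgs:
        created = datetime.fromisoformat(org["createdDateTime"].replace("Z", "+00:00"))
        if org.get("state") == "configured" and created < cutoff:
            flagged.append(org["displayName"])
    return flagged


class FakeGraph:
    """Constructed in-memory stand-in for Graph that records calls and pages two per response."""
    def __init__(self, existing: List[dict]):
        self.orgs = list(existing)
        self.calls: List[tuple] = []

    def __call__(self, method: str, url: str, body: Optional[dict]) -> dict:
        self.calls.append((method, url, body))
        if method == "POST" and url == CONNECTED_ORGS:
            org = dict(body, id=f"org-{len(self.orgs) + 1}", createdDateTime="2021-01-15T00:00:00Z")
            self.orgs.append(org)
            return org
        if method == "GET" and url.startswith(CONNECTED_ORGS):
            page = int(url.split("$skiptoken=")[1]) if "$skiptoken=" in url else 0
            result = {"value": self.orgs[page * 2:(page + 1) * 2]}
            if (page + 1) * 2 < len(self.orgs):
                result["@odata.nextLink"] = f"{CONNECTED_ORGS}?$skiptoken={page + 1}"
            return result
        return {}


# Constructed sample tenant state: one configured partner predates the state rollout.
SEED = [
    {"id": "org-a", "displayName": "Graphic Design Institute", "state": "configured",
     "createdDateTime": "2020-03-02T10:00:00Z"},
    {"id": "org-b", "displayName": "Contoso", "state": "configured",
     "createdDateTime": "2020-11-20T10:00:00Z"},
    {"id": "org-c", "displayName": "Fabrikam", "state": "proposed",
     "createdDateTime": "2020-01-05T10:00:00Z"},
]


def demo() -> List[str]:
    """Create a partner, add a sponsor, then audit the tenant; returns the names to review."""
    graph = FakeGraph(SEED)
    created = create_connected_organization(
        graph, "Northwind", "Supplier", domain_source("northwind.example", "Northwind"))
    add_sponsor(graph, created["id"], "00000000-0000-0000-0000-000000000001")  # placeholder user id
    return grandfathered_configured(list_connected_organizations(graph))


if __name__ == "__main__":
    print("review these configured organizations:", demo())
```

The audit deliberately reports only names: which of the flagged organizations should become proposed is a judgement for the administrator, who then changes the State property as described under Update a connected organization.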

Next steps