Add a connected organization in Azure AD entitlement management

With Azure Active Directory (Azure AD) entitlement management, you can collaborate with people outside your organization. If you frequently collaborate with users in an external Azure AD directory or domain, you can add them as a connected organization. This article describes how to add a connected organization so that you can allow users outside your organization to request resources in your directory.

What is a connected organization?

A connected organization is an external Azure AD directory or domain that you have a relationship with.

For example, suppose you work at Woodgrove Bank and you want to collaborate with two external organizations. These two organizations have different configurations:

  • Graphic Design Institute uses Azure AD, and its users have a user principal name that ends with graphicdesigninstitute.com.
  • Contoso does not yet use Azure AD. Contoso users have a user principal name that ends with contoso.com.

In this case, you can configure two connected organizations: one for Graphic Design Institute and one for Contoso. If you then add the two connected organizations to a policy, users from each organization whose user principal name matches the policy can request access packages. Users whose user principal name has the domain graphicdesigninstitute.com match the Graphic Design Institute connected organization and are allowed to submit requests. Users whose user principal name has the domain contoso.com match the Contoso connected organization and are also allowed to request packages. And because Graphic Design Institute uses Azure AD, the relationship is with the tenant rather than with the single domain: any user whose principal name matches a verified domain added to that tenant, such as graphicdesigninstitute.example, can also request access packages under the same policy.
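The following is an added example, not code from the Azure AD documentation, that models the matching rule described above: a requester's user principal name (UPN) is matched on its domain part; a connected organization backed by an Azure AD tenant matches every verified domain of that tenant (and, as the note later on this page says, their subdomains, unless the B2B allow or deny list blocks them); a connected organization backed by a plain domain is modelled here as matching only that exact domain. The `ConnectedOrganization` class, the `verified_domains` list, the exact-match rule for non-Azure AD domains and the sample B2B deny list are assumptions made for this example; Azure AD does not expose this data in this shape.

```python
"""Added example: model the UPN-domain matching of connected organizations.

Assumptions (not from the Azure AD documentation): ConnectedOrganization shape,
verified_domains list, exact matching for non-Azure AD domains, and the deny list.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectedOrganization:
    name: str
    # Azure AD tenant: every verified domain of that tenant.
    # Organization without Azure AD: the single domain that was added.
    verified_domains: tuple
    uses_azure_ad: bool


def upn_domain(upn: str) -> str:
    """Return the lower-cased domain part of a UPN; reject anything that is not user@domain."""
    if upn.count("@") != 1 or not upn.rsplit("@", 1)[1]:
        raise ValueError(f"not a UPN: {upn!r}")
    return upn.rsplit("@", 1)[1].lower()


def domain_matches(candidate: str, allowed: str, include_subdomains: bool) -> bool:
    """Exact match, or (when allowed) a proper subdomain.

    The '.' prefix matters: a naive endswith(allowed) would accept
    'contoso.com.evil.example' as a match for 'contoso.com'.
    """
    candidate, allowed = candidate.lower(), allowed.lower()
    if candidate == allowed:
        return True
    return include_subdomains and candidate.endswith("." + allowed)


def matching_organization(upn, organizations, b2b_denylist=()):
    """Return the connected organization a requester with this UPN would match, or None."""
    domain = upn_domain(upn)
    # The B2B deny list wins over any connected-organization match.
    if any(domain_matches(domain, blocked, True) for blocked in b2b_denylist):
        return None
    for org in organizations:
        for verified in org.verified_domains:
            # Azure AD tenants cover their subdomains; plain domains must match exactly.
            if domain_matches(domain, verified, include_subdomains=org.uses_azure_ad):
                return org
    return None


# Constructed sample data mirroring the Woodgrove Bank scenario in the text.
CONNECTED_ORGS = (
    ConnectedOrganization(
        "Graphic Design Institute",
        ("graphicdesigninstitute.com", "graphicdesigninstitute.example"),
        uses_azure_ad=True,
    ),
    ConnectedOrganization("Contoso", ("contoso.com",), uses_azure_ad=False),
)


def who_matches(upns, organizations=CONNECTED_ORGS, b2b_denylist=()):
    """Map each UPN to the name of the connected organization it matches (None if none)."""
    result = {}
    for upn in upns:
        org = matching_organization(upn, organizations, b2b_denylist)
        result[upn] = org.name if org else None
    return result


if __name__ == "__main__":
    for upn, org in who_matches([
        "alice@graphicdesigninstitute.com",
        "bob@graphicdesigninstitute.example",
        "carol@contoso.com",
        "mallory@contoso.com.evil.example",
    ]).items():
        print(f"{upn:40} -> {org}")
```

The subdomain check is the part worth keeping: matching on "ends with" without the leading dot would let an attacker-controlled domain such as contoso.com.evil.example pass as Contoso.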

[Diagram: connected organization example]

How users from the Azure AD directory or domain authenticate depends on the authentication type. The authentication types for connected organizations are:

  • Azure AD

Add a connected organization

To add an external Azure AD directory or domain as a connected organization, follow the instructions in this section.

Prerequisite role: Global administrator or User administrator

  1. In the Azure portal, select Azure Active Directory, and then select Identity Governance.

  2. In the left pane, select Connected organizations, and then select Add connected organization.

    [Screenshot: Add connected organization button]

  3. Select the Basics tab, and then enter a display name and description for the organization.

    [Screenshot: Add connected organization Basics pane]

  4. Select the Directory + domain tab, and then select Add directory + domain.

    The Select directories + domains pane opens.

  5. In the search box, enter a domain name to search for the Azure AD directory or domain. Be sure to enter the entire domain name.

  6. Verify that the organization name and authentication type are correct. How users sign in depends on the authentication type. Because a connected organization backed by an Azure AD tenant matches every verified domain of that tenant, confirm that the search resolved to the tenant you intend, not just a domain with a similar name.

    [Screenshot: Select directories + domains pane]

  7. Select Add to add the Azure AD directory or domain. Currently, you can add only one Azure AD directory or domain per connected organization.

    Note

    All users from the Azure AD directory or domain will be able to request this access package. This includes users in Azure AD from all subdomains associated with the directory, unless those domains are blocked by the Azure AD business-to-business (B2B) allow or deny list. For more information, see Allow or block invitations to B2B users from specific organizations.

  8. After you've added the Azure AD directory or domain, select Select.

    The organization appears in the list.

    [Screenshot: Directory + domain pane]

  9. Select the Sponsors tab, and then add optional sponsors for this connected organization.

    Sponsors are internal or external users already in your directory who are the point of contact for the relationship with this connected organization. Internal sponsors are member users in your directory. External sponsors are guest users from the connected organization who were previously invited and are already in your directory. Sponsors can be used as approvers when users in this connected organization request access to this access package. For information about how to invite a guest user to your directory, see Add Azure Active Directory B2B collaboration users in the Azure portal.

    When you select Add/Remove, a pane opens in which you can choose internal or external sponsors. The pane displays an unfiltered list of users and groups in your directory.

    [Screenshot: Sponsors pane]

  10. Select the Review + create tab, review your organization settings, and then select Create.

    [Screenshot: Review + create pane]

Update a connected organization

If the connected organization changes to a different domain, the organization's name changes, or you want to change the sponsors, you can update the connected organization by following the instructions in this section.

Prerequisite role: Global administrator or User administrator

  1. In the Azure portal, select Azure Active Directory, and then select Identity Governance.

  2. In the left pane, select Connected organizations, and then select the connected organization to open it.

  3. In the connected organization's overview pane, select Edit to change the organization name or description.

  4. In the Directory + domain pane, select Update directory + domain to change to a different directory or domain.

  5. In the Sponsors pane, select Add internal sponsors or Add external sponsors to add a user as a sponsor. To remove a sponsor, select the sponsor and, in the right pane, select Delete.

Delete a connected organization

If you no longer have a relationship with an external Azure AD directory or domain, you can delete the connected organization.

Prerequisite role: Global administrator or User administrator

  1. In the Azure portal, select Azure Active Directory, and then select Identity Governance.

  2. In the left pane, select Connected organizations, and then select the connected organization to open it.

  3. In the connected organization's overview pane, select Delete to delete it.

    Currently, you can delete a connected organization only if there are no connected users.

    [Screenshot: Delete button for the connected organization]

Manage a connected organization programmatically

You can also create, list, update, and delete connected organizations by using Microsoft Graph. A user in an appropriate role, using an application that has been granted the delegated EntitlementManagement.ReadWrite.All permission, can call the API to manage connectedOrganization objects and set sponsors for them.
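The following is an added example, not code from the Azure AD documentation or from Microsoft, of a minimal Microsoft Graph client for the operations named above. The endpoint path, the two identity-source OData types (`#microsoft.graph.azureActiveDirectoryTenant` with `tenantId`, `#microsoft.graph.domainIdentitySource` with `domainName`), the `state` property and the `$ref` form for adding sponsors are taken from the Graph v1.0 reference, not from this page, and should be checked against it. The bearer token is assumed to have been obtained by a user in a suitable role with the delegated EntitlementManagement.ReadWrite.All scope; token acquisition is out of scope here. The HTTP transport is injectable, and the `RecordingTransport` below is a constructed offline stand-in so that the request shapes can be inspected without a tenant.

```python
"""Added example: a small Microsoft Graph client for connectedOrganization objects.

Assumptions (from the Graph v1.0 reference, not from this page): endpoint path,
identity-source @odata.type values, 'state' property, and the $ref sponsor form.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
CONNECTED_ORGS = f"{GRAPH}/identityGovernance/entitlementManagement/connectedOrganizations"


def _urllib_send(method, url, headers, body):
    """Default transport: a real HTTPS call via urllib (not used offline)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        raw = resp.read()
    return json.loads(raw) if raw else {}


class ConnectedOrgClient:
    def __init__(self, access_token, send=_urllib_send):
        # Delegated token: EntitlementManagement.ReadWrite.All, user in an admin role.
        self._headers = {"Authorization": f"Bearer {access_token}",
                         "Content-Type": "application/json"}
        self._send = send

    def _call(self, method, url, body=None):
        return self._send(method, url, dict(self._headers), body)

    @staticmethod
    def tenant_source(tenant_id, display_name):
        """Identity source for an organization that uses Azure AD (matches all its verified domains)."""
        return {"@odata.type": "#microsoft.graph.azureActiveDirectoryTenant",
                "tenantId": tenant_id, "displayName": display_name}

    @staticmethod
    def domain_source(domain_name, display_name):
        """Identity source for an organization identified by a domain only."""
        return {"@odata.type": "#microsoft.graph.domainIdentitySource",
                "domainName": domain_name, "displayName": display_name}

    def create(self, display_name, description, identity_source, state="configured"):
        # The portal allows one directory or domain per connected organization;
        # this method keeps the same constraint by taking a single identity source.
        body = {"displayName": display_name, "description": description,
                "identitySources": [identity_source], "state": state}
        return self._call("POST", CONNECTED_ORGS, body)

    def list_all(self):
        return self._call("GET", CONNECTED_ORGS).get("value", [])

    def update(self, org_id, **fields):
        return self._call("PATCH", f"{CONNECTED_ORGS}/{org_id}", fields)

    def delete(self, org_id):
        return self._call("DELETE", f"{CONNECTED_ORGS}/{org_id}")

    def add_sponsor(self, org_id, user_id, external=False):
        # Internal sponsors are member users; external sponsors are guests already
        # invited into your directory. Both are referenced by user id.
        rel = "externalSponsors" if external else "internalSponsors"
        ref = {"@odata.id": f"{GRAPH}/users/{user_id}"}
        return self._call("POST", f"{CONNECTED_ORGS}/{org_id}/{rel}/$ref", ref)


class RecordingTransport:
    """Constructed offline stand-in for HTTP: records requests, returns canned replies."""
    def __init__(self):
        self.requests = []

    def __call__(self, method, url, headers, body):
        self.requests.append((method, url, headers, body))
        if method == "POST" and url == CONNECTED_ORGS:
            return {"id": "00000000-0000-0000-0000-000000000001", **body}
        return {"value": []} if method == "GET" else {}


def demo():
    """Create the Contoso connected organization from the scenario above, then add a sponsor."""
    transport = RecordingTransport()
    client = ConnectedOrgClient("CONSTRUCTED_TOKEN", send=transport)
    org = client.create("Contoso", "Contoso, not yet on Azure AD",
                        client.domain_source("contoso.com", "Contoso"))
    client.add_sponsor(org["id"], "11111111-1111-1111-1111-111111111111")
    return transport.requests


if __name__ == "__main__":
    for method, url, _, body in demo():
        print(method, url, json.dumps(body))
```

To run it against a real tenant, construct `ConnectedOrgClient` with a token and leave `send` at its default; the recorded requests show exactly what would be sent, which is also a convenient place to check that no call goes out with a missing Authorization header.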

Next steps