Manage guest access with Azure AD access reviews

With Azure Active Directory (Azure AD), you can easily enable collaboration across organizational boundaries by using the Azure AD B2B feature. Guest users from other tenants can be invited by administrators or by other users. This capability also applies to social identities such as Microsoft accounts.

You can also easily ensure that guest users have appropriate access. You can ask the guests themselves or a decision maker to participate in an access review and recertify (or attest to) the guests' access. The reviewers can give their input on each user's need for continued access, based on suggestions from Azure AD. When an access review is finished, you can then make changes and remove access for guests who no longer need it.

Note

This document focuses on reviewing guest users' access. If you want to review all users' access, not just guests, see Manage user access with access reviews. If you want to review users' membership in administrative roles, such as global administrator, see Start an access review in Azure AD Privileged Identity Management.

Prerequisites

  • Azure AD Premium P2

For more information, see License requirements.

Create and perform an access review for guests

First, as a global administrator or user administrator, go to the Identity Governance page to ensure that access reviews are ready for your organization.

Azure AD enables several scenarios for reviewing guest users.

You can review either:

  • A group in Azure AD that has one or more guests as members.
  • An application connected to Azure AD that has one or more guest users assigned to it.

You can then decide whether to ask each guest to review their own access, or to ask one or more users to review every guest's access.

These scenarios are covered in the following sections.

Ask guests to review their own membership in a group

You can use access reviews to ensure that users who were invited and added to a group continue to need access. You can easily ask guests to review their own membership in that group.

  1. To create an access review for the group, select the review to include guest user members only, and that members review themselves. For more information, see Create an access review of groups or applications.

  2. Ask each guest to review their own membership. By default, each guest who accepted an invitation receives an email from Azure AD with a link to the access review. Azure AD has instructions for guests on how to review access to groups or applications.

  3. After the reviewers give input, stop the access review and apply the changes. For more information, see Complete an access review of groups or applications.

  4. In addition to those users who denied their own need for continued access, you can also remove users who didn't respond. Non-responding users potentially no longer receive email.

  5. If the group isn't used for access management, you can also remove users who weren't selected to participate in the review because they didn't accept their invitation. Not accepting might indicate that the invited user's email address had a typo. If a group is used as a distribution list, some guest users may not have been selected to participate because they're contact objects.

Ask a sponsor to review a guest's membership in a group

You can ask a sponsor, such as the owner of a group, to review a guest's need for continued membership in a group.

  1. To create an access review for the group, select the review to include guest user members only. Then specify one or more reviewers. For more information, see Create an access review of groups or applications.

  2. Ask the reviewers to give input. By default, they each receive an email from Azure AD with a link to the access panel, where they review access to groups or applications.

  3. After the reviewers give input, stop the access review and apply the changes. For more information, see Complete an access review of groups or applications.

Ask guests to review their own access to an application

You can use access reviews to ensure that users who were invited for a particular application continue to need access. You can easily ask the guests themselves to review their own need for access.

  1. To create an access review for the application, select the review to include guests only, and that users review their own access. For more information, see Create an access review of groups or applications.

  2. Ask each guest to review their own access to the application. By default, each guest who accepted an invitation receives an email from Azure AD. That email has a link to the access review in your organization's access panel. Azure AD has instructions for guests on how to review access to groups or applications.

  3. After the reviewers give input, stop the access review and apply the changes. For more information, see Complete an access review of groups or applications.

  4. In addition to users who denied their own need for continued access, you can also remove guest users who didn't respond. Non-responding users potentially no longer receive email. You can also remove guest users who weren't selected to participate, especially if they weren't recently invited. Those users didn't accept their invitation and so didn't have access to the application.

Ask a sponsor to review a guest's access to an application

You can ask a sponsor, such as the owner of an application, to review a guest's need for continued access to the application.

  1. To create an access review for the application, select the review to include guests only. Then specify one or more users as reviewers. For more information, see Create an access review of groups or applications.

  2. Ask the reviewers to give input. By default, they each receive an email from Azure AD with a link to the access panel, where they review access to groups or applications.

  3. After the reviewers give input, stop the access review and apply the changes. For more information, see Complete an access review of groups or applications.

Ask guests to review their need for access, in general

In some organizations, guests might not be aware of their group memberships.

Note

Earlier versions of the Azure portal didn't permit administrative access by users with the UserType of Guest. In some cases, an administrator in your directory might have changed a guest's UserType value to Member by using PowerShell. If this change previously occurred in your directory, the previous query might not include all guest users who historically had administrative access rights. In this case, you need to either change the guest's UserType back or manually include the guest in the group membership.

  1. Create a security group in Azure AD with the guests as members, if a suitable group doesn't already exist. For example, you can create a group with a manually maintained membership of guests. For efficiency, ensure the group is predominantly guests; don't select a group that has member users, as member users don't need to be reviewed. Also, keep in mind that a guest user who is a member of the group can see the other members of the group.

  2. To create an access review for that group, select the reviewers to be the members themselves. For more information, see Create an access review of groups or applications.

  3. Ask each guest to review their own membership. By default, each guest who accepted an invitation receives an email from Azure AD with a link to the access review in your organization's access panel. Azure AD has instructions for guests on how to review access to groups or applications. Those guests who didn't accept their invitation will appear in the review results as "Not Notified".

  4. After the reviewers give input, stop the access review. For more information, see Complete an access review of groups or applications.

  5. Remove guest access for guests who were denied, didn't complete the review, or didn't previously accept their invitation. If some of the guests are contacts who were selected to participate in the review, or guests who didn't previously accept an invitation, you can disable their accounts by using the Azure portal or PowerShell. If the guest no longer needs access and isn't a contact, you can remove their user object from your directory by using the Azure portal or PowerShell to delete the guest user object.
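The following is an added example, not part of the original article or of Microsoft's documentation, of building the review-scoped security group from step 1 with the AzureAD PowerShell module. It also accounts for the note above: B2B accounts whose UserType was flipped to Member are picked up by the `#EXT#` marker in their user principal name, and guests who never accepted their invitation (the ones that will show as "Not Notified") are listed at the end. The group name and mail nickname are placeholders you choose; an existing `Connect-AzureAD` session is assumed.

```powershell
# Added example (assumption: AzureAD module loaded and Connect-AzureAD already run).
$groupName = 'Guest Access Review Scope'   # placeholder, pick your own name
$mailNick  = 'guestreviewscope'            # placeholder mail nickname

# 1. Guests by UserType ...
$byType = Get-AzureADUser -All $true -Filter "userType eq 'Guest'"

# 2. ... plus B2B accounts an admin flipped to Member (see the note above):
#    their UPN still carries the '#EXT#' marker, so a UserType filter alone misses them.
$flipped = Get-AzureADUser -All $true -Filter "userType eq 'Member'" |
    Where-Object { $_.UserPrincipalName -like '*#EXT#*' }

$guests = @($byType) + @($flipped) | Sort-Object ObjectId -Unique

# 3. Create the security group only if it does not exist yet.
$group = Get-AzureADGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not $group) {
    $group = New-AzureADGroup -DisplayName $groupName -MailEnabled $false `
        -SecurityEnabled $true -MailNickName $mailNick
}

# 4. Add every guest that is not already a member (idempotent on re-runs).
$existing = @(Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
    Select-Object -ExpandProperty ObjectId)
foreach ($g in $guests) {
    if ($existing -notcontains $g.ObjectId) {
        Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $g.ObjectId
    }
}

# 5. Guests with a pending invitation will appear as "Not Notified" in the
#    review results; list them so step 5 can handle them separately.
$guests | Where-Object { $_.UserState -eq 'PendingAcceptance' } |
    Select-Object DisplayName, UserPrincipalName, UserState, UserStateChangedOn |
    Format-Table -AutoSize
```

Any account surfaced by the `#EXT#` check but reported as Member is a candidate for restoring its UserType, as the note describes, before the review runs.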

Next steps

Create an access review of groups or applications