What is self-service sign-up for Azure Active Directory?

This article explains how to use self-service sign-up to populate an organization in Azure Active Directory (Azure AD).

Why use self-service sign-up?

  • Get customers to services they want faster
  • Create email-based offers for a service
  • Create email-based sign-up flows that quickly allow users to create identities using their easy-to-remember work email aliases
  • A self-service-created Azure AD directory can be turned into a managed directory that can be used for other services

Terms and definitions

  • Self-service sign-up: This is the method by which a user signs up for a cloud service and has an identity automatically created for them in Azure AD based on their email domain.
  • Unmanaged Azure AD directory: This is the directory where that identity is created. An unmanaged directory is a directory that has no global administrator.
  • Email-verified user: This is a type of user account in Azure AD. A user who has an identity created automatically after signing up for a self-service offer is known as an email-verified user. An email-verified user is a regular member of a directory tagged with creationmethod=EmailVerified.

How do I control self-service settings?

Admins have two self-service controls today. They can control whether:

  • Users can join the directory via email
  • Users can license themselves for applications and services

How can I control these capabilities?

An admin can configure these capabilities using the following parameters of the Azure AD cmdlet Set-MsolCompanySettings:

  • AllowEmailVerifiedUsers controls whether a user can create or join a directory. If you set that parameter to $false, no email-verified user can join the directory.
  • AllowAdHocSubscriptions controls the ability for users to perform self-service sign-up. If you set that parameter to $false, no user can perform self-service sign-up.

AllowEmailVerifiedUsers and AllowAdHocSubscriptions are directory-wide settings that can be applied to a managed or unmanaged directory. Here's an example where:

  • You administer a directory with a verified domain such as contoso.com
  • The home directory has AllowEmailVerifiedUsers turned on

If the preceding conditions are true, then a member user is created in the home directory.

How do the controls work together?

These two parameters can be used in conjunction to define more precise control over self-service sign-up. For example, the following command will allow users to perform self-service sign-up, but only if those users already have an account in Azure AD (in other words, users who would need an email-verified account to be created first cannot perform self-service sign-up):

    Set-MsolCompanySettings -AllowEmailVerifiedUsers $false -AllowAdHocSubscriptions $true

The following flowchart explains the different combinations for these parameters and the resulting conditions for the directory and self-service sign-up.

[Flowchart of self-service sign-up controls]

For more information and examples of how to use these parameters, see Set-MsolCompanySettings.
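The combinations described above can be checked against a directory's actual settings. The following is an added example, not part of the original article or Microsoft's own code: the function name Get-SelfServiceSignUpOutcome is hypothetical and encodes only the rules stated in the text. It assumes the MSOnline module with an existing Connect-MsolService session, and falls back to constructed sample values when none is available.

```powershell
# Added example: names other than the Msol cmdlets and the two Allow*
# settings are hypothetical.
function Get-SelfServiceSignUpOutcome {
    param(
        [Parameter(Mandatory)][bool]$AllowEmailVerifiedUsers,
        [Parameter(Mandatory)][bool]$AllowAdHocSubscriptions,
        [Parameter(Mandatory)][bool]$UserHasAccount
    )
    # AllowAdHocSubscriptions = $false: no user can perform self-service sign-up.
    if (-not $AllowAdHocSubscriptions) {
        return 'Blocked: self-service sign-up is off for every user'
    }
    # Users who already have an account need no new identity.
    if ($UserHasAccount) {
        return 'Allowed: existing account performs self-service sign-up'
    }
    # A new identity is required, which depends on AllowEmailVerifiedUsers.
    if ($AllowEmailVerifiedUsers) {
        return 'Allowed: email-verified member user is created in the directory'
    }
    return 'Blocked: an email-verified account would have to be created first'
}

# Read the live settings when an MSOnline session exists; otherwise fall back
# to a constructed sample matching the command shown in the article.
try {
    $current = Get-MsolCompanyInformation -ErrorAction Stop
    $source  = 'tenant'
} catch {
    $current = [pscustomobject]@{
        AllowEmailVerifiedUsers = $false   # constructed sample value
        AllowAdHocSubscriptions = $true    # constructed sample value
    }
    $source = 'constructed sample'
}

$evu   = [bool]$current.AllowEmailVerifiedUsers
$adhoc = [bool]$current.AllowAdHocSubscriptions
Write-Host "Settings from ${source}: AllowEmailVerifiedUsers=$evu AllowAdHocSubscriptions=$adhoc"

# Show the outcome for a user with an existing account and for one without.
$true, $false | ForEach-Object {
    [pscustomobject]@{
        UserHasAccount = $_
        Outcome        = Get-SelfServiceSignUpOutcome -AllowEmailVerifiedUsers $evu -AllowAdHocSubscriptions $adhoc -UserHasAccount $_
    }
} | Format-Table -AutoSize -Wrap
```

An "Allowed" row for users without an account means new email-verified members can appear in the directory without an administrator creating them, which is the setting to review first when auditing a tenant.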
