Add or remove Azure role assignments for external guest users using the Azure portal

Azure role-based access control (Azure RBAC) allows better security management for large organizations and for small and medium-sized businesses working with external collaborators, vendors, or freelancers who need access to specific resources in your environment, but not necessarily to the entire infrastructure or any billing-related scopes. You can use the capabilities in Azure Active Directory B2B to collaborate with external guest users, and you can use Azure RBAC to grant just the permissions that guest users need in your environment.

Prerequisites

To add or remove role assignments, you must have:

  • Microsoft.Authorization/roleAssignments/write and Microsoft.Authorization/roleAssignments/delete permissions at the target scope, such as User Access Administrator or Owner

When would you invite guest users?

Here are a couple of example scenarios in which you might invite guest users to your organization and grant them permissions:

  • Allow an external self-employed vendor who only has an email account to access your Azure resources for a project.
  • Allow an external partner to manage certain resources or an entire subscription.
  • Allow support engineers who are not in your organization (such as Microsoft support) to temporarily access your Azure resources to troubleshoot issues.

Permission differences between member users and guest users

Native members of a directory (member users) have different permissions than users invited from another directory as B2B collaboration guests (guest users). For example, member users can read almost all directory information, while guest users have restricted directory permissions. For more information about member users and guest users, see What are the default user permissions in Azure Active Directory?

Add a guest user to your directory

Follow these steps to add a guest user to your directory using the Azure Active Directory page.

  1. Make sure your organization's external collaboration settings are configured such that you're allowed to invite guests. For more information, see Enable B2B external collaboration and manage who can invite guests.

  2. In the Azure portal, click Azure Active Directory > Users > New guest user.

    (Screenshot: New guest user in the Azure portal)

  3. Follow the steps to add a new guest user. For more information, see Add Azure Active Directory B2B collaboration users in the Azure portal.

After you add a guest user to the directory, you can either send the guest user a direct link to a shared app, or the guest user can click the redemption URL in the invitation email.

(Screenshot: Guest user invitation email)

For the guest user to be able to access your directory, they must complete the invitation process.

(Screenshot: Guest user invitation permission review)

For more information about the invitation process, see Azure Active Directory B2B collaboration invitation redemption.

Add a role assignment for a guest user

In Azure RBAC, to grant access, you assign a role. To add a role assignment for a guest user, you follow the same steps as you would for a member user, group, service principal, or managed identity. Follow these steps to add a role assignment for a guest user at different scopes.

  1. In the Azure portal, click All services.

  2. Select the set of resources that the access applies to, also known as the scope. For example, you can select Management groups, Subscriptions, Resource groups, or a resource.

  3. Click the specific resource.

  4. Click Access control (IAM).

    The following screenshot shows an example of the Access control (IAM) blade for a resource group. Any access control changes you make here apply only to the resource group (and to the resources it contains, which inherit the assignment).

    (Screenshot: Access control (IAM) blade for a resource group)

  5. Click the Role assignments tab to view all the role assignments at this scope.

  6. Click Add > Add role assignment to open the Add role assignment pane.

    If you don't have permissions to assign roles, the Add role assignment option will be disabled.

    (Screenshot: Add menu)

  7. In the Role drop-down list, select a role such as Virtual Machine Contributor.

  8. In the Select list, select the guest user. If you don't see the user in the list, you can type in the Select box to search the directory by display name, email address, or object identifier.

    (Screenshot: Add role assignment pane)

  9. Click Save to assign the role at the selected scope.

    (Screenshot: Virtual Machine Contributor role assignment)
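The same procedure as a script, added here as an example and not taken from the original page. It assumes the Az and AzureAD PowerShell modules are installed and already connected to the same tenant (Connect-AzAccount and Connect-AzureAD); the guest's email address, the resource group name and the role are placeholders. Because a guest's user principal name is rewritten to the vendor_example.com#EXT#@tenant form, the script looks the account up by mail, refuses to continue if the match is not actually a guest, and lists what the guest holds at the scope afterwards.

```powershell
# Added example (not from the original page): assign an Azure role to a guest user
# who is already in the directory, then verify the result.
# Assumes: Az and AzureAD modules connected to the same tenant; values below are placeholders.

$guestMail     = 'vendor@example.com'          # assumed guest user
$resourceGroup = 'rg-project'                  # assumed scope
$roleName      = 'Virtual Machine Contributor'

# Guest UPNs look like vendor_example.com#EXT#@contoso.onmicrosoft.com, so match on mail.
$guest = Get-AzureADUser -Filter "mail eq '$guestMail'"
if (-not $guest) { throw "No user with mail $guestMail found in this directory." }

# Stop if the account is not a guest; this catches a typo that would otherwise
# grant the role to a member account with a similar address.
if ($guest.UserType -ne 'Guest') {
    throw "$guestMail is a $($guest.UserType) account, not a guest."
}

$scope = (Get-AzResourceGroup -Name $resourceGroup).ResourceId
# e.g. /subscriptions/<subscription-id>/resourceGroups/rg-project

# New-AzRoleAssignment fails on an exact duplicate, so check first (idempotent re-runs).
$existing = Get-AzRoleAssignment -ObjectId $guest.ObjectId -Scope $scope |
    Where-Object { $_.RoleDefinitionName -eq $roleName -and $_.Scope -eq $scope }

if ($existing) {
    Write-Host "$guestMail already has $roleName at $scope"
} else {
    New-AzRoleAssignment -ObjectId $guest.ObjectId `
                         -RoleDefinitionName $roleName `
                         -Scope $scope | Out-Null
    Write-Host "Assigned $roleName to $guestMail at $scope"
}

# Verify: everything the guest holds at this scope, including assignments inherited
# from the subscription or management group. More than the one expected role is
# worth a second look.
Get-AzRoleAssignment -ObjectId $guest.ObjectId -Scope $scope |
    Select-Object DisplayName, SignInName, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

The final listing is the check to keep: role assignments are inherited downwards, so a guest who looks over-privileged at a resource group may have been granted the role at the subscription, and the fix belongs there rather than at the resource group.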

Add a role assignment for a guest user not yet in your directory

To add a role assignment for a guest user, you follow the same steps as you would for a member user, group, service principal, or managed identity.

If the guest user is not yet in your directory, you can invite the user directly from the Add role assignment pane.

  1. In the Azure portal, click All services.

  2. Select the set of resources that the access applies to, also known as the scope. For example, you can select Management groups, Subscriptions, Resource groups, or a resource.

  3. Click the specific resource.

  4. Click Access control (IAM).

  5. Click the Role assignments tab to view all the role assignments at this scope.

  6. Click Add > Add role assignment to open the Add role assignment pane.

    (Screenshot: Add menu)

  7. In the Role drop-down list, select a role such as Virtual Machine Contributor.

  8. In the Select list, type the email address of the person you want to invite, and then select that person.

    (Screenshot: Inviting a guest user from the Add role assignment pane)

  9. Click Save to add the guest user to your directory, assign the role, and send an invitation.

    After a few moments, you'll see a notification of the role assignment and information about the invitation.

    (Screenshot: Role assignment and invited-user notification)

  10. To deliver the invitation yourself, right-click and copy the invitation link in the notification. Don't click the invitation link yourself, because doing so starts the redemption process.

    The invitation link has the following format:

    https://invitations.microsoft.com/redeem/...

  11. Send the invitation link to the guest user so they can complete the invitation process.

    For more information about the invitation process, see Azure Active Directory B2B collaboration invitation redemption.
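The invite-then-assign flow above, as an added example rather than code from the original page. It assumes the Az and AzureAD modules are connected to the same tenant, and the invitee address, resource group, role and redirect URL are placeholders. The invitation is created without Microsoft's email (matching step 10, where you deliver the link yourself), the redemption link is printed for you to pass on, and the role is bound to the invited user object while the invitation is still pending. Directory replication can lag a few seconds behind the invitation, so the assignment is retried instead of failing on the first "principal not found".

```powershell
# Added example (not from the original page): invite a guest who is not yet in the
# directory, keep the redemption link for manual delivery, and assign the role.
# Assumes: Az and AzureAD modules connected to the same tenant; values are placeholders.

$inviteeMail   = 'contractor@example.com'       # assumed external address
$resourceGroup = 'rg-project'                   # assumed scope
$roleName      = 'Virtual Machine Contributor'
$redirectUrl   = 'https://portal.azure.com'     # where the guest lands after redeeming

# Create the invitation but suppress the Microsoft-sent email so the link can be
# delivered over a channel you control.
$invite = New-AzureADMSInvitation -InvitedUserEmailAddress $inviteeMail `
                                  -InviteRedirectUrl $redirectUrl `
                                  -SendInvitationMessage $false

# The invited user object exists immediately (state PendingAcceptance); its object ID
# is what the role assignment binds to.
$invitedId = $invite.InvitedUser.Id
Write-Host "Invited $inviteeMail, object ID $invitedId"
Write-Host "Redemption link (send to the guest; do not open it yourself):"
Write-Host $invite.InviteRedeemUrl

$scope = (Get-AzResourceGroup -Name $resourceGroup).ResourceId

# Retry briefly: the new principal may not yet be visible to Azure Resource Manager.
$assigned = $null
for ($attempt = 1; $attempt -le 6 -and -not $assigned; $attempt++) {
    try {
        $assigned = New-AzRoleAssignment -ObjectId $invitedId `
                                         -RoleDefinitionName $roleName `
                                         -Scope $scope -ErrorAction Stop
    } catch {
        Write-Host "Attempt $attempt failed ($($_.Exception.Message.Split("`n")[0])); retrying"
        Start-Sleep -Seconds 10
    }
}
if (-not $assigned) { throw "Role assignment for $inviteeMail did not succeed after retries." }
Write-Host "Assigned $roleName to $inviteeMail at $scope"

# The account stays in PendingAcceptance until the guest redeems the invitation;
# the role assignment is already in place and becomes usable the moment they do.
Get-AzureADUser -ObjectId $invitedId |
    Select-Object DisplayName, UserPrincipalName, UserType, UserState
```

Keep in mind that the role assignment is live before the invitation is redeemed, so an unredeemed invitation for a mistyped address is a standing grant to whoever eventually controls that mailbox; remove the assignment and the pending user if the invitation is abandoned.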

Remove a guest user from your directory

Before you remove a guest user from a directory, you should first remove any role assignments for that guest user. If you delete the user first, the role assignments are left behind pointing at a principal that no longer exists and show up as "Identity not found" in the Access control (IAM) blade. Follow these steps to remove a guest user from a directory.

  1. Open Access control (IAM) at a scope, such as a management group, subscription, resource group, or resource, where the guest user has a role assignment.

  2. Click the Role assignments tab to view all the role assignments.

  3. In the list of role assignments, add a checkmark next to the guest user with the role assignment you want to remove.

    (Screenshot: Remove role assignment)

  4. Click Remove.

    (Screenshot: Remove role assignment message)

  5. In the remove role assignment message that appears, click Yes.

  6. In the left navigation bar, click Azure Active Directory > Users.

  7. Click the guest user you want to remove.

  8. Click Delete.

    (Screenshot: Delete guest user)

  9. In the delete message that appears, click Yes.
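The portal steps remove one assignment at one scope, but a guest may hold assignments in several subscriptions and at management groups above them. The following script, added here as an example and not part of the original page, walks every enabled subscription you can see, removes each assignment the guest holds (deduplicating inherited management-group assignments so they are not removed twice), and only then deletes the directory object. It assumes the Az and AzureAD modules are connected to the same tenant and that the address is a placeholder.

```powershell
# Added example (not from the original page): strip all Azure role assignments from a
# guest across every subscription, then delete the guest, in that order.
# Assumes: Az and AzureAD modules connected to the same tenant; address is a placeholder.

$guestMail = 'vendor@example.com'   # assumed guest user

$guest = Get-AzureADUser -Filter "mail eq '$guestMail'"
if (-not $guest)                 { throw "No user with mail $guestMail in this directory." }
if ($guest.UserType -ne 'Guest') { throw "$guestMail is not a guest account; stopping." }

$objectId = $guest.ObjectId
$seen     = @{}      # RoleAssignmentId -> $true, so an inherited MG assignment is removed once
$removed  = 0

# Role assignments are scoped per subscription (and at management groups above them),
# so each subscription has to be visited in turn.
foreach ($sub in Get-AzSubscription | Where-Object State -eq 'Enabled') {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null

    # Without -Scope this returns the guest's assignments anywhere in the subscription,
    # including ones inherited from management groups.
    foreach ($ra in Get-AzRoleAssignment -ObjectId $objectId) {
        if ($seen.ContainsKey($ra.RoleAssignmentId)) { continue }
        $seen[$ra.RoleAssignmentId] = $true

        Write-Host "Removing $($ra.RoleDefinitionName) at $($ra.Scope) [$($sub.Name)]"
        Remove-AzRoleAssignment -ObjectId $objectId `
                                -RoleDefinitionName $ra.RoleDefinitionName `
                                -Scope $ra.Scope
        $removed++
    }
}
Write-Host "Removed $removed role assignment(s) for $guestMail"

# Delete the directory object last. Deleting first would leave the assignments above
# pointing at a missing principal ("Identity not found" in the IAM blade).
Remove-AzureADUser -ObjectId $objectId
Write-Host "Deleted guest $guestMail ($objectId)"
```

Assignments in subscriptions your account cannot read are not touched, so run this with an identity that has at least reader rights on every subscription in the tenant, and audit for "Identity not found" entries in Access control (IAM) afterwards.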

Troubleshoot

Guest user cannot browse the directory

Guest users have restricted directory permissions. For example, guest users cannot browse the directory and cannot search for groups or applications. For more information, see What are the default user permissions in Azure Active Directory?

(Screenshot: Guest user cannot browse users in the directory)

If a guest user needs additional privileges in the directory, you can assign a directory role to the guest user. If you really want a guest user to have full read access to your directory, you can add the guest user to the Directory Readers role in Azure AD. For more information, see Grant permissions to users from partner organizations in your Azure Active Directory tenant.

(Screenshot: Assigning the Directory Readers role)

Guest user cannot browse users, groups, or service principals to assign roles

Guest users have restricted directory permissions. Even if a guest user is an Owner at a scope, if they try to add a role assignment to grant someone else access, they cannot browse the list of users, groups, or service principals.

(Screenshot: Guest user cannot browse security principals to assign roles)

If the guest user knows someone's exact sign-in name in the directory, they can grant access. If you really want a guest user to have full read access to your directory, you can add the guest user to the Directory Readers role in Azure AD. For more information, see Grant permissions to users from partner organizations in your Azure Active Directory tenant.

Guest user cannot register applications or create service principals

Guest users have restricted directory permissions. If a guest user needs to be able to register applications or create service principals, you can add the guest user to the Application Developer role in Azure AD. For more information, see Grant permissions to users from partner organizations in your Azure Active Directory tenant.

(Screenshot: Guest user cannot register applications)
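The three troubleshooting items above all end in the same action: adding the guest to an Azure AD directory role (Directory Readers or Application Developer). The script below, an added example rather than code from the original page, does that with the AzureAD module and handles the catch a practitioner runs into: a directory role that has never been used in the tenant has no role object yet and must first be activated from its template. It assumes Connect-AzureAD has been run; the address and role name are placeholders.

```powershell
# Added example (not from the original page): add a guest to a directory role such as
# Directory Readers or Application Developer, activating the role if needed.
# Assumes: AzureAD module connected to the tenant; values below are placeholders.

$guestMail = 'vendor@example.com'   # assumed guest user
$roleName  = 'Directory Readers'    # or 'Application Developer'

$guest = Get-AzureADUser -Filter "mail eq '$guestMail'"
if (-not $guest) { throw "No user with mail $guestMail in this directory." }

# Get-AzureADDirectoryRole only lists roles that have been activated at least once;
# otherwise the role exists only as a template and must be enabled first.
$role = Get-AzureADDirectoryRole | Where-Object DisplayName -eq $roleName
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq $roleName
    if (-not $template) { throw "No directory role template named '$roleName'." }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
    Write-Host "Activated directory role $roleName"
}

# Idempotent: skip if the guest is already a member.
$members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
if ($members.ObjectId -contains $guest.ObjectId) {
    Write-Host "$guestMail already holds $roleName"
} else {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $guest.ObjectId
    Write-Host "Added $guestMail to $roleName"
}

# Review every directory role the guest now holds. Directory Readers exposes the full
# user, group and application list of the tenant, which is more than most vendors need.
Get-AzureADUserMembership -ObjectId $guest.ObjectId |
    Where-Object ObjectType -eq 'Role' |
    Select-Object DisplayName, ObjectId
```

For the second troubleshooting item (a guest Owner who cannot browse principals), the less privileged alternative is to hand the guest the exact sign-in names they need rather than Directory Readers; only grant the directory role when the guest genuinely has to enumerate the tenant.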

Guest user does not see the new directory

If a guest user has been granted access to a directory, but they do not see the new directory listed in the Azure portal when they try to switch in their Directory + subscription pane, make sure the guest user has completed the invitation process. For more information about the invitation process, see Azure Active Directory B2B collaboration invitation redemption.

Guest user does not see resources

If a guest user has been granted access to a directory, but they do not see the resources they have been granted access to in the Azure portal, make sure the guest user has selected the correct directory. A guest user might have access to multiple directories. To switch directories, in the upper left, click Directory + subscription, and then click the appropriate directory.

(Screenshot: Directory + subscription pane in the Azure portal)

Next steps