B2B来宾对安全组的权限 [英] B2B guest permissions to security groups
问题描述
是否有可能使访客只能将访客添加到他们所属的安全组中,却被阻止将其添加到同一Azure AD中的其他安全组中?
Is it possible to have guests be able to add guests only to a security group that they are a member of, but be blocked from adding them to other security groups within the same Azure AD?
一些细节.单个Azure AD上有许多订阅.我们希望将应用发布到这些单独的订阅中,并允许外部支持公司在出现任何问题时访问各自的订阅以进行故障排除.我们 希望每个外部公司也能够邀请他们自己的公司来宾(因此,每个外部支持公司的一个人将负责邀请他们的同事,而无需我们进行任何互动).
Some detail. We have a number of subscriptions on a single Azure AD. We want to publish apps to these separate subscriptions, and allow external support companies to access their respective subscription for troubleshooting, should any problems arise. We want each external company to also be able to invite guests in from their own company as well (so one person from each external support company will be in charge of inviting in their colleagues, without us having to have any interaction).
我们创建了许多安全组,每个外部公司一个.但是,当我们邀请一个人作为访客,并使用动态规则将其添加到各自的安全组时,他们可以邀请访客,然后不仅将其添加到组中 他们是其成员和所有者,但也属于其他既不是所有者也不是成员的安全组,这对我们来说是一个安全问题.
We have created a number of security groups, one for each external company. However, when we invite one in as a guest, and use a dynamic rule to add them to their respective security group, they can invite guests in and then add them to not only the group that they are a member and owner of, but also to other security groups which they are neither owners nor members of, which is a security issue for us.
现在看来,执行此操作的唯一方法是为每个订阅拥有单独的Azure AD,但是我们宁愿保留单个Azure AD并根据需要为每个客户添加订阅,然后将应用发布到该订阅,创建安全性团体 对于每个订阅或应用程序,请邀请第三方支持代表加入,然后根据需要邀请他们来邀请其他同事,这样他们就可以自己解决应用程序的任何问题,而无需我们的参与.这种情况可能吗?
Right now it appears the only way to do this is to have separate Azure AD's for each subscription, but we would rather keep our single Azure AD and add subscriptions per customer as necessary then publish our app to that subscription, create a security group for each subscription or app, invite the 3rd party support rep in, then leave them to it to invite additional colleagues as required so they can work on any issues with the app by themselves, without involving us. Is this scenario possible?
谢谢
推荐答案
已分配了哪些角色?也许您需要创建一个自定义角色.
What role(s) have they been assigned? Maybe you need to create a custom role.
这可能也值得在这里发布:
This might be worth posting here as well:
https://techcommunity.microsoft.com/t5/Azure-Active -Directory-B2B/bd-p/AzureAD_B2b
这篇关于B2B来宾对安全组的权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
