|
1 | 1 | ---
|
2 |
| -title: Delegate invitations for B2B collaboration - Azure Active Directory | Microsoft Docs |
3 |
| -description: Azure Active Directory B2B collaboration user properties are configurable |
| 2 | +title: Enable B2B external collaboration settings - Azure Active Directory | Microsoft Docs |
| 3 | +description: Learn how to enable Active Directory B2B external collaboration and manage who can invite guest users. Use the Guest Inviter role to delegate invitations. |
4 | 4 |
|
5 | 5 | services: active-directory
|
6 | 6 | ms.service: active-directory
|
7 | 7 | ms.subservice: B2B
|
8 | 8 | ms.topic: conceptual
|
9 |
| -ms.date: 12/14/2018 |
| 9 | +ms.date: 04/11/2019 |
10 | 10 |
|
11 | 11 | ms.author: mimart
|
12 | 12 | author: msmimart
|
13 |
| -manager: daveba |
14 |
| -ms.reviewer: sasubram |
| 13 | +manager: celested |
| 14 | +ms.reviewer: mal |
15 | 15 |
|
16 | 16 | ms.collection: M365-identity-device-management
|
17 | 17 | ---
|
18 | 18 |
|
19 |
| -# Delegate invitations for Azure Active Directory B2B collaboration |
| 19 | +# Enable B2B external collaboration and manage who can invite guests |
20 | 20 |
|
21 |
| -With Azure Active Directory (Azure AD) business-to-business (B2B) collaboration, you do not have to be a global admin to send invitations. Instead, you can use policies and delegate invitations to users whose roles allow them to send invitations. An important new way to delegate guest user invitations is through the Guest Inviter role. |
| 21 | +This article describes how to enable Azure Active Directory (Azure AD) B2B collaboration and determine who can invite guests. By default, all users and guests in your directory can invite guests even if they're not assigned to an admin role. External collaboration settings let you turn guest invitations on or off for different types of users in your organization. You can also delegate invitations to individual users by assigning roles that allow them to invite guests. |
22 | 22 |
|
23 |
| -## Guest Inviter role |
24 |
| -We can assign the user to Guest Inviter role to send invitations. You don't have to be member of the global admin role to send invitations. By default, regular users can also invoke the invite API unless a global admin disabled invitations for regular users. A user can also invoke the API using the Azure portal or PowerShell. |
| 23 | +## Configure B2B external collaboration settings |
25 | 24 |
|
26 |
| -Here's an example that shows how to use PowerShell to add a user to the Guest Inviter role: |
| 25 | +With Azure AD B2B collaboration, a tenant admin can set the following invitation policies: |
27 | 26 |
|
28 |
| -``` |
29 |
| -Add-MsolRoleMember -RoleObjectId 95e79109-95c0-4d8e-aee3-d01accf2d47b -RoleMemberEmailAddress <RoleMemberEmailAddress> |
30 |
| -``` |
| 27 | +- Turn off invitations |
| 28 | +- Only admins and users in the Guest Inviter role can invite |
| 29 | +- Admins, the Guest Inviter role, and members can invite |
| 30 | +- All users, including guests, can invite |
31 | 31 |
|
32 |
| -## Control who can invite |
| 32 | +By default, all users, including guests, can invite guest users. |
33 | 33 |
|
34 |
| -In Azure Active Directory, select **User Settings**. Under **External users**, select **Manage External Collaboration Settings**. |
| 34 | +### To configure external collaboration settings: |
35 | 35 |
|
36 |
| -> [!NOTE] |
37 |
| -> The **External collaboration settings** are also available from the **Organizational relationships** page. In Azure Active Directory, under **Manage**, go to **Organizational relationships** > **Settings**. |
| 36 | +1. Sign in to the [Azure portal](https://portal.azure.com) as a tenant administrator. |
| 37 | +2. Select **Azure Active Directory** > **Users** > **User settings**. |
| 38 | +3. Under **External users**, select **Manage external collaboration settings**. |
| 39 | + > [!NOTE] |
| 40 | + > The **External collaboration settings** are also available from the **Organizational relationships** page. In Azure Active Directory, under **Manage**, go to **Organizational relationships** > **Settings**. |
| 41 | +4. On the **External collaboration settings** page, choose the policies you want to enable. |
38 | 42 |
|
39 |
| - |
| 43 | +  |
40 | 44 |
|
41 |
| -With Azure AD B2B collaboration, a tenant admin can set the following invitation policies: |
| 45 | + - **Guest users permissions are limited**: This policy determines permissions for guests in your directory. Select **Yes** to block guests from certain directory tasks, like enumerating users, groups, or other directory resources. Select **No** to give guests the same access to directory data as regular users in your directory. |
| 46 | + - **Admins and users in the guest inviter role can invite**: To allow admins and users in the "Guest Inviter" role to invite guests, set this policy to **Yes**. |
| 47 | + - **Members can invite**: To allow non-admin members of your directory to invite guests, set this policy to **Yes**. |
| 48 | + - **Guests can invite**: To allow guests to invite other guests, set this policy to **Yes**. |
| 49 | + - **Enable Email One-Time Passcode for guests (Preview)**: For more information about the one-time passcode feature, see [Email one-time passcode authentication (preview)](one-time-passcode.md). |
| 50 | + - **Collaboration restrictions**: For more information about allowing or blocking invitations to specific domains, see [Allow or block invitations to B2B users from specific organizations](allow-deny-list.md). |
42 | 51 |
|
43 |
| -- Turn off invitations |
44 |
| -- Only admins and users in the Guest Inviter role can invite |
45 |
| -- Admins, the Guest Inviter role, and members can invite |
46 |
| -- All users, including guests, can invite |
| 52 | +## Assign the Guest Inviter role to a user |
| 53 | + |
| 54 | +With the Guest Inviter role, you can give individual users the ability to invite guests without assigning them a global administrator or other admin role. Assign the Guest inviter role to individuals. Then make sure you set **Admins and users in the guest inviter role can invite** to **Yes**. |
47 | 55 |
|
48 |
| -By default, tenants are set to #4. (All users, including guests, can invite B2B users.) |
| 56 | +Here's an example that shows how to use PowerShell to add a user to the Guest Inviter role: |
| 57 | + |
| 58 | +``` |
| 59 | +Add-MsolRoleMember -RoleObjectId 95e79109-95c0-4d8e-aee3-d01accf2d47b -RoleMemberEmailAddress <RoleMemberEmailAddress> |
| 60 | +``` |
49 | 61 |
|
50 | 62 | ## Next steps
|
51 | 63 |
|
|
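Review bot: The four invitation policies listed at new lines 27-30 are never mapped to the Yes/No toggles described at new lines 46-48, so a reader who wants "Turn off invitations" or "Only admins and users in the Guest Inviter role can invite" has to guess which toggles to set to **No**. Because the stated default lets all users, including guests, invite, suggest adding a short mapping after step 4 that spells out the toggle combination for each of the four policies, and noting in "Assign the Guest Inviter role to a user" which of the other toggles must be **No** for the role assignment to actually restrict who can invite; that section currently only says to set **Admins and users in the guest inviter role can invite** to **Yes**. Minor: new line 54 writes "Guest inviter role" where the rest of the page uses "Guest Inviter role", and the PowerShell fence at new lines 58-60 has no language tag.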