Azure AD B2C: Frequently asked questions (FAQ)

This page answers frequently asked questions about Azure Active Directory B2C (Azure AD B2C). Keep checking back for updates.

Why can't I access the Azure AD B2C extension in the Azure portal?

There are two common reasons why the Azure AD extension is not working for you. Azure AD B2C requires your user role in the directory to be global administrator. Contact your administrator if you think you should have access. If you have global administrator privileges, make sure that you are in an Azure AD B2C directory and not an Azure Active Directory directory. You can see instructions for creating an Azure AD B2C tenant.

Can I use Azure AD B2C features in my existing, employee-based Azure AD tenant?

Azure AD and Azure AD B2C are separate product offerings and cannot coexist in the same tenant. An Azure AD tenant represents an organization. An Azure AD B2C tenant represents a collection of identities to be used with relying party applications. By adding a New OpenID Connect provider under Azure AD B2C > Identity providers, or by using custom policies, Azure AD B2C can federate to Azure AD, allowing authentication of employees in an organization.

What are local accounts in Azure AD B2C? How are they different from work or school accounts in Azure AD?

In an Azure AD tenant, users that belong to the tenant sign in with an email address of the form <xyz>@<tenant domain>. The <tenant domain> is one of the verified domains in the tenant or the initial <...>.partner.onmschina.cn domain. This type of account is a work or school account.

In an Azure AD B2C tenant, most apps want the user to sign in with any arbitrary email address (for example, joe@comcast.net, bob@gmail.com, sarah@contoso.com, or jim@live.com). This type of account is a local account. We also support arbitrary user names as local accounts (for example, joe, bob, sarah, or jim). You can choose one of these two local account types when configuring identity providers for Azure AD B2C in the Azure portal. In your Azure AD B2C tenant, select Identity providers, select Local account, and then select Username.

User accounts for applications can be created through a sign-up user flow, a sign-up or sign-in user flow, the Microsoft Graph API, or in the Azure portal.

Which social identity providers do you support now? Which ones do you plan to support in the future?

We currently support several social identity providers, including QQ (preview), WeChat (preview), and Weibo (preview). We evaluate adding support for other popular social identity providers based on customer demand.

Azure AD B2C also supports custom policies. Custom policies allow you to create your own policy for any identity provider that supports OpenID Connect or SAML. Get started with custom policies by checking out our custom policy starter pack.

Does my application have to run on Azure for it to work with Azure AD B2C?

No, you can host your application anywhere (in the cloud or on-premises). All it needs to interact with Azure AD B2C is the ability to send and receive HTTP requests on publicly accessible endpoints.

I have multiple Azure AD B2C tenants. How can I manage them in the Azure portal?

Before opening 'Azure AD B2C' in the left side menu of the Azure portal, you must switch into the directory you want to manage. Switch directories by clicking your identity in the upper right of the Azure portal, then choose a directory in the drop-down that appears.

How can I migrate my existing user names, passwords, and profiles from my database to Azure AD B2C?

You can use the Microsoft Graph API to write your migration tool. See the User migration guide for details.

What password user flow is used for local accounts in Azure AD B2C?

The Azure AD B2C password user flow for local accounts is based on the policy for Azure AD. Azure AD B2C's sign-up, sign-up or sign-in, and password reset user flows use the "strong" password strength and don't expire any passwords. For more details, see Password policies and restrictions in Azure Active Directory.

For information about account lockouts and passwords, see Manage threats to resources and data in Azure Active Directory B2C.

Can I use Azure AD Connect to migrate consumer identities that are stored in my on-premises Active Directory to Azure AD B2C?

No, Azure AD Connect is not designed to work with Azure AD B2C. Consider using the Microsoft Graph API for user migration. See the User migration guide for details.

Can my app open Azure AD B2C pages within an iFrame?

No, for security reasons, Azure AD B2C pages cannot be opened within an iFrame. Our service communicates with the browser to prohibit iFrames. The security community in general, and the OAuth 2.0 specification in particular, recommend against using iFrames for identity experiences because of the risk of clickjacking.
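As an added illustration of the anti-framing behaviour the answer above refers to (example code written for this page, not Microsoft's or the B2C service's own implementation), the following Python evaluates a response's anti-framing headers the way a browser would, honouring a CSP frame-ancestors directive first and falling back to X-Frame-Options. The header sets and origins are constructed for the example, not captured from Azure AD B2C.

```python
from urllib.parse import urlparse

# Constructed sample header sets; not captured from Azure AD B2C.
PROTECTED = {"Content-Security-Policy": "frame-ancestors 'none'",
             "X-Frame-Options": "DENY"}
UNPROTECTED = {"Content-Type": "text/html"}


def _source_matches(source, origin):
    """Match one CSP host/scheme source expression (lower-cased) against an origin URL."""
    o = urlparse(origin)
    if source == "*":
        return True
    if source.endswith(":"):                      # scheme-source such as https:
        return o.scheme == source[:-1]
    scheme, _, rest = source.rpartition("://")    # scheme is "" when absent
    host = rest.split("/")[0].split(":")[0]       # drop any path and port
    if scheme and scheme != o.scheme:
        return False
    if host.startswith("*."):                     # *.contoso.com matches app.contoso.com
        return (o.hostname or "").endswith(host[1:])
    return o.hostname == host


def can_be_framed(headers, page_origin, framer_origin):
    """True if a browser honouring these response headers would let framer_origin embed the page."""
    h = {k.lower(): v for k, v in headers.items()}
    page_origin, framer_origin = page_origin.lower(), framer_origin.lower()
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        # A frame-ancestors directive overrides X-Frame-Options in browsers that support it.
        for src in parts[1:]:
            s = src.strip("'").lower()
            if s == "none":
                return False
            if s == "self" and framer_origin == page_origin:
                return True
            if s != "self" and _source_matches(s, framer_origin):
                return True
        return False                              # no listed source allowed this framer
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin == page_origin
    return True                                   # no anti-framing header: any site may embed
```

Running the check against a captured response from your own identity pages (for example with a test client that records headers) tells you whether the framing protection the FAQ describes is actually reaching the browser.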

Does Azure AD B2C work with CRM systems such as Microsoft Dynamics?

Integration with Microsoft Dynamics 365 Portal is available. See Configuring Dynamics 365 Portal to use Azure AD B2C for authentication.

Does Azure AD B2C work with SharePoint on-premises 2016 or earlier?

Azure AD B2C is not meant for the SharePoint external partner-sharing scenario; see Azure AD B2B instead.

Should I use Azure AD B2C or B2B to manage external identities?

Read Compare B2B collaboration and B2C in Azure AD to learn more about applying the appropriate features to your external identity scenarios.

What reporting and auditing features does Azure AD B2C provide? Are they the same as in Azure AD Premium?

No, Azure AD B2C does not support the same set of reports as Azure AD Premium. However, there are many commonalities:

  • Sign-in reports provide a record of each sign-in with reduced details.
  • Audit reports include both admin activity and application activity.
  • Usage reports include the number of users, the number of logins, and the volume of MFA.

Can I localize the UI of pages served by Azure AD B2C? What languages are supported?

Yes, see language customization. We provide translations for 36 languages, and you can override any string to suit your needs.

Can I use my own URLs on my sign-up and sign-in pages that are served by Azure AD B2C? For instance, can I change the URL from contoso.b2clogin.cn to login.contoso.com?

Not currently. This feature is on our roadmap. Verifying your domain in the Domains tab in the Azure portal does not accomplish this goal. However, with b2clogin.cn we offer a neutral top-level domain, so the external appearance can be implemented without mentioning Microsoft.

How do I delete my Azure AD B2C tenant?

Follow these steps to delete your Azure AD B2C tenant.

You can use our new unified App registrations experience or our legacy Applications (Legacy) experience. Learn more about the new experience.

  1. Sign in to the Azure portal as the Subscription Administrator. Use the same work or school account that you used to sign up for Azure.
  2. Select the Directory + subscription filter in the top menu, and then select the directory that contains your Azure AD B2C tenant.
  3. In the left menu, select Azure AD B2C. Or, select All services, then search for and select Azure AD B2C.
  4. Delete all User flows (policies) in your Azure AD B2C tenant.
  5. Select App registrations, then select the All applications tab.
  6. Delete all applications that you registered.
  7. Delete the b2c-extensions-app.
  8. Under Manage, select Users.
  9. Select each user in turn (excluding the Subscription Administrator user you are currently signed in as). Select Delete at the bottom of the page and select Yes when prompted.
  10. Select Azure Active Directory on the left-hand menu.
  11. Under Manage, select User settings.
  12. If present, under LinkedIn account connections, select No, then select Save.
  13. Under Manage, select Properties.
  14. Under Access management for Azure resources, select Yes, and then select Save.
  15. Sign out of the Azure portal and then sign back in to refresh your access.
  16. Select Azure Active Directory on the left-hand menu.
  17. On the Overview page, select Delete tenant. Follow the on-screen instructions to complete the process.

Can I get Azure AD B2C as part of Enterprise Mobility Suite?

No, Azure AD B2C is a pay-as-you-go Azure service and is not part of Enterprise Mobility Suite.

How do I report issues with Azure AD B2C?

See File support requests for Azure Active Directory B2C.