Manage user data in Azure Active Directory B2C

This article discusses how you can manage user data in Azure Active Directory B2C (Azure AD B2C) by using the operations that are provided by the Microsoft Graph API. Managing user data includes deleting user data and exporting it, including the data held in the audit logs.

Note

This article provides steps for how to delete personal data from the device or service and can be used to support your obligations under the GDPR. If you're looking for general info about GDPR, see the GDPR section of the Service Trust portal.

Delete user data

User data is stored in the Azure AD B2C directory and in the audit logs. All user audit data is retained for 7 days in Azure AD B2C. If you want to delete user data within that 7-day period, you can use the Microsoft Graph Delete a user operation. A DELETE operation is required for each of the Azure AD B2C tenants where data might reside.

Every user in Azure AD B2C is assigned an object ID. The object ID provides an unambiguous identifier for you to use to delete user data in Azure AD B2C. Depending on your architecture, the object ID can be a useful correlation identifier across other services, such as financial, marketing, and customer relationship management databases.

The most accurate way to get the object ID for a user is to obtain it as part of an authentication journey with Azure AD B2C. If you receive a valid request for data from a user by using other methods, an offline process, such as a search by a customer service support agent, might be necessary to find the user and note the associated object ID.

The following example shows a possible data-deletion flow:

  1. The user signs in and selects Delete my data.
  2. The application offers the option to delete the data within an administration section of the application.
  3. The application forces an authentication to Azure AD B2C. Azure AD B2C provides a token that carries the object ID of the user back to the application.
  4. The application receives the token and uses the object ID to delete the user data through a call to the Microsoft Graph API. The Microsoft Graph API deletes the user and returns a status code of 204 No Content.
  5. The application orchestrates the deletion of user data in other organizational systems as needed by using the object ID or other identifiers.
  6. The application confirms the deletion of data and provides next steps to the user.

Export customer data

The process of exporting customer data from Azure AD B2C is similar to the deletion process.

Azure AD B2C user data is limited to:

  • Data stored in Azure Active Directory: You can retrieve data in an Azure AD B2C authentication user journey by using the object ID or any sign-in name, such as an email address or username.
  • User-specific audit events report: You can index the data by using the object ID.

In the following example of an export data flow, the steps that are described as being performed by the application can also be performed by either a backend process or a user with an administrator role in the directory:

  1. The user signs in to the application. Azure AD B2C enforces authentication with Azure Multi-Factor Authentication if needed.
  2. The application uses the user credentials to call a Microsoft Graph API operation to retrieve the user attributes. The Microsoft Graph API provides the attribute data in JSON format. Depending on the schema, you can set the ID token contents to include all personal data about a user.
  3. The application retrieves the user audit activity. The Microsoft Graph API provides the event data to the application.
  4. The application aggregates the data and makes it available to the user.
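The following script is an added example, not code from this article or from Microsoft, that implements the Graph calls behind both flows above: the export steps (profile attributes plus the B2C audit events that name the user's object ID) and the deletion step, followed by a permanent purge. It assumes an access token obtained with the client-credentials flow (for example through MSAL) for an app registration in the B2C tenant that holds the application permissions User.ReadWrite.All and AuditLog.Read.All; check the Graph permission reference for the exact set your tenant requires. The object ID is assumed to come from an ID token whose signature, issuer, audience and expiry were already validated, because a forged or unverified token could name someone else's object ID for deletion. HTTP goes through a pluggable `send` callable, so the flows also run offline against the constructed fake tenant at the bottom of the file; the `fake_*` names, `OID`, and the audit events are made up for the demo.

```python
"""Added example, not Microsoft's code: delete or export an Azure AD B2C user's data
through Microsoft Graph. Assumes a client-credentials access token for an app
registration holding User.ReadWrite.All and AuditLog.Read.All (assumed permission set).
HTTP goes through a pluggable `send` callable so the flows also run offline."""
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def http_send(method, url, headers):
    """Default transport: one HTTPS request -> (status, body bytes); errors are not raised."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class GraphClient:
    def __init__(self, access_token, send=http_send):
        self._headers = {"Authorization": "Bearer " + access_token, "Accept": "application/json"}
        self._send = send

    def _call(self, method, path_or_url, params=None):
        url = path_or_url if path_or_url.startswith("http") else GRAPH + path_or_url
        if params:
            url += "?" + urllib.parse.urlencode(params)
        return self._send(method, url, self._headers)

    def delete_user(self, object_id):
        """Deletion step 4: DELETE /users/{id}. Graph answers 204 No Content, not 200.
        This is a soft delete: the user stays restorable under /directory/deletedItems
        for 30 days unless purge_deleted_user() is also called."""
        status, body = self._call("DELETE", f"/users/{object_id}")
        if status == 204:
            return True
        if status == 404:
            return False  # already gone: idempotent, so a retry is harmless
        raise RuntimeError(f"delete failed: HTTP {status} {body[:200]!r}")

    def purge_deleted_user(self, object_id):
        """Permanently remove a soft-deleted user from the deleted-items container."""
        status, body = self._call("DELETE", f"/directory/deletedItems/{object_id}")
        if status not in (204, 404):
            raise RuntimeError(f"purge failed: HTTP {status} {body[:200]!r}")
        return status == 204

    def export_user(self, object_id):
        """Export steps 2-3: profile attributes plus every B2C audit event that lists this
        object ID as a target resource, following @odata.nextLink across pages."""
        status, body = self._call("GET", f"/users/{object_id}")
        if status != 200:
            raise RuntimeError(f"user lookup failed: HTTP {status}")
        profile, events = json.loads(body), []
        url, params = "/auditLogs/directoryAudits", {"$filter": "loggedByService eq 'B2C'"}
        while url:
            status, body = self._call("GET", url, params)
            if status != 200:
                raise RuntimeError(f"audit query failed: HTTP {status}")
            page = json.loads(body)
            events += [e for e in page.get("value", [])
                       if any(t.get("id") == object_id for t in e.get("targetResources", []))]
            url, params = page.get("@odata.nextLink"), None  # nextLink is a full URL
        return {"profile": profile, "auditEvents": events}


# --- Constructed fake tenant so the example runs offline; none of this is real Graph data ---
OID = "11111111-2222-3333-4444-555555555555"
FAKE_USER = {"id": OID, "displayName": "Example User"}
FAKE_AUDIT_PAGES = {  # keyed by $skiptoken; two pages so nextLink handling is exercised
    None: {"value": [{"id": "ev-1", "targetResources": [{"id": OID}]},
                     {"id": "ev-2", "targetResources": [{"id": "someone-else"}]}],
           "@odata.nextLink": GRAPH + "/auditLogs/directoryAudits?$skiptoken=p2"},
    "p2": {"value": [{"id": "ev-3", "targetResources": [{"id": OID}]}]},
}
STATE = {"active": True, "soft_deleted": False}


def fake_send(method, url, headers):
    """Stand-in for Graph that answers with the status codes the real service uses."""
    assert headers["Authorization"].startswith("Bearer ")
    path, _, query = url[len(GRAPH):].partition("?")
    if path == f"/users/{OID}" and STATE["active"]:
        if method == "DELETE":
            STATE.update(active=False, soft_deleted=True)
            return 204, b""
        return 200, json.dumps(FAKE_USER).encode()
    if path == f"/directory/deletedItems/{OID}" and method == "DELETE" and STATE["soft_deleted"]:
        STATE["soft_deleted"] = False
        return 204, b""
    if path == "/auditLogs/directoryAudits":
        token = dict(urllib.parse.parse_qsl(query)).get("$skiptoken")
        return 200, json.dumps(FAKE_AUDIT_PAGES[token]).encode()
    return 404, b'{"error":{"code":"Request_ResourceNotFound"}}'


def run_demo():
    """Export first so the user keeps a copy, then delete, then purge; returns all three."""
    client = GraphClient("fake-token", send=fake_send)
    export = client.export_user(OID)
    return export, client.delete_user(OID), client.purge_deleted_user(OID)
```

Against a real tenant, replace `fake_send` with the default transport and pass a genuine token; the audit query then pages through up to 7 days of B2C events and keeps only those whose target resources include the object ID, which is why the export is run before the delete. Treating a 404 on delete as success keeps the flow idempotent across retries, and the separate purge call is what turns the 30-day soft delete into a permanent one.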

Next steps

To learn how to manage how users access your application, see Manage user access.