Technical and feature overview of Azure Active Directory B2C

A companion to About Azure Active Directory B2C, this article provides a more in-depth introduction to the service. It covers the primary resources you work with in the service, its features, and how those features let you provide a fully custom identity experience for the customers of your applications.

Azure AD B2C tenant

In Azure Active Directory B2C (Azure AD B2C), a tenant represents your organization and is a directory of users. Each Azure AD B2C tenant is distinct and separate from other Azure AD B2C tenants. An Azure AD B2C tenant is also different from an Azure Active Directory tenant, which you may already have.

The primary resources you work with in an Azure AD B2C tenant are:

  • Directory - The directory is where Azure AD B2C stores your users' credentials and profile data, as well as your application registrations.
  • Application registrations - You register your web, mobile, and native applications with Azure AD B2C to enable identity management, along with any APIs you want to protect with Azure AD B2C.
  • User flows and custom policies - The built-in (user flows) and fully customizable (custom policies) identity experiences for your applications.
    • Use user flows for quick configuration and enablement of common identity tasks like sign-up, sign-in, and profile editing.
    • Use custom policies to enable user experiences not only for the common identity tasks, but also to build support for complex identity workflows unique to your organization, customers, employees, partners, and citizens.
  • Identity providers - Federation settings for:
    • Social identity providers like LinkedIn that you want to support in your applications.
    • External identity providers that support standard identity protocols like OAuth 2.0, OpenID Connect, and more.
    • Local accounts that let users sign up and sign in with a username (or email address or other ID) and password.
  • Keys - Add and manage the cryptographic keys used for signing and validating tokens, client secrets, certificates, and passwords.

An Azure AD B2C tenant is the first resource you need to create to get started with Azure AD B2C. Learn how in Tutorial: Create an Azure Active Directory B2C tenant.

Accounts in Azure AD B2C

Azure AD B2C defines several types of user accounts. Azure Active Directory, Azure Active Directory B2B, and Azure Active Directory B2C share these account types.

  • Work account - Users with work accounts can manage resources in a tenant and, with an administrator role, can also manage the tenant itself. Users with work accounts can create new consumer accounts, reset passwords, block or unblock accounts, and set permissions or assign an account to a security group.
  • Guest account - External users you invite to your tenant as guests. A typical reason for inviting a guest user to your Azure AD B2C tenant is to share administration responsibilities.
  • Consumer account - Consumer accounts are the accounts created in your Azure AD B2C directory when users complete the sign-up user journey in an application you've registered in your tenant.

Figure: User directory within an Azure AD B2C tenant in the Azure portal (Azure AD B2C user management page)

Consumer accounts

With a consumer account, users can sign in to the applications that you've secured with Azure AD B2C. Users with consumer accounts can't, however, access Azure resources such as the Azure portal.

A consumer account can be associated with these identity types:

  • Local identity, with the username and password stored locally in the Azure AD B2C directory. We often refer to these identities as "local accounts."
  • Social or enterprise identity, where the identity of the user is managed by a federated identity provider like Microsoft, ADFS, or Salesforce.

A user with a consumer account can sign in with multiple identities, for example username, email, employee ID, government ID, and others. A single account can have multiple identities, both local and social.

Figure: A single consumer account with multiple identities in Azure AD B2C

Azure AD B2C lets you manage common attributes of consumer account profiles like display name, surname, given name, city, and others. You can also extend the Azure AD schema to store additional information about your users, for example their country/region or residency, preferred language, and preferences such as whether they want to subscribe to a newsletter or enable multi-factor authentication.

Learn more about the user account types in Azure AD B2C in Overview of user accounts in Azure Active Directory B2C.

External identity providers

You can configure Azure AD B2C to allow users to sign in to your application with credentials from external social or enterprise identity providers (IdPs). Azure AD B2C supports a set of pre-integrated external identity providers as well as any identity provider that supports the OAuth 1.0, OAuth 2.0, OpenID Connect, or SAML protocols.

With external identity provider federation, you can offer your consumers the ability to sign in with their existing social or enterprise accounts, without having to create a new account just for your application.

On the sign-up or sign-in page, Azure AD B2C presents a list of external identity providers the user can choose for sign-in. Once they select one of the external identity providers, they're redirected to the selected provider's website to complete the sign-in process. After the user successfully signs in, they're returned to Azure AD B2C, which authenticates the account for your application.

Identity experiences: user flows or custom policies

The extensible policy framework of Azure AD B2C is its core strength. Policies describe your users' identity experiences, such as sign-up, sign-in, and profile editing.

In Azure AD B2C, there are two primary paths you can take to provide these identity experiences: user flows and custom policies.

  • User flows are predefined, built-in, configurable policies that Microsoft provides so you can create sign-up, sign-in, and profile editing experiences in minutes.

  • Custom policies enable you to create your own user journeys for complex identity experience scenarios.

Both user flows and custom policies are powered by the Identity Experience Framework, Azure AD B2C's policy orchestration engine.

User flow

To help you quickly set up the most common identity tasks, the Azure portal includes several predefined and configurable policies called user flows.

You can configure user flow settings like these to control identity experience behaviors in your applications:

  • Account types used for sign-in, such as social accounts or local accounts that use an email address and password
  • Attributes to be collected from the consumer, such as first name, postal code, or country/region of residency
  • Azure Multi-Factor Authentication (MFA)
  • Customization of the user interface
  • The set of claims in the token your application receives after the user completes the user flow
  • Session management
  • ...and more.

The most common identity scenarios for the majority of mobile, web, and single-page applications can be defined and implemented effectively with user flows. We recommend that you use the built-in user flows unless you have complex user journey scenarios that require the full flexibility of custom policies.

Learn more about user flows in User flows in Azure Active Directory B2C.

Custom policy

Custom policies unlock access to the full power of the Identity Experience Framework (IEF) orchestration engine. With custom policies, you can use IEF to build almost any authentication, user registration, or profile editing experience that you can imagine.

The Identity Experience Framework lets you construct user journeys from any combination of steps. For example:

  • Federate with other identity providers
  • Issue first- and third-party multi-factor authentication (MFA) challenges
  • Collect any user input
  • Integrate with external systems using REST API communication

Each such user journey is defined by a policy, and you can build as many or as few policies as you need to enable the best user experience for your organization.

Figure: Example of a complex user journey enabled by the Identity Experience Framework

A custom policy is defined by several XML files that refer to each other in a hierarchical chain. The XML elements define the claims schema, claims transformations, content definitions, claims providers, technical profiles, user journey orchestration steps, and other aspects of the identity experience.

The flexibility of custom policies is most appropriate when you need to build complex identity scenarios. Developers configuring custom policies must define the trust relationships in careful detail, including metadata endpoints and exact claims-exchange definitions, and must configure the secrets, keys, and certificates that each identity provider requires.

Learn more about custom policies in Custom policies in Azure Active Directory B2C.

Protocols and tokens

  • For applications, Azure AD B2C supports the OAuth 2.0, OpenID Connect, and SAML protocols for user journeys. Your application starts the user journey by issuing authentication requests to Azure AD B2C. The result of a request to Azure AD B2C is a security token, such as an ID token, access token, or SAML token. This security token defines the user's identity within the application.

  • For external identities, Azure AD B2C supports federation with any OAuth 1.0, OAuth 2.0, OpenID Connect, or SAML identity provider.

The two sides are independent: the protocol between your application and Azure AD B2C does not have to match the protocol between Azure AD B2C and the identity provider. For example, an application that uses OpenID Connect can let users sign in with a SAML identity provider:

  1. The relying party application initiates an authorization request to Azure AD B2C using OpenID Connect.
  2. When a user of the application chooses to sign in with an external identity provider that uses the SAML protocol, Azure AD B2C invokes the SAML protocol to communicate with that identity provider.
  3. After the user completes the sign-in operation with the external identity provider, Azure AD B2C returns the token to the relying party application using OpenID Connect.

Application integration

When a user wants to sign in to your application, whether it's a web, mobile, desktop, or single-page application (SPA), the application initiates an authorization request to the endpoint provided by a user flow or custom policy. The user flow or custom policy defines and controls the user's experience. When the user completes the flow, for example the sign-up or sign-in flow, Azure AD B2C generates a token and redirects the user back to your application.

Figure: Mobile app with arrows showing the flow between Azure AD B2C sign-in pages

Multiple applications can use the same user flow or custom policy, and a single application can use multiple user flows or custom policies.

For example, to sign in to an application, the application uses the sign-up or sign-in user flow. After the user has signed in, they may want to edit their profile, so the application initiates another authorization request, this time using the profile edit user flow.
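The request and token handling described in the two sections above, as an added example (not code from the article or from Microsoft's B2C samples). It builds the OpenID Connect authorization request for a user flow endpoint with PKCE, checks the `state` on the callback, and validates the claims of the returned ID token. The tenant name, tenant ID, client ID, policy name and redirect URI are made-up placeholders; the issuer format, the policy-specific `/discovery/v2.0/keys` endpoint and the `tfp` claim follow Azure AD B2C's documented token layout. Signature verification against the policy's JWKS is required before these claims can be trusted and is deliberately left to a JOSE library.

```python
# Added example (not code from the Azure AD B2C documentation): build an
# OpenID Connect authorization request against a B2C user flow endpoint and
# validate the claims of the ID token that comes back. Tenant name, tenant ID,
# client ID, policy name and redirect URI are made-up placeholders.
import base64
import hashlib
import json
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

TENANT = "contosob2c"                                # <tenant>.onmicrosoft.com (placeholder)
TENANT_ID = "11111111-2222-3333-4444-555555555555"   # directory (tenant) GUID (placeholder)
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # application (client) ID (placeholder)
POLICY = "B2C_1_signupsignin1"                        # user flow name (placeholder)
REDIRECT_URI = "https://app.example.com/auth/callback"

# B2C tokens name the tenant GUID in 'iss'; the user flow that issued the token is in 'tfp'.
EXPECTED_ISSUER = f"https://{TENANT}.b2clogin.com/{TENANT_ID}/v2.0/"
# Each policy publishes its own signing keys; verify token signatures against this URL.
JWKS_URL = f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/{POLICY}/discovery/v2.0/keys"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def pkce_pair() -> tuple:
    """RFC 7636 PKCE: random verifier kept server-side, S256 challenge sent in the request."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


def build_authorize_url(state: str, nonce: str, code_challenge: str) -> str:
    """Authorization request to the policy-specific endpoint (authorization code flow)."""
    base = (f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/"
            f"{POLICY}/oauth2/v2.0/authorize")
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",          # code + PKCE rather than the implicit flow
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": "openid offline_access",
        "state": state,                   # ties the callback to this browser session (CSRF)
        "nonce": nonce,                   # must come back inside the ID token (replay)
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{base}?{urlencode(params)}"


def parse_callback(url: str, expected_state: str) -> str:
    """Return the authorization code only if the callback carries the state we issued."""
    qs = parse_qs(urlparse(url).query)
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or a mixed-up session")
    return qs["code"][0]


def decode_jwt_payload(token: str) -> dict:
    """Decode (not verify) the payload segment. The signature must be verified against
    JWKS_URL before any of these claims are trusted; that step needs a JOSE library."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def validate_id_token_claims(claims: dict, expected_nonce: str, now: Optional[float] = None) -> dict:
    """Checks the application must make itself even after the signature verifies."""
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("issuer mismatch: token is from another tenant")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("audience mismatch: token was minted for another app")
    # 'tfp' (older configurations: 'acr') names the user flow that issued the token. A token
    # from a different flow may lack the claims this app relies on, so pin it.
    if claims.get("tfp", claims.get("acr")) != POLICY:
        raise ValueError("token issued by a different user flow or policy")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: possible replayed token")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    return claims


def id_token_is_valid(claims: dict, expected_nonce: str, now: Optional[float] = None) -> bool:
    try:
        validate_id_token_claims(claims, expected_nonce, now)
        return True
    except ValueError:
        return False


def demo_roundtrip() -> dict:
    """Walk the flow end to end with a constructed, unsigned ID token."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    verifier, challenge = pkce_pair()
    authorize_url = build_authorize_url(state, nonce, challenge)      # send the browser here
    callback = f"{REDIRECT_URI}?code=fake-auth-code&state={state}"    # what B2C redirects back with
    code = parse_callback(callback, state)
    # The token endpoint would receive 'code' and 'verifier'; the ID token payload it would
    # return is fabricated below (constructed data, signature segment omitted).
    now = int(time.time())
    payload = {"iss": EXPECTED_ISSUER, "aud": CLIENT_ID, "tfp": POLICY, "nonce": nonce,
               "sub": "00000000-0000-0000-0000-000000000001", "nbf": now - 60,
               "exp": now + 3600, "emails": ["user@example.com"]}
    fake_id_token = "e30." + b64url(json.dumps(payload).encode()) + ".signature"
    assert code and authorize_url and verifier
    return validate_id_token_claims(decode_jwt_payload(fake_id_token), nonce)
```

Because every policy has its own authorize endpoint and its own key set, an application that uses several user flows (sign-in plus profile edit, as in the paragraph above) keeps one `POLICY`/`JWKS_URL` pair per flow and pins the `tfp` claim of each token to the flow it expected.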

Seamless user experiences

In Azure AD B2C, you can craft your users' identity experiences so that the pages they're shown blend seamlessly with the look and feel of your brand. You get nearly full control of the HTML and CSS content presented to your users as they proceed through your application's identity journeys. With this flexibility, you can maintain brand and visual consistency between your application and Azure AD B2C.

Figure: Screenshot of a sign-up/sign-in page customized for a brand

For information on UI customization, see About user interface customization in Azure Active Directory B2C.

Localization

Language customization in Azure AD B2C lets you accommodate different languages to suit your customers' needs. Microsoft provides translations for 36 languages, but you can also provide your own translations for any language. Even if your experience is offered in only a single language, you can customize any text on the pages.

See how localization works in Language customization in Azure Active Directory B2C.

Add your own business logic

If you choose to use custom policies, you can integrate with a RESTful API in a user journey to add your own business logic to the journey. For example, Azure AD B2C can exchange data with a RESTful service to:

  • Display custom, user-friendly error messages.
  • Validate user input to prevent malformed data from persisting in your user directory. The service can also modify the data the user entered, for example capitalizing a first name that was typed in all lowercase.
  • Enrich user data by integrating further with your corporate line-of-business applications.
  • Send push notifications, update corporate databases, run a user migration process, manage permissions, audit databases, and more.

Loyalty programs are another scenario enabled by Azure AD B2C's support for calling REST APIs. For example, your RESTful service can receive a user's email address, query your customer database, then return the user's loyalty number to Azure AD B2C. The returned data can be stored in the user's account in the Azure AD B2C directory, evaluated in later steps of the policy, or included in the access token.

Figure: Line-of-business integration in a mobile application

You can add a REST API call at any step in the user journey defined by a custom policy. For example, you can call a REST API:

  • During sign-in, just before Azure AD B2C validates the credentials
  • Immediately after sign-in
  • Before Azure AD B2C creates a new account in the directory
  • After Azure AD B2C creates a new account in the directory
  • Before Azure AD B2C issues an access token
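The service side of the REST API claims exchange described above, as an added example that is not part of the article or of Microsoft's samples. It covers the two cases the text names: input validation that returns a user-friendly error, and the loyalty-program lookup that returns extra claims. The handler is framework-agnostic (it takes the request headers and the JSON body Azure AD B2C posts and returns a status code and response body); the customer table, credential values and claim names are constructed. The response shapes follow B2C's documented contract: a `200` whose JSON keys become output claims, or a `409` with `version`/`status`/`userMessage`, which stops the step and shows `userMessage` to the user. The basic-auth check corresponds to the `AuthenticationType` Basic option of a RESTful technical profile, with the secret stored as a policy key rather than in the policy XML.

```python
# Added example (not from the article): a claims-exchange endpoint in the shape
# Azure AD B2C expects from a RESTful technical profile. Customer records,
# credentials and claim names are constructed sample data.
import base64
import hmac
import re
from typing import Optional

CUSTOMER_DB = {  # constructed: keyed by lower-cased email
    "jane.doe@example.com": {"loyaltyNumber": "LN-00042"},
}
API_USER = "b2c-claims-exchange"                            # assumption: stored as a B2C policy key
API_PASSWORD = "replace-with-secret-from-b2c-policy-keys"   # assumption: stored as a B2C policy key
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,63}")         # what we accept as a given name
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def basic_auth_header(user: str, password: str) -> str:
    """The Authorization header B2C sends when the technical profile uses Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(authorization_header: Optional[str]) -> bool:
    """Constant-time comparison; anything malformed is treated as unauthenticated."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization_header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = decoded.partition(":")
    return hmac.compare_digest(user, API_USER) and hmac.compare_digest(password, API_PASSWORD)


def error(status: int, user_message: str):
    # B2C renders 'userMessage' on the page and stops the journey step on 409 (or 400).
    return status, {"version": "1.0.0", "status": status, "userMessage": user_message}


def handle_claims_exchange(headers: dict, body: dict):
    """Input: the claims B2C posts as JSON (SendClaimsIn=Body). Output: (status, JSON body)."""
    if not check_basic_auth(headers.get("Authorization")):
        return 401, {"version": "1.0.0", "status": 401, "userMessage": "Unauthorized"}

    # Never trust claim values as-is: they are user input passed through B2C.
    email = str(body.get("email") or "").strip().lower()
    given_name = str(body.get("givenName") or "").strip()
    if not EMAIL_RE.fullmatch(email):
        return error(409, "Please enter a valid email address.")
    if not NAME_RE.fullmatch(given_name):
        return error(409, "First name may contain only letters, spaces, apostrophes and hyphens.")

    # Normalize the input (capitalize a lower-cased first name) and return it as a claim;
    # the policy's OutputClaims decide which keys are written back to the directory.
    claims = {"givenName": given_name[0].upper() + given_name[1:]}

    # Loyalty lookup: enrich the journey with data from the customer database.
    record = CUSTOMER_DB.get(email)
    if record:
        claims["loyaltyNumber"] = record["loyaltyNumber"]
    return 200, claims
```

A missing loyalty record is not an error here: the journey continues and the policy can branch on whether `loyaltyNumber` was returned. Validation failures, by contrast, must use the `409` body so that the user sees the message instead of a generic failure.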

To see how to use custom policies for RESTful API integration in Azure AD B2C, see Integrate REST API claims exchanges in your Azure AD B2C custom policy.

Protect customer identities

Azure AD B2C complies with the security, privacy, and other commitments described in the Azure Trust Center.

Sessions are modeled as encrypted data, with the decryption key known only to the Azure AD B2C Security Token Service. A strong encryption algorithm, AES-192, is used. All communication paths are protected with TLS for confidentiality and integrity, and the Security Token Service uses an Extended Validation (EV) certificate for TLS. In general, the Security Token Service mitigates cross-site scripting (XSS) attacks by not rendering untrusted input.

Figure: Diagram of protection for data in transit and data at rest

Access to user data

Azure AD B2C tenants share many characteristics with the enterprise Azure Active Directory tenants used for employees and partners. Shared aspects include the mechanisms for viewing administrative roles, assigning roles, and auditing activities.

You can assign roles to control who can perform certain administrative actions in Azure AD B2C, including:

  • Create and manage all aspects of user flows
  • Create and manage the attribute schema available to all user flows
  • Configure identity providers for use in direct federation
  • Create and manage trust framework policies (custom policies) in the Identity Experience Framework
  • Manage secrets for federation and encryption in the Identity Experience Framework (custom policies)

For more information about Azure AD roles, including Azure AD B2C administration role support, see Administrator role permissions in Azure Active Directory.

Multi-factor authentication (MFA)

Azure AD B2C multi-factor authentication (MFA) helps safeguard access to data and applications while keeping things simple for your users. It adds security by requiring a second form of authentication, and delivers strong authentication through a range of easy-to-use authentication methods. Whether your users are challenged for MFA depends on the configuration decisions you make as an administrator.

See how to enable MFA in user flows in Enable multi-factor authentication in Azure Active Directory B2C.

Smart account lockout

To prevent brute-force password guessing attempts, Azure AD B2C uses a sophisticated strategy to lock accounts based on the IP address of the request, the passwords entered, and several other factors. The duration of the lockout is automatically increased based on risk and the number of attempts.

Figure: Smart account lockout

For more information about managing password protection settings, see Manage threats to resources and data in Azure Active Directory B2C.

Password complexity

During sign-up or password reset, your users must supply a password that meets the complexity rules. By default, Azure AD B2C enforces a strong password policy. Azure AD B2C also provides configuration options for specifying the complexity requirements of the passwords your customers use.

You can configure password complexity requirements in both user flows and custom policies.

Auditing and logs

Azure AD B2C emits audit logs containing activity information about its resources, issued tokens, and administrator access. You can use these audit logs to understand platform activity and diagnose issues. Audit log entries become available soon after the activity that generated the event occurs.

In an audit log, which is available for your Azure AD B2C tenant or for a particular user, you can find information including:

  • Activities concerning the authorization of a user to access B2C resources (for example, an administrator accessing a list of B2C policies)
  • Activities related to directory attributes retrieved when an administrator signs in using the Azure portal
  • Create, read, update, and delete (CRUD) operations on B2C applications
  • CRUD operations on keys stored in a B2C key container
  • CRUD operations on B2C resources (for example, policies and identity providers)
  • Validation of user credentials and token issuance

Figure: Audit log for a single user shown in the Azure portal
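Two detections a security operations team would run over these audit entries once they are exported (for example to a SIEM), as an added example that is not part of the article. The records are constructed and borrow the field names of the Microsoft Graph `directoryAudit` resource (`activityDisplayName`, `category`, `operationType`, `result`, `initiatedBy`, `targetResources`); the activity names, categories and target types used here are illustrative assumptions, not a catalogue of the exact event names B2C emits, so map them to the real values in your tenant's export. The first rule flags writes to custom policies and key containers (the last two items of the list above) by anyone outside a change-control allowlist; the second groups failed credential validations (the last item) by source IP to surface password spraying that smart lockout may not yet have stopped.

```python
# Added example (not from the article): triage exported Azure AD B2C audit log
# entries. All records below are constructed; field names follow the Microsoft
# Graph directoryAudit resource, while activity names, categories and resource
# types are illustrative assumptions.
from collections import Counter

APPROVED_ADMINS = {"secops-admin@contosob2c.onmicrosoft.com"}   # assumption: change-control allowlist
SENSITIVE_CATEGORIES = {"Policy", "Key"}                          # assumption: custom policies, key containers
WRITE_OPERATIONS = {"Add", "Update", "Delete"}
FAILED_CREDENTIAL_THRESHOLD = 3


def _entry(ts, name, category, op, result, actor, ip, target, target_type):
    """One constructed audit record in directoryAudit-like shape."""
    return {
        "activityDateTime": ts, "activityDisplayName": name, "category": category,
        "operationType": op, "result": result,
        "initiatedBy": {"user": {"userPrincipalName": actor, "ipAddress": ip}},
        "targetResources": [{"displayName": target, "type": target_type}],
    }


AUDIT_LOG = [  # constructed sample data
    _entry("2024-05-01T08:00:00Z", "Update policy", "Policy", "Update", "success",
           "secops-admin@contosob2c.onmicrosoft.com", "198.51.100.10", "B2C_1A_signup_signin", "Policy"),
    _entry("2024-05-01T08:05:00Z", "Update policy", "Policy", "Update", "success",
           "contractor@contosob2c.onmicrosoft.com", "198.51.100.20", "B2C_1A_signup_signin", "Policy"),
    _entry("2024-05-01T08:06:00Z", "Update key container", "Key", "Update", "success",
           "contractor@contosob2c.onmicrosoft.com", "198.51.100.20", "B2C_1A_TokenSigningKeyContainer", "Key"),
    _entry("2024-05-01T08:07:00Z", "Get key container", "Key", "Other", "success",
           "contractor@contosob2c.onmicrosoft.com", "198.51.100.20", "B2C_1A_TokenSigningKeyContainer", "Key"),
    _entry("2024-05-01T09:00:00Z", "Validate local account credentials", "Authentication", "Other", "failure",
           "user1@example.com", "203.0.113.7", "user1@example.com", "User"),
    _entry("2024-05-01T09:00:05Z", "Validate local account credentials", "Authentication", "Other", "failure",
           "user2@example.com", "203.0.113.7", "user2@example.com", "User"),
    _entry("2024-05-01T09:00:09Z", "Validate local account credentials", "Authentication", "Other", "failure",
           "user3@example.com", "203.0.113.7", "user3@example.com", "User"),
    _entry("2024-05-01T09:10:00Z", "Validate local account credentials", "Authentication", "Other", "failure",
           "user4@example.com", "198.51.100.2", "user4@example.com", "User"),
    _entry("2024-05-01T09:11:00Z", "Validate local account credentials", "Authentication", "Other", "success",
           "user4@example.com", "198.51.100.2", "user4@example.com", "User"),
]


def flag_sensitive_changes(entries):
    """Writes to policies or key containers by anyone outside the allowlist.
    Reads (operationType 'Other') are deliberately not flagged here."""
    findings = []
    for e in entries:
        if e["category"] not in SENSITIVE_CATEGORIES or e["operationType"] not in WRITE_OPERATIONS:
            continue
        actor = e["initiatedBy"]["user"]["userPrincipalName"]
        if actor not in APPROVED_ADMINS:
            target = e["targetResources"][0]["displayName"]
            findings.append((e["activityDateTime"], actor, e["activityDisplayName"], target))
    return findings


def suspicious_source_ips(entries, threshold=FAILED_CREDENTIAL_THRESHOLD):
    """Source IPs with repeated failed credential validations; the account list shows
    whether one user is being brute-forced or many users are being sprayed."""
    failures = Counter()
    accounts = {}
    for e in entries:
        if e["category"] == "Authentication" and e["result"] == "failure":
            user = e["initiatedBy"]["user"]
            failures[user["ipAddress"]] += 1
            accounts.setdefault(user["ipAddress"], set()).add(user["userPrincipalName"])
    return {ip: {"failures": n, "accounts": sorted(accounts[ip])}
            for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    for finding in flag_sensitive_changes(AUDIT_LOG):
        print("sensitive change:", finding)
    for ip, detail in suspicious_source_ips(AUDIT_LOG).items():
        print("suspicious source:", ip, detail)
```

Keying the spray rule on the source IP rather than on the account is the point: smart lockout already protects each account individually, while a spray that tries one password against many accounts from one address produces few failures per account and is only visible when the entries are grouped the other way.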

Next steps

Now that you have a deeper view into the features and technical aspects of Azure Active Directory B2C, get started with the service by creating a B2C tenant: