Migrate users to Azure AD B2C

Migrating from another identity provider to Azure Active Directory B2C (Azure AD B2C) might also require migrating existing user accounts. Two migration methods are discussed here: pre migration and seamless migration. With either approach, you're required to write an application or script that uses the Microsoft Graph API to create user accounts in Azure AD B2C.

Pre migration

In the pre migration flow, your migration application performs these steps for each user account:

  1. Read the user account from the old identity provider, including its current credentials (username and password).
  2. Create a corresponding account in your Azure AD B2C directory with the current credentials.

Use the pre migration flow in either of these two situations:

  • You have access to a user's plaintext credentials (their username and password).
  • The credentials are encrypted, but you can decrypt them.

In both cases the export contains recoverable passwords, so treat it as secret material: move it only over protected channels, restrict who can read it, and destroy it once the accounts exist in Azure AD B2C.

For information about programmatically creating user accounts, see Manage Azure AD B2C user accounts with Microsoft Graph.

Seamless migration

Use the seamless migration flow if plaintext passwords in the old identity provider are not accessible. For example, when:

  • The password is stored only as a one-way hash (for example, with a salted password hashing function), so it cannot be recovered.
  • The password is stored by the legacy identity provider in a way that you can't access. For example, when the identity provider validates credentials by calling a web service.

The seamless migration flow still requires pre migration of user accounts, but then uses a custom policy to query a REST API (which you create) to set each user's password at first sign-in.

The seamless migration flow thus has two phases: pre migration and set credentials.

Phase 1: Pre migration

  1. Your migration application reads the user accounts from the old identity provider.
  2. The migration application creates corresponding user accounts in your Azure AD B2C directory, but does not set the users' passwords, which it cannot read. Microsoft Graph still requires a passwordProfile when it creates a user, so each account is created with a random placeholder password that nobody knows; the user's real password is written at first sign-in.
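The following added example (not code from the page or from the GitHub sample) builds the Graph request body that creates a B2C local account for both the pre migration steps above and phase 1 of the seamless flow. The tenant name, the b2c-extensions-app ID that prefixes the custom attribute, and the attribute name requiresMigration are assumed placeholders; the custom attribute must already be defined in the tenant. It goes slightly beyond the text by also showing the identities collection carrying several legacy usernames and the passwordPolicies value that relaxes the strong password requirement, both of which the best practices below discuss.

```python
import json
import secrets
import string
import urllib.request

# Assumed values (placeholders, not from the page): the tenant's issuer name
# and the application ID of the tenant's b2c-extensions-app, without dashes,
# which prefixes every custom (extension) attribute name in Graph.
TENANT = "contoso.onmicrosoft.com"
EXTENSIONS_APP_ID = "00000000000000000000000000000000"
MIGRATION_FLAG = f"extension_{EXTENSIONS_APP_ID}_requiresMigration"
GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"


def placeholder_password(length: int = 32) -> str:
    """Random throwaway password for the seamless flow.

    Graph requires a passwordProfile when a user is created, so the account
    gets a value nobody knows; the real password is written at first sign-in.
    """
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_local_account(email, display_name, password=None,
                        extra_usernames=(), allow_weak_password=False):
    """Return the JSON body for POST /users that creates a B2C local account.

    password given   -> pre migration: the known password is set directly.
    password is None -> seamless phase 1: placeholder password plus the
                        requiresMigration flag (custom attribute assumed to
                        exist in the tenant).
    extra_usernames  -> additional identities, so one B2C account carries the
                        usernames of several legacy applications.
    """
    identities = [{"signInType": "emailAddress", "issuer": TENANT,
                   "issuerAssignedId": email}]
    for name in extra_usernames:
        identities.append({"signInType": "userName", "issuer": TENANT,
                           "issuerAssignedId": name})

    # Migrated passwords should not expire; DisableStrongPassword admits
    # weaker legacy passwords (see the Password policy section).
    policies = ["DisablePasswordExpiration"]
    if allow_weak_password:
        policies.append("DisableStrongPassword")

    body = {
        "displayName": display_name,
        "identities": identities,
        "passwordProfile": {
            "password": password if password is not None else placeholder_password(),
            "forceChangePasswordNextSignIn": False,
        },
        "passwordPolicies": ", ".join(policies),
    }
    if password is None:
        body[MIGRATION_FLAG] = True
    return body


def graph_create_user(access_token: str, body: dict) -> dict:
    """POST the body to Graph with an app token holding User.ReadWrite.All."""
    req = urllib.request.Request(
        GRAPH_USERS, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:  # network call, not made offline
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(build_local_account("alice@example.com", "Alice",
                                         extra_usernames=["alice42"]), indent=2))
```

Call build_local_account with the legacy password for pre migration, or without one for seamless phase 1; graph_create_user then needs a client-credentials token for the Graph application you registered in the tenant.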

Phase 2: Set credentials

After pre migration of the accounts is complete, your custom policy and REST API then perform the following when a user signs in:

  1. Read the Azure AD B2C user account corresponding to the email address entered.
  2. Check whether the account is flagged for migration by evaluating a boolean extension attribute.
    • If the extension attribute returns True, call your REST API to validate the password against the legacy identity provider.
      • If the REST API determines the password is incorrect, return a friendly error to the user.
      • If the REST API determines the password is correct, write the password to the Azure AD B2C account and change the boolean extension attribute to False.
    • If the boolean extension attribute returns False, continue the sign-in process as normal.
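An added example of the REST API side of phase 2 (written here, not taken from the page or the GitHub sample). The legacy identity provider is a constructed in-memory store of salted PBKDF2 hashes, which is the situation that makes seamless migration necessary; the extension attribute name uses a placeholder app ID; and the Graph write is done by the API through an injected patch_user callback that the caller implements (it has to resolve the email to the user's object ID and PATCH that user). The 409 error body shape is the one B2C's RESTful technical profile surfaces to the user.

```python
import hashlib
import hmac

# Constructed stand-in for the legacy identity provider. It stores only salted
# PBKDF2 hashes, which is exactly why phase 1 could not copy the passwords.
_SALT = b"constructed-salt-not-secret"


def _legacy_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


LEGACY_USERS = {"alice@example.com": _legacy_hash("Correct-Horse-9")}

# Assumed extension attribute name (placeholder app ID), as created in phase 1.
MIGRATION_FLAG = "extension_00000000000000000000000000000000_requiresMigration"


def legacy_validate(email: str, password: str) -> bool:
    """Verify against the legacy store with a constant-time digest compare."""
    digest = LEGACY_USERS.get(email)
    if digest is None:
        _legacy_hash(password)  # spend the same time for unknown users
        return False
    return hmac.compare_digest(digest, _legacy_hash(password))


def b2c_error(message: str, code: str = "MIGRATION_FAILED"):
    """Error body that B2C's RESTful technical profile shows to the user."""
    return 409, {"version": "1.0.0", "status": 409, "code": code,
                 "userMessage": message}


def graph_patch_after_migration(password: str) -> dict:
    """PATCH /users/{id} body: the real password goes in, the flag goes off."""
    return {
        "passwordProfile": {"password": password,
                            "forceChangePasswordNextSignIn": False},
        MIGRATION_FLAG: False,
    }


def handle_signin(email: str, password: str, patch_user):
    """Endpoint the policy calls when requiresMigration is True.

    patch_user(email, body) is the caller's Graph client, injected so the
    handler runs offline here. Returns (http_status, json_body).
    """
    if not legacy_validate(email, password):
        # Same message for unknown and wrong-password cases: no enumeration.
        return b2c_error("Your password is incorrect.")
    patch_user(email, graph_patch_after_migration(password))
    return 200, {"version": "1.0.0", "status": 200}


if __name__ == "__main__":
    log = []
    print(handle_signin("alice@example.com", "Correct-Horse-9", lambda e, b: log.append(b)))
    print(log)
```

After the 200 response the policy continues with its normal local-account sign-in, which now succeeds against the password just written; the flag being False means later sign-ins never reach this API again.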

To see an example custom policy and REST API, see the seamless user migration sample on GitHub.

Diagram: Seamless migration flow

Best practices

Security

The seamless migration approach uses your own custom REST API to validate a user's credentials against the legacy identity provider. For as long as accounts remain flagged for migration, that API is an online password-checking oracle for the legacy directory.

You must protect your REST API against brute-force attacks. An attacker can submit many passwords in the hope of eventually guessing a user's credentials. To help defeat such attacks, stop serving requests to your REST API when the number of sign-in attempts for an account passes a certain threshold. Also, secure the communication between Azure AD B2C and your REST API: expose it only over HTTPS and require the policy's RESTful technical profile to authenticate, for example with a client certificate or a secret stored as a policy key, so that nothing but your policy can drive the legacy check.

User attributes

Not all information in the legacy identity provider should be migrated to your Azure AD B2C directory. Identify the appropriate set of user attributes to store in Azure AD B2C before migrating.

  • DO store in Azure AD B2C
    • Username, password, email addresses, phone numbers, membership numbers/identifiers.
    • Consent markers for privacy policy and end-user license agreements.
  • DO NOT store in Azure AD B2C
    • Sensitive data like credit card numbers, social security numbers (SSN), medical records, or other data regulated by government or industry compliance bodies.
    • Marketing or communication preferences, user behaviors, and insights.

Directory clean-up

Before you start the migration process, take the opportunity to clean up your directory.

  • Identify the set of user attributes to be stored in Azure AD B2C, and migrate only what you need. If necessary, you can create custom attributes to store more data about a user.
  • If you're migrating from an environment with multiple authentication sources (for example, each application has its own user directory), migrate to a unified account in Azure AD B2C.
  • If multiple applications have different usernames, you can store all of them in an Azure AD B2C user account by using the identities collection. If they also have different passwords, let the user choose one and set that in the directory. For example, with seamless migration, only the password the user successfully signs in with at first sign-in is written to the Azure AD B2C account.
  • Remove unused user accounts before migration, or do not migrate stale accounts.
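The following added example (not code from the page or the sample) applies these clean-up rules to constructed records from two legacy application directories: accounts are unified by email address, every legacy username is collected so it can become an identity, only an allowlist of attributes drawn from the DO list above survives, and accounts not used within a year are left behind. The record layout, the attribute names and the reference date are assumptions.

```python
from datetime import datetime, timedelta

# Attributes worth carrying over (the page's DO list); everything else, such as
# an SSN or a marketing flag, is dropped on the floor.
KEEP = {"displayName", "phone", "memberId", "privacyConsent"}
STALE_AFTER = timedelta(days=365)
REFERENCE_DATE = datetime(2024, 1, 1)   # constructed "today" for the run

# Constructed records from two legacy application directories (not real data).
APP_A = [
    {"email": "Alice@example.com", "username": "alice", "displayName": "Alice",
     "ssn": "123-45-6789", "lastLogin": "2023-11-02"},
    {"email": "carol@example.com", "username": "carol", "displayName": "Carol",
     "lastLogin": "2021-05-01"},
]
APP_B = [
    {"email": "alice@example.com", "username": "alice.w", "phone": "+15550100",
     "marketingOptIn": True, "memberId": "M-7781", "lastLogin": "2023-12-20"},
]


def unify(*sources):
    """Merge per-application records into one account per email address.

    Usernames from every source are collected (they become identities),
    only KEEP attributes survive (first source wins on conflict), and the
    newest lastLogin is retained for the stale-account decision.
    """
    merged = {}
    for records in sources:
        for rec in records:
            key = rec["email"].strip().lower()
            acct = merged.setdefault(key, {"email": key, "usernames": set(),
                                           "attributes": {}, "lastLogin": None})
            if rec.get("username"):
                acct["usernames"].add(rec["username"])
            for name, value in rec.items():
                if name in KEEP:
                    acct["attributes"].setdefault(name, value)
            seen = datetime.strptime(rec["lastLogin"], "%Y-%m-%d")
            if acct["lastLogin"] is None or seen > acct["lastLogin"]:
                acct["lastLogin"] = seen
    return merged


def select_for_migration(merged, now):
    """Drop accounts unused for STALE_AFTER; return sorted, JSON-ready rows."""
    rows = []
    for acct in merged.values():
        if now - acct["lastLogin"] > STALE_AFTER:
            continue
        rows.append({"email": acct["email"],
                     "usernames": sorted(acct["usernames"]),
                     "attributes": acct["attributes"]})
    return sorted(rows, key=lambda r: r["email"])


if __name__ == "__main__":
    for row in select_for_migration(unify(APP_A, APP_B), REFERENCE_DATE):
        print(row)
```

Each returned row maps directly onto a Graph create-user call: the email becomes the emailAddress identity, the usernames become userName identities, and the attributes become built-in or custom attributes on the account.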

Password policy

If the accounts you're migrating have weaker password strength than the strong password strength enforced by Azure AD B2C, you can disable the strong password requirement by setting the passwordPolicies attribute on the migrated user to DisableStrongPassword. For more information, see Password policy property.

Next steps

The azure-ad-b2c/user-migration repository on GitHub contains a seamless migration custom policy example and REST API code sample:

Seamless user migration custom policy & REST API code sample