User profile attributes

Your Azure Active Directory (Azure AD) B2C directory user profile comes with a built-in set of attributes, such as given name, surname, city, postal code, and phone number. You can extend the user profile with your own application data without requiring an external data store. Most of the attributes that can be used with Azure AD B2C user profiles are also supported by Microsoft Graph. This article describes the supported Azure AD B2C user profile attributes. It also notes the attributes that are not supported by Microsoft Graph, as well as the Microsoft Graph attributes that should not be used with Azure AD B2C.

Important

You should not use built-in or extension attributes to store sensitive personal data, such as account credentials, government identification numbers, cardholder data, financial account data, healthcare information, or sensitive background information.

You can also integrate with external systems. For example, you can use Azure AD B2C for authentication, but delegate to an external customer relationship management (CRM) or customer loyalty database as the authoritative source of customer data. For more information, see the remote profile solution.

The table below lists the user resource type attributes that are supported by the Azure AD B2C directory user profile. It gives the following information about each attribute:

  • Attribute name used by Azure AD B2C (followed by the Microsoft Graph name in parentheses, if different)
  • Attribute data type
  • Attribute description
  • Whether the attribute is available in the Azure portal
  • Whether the attribute can be used in a user flow
  • Whether the attribute can be used in a custom policy Azure AD technical profile, and in which section (<InputClaims>, <OutputClaims>, or <PersistedClaims>)
Name | Type | Description | Azure portal | User flows | Custom policy
---- | ---- | ----------- | ------------ | ---------- | -------------
accountEnabled | Boolean | Whether the user account is enabled or disabled: true if the account is enabled, otherwise false. | Yes | No | Persisted, Output
ageGroup | String | The user's age group. Possible values: null, Undefined, Minor, Adult, NotAdult. | Yes | No | Persisted, Output
alternativeSecurityId (Identities) | String | A single user identity from the external identity provider. | No | No | Input, Persisted, Output
alternativeSecurityIds (Identities) | alternative securityId collection | A collection of user identities from external identity providers. | No | No | Persisted, Output
city | String | The city in which the user is located. Max length 128. | Yes | Yes | Persisted, Output
consentProvidedForMinor | String | Whether consent has been provided for a minor. Allowed values: null, granted, denied, or notRequired. | Yes | No | Persisted, Output
country | String | The country/region in which the user is located. Example: "US" or "UK". Max length 128. | Yes | Yes | Persisted, Output
createdDateTime | DateTime | The date the user object was created. Read only. | No | No | Persisted, Output
creationType | String | If the user account was created as a local account for an Azure Active Directory B2C tenant, the value is LocalAccount or nameCoexistence. Read only. | No | No | Persisted, Output
dateOfBirth | Date | Date of birth. | No | No | Persisted, Output
department | String | The name of the department in which the user works. Max length 64. | Yes | No | Persisted, Output
displayName | String | The display name for the user. Max length 256. | Yes | Yes | Persisted, Output
facsimileTelephoneNumber ¹ | String | The telephone number of the user's business fax machine. | Yes | No | Persisted, Output
givenName | String | The given name (first name) of the user. Max length 64. | Yes | Yes | Persisted, Output
jobTitle | String | The user's job title. Max length 128. | Yes | Yes | Persisted, Output
immutableId | String | An identifier that is typically used for users migrated from on-premises Active Directory. | No | No | Persisted, Output
legalAgeGroupClassification | String | Legal age group classification. Read-only and calculated from the ageGroup and consentProvidedForMinor properties. Allowed values: null, minorWithOutParentalConsent, minorWithParentalConsent, minorNoParentalConsentRequired, notAdult, and adult. | Yes | No | Persisted, Output
legalCountry ¹ | String | Country/region for legal purposes. | No | No | Persisted, Output
mail | String | The SMTP address for the user, for example "bob@contoso.com". Read-only. | No | No | Persisted, Output
mailNickName | String | The mail alias for the user. Max length 64. | No | No | Persisted, Output
mobile (mobilePhone) | String | The primary cellular telephone number for the user. Max length 64. | Yes | No | Persisted, Output
netId | String | Net ID. | No | No | Persisted, Output
objectId | String | A globally unique identifier (GUID) that is the unique identifier for the user. Example: 12345678-9abc-def0-1234-56789abcde. Read only, immutable. | Read only | Yes | Input, Persisted, Output
otherMails | String collection | A list of additional email addresses for the user. Example: ["bob@contoso.com", "Robert@fabrikam.com"]. | Yes (Alternate email) | No | Persisted, Output
password | String | The password for the local account during user creation. | No | No | Persisted
passwordPolicies | String | Password policy: a comma-separated string of policy names, for example "DisablePasswordExpiration, DisableStrongPassword". | No | No | Persisted, Output
physicalDeliveryOfficeName (officeLocation) | String | The office location in the user's place of business. Max length 128. | Yes | No | Persisted, Output
postalCode | String | The postal code for the user's postal address. The postal code is specific to the user's country/region. In the United States of America, this attribute contains the ZIP code. Max length 40. | Yes | No | Persisted, Output
preferredLanguage | String | The preferred language for the user. Should follow the ISO 639-1 code. Example: "en-US". | No | No | Persisted, Output
refreshTokensValidFromDateTime | DateTime | Any refresh tokens issued before this time are invalid, and applications get an error when using an invalid refresh token to acquire a new access token. If this happens, the application needs to acquire a new refresh token by making a request to the authorize endpoint. Read-only. | No | No | Output
signInNames (Identities) | String | The unique sign-in name of a local account user of any type in the directory. Use this to get a user by sign-in value without specifying the local account type. | No | No | Input
signInNames.userName (Identities) | String | The unique username of the local account user in the directory. Use this to create or get a user with a specific sign-in username. Specifying this alone in PersistedClaims during a Patch operation removes the other types of signInNames; to add a new type of signInNames, you also need to persist the existing signInNames. | No | No | Input, Persisted, Output
signInNames.phoneNumber (Identities) | String | The unique phone number of the local account user in the directory. Use this to create or get a user with a specific sign-in phone number. Specifying this alone in PersistedClaims during a Patch operation removes the other types of signInNames; to add a new type of signInNames, you also need to persist the existing signInNames. | No | No | Input, Persisted, Output
signInNames.emailAddress (Identities) | String | The unique email address of the local account user in the directory. Use this to create or get a user with a specific sign-in email address. Specifying this alone in PersistedClaims during a Patch operation removes the other types of signInNames; to add a new type of signInNames, you also need to persist the existing signInNames. | No | No | Input, Persisted, Output
state | String | The state or province in the user's address. Max length 128. | Yes | Yes | Persisted, Output
streetAddress | String | The street address of the user's place of business. Max length 1024. | Yes | Yes | Persisted, Output
strongAuthenticationAlternativePhoneNumber ¹ | String | The secondary telephone number of the user, used for multi-factor authentication. | Yes | No | Persisted, Output
strongAuthenticationEmailAddress ¹ | String | The SMTP address for the user. Example: "bob@contoso.com". This attribute is used by sign-in-with-username policies to store the user's email address, which is then used in the password reset flow. | Yes | No | Persisted, Output
strongAuthenticationPhoneNumber ¹ | String | The primary telephone number of the user, used for multi-factor authentication. | Yes | No | Persisted, Output
surname | String | The user's surname (family name or last name). Max length 64. | Yes | Yes | Persisted, Output
telephoneNumber (first entry of businessPhones) | String | The primary telephone number of the user's place of business. | Yes | No | Persisted, Output
userPrincipalName | String | The user principal name (UPN) of the user. The UPN is an Internet-style login name for the user based on the Internet standard RFC 822. The domain must be present in the tenant's collection of verified domains. This property is required when an account is created. Immutable. | No | No | Input, Persisted, Output
usageLocation | String | Required for users that will be assigned licenses, because of the legal requirement to check for availability of services in countries/regions. Not nullable. A two-letter country/region code (ISO standard 3166). Examples: "US", "JP", and "GB". | Yes | No | Persisted, Output
userType | String | A string value that can be used to classify user types in your directory. Value must be Member. Read-only. | Read only | No | Persisted, Output
userState (externalUserState) ² | String | For Azure AD B2B accounts only; indicates whether the invitation is PendingAcceptance or Accepted. | No | No | Persisted, Output
userStateChangedOn (externalUserStateChangeDateTime) ² | DateTime | Shows the timestamp of the latest change to the UserState property. | No | No | Persisted, Output

¹ Not supported by Microsoft Graph
² Should not be used with Azure AD B2C

Extension attributes

You'll often need to create your own attributes, as in the following cases:

  • A customer-facing application needs to persist an attribute like LoyaltyNumber.
  • An identity provider has a unique user identifier like uniqueUserGUID that must be saved.
  • A custom user journey needs to persist a state of a user, like migrationStatus.

Azure AD B2C extends the set of attributes stored on each user account. Extension attributes extend the schema of the user objects in the directory. Extension attributes can only be registered on an application object, even though they might contain data for a user. The extension attribute is attached to the application called b2c-extensions-app. Do not modify this application, as it's used by Azure AD B2C for storing user data. You can find this application under Azure Active Directory App registrations.

Note

  • Up to 100 extension attributes can be written to any user account.
  • If the b2c-extensions-app application is deleted, those extension attributes are removed from all users along with any data they contain.
  • If an extension attribute is deleted by the application, it's removed from all user accounts and the values are deleted.
  • The underlying name of the extension attribute is generated in the format "extension_" + Application ID (without hyphens) + "_" + Attribute name. For example, if you create an extension attribute LoyaltyNumber, and the b2c-extensions-app Application ID is 831374b3-bd50-41bf-aa54-263ec9e050fc, the underlying extension attribute name will be: extension_831374b3bd5041bfaa54263ec9e050fc_LoyaltyNumber. You use the underlying name when you run Graph API queries to create or update user accounts.

The following data types are supported when defining a property in a schema extension:

Property type | Remarks
------------- | -------
Boolean | Possible values: true or false.
DateTime | Must be specified in ISO 8601 format. Will be stored in UTC.
Integer | 32-bit value.
String | 256 characters maximum.
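The naming rule from the note above and the data-type table are the two things an application has to get right before it writes extension data through the Graph API. The helpers below are an added example, not Microsoft's or the b2c-extensions-app's code: they derive the underlying extension name from an application ID and attribute name, check a value against the listed types (Boolean, 32-bit Integer, String of at most 256 characters, ISO 8601 DateTime normalized to UTC), and assemble a request body keyed by the underlying names. The GUID format check on the application ID, the alphanumeric restriction on attribute names, and the refusal of DateTime values without a UTC offset are this example's own assumptions.

```python
"""Helpers for Azure AD B2C extension attributes (example code, not Microsoft's).

Derives the underlying Graph name for an extension attribute and validates
values against the schema-extension data types the documentation lists.
"""
import re
from datetime import datetime, timezone

# Assumed: an application ID is a standard hyphenated GUID.
APP_ID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")
MAX_STRING_LENGTH = 256          # "256 characters maximum"
MAX_EXTENSIONS_PER_USER = 100    # "Up to 100 extension attributes"
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def extension_attribute_name(app_id: str, attribute: str) -> str:
    """Return "extension_" + app ID without hyphens + "_" + attribute name."""
    if not APP_ID_RE.match(app_id):
        raise ValueError(f"not a GUID-formatted application ID: {app_id!r}")
    # Assumed restriction: attribute names are letters and digits only, so the
    # derived name cannot contain separators that confuse later parsing.
    if not re.fullmatch(r"[A-Za-z0-9]+", attribute):
        raise ValueError(f"attribute name must be alphanumeric: {attribute!r}")
    return f"extension_{app_id.replace('-', '')}_{attribute}"


def validate_extension_value(prop_type: str, value):
    """Check value against the supported schema-extension types.

    Returns the value in the form to send; DateTime values are normalized to
    an ISO 8601 UTC timestamp because the directory stores them in UTC.
    """
    if prop_type == "Boolean":
        if not isinstance(value, bool):
            raise TypeError("Boolean must be True or False")
        return value
    if prop_type == "Integer":
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, int):
            raise TypeError("Integer must be an int")
        if not INT32_MIN <= value <= INT32_MAX:
            raise ValueError("Integer must fit in 32 bits")
        return value
    if prop_type == "String":
        if not isinstance(value, str):
            raise TypeError("String must be a str")
        if len(value) > MAX_STRING_LENGTH:
            raise ValueError(f"String must be at most {MAX_STRING_LENGTH} characters")
        return value
    if prop_type == "DateTime":
        if not isinstance(value, str):
            raise TypeError("DateTime must be an ISO 8601 string")
        # fromisoformat() accepts the trailing "Z" only from Python 3.11 on.
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
        # Design choice (assumed): reject naive timestamps rather than silently
        # guessing a time zone, since the stored value is always UTC.
        if parsed.tzinfo is None:
            raise ValueError("DateTime must include a UTC offset or 'Z'")
        return parsed.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    raise ValueError(f"unsupported extension property type: {prop_type!r}")


def build_extension_payload(app_id: str, attributes: dict) -> dict:
    """Map {attribute name: (property type, value)} to a body keyed by the
    underlying extension names, as used when creating or patching a user
    through the Graph API. Values are validated before they are included."""
    if len(attributes) > MAX_EXTENSIONS_PER_USER:
        raise ValueError(f"at most {MAX_EXTENSIONS_PER_USER} extension attributes per user")
    return {
        extension_attribute_name(app_id, name): validate_extension_value(prop_type, value)
        for name, (prop_type, value) in attributes.items()
    }


if __name__ == "__main__":
    # Application ID taken from the documentation's own example.
    app_id = "831374b3-bd50-41bf-aa54-263ec9e050fc"
    # Constructed sample of application data (not credentials or other
    # sensitive personal data, which must not be stored in extension attributes).
    body = build_extension_payload(app_id, {
        "LoyaltyNumber": ("String", "LN-0042"),
        "migrationStatus": ("Boolean", True),
        "migratedAt": ("DateTime", "2023-05-01T10:00:00+02:00"),
    })
    for key, val in body.items():
        print(f"{key} = {val!r}")
```

Any value that fails validation raises before a request body is built, so a malformed timestamp or an oversized string is caught client-side rather than surfacing as a Graph error after the fact.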

Next steps

Learn more about extension attributes: