Self-service password reset frequently asked questions

The following are some frequently asked questions (FAQ) for all things related to self-service password reset.

If you have a general question about Azure Active Directory (Azure AD) and self-service password reset (SSPR) that's not answered here, you can ask the community for assistance on the Microsoft Q&A question page for Azure Active Directory. Members of the community include engineers, product managers, MVPs, and fellow IT professionals.

This FAQ is split into the following sections:

Password reset registration

  • Q: Can my users register their own password reset data?

    A: Yes. As long as password reset is enabled and they are licensed, users can go to the password reset registration portal (https://account.activedirectory.windowsazure.cn/PasswordReset/Register.aspx?regref=ssprsetup) to register their authentication information. Users can also register through the Access Panel (https://account.activedirectory.windowsazure.cn/r#/applications). To register through the Access Panel, they need to select their profile picture, select Profile, and then select the Register for password reset option.

  • Q: If I enable password reset for a group and then decide to enable it for everyone, are my users required to re-register?

    A: No. Users who have populated authentication data are not required to re-register.

  • Q: Can I define password reset data on behalf of my users?

    A: Yes, you can do so with Azure AD Connect, PowerShell, the Azure portal, or the Microsoft 365 admin center. For more information, see Data used by Azure AD self-service password reset.

  • Q: Can I synchronize data for security questions from on-premises?

    A: No, this is not possible today.

  • Q: Can my users register data in such a way that other users can't see this data?

    A: Yes. When users register data by using the password reset registration portal, the data is saved into private authentication fields that are visible only to global administrators and the user.

  • Q: Do my users have to be registered before they can use password reset?

    A: No. If you define enough authentication information on their behalf, users don't have to register. Password reset works as long as you have properly formatted the data stored in the appropriate fields in the directory.

  • Q: Can I synchronize or set the authentication phone, authentication email, or alternate authentication phone fields on behalf of my users?

    A: The fields that are able to be set by a Global Administrator are defined in the article SSPR Data requirements.

  • Q: How does the registration portal determine which options to show my users?

    A: The password reset registration portal shows only the options that you have enabled for your users. These options are found under the User Password Reset Policy section of your directory's Configure tab. For example, if you don't enable security questions, then users are not able to register for that option.

  • Q: When is a user considered registered?

    A: A user is considered registered for SSPR when they have registered at least the Number of methods required to reset a password that you have set in the Azure portal.

Password reset

  • Q: Do you prevent users from multiple attempts to reset a password in a short period of time?

    A: Yes, there are security features built into password reset to protect it from misuse.

    Users can try only five password reset attempts within a 24-hour period before they're locked out for 24 hours.

    Users can try to validate a phone number, send an SMS, or validate security questions and answers only five times within an hour before they're locked out for 24 hours.

    Users can send an email a maximum of 10 times within a 10-minute period before they're locked out for 24 hours.

    The counters are reset once a user resets their password.
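
The lockout thresholds in the answer above, modeled as a sliding-window throttle. This is an added example, not Microsoft's implementation: the class, function, and action names are hypothetical, and it assumes the attempt that exceeds a limit is the one that starts the 24-hour lockout.

```python
from collections import deque

HOUR = 3600
DAY = 24 * HOUR
LOCKOUT_SECONDS = DAY

# action -> (allowed events, window in seconds), from the FAQ answer above.
LIMITS = {
    "reset_attempt": (5, DAY),    # password reset attempts
    "verify": (5, HOUR),          # phone validation, SMS, security questions
    "email": (10, 10 * 60),       # verification emails
}


class ResetThrottle:
    """Per-user counters. Names are hypothetical; times are epoch seconds."""

    def __init__(self):
        self.events = {action: deque() for action in LIMITS}
        self.locked_until = 0

    def allow(self, action, now):
        if now < self.locked_until:
            return False                      # still inside a 24-hour lockout
        limit, window = LIMITS[action]
        recent = self.events[action]
        while recent and recent[0] <= now - window:
            recent.popleft()                  # drop events outside the window
        if len(recent) >= limit:
            self.locked_until = now + LOCKOUT_SECONDS
            return False                      # limit exceeded: start lockout
        recent.append(now)
        return True

    def password_reset_succeeded(self):
        for recent in self.events.values():
            recent.clear()                    # counters reset on a successful reset


def replay(events):
    """events: iterable of (epoch_seconds, action). Returns allow/deny per event."""
    throttle = ResetThrottle()
    return [throttle.allow(action, ts) for ts, action in events]


# Constructed sample: six SMS validations one minute apart, then a retry
# just before and exactly when the 24-hour lockout expires.
SAMPLE = [(m * 60, "verify") for m in range(6)]
SAMPLE += [(300 + DAY - 1, "verify"), (300 + DAY, "verify")]
```

Calling `replay(SAMPLE)` shows the sixth validation being refused and the lockout holding until a full 24 hours have passed.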

  • Q: How long should I wait to receive an email, SMS, or phone call from password reset?

    A: Emails, SMS messages, and phone calls should arrive in under a minute. The normal case is 5 to 20 seconds. If you don't receive the notification in this time frame:

    • Check your junk folder.
    • Check that the number or email being contacted is the one you expect.
    • Check that the authentication data in the directory is correctly formatted, for example, +1 4255551234 or user@contoso.com.

  • Q: What languages are supported by password reset?

    A: The password reset UI, SMS messages, and voice calls are localized in the same languages that are supported in Microsoft 365.

  • Q: What parts of the password reset experience get branded when I set the organizational branding items in my directory's configure tab?

    A: The password reset portal shows your organization's logo and allows you to configure the "Contact your administrator" link to point to a custom email or URL. Any email that's sent by password reset includes your organization's logo, colors, and name in the body of the email, and is customized from the settings for that particular name.

  • Q: How can I educate my users about where to go to reset their passwords?

    A: Try some of the suggestions in our SSPR deployment article.

  • Q: Can I use this page from a mobile device?

    A: Yes, this page works on mobile devices.

  • Q: Do you support unlocking local Active Directory accounts when users reset their passwords?

    A: Yes. If password writeback has been deployed through Azure AD Connect, a user's account is automatically unlocked when they reset their password.

  • Q: How can I integrate password reset directly into my user's desktop sign-in experience?

    A: If you're an Azure AD Premium customer, you can install Microsoft Identity Manager at no additional cost and deploy the on-premises password reset solution.

  • Q: Can I set different security questions for different locales?

    A: No, this is not possible today.

  • Q: How many questions can I configure for the security questions authentication option?

    A: You can configure up to 20 custom security questions in the Azure portal.

  • Q: How long can security questions be?

    A: Security questions can be 3 to 200 characters long.

  • Q: How long can the answers to security questions be?

    A: Answers can be 3 to 40 characters long.

  • Q: Are duplicate answers to security questions rejected?

    A: Yes, we reject duplicate answers to security questions.

  • Q: Can a user register the same security question more than once?

    A: No. After a user registers a particular question, they can't register for that question a second time.

  • Q: Is it possible to set a minimum limit of security questions for registration and reset?

    A: Yes, one limit can be set for registration and another for reset. Three to five security questions can be required for registration, and three to five questions can be required for reset.

  • Q: I configured my policy to require users to use security questions for reset, but the Azure administrators seem to be configured differently.

    A: This is the expected behavior. Microsoft enforces a strong default two-gate password reset policy for any Azure administrator role. This prevents administrators from using security questions. You can find more information about this policy in the Password policies and restrictions in Azure Active Directory article.

  • Q: If a user has registered more than the maximum number of questions required to reset, how are the security questions selected during reset?

    A: N security questions are selected at random out of the total number of questions a user has registered for, where N is the amount that is set for the Number of questions required to reset option. For example, if a user has registered five security questions, but only three are required to reset a password, three of the five questions are randomly selected and are presented at reset. To prevent question hammering, if the user gets the answers to the questions wrong, the selection process starts over.
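
The security-question rules from the answers above (answer length, duplicate rejection, three to five required, random draw of N with a fresh draw after a failed round), as an added sketch rather than the service's own code. Function names are hypothetical; it assumes answers are compared ignoring case and surrounding whitespace, and it keeps answers in plain text only to keep the model short.

```python
import secrets

ANSWER_LENGTH = range(3, 41)      # answers: 3 to 40 characters
REQUIRED_COUNT = range(3, 6)      # three to five questions for registration or reset
_rng = secrets.SystemRandom()     # OS-backed randomness for the draw


def _norm(text):
    # Assumption: answers are compared ignoring case and surrounding whitespace.
    return text.strip().casefold()


def validate_registration(pairs, required_to_register):
    """pairs: list of (question, answer). Returns a list of problems found."""
    problems = []
    if required_to_register not in REQUIRED_COUNT:
        problems.append("required count must be between 3 and 5")
    if len(pairs) < required_to_register:
        problems.append("not enough questions registered")
    seen_questions, seen_answers = set(), set()
    for question, answer in pairs:
        if question in seen_questions:
            problems.append(f"question registered twice: {question}")
        if len(answer) not in ANSWER_LENGTH:
            problems.append(f"answer length out of range: {question}")
        if _norm(answer) in seen_answers:
            problems.append(f"duplicate answer: {question}")
        seen_questions.add(question)
        seen_answers.add(_norm(answer))
    return problems


def select_questions(registered, required_to_reset):
    """Draw N distinct questions at random from everything the user registered."""
    if required_to_reset not in REQUIRED_COUNT or len(registered) < required_to_reset:
        raise ValueError("cannot draw that many questions")
    return _rng.sample(sorted(registered), required_to_reset)


def run_challenge(registered, required_to_reset, respond, max_rounds=5):
    """registered: {question: answer}; respond(question) returns the caller's answer.
    Returns the round that passed, or None. A failed round discards the
    drawn set and draws again, so wrong guesses never refine a fixed set."""
    for round_no in range(1, max_rounds + 1):
        drawn = select_questions(registered, required_to_reset)
        answers = [respond(q) for q in drawn]   # ask every question before judging
        if all(_norm(a) == _norm(registered[q]) for q, a in zip(drawn, answers)):
            return round_no
    return None
```

With five registered questions and three required, a caller who knows only two answers can never pass a round, because every draw of three contains at least one question they cannot answer.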

  • Q: How long are the email and SMS one-time passcodes valid?

    A: The session lifetime for password reset is 15 minutes. From the start of the password reset operation, the user has 15 minutes to reset their password. The email and SMS one-time passcode are valid for 5 minutes during the password reset session.

  • Q: Can I block users from resetting their password?

    A: Yes, if you use a group to enable SSPR, you can remove an individual user from the group that allows users to reset their password. If the user is a Global Administrator, they will retain the ability to reset their password and this cannot be disabled.

Password change

  • Q: Where should my users go to change their passwords?

    A: Users can change their passwords anywhere they see their profile picture or icon, like in the upper-right corner of their Access Panel experiences. Users can change their passwords from the Access Panel Profile page. Users can also be asked to change their passwords automatically at the Azure AD sign-in page if their passwords have expired. Finally, users can browse to the Azure AD password change portal directly if they want to change their passwords.

  • Q: Can my users be notified in the Office portal when their on-premises password expires?

    A: Yes, this is possible today if you use Active Directory Federation Services (AD FS). If you use AD FS, follow the instructions in the Sending password policy claims with AD FS article. If you use password hash synchronization, this is not possible today. We don't sync password policies from on-premises directories, so it's not possible for us to post expiration notifications to cloud experiences. In either case, it's also possible to notify users whose passwords are about to expire through PowerShell.

  • Q: Can I block users from changing their password?

    A: For cloud-only users, password changes can't be blocked. For on-premises users, you can set the User cannot change password option to selected. The selected users can't change their password.

Password management reports

  • Q: How long does it take for data to show up on the password management reports?

    A: Data should appear on the password management reports in 5 to 10 minutes. In some instances, it might take up to an hour to appear.

  • Q: How can I filter the password management reports?

    A: To filter the password management reports, select the small magnifying glass to the extreme right of the column labels, near the top of the report. If you want to do richer filtering, you can download the report to Excel and create a pivot table.

  • Q: What is the maximum number of events that are stored in the password management reports?

    A: Up to 75,000 password reset or password reset registration events are stored in the password management reports, spanning back as far as 30 days. We are working to expand this number to include more events.

  • Q: How far back do the password management reports go?

    A: The password management reports show operations that occurred within the last 30 days. For now, if you need to archive this data, you can download the reports periodically and save them in a separate location.

  • Q: Is there a maximum number of rows that can appear on the password management reports?

    A: Yes. A maximum of 75,000 rows can appear on either of the password management reports, whether they are shown in the UI or are downloaded.

  • Q: Is there an API to access the password reset or registration reporting data?

    A: Yes. To learn how you can access the password reset reporting data, see the Azure Log Analytics REST API Reference.

Password writeback

  • Q: How does password writeback work behind the scenes?

    A: See the article How password writeback works for an explanation of what happens when you enable password writeback and how data flows through the system back into your on-premises environment.

  • Q: How long does password writeback take to work? Is there a synchronization delay like there is with password hash sync?

    A: Password writeback is instant. It is a synchronous pipeline that works fundamentally differently than password hash synchronization. Password writeback allows users to get real-time feedback about the success of their password reset or change operation. The average time for a successful writeback of a password is under 500 ms.

  • Q: If my on-premises account is disabled, how is my cloud account and access affected?

    A: If your on-premises ID is disabled, your cloud ID and access will also be disabled at the next sync interval through Azure AD Connect. By default, this sync is every 30 minutes.

  • Q: If my on-premises account is constrained by an on-premises Active Directory password policy, does SSPR obey this policy when I change my password?

    A: Yes, SSPR relies on and abides by the on-premises Active Directory password policy. This policy includes the typical Active Directory domain password policy, as well as any defined, fine-grained password policies that are targeted to a user.

  • Q: What types of accounts does password writeback work for?

    A: Password writeback works for user accounts that are synchronized from on-premises Active Directory to Azure AD, including federated and password hash synchronized users.

  • Q: Does password writeback enforce my domain's password policies?

    A: Yes. Password writeback enforces password age, history, complexity, filters, and any other restriction you might put in place on passwords in your local domain.

  • Q: Is password writeback secure? How can I be sure I won't get hacked?

    A: Yes, password writeback is secure. To read more about the multiple layers of security implemented by the password writeback service, check out the Password writeback security section in the Password writeback overview article.

Next steps