Customize the Azure AD functionality for self-service password reset

IT professionals who want to deploy self-service password reset (SSPR) in Azure Active Directory (Azure AD) can customize the experience to match their users' needs.

Self-service password reset users have a "Contact your administrator" link available to them in the password reset portal. If a user selects this link, it does one of two things:

  • If left in the default state:
    • Email is sent to your administrators asking them to help change the user's password. See the sample email below.
  • If customized:
    • Sends your user to a webpage or email address specified by the administrator for assistance.

Tip

If you customize this, we recommend setting it to something users are already familiar with for support.

Warning

If you customize this setting with an email address and account that itself needs a password reset, the user may be unable to ask for assistance.

Sample email

(Figure: sample "request to reset" email sent to an administrator)

The contact email is sent to the following recipients in the following order:

  1. If the Password Administrator role is assigned, administrators with this role are notified.
  2. If no Password Administrators are assigned, then administrators with the User Administrator role are notified.
  3. If neither of the previous roles is assigned, then the Global Administrators are notified.

In all cases, a maximum of 100 recipients are notified.

To find out more about the different administrator roles and how to assign them, see Assigning administrator roles in Azure Active Directory.
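The fallback order above is easy to get wrong when reasoning about who will actually see a "Contact your administrator" request (for example, assigning one Password Administrator silences every User and Global Administrator). The following Python function is an added example, not code from the Azure AD documentation or from Microsoft; it models the documented order and the 100-recipient cap over a constructed role-to-members mapping so an admin can predict the recipients from a role-assignment export. The role names are the ones the page uses; the mapping format is an assumption.

```python
# Added example: predict who receives the "Contact your administrator" email.
# Assumption: role_members maps a role display name to the UPNs of its members,
# e.g. as exported from a directory-role listing. Only the first populated role
# in the documented order is used; roles are never merged.
from typing import Dict, List, Optional, Tuple

# Order as documented on the page: Password Admin, then User Admin, then Global Admin.
ROLE_ORDER = ["Password Administrator", "User Administrator", "Global Administrator"]
MAX_RECIPIENTS = 100  # documented cap on notified recipients


def select_contact_recipients(
    role_members: Dict[str, List[str]],
) -> Tuple[Optional[str], List[str]]:
    """Return (role_that_fires, recipients) for the contact-admin email.

    role_that_fires is None (and recipients empty) when none of the three
    roles has any member, which means the request goes nowhere.
    """
    for role in ROLE_ORDER:
        seen: List[str] = []
        for member in role_members.get(role, []):
            upn = member.strip().lower()
            if upn and upn not in seen:  # de-duplicate, keep first-seen order
                seen.append(upn)
        if seen:
            return role, seen[:MAX_RECIPIENTS]
    return None, []


if __name__ == "__main__":
    # Constructed sample: one Password Administrator masks the Global Administrators.
    sample = {
        "Password Administrator": ["pwadmin@contoso.com"],
        "Global Administrator": ["ga1@contoso.com", "ga2@contoso.com"],
    }
    role, recipients = select_contact_recipients(sample)
    print(f"{role} -> {recipients}")
```

A practical use is to run this against the tenant's current role assignments before changing them: if the result is `(None, [])`, or if the firing role is a single account that may be unattended, users who click the link will get no help.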

Disable "Contact your administrator" emails

If your organization does not want to notify administrators about password reset requests, you can enable the following configuration:

  • Enable self-service password reset for all end users. This option is under Password Reset > Properties. If you don't want users to reset their own passwords, you can scope access to an empty group. We don't recommend this option.
  • Customize the helpdesk link to provide a web URL or mailto: address that users can use to get assistance. This option is under Password Reset > Customization > Custom helpdesk email or URL.
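The warning earlier on the page (a helpdesk mailbox whose own account needs a reset leaves users with no way to ask for help) is the kind of misconfiguration that is cheap to check before saving the setting. The function below is an added example, not code from the Azure AD documentation or from Microsoft: it accepts the two documented forms (a web URL or a mailto: address) and rejects a mailto: target that is itself one of the SSPR-scoped user accounts. The list of SSPR-scoped accounts is a constructed input and an assumption about how you would feed it in.

```python
# Added example: validate a proposed "Custom helpdesk email or URL" value.
# Assumption: sspr_scoped_users holds the sign-in names of accounts that can
# reset through SSPR (in practice, the members of the SSPR-enabled group).
from typing import Iterable, List
from urllib.parse import urlparse


def validate_helpdesk_link(value: str, sspr_scoped_users: Iterable[str]) -> List[str]:
    """Return a list of problems; an empty list means the value is acceptable."""
    problems: List[str] = []
    value = value.strip()
    if not value:
        return ["helpdesk link is empty"]

    parsed = urlparse(value)
    scoped = {u.strip().lower() for u in sspr_scoped_users}

    if parsed.scheme == "mailto":
        # urlparse leaves the address in .path for mailto: URLs
        address = parsed.path.lower()
        if "@" not in address:
            problems.append("mailto: address is malformed")
        elif address in scoped:
            # The documented failure mode: the helpdesk account may be the one locked out.
            problems.append(
                f"{address} is itself an SSPR user; if that account needs a reset, "
                "nobody can answer the request"
            )
    elif parsed.scheme in ("http", "https"):
        if not parsed.netloc:
            problems.append("web URL has no host")
    else:
        problems.append("value must be a web URL or a mailto: address")
    return problems


if __name__ == "__main__":
    # Constructed sample: alice is an ordinary SSPR user, so pointing the
    # helpdesk link at her mailbox recreates the documented problem.
    scoped_users = ["alice@contoso.com", "bob@contoso.com"]
    for candidate in ("mailto:alice@contoso.com", "mailto:helpdesk@contoso.com",
                      "https://support.contoso.com/password", "contoso.com/help"):
        print(candidate, "->", validate_helpdesk_link(candidate, scoped_users) or "ok")
```

Use a shared or service mailbox that is not itself in the SSPR-scoped group as the mailto: target, or a web page the support desk already maintains, as the Tip on this page recommends.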

Customize the AD FS sign-in page for SSPR

Active Directory Federation Services (AD FS) administrators can add a link to their sign-in page by using the guidance found in the Add sign-in page description article.

To add a link to the AD FS sign-in page, use the following command on your AD FS server. Users can use this page to enter the SSPR workflow.

Set-ADFSGlobalWebContent -SigninPageDescriptionText "<p><A href='https://passwordreset.activedirectory.windowsazure.cn' target='_blank'>Can’t access your account?</A></p>"

Customize the sign-in page and access panel look and feel

You can customize the sign-in page. You can add a logo that appears along with the image that fits your company branding.

The graphics you choose are shown in the following circumstances:

  • After a user enters their username
  • If the user accesses the customized URL:
    • By passing the whr parameter to the password reset page, like https://login.partner.microsoftonline.cn/?whr=contoso.com
    • By passing the username parameter to the password reset page, like https://login.partner.microsoftonline.cn/?username=admin@contoso.com

Directory name

You can change the directory name attribute under Azure Active Directory > Properties. You can show a friendly organization name that is seen in the portal and in the automated communications. This option is most visible in automated emails, in the following forms:

  • The friendly name in the email, for example "Microsoft on behalf of CONTOSO demo"
  • The subject line in the email, for example "CONTOSO demo account email verification code"

Next steps