How it works: Azure AD self-service password reset

Azure Active Directory (Azure AD) self-service password reset (SSPR) lets users change or reset their password with no administrator or help desk involvement. If a user's account is locked or they forget their password, they can follow prompts to unblock themselves and get back to work. This reduces help desk calls and lost productivity when a user can't sign in to their device or an application.

Important

This conceptual article explains to an administrator how self-service password reset works. If you're an end user already registered for self-service password reset and need to get back into your account, go to https://passwordreset.activedirectory.windowsazure.cn.

If your IT team hasn't enabled the ability to reset your own password, reach out to your help desk for additional assistance.

How does the password reset process work?

A user can reset or change their password using the SSPR portal. They must first have registered their desired authentication methods. When a user accesses the SSPR portal, the Azure platform considers the following factors:

  • How should the page be localized?
  • Is the user account valid?
  • What organization does the user belong to?
  • Where is the user's password managed?
  • Is the user licensed to use the feature?

When a user selects the Can't access your account link from an application or page, or goes directly to https://passwordreset.activedirectory.windowsazure.cn, the language used in the SSPR portal is based on the following options:

  • By default, the browser locale is used to display SSPR in the appropriate language. The password reset experience is localized into the same languages that Microsoft 365 supports.
  • If you want to link to SSPR in a specific localized language, append ?mkt= to the end of the password reset URL along with the required locale.

After the SSPR portal is displayed in the required language, the user is prompted to enter a user ID and pass a captcha. Azure AD then verifies that the user is able to use SSPR by doing the following checks:

  • Checks that the user has SSPR enabled and is assigned an Azure AD license.
    • If the user isn't enabled for SSPR or doesn't have a license assigned, the user is asked to contact their administrator to reset their password.
  • Checks that the user has the right authentication methods defined on their account in accordance with administrator policy.
    • If the policy requires only one method, checks that the user has the appropriate data defined for at least one of the authentication methods enabled by the administrator policy.
      • If the authentication methods aren't configured, the user is advised to contact their administrator to reset their password.
    • If the policy requires two methods, checks that the user has the appropriate data defined for at least two of the authentication methods enabled by the administrator policy.
      • If the authentication methods aren't configured, the user is advised to contact their administrator to reset their password.
    • If an Azure administrator role is assigned to the user, the strong two-gate password policy is enforced. For more information, see Administrator reset policy differences.
  • Checks whether the user's password is managed on-premises, for example when the Azure AD tenant uses federation or password hash synchronization:
    • If SSPR writeback is configured and the user's password is managed on-premises, the user is allowed to proceed to authenticate and reset their password.
    • If SSPR writeback isn't deployed and the user's password is managed on-premises, the user is asked to contact their administrator to reset their password.

If all of the previous checks are successfully completed, the user is guided through the process to reset or change their password.
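The gate sequence above, modeled as an added Python example. This is not Microsoft's code and not the portal's real implementation; the field names, the method names, the sample policy and the sample users are assumptions. The administrator strong two-gate policy is modeled only as "two methods required"; the linked Administrator reset policy differences article has the full rules.

```python
"""Offline model of the checks the SSPR portal runs before a reset.

Added example, not Microsoft code. The field names, the method names
and the sample policy/users below are assumptions.
"""
from dataclasses import dataclass

# The SSPR methods. The Authenticator app is one method here (notification
# or code), because the page counts it as one method, not two.
SSPR_METHODS = frozenset({
    "authenticator_app", "email", "mobile_phone",
    "office_phone", "security_questions",
})

# The administrator "strong two-gate" policy is modeled only as
# "two methods required"; the linked article has the full differences.
ADMIN_METHODS_REQUIRED = 2


@dataclass(frozen=True)
class SsprPolicy:
    enabled_methods: frozenset   # methods the admin turned on
    methods_required: int        # 1 or 2
    writeback_enabled: bool      # Azure AD Connect password writeback


@dataclass(frozen=True)
class User:
    upn: str
    sspr_enabled: bool
    licensed: bool
    registered_methods: frozenset
    is_admin: bool = False
    password_managed_on_prem: bool = False  # federated / hash-synced account


def sspr_decision(user, policy):
    """Return (allowed, reason), evaluating the gates in the page's order."""
    unknown = (policy.enabled_methods | user.registered_methods) - SSPR_METHODS
    if unknown:
        raise ValueError(f"unknown method(s): {sorted(unknown)}")

    # 1. Enabled for SSPR and licensed?
    if not (user.sspr_enabled and user.licensed):
        return False, "contact admin: not enabled for SSPR or no license assigned"

    # 2. Enough registered methods that the admin policy actually allows?
    #    A method the user registered but the admin disabled does not count.
    required = ADMIN_METHODS_REQUIRED if user.is_admin else policy.methods_required
    usable = user.registered_methods & policy.enabled_methods
    if len(usable) < required:
        return False, (f"contact admin: {len(usable)} usable method(s) registered, "
                       f"{required} required")

    # 3. Password managed on-premises without writeback deployed?
    if user.password_managed_on_prem and not policy.writeback_enabled:
        return False, "contact admin: password managed on-premises, writeback not deployed"

    return True, f"proceed: verify {required} of {sorted(usable)}"


# Constructed sample tenant policy and users (not real data).
POLICY = SsprPolicy(
    enabled_methods=frozenset({"email", "mobile_phone", "security_questions"}),
    methods_required=1,
    writeback_enabled=False,
)
USERS = {
    "alice": User("alice@contoso.example", True, True, frozenset({"email"})),
    "bob":   User("bob@contoso.example", True, False, frozenset({"email", "mobile_phone"})),
    "carol": User("carol@contoso.example", True, True, frozenset({"email"}), is_admin=True),
    "dave":  User("dave@contoso.example", True, True, frozenset({"email", "mobile_phone"}),
                  password_managed_on_prem=True),
    "erin":  User("erin@contoso.example", True, True, frozenset({"authenticator_app"})),
}

if __name__ == "__main__":
    for name, u in USERS.items():
        allowed, why = sspr_decision(u, POLICY)
        print(f"{name:6} {'ALLOW' if allowed else 'DENY':5} {why}")
```

Running the block shows each failure mode from the list: bob is unlicensed, carol holds an admin role and so needs two methods, dave's password lives on-premises with writeback off, and erin registered only a method the administrator hasn't enabled.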

Note

SSPR may send email notifications to users as part of the password reset process. These emails are sent using the SMTP relay service, which operates in an active-active mode across several regions.

The SMTP relay service receives and processes the email body but doesn't store it. The body of the SSPR email, which may contain customer-provided information, isn't stored in the SMTP relay service logs. The logs contain only protocol metadata.

To get started with SSPR, complete the following tutorial:

Registration options

Before users can reset or change their password using SSPR, they must register themselves and the authentication methods to use. As mentioned in the previous section, a user must be registered for SSPR and have an appropriate license applied.

Require users to register when they sign in

You can enable the option to require a user to complete SSPR registration when they sign in to any application using Azure AD. This workflow includes the following applications:

  • Microsoft 365
  • Azure portal
  • Access Panel
  • Federated applications
  • Custom applications using Azure AD

When you don't require registration, users aren't prompted during sign-in, but they can register manually. Users can either visit https://account.activedirectory.windowsazure.cn/PasswordReset/Register.aspx?regref=ssprsetup or select the Register for password reset link under the Profile tab in the Access Panel.

Registration options for SSPR in the Azure portal

Note

Users can dismiss the SSPR registration portal by selecting cancel or by closing the window. However, they're prompted to register each time they sign in until they complete their registration.

This interrupt to register for SSPR doesn't break the user's connection if they're already signed in.

Set the number of days before users are asked to reconfirm their authentication information

To make sure that authentication methods are correct when they're needed to reset or change a password, you can require users to confirm their registered information after a certain period of time. This option is only available if you enable the Require users to register when signing in option.

Valid values for prompting a user to confirm their registered methods range from 0 to 730 days. Setting this value to 0 means that users are never asked to confirm their authentication information.

Authentication methods

When a user is enabled for SSPR, they must register at least one authentication method. We highly recommend that you choose two or more authentication methods so that your users have more flexibility in case they're unable to access one method when they need it.

The following authentication methods are available for SSPR:

  • Mobile app notification
  • Mobile app code
  • Email
  • Mobile phone
  • Office phone
  • Security questions

Users can only reset their password if they have registered an authentication method that the administrator has enabled.

Warning

Accounts assigned Azure administrator roles are required to use the methods defined in the section Administrator reset policy differences.

Authentication methods selection in the Azure portal

Number of authentication methods required

You can configure the number of the available authentication methods a user must provide to reset or unlock their password. This value can be set to either one or two.

Users can, and should, register multiple authentication methods. Again, it's highly recommended that users register two or more authentication methods so they have more flexibility in case they're unable to access one method when they need it.

If a user doesn't have the minimum number of required methods registered when they try to use SSPR, they see an error page that directs them to request that an administrator reset their password. Take care when increasing the number of required methods from one to two if you have existing users registered for SSPR: users who registered only one method are then unable to use the feature. For more information, see the following section, Change authentication methods.

Mobile app and SSPR

When using a mobile app as a method for password reset, like the Microsoft Authenticator app, the following considerations apply:

  • When administrators require one method to reset a password, verification code is the only option available.
  • When administrators require two methods to reset a password, users can use notification or verification code in addition to any other enabled methods.

  Number of methods required to reset    One     Two
  Mobile app features available          Code    Code or Notification

Users don't have the option to register their mobile app when registering for self-service password reset at https://account.activedirectory.windowsazure.cn/PasswordReset/Register.aspx?regref=ssprsetup. Users can register their mobile app at https://account.activedirectory.windowsazure.cn/proofup.aspx?culture=en-US.

Important

The Authenticator app can't be selected as the only authentication method when only one method is required. Similarly, the Authenticator app plus only one additional method can't be selected when two methods are required.

When configuring SSPR policies that include the Authenticator app as a method, select at least one additional method when one method is required, and at least two additional methods when two methods are required.

This requirement exists because the current SSPR registration experience doesn't include the option to register the Authenticator app.

Policies that allow only the Authenticator app (when one method is required), or the Authenticator app and only one additional method (when two methods are required), could leave users blocked from registering for SSPR until they're configured to use the new combined registration experience.

Change authentication methods

If you start with a policy that requires only one registered authentication method for reset or unlock and you change that to two methods, what happens?

  Number of methods registered   Number of methods required   Result
  1 or more                      1                            Able to reset or unlock
  1                              2                            Unable to reset or unlock
  2 or more                      2                            Able to reset or unlock

Changing the available authentication methods may also cause problems for users. If you change the types of authentication methods that a user can use, you might inadvertently stop users from being able to use SSPR if they don't have the minimum amount of data available.

Consider the following example scenario:

  1. The original policy is configured with two authentication methods required. It uses only the office phone number and the security questions.
  2. The administrator changes the policy to no longer use the security questions, but allows the use of a mobile phone and an alternate email.
  3. Users without the mobile phone or alternate email fields populated now can't reset their passwords.
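The caution about raising the required count (in Number of authentication methods required), the Authenticator app constraint in the Important note above, and this scenario can all be checked before a policy change is saved. The following Python is an added example, not part of this article or of any Microsoft tool; the policy fields, the method names and the user registrations are constructed assumptions, and the registration data would in practice come from your own reporting.

```python
"""Pre-flight check for an SSPR authentication-method policy change.

Added example, not Microsoft code. Method names, policy fields and the
registrations below are assumptions.
"""
from dataclasses import dataclass

AUTHENTICATOR = "authenticator_app"  # one method, whether code or notification


@dataclass(frozen=True)
class MethodPolicy:
    enabled: frozenset   # methods turned on in the portal
    required: int        # 1 or 2


def validate_policy(policy):
    """Problems that would block registration, per the Important note above."""
    problems = []
    if policy.required not in (1, 2):
        problems.append(f"methods required must be 1 or 2, not {policy.required}")
        return problems
    others = policy.enabled - {AUTHENTICATOR}
    if AUTHENTICATOR in policy.enabled and len(others) < policy.required:
        # The SSPR registration page can't register the app, so users need
        # enough non-app methods to satisfy the policy on their own.
        problems.append(
            f"Authenticator app needs at least {policy.required} other enabled "
            f"method(s); only {len(others)} enabled")
    elif len(policy.enabled) < policy.required:
        problems.append("fewer methods enabled than required")
    return problems


def can_reset(registered, policy):
    """A user can reset only with registered methods the admin has enabled."""
    return len(registered & policy.enabled) >= policy.required


def change_impact(users, old, new):
    """Users who can reset under `old` but would be blocked under `new`."""
    return sorted(upn for upn, regs in users.items()
                  if can_reset(regs, old) and not can_reset(regs, new))


# Constructed registrations (not real data).
USERS = {
    "alice@contoso.example": frozenset({"office_phone", "security_questions"}),
    "bob@contoso.example":   frozenset({"office_phone", "mobile_phone"}),
    "carol@contoso.example": frozenset({"office_phone", "security_questions", "email"}),
    "dave@contoso.example":  frozenset({"security_questions"}),
}

# The scenario from this section: drop security questions, add mobile phone and email.
OLD = MethodPolicy(frozenset({"office_phone", "security_questions"}), required=2)
NEW = MethodPolicy(frozenset({"office_phone", "mobile_phone", "email"}), required=2)

# The table above: raising the required count from one to two.
ONE = MethodPolicy(frozenset({"email", "mobile_phone"}), required=1)
TWO = MethodPolicy(frozenset({"email", "mobile_phone"}), required=2)

if __name__ == "__main__":
    print("policy problems:", validate_policy(NEW) or "none")
    print("blocked by the scenario change:", change_impact(USERS, OLD, NEW))
    print("blocked by raising required to two:", change_impact(USERS, ONE, TWO))
```

Only alice is newly blocked by the scenario change: bob could not reset under the old policy either, and carol registered an alternate email that the new policy accepts. Raising the required count from one to two blocks everyone who registered a single enabled method, which is the case the table warns about.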

Notifications

To improve awareness of password events, SSPR lets you configure notifications for both users and identity administrators.

Notify users on password resets

If this option is set to Yes, users resetting their password receive an email notifying them that their password has been changed. The email is sent via the SSPR portal to their primary and alternate email addresses that are stored in Azure AD. No one else is notified of the reset event.

Notify all admins when other admins reset their passwords

If this option is set to Yes, then all other Azure administrators receive an email at their primary email address stored in Azure AD. The email notifies them that another administrator has changed their password by using SSPR.

Consider the following example scenario:

  • There are four administrators in an environment.
  • Administrator A resets their password by using SSPR.
  • Administrators B, C, and D receive an email alerting them of the password reset.

On-premises integration

If you have a hybrid environment, you can configure Azure AD Connect to write password change events back from Azure AD to an on-premises directory.

Validating password writeback is enabled and working

Azure AD checks your current hybrid connectivity and provides one of the following messages in the Azure portal:

  • Your on-premises writeback client is up and running.
  • Azure AD is online and is connected to your on-premises writeback client. However, it looks like the installed version of Azure AD Connect is out-of-date. Consider upgrading Azure AD Connect to ensure that you have the latest connectivity features and important bug fixes.
  • Unfortunately, we can't check your on-premises writeback client status because the installed version of Azure AD Connect is out-of-date. Upgrade Azure AD Connect to be able to check your connection status.
  • Unfortunately, it looks like we can't connect to your on-premises writeback client right now. Troubleshoot Azure AD Connect to restore the connection.
  • Unfortunately, we can't connect to your on-premises writeback client because password writeback has not been properly configured. Configure password writeback to restore the connection.
  • Unfortunately, it looks like we can't connect to your on-premises writeback client right now. This may be due to temporary issues on our end. If the problem persists, troubleshoot Azure AD Connect to restore the connection.

To get started with SSPR writeback, complete the following tutorial:

Write back passwords to your on-premises directory

You can enable password writeback using the Azure portal. You can also temporarily disable password writeback without having to reconfigure Azure AD Connect.

  • If the option is set to Yes, then writeback is enabled. Federated or password hash synchronized users are able to reset their passwords.
  • If the option is set to No, then writeback is disabled. Federated or password hash synchronized users aren't able to reset their passwords.

Allow users to unlock accounts without resetting their password

By default, Azure AD unlocks accounts when it performs a password reset. To provide flexibility, you can choose to allow users to unlock their on-premises accounts without having to reset their password. Use this setting to separate those two operations.

  • If set to Yes, users are given the option to reset their password and unlock the account, or to unlock their account without having to reset the password.
  • If set to No, users are only able to perform a combined password reset and account unlock operation.

On-premises Active Directory password filters

SSPR performs the equivalent of an admin-initiated password reset in Active Directory. If you use a third-party password filter to enforce custom password rules, and you require that this password filter is checked during Azure AD self-service password reset, ensure that the third-party password filter solution is configured to apply in the admin password reset scenario.

Password reset for B2B users

Password reset and change are fully supported on all business-to-business (B2B) configurations. B2B user password reset is supported in the following three cases:

  • Users from a partner organization with an existing Azure AD tenant: If the organization you partner with has an existing Azure AD tenant, we respect whatever password reset policies are enabled on that tenant. For password reset to work, the partner organization just needs to make sure that Azure AD SSPR is enabled. There is no additional charge for Microsoft 365 customers.
  • Users who sign up through self-service sign-up: If the organization you partner with used the self-service sign-up feature to get into a tenant, we let them reset the password with the email they registered.
  • B2B users: Any new B2B users created by using the new Azure AD B2B capabilities can also reset their passwords with the email they registered during the invite process.

To test this scenario, go to https://passwordreset.activedirectory.windowsazure.cn with one of these partner users. If they have an alternate email or authentication email defined, password reset works as expected.

Note

Microsoft accounts that have been granted guest access to your Azure AD tenant, such as those from Hotmail.com, Outlook.com, or other personal email addresses, aren't able to use Azure AD SSPR. They need to reset their password by using the information found in the When you can't sign in to your Microsoft account article.

Next steps

To get started with SSPR, complete the following tutorial:

The following articles provide additional information regarding password reset through Azure AD: