Password policies and account restrictions in Azure Active Directory

In Azure Active Directory (Azure AD), there's a password policy that defines settings like the password complexity, length, or age. There's also a policy that defines acceptable characters and length for usernames.

When self-service password reset (SSPR) is used to change or reset a password in Azure AD, the password policy is checked. If the password doesn't meet the policy requirements, the user is prompted to try again. Azure administrators have some restrictions on using SSPR that are different from those for regular user accounts.

This article describes the password policy settings and complexity requirements associated with user accounts in your Azure AD tenant, and how you can use PowerShell to check or set password expiration settings.

Username policies

Every account that signs in to Azure AD must have a unique user principal name (UPN) attribute value associated with it. In hybrid environments with an on-premises Active Directory Domain Services (AD DS) environment synchronized to Azure AD using Azure AD Connect, the Azure AD UPN is set to the on-premises UPN by default.

The following table outlines the username policies that apply both to on-premises AD DS accounts that are synchronized to Azure AD and to cloud-only user accounts created directly in Azure AD:

Property / UserPrincipalName requirements
Characters allowed
  • A - Z
  • a - z
  • 0 - 9
  • ' . - _ ! # ^ ~
Characters not allowed
  • Any "@" character that's not separating the username from the domain.
  • A period character "." immediately preceding the "@" symbol.
Length constraints
  • The total length must not exceed 113 characters.
  • There can be up to 64 characters before the "@" symbol.
  • There can be up to 48 characters after the "@" symbol.
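The following function checks a candidate UPN against the rules in the table above before an account is created. It is an added example, not code from the Microsoft Docs page; the function name and the sample values are the editor's own.

```powershell
# Added example (not from the Microsoft Docs page): checks a UPN against the
# username rules in the table above. The function name is the editor's choice.
function Test-AzureADUserPrincipalName {
    param([Parameter(Mandatory)][string]$Upn)

    $problems = [System.Collections.Generic.List[string]]::new()

    # Exactly one "@" is allowed, and it must separate the user part from the domain.
    $parts = $Upn.Split('@')
    if ($parts.Count -ne 2 -or $parts[0] -eq '' -or $parts[1] -eq '') {
        return [pscustomobject]@{ Upn = $Upn; IsValid = $false; Problems = 'needs exactly one "@" separating username and domain' }
    }
    $prefix, $domain = $parts

    # Allowed characters: A-Z, a-z, 0-9 and ' . - _ ! # ^ ~ (plus the separating "@").
    if ($Upn -notmatch '^[A-Za-z0-9''.\-_!#^~@]+$') {
        $problems.Add('contains a character outside the allowed set')
    }
    # A period immediately before the "@" is not allowed.
    if ($prefix.EndsWith('.')) { $problems.Add('period "." immediately before "@"') }

    # Length limits: 113 characters total, 64 before "@", 48 after "@".
    if ($Upn.Length -gt 113)   { $problems.Add("total length $($Upn.Length) exceeds 113") }
    if ($prefix.Length -gt 64) { $problems.Add("prefix length $($prefix.Length) exceeds 64") }
    if ($domain.Length -gt 48) { $problems.Add("domain length $($domain.Length) exceeds 48") }

    [pscustomobject]@{ Upn = $Upn; IsValid = ($problems.Count -eq 0); Problems = ($problems -join '; ') }
}

# Constructed sample values, one per rule; only the first one is valid.
@(
    'driley@contoso.partner.onmschina.cn',
    'd.riley.@contoso.partner.onmschina.cn',
    'd riley@contoso.partner.onmschina.cn',
    'a@b@contoso.partner.onmschina.cn',
    (('x' * 70) + '@contoso.partner.onmschina.cn')
) | ForEach-Object { Test-AzureADUserPrincipalName -Upn $_ } | Format-Table -AutoSize
```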

Azure AD password policies

A password policy is applied to all user accounts that are created and managed directly in Azure AD.

By default, an account is locked out after 10 unsuccessful sign-in attempts with the wrong password. The user is locked out for one minute. Further incorrect sign-in attempts lock out the user for increasing durations of time. Smart lockout tracks the last three bad password hashes to avoid incrementing the lockout counter for the same password: if someone enters the same bad password multiple times, this behavior doesn't cause the account to lock out. You can define the smart lockout threshold and duration.

The Azure AD password policy doesn't apply to user accounts synchronized from an on-premises AD DS environment using Azure AD Connect, unless you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers.

The following Azure AD password policy options are defined. Unless noted, you can't change these settings:

Property / Requirements
Characters allowed
  • A - Z
  • a - z
  • 0 - 9
  • @ # $ % ^ & * - _ ! + = [ ] { } | \ : ' , . ? / ` ~ " ( ) ;
  • blank space
Characters not allowed
  • Unicode characters.
Password restrictions
  • A minimum of 8 characters and a maximum of 256 characters.
  • Requires three out of four of the following:
    • Lowercase characters.
    • Uppercase characters.
    • Numbers (0-9).
    • Symbols (see the allowed characters above).
Password expiry duration (Maximum password age)
  • Default value: 90 days.
  • The value is configurable by using the Set-MsolPasswordPolicy cmdlet from the Azure Active Directory Module for Windows PowerShell.
Password expiry notification (When users are notified of password expiration)
  • Default value: 14 days (before the password expires).
  • The value is configurable by using the Set-MsolPasswordPolicy cmdlet.
Password expiry (Let passwords never expire)
  • Default value: false (indicates that passwords have an expiration date).
  • The value can be configured for individual user accounts by using the Set-MsolUser cmdlet.
Password change history
  • The last password can't be used again when the user changes a password.
Password reset history
  • The last password can be used again when the user resets a forgotten password.
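A local pre-check of a candidate password against the cloud-only policy above, useful in a provisioning script so that a rejected password is caught before the call to Azure AD. This is an added example, not code from the Microsoft Docs page; the function name and the sample passwords are constructed, and treating the blank space as a symbol is the editor's reading of the table.

```powershell
# Added example (not from the Microsoft Docs page): checks a candidate password
# against the length, character-set and 3-of-4 rules in the table above.
function Test-AzureADPasswordComplexity {
    param([Parameter(Mandatory)][string]$Password)

    $problems = [System.Collections.Generic.List[string]]::new()

    # Length: 8 to 256 characters.
    if ($Password.Length -lt 8 -or $Password.Length -gt 256) {
        $problems.Add("length $($Password.Length) is outside 8-256")
    }

    # Allowed characters: letters, digits, the listed symbols and the blank space.
    # Anything else (including any Unicode character) is rejected.
    $allowed = '^[A-Za-z0-9@#$%^&*\-_!+=\[\]{}|\\:'',.?/`~"(); ]+$'
    if ($Password -notmatch $allowed) {
        $problems.Add('contains a character outside the allowed set (Unicode is not allowed)')
    }

    # Three of four categories. -cmatch is needed because -match ignores case.
    # Assumption: the blank space counts as a symbol, since it is in the allowed set.
    $categories = @(
        ($Password -cmatch '[a-z]'),
        ($Password -cmatch '[A-Z]'),
        ($Password -match  '[0-9]'),
        ($Password -match  '[^A-Za-z0-9]')
    )
    $met = @($categories | Where-Object { $_ }).Count
    if ($met -lt 3) { $problems.Add("only $met of 4 character categories present, need 3") }

    [pscustomobject]@{
        Password = $Password
        IsValid  = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

# Constructed samples: valid, too short, one category only, Unicode, two categories only.
@('Summer2024!', 'Ab1!', 'password', 'Pässword1!', 'correct horse battery') |
    ForEach-Object { Test-AzureADPasswordComplexity -Password $_ } | Format-Table -AutoSize
```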

Administrator reset policy differences

By default, administrator accounts are enabled for self-service password reset, and a strong default two-gate password reset policy is enforced. This policy may be different from the one you have defined for your users, and it can't be changed. You should always test password reset functionality as a user without any Azure administrator roles assigned.

With a two-gate policy, administrators don't have the ability to use security questions.

The two-gate policy requires two pieces of authentication data, such as an email address, authenticator app, or a phone number. A two-gate policy applies in the following circumstances:

  • All the following Azure administrator roles are affected:

    • Helpdesk administrator
    • Service support administrator
    • Billing administrator
    • Partner Tier1 Support
    • Partner Tier2 Support
    • Exchange administrator
    • Skype for Business administrator
    • User administrator
    • Directory writers
    • Global administrator or company administrator
    • SharePoint administrator
    • Compliance administrator
    • Application administrator
    • Security administrator
    • Privileged role administrator
    • Intune administrator
    • Dynamics 365 administrator
    • Power BI service administrator
    • Authentication administrator
    • Privileged Authentication administrator

  • If 30 days have elapsed in a trial subscription; or

  • A custom domain has been configured for your Azure AD tenant, such as contoso.com; or

  • Azure AD Connect is synchronizing identities from your on-premises directory

You can disable the use of SSPR for administrator accounts using the Set-MsolCompanySettings PowerShell cmdlet. The -SelfServePasswordResetEnabled $False parameter disables SSPR for administrators.

Exceptions

A one-gate policy requires one piece of authentication data, such as an email address or phone number. A one-gate policy applies in the following circumstances:

  • It's within the first 30 days of a trial subscription; or
  • A custom domain hasn't been configured for your Azure AD tenant, so it is using the default *.partner.onmschina.cn. The default *.partner.onmschina.cn domain isn't recommended for production use; and
  • Azure AD Connect isn't synchronizing identities

Password expiration policies

A global administrator or user administrator can use the Azure AD Module for Windows PowerShell to set user passwords not to expire.

You can also use PowerShell cmdlets to remove the never-expires configuration or to see which user passwords are set to never expire.

This guidance applies to other providers, such as Intune and Microsoft 365, which also rely on Azure AD for identity and directory services. Password expiration is the only part of the policy that can be changed.

Note

Only passwords for user accounts that aren't synchronized through Azure AD Connect can be configured to not expire. For more information about directory synchronization, see Connect AD with Azure AD.

Set or check the password policies by using PowerShell

To get started, download and install the Azure AD PowerShell module and connect it to your Azure AD tenant.

After the module is installed, use the following steps to complete each task as needed.

Check the expiration policy for a password

  1. Open a PowerShell prompt and connect to your Azure AD tenant using a global administrator or user administrator account.

  2. Run one of the following commands for either an individual user or for all users:

    • To see if a single user's password is set to never expire, run the following cmdlet. Replace <user ID> with the user ID of the user you want to check, such as driley@contoso.partner.onmschina.cn:

      Get-AzureADUser -ObjectId <user ID> | Select-Object @{N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"}}

    • To see the Password never expires setting for all users, run the following cmdlet:

      Get-AzureADUser -All $true | Select-Object UserPrincipalName, @{N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"}}

Set a password to expire

  1. Open a PowerShell prompt and connect to your Azure AD tenant using a global administrator or user administrator account.

  2. Run one of the following commands for either an individual user or for all users:

    • To set the password of one user so that the password expires, run the following cmdlet. Replace <user ID> with the user ID of the user whose password you want to change, such as driley@contoso.partner.onmschina.cn:

      Set-AzureADUser -ObjectId <user ID> -PasswordPolicies None

    • To set the passwords of all users in the organization so that they expire, use the following cmdlet:

      Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies None

Set a password to never expire

  1. Open a PowerShell prompt and connect to your Azure AD tenant using a global administrator or user administrator account.

  2. Run one of the following commands for either an individual user or for all users:

    • To set the password of one user to never expire, run the following cmdlet. Replace <user ID> with the user ID of the user whose password you want to change, such as driley@contoso.partner.onmschina.cn:

      Set-AzureADUser -ObjectId <user ID> -PasswordPolicies DisablePasswordExpiration

    • To set the passwords of all the users in an organization to never expire, run the following cmdlet:

      Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies DisablePasswordExpiration

    Warning

    Passwords set to -PasswordPolicies DisablePasswordExpiration still age based on the pwdLastSet attribute. If you later change the expiration to -PasswordPolicies None, all passwords whose pwdLastSet is older than 90 days require the user to change them the next time they sign in. This change can affect a large number of users.
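Before switching never-expiring users back to -PasswordPolicies None, a defender wants to know how many sign-ins the warning above would affect. The script below, an added example that is not part of the Microsoft Docs page, assumes user objects shaped like the MSOnline module's Get-MsolUser output (UserPrincipalName, PasswordNeverExpires and LastPasswordChangeTimestamp, the cloud counterpart of pwdLastSet); the sample users are constructed so the script runs offline.

```powershell
# Added example (not from the Microsoft Docs page). Assumes objects shaped like
# Get-MsolUser output; the sample below is constructed so the script runs offline.
function Get-PasswordExpiryImpact {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int]$MaximumPasswordAgeDays = 90,   # tenant default from the policy table above
        [datetime]$AsOf = (Get-Date)
    )
    process {
        # Age of the current password, in whole days, relative to the evaluation time.
        $ageDays = [int][math]::Floor(($AsOf - $User.LastPasswordChangeTimestamp).TotalDays)
        [pscustomobject]@{
            UserPrincipalName    = $User.UserPrincipalName
            PasswordNeverExpires = $User.PasswordNeverExpires
            PasswordAgeDays      = $ageDays
            # Switching such a user back to -PasswordPolicies None forces a change at the
            # next sign-in when the password is already older than the maximum age.
            ForcedChangeIfExpiryReenabled = [bool]($User.PasswordNeverExpires -and $ageDays -gt $MaximumPasswordAgeDays)
        }
    }
}

$asOf = Get-Date
$sample = @(   # constructed sample users, not real tenant data
    [pscustomobject]@{ UserPrincipalName = 'driley@contoso.partner.onmschina.cn'; PasswordNeverExpires = $true;  LastPasswordChangeTimestamp = $asOf.AddDays(-400) }
    [pscustomobject]@{ UserPrincipalName = 'alee@contoso.partner.onmschina.cn';   PasswordNeverExpires = $true;  LastPasswordChangeTimestamp = $asOf.AddDays(-20) }
    [pscustomobject]@{ UserPrincipalName = 'bchen@contoso.partner.onmschina.cn';  PasswordNeverExpires = $false; LastPasswordChangeTimestamp = $asOf.AddDays(-120) }
)
$report = $sample | Get-PasswordExpiryImpact -AsOf $asOf
$report | Format-Table -AutoSize
"Users who would be forced to change their password: $(@($report | Where-Object ForcedChangeIfExpiryReenabled).Count)"

# Against a live tenant (after Connect-MsolService), assuming the MSOnline module:
#   Get-MsolUser -All | Get-PasswordExpiryImpact | Where-Object ForcedChangeIfExpiryReenabled
```

With the constructed data only driley is flagged: alee's password is 20 days old and bchen is already subject to expiry.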

Next steps

To get started with SSPR, see Tutorial: Enable users to unlock their account or reset passwords using Azure Active Directory self-service password reset.

If you or your users have problems with SSPR, see Troubleshoot self-service password reset.