How does self-service password reset writeback work in Azure Active Directory?

Azure Active Directory (Azure AD) self-service password reset (SSPR) lets users reset their passwords in the cloud, but most companies also have an on-premises Active Directory Domain Services (AD DS) environment where their users exist. Password writeback is a feature enabled with Azure AD Connect that allows password changes in the cloud to be written back to an existing on-premises directory in real time. In this configuration, as users change or reset their passwords using SSPR in the cloud, the updated passwords are also written back to the on-premises AD DS environment.

Important

This conceptual article explains to an administrator how self-service password reset writeback works. If you're an end user already registered for self-service password reset and need to get back into your account, go to https://passwordreset.activedirectory.windowsazure.cn.

If your IT team hasn't enabled the ability to reset your own password, reach out to your helpdesk for additional assistance.

Password writeback is supported in environments that use the following hybrid identity models:

Password writeback provides the following features:

  • Enforcement of on-premises Active Directory Domain Services (AD DS) password policies: When a user resets their password, it's checked to ensure it meets your on-premises AD DS policy before committing it to that directory. This review includes checking the history, complexity, age, password filters, and any other password restrictions that you define in AD DS.
  • Zero-delay feedback: Password writeback is a synchronous operation. Users are notified immediately if their password doesn't meet the policy or can't be reset or changed for any reason.
  • Supports password changes from the access panel and Office 365: When federated or password hash synchronized users change their expired or non-expired passwords, those passwords are written back to AD DS.
  • Supports password writeback when an admin resets a password from the Azure portal: When an admin resets a user's password in the Azure portal, if that user is federated or password hash synchronized, the password is written back to on-premises AD DS. This functionality is currently not supported in the Office admin portal.
  • Doesn't require any inbound firewall rules: Password writeback uses an Azure Service Bus relay as the underlying communication channel. All communication is outbound over port 443.

Note

Administrator accounts that exist within protected groups in on-premises AD can be used with password writeback. Administrators can change their password in the cloud but can't use password reset to reset a forgotten password. For more information about protected groups, see Protected accounts and groups in AD DS.

To get started with SSPR writeback, complete the following tutorial:

How password writeback works

When a federated or password hash synchronized user attempts to reset or change their password in the cloud, the following actions occur:

  1. A check is performed to see what type of password the user has. If the password is managed on-premises:

    • A check is performed to see if the writeback service is up and running. If it is, the user can proceed.
    • If the writeback service is down, the user is informed that their password can't be reset right now.
  2. Next, the user passes the appropriate authentication gates and reaches the Reset password page.

  3. The user selects a new password and confirms it.

  4. When the user selects Submit, the plaintext password is encrypted with a symmetric key created during the writeback setup process.

  5. The encrypted password is included in a payload that is sent over an HTTPS channel to your tenant-specific Service Bus relay (which is set up for you during the writeback setup process). This relay is protected by a randomly generated password that only your on-premises installation knows.

  6. After the message reaches the Service Bus, the password-reset endpoint automatically wakes up and sees that it has a reset request pending.

  7. The service then looks for the user by using the cloud anchor attribute. For this lookup to succeed, the following conditions must be met:

    • The user object must exist in the AD DS connector space.
    • The user object must be linked to the corresponding metaverse (MV) object.
    • The user object must be linked to the corresponding Azure AD connector object.
    • The link from the AD DS connector object to the MV must have the synchronization rule Microsoft.InfromADUserAccountEnabled.xxx on the link.

    When the call comes in from the cloud, the synchronization engine uses the cloudAnchor attribute to look up the Azure AD connector space object. It then follows the link back to the MV object, and then follows the link back to the AD DS object. Because there can be multiple AD DS objects (multi-forest) for the same user, the sync engine relies on the Microsoft.InfromADUserAccountEnabled.xxx link to pick the correct one.

  8. After the user account is found, an attempt is made to reset the password directly in the appropriate AD DS forest.

  9. If the password set operation is successful, the user is told their password has been changed.

    Note

    If the user's password hash is synchronized to Azure AD by using password hash synchronization, there's a chance that the on-premises password policy is weaker than the cloud password policy. In this case, the on-premises policy is enforced. This policy ensures that your on-premises policy is enforced in the cloud, no matter whether you use password hash synchronization or federation to provide single sign-on.

  10. If the password set operation fails, an error prompts the user to try again. The operation might fail for the following reasons:

    • The service was down.
    • The password they selected doesn't meet the organization's policies.
    • The user couldn't be found in the local AD DS environment.

    The error messages provide guidance to users so they can attempt to resolve the problem without administrator intervention.
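The lookup in step 7 and the "user not found" failure in step 10, as an added example (not code from this page or from Azure AD Connect): an in-memory Go model of the connector spaces that follows cloudAnchor to the Azure AD connector object, then to the metaverse object, then to the AD DS object, and picks among forests by the sync-rule link. The type names, the sample data and the prefix match on the rule name are assumptions.

```go
package main

import (
	"errors"
	"strings"
)

// The page names the rule as Microsoft.InfromADUserAccountEnabled.xxx; matching on the prefix is an assumption.
const accountEnabledRulePrefix = "Microsoft.InfromADUserAccountEnabled."

// ADObject is an AD DS connector space entry: forest, DN, joined MV object, and the sync rule that made the link.
type ADObject struct{ Forest, DN, MVLink, SyncRule string }

// SyncState is a constructed, in-memory model of the sync engine's connector spaces.
type SyncState struct {
	CloudToMV map[string]string // cloudAnchor of the Azure AD connector object -> linked MV object id ("" if unlinked)
	ADObjects []ADObject        // AD DS connector space objects across all forests
}

// ResolveOnPremUser follows the links of step 7: cloudAnchor -> Azure AD connector object -> MV object -> AD DS
// object. With several forests joined to one MV object, only the link carrying the AccountEnabled rule wins.
func (s *SyncState) ResolveOnPremUser(cloudAnchor string) (ADObject, error) {
	mvID, ok := s.CloudToMV[cloudAnchor]
	if !ok || mvID == "" {
		return ADObject{}, errors.New("unable to find the user: Azure AD connector object missing or not linked to the metaverse")
	}
	for _, obj := range s.ADObjects {
		if obj.MVLink == mvID && strings.HasPrefix(obj.SyncRule, accountEnabledRulePrefix) {
			return obj, nil // this is the forest where SetPassword will run
		}
	}
	return ADObject{}, errors.New("unable to find the user: no AD DS object joined to the MV object carries the AccountEnabled rule")
}

// SampleState is constructed data: alice exists in two forests, bob's link lacks the rule, carol is unlinked.
func SampleState() *SyncState {
	return &SyncState{
		CloudToMV: map[string]string{"anchor-alice": "mv-1", "anchor-bob": "mv-2", "anchor-carol": ""},
		ADObjects: []ADObject{
			{"corp.example", "CN=alice,DC=corp,DC=example", "mv-1", "constructed-other-rule"},
			{"eu.example", "CN=alice,DC=eu,DC=example", "mv-1", accountEnabledRulePrefix + "constructed"},
			{"corp.example", "CN=bob,DC=corp,DC=example", "mv-2", "constructed-other-rule"},
		},
	}
}
```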

Password writeback security

Password writeback is a highly secure service. To ensure your information is protected, a four-tiered security model is enabled as follows:

  • Tenant-specific Service Bus relay
    • When you set up the service, a tenant-specific Service Bus relay is set up that's protected by a randomly generated strong password that Microsoft never has access to.
  • Locked down, cryptographically strong password encryption key
    • After the Service Bus relay is created, a strong symmetric key is created that is used to encrypt the password as it comes over the wire. This key only lives in your company's secret store in the cloud, which is heavily locked down and audited, just like any other password in the directory.
  • Industry standard Transport Layer Security (TLS)
    1. When a password reset or change operation occurs in the cloud, the plaintext password is encrypted with your public key.
    2. The encrypted password is placed into an HTTPS message that's sent over an encrypted channel by using Microsoft TLS/SSL certs to your Service Bus relay.
    3. After the message arrives in the Service Bus, your on-premises agent wakes up and authenticates to the Service Bus by using the strong password that was previously generated.
    4. The on-premises agent picks up the encrypted message and decrypts it by using the private key.
    5. The on-premises agent attempts to set the password through the AD DS SetPassword API. This step is what allows enforcement of your AD DS on-premises password policy (such as the complexity, age, history, and filters) in the cloud.
  • Message expiration policies
    • If the message sits in the Service Bus because your on-premises service is down, it times out and is removed after several minutes. The time-out and removal of the message increases security even further.

Password writeback encryption details

After a user submits a password reset, the reset request goes through several encryption steps before it arrives in your on-premises environment. These encryption steps ensure maximum service reliability and security. They are described as follows:

  1. Password encryption with a 2048-bit RSA key: After a user submits a password to be written back to on-premises, the submitted password itself is encrypted with a 2048-bit RSA key.
  2. Package-level encryption with AES-GCM: The entire package, the password plus the required metadata, is encrypted by using AES-GCM. This encryption prevents anyone with direct access to the underlying Service Bus channel from viewing or tampering with the contents.
  3. All communication occurs over TLS/SSL: All communication with the Service Bus happens in an SSL/TLS channel. This encryption secures the contents from unauthorized third parties.
  4. Automatic key rollover every six months: All keys roll over every six months, or every time password writeback is disabled and then re-enabled on Azure AD Connect, to ensure maximum service security and safety.
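The two inner layers above (step 1 RSA-2048 on the password, step 2 AES-GCM on the whole package), together with the public-key/private-key split described in the security section, as an added Go round trip that is not code from this page or from Azure AD Connect. The key generation (a 256-bit AES key), the package layout (RSA ciphertext followed by the cloud anchor) and the function names are assumptions; the Service Bus relay and the TLS layer are not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// GenerateKeys models writeback setup: a 2048-bit RSA pair (private half stays on-premises) and the package key.
func GenerateKeys() (*rsa.PrivateKey, cipher.AEAD) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // cannot fail for 2048 bits with crypto/rand
	key := make([]byte, 32)                       // AES-256; the real key length isn't stated on the page (assumption)
	rand.Read(key)                                // crypto/rand.Read never returns an error as of Go 1.24
	block, _ := aes.NewCipher(key)                // a 32-byte key is always a valid AES key
	gcm, _ := cipher.NewGCM(block)                // AES's 16-byte block size is GCM-compatible
	return priv, gcm
}

// SealRequest is the cloud side: RSA-OAEP encrypts the password, then AES-GCM seals the whole package with a fresh nonce prepended.
func SealRequest(pub *rsa.PublicKey, gcm cipher.AEAD, cloudAnchor, password string) ([]byte, error) {
	encPw, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(password), nil)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	pkg := append(encPw, []byte(cloudAnchor)...) // RSA-2048 ciphertext is exactly pub.Size() bytes
	return gcm.Seal(nonce, nonce, pkg, nil), nil
}

// OpenRequest is the on-premises agent: AES-GCM rejects any tampered package before the private key,
// which never leaves the agent, recovers the password that goes to the SetPassword call.
func OpenRequest(priv *rsa.PrivateKey, gcm cipher.AEAD, envelope []byte) (cloudAnchor, password string, err error) {
	n := gcm.NonceSize()
	if len(envelope) < n+gcm.Overhead()+priv.Size() { // must hold nonce, GCM tag and the RSA block
		return "", "", errors.New("envelope too short")
	}
	pkg, err := gcm.Open(nil, envelope[:n], envelope[n:], nil) // any bit flip in transit fails here
	if err != nil {
		return "", "", err
	}
	pw, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, pkg[:priv.Size()], nil)
	if err != nil {
		return "", "", err
	}
	return string(pkg[priv.Size():]), string(pw), nil
}
```

Because the whole package is authenticated by GCM, a modified envelope is rejected before the RSA layer is ever touched, which is the tamper protection step 2 describes.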

Password writeback bandwidth usage

Password writeback is a low-bandwidth service that only sends requests back to the on-premises agent under the following circumstances:

  • Two messages are sent when the feature is enabled or disabled through Azure AD Connect.
  • One message is sent once every five minutes as a service heartbeat for as long as the service is running.
  • Two messages are sent each time a new password is submitted:
    • The first message is a request to perform the operation.
    • The second message contains the result of the operation, and is sent in the following circumstances:
      • Each time a new password is submitted during a user self-service password reset.
      • Each time a new password is submitted during a user password change operation.
      • Each time a new password is submitted during an admin-initiated user password reset (only from the Azure admin portals).

Message size and bandwidth considerations

The size of each of the messages described previously is typically under 1 KB. Even under extreme loads, the password writeback service itself consumes only a few kilobits per second of bandwidth. Because each message is sent in real time, only when required by a password update operation, and because the message size is so small, the bandwidth usage of the writeback capability is too small to have a measurable impact.

Supported writeback operations

Passwords are written back in all of the following situations:

  • Supported end-user operations

    • Any end-user self-service voluntary change password operation.
    • Any end-user self-service force change password operation, for example, password expiration.
    • Any end-user self-service password reset that originates from the password reset portal.
  • Supported administrator operations

    • Any administrator self-service voluntary change password operation.
    • Any administrator self-service force change password operation, for example, password expiration.
    • Any administrator self-service password reset that originates from the password reset portal.
    • Any administrator-initiated end-user password reset from the Azure portal.
    • Any administrator-initiated end-user password reset from the Microsoft Graph API beta.

Unsupported writeback operations

Passwords aren't written back in any of the following situations:

  • Unsupported end-user operations
    • Any end user resetting their own password by using PowerShell version 1, version 2, or the Microsoft Graph API.
  • Unsupported administrator operations
    • Any administrator-initiated end-user password reset from PowerShell version 1, version 2, or the Microsoft Graph API (the Microsoft Graph API beta is supported).
    • Any administrator-initiated end-user password reset from the Microsoft 365 admin center.
    • Administrators can't use the password reset tool to reset their own password with password writeback.

Warning

Use of the checkbox "User must change password at next logon" in on-premises AD DS administrative tools like Active Directory Users and Computers or the Active Directory Administrative Center is supported as a preview feature of Azure AD Connect. For more information, see Implement password hash synchronization with Azure AD Connect sync.

Next steps

To get started with SSPR writeback, complete the following tutorial: