Configure and enable users for SMS-based authentication using Azure Active Directory (preview)

To reduce the complexity and security risks for users signing in to applications and services, Azure Active Directory (Azure AD) provides multiple authentication options. SMS-based authentication, currently in preview, lets users sign in without needing to provide, or even know, their username and password. After their account is created by an identity administrator, they can enter their phone number at the sign-in prompt and provide an authentication code that's sent to them via text message. This authentication method simplifies access to applications and services, especially for front line workers.

This article shows you how to enable SMS-based authentication for select users or groups in Azure AD.

Note

SMS-based authentication for users is a public preview feature of Azure Active Directory. For more information about previews, see Supplemental Terms of Use for Azure Previews.

Before you begin

To complete this article, you need the following resources and privileges:

Limitations

During the public preview of SMS-based authentication, the following limitations apply:

  • SMS-based authentication isn't currently compatible with Azure Multi-Factor Authentication.
  • With the exception of Teams, SMS-based authentication isn't currently compatible with native Office applications.
  • SMS-based authentication isn't recommended for B2B accounts.
  • Federated users won't authenticate in the home tenant. They only authenticate in the cloud.

Enable the SMS-based authentication method

There are three main steps to enable and use SMS-based authentication in your organization:

  • Enable the authentication method policy.
  • Select users or groups that can use the SMS-based authentication method.
  • Assign a phone number for each user account.
    • This phone number can be assigned in the Azure portal (which is shown in this article), and in My Staff or My Profile.

First, let's enable SMS-based authentication for your Azure AD tenant.

  1. Sign in to the Azure portal as a global administrator.

  2. Search for and select Azure Active Directory.

  3. From the navigation menu on the left-hand side of the Azure Active Directory window, select Security > Authentication methods > Authentication method policy (preview).

    Browse to and select the Authentication method policy (preview) window in the Azure portal.

  4. From the list of available authentication methods, select Text message.

  5. Set Enable to Yes.

    Enable text message authentication in the authentication method policy window.

    You can choose to enable SMS-based authentication for All users or Select users and groups. In the next section, you enable SMS-based authentication for a test user.

Assign the authentication method to users and groups

With SMS-based authentication enabled in your Azure AD tenant, now select some users or groups to be allowed to use this authentication method.

  1. In the text message authentication policy window, set Target to Select users.

  2. Choose Add users or groups, then select a test user or group, such as Contoso User or Contoso SMS Users.

    Choose users or groups to enable for SMS-based authentication in the Azure portal.

  3. When you've selected your users or groups, choose Select, then Save the updated authentication method policy.

Each user that's enabled in the text message authentication method policy must be licensed, even if they don't use it. Make sure you have the appropriate licenses for the users you enable in the authentication method policy, especially when you enable the feature for large groups of users.

Set a phone number for user accounts

Users are now enabled for SMS-based authentication, but their phone number must be associated with the user profile in Azure AD before they can sign in. The user can set this phone number themselves in My Profile, or you can assign the phone number using the Azure portal. Phone numbers can be set by global admins, authentication admins, or privileged authentication admins.

When a phone number is set for SMS sign-in, it's also available for use with Azure Multi-Factor Authentication and self-service password reset.

  1. Search for and select Azure Active Directory.

  2. From the navigation menu on the left-hand side of the Azure Active Directory window, select Users.

  3. Select the user you enabled for SMS-based authentication in the previous section, such as Contoso User, then select Authentication methods.

  4. Enter the user's phone number, including the country code, such as +1 xxxxxxxxx. The Azure portal validates that the phone number is in the correct format.

    Set a phone number for a user for SMS-based authentication in the Azure portal.

    The phone number must be unique in your tenant. If you try to use the same phone number for multiple users, an error message is shown.

  5. To apply the phone number to a user's account, select Save.

When successfully provisioned, a check mark appears for SMS Sign-in enabled.

Test SMS-based sign-in

To test the user account that's now enabled for SMS-based sign-in, complete the following steps:

  1. Open a new InPrivate or Incognito web browser window to https://www.office.com

  2. In the top right-hand corner, select Sign in.

  3. At the sign-in prompt, enter the phone number associated with the user in the previous section, then select Next.

    Enter the phone number for the test user at the sign-in prompt.

  4. A text message is sent to the phone number provided. To complete the sign-in process, enter the 6-digit code provided in the text message at the sign-in prompt.

    Enter the confirmation code sent by text message to the user's phone number.

  5. The user is now signed in without the need to provide a username or password.

Troubleshoot SMS-based sign-in

The following scenarios and troubleshooting steps can be used if you have problems enabling and using SMS-based sign-in.

Phone number already set for a user account

If a user has already registered for Azure Multi-Factor Authentication and/or self-service password reset (SSPR), they already have a phone number associated with their account. This phone number is not automatically available for use with SMS-based sign-in.

A user that already has a phone number set for their account is shown a button to Enable for SMS sign-in in their My Profile page. Select this button, and the account is enabled for use with SMS-based sign-in as well as the previous Azure Multi-Factor Authentication or SSPR registration.

For more information on the end-user experience, see SMS sign-in user experience for phone number (preview).

Error when trying to set a phone number on a user's account

If you receive an error when you try to set a phone number for a user account in the Azure portal, review the following troubleshooting steps:

  1. Make sure that you're enabled for the SMS-based sign-in preview.
  2. Confirm that the user account is enabled in the Text message authentication method policy.
  3. Make sure you set the phone number with the proper formatting, as validated in the Azure portal (such as +1 4251234567).
  4. Make sure that the phone number isn't used elsewhere in your tenant.
  5. Check that there's no voice number set on the account. If a voice number is set, delete it and try to set the phone number again.
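The three enablement steps (policy enabled, user or group targeted, phone number assigned), the licensing note, the phone number rules from the "Set a phone number" section, and the troubleshooting list above all reduce to a handful of checks an administrator can run before asking a user to test. The following Python script is an added example, not Microsoft's code or an Azure AD API: it models a tenant's text message policy and user records offline and reports, per account, which of those checks would block SMS sign-in. The phone number pattern (a leading "+", a 1-3 digit country code, an optional space, and at most 15 digits in total) approximates the "+1 4251234567" form the article shows and is this example's assumption, as are the sample tenant, group name and numbers.

```python
"""Pre-flight checks for SMS-based sign-in (added example, not Microsoft's code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Accepts "+<country code> <subscriber number>" as the portal shows it
# (for example "+1 4251234567"). The optional space and the 15-digit cap
# approximate E.164 and are this example's assumption, not Microsoft's rule.
PHONE_RE = re.compile(r"^\+(\d{1,3})\s?(\d{6,14})$")


@dataclass
class User:
    upn: str
    licensed: bool
    mobile_phone: Optional[str] = None   # number intended for SMS sign-in
    voice_phone: Optional[str] = None    # a voice number blocks enablement (troubleshooting step 5)
    groups: Set[str] = field(default_factory=set)


@dataclass
class SmsPolicy:
    enabled: bool                                   # "Enable" set to Yes on the Text message method
    all_users: bool = False                         # Target = All users
    users: Set[str] = field(default_factory=set)    # Target = Select users (individual UPNs)
    groups: Set[str] = field(default_factory=set)   # Target = Select users (group names)


def normalize_phone(number: str) -> Optional[str]:
    """Return the number with the space removed, or None if it is malformed."""
    match = PHONE_RE.match(number.strip())
    if match is None:
        return None
    country, subscriber = match.groups()
    if len(country) + len(subscriber) > 15:
        return None
    return f"+{country}{subscriber}"


def is_targeted(user: User, policy: SmsPolicy) -> bool:
    """True if the policy lets this user use the text message method."""
    if not policy.enabled:
        return False
    return policy.all_users or user.upn in policy.users or bool(user.groups & policy.groups)


def preflight(users: List[User], policy: SmsPolicy) -> Dict[str, List[str]]:
    """Map each UPN to the blockers that would stop SMS sign-in from working.

    An empty list means the account is ready to test. The checks mirror the
    article: policy enabled, user targeted, targeted user licensed, number
    well formed, number unique in the tenant, and no voice number set.
    """
    # Count normalized numbers across the whole tenant so duplicates can be flagged.
    seen: Dict[str, int] = {}
    for user in users:
        if user.mobile_phone:
            key = normalize_phone(user.mobile_phone)
            if key:
                seen[key] = seen.get(key, 0) + 1

    report: Dict[str, List[str]] = {}
    for user in users:
        issues: List[str] = []
        if not policy.enabled:
            issues.append("text message method is disabled in the policy")
        elif not is_targeted(user, policy):
            issues.append("user is not targeted by the text message policy")
        elif not user.licensed:
            issues.append("user is targeted but has no license")
        if not user.mobile_phone:
            issues.append("no phone number set")
        else:
            key = normalize_phone(user.mobile_phone)
            if key is None:
                issues.append("phone number is not in '+<country code> <number>' format")
            elif seen[key] > 1:
                issues.append("phone number is already used by another account")
        if user.voice_phone:
            issues.append("voice number is set; remove it before setting the phone number")
        report[user.upn] = issues
    return report


# Constructed sample tenant; UPNs, the group name and all numbers are made up.
SAMPLE_POLICY = SmsPolicy(enabled=True, users={"contoso.user@contoso.example"},
                          groups={"Contoso SMS Users"})
SAMPLE_USERS = [
    User("contoso.user@contoso.example", True, "+1 4251234567"),
    User("alice@contoso.example", True, "+1 4255550100", groups={"Contoso SMS Users"}),
    User("bob@contoso.example", True, "+14255550100", groups={"Contoso SMS Users"}),   # same as alice
    User("carol@contoso.example", True, "4255550101", groups={"Contoso SMS Users"}),   # no country code
    User("dave@contoso.example", False, "+1 4255550102", groups={"Contoso SMS Users"}),
    User("erin@contoso.example", True, "+1 4255550103", voice_phone="+1 4255550104",
         groups={"Contoso SMS Users"}),
    User("frank@contoso.example", True, "+1 4255550105"),                              # not targeted
]


def sample_report() -> Dict[str, List[str]]:
    """Run the pre-flight checks over the constructed tenant."""
    return preflight(SAMPLE_USERS, SAMPLE_POLICY)


if __name__ == "__main__":
    for upn, issues in sample_report().items():
        print(upn, "->", "ready" if not issues else "; ".join(issues))
```

Uniqueness is checked on the normalized form, so "+1 4255550100" and "+14255550100" collide as the portal's "used elsewhere in your tenant" error would suggest; the policy checks are ordered so that a disabled method is reported once rather than as both "disabled" and "not targeted".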