Pre-populate user authentication contact information for Azure Active Directory self-service password reset (SSPR)

To use Azure Active Directory (Azure AD) self-service password reset (SSPR), authentication contact information for a user must be present. Some organizations have users register their authentication data themselves. Other organizations prefer to synchronize authentication data that already exists in Active Directory Domain Services (AD DS). This synchronized data is made available to Azure AD and SSPR without requiring user interaction. When users need to change or reset their password, they can do so even if they haven't previously registered their contact information.

You can pre-populate authentication contact information if you meet the following requirements:

  • You have properly formatted the data in your on-premises directory.
  • You have configured Azure AD Connect for your Azure AD tenant.

Phone numbers must be in the format +CountryCode PhoneNumber, such as +1 4251234567.

Note

There must be a space between the country code and the phone number.

Password reset doesn't support phone extensions. Even in the +1 4251234567X12345 format, the extension is removed before the call is placed, so the call goes to the main number only.
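Because a malformed or extension-bearing number is only discovered when a user is locked out, it is worth checking the on-premises attributes before Azure AD Connect syncs them. The following is an added example, not code from the original article: a constructed PowerShell function that classifies a phone value against the "+CountryCode PhoneNumber" format described above, run over constructed sample values and, commented out, over the telephoneNumber and mobile attributes via Get-ADUser. The regex bounds (1 to 3 digit country code, 4 to 14 digit subscriber number) and the extension markers it recognizes are my assumptions; the page itself only defines the "+", the single space, and the no-extension rule.

```powershell
# Added example (not from the original article). Pre-sync check of phone values against
# the "+CountryCode PhoneNumber" layout SSPR expects. Digit-count bounds and the
# extension patterns below are assumptions, not values taken from the article.

function Test-SsprPhoneFormat {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowNull()]
        [AllowEmptyString()]
        [string]$PhoneNumber
    )
    process {
        $result = [pscustomobject]@{
            Input        = $PhoneNumber
            IsValid      = $false
            HasExtension = $false
            Reason       = ''
        }

        if ([string]::IsNullOrWhiteSpace($PhoneNumber)) {
            $result.Reason = 'empty'
            return $result
        }

        # Extensions are dropped before the call is placed; flag them so the owner can be told.
        if ($PhoneNumber -match '(?i)(x|ext\.?)\s*\d+\s*$') {
            $result.HasExtension = $true
        }

        # Strict form: "+", 1-3 digit country code, exactly one space, then the subscriber digits.
        if ($PhoneNumber -match '^\+\d{1,3} \d{4,14}$') {
            $result.IsValid = $true
            $result.Reason  = 'ok'
        }
        elseif ($PhoneNumber -notmatch '^\+') {
            $result.Reason = 'missing leading +'
        }
        elseif ($PhoneNumber -match '^\+\d+$') {
            $result.Reason = 'missing space between country code and number'
        }
        elseif ($PhoneNumber -match '[^\d\s+]') {
            $result.Reason = 'contains characters other than digits (punctuation or extension)'
        }
        else {
            $result.Reason = 'expected exactly one space, directly after the country code'
        }
        return $result
    }
}

# Constructed sample values, typical of what accumulates in AD phone attributes.
$samples = @(
    '+1 4251234567',         # valid
    '+14251234567',          # no space
    '1 4251234567',          # no plus
    '+1 4251234567X12345',   # extension: would be stripped at call time
    '(425) 123-4567',        # local formatting
    '+1 425 123 4567',       # extra spaces
    ''                       # attribute not set
)
$samples | Test-SsprPhoneFormat | Format-Table -AutoSize

# Against the real directory (requires the ActiveDirectory module and read access):
# Get-ADUser -Filter * -Properties telephoneNumber, mobile | ForEach-Object {
#     foreach ($attr in 'telephoneNumber', 'mobile') {
#         Test-SsprPhoneFormat -PhoneNumber $_.$attr |
#             Add-Member -NotePropertyName User -NotePropertyValue $_.SamAccountName -PassThru |
#             Add-Member -NotePropertyName Attribute -NotePropertyValue $attr -PassThru
#     }
# } | Where-Object { -not $_.IsValid } | Format-Table User, Attribute, Input, Reason -AutoSize
```

Run the check against both attributes, since the table in the next section shows that telephoneNumber and mobile are synced to different Azure AD fields; a number that fails here will sync unchanged and fail silently at reset time.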

Fields populated

If you use the default settings in Azure AD Connect, the following mappings are made to populate authentication contact information for SSPR:

On-premises Active Directory    Azure AD
telephoneNumber                 Office phone
mobile                          Mobile phone

After a user verifies their mobile phone number, the Phone field under Authentication contact info in Azure AD is also populated with that number.

Authentication contact info

On the Authentication methods page for an Azure AD user in the Azure portal, a Global Administrator can manually set the authentication contact information.

The following considerations apply to this authentication contact info:

  • If the Phone field is populated and Mobile phone is enabled in the SSPR policy, the user sees that number on the password reset registration page and during the password reset workflow.
  • If the Email field is populated and Email is enabled in the SSPR policy, the user sees that email on the password reset registration page and during the password reset workflow.

Security questions and answers

The security questions and answers are stored securely in your Azure AD tenant and are only accessible to users via the SSPR registration portal. Administrators can't see, set, or modify the contents of another user's questions and answers.

What happens when a user registers

When a user registers, the registration page sets the following fields:

  • Authentication Phone
  • Authentication Email
  • Security Questions and Answers

If you provided a value for Mobile phone or Alternate email, users can immediately use those values to reset their passwords, even if they haven't registered for the service. The same holds for anyone else who can write those fields: because a pre-populated value is usable for a reset at once, the permission to set a user's Mobile phone or Alternate email is equivalent to the ability to reset that user's password, and should be granted and audited as such.

Users also see those values when they register for the first time, and can modify them if they want to. After they successfully register, these values are persisted in the Authentication Phone and Authentication Email fields, respectively.

Set and read the authentication data through PowerShell

The following fields can be set through PowerShell:

  • Alternate email
  • Mobile phone
  • Office phone
    • Can only be set if you're not synchronizing with an on-premises directory.

Important

There's a known lack of parity in command features between PowerShell v1 and PowerShell v2. The Microsoft Graph REST API (beta) for authentication methods is the current engineering focus for providing a modern interface.

Use PowerShell version 1

To get started, download and install the Azure AD PowerShell module. After it's installed, use the following steps to configure each field.

Set the authentication data with PowerShell version 1

# Sign in to the tenant (this page targets the Azure China environment)
Connect-MsolService -AzureEnvironment AzureChinaCloud

# Set each field individually
Set-MsolUser -UserPrincipalName user@domain.com -AlternateEmailAddresses @("email@domain.com")
Set-MsolUser -UserPrincipalName user@domain.com -MobilePhone "+1 4251234567"
Set-MsolUser -UserPrincipalName user@domain.com -PhoneNumber "+1 4252345678"

# Or set all three in one call
Set-MsolUser -UserPrincipalName user@domain.com -AlternateEmailAddresses @("email@domain.com") -MobilePhone "+1 4251234567" -PhoneNumber "+1 4252345678"

Read the authentication data with PowerShell version 1

Connect-MsolService -AzureEnvironment AzureChinaCloud

Get-MsolUser -UserPrincipalName user@domain.com | select AlternateEmailAddresses
Get-MsolUser -UserPrincipalName user@domain.com | select MobilePhone
Get-MsolUser -UserPrincipalName user@domain.com | select PhoneNumber

Get-MsolUser | select DisplayName,UserPrincipalName,AlternateEmailAddresses,MobilePhone,PhoneNumber | Format-Table

Read the Authentication Phone and Authentication Email options

To read the Authentication Phone and Authentication Email when you use PowerShell version 1, use the following commands:

Connect-MsolService -AzureEnvironment AzureChinaCloud
Get-MsolUser -UserPrincipalName user@domain.com | select -Expand StrongAuthenticationUserDetails | select PhoneNumber
Get-MsolUser -UserPrincipalName user@domain.com | select -Expand StrongAuthenticationUserDetails | select Email
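The two kinds of field read above answer different questions: MobilePhone and AlternateEmailAddresses are what an administrator or the sync pre-populated, while StrongAuthenticationUserDetails holds what the user registered. The following is an added example, not code from the original article: a constructed function that combines both into a per-user SSPR readiness state and flags users whose registered Authentication Phone differs from the pre-populated Mobile phone. The state names and the sample objects are my own; the property names are those used by the MSOnline cmdlets on this page.

```powershell
# Added example (not from the original article). Classifies users by the SSPR data present
# on them, using the same MSOnline properties the article reads individually above.
# State names and the sample objects are constructed for this example.

function Get-SsprReadinessReport {
    [CmdletBinding()]
    param(
        # Objects as returned by Get-MsolUser (or constructed look-alikes for offline testing).
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User
    )
    process {
        $details   = $User.StrongAuthenticationUserDetails
        $authPhone = if ($details) { $details.PhoneNumber } else { $null }
        $authEmail = if ($details) { $details.Email }       else { $null }

        # Admin- or sync-populated values (usable for reset even without registration).
        $hasAltEmail  = (@($User.AlternateEmailAddresses) | Where-Object { $_ } | Measure-Object).Count -gt 0
        $prePopulated = (-not [string]::IsNullOrWhiteSpace($User.MobilePhone)) -or $hasAltEmail

        # Values written by the user's own registration.
        $registered = (-not [string]::IsNullOrWhiteSpace($authPhone)) -or
                      (-not [string]::IsNullOrWhiteSpace($authEmail))

        $state = if ($registered)       { 'Registered' }
                 elseif ($prePopulated) { 'PrePopulatedOnly' }
                 else                   { 'NoSsprData' }

        # Worth a look when false: the user registered a number other than the one HR/AD holds.
        $phoneMatches = $null
        if ($authPhone -and $User.MobilePhone) { $phoneMatches = ($authPhone -eq $User.MobilePhone) }

        [pscustomobject]@{
            UserPrincipalName   = $User.UserPrincipalName
            State               = $state
            MobilePhone         = $User.MobilePhone
            OfficePhone         = $User.PhoneNumber
            AlternateEmail      = (@($User.AlternateEmailAddresses) -join ';')
            AuthenticationPhone = $authPhone
            AuthenticationEmail = $authEmail
            PhoneMatchesMobile  = $phoneMatches
        }
    }
}

# Constructed sample objects shaped like Get-MsolUser output, so the function runs offline.
$sample = @(
    [pscustomobject]@{
        UserPrincipalName = 'alice@contoso.com'; MobilePhone = '+1 4251234567'; PhoneNumber = '+1 4252345678'
        AlternateEmailAddresses = @('alice.alt@outlook.com')
        StrongAuthenticationUserDetails = [pscustomobject]@{ PhoneNumber = '+1 4259998888'; Email = 'alice.alt@outlook.com' }
    },
    [pscustomobject]@{
        UserPrincipalName = 'bob@contoso.com'; MobilePhone = '+1 4253456789'; PhoneNumber = $null
        AlternateEmailAddresses = @(); StrongAuthenticationUserDetails = $null
    },
    [pscustomobject]@{
        UserPrincipalName = 'carol@contoso.com'; MobilePhone = $null; PhoneNumber = $null
        AlternateEmailAddresses = @(); StrongAuthenticationUserDetails = $null
    }
)
$sample | Get-SsprReadinessReport |
    Format-Table UserPrincipalName, State, MobilePhone, AuthenticationPhone, PhoneMatchesMobile -AutoSize

# Against the tenant (after Connect-MsolService -AzureEnvironment AzureChinaCloud):
# Get-MsolUser -All -EnabledFilter EnabledOnly | Get-SsprReadinessReport |
#     Export-Csv .\sspr-readiness.csv -NoTypeInformation
```

In the constructed sample, alice is Registered but PhoneMatchesMobile is false, bob is PrePopulatedOnly, and carol has NoSsprData; the first and last are the rows a help desk or security team would follow up on.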

Use PowerShell version 2

To get started, download and install the Azure AD version 2 PowerShell module.

To quickly install from recent versions of PowerShell that support Install-Module, run the following commands. The first line checks whether the module is already installed:

Get-Module AzureADPreview
Install-Module AzureADPreview
Connect-AzureAD -AzureEnvironmentName AzureChinaCloud

After the module is installed, use the following steps to configure each field.

Set the authentication data with PowerShell version 2

# Sign in to the tenant (this page targets the Azure China environment)
Connect-AzureAD -AzureEnvironmentName AzureChinaCloud

# Set each field individually
Set-AzureADUser -ObjectId user@domain.com -OtherMails @("email@domain.com")
Set-AzureADUser -ObjectId user@domain.com -Mobile "+1 4251234567"
Set-AzureADUser -ObjectId user@domain.com -TelephoneNumber "+1 4252345678"

# Or set all three in one call
Set-AzureADUser -ObjectId user@domain.com -OtherMails @("email@domain.com") -Mobile "+1 4251234567" -TelephoneNumber "+1 4252345678"

Read the authentication data with PowerShell version 2

Connect-AzureAD -AzureEnvironmentName AzureChinaCloud

Get-AzureADUser -ObjectID user@domain.com | select otherMails
Get-AzureADUser -ObjectID user@domain.com | select Mobile
Get-AzureADUser -ObjectID user@domain.com | select TelephoneNumber

Get-AzureADUser | select DisplayName,UserPrincipalName,otherMails,Mobile,TelephoneNumber | Format-Table
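The single-user commands above are what you run while testing; pre-populating a tenant means doing the same for many users from a list, and the two things that go wrong at scale are badly formatted input and writes that did not land. The following is an added example, not code from the original article: a constructed function that reads a CSV, validates each row against the phone format from the top of the page, writes with Set-AzureADUser, and reads the user back with Get-AzureADUser to confirm the directory now holds the value. The CSV column names, the -DryRun switch and the regex bounds are my assumptions; Connect-AzureAD must already have been run.

```powershell
# Added example (not from the original article). Bulk pre-population with the AzureAD (v2)
# module: validate, write, then read back to verify. Column names, the -DryRun switch and
# the regex digit bounds are assumptions made for this example.

function Set-SsprContactFromCsv {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$DryRun   # report what would be written without calling Set-AzureADUser
    )
    $phonePattern = '^\+\d{1,3} \d{4,14}$'               # "+CountryCode PhoneNumber", one space
    $emailPattern = '^[^@\s]+@[^@\s]+\.[^@\s]+$'
    $rows = Import-Csv -Path $Path                       # columns: UserPrincipalName,MobilePhone,AlternateEmail

    foreach ($row in $rows) {
        $upn      = $row.UserPrincipalName.Trim()
        $problems = @()
        if ($row.MobilePhone -and $row.MobilePhone -notmatch $phonePattern) {
            $problems += "MobilePhone '$($row.MobilePhone)' is not in +CountryCode PhoneNumber form"
        }
        if ($row.AlternateEmail -and $row.AlternateEmail -notmatch $emailPattern) {
            $problems += "AlternateEmail '$($row.AlternateEmail)' is not an email address"
        }
        if (-not $row.MobilePhone -and -not $row.AlternateEmail) { $problems += 'nothing to set' }

        if ($problems) {
            [pscustomobject]@{ UserPrincipalName = $upn; Status = 'Skipped'; Detail = ($problems -join '; ') }
            continue
        }

        # Build the Set-AzureADUser call from only the columns that have a value.
        $params = @{ ObjectId = $upn }
        if ($row.MobilePhone)    { $params.Mobile     = $row.MobilePhone.Trim() }
        if ($row.AlternateEmail) { $params.OtherMails = @($row.AlternateEmail.Trim()) }   # replaces existing OtherMails

        if ($DryRun) {
            $planned = ($params.Keys | Where-Object { $_ -ne 'ObjectId' } | ForEach-Object { "$_=$($params[$_])" }) -join '; '
            [pscustomobject]@{ UserPrincipalName = $upn; Status = 'WouldSet'; Detail = $planned }
            continue
        }

        try {
            Set-AzureADUser @params
            # Read back so the report reflects what the directory holds, not what was sent.
            $after = Get-AzureADUser -ObjectId $upn | Select-Object Mobile, OtherMails
            $ok = ((-not $params.Mobile)     -or ($after.Mobile -eq $params.Mobile)) -and
                  ((-not $params.OtherMails) -or ($after.OtherMails -contains $params.OtherMails[0]))
            $status = if ($ok) { 'Set' } else { 'VerifyFailed' }
            [pscustomobject]@{ UserPrincipalName = $upn; Status = $status
                               Detail = "Mobile=$($after.Mobile); OtherMails=$($after.OtherMails -join ',')" }
        }
        catch {
            [pscustomobject]@{ UserPrincipalName = $upn; Status = 'Error'; Detail = $_.Exception.Message }
        }
    }
}

# Constructed sample input; in practice this comes from HR or an on-premises directory export.
@'
UserPrincipalName,MobilePhone,AlternateEmail
alice@contoso.com,+1 4251234567,alice.alt@outlook.com
bob@contoso.com,+14253456789,
carol@contoso.com,,carol.alt@outlook.com
'@ | Set-Content -Path .\sspr-contacts.csv -Encoding UTF8

# Validate first without writing anything (bob is reported as Skipped: no space after the country code).
Set-SsprContactFromCsv -Path .\sspr-contacts.csv -DryRun | Format-Table -AutoSize

# Then apply (after Connect-AzureAD -AzureEnvironmentName AzureChinaCloud):
# Set-SsprContactFromCsv -Path .\sspr-contacts.csv | Format-Table -AutoSize
```

Two points of care: -OtherMails replaces the whole list rather than appending, so export existing values before a bulk run if users may already have alternate emails; and, given that pre-populated values are immediately usable for a reset, keep the CSV and the resulting report as evidence of who set which contact method for whom.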

Next steps

Once authentication contact information is pre-populated for users, complete the following tutorial to enable self-service password reset: