Customize the user experience for Azure Active Directory self-service password reset

Self-service password reset (SSPR) gives users in Azure Active Directory (Azure AD) the ability to change or reset their password, with no administrator or help desk involvement. If a user's account is locked or they forget their password, they can follow prompts to unblock themselves and get back to work. This ability reduces help desk calls and loss of productivity when a user can't sign in to their device or an application.

To improve the SSPR experience for users, you can customize the look and feel of the password reset page, email notifications, or sign-in pages. These customization options make it clear to users that they're in the right place, and give them confidence that they're accessing company resources.

This article shows you how to customize the SSPR e-mail link for users, company branding, and AD FS sign-in page link.

To help users reach out for assistance with self-service password reset, a "Contact your administrator" link is shown in the password reset portal. If a user selects this link, it does one of two things:

  • If this contact link is left in the default state, an email is sent to your administrators asking them to help change the user's password. The following sample e-mail shows this default e-mail message:

    Sample request to reset email sent to the administrator

  • If customized, the link sends the user to a webpage or email address specified by the administrator for assistance.

    • If you customize this, we recommend setting this to something users are already familiar with for support.

    Warning

    If you customize this setting with an email address and account that needs a password reset, the user may be unable to ask for assistance.

Default email behavior

The default contact email is sent to recipients in the following order:

  1. If the helpdesk administrator role or password administrator role is assigned, administrators with these roles are notified.
  2. If no helpdesk administrator or password administrator is assigned, then administrators with the user administrator role are notified.
  3. If none of the previous roles are assigned, then the global administrators are notified.

In all cases, a maximum of 100 recipients are notified.
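
The fallback order above decides which privileged mailboxes receive users' reset requests, so it is worth knowing which tier applies in your tenant. The following PowerShell sketch is an added example, not code from the original article: the function name `Get-SsprDefaultContactTier` is hypothetical, and the role assignments are constructed sample data rather than output from a real directory.

```powershell
# Constructed sample: role display name -> assigned admin UPNs (not real tenant data).
$sampleAssignments = @{
    'Helpdesk Administrator' = @()
    'Password Administrator' = @()
    'User Administrator'     = @('ua1@contoso.com', 'UA1@contoso.com', 'ua2@contoso.com')
    'Global Administrator'   = @('ga1@contoso.com')
}

function Get-SsprDefaultContactTier {
    # Hypothetical helper: models the fallback order described in the article.
    param(
        [Parameter(Mandatory)] [hashtable] $Assignments,
        [int] $MaxRecipients = 100   # limit stated in the article
    )
    # Tiers in the article's order; the first tier with any member is the one notified.
    $tiers = [ordered]@{
        'helpdesk or password administrator' = @('Helpdesk Administrator', 'Password Administrator')
        'user administrator'                 = @('User Administrator')
        'global administrator'               = @('Global Administrator')
    }
    foreach ($tier in $tiers.GetEnumerator()) {
        # Union of the tier's roles, de-duplicated (Sort-Object -Unique ignores case).
        $members = @(
            @(foreach ($role in $tier.Value) { $Assignments[$role] }) |
                Where-Object { $_ } | Sort-Object -Unique
        )
        if ($members.Count -gt 0) {
            return [pscustomobject]@{
                Tier       = $tier.Key
                Candidates = $members
                # The article does not say which 100 are chosen, so only flag the overflow.
                ExceedsCap = $members.Count -gt $MaxRecipients
            }
        }
    }
    Write-Warning 'No administrator is assigned to any of the listed roles.'
}

# With the sample data, the user administrator tier is selected (two unique accounts).
Get-SsprDefaultContactTier -Assignments $sampleAssignments | Format-List
```

Feed the function an export of your own role membership to see which accounts would be contacted, and confirm that those mailboxes are monitored.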

To find out more about the different administrator roles and how to assign them, see Assigning administrator roles in Azure Active Directory.

Disable "Contact your administrator" emails

If your organization doesn't want to notify administrators about password reset requests, the following configuration options can be used:

  • Customize the helpdesk link to provide a web URL or mailto: address that users can use to get assistance. This option is under Password Reset > Customization > Custom helpdesk email or URL.
  • Enable self-service password reset for all users. This option is under Password Reset > Properties. If you don't want users to reset their own passwords, you can scope access to an empty group. We don't recommend this option.

Customize the sign-in page and access panel

You can customize the sign-in page, for example by adding a logo that appears along with an image that fits your company branding.

The graphics you choose are shown in the following circumstances:

  • After a user enters their username
  • If the user accesses the customized URL:
    • By passing the whr parameter to the password reset page, like https://login.partner.microsoftonline.cn/?whr=contoso.com
    • By passing the username parameter to the password reset page, like https://login.partner.microsoftonline.cn/?username=admin@contoso.com

Directory name

To make things look more user-friendly, you can change the organization name in the portal and in the automated communications. To change the directory name attribute in the Azure portal, browse to Azure Active Directory > Properties. This friendly organization name option is the most visible in automated emails, as in the following examples:

  • The friendly name in the email, for example "Microsoft on behalf of CONTOSO demo"
  • The subject line in the email, for example "CONTOSO demo account email verification code"

Customize the AD FS sign-in page

If you use Active Directory Federation Services (AD FS) for user sign-in events, you can add a link to the sign-in page by using the guidance in the article Add sign-in page description.

Provide users with a link to the page for them to enter the SSPR workflow, such as https://passwordreset.activedirectory.windowsazure.cn. To add a link to the AD FS sign-in page, use the following command on your AD FS server:

Set-ADFSGlobalWebContent -SigninPageDescriptionText "<p><a href='https://passwordreset.activedirectory.windowsazure.cn' target='_blank'>Can't access your account?</a></p>"
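
Because the sign-in page is where users type credentials, any link in its description text should be reviewed whenever the setting changes. The following PowerShell check is an added example, not part of the original article: `Test-SsprLinkTarget` is a hypothetical helper, the allowed host is assumed to be the SSPR host named above, and the two markup strings are constructed samples.

```powershell
function Test-SsprLinkTarget {
    # Hypothetical helper: emits one finding per link that is not HTTPS on the allowed host.
    param(
        [AllowEmptyString()] [string] $Html,
        [string] $AllowedHost = 'passwordreset.activedirectory.windowsazure.cn'
    )
    # Capture the value of every href attribute (single or double quoted, any case).
    $pattern = '(?i)href\s*=\s*[''"]([^''"]+)[''"]'
    foreach ($m in [regex]::Matches($Html, $pattern)) {
        $href = $m.Groups[1].Value
        $uri  = $null
        $ok   = [uri]::TryCreate($href, [UriKind]::Absolute, [ref] $uri) -and
                $uri.Scheme -eq 'https' -and
                $uri.Host -eq $AllowedHost
        if (-not $ok) {
            [pscustomobject]@{ Href = $href; Issue = 'not HTTPS on the allowed host' }
        }
    }
}

# Constructed samples: the article's markup, and a variant that points at a different host.
$good = "<p><a href='https://passwordreset.activedirectory.windowsazure.cn' target='_blank'>Can't access your account?</a></p>"
$bad  = "<p><a href='http://passwordreset.example.invalid/'>Can't access your account?</a></p>"

Test-SsprLinkTarget -Html $good   # no output: the link passes
Test-SsprLinkTarget -Html $bad    # one finding for the http://...example.invalid link

# On an AD FS server, run the same check against the configured description text.
if (Get-Command Get-AdfsGlobalWebContent -ErrorAction SilentlyContinue) {
    foreach ($content in Get-AdfsGlobalWebContent) {
        Test-SsprLinkTarget -Html $content.SignInPageDescriptionText
    }
}
```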

Next steps

To understand the usage of SSPR in your environment, see Reporting options for Azure AD password management.

If you or users have problems with SSPR, see Troubleshoot self-service password reset.