Plan an Azure Active Directory self-service password reset deployment

Important

This deployment plan offers guidance and best practices for deploying Azure AD self-service password reset (SSPR).

If you're an end user and need to get back into your account, go to https://passwordreset.activedirectory.windowsazure.cn.

Self-service password reset (SSPR) is an Azure Active Directory (AD) feature that enables users to reset their passwords without contacting IT staff for help. Users can quickly unblock themselves and continue working no matter where they are or what time of day it is. By allowing employees to unblock themselves, your organization can reduce the non-productive time and high support costs for most common password-related issues.

SSPR has the following key capabilities:

  • Self-service allows end users to reset their expired or non-expired passwords without contacting an administrator or helpdesk for support.
  • Password Writeback allows management of on-premises passwords and resolution of account lockout through the cloud.
  • Password management activity reports give administrators insight into password reset and registration activity occurring in their organization.

This deployment guide shows you how to plan and then test an SSPR roll-out.

To quickly see SSPR in action and then come back to understand additional deployment considerations:

Learn about SSPR

Learn more about SSPR. See How it works: Azure AD self-service password reset.

Key benefits

The key benefits of enabling SSPR are:

  • Manage cost. SSPR reduces IT support costs by enabling users to reset passwords on their own. It also reduces the cost of time lost due to lost passwords and lockouts.

  • Intuitive user experience. It provides an intuitive one-time user registration process that allows users to reset passwords and unblock accounts on demand from any device or location. SSPR allows users to get back to work faster and be more productive.

  • Flexibility and security. SSPR enables enterprises to access the security and flexibility that a cloud platform provides. Administrators can change settings to accommodate new security requirements and roll these changes out to users without disrupting their sign-in.

  • Robust auditing and usage tracking. An organization can ensure that the business systems remain secure while its users reset their own passwords. Robust audit logs include information about each step of the password reset process. These logs are available from an API and enable the user to import the data into a Security Incident and Event Monitoring (SIEM) system of choice.

Licensing

Azure Active Directory is licensed per user, meaning each user requires an appropriate license for the features they use. We recommend group-based licensing for SSPR.

To compare editions and features and enable group or user-based licensing, see Licensing requirements for Azure AD self-service password reset.

For more information about pricing, see Azure Active Directory pricing.

Prerequisites

  • A working Azure AD tenant with at least a trial license enabled. If needed, create one.

  • An account with Global Administrator privileges.

Training resources

Resources | Link and Description
 | How to configure self-service password reset for users in Azure AD?
Online courses | Managing Identities in Azure Active Directory: Use SSPR to give your users a modern, protected experience. See especially the "Managing Azure Active Directory Users and Groups" module.
Pluralsight Paid courses | The Issues of Identity and Access Management: Learn about IAM and security issues to be aware of in your organization. See especially the "Other Authentication Methods" module.
Pluralsight Paid courses | Getting Started with the Microsoft Enterprise Mobility Suite: Learn the best practices for extending on-premises assets to the cloud in a manner that allows for authentication, authorization, encryption, and a secured mobile experience. See especially the "Configuring Advanced Features of Azure Active Directory Premium" module.
Tutorials | Complete an Azure AD self-service password reset pilot roll out
Tutorials | Enabling password writeback
Tutorials | Azure AD password reset from the login screen for Windows 10
FAQ | Password management frequently asked questions

Solution architecture

The following example describes the password reset solution architecture for common hybrid environments.

Solution architecture diagram

Description of workflow

To reset the password, users go to the password reset portal. They must verify the previously registered authentication method or methods to prove their identity. If they successfully reset the password, they begin the reset process.

  • For cloud-only users, SSPR stores the new password in Azure AD.

  • For hybrid users, SSPR writes back the password to the on-prem Active Directory via the Azure AD Connect service.

Note: For users who have Password hash synchronization (PHS) disabled, SSPR stores the passwords in the on-prem Active Directory only.

Best practices

You can help users register quickly by deploying SSPR alongside another popular application or service in the organization. This action will generate a large volume of sign-ins and will drive registration.

Before deploying SSPR, you may opt to determine the number and the average cost of each password reset call. You can use this data after deployment to show the value SSPR is bringing to the organization.

Enable combined registration for SSPR and MFA

Microsoft recommends that organizations enable the combined registration experience for SSPR and multi-factor authentication. When you enable this combined registration experience, users need only select their registration information once to enable both features.

The combined registration experience does not require organizations to enable both SSPR and Azure Multi-Factor Authentication. Combined registration provides organizations a better user experience.

Plan the deployment project

Consider your organizational needs while you determine the strategy for this deployment in your environment.

Engage the right stakeholders

When technology projects fail, they typically do so due to mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, ensure that you are engaging the right stakeholders and that stakeholder roles in the project are well understood by documenting the stakeholders and their project input and accountabilities.

Required administrator roles

Business Role/Persona | Azure AD Role (if necessary)
Level 1 helpdesk | Password administrator
Level 2 helpdesk | User administrator
SSPR administrator | Global administrator

Plan communications

Communication is critical to the success of any new service. You should proactively communicate with your users how their experience will change, when it will change, and how to gain support if they experience issues. Review the Self-service password reset rollout materials on the Microsoft download center for ideas on how to plan your end-user communication strategy.

Plan a pilot

We recommend that the initial configuration of SSPR is in a test environment. Start with a pilot group by enabling SSPR for a subset of users in your organization.

To create a group, see how to create a group and add members in Azure Active Directory.

Plan configuration

The following settings are required to enable SSPR, shown with their recommended values.

Area | Setting | Value
SSPR Properties | Self-service password reset enabled | Selected group for pilot / All for production
Authentication methods | Authentication methods required to register | Always 1 more than required for reset
Authentication methods | Authentication methods required to reset | One or two
Registration | Require users to register when signing in | Yes
Registration | Number of days before users are asked to reconfirm their authentication information | 90 - 180 days
Notifications | Notify users on password resets | Yes
Notifications | Notify all admins when other admins reset their password | Yes
Customization | Customize helpdesk link | Yes
Customization | Custom helpdesk email or URL | Support site or email address
On-premises integration | Write back passwords to on-premises AD | Yes
On-premises integration | Allow users to unlock account without resetting password | Yes

SSPR properties

When enabling SSPR, choose an appropriate security group in the pilot environment.

  • To enforce SSPR registration for everyone, we recommend using the All option.
  • Otherwise, select the appropriate Azure AD or AD security group.

Authentication methods

When SSPR is enabled, users can only reset their password if they have data present in the authentication methods that the administrator has enabled. Methods include phone, Authenticator app notification, security questions, etc.

We recommend the following authentication method settings:

  • Set the Authentication methods required to register to at least one more than the number required to reset. Allowing multiple authentication methods gives users flexibility when they need to reset.

  • Set Number of methods required to reset to a level appropriate to your organization. One requires the least friction, while two may increase your security posture.

Note: The user must have the authentication methods configured in the Password policies and restrictions in Azure Active Directory.

Registration settings

Set Require users to register when signing in to Yes. This setting requires users to register when signing in, ensuring that all users are protected.

Set Number of days before users are asked to reconfirm their authentication information to between 90 and 180 days, unless your organization has a business need for a shorter time frame.

Notifications settings

Configure both the Notify users on password resets and the Notify all admins when other admins reset their password to Yes. Selecting Yes on both increases security by ensuring that users are aware when their password is reset. It also ensures that all admins are aware when an admin changes a password. If users or admins receive a notification and they haven't initiated the change, they can immediately report a potential security issue.

Customization settings

It's critical to customize the helpdesk email or URL to ensure users who experience problems can get help immediately. Set this option to a common helpdesk email address or web page that your users are familiar with.

For more information, see Customize the Azure AD functionality for self-service password reset.

Password Writeback

Password Writeback is enabled with Azure AD Connect and writes password resets in the cloud back to an existing on-premises directory in real time. For more information, see What is Password Writeback?

We recommend the following settings:

  • Ensure that Write back passwords to on-premises AD is set to Yes.
  • Set the Allow users to unlock account without resetting password to Yes.

By default, Azure AD unlocks accounts when it performs a password reset.

Administrator password setting

Administrator accounts have elevated permissions. The on-premises enterprise or domain administrators can't reset their passwords through SSPR. On-premises admin accounts have the following restrictions:

  • They can only change their password in their on-prem environment.
  • They can never use the secret questions and answers as a method to reset their password.

We recommend that you don't sync your on-prem Active Directory admin accounts with Azure AD.
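A planning-stage check of the recommended values above, as an added example that is not Microsoft's code or an Azure AD API. The dictionary layout, the `hybrid` flag and the `synced_onprem_admins` list are assumptions; the other keys reuse the setting names from the configuration table, with Yes written as `True`.

```python
REGISTER = "Authentication methods required to register"
RESET = "Authentication methods required to reset"
DAYS = "Number of days before users are asked to reconfirm their authentication information"


def review_sspr_plan(plan):
    """Return (severity, message) findings for a planned SSPR configuration."""
    findings = []

    def check(ok, severity, message):
        if not ok:
            findings.append((severity, message))

    register, reset = plan.get(REGISTER, 0), plan.get(RESET, 0)
    check(reset in (1, 2), "error", "methods required to reset should be one or two")
    check(register >= reset + 1, "error",
          f"methods required to register ({register}) must exceed methods required to reset ({reset})")
    check(plan.get("Require users to register when signing in") is True, "error",
          "registration is not required at sign-in, so some users will be unable to reset")

    days = plan.get(DAYS)
    if days is None or days > 180:
        findings.append(("error", "reconfirmation interval is unset or longer than 180 days"))
    elif days < 90:
        findings.append(("info", "interval under 90 days: confirm there is a business need"))

    for name in ("Notify users on password resets",
                 "Notify all admins when other admins reset their password"):
        check(plan.get(name) is True, "error",
              f"'{name}' should be Yes so unexpected resets get reported")
    check(plan.get("Customize helpdesk link") is True and bool(plan.get("Custom helpdesk email or URL")),
          "warning", "no helpdesk contact is shown to users who get stuck")

    if plan.get("hybrid"):  # assumption: flag marking a tenant that uses Azure AD Connect
        for name in ("Write back passwords to on-premises AD",
                     "Allow users to unlock account without resetting password"):
            check(plan.get(name) is True, "error", f"hybrid tenant: '{name}' should be Yes")
        check(not plan.get("synced_onprem_admins"), "warning",
              "on-premises admin accounts are synced to Azure AD")
    return findings


# Constructed sample plans: the recommended values, then a weak variant of them.
RECOMMENDED_PLAN = {
    REGISTER: 2, RESET: 1, DAYS: 180,
    "Require users to register when signing in": True,
    "Notify users on password resets": True,
    "Notify all admins when other admins reset their password": True,
    "Customize helpdesk link": True,
    "Custom helpdesk email or URL": "https://helpdesk.contoso.example",
    "hybrid": True,
    "Write back passwords to on-premises AD": True,
    "Allow users to unlock account without resetting password": True,
    "synced_onprem_admins": [],
}
WEAK_PLAN = {
    **RECOMMENDED_PLAN,
    REGISTER: 1, RESET: 2, DAYS: 365,
    "Require users to register when signing in": False,
    "Notify users on password resets": False,
    "Customize helpdesk link": False,
    "Write back passwords to on-premises AD": False,
    "synced_onprem_admins": ["da-admin@contoso.example"],
}

if __name__ == "__main__":
    for severity, message in review_sspr_plan(WEAK_PLAN):
        print(f"{severity:8}{message}")
```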

Environments with multiple identity management systems

Some environments have multiple identity management systems. On-premises identity managers like Oracle AM and SiteMinder require synchronization with AD for passwords. You can do this using a tool like the Password Change Notification Service (PCNS) with Microsoft Identity Manager (MIM). To find information on this more complex scenario, see the article Deploy the MIM Password Change Notification Service on a domain controller.

Plan Testing and Support

At each stage of your deployment, from initial pilot groups through organization-wide, ensure that results are as expected.

Plan testing

To ensure that your deployment works as expected, plan a set of test cases to validate the implementation. To assess the test cases, you need a non-administrator test user with a password. If you need to create a user, see Add new users to Azure Active Directory.

The following table includes useful test scenarios you can use to document your organization's expected results based on your policies.

Business case | Expected results
SSPR portal is accessible from within the corporate network | Determined by your organization
SSPR portal is accessible from outside the corporate network | Determined by your organization
Reset user password from browser when user is not enabled for password reset | User is not able to access the password reset flow
Reset user password from browser when user has not registered for password reset | User is not able to access the password reset flow
User signs in when enforced to do password reset registration | Prompts the user to register security information
User signs in when password reset registration is complete | Prompts the user to register security information
SSPR portal is accessible when the user does not have a license | Is accessible
Reset user password from Windows 10 Azure AD joined or hybrid Azure AD joined device lock screen | User can reset password
SSPR registration and usage data are available to administrators in near real time | Is available via audit logs

You can also refer to Complete an Azure AD self-service password reset pilot roll out. In this tutorial, you will enable a pilot roll out of SSPR in your organization and test using a non-administrator account.

Plan support

While SSPR does not typically create user issues, it is important to prepare support staff to deal with issues that may arise. While an administrator can reset the password for end users through the Azure AD portal, it is better to help resolve the issue via a self-service support process.

To enable your support team's success, you can create a FAQ based on questions you receive from your users. Here are a few examples:

Scenarios | Description
User doesn't have any registered authentication methods available | A user is trying to reset their password but doesn't have any of the authentication methods that they registered available (Example: they left their cell phone at home and can't access email).
User isn't receiving a text or call on their office or cell phone | A user is trying to verify their identity via text or call but isn't receiving a text/call.
User can't access the password reset portal | A user wants to reset their password but isn't enabled for password reset and can't access the page to update passwords.
User can't set a new password | A user completes verification during the password reset flow but can't set a new password.
User doesn't see a Reset Password link on a Windows 10 device | A user is trying to reset their password from the Windows 10 lock screen, but the device is either not joined to Azure AD, or the Intune device policy isn't enabled.

Plan rollback

To roll back the deployment:

  • For a single user, remove the user from the security group.

  • For a group, remove the group from SSPR configuration.

  • For everyone, disable SSPR for the Azure AD tenant.

Deploy SSPR

Before deploying, ensure that you have done the following:

  1. Created and begun executing your communication plan.

  2. Determined the appropriate configuration settings.

  3. Identified the users and groups for the pilot and production environments.

  4. Determined configuration settings for registration and self-service.

  5. Configured password writeback if you have a hybrid environment.

You're now ready to deploy SSPR!

See Enable self-service password reset for complete step-by-step directions on configuring the following areas.

  1. Authentication methods

  2. Registration settings

  3. Notifications settings

  4. Customization settings

  5. On-premises integration

Enable SSPR in Windows

For machines running Windows 7, 8, 8.1, and 10, you can enable users to reset their password at the Windows sign-in screen.

Manage SSPR

Azure AD can provide additional information on your SSPR performance through audits and reports.

Password management activity reports

You can use pre-built reports on the Azure portal to measure SSPR performance. If you're appropriately licensed, you can also create custom queries. For more information, see Reporting options for Azure AD password management.

Note

You must be a global administrator, and you must opt in for this data to be gathered for your organization. To opt in, you must visit the Reporting tab or the audit logs on the Azure portal at least once. Until then, data isn't collected for your organization.

Audit logs for registration and password reset are available for 30 days. If security auditing within your corporation requires longer retention, the logs need to be exported and consumed into a SIEM tool such as Azure Sentinel, Splunk, or ArcSight.
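An added example (not part of the original guide) of working with exported SSPR audit records before the 30-day window closes: it flags successful self-service resets that follow repeated failed attempts and lists records about to age out. The records are constructed and shaped like Microsoft Graph directoryAudit entries; the activity names are assumptions to confirm against your tenant.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample export; activity names are assumed, not taken from the page.
SAMPLE_EXPORT = """[
 {"activityDateTime": "2020-03-01T09:00:00Z", "activityDisplayName": "Reset password (self-service)",
  "result": "success", "targetResources": [{"userPrincipalName": "bob@contoso.example"}]},
 {"activityDateTime": "2020-03-20T02:00:00Z", "activityDisplayName": "Reset password (self-service)",
  "result": "failure", "targetResources": [{"userPrincipalName": "alice@contoso.example"}]},
 {"activityDateTime": "2020-03-20T02:05:00Z", "activityDisplayName": "Reset password (self-service)",
  "result": "failure", "targetResources": [{"userPrincipalName": "alice@contoso.example"}]},
 {"activityDateTime": "2020-03-20T02:10:00Z", "activityDisplayName": "Blocked from self-service password reset",
  "result": "success", "targetResources": [{"userPrincipalName": "alice@contoso.example"}]},
 {"activityDateTime": "2020-03-20T02:15:00Z", "activityDisplayName": "Reset password (self-service)",
  "result": "success", "targetResources": [{"userPrincipalName": "alice@contoso.example"}]}
]"""

RESET_OK = "Reset password (self-service)"
BLOCKED = "Blocked from self-service password reset"
RETENTION_DAYS = 30  # audit log availability stated in the guide


def parse(raw):
    """Normalize exported records into dicts sorted by event time."""
    events = []
    for rec in json.loads(raw):
        targets = rec.get("targetResources") or [{}]
        events.append({
            "time": datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00")),
            "activity": rec["activityDisplayName"],
            "result": (rec.get("result") or "").lower(),
            "user": (targets[0].get("userPrincipalName") or "unknown").lower(),
        })
    return sorted(events, key=lambda e: e["time"])


def resets_after_failures(events, threshold=3, window=timedelta(minutes=30)):
    """Successful resets preceded by at least `threshold` failed or blocked attempts."""
    failures = defaultdict(list)
    findings = []
    for e in events:
        if e["result"] == "failure" or e["activity"] == BLOCKED:
            failures[e["user"]].append(e["time"])
        elif e["activity"] == RESET_OK and e["result"] == "success":
            hits = [t for t in failures[e["user"]] if e["time"] - t <= window]
            if len(hits) >= threshold:
                findings.append((e["user"], e["time"].isoformat(), len(hits)))
    return findings


def expiring_soon(events, now, warn_days=5):
    """Events that leave the audit log within `warn_days` unless exported first."""
    cutoff = now - timedelta(days=RETENTION_DAYS - warn_days)
    return [e for e in events if e["time"] <= cutoff]


if __name__ == "__main__":
    evts = parse(SAMPLE_EXPORT)
    print(resets_after_failures(evts))
    print([e["user"] for e in expiring_soon(evts, datetime(2020, 3, 27, tzinfo=timezone.utc))])
```

A flagged reset is a prompt to contact the account owner, in the same way the reset notifications let users report a change they did not initiate.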

Screenshot of SSPR reporting

Authentication methods - Usage and Insights

Usage and insights enable you to understand how authentication methods for features like Azure MFA and SSPR are working in your organization. This reporting capability provides your organization with the means to understand which methods are registered and how they are used.

Troubleshoot

Helpful documentation

Next steps