Tutorial: Enable users to unlock their account or reset passwords using Azure Active Directory self-service password reset

Azure Active Directory (Azure AD) self-service password reset (SSPR) gives users the ability to change or reset their password, with no administrator or help desk involvement. If Azure AD locks a user's account or they forget their password, they can follow prompts to unblock themselves and get back to work. This ability reduces help desk calls and loss of productivity when a user can't sign in to their device or an application.

Important

This tutorial shows an administrator how to enable self-service password reset. If you're an end user already registered for self-service password reset and need to get back into your account, go to the Microsoft Online password reset page.

If your IT team hasn't enabled the ability to reset your own password, reach out to your helpdesk for additional assistance.

In this tutorial you learn how to:

  • Enable self-service password reset for a group of Azure AD users
  • Set up authentication methods and registration options
  • Test the SSPR process as a user

Prerequisites

To finish this tutorial, you need the following resources and privileges:

  • A working Azure AD tenant with at least an Azure AD Free or trial license enabled. In the Free tier, SSPR only works for cloud users in Azure AD.
    • For later tutorials in this series, you'll need an Azure AD Premium P1 or trial license for on-premises password writeback.
    • If needed, create an Azure trial account.
  • An account with Global Administrator privileges.
  • A non-administrator user with a password you know, like testuser. You'll test the end-user SSPR experience using this account in this tutorial.
  • A group that the non-administrator user is a member of, like SSPR-Test-Group. You'll enable SSPR for this group in this tutorial.

Enable self-service password reset

Azure AD lets you enable SSPR for None, Selected, or All users. This granular ability lets you choose a subset of users to test the SSPR registration process and workflow. When you're comfortable with the process and the time is right to communicate the requirements to a broader set of users, you can select a group of users to enable for SSPR. Or, you can enable SSPR for everyone in the Azure AD tenant.

Note

Currently, you can only enable one Azure AD group for SSPR using the Azure portal. As part of a wider deployment of SSPR, Azure AD supports nested groups. Make sure that the users in the group(s) you choose have the appropriate licenses assigned. There's currently no validation process for these licensing requirements.

In this tutorial, set up SSPR for a set of users in a test group. Use SSPR-Test-Group, or provide your own Azure AD group as needed:

  1. Sign in to the Azure portal using an account with global administrator permissions.

  2. Search for and select Azure Active Directory, then select Password reset from the menu on the left side.

  3. From the Properties page, under the option Self service password reset enabled, select Select group.

  4. Browse for and select your Azure AD group, like SSPR-Test-Group, then choose Select.

    Select a group in the Azure portal to enable for self-service password reset

  5. To enable SSPR for the selected users, select Save.

Select authentication methods and registration options

When users need to unlock their account or reset their password, they're prompted for another confirmation method. This extra authentication factor makes sure that Azure AD completes only approved SSPR events. You can choose which authentication methods to allow, based on the registration information the user provides.

  1. From the menu on the left side of the Authentication methods page, set the Number of methods required to reset to 1.

    To improve security, you can increase the number of authentication methods required for SSPR.

  2. Choose the Methods available to users that your organization wants to allow. For this tutorial, check the boxes to enable the following methods:

    • Mobile app notification
    • Mobile app code
    • Email
    • Mobile phone

    You can enable other authentication methods, like Office phone or Security questions, as needed to fit your business requirements.

  3. To apply the authentication methods, select Save.

Before users can unlock their account or reset a password, they must register their contact information. Azure AD uses this contact information for the different authentication methods set up in the previous steps.

An administrator can manually provide this contact information, or users can go to a registration portal to provide the information themselves. In this tutorial, set up Azure AD to prompt users for registration the next time they sign in.

  1. From the menu on the left side of the Registration page, select Yes for Require users to register when signing in.

  2. Set Number of days before users are asked to reconfirm their authentication information to 180.

    It's important to keep the contact information up to date. If outdated contact information exists when an SSPR event starts, the user may not be able to unlock their account or reset their password.

  3. To apply the registration settings, select Save.

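The two procedures above pick policy values (one method required, four methods enabled, reconfirmation every 180 days), and the earlier note says the portal accepts a single group while Azure AD honours nested groups. Before rolling SSPR out, an administrator usually wants to know which members of that group could not actually complete a reset under those values. The following Python script is an added example, not part of this tutorial or of any Microsoft tooling: it flattens a constructed group tree (with a deliberate nesting cycle), then checks each member's registration against the tutorial's settings. The group names, user principal names, method labels, registration dates and the `is_admin` flag are all constructed sample data; in practice the registration data would come from Azure AD's authentication methods registration report. The two-method requirement for administrator accounts comes from the note in the test section of this tutorial.

```python
"""Readiness check for an SSPR rollout group (added example; constructed data).

Flattens the SSPR-enabled group (including nested groups) and checks every
member against the policy values chosen in this tutorial: 1 method required
(2 for administrators), the four enabled methods, and a 180-day
reconfirmation interval.
"""
from datetime import date

# Policy values from this tutorial.
METHODS_REQUIRED = 1
METHODS_REQUIRED_FOR_ADMINS = 2  # admins must use two methods to reset (tutorial note)
ALLOWED_METHODS = {"mobileAppNotification", "mobileAppCode", "email", "mobilePhone"}
RECONFIRM_DAYS = 180

# Constructed sample group membership; "groups" lists nested groups.
# In practice this comes from Azure AD. Names are from the tutorial or made up.
GROUPS = {
    "SSPR-Test-Group": {"users": ["testuser@contoso.com", "admin1@contoso.com"],
                        "groups": ["Sales-Team"]},
    "Sales-Team": {"users": ["sales1@contoso.com", "sales2@contoso.com"],
                   "groups": ["SSPR-Test-Group"]},  # deliberate cycle: must not loop forever
}

# Constructed sample registration records. The method labels are this example's
# own, not Azure AD enum values.
REGISTRATIONS = {
    "testuser@contoso.com": {"methods": ["mobileAppNotification", "email"],
                             "registered_on": date(2023, 9, 1), "is_admin": False},
    "admin1@contoso.com": {"methods": ["mobilePhone"],
                           "registered_on": date(2023, 10, 15), "is_admin": True},
    "sales1@contoso.com": {"methods": [], "registered_on": None, "is_admin": False},
    "sales2@contoso.com": {"methods": ["securityQuestions"],  # not enabled in this policy
                           "registered_on": date(2023, 3, 1), "is_admin": False},
}

SAMPLE_TODAY = date(2023, 12, 1)  # fixed date so the report is deterministic


def expand_group(name, groups, seen=None):
    """Return the set of user UPNs in a group, following nested groups without cycling."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    members = set(groups[name]["users"])
    for nested in groups[name]["groups"]:
        members |= expand_group(nested, groups, seen)
    return members


def evaluate_user(record, today):
    """Return the reasons a user could not complete SSPR under this policy (empty = ready)."""
    if not record["methods"]:
        return ["not_registered"]  # no contact information at all; sign-in prompt will register them
    issues = []
    # Only methods enabled in the policy count toward the required number.
    usable = [m for m in record["methods"] if m in ALLOWED_METHODS]
    required = METHODS_REQUIRED_FOR_ADMINS if record["is_admin"] else METHODS_REQUIRED
    if len(usable) < required:
        issues.append("insufficient_methods")
    if (today - record["registered_on"]).days > RECONFIRM_DAYS:
        issues.append("stale")  # past the reconfirmation interval; contact info may be outdated
    return issues


def readiness_report(group, today=SAMPLE_TODAY, groups=GROUPS, registrations=REGISTRATIONS):
    """Map every member of the SSPR group to its list of issues."""
    report = {}
    for upn in sorted(expand_group(group, groups)):
        record = registrations.get(upn, {"methods": [], "registered_on": None, "is_admin": False})
        report[upn] = evaluate_user(record, today)
    return report


if __name__ == "__main__":
    for upn, issues in readiness_report("SSPR-Test-Group").items():
        print(f"{upn}: {'ready' if not issues else ', '.join(issues)}")
```

Run as-is, the report marks testuser as ready, flags admin1 for having only one usable method when administrators need two, sales1 as not registered, and sales2 as both lacking an enabled method (security questions were not turned on in this tutorial) and overdue for reconfirmation. Replacing the constructed dictionaries with real membership and registration data from your tenant turns this into a pre-rollout check for the group you selected in the portal.
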
Set up notifications and customizations

To keep users informed about account activity, you can set up Azure AD to send email notifications when an SSPR event happens. These notifications can cover both regular user accounts and admin accounts. For admin accounts, this notification provides another layer of awareness when a privileged administrator account password is reset using SSPR. Azure AD will notify all global admins when someone uses SSPR on an admin account.

  1. From the menu on the left side of the Notifications page, set up the following options:

    • Set Notify users on password resets to Yes.
    • Set Notify all admins when other admins reset their password to Yes.
  2. To apply the notification preferences, select Save.

If users need more help with the SSPR process, you can customize the "Contact your administrator" link. The user can select this link during the SSPR registration process and when they unlock their account or reset their password. To make sure your users get the support they need, we highly recommend you provide a custom helpdesk email or URL.

  1. From the menu on the left side of the Customization page, set Customize helpdesk link to Yes.
  2. In the Custom helpdesk email or URL field, provide an email address or web page URL where your users can get more help from your organization, like https://support.contoso.com/.
  3. To apply the custom link, select Save.

Test self-service password reset

With SSPR enabled and set up, test the SSPR process with a user that's part of the group you selected in the previous section, like SSPR-Test-Group. The following example uses the testuser account. Provide your own user account; it must be part of the group you enabled for SSPR in the first section of this tutorial.

Note

When you test self-service password reset, use a non-administrator account. By default, Azure AD enables self-service password reset for admins. They're required to use two authentication methods to reset their password. For more information, see Administrator reset policy differences.

  1. To see the manual registration process, open a new browser window in InPrivate or incognito mode, and browse to https://aka.ms/ssprsetup. Azure AD will direct users to this registration portal the next time they sign in.

  2. Sign in with a non-administrator test user, like testuser, and register your authentication methods contact information.

  3. Once finished, select the button marked Looks good and close the browser window.

  4. Open a new browser window in InPrivate or incognito mode, and browse to https://aka.ms/sspr.

  5. Enter your non-administrator test user's account information, like testuser, and the characters from the CAPTCHA, and then select Next.

    Enter user account information to reset the password

  6. Follow the verification steps to reset your password. When finished, you'll receive an email notification that your password was reset.

Clean up resources

In a later tutorial in this series, you'll set up password writeback. This feature writes password changes from Azure AD SSPR back to an on-premises AD environment. If you want to continue with this tutorial series to set up password writeback, don't disable SSPR now.

If you no longer want to use the SSPR functionality you have set up as part of this tutorial, set the SSPR status to None using the following steps:

  1. Sign in to the Azure portal.
  2. Search for and select Azure Active Directory, then select Password reset from the menu on the left side.
  3. From the Properties page, under the option Self service password reset enabled, select None.
  4. To apply the SSPR change, select Save.

FAQs

This section answers common questions from administrators and end users who try SSPR:

  • Why do federated users wait up to 2 minutes after they see "Your password has been reset" before they can use passwords that are synchronized from on-premises?

    For federated users whose passwords are synchronized, the source of authority for the passwords is on-premises. As a result, SSPR updates only the on-premises passwords. Password hash synchronization back to Azure AD is scheduled for every 2 minutes.

  • When a newly created user who is pre-populated with SSPR data such as phone and email visits the SSPR registration page, "Don't lose access to your account!" appears as the title of the page. Why don't other users who have SSPR data pre-populated see the message?

    A user who sees "Don't lose access to your account!" is a member of the SSPR/combined registration groups that are configured for the tenant. Users who don't see "Don't lose access to your account!" were not part of the SSPR/combined registration groups.

  • When some users go through the SSPR process and reset their password, why don't they see the password strength indicator?

    Users who don't see the weak/strong password strength indicator have synchronized password writeback enabled. Since SSPR can't determine the password policy of the customer's on-premises environment, it cannot validate password strength or weakness.

Next steps

In this tutorial, you enabled Azure AD self-service password reset for a selected group of users. You learned how to:

  • Enable self-service password reset for a group of Azure AD users
  • Set up authentication methods and registration options
  • Test the SSPR process as a user