Tutorial: Enable users to unlock their account or reset passwords using Azure Active Directory self-service password reset

Azure Active Directory (Azure AD) self-service password reset (SSPR) gives users the ability to change or reset their password, with no administrator or help desk involvement. If a user's account is locked or they forget their password, they can follow prompts to unblock themselves and get back to work. This ability reduces help desk calls and loss of productivity when a user can't sign in to their device or an application.

Important

This tutorial shows an administrator how to enable self-service password reset. If you're an end user already registered for self-service password reset and need to get back into your account, go to https://passwordreset.activedirectory.windowsazure.cn.

If your IT team hasn't enabled the ability to reset your own password, reach out to your helpdesk for additional assistance.

In this tutorial you learn how to:

  • Enable self-service password reset for a group of Azure AD users
  • Configure authentication methods and registration options
  • Test the SSPR process as a user

Prerequisites

To complete this tutorial, you need the following resources and privileges:

  • A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled.
  • An account with Global Administrator privileges.
  • A non-administrator user with a password you know, such as testuser. You test the end-user SSPR experience using this account in this tutorial.
  • A group that the non-administrator user is a member of, such as SSPR-Test-Group. You enable SSPR for this group in this tutorial.

Enable self-service password reset

Azure AD lets you enable SSPR for None, Selected, or All users. This granular ability lets you choose a subset of users to test the SSPR registration process and workflow. When you're comfortable with the process and can communicate the requirements to a broader set of users, you can select a group of users to enable for SSPR. Or, you can enable SSPR for everyone in the Azure AD tenant.

Note

Only one Azure AD group can currently be enabled for SSPR using the Azure portal. As part of a wider deployment of SSPR, nested groups are supported. Make sure that the users in the group(s) you choose have the appropriate licenses assigned. There's currently no validation process for these licensing requirements, so an unlicensed member of the group will simply fail when they try to use SSPR.
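Because the portal does not validate licensing, it is worth checking the group yourself before you enable it. The following script is an added example, not part of the original tutorial: it uses the Microsoft Graph PowerShell SDK to walk the transitive (nested) membership of the SSPR group and flag any user who has no Azure AD Premium service plan. It assumes the tenant is in Azure China (hence -Environment China), that the group is named SSPR-Test-Group, and that the Premium P1 and P2 service plans are named AAD_PREMIUM and AAD_PREMIUM_P2; adjust those values for your tenant.

```powershell
# Added example (not part of the original tutorial): list transitive members of the SSPR
# group and flag anyone without an Azure AD Premium P1/P2 service plan.
# Assumptions: Microsoft Graph PowerShell SDK installed; Azure China tenant (-Environment China);
# group named SSPR-Test-Group; Premium service plan names AAD_PREMIUM (P1) and AAD_PREMIUM_P2 (P2).
Connect-MgGraph -Environment China -Scopes "Group.Read.All","User.Read.All","Directory.Read.All"

$groupName = "SSPR-Test-Group"
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found" }

# Transitive membership mirrors the nested-group support described in the note above.
$members = Get-MgGroupTransitiveMember -GroupId $group.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

$premiumPlans = @('AAD_PREMIUM', 'AAD_PREMIUM_P2')   # assumed service plan names

$report = foreach ($m in $members) {
    # Only plans that finished provisioning count; a pending or disabled plan does not grant SSPR.
    $plans = Get-MgUserLicenseDetail -UserId $m.Id |
        ForEach-Object { $_.ServicePlans } |
        Where-Object { $_.ProvisioningStatus -eq 'Success' } |
        Select-Object -ExpandProperty ServicePlanName

    [pscustomobject]@{
        UserPrincipalName = $m.AdditionalProperties['userPrincipalName']
        HasPremium        = [bool]($plans | Where-Object { $premiumPlans -contains $_ })
    }
}

$report | Sort-Object HasPremium, UserPrincipalName | Format-Table -AutoSize

$unlicensed = @($report | Where-Object { -not $_.HasPremium })
if ($unlicensed.Count -gt 0) {
    Write-Warning "$($unlicensed.Count) member(s) of '$groupName' have no Premium service plan and will not be able to use SSPR."
}
```

Run this before you select the group in the portal, and again whenever you widen the rollout to a larger or nested group; the warning at the end is the check the portal itself does not perform.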

In this tutorial, configure SSPR for a set of users in a test group. In the following example, the group SSPR-Test-Group is used. Provide your own Azure AD group as needed:

  1. Sign in to the Azure portal using an account with global administrator permissions.

  2. Search for and select Azure Active Directory, then choose Password reset from the menu on the left-hand side.

  3. From the Properties page, under the option Self service password reset enabled, choose Select group.

  4. Browse for and select your Azure AD group, such as SSPR-Test-Group, then choose Select.

    [Image: Select a group in the Azure portal to enable for self-service password reset]

  5. To enable SSPR for the selected users, select Save.

Select authentication methods and registration options

When users need to unlock their account or reset their password, they're prompted for an additional confirmation method. This additional authentication factor makes sure that only approved SSPR events are completed. You can choose which authentication methods to allow, based on the registration information the user provides.

  1. On the Authentication methods page from the menu on the left-hand side, set the Number of methods required to reset to 1.

    To improve security, you can increase the number of authentication methods required for SSPR. Requiring two methods means an attacker who has compromised a single channel (for example, the user's mailbox) cannot reset the password on their own.

  2. Choose the Methods available to users that your organization wants to allow. For this tutorial, check the boxes to enable the following methods:

    • Mobile app notification
    • Mobile app code
    • Email
    • Mobile phone

    Additional authentication methods, such as Office phone or Security questions, can be enabled as needed to fit your business requirements.

  3. To apply the authentication methods, select Save.

Before users can unlock their account or reset a password, they must register their contact information. This contact information is used for the different authentication methods configured in the previous steps.

An administrator can manually provide this contact information, or users can go to a registration portal to provide the information themselves. In this tutorial, configure the users to be prompted for registration when they next sign in.

  1. On the Registration page from the menu on the left-hand side, select Yes for Require users to register when signing in.

  2. It's important that contact information is kept up to date. If the contact information is outdated when an SSPR event is started, the user may not be able to unlock their account or reset their password.

    Set Number of days before users are asked to reconfirm their authentication information to 180.

  3. To apply the registration settings, select Save.
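Once registration is required, you will want to know which group members have actually registered enough methods to complete an SSPR event, rather than waiting for a locked-out user to find out. The following script is an added example, not part of the original tutorial: it reads the Azure AD authentication-methods registration report through the Microsoft Graph PowerShell SDK and restricts it to the SSPR group. It assumes an Azure China tenant, a group named SSPR-Test-Group, and that your account can consent to the AuditLog.Read.All scope the report requires.

```powershell
# Added example (not part of the original tutorial): report SSPR registration status for
# every member of the SSPR group, so you can see who still needs to register before an
# SSPR event would succeed.
# Assumptions: Microsoft Graph PowerShell SDK; Azure China tenant; group named SSPR-Test-Group;
# AuditLog.Read.All is sufficient to read the registration report in your tenant.
Connect-MgGraph -Environment China -Scopes "Group.Read.All","AuditLog.Read.All"

$groupName = "SSPR-Test-Group"
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found" }

# Transitive membership, so nested groups are covered.
$memberIds = Get-MgGroupTransitiveMember -GroupId $group.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
    Select-Object -ExpandProperty Id

# The registration report is tenant-wide; one call, then filter to the group locally.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $memberIds -contains $_.Id }

$details |
    Select-Object UserPrincipalName, IsSsprEnabled, IsSsprRegistered, IsSsprCapable,
                  @{ n = 'Methods'; e = { $_.MethodsRegistered -join ', ' } } |
    Sort-Object IsSsprCapable, UserPrincipalName |
    Format-Table -AutoSize

# IsSsprRegistered means the user has registered something; IsSsprCapable means the registered
# methods satisfy the policy (allowed methods and number required). Only the latter matters
# when the user is actually locked out.
$notCapable = @($details | Where-Object { $_.IsSsprEnabled -and -not $_.IsSsprCapable })
if ($notCapable.Count -gt 0) {
    Write-Warning "$($notCapable.Count) SSPR-enabled user(s) in '$groupName' cannot yet complete a reset; prompt them to register."
}
```

The distinction between IsSsprRegistered and IsSsprCapable is the useful part: a user who registered only a method you later removed from the allowed list, or fewer methods than the number required, shows as registered but not capable, and will fail at reset time exactly as the outdated-contact-information warning above describes.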

Configure notifications and customizations

To keep users informed about account activity, you can configure e-mail notifications to be sent when an SSPR event happens. These notifications can cover both regular user accounts and admin accounts. For admin accounts, this notification provides an additional layer of awareness when a privileged administrator account password is reset using SSPR. All global admins are notified when SSPR is used on an admin account.

  1. On the Notifications page from the menu on the left-hand side, configure the following options:

    • Set Notify users on password resets to Yes.
    • Set Notify all admins when other admins reset their password to Yes.
  2. To apply the notification preferences, select Save.

If users need additional help with the SSPR process, you can customize the link for "Contact your administrator". This link is used in the SSPR registration process and when a user unlocks their account or resets their password. To make sure your users get the support needed, it's highly recommended to provide a custom helpdesk email or URL.

  1. On the Customization page from the menu on the left-hand side, set Customize helpdesk link to Yes.
  2. In the Custom helpdesk email or URL field, provide an email address or web page URL where your users can get additional help from your organization, such as https://support.contoso.com/.
  3. To apply the custom link, select Save.

Test self-service password reset

With SSPR enabled and configured, test the SSPR process with a user that's part of the group you selected in the previous section, such as SSPR-Test-Group. In the following example, the testuser account is used. Provide your own user account that's part of the group you enabled for SSPR in the first section of this tutorial.

Note

When you test self-service password reset, use a non-administrator account. Admins are always enabled for self-service password reset and are required to use two authentication methods to reset their password.

  1. To see the manual registration process, open a new browser window in InPrivate or incognito mode, and browse to https://account.activedirectory.windowsazure.cn/PasswordReset/Register.aspx?regref=ssprsetup. Users are directed to this registration portal when they next sign in.

  2. Sign in with a non-administrator test user, such as testuser, and register your authentication methods contact information.

  3. Once complete, select the button marked Looks good and close the browser window.

  4. Open a new browser window in InPrivate or incognito mode, and browse to https://passwordreset.activedirectory.windowsazure.cn.

  5. Enter your non-administrator test user's account information, such as testuser, the characters from the CAPTCHA, and then select Next.

    [Image: Enter user account information to reset the password]

  6. Follow the verification steps to reset your password. When complete, you should receive an e-mail notification that your password was reset.
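The e-mail notification confirms the test from the user's side; as the administrator you should also confirm that the reset was recorded in the Azure AD audit log, which is where you will later look for resets you did not expect. The following script is an added example, not part of the original tutorial: it queries the directory audit log through the Microsoft Graph PowerShell SDK for SSPR activity in the last 24 hours and separately surfaces any reset whose target is an admin account. It assumes an Azure China tenant and that SSPR events are logged with the loggedByService value 'Self-service Password Management'; if your tenant logs them under a different service name, adjust the filter.

```powershell
# Added example (not part of the original tutorial): pull the last 24 hours of SSPR audit
# events and confirm the test reset (and any unexpected resets) were recorded.
# Assumptions: Microsoft Graph PowerShell SDK; Azure China tenant; the audit log
# 'loggedByService' value for SSPR events is 'Self-service Password Management'.
Connect-MgGraph -Environment China -Scopes "AuditLog.Read.All"

$since  = (Get-Date).AddHours(-24).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "loggedByService eq 'Self-service Password Management' and activityDateTime ge $since"

$events = @(Get-MgAuditLogDirectoryAudit -Filter $filter -All)

$events |
    Select-Object ActivityDateTime, ActivityDisplayName, Result,
                  @{ n = 'InitiatedBy'; e = { $_.InitiatedBy.User.UserPrincipalName } },
                  @{ n = 'Target';      e = { ($_.TargetResources | Select-Object -First 1).UserPrincipalName } } |
    Sort-Object ActivityDateTime |
    Format-Table -AutoSize

if ($events.Count -eq 0) {
    Write-Warning "No SSPR events in the last 24 hours; if you just completed the test, wait a few minutes for the log to catch up."
}

# Password resets that target admin accounts deserve a second look, independent of the
# e-mail notification. Admin status comes from the registration report's IsAdmin flag.
$adminIds = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $_.IsAdmin } |
    Select-Object -ExpandProperty Id

$adminResets = @($events | Where-Object {
    $_.ActivityDisplayName -like 'Reset password*' -and
    ($_.TargetResources | Where-Object { $adminIds -contains $_.Id })
})
if ($adminResets.Count -gt 0) {
    Write-Warning "$($adminResets.Count) SSPR password reset(s) targeted admin accounts; review each one."
}
```

Successful and failed attempts both appear with their Result, so the same query doubles as a simple detection: a burst of failed SSPR attempts against one account, or any reset of an admin account you were not expecting, is worth investigating even though every step completed with a legitimate second factor.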

Clean up resources

In a following tutorial in this series, you configure password writeback. This feature writes password changes from Azure AD SSPR back to an on-premises AD environment. If you want to continue with this tutorial series to configure password writeback, don't disable SSPR now.

If you no longer want to use the SSPR functionality you have configured as part of this tutorial, set the SSPR status to None using the following steps:

  1. Sign in to the Azure portal.
  2. Search for and select Azure Active Directory, then choose Password reset from the menu on the left-hand side.
  3. From the Properties page, under the option Self service password reset enabled, choose None.
  4. To apply the SSPR change, select Save.

Next steps

In this tutorial, you enabled Azure AD self-service password reset for a selected group of users. You learned how to:

  • Enable self-service password reset for a group of Azure AD users
  • Configure authentication methods and registration options
  • Test the SSPR process as a user