Tutorial: Complete an Azure AD self-service password reset pilot rollout

In this tutorial, you will enable a pilot rollout of Azure AD self-service password reset (SSPR) in your organization and test it using a non-administrator account.

Any testing of self-service password reset must be done with non-administrator accounts. Microsoft manages the password reset policy for administrator accounts and requires the use of stronger authentication methods. This policy does not allow the use of security questions and answers, and requires the use of two methods for reset.

  • Enable self-service password reset
  • Test SSPR as a user

Prerequisites

  • A Global Administrator account

Enable self-service password reset

  1. Sign in to the Azure portal using a Global Administrator account.
  2. Browse to Azure Active Directory and select Password reset.
  3. Start with a pilot group by enabling self-service password reset for a subset of users in your organization.
    • From the Properties page, under the option Self Service Password Reset Enabled, choose Selected, and pick a pilot group.
      • Only members of the specific Azure AD group that you choose can use the SSPR functionality. We recommend that you define a group of users and use this setting when you deploy this functionality for a proof of concept. Nesting of security groups is supported here.
      • Ensure the users in the group you picked have been appropriately licensed.
    • Click Save.
  4. On the Authentication methods page:
    • Set the Number of methods required to reset to 1.
    • Choose which Methods available to users your organization wants to allow. For this tutorial, check the boxes to enable Email, Mobile phone, Office phone, Mobile app notification, and Mobile app code.
    • Click Save.
  5. On the Registration page:
    • Select Yes for Require users to register when signing in.
    • Set Number of days before users are asked to reconfirm their authentication information to 180.
    • Click Save.
  6. On the Notifications page:
    • Set the Notify users on password resets option to Yes.
    • Set Notify all admins when other admins reset their password to Yes.
  7. On the Customization page:
    • Microsoft recommends that you set Customize helpdesk link to Yes and provide either an email address or web page URL where your users can get additional help from your organization in the Custom helpdesk email or URL field.
    • For this tutorial, we will leave Customize helpdesk link set to No.

Self-service password reset is now configured for cloud users in your pilot group.
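Before testing, it helps to confirm who the pilot group actually covers. The following Python check is an added example, not part of the original tutorial and not Microsoft code: it expands nested group membership and separates usable test accounts from accounts that hold administrator roles or lack a license. The directory data, the `sspr-pilot` group name, and the `grp:` prefix for nested groups are constructed assumptions, not values from a real tenant.

```python
# Constructed sample directory data (hypothetical names, not from a tenant).
GROUPS = {  # group name -> direct members; "grp:" marks a nested group
    "sspr-pilot": ["alice", "grp:helpdesk", "grp:finance"],
    "helpdesk": ["bob", "carol"],
    "finance": ["dave", "grp:helpdesk", "grp:finance"],  # self-reference on purpose
}
USERS = {  # user -> administrator roles held, and whether a license is assigned
    "alice": {"roles": [], "licensed": True},
    "bob": {"roles": ["Helpdesk Administrator"], "licensed": True},
    "carol": {"roles": [], "licensed": False},
    "dave": {"roles": [], "licensed": True},
}


def effective_members(group, groups):
    """Expand nested groups into the set of users, tolerating cycles."""
    seen_groups, users, stack = set(), set(), [group]
    while stack:
        current = stack.pop()
        if current in seen_groups:
            continue  # already expanded; prevents infinite loops
        seen_groups.add(current)
        for member in groups.get(current, []):
            if member.startswith("grp:"):
                stack.append(member[4:])
            else:
                users.add(member)
    return users


def preflight(group, groups, users):
    """Sort pilot members into usable testers and accounts to exclude."""
    report = {"testers": [], "admin_policy": [], "unlicensed": [], "unknown": []}
    for name in sorted(effective_members(group, groups)):
        record = users.get(name)
        if record is None:
            report["unknown"].append(name)
        elif record["roles"]:
            # Admin accounts follow Microsoft's reset policy, not these settings.
            report["admin_policy"].append(name)
        elif not record["licensed"]:
            report["unlicensed"].append(name)
        else:
            report["testers"].append(name)
    return report


if __name__ == "__main__":
    for bucket, names in preflight("sspr-pilot", GROUPS, USERS).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Only the accounts listed under `testers` will exercise the single-method policy configured above.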

Test SSPR as a user

Test self-service password reset using a non-administrator test user that is a member of your pilot group. If you use an account that has any administrator roles assigned to it, the authentication methods and number may differ from what you selected, because Microsoft manages the administrator policy.

  1. Open a new InPrivate or incognito mode browser window.
  2. Using a test user, register for self-service password reset at the registration portal located at https://account.activedirectory.windowsazure.cn/PasswordReset/Register.aspx?regref=ssprsetup.
  3. Using the same test user, browse to the self-service password reset portal at https://passwordreset.activedirectory.windowsazure.cn and attempt to reset your password using the information you provided in the previous step.
  4. You should be able to successfully reset your password.

Clean up resources

If you decide you no longer want to use the functionality you have configured as part of this tutorial, make the following change.

  1. Sign in to the Azure portal.
  2. Browse to Azure Active Directory and select Password reset.
  3. From the Properties page, under the option Self Service Password Reset Enabled, choose None.
  4. Click Save.

Next steps

In this tutorial, you have enabled Azure AD self-service password reset. Continue on to the next tutorial to see how an on-premises Active Directory Domain Services infrastructure can be integrated into the self-service password reset experience.