Configure complexity requirements for passwords in Azure Active Directory B2C
Azure AD B2C offers two methods of defining how users interact with your applications: through predefined user flows, or through fully configurable custom policies. The steps required in this article differ for each method, so decide which type of policy you're configuring before you begin.
Azure Active Directory B2C (Azure AD B2C) supports changing the complexity requirements for passwords supplied by an end user when creating an account. By default, Azure AD B2C uses Strong passwords. Azure AD B2C also supports configuration options to control the complexity of passwords that customers can use.
Prerequisites
- Create a user flow to enable users to sign up and sign in to your application.
- If you haven't already done so, register a web application, and enable ID token implicit grant.
- Complete the steps in Get started with custom policies in Active Directory B2C.
Password rule enforcement
During sign-up or password reset, an end user must supply a password that meets the complexity rules. Password complexity rules are enforced per user flow. It is possible to have one user flow require a four-digit PIN during sign-up while another user flow requires an eight-character string during sign-up. For example, you may use a user flow with different password complexity for adults than for children.
Password complexity is never enforced during sign-in. Users are never prompted during sign-in to change their password because it doesn't meet the current complexity requirement.
Password complexity can be configured in the following types of user flows:
- Sign-up or Sign-in user flow
- Password Reset user flow
If you are using custom policies, you can configure password complexity in a custom policy.
Configure password complexity
- Sign in to the Azure portal.
- Select the Directory + Subscription icon in the portal toolbar, and then select the directory that contains your Azure AD B2C tenant.
- In the Azure portal, search for and select Azure AD B2C.
- Select User flows.
- Select a user flow, and click Properties.
- Under Password complexity, change the password complexity for this user flow to Simple, Strong, or Custom.
Comparison chart
| Complexity | Description |
|---|---|
| Simple | A password that is between 8 and 64 characters long. |
| Strong | A password that is between 8 and 64 characters long. It requires 3 out of 4 of lowercase, uppercase, numbers, or symbols. |
| Custom | This option provides the most control over password complexity rules. It allows configuring a custom length. It also allows accepting number-only passwords (PINs). |
Custom options
Character set
Allows you to accept digits only (PINs) or the full character set.
- Numbers only allows digits only (0-9) while entering a password.
- All allows any letter, number, or symbol.
Length
Allows you to control the length requirements of the password.
- Minimum Length must be at least 4.
- Maximum Length must be greater than or equal to the minimum length and can be at most 256 characters.
Character classes
Allows you to control the different character types used in the password.
- 2 of 4: Lowercase character, Uppercase character, Number (0-9), Symbol ensures the password contains at least two character types. For example, a number and a lowercase character.
- 3 of 4: Lowercase character, Uppercase character, Number (0-9), Symbol ensures the password contains at least three character types. For example, a number, a lowercase character and an uppercase character.
- 4 of 4: Lowercase character, Uppercase character, Number (0-9), Symbol ensures the password contains all four character types.
Note
Requiring 4 of 4 can result in end-user frustration. Some studies have shown that this requirement does not improve password entropy. See the NIST Password Guidelines.
Password predicate validation
To configure the password complexity, override the `newPassword` and `reenterPassword` claim types with a reference to predicate validations. The PredicateValidations element groups a set of predicates to form a user input validation that can be applied to a claim type. Open the extensions file of your policy, for example `SocialAndLocalAccounts/TrustFrameworkExtensions.xml`.
Search for the BuildingBlocks element. If the element doesn't exist, add it.
Locate the ClaimsSchema element. If the element doesn't exist, add it.
Add the `newPassword` and `reenterPassword` claims to the ClaimsSchema element:

```xml
<!--
<BuildingBlocks>
  <ClaimsSchema> -->
    <ClaimType Id="newPassword">
      <PredicateValidationReference Id="CustomPassword" />
    </ClaimType>
    <ClaimType Id="reenterPassword">
      <PredicateValidationReference Id="CustomPassword" />
    </ClaimType>
  <!--
  </ClaimsSchema>
</BuildingBlocks> -->
```
A predicate defines a basic validation that checks the value of a claim type and returns true or false. The validation is done by using a specified Method element and a set of parameters relevant to that method. Add the following predicates to the BuildingBlocks element, immediately after the closing `</ClaimsSchema>` element (the `&` in the symbol set is written as the XML entity `&amp;` so the file stays well-formed):

```xml
<!--
<BuildingBlocks> -->
  <Predicates>
    <Predicate Id="LengthRange" Method="IsLengthRange">
      <UserHelpText>The password must be between 6 and 64 characters.</UserHelpText>
      <Parameters>
        <Parameter Id="Minimum">6</Parameter>
        <Parameter Id="Maximum">64</Parameter>
      </Parameters>
    </Predicate>
    <Predicate Id="Lowercase" Method="IncludesCharacters">
      <UserHelpText>a lowercase letter</UserHelpText>
      <Parameters>
        <Parameter Id="CharacterSet">a-z</Parameter>
      </Parameters>
    </Predicate>
    <Predicate Id="Uppercase" Method="IncludesCharacters">
      <UserHelpText>an uppercase letter</UserHelpText>
      <Parameters>
        <Parameter Id="CharacterSet">A-Z</Parameter>
      </Parameters>
    </Predicate>
    <Predicate Id="Number" Method="IncludesCharacters">
      <UserHelpText>a digit</UserHelpText>
      <Parameters>
        <Parameter Id="CharacterSet">0-9</Parameter>
      </Parameters>
    </Predicate>
    <Predicate Id="Symbol" Method="IncludesCharacters">
      <UserHelpText>a symbol</UserHelpText>
      <Parameters>
        <Parameter Id="CharacterSet">@#$%^&amp;*\-_+=[]{}|\\:',.?/`~"();!</Parameter>
      </Parameters>
    </Predicate>
  </Predicates>
<!--
</BuildingBlocks> -->
```
Add the following predicate validations to the BuildingBlocks element, immediately after the closing `</Predicates>` element:

```xml
<!--
<BuildingBlocks> -->
  <PredicateValidations>
    <PredicateValidation Id="CustomPassword">
      <PredicateGroups>
        <PredicateGroup Id="LengthGroup">
          <PredicateReferences MatchAtLeast="1">
            <PredicateReference Id="LengthRange" />
          </PredicateReferences>
        </PredicateGroup>
        <PredicateGroup Id="CharacterClasses">
          <UserHelpText>The password must have at least 3 of the following:</UserHelpText>
          <PredicateReferences MatchAtLeast="3">
            <PredicateReference Id="Lowercase" />
            <PredicateReference Id="Uppercase" />
            <PredicateReference Id="Number" />
            <PredicateReference Id="Symbol" />
          </PredicateReferences>
        </PredicateGroup>
      </PredicateGroups>
    </PredicateValidation>
  </PredicateValidations>
<!--
</BuildingBlocks> -->
```
Disable strong password
The following technical profiles are Active Directory technical profiles, which read and write data to Azure Active Directory. Override these technical profiles in the extension file. Use `PersistedClaims` to disable the strong password policy. Find the ClaimsProviders element and add the following claims provider:
```xml
<!--
<ClaimsProviders> -->
  <ClaimsProvider>
    <DisplayName>Azure Active Directory</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">
        <PersistedClaims>
          <PersistedClaim ClaimTypeReferenceId="passwordPolicies" DefaultValue="DisablePasswordExpiration, DisableStrongPassword"/>
        </PersistedClaims>
      </TechnicalProfile>
      <TechnicalProfile Id="AAD-UserWritePasswordUsingObjectId">
        <PersistedClaims>
          <PersistedClaim ClaimTypeReferenceId="passwordPolicies" DefaultValue="DisablePasswordExpiration, DisableStrongPassword"/>
        </PersistedClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
<!--
</ClaimsProviders> -->
```
If you use the username based sign-in policy, update the `AAD-UserWriteUsingLogonEmail`, `AAD-UserWritePasswordUsingObjectId`, and `LocalAccountWritePasswordUsingObjectId` technical profiles with the DisableStrongPassword policy.
Save the policy file.
Test your policy
Upload the files
- Sign in to the Azure portal.
- Make sure you're using the directory that contains your Azure AD B2C tenant by selecting the Directory + subscription filter in the top menu and choosing the directory that contains your tenant.
- Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
- Select Identity Experience Framework.
- On the Custom Policies page, click Upload Policy.
- Select Overwrite the policy if it exists, and then search for and select the TrustFrameworkExtensions.xml file.
- Click Upload.
Run the policy
- Open the sign-up or sign-in policy. For example, B2C_1A_signup_signin.
- For Application, select the application that you previously registered. To see the token, the Reply URL should show https://jwt.ms.
- Click Run now.
- Select Sign up now, enter an email address, and enter a new password. Guidance is presented on password restrictions. Finish entering the user information, and then click Create. You should see the contents of the token that was returned.
Next steps
- Learn how to Configure password change in Azure Active Directory B2C.
- Learn more about the Predicates and PredicateValidations elements in the IEF reference.