
Configure Temporary Access Pass in Azure AD to register Passwordless authentication methods (Preview)

Passwordless authentication methods, such as FIDO2 and Passwordless Phone Sign-in through the Microsoft Authenticator app, enable users to sign in securely without a password. Users can bootstrap Passwordless methods in one of two ways:

  • Using existing Azure AD multi-factor authentication methods
  • Using a Temporary Access Pass

A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones. A Temporary Access Pass also makes recovery easier when a user has lost or forgotten a strong authentication factor, such as a FIDO2 security key or the Microsoft Authenticator app, but needs to sign in to register new strong authentication methods.

This article shows you how to enable and use a Temporary Access Pass in Azure AD using the Azure portal. You can also perform these actions using the REST APIs.

Note

Temporary Access Pass is currently in public preview. Some features might not be supported or have limited capabilities.

Enable the Temporary Access Pass policy

A Temporary Access Pass policy defines settings such as the lifetime of passes created in the tenant, or the users and groups who can use a Temporary Access Pass to sign in. Before anyone can sign in with a Temporary Access Pass, you need to enable the authentication method policy and choose which users and groups can sign in by using a Temporary Access Pass. Although you can create a Temporary Access Pass for any user, only those included in the policy can sign in with it.

Global administrator and Authentication Method Policy administrator role holders can update the Temporary Access Pass authentication method policy. To configure the Temporary Access Pass authentication method policy:

  1. Sign in to the Azure portal as a Global admin and click Azure Active Directory > Security > Authentication methods > Temporary Access Pass.

  2. Click Yes to enable the policy, select which users have the policy applied, and any General settings.

    Screenshot of how to enable the Temporary Access Pass authentication method policy

    The default value and the range of allowed values are described in the following table.

    Setting | Default value | Allowed values | Comments
    Minimum lifetime | 1 hour | 10 – 43200 minutes (30 days) | Minimum number of minutes that the Temporary Access Pass is valid.
    Maximum lifetime | 24 hours | 10 – 43200 minutes (30 days) | Maximum number of minutes that the Temporary Access Pass is valid.
    Default lifetime | 1 hour | 10 – 43200 minutes (30 days) | The default value can be overridden by an individual pass, within the minimum and maximum lifetime configured by the policy.
    One-time use | False | True / False | When the policy is set to false, passes in the tenant can be used either once or more than once during their validity (up to the maximum lifetime). By enforcing one-time use in the Temporary Access Pass policy, all passes created in the tenant will be created as one-time use.
    Length | 8 | 8-48 characters | Defines the length of the passcode.

Create a Temporary Access Pass in the Azure AD Portal

After you enable a policy, you can create a Temporary Access Pass for a user in Azure AD. These roles can perform the following actions related to a Temporary Access Pass.

  • Global administrators can create, delete, and view a Temporary Access Pass on any user (except themselves)
  • Privileged Authentication administrators can create, delete, and view a Temporary Access Pass on admins and members (except themselves)
  • Authentication administrators can create, delete, and view a Temporary Access Pass on members (except themselves)
  • Global administrators can view the Temporary Access Pass details on the user (without reading the code itself).

To create a Temporary Access Pass:

  1. Sign in to the portal as either a Global administrator, Privileged Authentication administrator, or Authentication administrator.

  2. Click Azure Active Directory, browse to Users, select a user, such as Chris Green, then choose Authentication methods.

  3. If needed, select the option to Try the new user authentication methods experience.

  4. Select the option to Add authentication methods.

  5. Below Choose method, click Temporary Access Pass (Preview).

  6. Define a custom activation time or duration and click Add.

    Screenshot of how to create a Temporary Access Pass

  7. Once added, the details of the Temporary Access Pass are shown. Make a note of the actual Temporary Access Pass value, because you provide this value to the user and you can't view it again after you click OK.

    Screenshot of the Temporary Access Pass details

Use a Temporary Access Pass

The most common use for a Temporary Access Pass is for a user to register authentication details during the first sign-in, without the need to complete additional security prompts. Authentication methods are registered at https://aka.ms/mysecurityinfo. Users can also update existing authentication methods there.

  1. Open a web browser to https://aka.ms/mysecurityinfo.

  2. Enter the UPN of the account you created the Temporary Access Pass for, such as tapuser@contoso.com.

  3. If the user is included in the Temporary Access Pass policy, they will see a screen to enter their Temporary Access Pass.

  4. Enter the Temporary Access Pass that was displayed in the Azure portal.

    Screenshot of how to enter a Temporary Access Pass

Note

For federated domains, a Temporary Access Pass is preferred over federation. A user with a Temporary Access Pass will complete the authentication in Azure AD and will not be redirected to the federated Identity Provider (IdP).

The user is now signed in and can update or register a method such as a FIDO2 security key. Users who update their authentication methods because they lost their credentials or device should make sure they remove the old authentication methods.

Users can also use their Temporary Access Pass to register for Passwordless phone sign-in directly from the Authenticator app. For more information, see Add your work or school account to the Microsoft Authenticator app.

Screenshot of how to enter a Temporary Access Pass when adding a work or school account

Delete a Temporary Access Pass

An expired Temporary Access Pass can't be used. Under the Authentication methods for a user, the Detail column shows when the Temporary Access Pass expired. You can delete an expired Temporary Access Pass using the following steps:

  1. In the Azure AD portal, browse to Users, select a user, such as Tap User, then choose Authentication methods.
  2. On the right-hand side of the Temporary Access Pass (Preview) authentication method shown in the list, select Delete.

Replace a Temporary Access Pass

  • A user can only have one Temporary Access Pass. The passcode can be used between the start and end time of the Temporary Access Pass.
  • If the user requires a new Temporary Access Pass:
    • If the existing Temporary Access Pass is still valid, the admin needs to delete the existing Temporary Access Pass and create a new pass for the user. Deleting a valid Temporary Access Pass will revoke the user's sessions.
    • If the existing Temporary Access Pass has expired, a new Temporary Access Pass will override the existing Temporary Access Pass and will not revoke the user's sessions.
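To make the policy settings table and the replacement rules above concrete, the following Python model (an added example, not Microsoft's code and not the Azure AD or Graph API) checks a pass request against the tenant policy's lifetime range, applies tenant-wide one-time enforcement, and refuses to issue a second pass while the user's current one is still valid. The class and function names are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Allowed ranges from the policy settings table in this article.
LIFETIME_RANGE = (10, 43200)   # minutes; 43200 minutes = 30 days
LENGTH_RANGE = (8, 48)         # passcode characters


@dataclass
class TapPolicy:
    """Tenant-wide policy; defaults match the table (1 h / 24 h / 1 h, multi-use, 8 chars)."""
    minimum_lifetime: int = 60      # minutes
    maximum_lifetime: int = 1440    # minutes
    default_lifetime: int = 60      # minutes
    one_time_use: bool = False
    length: int = 8

    def validate(self) -> None:
        lo, hi = LIFETIME_RANGE
        for name in ("minimum_lifetime", "maximum_lifetime", "default_lifetime"):
            if not lo <= getattr(self, name) <= hi:
                raise ValueError(f"{name} must be {lo}-{hi} minutes")
        if not self.minimum_lifetime <= self.default_lifetime <= self.maximum_lifetime:
            raise ValueError("default lifetime must lie between minimum and maximum")
        if not LENGTH_RANGE[0] <= self.length <= LENGTH_RANGE[1]:
            raise ValueError("length must be 8-48 characters")


@dataclass
class TemporaryAccessPass:
    start: datetime
    lifetime_minutes: int
    one_time: bool

    def expired(self, now: datetime) -> bool:
        return now >= self.start + timedelta(minutes=self.lifetime_minutes)


def create_pass(policy: TapPolicy, existing: Optional[TemporaryAccessPass], now: datetime,
                lifetime: Optional[int] = None, one_time: bool = False) -> TemporaryAccessPass:
    """Issue a pass for a user who may already hold one (rules from 'Replace a Temporary Access Pass')."""
    policy.validate()
    minutes = policy.default_lifetime if lifetime is None else lifetime
    # A per-pass lifetime may override the default only within the policy's minimum/maximum.
    if not policy.minimum_lifetime <= minutes <= policy.maximum_lifetime:
        raise ValueError("lifetime outside the policy's minimum/maximum")
    # A user holds at most one pass: a still-valid pass must be deleted first (which revokes
    # sessions); an expired pass is simply overridden without revoking sessions.
    if existing is not None and not existing.expired(now):
        raise ValueError("delete the existing valid Temporary Access Pass first")
    # Tenant-wide one-time enforcement wins over the per-pass choice.
    return TemporaryAccessPass(now, minutes, one_time or policy.one_time_use)
```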

For more information about NIST standards for onboarding and recovery, see NIST Special Publication 800-63A.

Limitations

Keep these limitations in mind:

  • When using a one-time Temporary Access Pass to register a Passwordless method such as FIDO2 or Phone sign-in, the user must complete the registration within 10 minutes of signing in with the one-time Temporary Access Pass. This limitation does not apply to a Temporary Access Pass that can be used more than once.
  • Guest users can't sign in with a Temporary Access Pass.
  • Users in scope for the Self Service Password Reset (SSPR) registration policy will be required to register one of the SSPR methods after they have signed in with a Temporary Access Pass. If the user is only going to use a FIDO2 key, exclude them from the SSPR policy or disable the SSPR registration policy.
  • A Temporary Access Pass cannot be used with the Network Policy Server (NPS) extension or the Active Directory Federation Services (AD FS) adapter.
  • When Seamless SSO is enabled on the tenant, users are prompted to enter a password. The Use your Temporary Access Pass instead link will be available for the user to sign in with a Temporary Access Pass.

Screenshot of the Use your Temporary Access Pass instead link

Troubleshooting

  • If a Temporary Access Pass is not offered to a user during sign-in, check the following:
    • The user is in scope for the Temporary Access Pass authentication method policy.
    • The user has a valid Temporary Access Pass, and if it is one-time use, it wasn't used yet.
  • If "Temporary Access Pass sign in was blocked due to User Credential Policy" appears during sign-in with a Temporary Access Pass, check the following:
    • The user has a multi-use Temporary Access Pass while the authentication method policy requires a one-time Temporary Access Pass.
    • A one-time Temporary Access Pass was already used.

Next steps