How it works: Azure AD self-service password reset

How does self-service password reset (SSPR) work? What does that option mean in the interface? Continue reading to find out more about Azure Active Directory (Azure AD) SSPR.

Mobile app notification and Mobile app code as methods for Azure AD self-service password reset are public preview features of Azure Active Directory. For more information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.

How does the password reset portal work?

When a user goes to the password reset portal, a workflow is kicked off to determine:

  • How should the page be localized?
  • Is the user account valid?
  • What organization does the user belong to?
  • Where is the user's password managed?
  • Is the user licensed to use the feature?

Read through the following steps to learn about the logic behind the password reset page:

  1. The user selects the Can't access your account link or goes directly to https://aka.ms/sspr.
    • Based on the browser locale, the experience is rendered in the appropriate language. The password reset experience is localized into the same languages that Office 365 supports.
    • To view the password reset portal in a different localized language, append "?mkt=" to the end of the password reset URL; for example, https://passwordreset.microsoftonline.com/?mkt=es-us localizes the portal to Spanish.
  2. The user enters a user ID and passes a captcha.
  3. Azure AD verifies that the user is able to use this feature by doing the following checks:
    • Checks that the user has this feature enabled and has an Azure AD license assigned.
      • If the user does not have this feature enabled or does not have a license assigned, the user is asked to contact their administrator to reset their password.
    • Checks that the user has the right authentication methods defined on their account in accordance with administrator policy.
      • If the policy requires only one method, then it ensures that the user has the appropriate data defined for at least one of the authentication methods enabled by the administrator policy.
        • If the authentication methods are not configured, then the user is advised to contact their administrator to reset their password.
      • If the policy requires two methods, then it ensures that the user has the appropriate data defined for at least two of the authentication methods enabled by the administrator policy.
        • If the authentication methods are not configured, then the user is advised to contact their administrator to reset their password.
      • If an Azure administrator role is assigned to the user, then the strong two-gate password policy is enforced. More information about this policy can be found in the section Administrator reset policy differences.
    • Checks to see if the user's password is managed on-premises (federated, pass-through authentication, or password hash synchronized).
      • If writeback is deployed and the user's password is managed on-premises, then the user is allowed to proceed to authenticate and reset their password.
      • If writeback is not deployed and the user's password is managed on-premises, then the user is asked to contact their administrator to reset their password.
  4. If it's determined that the user is able to successfully reset their password, then the user is guided through the reset process.

Authentication methods

If SSPR is enabled, you must select at least one of the following options for the authentication methods. Sometimes you hear these options referred to as "gates." We highly recommend that you choose two or more authentication methods so that your users have more flexibility in case they are unable to access one when they need it. Additional details about the methods listed below can be found in the article What are authentication methods?

  • Mobile app notification (preview)
  • Mobile app code (preview)
  • Email
  • Mobile phone
  • Office phone
  • Security questions

Users can only reset their password if they have data present in the authentication methods that the administrator has enabled.

Important

Starting in March of 2019, the phone call options will not be available to MFA and SSPR users in free/trial Azure AD tenants. SMS messages are not impacted by this change. Phone calls will continue to be available to users in paid Azure AD tenants. This change only impacts free/trial Azure AD tenants.

Warning

Accounts assigned Azure Administrator roles will be required to use the methods defined in the section Administrator reset policy differences.

Authentication methods selection in the Azure portal

Number of authentication methods required

This option determines the minimum number of the available authentication methods, or gates, that a user must go through to reset or unlock their password. It can be set to either one or two.

Users can choose to register additional authentication methods if the administrator has enabled them.

If a user does not have the minimum required methods registered, they see an error page that directs them to request that an administrator reset their password.

Mobile app and SSPR (Preview)

When using a mobile app, like the Microsoft Authenticator app, as a method for password reset, you should be aware of the following caveats:

  • When administrators require one method be used to reset a password, verification code is the only option available.
  • When administrators require two methods be used to reset a password, users are able to use EITHER notification OR verification code in addition to any other enabled methods.

  Number of methods required to reset   Mobile app features available
  One                                   Code
  Two                                   Code or Notification

Users do not have the option to register their mobile app when registering for self-service password reset from https://aka.ms/ssprsetup. Users can register their mobile app at https://aka.ms/mfasetup, or in the new security info registration preview at https://aka.ms/setupsecurityinfo.

Change authentication methods

If you start with a policy that has only one required authentication method for reset or unlock registered and you change that to two methods, what happens?

  Number of methods registered   Number of methods required   Result
  1 or more                      1                            Able to reset or unlock
  1                              2                            Unable to reset or unlock
  2 or more                      2                            Able to reset or unlock

If you change the types of authentication methods that a user can use, you might inadvertently stop users from being able to use SSPR if they don't have the minimum amount of data available.

Example:

  1. The original policy is configured with two authentication methods required. It uses only the office phone number and the security questions.
  2. The administrator changes the policy to no longer use the security questions, but allows the use of a mobile phone and an alternate email.
  3. Users without the mobile phone or alternate email fields populated can't reset their passwords.
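The eligibility checks in the portal workflow above (feature enabled and licensed, enough registered methods for the policy, writeback for on-premises managed passwords, the one-method restriction on mobile app notification) and the policy-change example just given can be modelled as one decision function. The following is an added example written for this page; it is not Microsoft's code and does not call any Azure AD API. The type names, the method identifiers, and the modelling of the administrator two-gate rule as simply "at least two methods" are assumptions made for the example.

```python
"""Model of the SSPR eligibility checks this page describes (added example,
not Azure AD code). Method names and the data model are assumptions."""
from __future__ import annotations

from dataclasses import dataclass

# Method identifiers are constructed for this example; they mirror the six
# gates listed on the page.
MOBILE_APP_NOTIFICATION = "mobile_app_notification"
MOBILE_APP_CODE = "mobile_app_code"
EMAIL = "email"
MOBILE_PHONE = "mobile_phone"
OFFICE_PHONE = "office_phone"
SECURITY_QUESTIONS = "security_questions"

CONTACT_ADMIN = "contact your administrator to reset your password"
PROCEED = "proceed to authenticate and reset the password"


@dataclass(frozen=True)
class SsprPolicy:
    enabled_methods: frozenset[str]  # gates the administrator turned on
    methods_required: int            # 1 or 2
    writeback_enabled: bool = False  # password writeback deployed and on


@dataclass(frozen=True)
class User:
    sspr_enabled: bool
    licensed: bool
    registered_methods: frozenset[str]  # methods with data on the account
    is_admin: bool = False              # holds an Azure administrator role
    password_managed_on_premises: bool = False  # federated, PTA or PHS


def usable_methods(enabled: frozenset[str], registered: frozenset[str],
                   methods_required: int) -> frozenset[str]:
    """Methods that count toward the minimum: enabled by policy AND registered.

    Page rule: when only one method is required, the mobile app can only be
    used as a verification code, so a registered notification does not count.
    """
    usable = set(enabled & registered)
    if methods_required == 1:
        usable.discard(MOBILE_APP_NOTIFICATION)
    return frozenset(usable)


def sspr_decision(policy: SsprPolicy, user: User) -> str:
    """Walk the checks in the order the page lists them."""
    # Check 1: feature enabled and license assigned.
    if not (user.sspr_enabled and user.licensed):
        return CONTACT_ADMIN
    # Check 2: enough registered methods for the policy. The page says admins
    # get the strong two-gate policy; ASSUMPTION: modelled here only as
    # "at least two methods", the permitted method set is defined elsewhere.
    required = policy.methods_required
    if user.is_admin:
        required = max(required, 2)
    usable = usable_methods(policy.enabled_methods, user.registered_methods,
                            required)
    if len(usable) < required:
        return CONTACT_ADMIN
    # Check 3: an on-premises managed password needs writeback.
    if user.password_managed_on_premises and not policy.writeback_enabled:
        return CONTACT_ADMIN
    return PROCEED


def policy_change_example() -> tuple[str, str]:
    """The page's example: a user registered for office phone and security
    questions, before and after the admin drops security questions."""
    before = SsprPolicy(frozenset({OFFICE_PHONE, SECURITY_QUESTIONS}), 2)
    after = SsprPolicy(frozenset({OFFICE_PHONE, MOBILE_PHONE, EMAIL}), 2)
    user = User(True, True, frozenset({OFFICE_PHONE, SECURITY_QUESTIONS}))
    return sspr_decision(before, user), sspr_decision(after, user)


if __name__ == "__main__":
    before, after = policy_change_example()
    print("before policy change:", before)
    print("after policy change: ", after)
```

Running the module prints the before/after outcome for the page's example: the same user who could reset under the original policy is sent to an administrator once security questions are no longer an enabled gate, because only one of their registered methods still counts.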

Registration

Require users to register when they sign in

Enabling this option requires a user to complete the password reset registration if they sign in to any applications using Azure AD. This workflow includes the following applications:

  • Office 365
  • Azure portal
  • Access Panel
  • Federated applications
  • Custom applications using Azure AD

When requiring registration is disabled, users can manually register. They can either visit https://aka.ms/ssprsetup or select the Register for password reset link under the Profile tab in the Access Panel.

Note

Users can dismiss the password reset registration portal by selecting cancel or by closing the window. But they are prompted to register each time they sign in until they complete their registration.

This interrupt doesn't break the user's connection if they are already signed in.

Set the number of days before users are asked to reconfirm their authentication information

This option determines the period of time between setting and reconfirming authentication information and is available only if you enable the Require users to register when signing in option.

Valid values are 0 to 730 days, with "0" meaning users are never asked to reconfirm their authentication information.

Notifications

Notify users on password resets

If this option is set to Yes, then users resetting their password receive an email notifying them that their password has been changed. The email is sent via the SSPR portal to their primary and alternate email addresses that are on file in Azure AD. No one else is notified of the reset event.

Notify all admins when other admins reset their passwords

If this option is set to Yes, then all administrators receive an email to their primary email address on file in Azure AD. The email notifies them that another administrator has changed their password by using SSPR.

Example: There are four administrators in an environment. Administrator A resets their password by using SSPR. Administrators B, C, and D receive an email alerting them of the password reset.

On-premises integration

If you install, configure, and enable Azure AD Connect, you have the following additional options for on-premises integrations. If these options are grayed out, then writeback has not been properly configured. For more information, see Configuring password writeback.

Validating password writeback is enabled and working

This page provides you a quick status of the on-premises writeback client. One of the following messages is displayed based on the current configuration:

  • Your On-premises writeback client is up and running.
  • Azure AD is online and is connected to your on-premises writeback client. However, it looks like the installed version of Azure AD Connect is out-of-date. Consider upgrading Azure AD Connect to ensure that you have the latest connectivity features and important bug fixes.
  • Unfortunately, we can't check your on-premises writeback client status because the installed version of Azure AD Connect is out-of-date. Upgrade Azure AD Connect to be able to check your connection status.
  • Unfortunately, it looks like we can't connect to your on-premises writeback client right now. Troubleshoot Azure AD Connect to restore the connection.
  • Unfortunately, we can't connect to your on-premises writeback client because password writeback has not been properly configured. Configure password writeback to restore the connection.
  • Unfortunately, it looks like we can't connect to your on-premises writeback client right now. This may be due to temporary issues on our end. If the problem persists, troubleshoot Azure AD Connect to restore the connection.

Write back passwords to your on-premises directory

This control determines whether password writeback is enabled for this directory. If writeback is on, it indicates the status of the on-premises writeback service. This control is useful if you want to temporarily disable password writeback without having to reconfigure Azure AD Connect.

  • If the switch is set to Yes, then writeback is enabled, and federated, pass-through authentication, or password hash synchronized users are able to reset their passwords.
  • If the switch is set to No, then writeback is disabled, and federated, pass-through authentication, or password hash synchronized users are not able to reset their passwords.

Allow users to unlock accounts without resetting their password

This control designates whether users who visit the password reset portal should be given the option to unlock their on-premises Active Directory accounts without having to reset their password. By default, Azure AD unlocks accounts when it performs a password reset. You use this setting to separate those two operations.

  • If set to Yes, then users are given the option to reset their password and unlock the account, or to unlock their account without having to reset the password.
  • If set to No, then users are only able to perform a combined password reset and account unlock operation.

On-premises Active Directory password filters

Azure AD self-service password reset performs the equivalent of an admin-initiated password reset in Active Directory. If you are using a third-party password filter to enforce custom password rules, and you require that this password filter is checked during Azure AD self-service password reset, ensure that the third-party password filter solution is configured to apply in the admin password reset scenario. Azure AD password protection for Windows Server Active Directory is supported by default.

Password reset for B2B users

Password reset and change are fully supported on all business-to-business (B2B) configurations. B2B user password reset is supported in the following three cases:

  • Users from a partner organization with an existing Azure AD tenant: If the organization you're partnering with has an existing Azure AD tenant, we respect whatever password reset policies are enabled on that tenant. For password reset to work, the partner organization just needs to make sure that Azure AD SSPR is enabled. There is no additional charge for Office 365 customers, and it can be enabled by following the steps in our Get started with password management guide.
  • Users who sign up through self-service sign-up: If the organization you're partnering with used the self-service sign-up feature to get into a tenant, we let them reset the password with the email they registered.
  • B2B users: Any new B2B users created by using the new Azure AD B2B capabilities will also be able to reset their passwords with the email they registered during the invite process.

To test this scenario, go to https://passwordreset.microsoftonline.com with one of these partner users. If they have an alternate email or authentication email defined, password reset works as expected.

Note

Microsoft accounts that have been granted guest access to your Azure AD tenant, such as those from Hotmail.com, Outlook.com, or other personal email addresses, are not able to use Azure AD SSPR. They need to reset their password by using the information found in the When you can't sign in to your Microsoft account article.

Next steps

The following articles provide additional information regarding password reset through Azure AD: