Email one-time passcode authentication

This article describes how to enable email one-time passcode authentication for B2B guest users. The email one-time passcode feature authenticates B2B guest users when they can't be authenticated through other means like Azure AD, a Microsoft account (MSA), or Google federation. With one-time passcode authentication, there's no need to create a Microsoft account. When the guest user redeems an invitation or accesses a shared resource, they can request a temporary code, which is sent to their email address. Then they enter this code to continue signing in.

Email one-time passcode overview diagram

Important

  • Starting October 2021, the email one-time passcode feature will be turned on for all existing tenants and enabled by default for new tenants. If you don't want to allow this feature to turn on automatically, you can disable it. See Disable email one-time passcode below.
  • Email one-time passcode settings have moved in the Azure portal from External collaboration settings to All identity providers.

Note

One-time passcode users must sign in using a link that includes the tenant context (for example, https://myapps.microsoft.com/?tenantid=<tenant id> or https://portal.azure.com/<tenant id>, or in the case of a verified domain, https://myapps.microsoft.com/<verified domain>.onmicrosoft.com). Direct links to applications and resources also work as long as they include the tenant context. Guest users are currently unable to sign in using endpoints that have no tenant context. For example, using https://myapps.microsoft.com or https://portal.azure.com will result in an error.

User experience for one-time passcode guest users

When the email one-time passcode feature is enabled, newly invited users who meet certain conditions will use one-time passcode authentication. Guest users who redeemed an invitation before email one-time passcode was enabled will continue to use their same authentication method.

With one-time passcode authentication, the guest user can redeem your invitation by clicking a direct link or by using the invitation email. In either case, a message in the browser indicates that a code will be sent to the guest user's email address. The guest user selects Send code:

Screenshot showing the Send code button

A passcode is sent to the user's email address. The user retrieves the passcode from the email and enters it in the browser window:

Screenshot showing the Enter code page

The guest user is now authenticated, and they can see the shared resource or continue signing in.

Note

One-time passcodes are valid for 30 minutes. After 30 minutes, that specific one-time passcode is no longer valid, and the user must request a new one. User sessions expire after 24 hours. After that time, the guest user receives a new passcode when they access the resource. Session expiration provides added security, especially when a guest user leaves their company or no longer needs access.

When does a guest user get a one-time passcode?

When a guest user redeems an invitation or uses a link to a resource that has been shared with them, they'll receive a one-time passcode if:

  • They do not have an Azure AD account
  • They do not have a Microsoft account
  • The inviting tenant did not set up Google federation for @gmail.com and @googlemail.com users

At the time of invitation, there's no indication that the user you're inviting will use one-time passcode authentication. But when the guest user signs in, one-time passcode authentication will be the fallback method if no other authentication methods can be used.

You can see whether a guest user authenticates using one-time passcodes by viewing the Source property in the user's details. In the Azure portal, go to Azure Active Directory > Users, and then select the user to open the details page.

Screenshot showing a one-time passcode user with a Source value of OTP

Note

When a user redeems a one-time passcode and later obtains an MSA, Azure AD account, or other federated account, they'll continue to be authenticated using a one-time passcode. If you want to update their authentication method, you can delete their guest user account and reinvite them.

Example

Guest user teri@gmail.com is invited to Fabrikam, which does not have Google federation set up. Teri does not have a Microsoft account. They'll receive a one-time passcode for authentication.

Disable email one-time passcode

Starting October 2021, the email one-time passcode feature will be turned on for all existing tenants and enabled by default for new tenants. At that time, Microsoft will no longer support the redemption of invitations by creating unmanaged ("viral" or "just-in-time") Azure AD accounts and tenants for B2B collaboration scenarios. We're enabling the email one-time passcode feature because it provides a seamless fallback authentication method for your guest users. However, you have the option of disabling this feature if you choose not to use it.

Note

If the email one-time passcode feature has been enabled in your tenant and you turn it off, any guest users who have redeemed a one-time passcode will not be able to sign in. You can delete the guest user and reinvite them so they can sign in again using another authentication method.

To disable the email one-time passcode feature

  1. Sign in to the Azure portal as an Azure AD global administrator.

  2. In the navigation pane, select Azure Active Directory.

  3. Select External Identities > All identity providers.

  4. Select Email one-time passcode, and then select Disable email one-time passcode for guests.

    Note

    Email one-time passcode settings have moved in the Azure portal from External collaboration settings to All identity providers. If you see a toggle instead of the email one-time passcode options, this means you've previously enabled, disabled, or opted into the preview of the feature. Select No to disable the feature.

    Email one-time passcode toggle disabled

  5. Select Save.

Note for public preview customers

If you've previously opted in to the email one-time passcode public preview, the October 2021 date for automatic feature enablement doesn't apply to you, so your related business processes won't be affected. Additionally, in the Azure portal, under the Email one-time passcode for guests properties, you won't see the option to Automatically enable email one-time passcode for guests starting October 2021. Instead, you'll see the following Yes or No toggle:

Email one-time passcode opted in

However, if you'd prefer to opt out of the feature and allow it to be automatically enabled in October 2021, you can revert to the default settings by using the Microsoft Graph API email authentication method configuration resource type. After you revert to the default settings, the following options will be available under Email one-time passcode for guests:

Enable email one-time passcode options

  • Automatically enable email one-time passcode for guests starting October 2021. (Default) If the email one-time passcode feature is not already enabled for your tenant, it will be automatically turned on starting October 2021. No further action is necessary if you want the feature enabled at that time. If you've already enabled or disabled the feature, this option will be unavailable.

  • Enable email one-time passcode for guests effective now. Turns on the email one-time passcode feature for your tenant.

  • Disable email one-time passcode for guests. Turns off the email one-time passcode feature for your tenant, and prevents the feature from turning on in October 2021.
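As an added example (not code from this article or from Microsoft), the following Python lists the guest users who would lose sign-in when the feature is turned off (the caveat in the note above) and builds the Graph PATCH that reverts the email authentication method configuration to its default. The endpoint path, the allowExternalIdToUseEmailOtp property and its values, and the identities entry with issuer "mail" for OTP guests are assumptions about the Graph schema, and the user records are constructed.

```python
"""Added example (not from the article or Microsoft's own tooling).
Assumptions: the Graph endpoint GRAPH_EMAIL_CONFIG with property
allowExternalIdToUseEmailOtp ('default' | 'enabled' | 'disabled'), and that a
guest who signed in with email OTP has an identities entry with issuer 'mail'.
No network call is made; send the request with a token holding Policy.ReadWrite.AuthenticationMethod."""
import json

GRAPH_EMAIL_CONFIG = ("https://graph.microsoft.com/v1.0/policies/"
                      "authenticationMethodsPolicy/authenticationMethodConfigurations/email")
ALLOWED_STATES = ("default", "enabled", "disabled")


def otp_guests(users):
    """UPNs of guests whose identities show the email OTP issuer: these are
    the accounts that can no longer sign in once the feature is disabled."""
    return [u["userPrincipalName"] for u in users
            if u.get("userType") == "Guest"
            and any(i.get("issuer") == "mail" for i in u.get("identities", []))]


def build_email_otp_patch(state):
    """PATCH request that sets the tenant-wide email OTP state;
    'default' reverts to the automatic-enablement behaviour described above."""
    if state not in ALLOWED_STATES:
        raise ValueError(f"state must be one of {ALLOWED_STATES}, got {state!r}")
    body = {"@odata.type": "#microsoft.graph.emailAuthenticationMethodConfiguration",
            "allowExternalIdToUseEmailOtp": state}
    return {"method": "PATCH", "url": GRAPH_EMAIL_CONFIG,
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps(body)}

# Constructed sample of GET /users?$select=userPrincipalName,userType,identities
SAMPLE_USERS = [
    {"userPrincipalName": "teri_gmail.com#EXT#@fabrikam.onmicrosoft.com",
     "userType": "Guest",
     "identities": [{"signInType": "federated", "issuer": "mail",
                     "issuerAssignedId": "teri@gmail.com"}]},
    {"userPrincipalName": "alex_contoso.com#EXT#@fabrikam.onmicrosoft.com",
     "userType": "Guest",
     "identities": [{"signInType": "federated", "issuer": "ExternalAzureAD",
                     "issuerAssignedId": "alex@contoso.com"}]},
    {"userPrincipalName": "admin@fabrikam.onmicrosoft.com", "userType": "Member",
     "identities": [{"signInType": "userPrincipalName",
                     "issuer": "fabrikam.onmicrosoft.com"}]},
]

if __name__ == "__main__":
    print("Guests signing in with email OTP:", otp_guests(SAMPLE_USERS))
    print(json.dumps(build_email_otp_patch("default"), indent=2))
```

Run the audit before you change the setting, so that every listed guest can be deleted and reinvited with another authentication method rather than silently locked out.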

Note for Azure US Government customers

The email one-time passcode feature is disabled by default in the Azure US Government cloud.

Email one-time passcode disabled

To enable the email one-time passcode feature in Azure US Government cloud:

  1. Sign in to the Azure portal as an Azure AD global administrator.

  2. In the navigation pane, select Azure Active Directory.

  3. Select Organizational relationships > Settings.

    Note

    • If you don't see Organizational relationships, search for "External Identities" in the search bar at the top.

  4. Select Email one-time passcode, and then select Yes.

  5. Select Save.

For more information about current limitations, see Azure US Government clouds.