使用MFA创建可以立即登录的B2C用户 [英] Creating a B2C user with MFA that can immediately login
问题描述
我使用以下PowerShell为不允许自我注册的应用创建B2B用户.租户可以重置自助服务密码,并且需要MFA.
I use the following PowerShell to create B2B users for an app that doesn't allow self signup. The tenant allows self service password resets and requires MFA.
# B2C allows you to sign in either with your user name or email address (not both for some reason)
$SignInNames = @(
(New-Object `
Microsoft.Open.AzureAD.Model.SignInName `
-Property @{Type = "userName"; Value = $UserName}),
(New-Object `
Microsoft.Open.AzureAD.Model.SignInName `
-Property @{Type = "emailAddress"; Value = $EmailAddress})
)
# I can't actually sign in with this user.
$PasswordProfile = New-Object `
-TypeName Microsoft.Open.AzureAD.Model.PasswordProfile `
-Property @{
'Password' = $Password;
'ForceChangePasswordNextLogin' = $true;
};
New-AzureADUser `
-DisplayName $UserName.Replace('_', ' ') `
-CreationType "LocalAccount" `
-AccountEnabled $true `
-PasswordProfile $PasswordProfile `
-PasswordPolicies "DisablePasswordExpiration" `
-SignInNames $SignInNames
已创建用户,但我使用的密码不起作用.用户可以使用自助服务密码重置,这将提示他们输入其MFA的电话号码.
The user is created, but the password I used does not work. The user can use self service password reset, which will prompt them for their phone number for MFA.
如果我通过以下Azure Graph调用搜索本地用户:
If I search for local users with the following Azure Graph call:
https://graph.windows.net/ {{tenantId}}/users/?api -version = 1.6& $ filter = creationType eq'LocalAccount'我看到了这样的用户:
https://graph.windows.net/{{tenantId}}/users/?api-version=1.6&$filter=creationType eq 'LocalAccount' I see the user like so:
{
"odata.type": "Microsoft.DirectoryServices.User",
"objectType": "User",
"objectId": "__OBJECT_ID__",
"deletionTimestamp": null,
"accountEnabled": true,
"ageGroup": null,
"assignedLicenses": [],
"assignedPlans": [],
"city": null,
"companyName": null,
"consentProvidedForMinor": null,
"country": null,
"creationType": "LocalAccount",
"department": null,
"dirSyncEnabled": null,
"displayName": "Justin Dearing",
"employeeId": null,
"facsimileTelephoneNumber": null,
"givenName": null,
"immutableId": null,
"isCompromised": null,
"jobTitle": null,
"lastDirSyncTime": null,
"legalAgeGroupClassification": null,
"mail": null,
"mailNickname": "__MAIL_NICKNAME__",
"mobile": null,
"onPremisesDistinguishedName": null,
"onPremisesSecurityIdentifier": null,
"otherMails": [],
"passwordPolicies": null,
"passwordProfile": null,
"physicalDeliveryOfficeName": null,
"postalCode": null,
"preferredLanguage": null,
"provisionedPlans": [],
"provisioningErrors": [],
"proxyAddresses": [],
"refreshTokensValidFromDateTime": "2018-02-27T19:46:09Z",
"showInAddressList": null,
"signInNames": [
{
"type": "emailAddress",
"value": "justin.dearing@somedomain.com"
},
{
"type": "userName",
"value": "JDearing"
}
],
"sipProxyAddress": null,
"state": null,
"streetAddress": null,
"surname": null,
"telephoneNumber": null,
"usageLocation": null,
"userIdentities": [],
"userPrincipalName": "__A_GUID__@__TENANT_NAME__.onmicrosoft.com",
"userType": "Member"
},
在确定之前和之后,用户注册唯一更改的地方是refreshTokensValidFromDateTime
字段.使用Microsoft图形查询,您获得的字段更少:
The only thing that changes there before and after finalizing the users registration is the refreshTokensValidFromDateTime
field. You get even less fields with the Microsoft graph query:
https://graph.microsoft.com/v1.0/users ?$ filter = creationType eq'LocalAccount'
https://graph.microsoft.com/v1.0/users?$filter=creationType eq 'LocalAccount'
甚至$select=*
都无法解决该问题.为了创建更好的用户体验,我如何创建B2C用户,使最初提供给该用户的密码可以与MFA帐户一起使用,而无需单击忘记密码".
And not even $select=*
fixes that. To create a better user experience, how can I create a B2C user where the password I initially provide to the user will work with an MFA account without them having to click "forgot password".
是的,我也希望我为用户提供的密码是一次性用户.不过那是另一回事.
Yes I'd also like the password I give the user to be of one time user. That's a separate matter though.
推荐答案
我针对我的B2C租户执行了您的脚本,并且能够创建用户并登录而没有问题.我已经针对为用户名和电子邮件配置的本地帐户尝试了相同的脚本.没问题.
I executed your script against my B2C tenant and I was able to create a user and sign-in w/o issue. I've tried the same script against local accounts configured for usernames and emails. No issue w/ that either.
我通过本地B2C管理员帐户创建了用户.
I created the user via a local B2C admin account.
您需要使用B2C租户本地的B2C租户管理员帐户.这些帐户如下所示:myusername@myb2ctenant.onmicrosoft.com.
You need to use a B2C tenant administrator account that is local to the B2C tenant. These accounts look like this: myusername@myb2ctenant.onmicrosoft.com.
Powershell脚本
$AzureAdCred = Get-Credential
#enter local B2C admin credential in the popup
Connect-AzureAD -Credential $AzureAdCred
$UserName="blah6985"
$EmailAddress="blah6985@outlook.com"
$Password="UEDsda;lad-8af:L;"
$SignInNames = @(
(New-Object `
Microsoft.Open.AzureAD.Model.SignInName `
-Property @{Type = "userName"; Value = $UserName}),
(New-Object `
Microsoft.Open.AzureAD.Model.SignInName `
-Property @{Type = "emailAddress"; Value = $EmailAddress})
)
$PasswordProfile = New-Object `
-TypeName Microsoft.Open.AzureAD.Model.PasswordProfile `
-Property @{
'Password' = $Password;
'ForceChangePasswordNextLogin' = $false;
};
New-AzureADUser `
-DisplayName $UserName.Replace('_', ' ') `
-CreationType "LocalAccount" `
-AccountEnabled $true `
-PasswordProfile $PasswordProfile `
-SignInNames $SignInNames
这篇关于使用MFA创建可以立即登录的B2C用户的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!