Azure AD B2C 密码重置 [英] Azure AD B2C Password Reset

问题描述

我正在尝试了解如何使用 Azure AD B2C 密码重置.

I am trying to understand how Azure AD B2C password reset is meant to be used.

似乎有多种方法可以处理密码重置.这些有什么区别?这些之间有价格差异吗?其中一些是 Azure AD 的功能，而另一些是 Azure AD B2C 的功能吗?为什么下面的方法 3 似乎不起作用?

It appears there are a number of ways password reset can be handled. What is the difference between these? Is there is a price difference between these? Are some of these features of Azure AD, whilst some are features of Azure AD B2C? Why does method 3 below not appear to work?

1. 通过 Azure B2C 用户流(策略).

1. Via an Azure B2C user flows (policies).

• 登录 v1 的政策转到下面的 AD 密码重置.
• 虽然所有其他政策都涉及 B2C 密码重置，但它允许用户通过存储在其用户个人资料中的主电子邮件地址重置密码.

通过 Azure Active Directory 自助服务密码重置.可通过 https://passwordreset.microsoftonline.com 访问.这允许用户通过存储在其个人资料中的任何电子邮件地址重置密码.

Via Azure Active Directory Self Service Password Reset. Which is accessible via https://passwordreset.microsoftonline.com. This allows the user to reset their password via any email address stored on their profile.

用户配置文件上的重置密码按钮.这提供了一个临时密码，但临时密码似乎不起作用.

Reset password button on user profile. This provides a temporary password, however the temporary password does not seem to work.

推荐答案

AAD B2C ≠ AAD ===> AAD B2C 用户≠ AAD 用户

目前，一般场景下我们只支持两种方式重置Azure AD B2C用户密码:

AAD B2C ≠ AAD ===> AAD B2C users ≠ AAD users

Currently, we only support two ways to reset Azure AD B2C users' password in general scenario:

1. 使用 Azure AD B2C 密码重置策略/用户流程的自助服务重置密码 (SSPR).

管理员使用 Azure AD Graph API 帮助用户重置密码:https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/api/users-operations#reset-a-users-password--

Admins help users to reset password with Azure AD Graph API:https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/api/users-operations#reset-a-users-password--

回答您的问题:

这些有什么区别?是否有价格差异在这些之间?其中一些是 Azure AD 的功能，而另一些是Azure AD B2C 的功能?

What is the difference between these? Is there is a price difference between these? Are some of these features of Azure AD, whilst some are features of Azure AD B2C?

• 密码重置策略/用户流程适用于 AAD B2C 用户.您可以直接使用它.AAD B2C 用户可以使用它自行重置密码.这也是一种SSPR.

  • Password reset policy/user flow is for AAD B2C users. You can use it directly. AAD B2C users can use this to reset their password by themselves. It's also a kind of SSPR.

    Azure Active Directory 自助服务密码重置.通常，它适用于企业用户.作为这个功能仅用于V1登录用户流程仅限，不建议您使用这种方式.

    Azure Active Directory Self Service Password Reset. Generally, it's for enterprise users. As this feature is just for V1 Sign in user flow only, I don't recommend you use this way.

    用户个人资料上的重置密码按钮.仅适用于 AAD(组织/企业)用户.不要为 AAD B2C 用户使用此按钮.

    Reset password button on user profile. It's for AAD (organization/enterprise) users only. Don't use this button for AAD B2C users.

    为什么下面的方法 3 似乎不起作用?

    Why does method 3 below not appear to work?

    正如我在上面提到的，此功能仅适用于 Azure AD 用户.不是 AAD B2C 用户.因此，您无法在此处重置 B2C 用户的密码.

    As I mentioned in the above, this feature is just for Azure AD users. NOT AAD B2C users. Therefore, you cannot reset B2C users' password here.

    正如 Alex 所说，AAD B2C 用户不是 Azure AD 用户.B2C 用户适用于 2c 场景.普通 Azure AD 用户用于组织/企业场景.

    As Alex said, AAD B2C user is not Azure AD user. B2C users is for 2c senario. Normal Azure AD user is for organization/enterprise scenario.

    您也可以参考我对 Azure AD B2C 租户和普通 Azure AD 租户有什么区别?

    详细了解 B2C 密码重置政策的工作原理:

    • 点击注册/登录策略中的忘记密码"按钮后，AAD B2C 将向应用程序发送带有AADB2C90118"的消息.

    • After clicked "forget your password" button in Signup/in policy, AAD B2C will send a message with "AADB2C90118" back to Application.

    例如，在 ASP.NET MVC Web App 中，它应该挑战

    For example, in a ASP.NET MVC Web App, then it should challenge

    private Task OnAuthenticationFailed(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
                {
                notification.HandleResponse();
                // Handle the error code that Azure AD B2C throws when trying to reset a password from the login page 
                // because password reset is not supported by a "sign-up or sign-in policy"
                if (notification.ProtocolMessage.ErrorDescription != null && notification.ProtocolMessage.ErrorDescription.Contains("AADB2C90118"))
                {
                    // If the user clicked the reset password link, redirect to the reset password route
                    notification.Response.Redirect("/Account/ResetPassword");
                }
    

    • 表示Application会在收到此消息后将其/Account/ResetPassword重定向到.

      /Account/ResetPassword 在此处从 Account Controller 定义.它应该由您定义的密码重置策略名称确定.

      /Account/ResetPassword is defined here from Account Controller. It should be determined by the password reset policy name which defined by you.

          public void ResetPassword()
                  {
                      // Let the middleware know you are trying to use the reset password policy (see OnRedirectToIdentityProvider in Startup.Auth.cs)
                      HttpContext.GetOwinContext().Set("Policy", Startup.ResetPasswordPolicyId);
      
                      // Set the page to redirect to after changing passwords
                      var authenticationProperties = new AuthenticationProperties { RedirectUri = "/" };
                      HttpContext.GetOwinContext().Authentication.Challenge(authenticationProperties);
      
                      return;
                  }
      

      • 然后用户将被重定向到 B2C 密码重置策略以更改其密码.

      这篇关于Azure AD B2C 密码重置的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！