Azure AD B2C 密码过期 [英] Azure AD B2C password expiration

问题描述

我们通过注册或登录"政策在我们的解决方案中利用 Azure AD B2C.定期(我没有计算确切的天数)，当我尝试登录时，我得到:无效的用户名或密码".我必须重设密码才能使用.

We leverage Azure AD B2C in our solution with a "sign up or sign in" policy. On a regular basis (I have not counted the exact number of days), when I try to login, I got : "invalid username or password". I have to reset my password to make it work.

所以我有两个问题:

• 是否有默认密码过期策略?Azure B2C Connect 上的功能请求之一是启用此类自定义过期策略的定义，但我在文档中没有发现默认策略已到位的事实.有什么办法可以消除这种默认行为(即没有过期)?

• Is there a default password expiration policy? One of the feature request on Azure B2C Connect is to enable the definition of such custom expiration policy but I have not found in the documentation the fact that a default one was in place. Is there any way to remove this default behavior (i.e. no expiration)?

消息无效的用户名或密码"具有误导性，应该是您的密码已过期".有什么办法改变吗?

The message "invalid username or password" is misleading and should be "your password has expired". Any way to change that ?

谢谢！

推荐答案

是否有默认密码过期策略?

Is there a default password expiration policy?

对于 B2C 本地帐户:

注意:本地帐户只能通过注册或 AAD Graph API 创建.您无法通过在 B2C 租户 AAD 中单击新用户来创建它.

默认情况下本地帐户没有密码过期策略. Azure AD B2C 的注册、注册或登录和密码重置策略使用强"密码强度，并且不要t 使 Azure AD B2C 中本地帐户的所有密码过期.您可以在 此常见问题解答.

There is no password expiration policy for local accounts by default. Azure AD B2C's sign-up, sign-up or sign-in and password reset policies use the "strong" password strength and don't expire any passwords for local accounts in Azure AD B2C. You can see this in this FAQ.

但是，B2C 本地账户用户密码过期也可能会遇到一些情况.

Howerver, there are also some conditions which you may come across the B2C local account users password expiration.

• 默认情况下，如果本地帐户是通过内置密码策略创建的，则此策略会将 passwordPolicies 属性设置为 DisablePasswordExpiration.所以B2C本地用户的密码不会过期.

• Defaultly, if a local account is created by built-in password policy, then this policy sets the passwordPolicies property to DisablePasswordExpiration. So the passwords of B2C local users won't expire.

但是，如果本地帐户是由自定义策略或 Azure AD Graph API 创建的，则必须将 passwordPolicies 属性设置为 DisablePasswordExpiration手动.

However, if a local account is created by either a custom policy or Azure AD Graph API, then you have to set the passwordPolicies property to be DisablePasswordExpiration manually.

因此，如果您未将密码策略的属性设置为 DisablePasswordExpiration，则您的本地用户的密码可能会在 90 天后过期而不通知.

So, If your local users' passwords may expire after 90 days without notification if you don't set the property of the Password policy to be DisablePasswordExpiration.

有没有办法消除这种默认行为(即没有过期)?无效的用户名或密码"消息具有误导性，应为您的密码已过期".有什么办法改变吗?

Is there any way to remove this default behavior (i.e. no expiration)? The message "invalid username or password" is misleading and should be "your password has expired". Any way to change that?

本地帐户的解决方案:

1. 可以参考此示例 通过 AAD Graph API 创建密码过期的 B2C 本地用户:

1. You can refer to this example to create B2C local users without password expiration via AAD Graph API:

POST https://graph.windows.net/contosob2c.onmicrosoft.com/users?api-version=1.6
Authorization: Bearer eyJhbGciOiJSUzI1NiIsIng1dCI6IjdkRC1nZWNOZ1gxWmY3R0xrT3ZwT0IyZGNWQSIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJod...
Content-Type: application/json
Content-Length: 338
{
// All of these properties are required to create consumer users.
"accountEnabled": true,
"signInNames": [                            // controls which identifier the user uses to sign in to the account
    {
        "type": "emailAddress",             // can be 'emailAddress' or 'userName'
        "value": "joeconsumer@gmail.com"
    }
],
"creationType": "LocalAccount",            // always set to 'LocalAccount'
"displayName": "Joe Consumer",                // a value that can be used for displaying to the end user
"mailNickname": "joec",                        // an email alias for the user
"passwordProfile": {
    "password": "P@ssword!",
    "forceChangePasswordNextLogin": false   // always set to false
},
"passwordPolicies": "DisablePasswordExpiration"
}

通过 AAD Graph API 使用 PATCH 方法更新受影响用户的 Password Policy 属性为 DisablePasswordExpiration，可以参考本文档来更新您的b2c 用户.

Update the Password Polices's property of affected users to be DisablePasswordExpiration with PATCH method via AAD Graph API, you can refer to this documentation to update your b2c users.

要求所有受影响的 B2C 用户更改密码.

Ask all affected B2C users to change their passwords.

<小时>

对于社交帐户:

密码到期取决于身份提供者的密码策略.AAD 也可以是AAD B2C 中的身份提供者.

仅适用于工作或学校帐户的 AAD 密码过期政策.可应用于在 Azure AD 中创建和管理的用户帐户的可用密码策略设置.

AAD Password Expiration policies that apply only to work or school accounts. The available password policy settings that can be applied to user accounts that are created and managed in Azure AD.

因此，如果您将 AAD 作为 AAD B2C 的社交帐户，密码过期政策将影响这些社交帐户.

So, if you make the AAD as a social account for the AAD B2C, the Password Expiration policies will affect those social accounts.

如果您的帐户是 Azure AD 中的社交帐户，请使用您的公司管理员凭据连接到该租户.执行以下命令之一:

If your account is a social account in Azure AD, connect to that Tenant using your company administrator credentials. Execute one of the following commands:

1. 要将一个用户的密码设置为永不过期，请使用用户主体名称 (UPN) 或用户的用户 ID 运行以下 cmdlet:Set-MsolUser -UserPrincipalName ;-PasswordNeverExpires $true

要将组织中所有用户的密码设置为永不过期，请运行以下 cmdlet:Get-MSOLUser |Set-MsolUser -PasswordNeverExpires $true

To set the passwords of all the users in an organization to never expire, run the following cmdlet: Get-MSOLUser | Set-MsolUser -PasswordNeverExpires $true

您可以在 本文档.

这篇关于Azure AD B2C 密码过期的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！