Integrating Self Service Password Reset


Problem description

I'm looking for the best way to deploy Azure AD self service password reset as an add-on to an otherwise all on premise deployment. Here is my current setup:

1) Onsite AD domain is xxx.org
2) Onsite ADFS is being used for all SSO
3) Azure AD main is xxx.edu
4) xxx.org has been added as a custom domain name
5) Users are synching from onsite to Azure
6) Self service password reset is working
7) Password synch back is working

Now here's the problem. Self service password reset works ... but users have to use name@xxx.org (matches the onsite AD). They cannot use name@xxx.edu. To further complicate things their email addresses are technically name@students.xxx.edu. Now I can give them instructions to use a domain that they've never explicitly used, but that's cumbersome.

Is there a way to make this work with the current email address as the login? Barring that, is there a way to link the authenticated user using my onsite ADFS to their linked account in Azure SSPR? Is there a better answer?

Thanks,
Mike

Recommended answer

Hi!

For one customer, we've solved this by creating a custom landing page. They'd direct users to go to that page, which has instructions on how to reset their password and as a last step, would ask for the user's sign-in name, alongside a "Start" button. Upon clicking start, we'd fire a JavaScript that replaces the UPN xxx.org with xxx.edu and redirect to https://passwordreset.microsoftonline.com/?username=user@xxx.edu

Redirecting to that URL with the parameters triggers the user ID box to be filled and loads the tenant's branding (if configured).

Does that work for you?

We have discussions about allowing users to use their email address in the SSPR reset flow as a user ID indication, but there's no ETA for that, yet.

Thanks,

Florian
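
A sketch of the landing-page script described in the answer above, as an added example that is not the answerer's code: it validates the typed sign-in name, swaps the domain, and builds the redirect with the value percent-encoded so user input cannot add parameters to the URL. `SSPR_BASE`, `DOMAIN_MAP`, `buildResetUrl` and the element ids `signin` and `start` are assumed names; the single mapping follows the answer's xxx.org to xxx.edu.

```javascript
// Added example (hypothetical names throughout), not the answerer's script.
const SSPR_BASE = "https://passwordreset.microsoftonline.com/";

// Domain the user types -> domain sent to SSPR. Only the answer's mapping is
// listed; adjust to whichever UPN suffix the tenant's reset flow accepts.
const DOMAIN_MAP = new Map([["xxx.org", "xxx.edu"]]);

// Returns the SSPR URL for a typed sign-in name, or null when the input is
// not a plain local@domain name. Invalid input is rejected, never "repaired".
function buildResetUrl(input) {
  // Exactly one "@"; no whitespace, control characters or URL metacharacters.
  const pattern = /^([a-z0-9._'-]+)@([a-z0-9-]+(?:\.[a-z0-9-]+)+)$/i;
  const m = pattern.exec(String(input).trim());
  if (!m) return null;

  const local = m[1];
  const domain = m[2].toLowerCase();
  const target = DOMAIN_MAP.get(domain) ?? domain; // unmapped domains pass through

  // The host is fixed and searchParams percent-encodes the value, so the
  // typed name can neither change the destination nor inject parameters.
  const url = new URL(SSPR_BASE);
  url.searchParams.set("username", `${local}@${target}`);
  return url.toString();
}

// Browser wiring for the "Start" button; skipped when run outside a browser.
if (typeof document !== "undefined") {
  document.getElementById("start").addEventListener("click", () => {
    const url = buildResetUrl(document.getElementById("signin").value);
    if (url) {
      window.location.assign(url);
    } else {
      alert("Enter your sign-in name in the form name@domain.");
    }
  });
}
```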

