Azure AD B2C密码到期 [英] Azure AD B2C password expiration

问题描述

我们在解决方案中使用 Azure AD B2C 并采用了注册或登录"政策.定期地(我没有计算确切的天数)，当我尝试登录时，我得到:无效的用户名或密码".我必须重置密码才能使其正常工作.

We leverage Azure AD B2C in our solution with a "sign up or sign in" policy. On a regular basis (I have not counted the exact number of days), when I try to login, I got : "invalid username or password". I have to reset my password to make it work.

所以我有两个问题:

• 是否有默认的密码过期政策? Azure B2C Connect上的一项功能请求是启用这种自定义过期策略的定义，但我在文档中没有发现默认设置已经存在的事实.有什么办法可以消除此默认行为(即没有过期)?

• Is there a default password expiration policy? One of the feature request on Azure B2C Connect is to enable the definition of such custom expiration policy but I have not found in the documentation the fact that a default one was in place. Is there any way to remove this default behavior (i.e. no expiration)?

消息无效的用户名或密码"具有误导性，应为您的密码已过期".有什么办法改变吗?

The message "invalid username or password" is misleading and should be "your password has expired". Any way to change that ?

谢谢！

推荐答案

有默认的密码过期策略吗?

Is there a default password expiration policy?

对于B2C本地帐户:

注意:只能通过注册或AAD Graph API创建本地帐户.您不能通过单击BAD租户AAD中的新用户"来创建它.

默认情况下，本地帐户没有密码过期策略..AzureAD B2C的注册，注册或登录和密码重置策略使用"strong"密码强度，而"t使Azure AD B2C中的本地帐户密码失效.您可以在

There is no password expiration policy for local accounts by default. Azure AD B2C's sign-up, sign-up or sign-in and password reset policies use the "strong" password strength and don't expire any passwords for local accounts in Azure AD B2C. You can see this in this FAQ.

但是，在某些情况下，您可能会遇到B2C本地帐户用户密码过期的情况.

Howerver, there are also some conditions which you may come across the B2C local account users password expiration.

• 默认情况下，如果通过内置密码策略创建本地帐户，则此策略会将passwordPolicies属性设置为DisablePasswordExpiration.因此，B2C本地用户的密码不会过期.

• Defaultly, if a local account is created by built-in password policy, then this policy sets the passwordPolicies property to DisablePasswordExpiration. So the passwords of B2C local users won't expire.

但是，如果通过自定义策略或Azure AD Graph API创建本地帐户，则必须将passwordPolicies属性手动设置为DisablePasswordExpiration.

However, if a local account is created by either a custom policy or Azure AD Graph API, then you have to set the passwordPolicies property to be DisablePasswordExpiration manually.

因此，如果您未将密码"策略的属性设置为DisablePasswordExpiration，则本地用户的密码可能在90天后过期而没有通知.

So, If your local users' passwords may expire after 90 days without notification if you don't set the property of the Password policy to be DisablePasswordExpiration.

是否可以删除此默认行为(即没有过期)?消息无效的用户名或密码"具有误导性，应为您的密码已过期".有什么办法改变吗?

Is there any way to remove this default behavior (i.e. no expiration)? The message "invalid username or password" is misleading and should be "your password has expired". Any way to change that?

本地帐户的解决方案:

1. 您可以参考

1. You can refer to this example to create B2C local users without password expiration via AAD Graph API:

POST https://graph.windows.net/contosob2c.onmicrosoft.com/users?api-version=1.6
Authorization: Bearer eyJhbGciOiJSUzI1NiIsIng1dCI6IjdkRC1nZWNOZ1gxWmY3R0xrT3ZwT0IyZGNWQSIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJod...
Content-Type: application/json
Content-Length: 338
{
// All of these properties are required to create consumer users.
"accountEnabled": true,
"signInNames": [                            // controls which identifier the user uses to sign in to the account
    {
        "type": "emailAddress",             // can be 'emailAddress' or 'userName'
        "value": "joeconsumer@gmail.com"
    }
],
"creationType": "LocalAccount",            // always set to 'LocalAccount'
"displayName": "Joe Consumer",                // a value that can be used for displaying to the end user
"mailNickname": "joec",                        // an email alias for the user
"passwordProfile": {
    "password": "P@ssword!",
    "forceChangePasswordNextLogin": false   // always set to false
},
"passwordPolicies": "DisablePasswordExpiration"
}

通过AAD Graph API使用 PATCH 方法将受影响用户的密码策略属性更新为DisablePasswordExpiration，您可以参考

Update the Password Polices's property of affected users to be DisablePasswordExpiration with PATCH method via AAD Graph API, you can refer to this documentation to update your b2c users.

要求所有受影响的B2C用户更改其密码.

Ask all affected B2C users to change their passwords.

---

对于社交帐户:

密码有效期取决于身份提供者的密码策略. AAD也可以是AAD B2C中的身份提供者.

---

For Social accounts:

The password expiration depends on the Identity provider's password policy. AAD can also be an identity provider in AAD B2C.

仅适用于工作或学校帐户的AAD密码过期政策.可以应用于在Azure AD中创建和管理的用户帐户的可用密码策略设置.

AAD Password Expiration policies that apply only to work or school accounts. The available password policy settings that can be applied to user accounts that are created and managed in Azure AD.

因此，如果将AAD作为AAD B2C的社交帐户，则密码过期策略将影响这些社交帐户.

So, if you make the AAD as a social account for the AAD B2C, the Password Expiration policies will affect those social accounts.

如果您的帐户是Azure AD中的社交帐户，请使用公司管理员凭据连接到该租户. 执行以下命令之一:

If your account is a social account in Azure AD, connect to that Tenant using your company administrator credentials. Execute one of the following commands:

1. 要将一个用户的密码设置为永不过期，请使用用户主体名称(UPN)或用户的用户ID运行以下cmdlet:Set-MsolUser -UserPrincipalName <user ID> -PasswordNeverExpires $true

要将组织中所有用户的密码设置为永不过期，请运行以下cmdlet:Get-MSOLUser | Set-MsolUser -PasswordNeverExpires $true

To set the passwords of all the users in an organization to never expire, run the following cmdlet: Get-MSOLUser | Set-MsolUser -PasswordNeverExpires $true

您可以在 查看全文