0

我试图创建一个自定义策略来复制默认密码重置策略的行为。我设置了 MFA,默认策略将要求对手机号码进行身份验证(如果尚未进行身份验证)。

我的自定义密码重置策略不要求验证用户移动设备,我不知道如何更改它以便它这样做。

密码重置.xml

<TrustFrameworkPolicy 
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
  xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" 
  PolicySchemaVersion="0.3.0.0" 
  TenantId="onmicrosoft.com" 
  PolicyId="B2C_1A_Branded_MFA_PasswordReset" 
  PublicPolicyUri="http://onmicrosoft.com/B2C_1A_Branded_MFA_PasswordReset" 
  TenantObjectId="">
  <BasePolicy>
    <TenantId>onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_Branded_MFA_SignIn_FrameworkExtensions</PolicyId>
  </BasePolicy>
  <RelyingParty>
    <DefaultUserJourney ReferenceId="PasswordReset" />
    <UserJourneyBehaviors>
      <SingleSignOn Scope="Tenant" KeepAliveInDays="14" />
      <SessionExpiryType>Absolute</SessionExpiryType>
      <SessionExpiryInSeconds>1200</SessionExpiryInSeconds>
      <ContentDefinitionParameters>
        <Parameter Name="branding">{OAUTH-KV:branding}</Parameter>
      </ContentDefinitionParameters>
    </UserJourneyBehaviors>
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>

这是所有策略 XML 文件Policy Files的链接

4

1 回答 1

1

B2C_1A_Branded_MFA_SignIn_TrustFrameworkBase.xml文件中,您必须在PasswordResetUsingEmailAddressExchangeNewCredentials编排步骤之间向PasswordReset用户旅程添加更多编排步骤,如下所示:

<OrchestrationSteps>
  <OrchestrationStep Order="1" Type="ClaimsExchange">
    <ClaimsExchanges>
      <ClaimsExchange Id="PasswordResetUsingEmailAddressExchange" TechnicalProfileReferenceId="LocalAccountDiscoveryUsingEmailAddress" />
    </ClaimsExchanges>
  </OrchestrationStep>
  <OrchestrationStep Order="2" Type="ClaimsExchange">
    <ClaimsExchanges>
      <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
    </ClaimsExchanges>
  </OrchestrationStep>
  <OrchestrationStep Order="3" Type="ClaimsExchange">
    <Preconditions>
      <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
        <Value>newPhoneNumberEntered</Value>
        <Action>SkipThisOrchestrationStep</Action>
      </Precondition>
    </Preconditions>
    <ClaimsExchanges>
      <ClaimsExchange Id="AADUserWriteWithObjectId" TechnicalProfileReferenceId="AAD-UserWritePhoneNumberUsingObjectId" />
    </ClaimsExchanges>
  </OrchestrationStep>
  <OrchestrationStep Order="4" Type="ClaimsExchange">
    <ClaimsExchanges>
      <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId" />
    </ClaimsExchanges>
  </OrchestrationStep>
  <OrchestrationStep Order="5" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
</OrchestrationSteps>

第一个编排步骤必须为最终用户加载身份验证电话号码(如果已注册)。strongAuthenticationPhoneNumber声明必须作为输出声明添加到LocalAccountDiscoveryUsingEmailAddressAAD -UserReadUsingEmailAddress技术配置文件,如下所示:

<TechnicalProfile Id="LocalAccountDiscoveryUsingEmailAddress">
  <OutputClaims>
    ...
    <OutputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />
  </OutputClaims>
</TechnicalProfile>

和:

<TechnicalProfile Id="AAD-UserReadUsingEmailAddress">
  <OutputClaims>
    ...
    <OutputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />
  </OutputClaims>
</TechnicalProfile>

第二个编排步骤提示最终用户输入新的身份验证电话号码(如果尚未为其注册),或者验证现有电话号码。PhoneFactor -InputOrVerify技术配置文件声明如下:

<ClaimsProvider>
  <DisplayName>PhoneFactor</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="PhoneFactor-InputOrVerify">
      <DisplayName>PhoneFactor</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.PhoneFactorProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ContentDefinitionReferenceId">api.phonefactor</Item>
        <Item Key="ManualPhoneNumberEntryAllowed">true</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
      </CryptographicKeys>
      <InputClaimsTransformations>
        <InputClaimsTransformation ReferenceId="CreateUserIdForMFA" />
      </InputClaimsTransformations>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="userIdForMFA" PartnerClaimType="UserId" />
        <InputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="Verified.strongAuthenticationPhoneNumber" PartnerClaimType="Verified.OfficePhone" />
        <OutputClaim ClaimTypeReferenceId="newPhoneNumberEntered" PartnerClaimType="newPhoneNumberEntered" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-MFA" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

有关以下内容的更多信息,请参阅SocialAndLocalAccountsWithMFA文件:

  • api.phonefactor内容定义
  • CreateUserIdForMFA声明转换
  • SM -MFA技术简介

第三个编排步骤为最终用户保存身份验证电话号码(如果尚未注册)。AAD-UserWritePhoneNumberUsingObjectId技术配置文件声明如下:

<TechnicalProfile Id="AAD-UserWritePhoneNumberUsingObjectId">
  <Metadata>
    <Item Key="Operation">Write</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">false</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
  </InputClaims>
  <PersistedClaims>
    <PersistedClaim ClaimTypeReferenceId="objectId" />
    <PersistedClaim ClaimTypeReferenceId="Verified.strongAuthenticationPhoneNumber" PartnerClaimType="strongAuthenticationPhoneNumber" />
  </PersistedClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>
于 2019-03-04T09:50:20.860 回答