我使用以下PowerShell为不允许自行注册的应用创建B2B用户。租户允许自助服务密码重置并需要MFA。
# B2C allows you to sign in either with your user name or email address (not both for some reason)
$SignInNames = @(
(New-Object `
Microsoft.Open.AzureAD.Model.SignInName `
-Property @{Type = "userName"; Value = $UserName}),
(New-Object `
Microsoft.Open.AzureAD.Model.SignInName `
-Property @{Type = "emailAddress"; Value = $EmailAddress})
)
# I can't actually sign in with this user.
$PasswordProfile = New-Object `
-TypeName Microsoft.Open.AzureAD.Model.PasswordProfile `
-Property @{
'Password' = $Password;
'ForceChangePasswordNextLogin' = $true;
};
New-AzureADUser `
-DisplayName $UserName.Replace('_', ' ') `
-CreationType "LocalAccount" `
-AccountEnabled $true `
-PasswordProfile $PasswordProfile `
-PasswordPolicies "DisablePasswordExpiration" `
-SignInNames $SignInNames
用户已创建,但我使用的密码不起作用。用户可以使用自助服务密码重置,这将提示他们的MFA电话号码。
如果我使用以下Azure Graph调用搜索本地用户:
https://graph.windows.net/ {{tenantId}} / users /?api-version = 1.6& $ filter = creationType eq' LocalAccount'我看到用户是这样的:
{
"odata.type": "Microsoft.DirectoryServices.User",
"objectType": "User",
"objectId": "__OBJECT_ID__",
"deletionTimestamp": null,
"accountEnabled": true,
"ageGroup": null,
"assignedLicenses": [],
"assignedPlans": [],
"city": null,
"companyName": null,
"consentProvidedForMinor": null,
"country": null,
"creationType": "LocalAccount",
"department": null,
"dirSyncEnabled": null,
"displayName": "Justin Dearing",
"employeeId": null,
"facsimileTelephoneNumber": null,
"givenName": null,
"immutableId": null,
"isCompromised": null,
"jobTitle": null,
"lastDirSyncTime": null,
"legalAgeGroupClassification": null,
"mail": null,
"mailNickname": "__MAIL_NICKNAME__",
"mobile": null,
"onPremisesDistinguishedName": null,
"onPremisesSecurityIdentifier": null,
"otherMails": [],
"passwordPolicies": null,
"passwordProfile": null,
"physicalDeliveryOfficeName": null,
"postalCode": null,
"preferredLanguage": null,
"provisionedPlans": [],
"provisioningErrors": [],
"proxyAddresses": [],
"refreshTokensValidFromDateTime": "2018-02-27T19:46:09Z",
"showInAddressList": null,
"signInNames": [
{
"type": "emailAddress",
"value": "justin.dearing@somedomain.com"
},
{
"type": "userName",
"value": "JDearing"
}
],
"sipProxyAddress": null,
"state": null,
"streetAddress": null,
"surname": null,
"telephoneNumber": null,
"usageLocation": null,
"userIdentities": [],
"userPrincipalName": "__A_GUID__@__TENANT_NAME__.onmicrosoft.com",
"userType": "Member"
},
在最终确定用户注册之前和之后,唯一改变的是refreshTokensValidFromDateTime
字段。使用Microsoft图形查询可以获得更少的字段:
https://graph.microsoft.com/v1.0/users?$ filter = creationType eq' LocalAccount'
甚至$select=*
都没有解决这个问题。为了创造更好的用户体验,我如何创建一个B2C用户,我最初提供给用户的密码将使用MFA帐户,而无需点击"忘记密码"。
是的我也喜欢我给用户一次性用户的密码。但这是一个单独的问题。
答案 0 :(得分:1)
我针对我的B2C租户执行了您的脚本,我能够创建用户并登录w / o问题。我已针对为用户名和电子邮件配置的本地帐户尝试了相同的脚本。没有任何问题。
我通过本地B2C管理员帐户创建了用户。
您需要使用B2C租户本地的B2C租户管理员帐户。这些帐户如下所示:myusername@myb2ctenant.onmicrosoft.com。
Powershell脚本
$AzureAdCred = Get-Credential
#enter local B2C admin credential in the popup
Connect-AzureAD -Credential $AzureAdCred
$UserName="blah6985"
$EmailAddress="blah6985@outlook.com"
$Password="UEDsda;lad-8af:L;"
$SignInNames = @(
(New-Object `
Microsoft.Open.AzureAD.Model.SignInName `
-Property @{Type = "userName"; Value = $UserName}),
(New-Object `
Microsoft.Open.AzureAD.Model.SignInName `
-Property @{Type = "emailAddress"; Value = $EmailAddress})
)
$PasswordProfile = New-Object `
-TypeName Microsoft.Open.AzureAD.Model.PasswordProfile `
-Property @{
'Password' = $Password;
'ForceChangePasswordNextLogin' = $false;
};
New-AzureADUser `
-DisplayName $UserName.Replace('_', ' ') `
-CreationType "LocalAccount" `
-AccountEnabled $true `
-PasswordProfile $PasswordProfile `
-SignInNames $SignInNames