如何使用 B2C 自定义策略对手机进行身份验证

Question

我尝试创建一个自定义策略来复制默认密码重置策略的行为。我设置了 MFA，默认策略将要求对手机号码进行身份验证（如果尚未进行身份验证）。

我的自定义密码重置策略不要求验证用户的移动设备，我不知道如何更改它。

密码重置.xml

<TrustFrameworkPolicy 
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
  xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" 
  PolicySchemaVersion="0.3.0.0" 
  TenantId="onmicrosoft.com" 
  PolicyId="B2C_1A_Branded_MFA_PasswordReset" 
  PublicPolicyUri="http://onmicrosoft.com/B2C_1A_Branded_MFA_PasswordReset" 
  TenantObjectId="">
  <BasePolicy>
    <TenantId>onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_Branded_MFA_SignIn_FrameworkExtensions</PolicyId>
  </BasePolicy>
  <RelyingParty>
    <DefaultUserJourney ReferenceId="PasswordReset" />
    <UserJourneyBehaviors>
      <SingleSignOn Scope="Tenant" KeepAliveInDays="14" />
      <SessionExpiryType>Absolute</SessionExpiryType>
      <SessionExpiryInSeconds>1200</SessionExpiryInSeconds>
      <ContentDefinitionParameters>
        <Parameter Name="branding">{OAUTH-KV:branding}</Parameter>
      </ContentDefinitionParameters>
    </UserJourneyBehaviors>
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>

这里是所有政策 XML 文件的链接Policy Files

Answer 1

在 B2C_1A_Branded_MFA_SignIn_TrustFrameworkBase.xml 文件中，您必须在 PasswordResetUsingEmailAddressExchange 和 NewCredentials 编排步骤之间添加更多编排步骤到 PasswordReset用户旅程，如下：

<OrchestrationSteps>
  <OrchestrationStep Order="1" Type="ClaimsExchange">
    <ClaimsExchanges>
      <ClaimsExchange Id="PasswordResetUsingEmailAddressExchange" TechnicalProfileReferenceId="LocalAccountDiscoveryUsingEmailAddress" />
    </ClaimsExchanges>
  </OrchestrationStep>
  <OrchestrationStep Order="2" Type="ClaimsExchange">
    <ClaimsExchanges>
      <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
    </ClaimsExchanges>
  </OrchestrationStep>
  <OrchestrationStep Order="3" Type="ClaimsExchange">
    <Preconditions>
      <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
        <Value>newPhoneNumberEntered</Value>
        <Action>SkipThisOrchestrationStep</Action>
      </Precondition>
    </Preconditions>
    <ClaimsExchanges>
      <ClaimsExchange Id="AADUserWriteWithObjectId" TechnicalProfileReferenceId="AAD-UserWritePhoneNumberUsingObjectId" />
    </ClaimsExchanges>
  </OrchestrationStep>
  <OrchestrationStep Order="4" Type="ClaimsExchange">
    <ClaimsExchanges>
      <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId" />
    </ClaimsExchanges>
  </OrchestrationStep>
  <OrchestrationStep Order="5" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
</OrchestrationSteps>

第一个编排步骤必须为最终用户加载身份验证电话号码（如果已注册）。 strongAuthenticationPhoneNumber 声明必须作为输出声明添加到 LocalAccountDiscoveryUsingEmailAddress 和 AAD-UserReadUsingEmailAddress 技术配置文件，如下所示：

<TechnicalProfile Id="LocalAccountDiscoveryUsingEmailAddress">
  <OutputClaims>
    ...
    <OutputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />
  </OutputClaims>
</TechnicalProfile>

和：

<TechnicalProfile Id="AAD-UserReadUsingEmailAddress">
  <OutputClaims>
    ...
    <OutputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />
  </OutputClaims>
</TechnicalProfile>

第二个编排步骤提示最终用户输入新的身份验证电话号码（如果尚未为其注册），或者验证现有电话号码。 PhoneFactor-InputOrVerify 技术配置文件声明如下：

<ClaimsProvider>
  <DisplayName>PhoneFactor</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="PhoneFactor-InputOrVerify">
      <DisplayName>PhoneFactor</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.PhoneFactorProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ContentDefinitionReferenceId">api.phonefactor</Item>
        <Item Key="ManualPhoneNumberEntryAllowed">true</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
      </CryptographicKeys>
      <InputClaimsTransformations>
        <InputClaimsTransformation ReferenceId="CreateUserIdForMFA" />
      </InputClaimsTransformations>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="userIdForMFA" PartnerClaimType="UserId" />
        <InputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="Verified.strongAuthenticationPhoneNumber" PartnerClaimType="Verified.OfficePhone" />
        <OutputClaim ClaimTypeReferenceId="newPhoneNumberEntered" PartnerClaimType="newPhoneNumberEntered" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-MFA" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

请参阅SocialAndLocalAccountsWithMFA 文件了解更多信息：

• api.phonefactor 内容定义
• CreateUserIdForMFA 声明转换
• SM-MFA 技术简介

第三个编排步骤会为最终用户保存身份验证电话号码（如果尚未注册）。 AAD-UserWritePhoneNumberUsingObjectId 技术配置文件声明如下：

<TechnicalProfile Id="AAD-UserWritePhoneNumberUsingObjectId">
  <Metadata>
    <Item Key="Operation">Write</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">false</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
  </InputClaims>
  <PersistedClaims>
    <PersistedClaim ClaimTypeReferenceId="objectId" />
    <PersistedClaim ClaimTypeReferenceId="Verified.strongAuthenticationPhoneNumber" PartnerClaimType="strongAuthenticationPhoneNumber" />
  </PersistedClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>