删除 Azure AD B2C 中密码重置策略中的电子邮件验证步骤

Question

我无法删除密码重置中的电子邮件验证步骤。我尝试将编排步骤添加到 trustframeworkextensions.xml。上传策略时，我不断收到错误消息。错误是：“错误：用户旅程必须在声明提供者选择之前”。

我在Azure AD B2C Password Reset policy without email verification step 看过类似的帖子。我尝试了删除验证中提到的解决方案，但仍然遇到同样的错误。有什么帮助吗？

这是从 TrustFrameworkExtensions.xml 移动到 TrustFrameworkBase.xml 的 UserJourney

<UserJourney Id="PasswordReset">
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="UserReadUsingEmailAddressExchange" TechnicalProfileReferenceId="AAD-UserReadUsingEmailAddress" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
  <ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>

Answer 1

对于密码重置策略中的电子邮件验证，您可以检查 Azure 门户，然后尝试在门户中编辑此策略。 详情可以阅读build-in policies。

Answer 2

将 userjourney 从 trustframeworkextensions.xml 移动到 TrustFrameworkBase.xml 将解决此问题。

如果这不起作用。您尝试以下步骤，以下更改将要求用户提供用户名和电子邮件，并将针对 AD 进行验证。

1. 添加以下声明

   <ClaimType Id="EmailPlaceHolder"> <DisplayName>Enter your Email</DisplayName> <DataType>string</DataType> <UserHelpText>Enter your Email</UserHelpText> <UserInputType>TextBox</UserInputType> <Restriction> <Pattern RegularExpression="^[a-zA-Z0-9.+!#$%&amp;'^_{}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$" HelpText="Please enter a valid email address." /> </Restriction> </ClaimType>

   <ClaimType Id="UserNamePlaceHolder"> <DisplayName>Enter your Username</DisplayName> <DataType>string</DataType> <UserHelpText>Enter your Username</UserHelpText> <UserInputType>TextBox</UserInputType> </ClaimType>

2.添加以下用户旅程

`<UserJourney Id="PasswordReset">
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="PasswordResetUsingEmailAddressExchange" TechnicalProfileReferenceId="LocalAccountDiscoveryUsingLogonName" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
  <ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>`

3.更改 LocalAccountDiscoveryUsingLogonName 技术配置文件

`<TechnicalProfile Id="LocalAccountDiscoveryUsingLogonName">
  <DisplayName>Reset password using logon name</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="IpAddressClaimReferenceId">IpAddress</Item>
    <Item Key="ContentDefinitionReferenceId">api.localaccountpasswordreset</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
  </CryptographicKeys>
  <IncludeInSso>false</IncludeInSso>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="UserNamePlaceHolder" Required="true" />
    <OutputClaim ClaimTypeReferenceId="EmailPlaceHolder" Required="true" />
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingLogonName" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>`

4.添加/修改 AAD-UserReadUsingLogonName 技术配置文件

`<TechnicalProfile Id="AAD-UserReadUsingLogonName">
  <Metadata>
    <Item Key="Operation">Read</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">true</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="UserNamePlaceHolder" PartnerClaimType="signInNames.userName" Required="true" />
    <InputClaim ClaimTypeReferenceId="EmailPlaceHolder" PartnerClaimType="email" Required="true" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="newUser" PartnerClaimType="newClaimsPrincipalCreated" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>`

如果您想添加其他要验证的属性，请将它们添加到 LocalAccountDiscoveryUsingLogonName 并在 AAD-UserReadUsingLogonName 中使用它们进行验证。

PartnerClaimType="Verified.Email" 会要求用户通过发送验证码来验证电子邮件。