Azure 是否提供任何以编程方式登录、重置密码或设备身份验证的功能,如 AWS Cognito?

我有一个 Web 应用程序,该应用程序在 Azure AD 中有一组用户,我想通过用户名/密码对其进行身份验证,但使用我自己风格的登录屏幕自定义解决方案,并具有类似于 AWS Cognito 的设备身份验证方式OTP/MFA.

I have a web app that has a group of users in Azure AD and I'd like to authenticate against that via username/password but customize the solution with my own styled login screen and have device authentication similar to how AWS Cognito has the OTP/MFA.

我寻求的用户流:

  1. 用户访问我的网站
  2. 我提供自己的登录表单
  3. 理论上,该表单将使用 AWS Cognito 提供的相同功能,以编程方式登录,无需 Microsoft 流程或重定向
  4. 无论是使用 Azure 功能/API 还是我自己的,我都会为 MFA 进行设备身份验证

所以,查看提供的流程列表:

So, looking at the list of flows provided:

我可以使用哪些可能的流程来完成我的需要?

What are the possible flows that I can use to accomplish what I need?

  1. 用户名/密码密码"授予仅在禁用 MFA 时才有效,因此我可以设想的一种情况是可以将其与我自己的执行 MFA 的代码(并且可能使用 MS Authenticator)结合起来.它似乎也不适用于重置密码.

  1. The username/password "password" grant only works if MFA is disabled, so one scenario I can envision is possible combining this with my own code that does MFA (and possibly using MS Authenticator). It also doesn't seemingly work for resetting passwords.

交互式流程是标准流程,将显示默认 MS 页面和 MFA,但不可自定义

The interactive flow is the standard flow and would show the default MS page along with MFA but it wouldn't be customizeable

是否可以使用自定义流程或设备代码流程,这是否仅限于 B2C 租户?

Would a custom flow be possible, or a device code flow and would this be limited to just a B2C tenant?

是否可以将 Azure AD 设置为联合身份并挂钩到 Cognito 的方法来执行此操作?我认为不是因为身份验证需要针对原始身份提供者,而且它似乎只能反向工作(认知用户可以访问 Azure).

Is it possible to setup Azure AD as a federated identity and hook into Cognito's methods to do this? I assume not because authentication needs to be against the original identity provider and it seems like it can only work the reverse (a cognito user gets access to Azure).

似乎唯一可能的解决方案是将 Azure 的 ROPC 与用户名/密码密码授予 API 端点结合使用我自己的设备身份验证,但这不会考虑密码重置,也不会提供任何 api 设备身份验证方法?

It seems like the only possible solution would be using Azure's ROPC with a username/password password grant API endpoint combined with my own device authentication, but this wouldn't account for password resetting nor does it seemingly provide any api device auth methods?

提前致谢

推荐答案

在 Azure AD(非 B2C)中自定义登录页面目前仅限于 品牌更新.但这仅在高级层中可用.

Customizing login page in Azure AD (not B2C) is currently limited to Branding update. But that is available only in Premium tier.

您可以在此处对反馈进行投票.

You can upvote the feedback here.

另一个选项是 资源所有者密码凭据 使用您自己的页面,但 Microsoft 建议 不 使用 ROPC 流.MFA 也不能在 ROPC 中工作.

Another option is Resource Owner Password Credentials with your own page but Microsoft recommends NOT to use ROPC flow. Also MFA would not work in ROPC.

当您说用户名/密码"时仅在启用 MFA 时授予才有效",不确定我是否可以遵循!你能解释一下吗?

When you said "The username/password "password" grant only works if MFA is enabled", not sure if I could follow that! Can you explain?

而且,自定义用户流仅限于 B2C.https://docs.microsoft.com/azure/active-directory-b2c/

And, custom user flow is only limited to B2C. https://docs.microsoft.com/azure/active-directory-b2c/

相关文章