Frequently asked questions about Azure Multi-Factor Authentication

This FAQ answers common questions about Azure Multi-Factor Authentication and using the Multi-Factor Authentication service. It's broken down into questions about the service in general, billing models, user experiences, and troubleshooting.



Most billing questions can be answered by referring to the Multi-Factor Authentication Pricing page.

Q: Is my organization charged for sending the phone calls and text messages that are used for authentication?

No, you are not charged for individual phone calls placed or text messages sent to users through Azure Multi-Factor Authentication.

Your users might be charged for the phone calls or text messages they receive, according to their personal phone service.

Manage and support user accounts

Q: What should I tell my users to do if they don't receive a response on their phone?

Have your users attempt up to 5 times in 5 minutes to get a phone call or SMS for authentication. Microsoft uses multiple providers for delivering calls and SMS messages. If this doesn't work, please open a support case with Microsoft to further troubleshoot.

If the steps above do not work, hopefully all your users configured more than one verification method. Tell them to try signing in again, but select a different verification method on the sign-in page.

You can point your users to the End-user troubleshooting guide.

Q: What should I do if one of my users can't get into their account?

You can reset the user's account by making them go through the registration process again. Learn more about managing user and device settings with Azure Multi-Factor Authentication in the cloud.

Q: My users say that sometimes they don't receive the text message, or they reply to two-way text messages but the verification times out.

Delivery of text messages and receipt of replies in two-way SMS are not guaranteed because there are uncontrollable factors that might affect the reliability of the service. These factors include the destination country/region, the mobile phone carrier, and the signal strength.

If your users often have problems with reliably receiving text messages, tell them to use the mobile app or phone call method instead. The mobile app can receive notifications both over cellular and Wi-Fi connections. In addition, the mobile app can generate verification codes even when the device has no signal at all. The Microsoft Authenticator app is available for Android, iOS, and Windows Phone.

If you must use text messages, we recommend using one-way SMS rather than two-way SMS when possible. One-way SMS is more reliable, and it prevents users from incurring global SMS charges from replying to a text message that was sent from another country/region.

Q: Why are my users being prompted to register their security information?

There are several reasons that users could be prompted to register their security information:

  • The user has been enabled for MFA by their administrator in Azure AD, but doesn't have security information registered for their account yet.
  • The user has been enabled for self-service password reset in Azure AD. The security information will help them reset their password in the future if they ever forget it.
  • The user accessed an application that has a Conditional Access policy to require MFA and hasn't previously registered for MFA.
  • The user is registering a device with Azure AD (including Azure AD Join), and your organization requires MFA for device registration, but the user has not previously registered for MFA.
  • The user is generating Windows Hello for Business in Windows 10 (which requires MFA) and hasn't previously registered for MFA.
  • The organization has created and enabled an MFA Registration policy that has been applied to the user.
  • The user previously registered for MFA, but chose a verification method that an administrator has since disabled. The user must therefore go through MFA registration again to select a new default verification method.


Q: What should users do if they see an "Authentication request is not for an activated account" error message when using mobile app notifications?

Tell them to follow this procedure to remove their account from the mobile app, then add it again:

  1. Go to your Azure portal profile and sign in with your organizational account.
  2. Select Additional Security Verification.
  3. Remove the existing account from the mobile app.
  4. Click Configure, and then follow the instructions to reconfigure the mobile app.

Q: What should users do if they see a 0x800434D4L error message when signing in to a non-browser application?

The 0x800434D4L error occurs when you try to sign in to a non-browser application, installed on a local computer, that doesn't work with accounts that require two-step verification.

A workaround for this error is to have separate user accounts for admin-related and non-admin operations. Later, you can link mailboxes between your admin account and non-admin account so that you can sign in to Outlook by using your non-admin account. For more details about this solution, learn how to give an administrator the ability to open and view the contents of a user's mailbox.


