Frequently asked questions about Azure AD Multi-Factor Authentication

This FAQ answers common questions about Azure AD Multi-Factor Authentication and using the Multi-Factor Authentication service. It's broken down into questions about the service in general, billing models, user experiences, and troubleshooting.

Billing

Most billing questions can be answered by referring to the Multi-Factor Authentication Pricing page.

Is my organization charged for sending the phone calls and text messages that are used for authentication?

No, you're not charged for individual phone calls placed or text messages sent to users through Azure AD Multi-Factor Authentication.

Your users might be charged for the phone calls or text messages they receive, according to their personal phone service.

Manage and support user accounts

What should I tell my users to do if they don't receive a response on their phone?

Have your users attempt up to five times in 5 minutes to get a phone call or SMS for authentication. Microsoft uses multiple providers for delivering calls and SMS messages. If this approach doesn't work, open a support case to troubleshoot further.

Third-party security apps may also block the verification code text message or phone call. If using a third-party security app, try disabling the protection, then request that another MFA verification code be sent.

If the steps above don't work, check whether users are configured for more than one verification method. Try signing in again, but select a different verification method on the sign-in page.

For more information, see the end-user troubleshooting guide.

What should I do if one of my users can't get in to their account?

You can reset the user's account by having them go through the registration process again. Learn more about managing user and device settings with Azure AD Multi-Factor Authentication in the cloud.

My users say that sometimes they don't receive the text message or the verification times out.

Delivery of SMS messages isn't guaranteed because there are uncontrollable factors that might affect the reliability of the service. These factors include the destination country or region, the mobile phone carrier, and the signal strength.

Third-party security apps may also block the verification code text message or phone call. If using a third-party security app, try disabling the protection, then request that another MFA verification code be sent.

If your users often have problems with reliably receiving text messages, tell them to use the Microsoft Authenticator app or phone call method instead. The Microsoft Authenticator app can receive notifications over both cellular and Wi-Fi connections. In addition, the mobile app can generate verification codes even when the device has no signal at all. The Microsoft Authenticator app is available for Android, iOS, and Windows Phone.

Why are my users being prompted to register their security information?

There are several reasons that users could be prompted to register their security information:

  • The user has been enabled for MFA by their administrator in Azure AD, but doesn't have security information registered for their account yet.
  • The user has been enabled for self-service password reset in Azure AD. The security information will help them reset their password in the future if they ever forget it.
  • The user accessed an application that has a Conditional Access policy to require MFA and hasn't previously registered for MFA.
  • The user is registering a device with Azure AD (including Azure AD Join), and your organization requires MFA for device registration, but the user hasn't previously registered for MFA.
  • The user is generating Windows Hello for Business in Windows 10 (which requires MFA) and hasn't previously registered for MFA.
  • The organization has created and enabled an MFA Registration policy that has been applied to the user.
  • The user previously registered for MFA, but chose a verification method that an administrator has since disabled. The user must therefore go through MFA registration again to select a new default verification method.

Errors

What should users do if they see an "Authentication request is not for an activated account" error message when using mobile app notifications?

Ask the user to complete the following procedure to remove their account from the Microsoft Authenticator app, then add it again:

  1. Go to their Azure portal profile and sign in with an organizational account.
  2. Select Additional Security Verification.
  3. Remove the existing account from the Microsoft Authenticator app.
  4. Click Configure, and then follow the instructions to reconfigure the Microsoft Authenticator app.

What should users do if they see a 0x800434D4L error message when signing in to a non-browser application?

The 0x800434D4L error occurs when you try to sign in to a non-browser application, installed on a local computer, that doesn't work with accounts that require two-step verification.

A workaround for this error is to have separate user accounts for admin-related and non-admin operations. Later, you can link mailboxes between your admin account and non-admin account so that you can sign in to Outlook by using your non-admin account. For more details about this solution, learn how to give an administrator the ability to open and view the contents of a user's mailbox.

Next steps

If your question isn't answered here, the following support options are available:

  • Search the Microsoft Support Knowledge Base for solutions to common technical issues.
  • Search for and browse technical questions and answers from the community, or ask your own question in the Azure Active Directory Q&A.
  • Contact a Microsoft professional through Azure Multi-Factor Authentication Server support. When contacting us, it's helpful if you can include as much information about your issue as possible. Information you can supply includes the page where you saw the error, the specific error code, the specific session ID, and the ID of the user who saw the error.