Troubleshoot self-service password reset in Azure Active Directory

Azure Active Directory (Azure AD) self-service password reset (SSPR) lets users reset their passwords in the cloud.

If you have problems with SSPR, the following troubleshooting steps and common errors may help.

If you can't find the answer to your problem, our support teams are always available to assist you further.

SSPR configuration in the Azure portal

If you have problems seeing or configuring SSPR options in the Azure portal, review the following troubleshooting steps:

I don't see the Password reset section under Azure AD in the Azure portal.

You won't see the Password reset menu option if you don't have an Azure AD license assigned to the administrator performing the operation.

To assign a license to the administrator account in question, follow the steps to Assign, verify, and resolve problems with licenses.

I don't see a particular configuration option.

Many elements of the UI are hidden until they're needed. Make sure the option is enabled before you look for the specific configuration options.

I don't see the On-premises integration tab.

On-premises password writeback is only visible if you've downloaded Azure AD Connect and have configured the feature.

For more information, see Getting started with Azure AD Connect.

SSPR reporting

If you have problems with SSPR reporting in the Azure portal, review the following troubleshooting steps:

I don't see any password management activity types in the Self-Service Password Management audit event category.

This can happen if you don't have an Azure AD license assigned to the administrator performing the operation.

To assign a license to the administrator account in question, follow the steps to Assign, verify, and resolve problems with licenses.

User registrations show multiple times.

When a user registers, we currently log each individual piece of data that's registered as a separate event.

If you want to aggregate this data and have greater flexibility in how you can view it, you can download the report and open the data as a pivot table in Excel.

SSPR registration portal

If your users have problems registering for SSPR, review the following troubleshooting steps:

The directory isn't enabled for password reset. The user may see an error that reports, "Your administrator has not enabled you to use this feature."

You can enable SSPR for all users, no users, or for selected groups of users. Only one Azure AD group can currently be enabled for SSPR using the Azure portal. As part of a wider deployment of SSPR, nested groups are supported. Make sure that the users in the group(s) you choose have the appropriate licenses assigned.

In the Azure portal, change the Self-service password reset enabled configuration to Selected or All and then select Save.

The user doesn't have an Azure AD license assigned. The user may see an error that reports, "Your administrator has not enabled you to use this feature."

Only one Azure AD group can currently be enabled for SSPR using the Azure portal. As part of a wider deployment of SSPR, nested groups are supported. Make sure that the users in the group(s) you choose have the appropriate licenses assigned. Review the previous troubleshooting step to enable SSPR as required.

Also review troubleshooting steps to make sure that the administrator performing the configuration options has a license assigned. To assign a license to the administrator account in question, follow the steps to Assign, verify, and resolve problems with licenses.

There's an error processing the request.

Generic SSPR registration errors can be caused by many issues, but generally this error is caused by either a service outage or a configuration issue. If you continue to see this generic error when you retry the SSPR registration process, contact Microsoft support for additional assistance.

SSPR usage

If you or your users have problems using SSPR, review the following troubleshooting scenarios and resolution steps:

Error: The directory isn't enabled for password reset.
Solution: In the Azure portal, change the Self-service password reset enabled configuration to Selected or All and then select Save.

Error: The user doesn't have an Azure AD license assigned.
Solution: This can happen if you don't have an Azure AD license assigned to the desired user. To assign a license to the administrator account in question, follow the steps to Assign, verify, and resolve problems with licenses.

Error: The directory is enabled for password reset, but the user has missing or malformed authentication information.
Solution: Make sure that user has properly formed contact data on file in the directory. For more information, see Data used by Azure AD self-service password reset.

Error: The directory is enabled for password reset, but the user has only one piece of contact data on file when the policy is set to require two verification methods.
Solution: Make sure that the user has at least two properly configured contact methods. An example is having both a mobile phone number and an office phone number.

Error: The directory is enabled for password reset and the user is properly configured, but the user is unable to be contacted.
Solution: This can be the result of a temporary service error or if there's incorrect contact data that we can't properly detect.

If the user waits 10 seconds, a link is displayed to "Try again" and "Contact your administrator". If the user selects "Try again," it retries the call. If the user selects "Contact your administrator," it sends a form email to the administrators requesting a password reset to be performed for that user account.

Error: The user never receives the password reset SMS or phone call.
Solution: This can be the result of a malformed phone number in the directory. Make sure the phone number is in the format "+1 4251234567".

Password reset doesn't support extensions, even if you specify one in the directory. The extensions are stripped before the call is made. Use a number without an extension, or integrate the extension into the phone number in your private branch exchange (PBX).

Error: The user never receives the password reset email.
Solution: The most common cause for this problem is that the message is rejected by a spam filter. Check your spam, junk, or deleted items folder for the email.

Also, make sure the user checks the correct email account as registered with SSPR.

Error: I've set a password reset policy, but when an admin account uses password reset, that policy isn't applied.
Solution: Microsoft manages and controls the administrator password reset policy to ensure the highest level of security.

Error: The user is prevented from attempting a password reset too many times in a day.
Solution: An automatic throttling mechanism is used to block users from attempting to reset their passwords too many times in a short period of time. Throttling occurs in the following scenarios:
  • The user attempts to validate a phone number five times in one hour.
  • The user attempts to use the security questions gate five times in one hour.
  • The user attempts to reset a password for the same user account five times in one hour.
If a user encounters this problem, they must wait 24 hours after the last attempt. The user can then reset their password.

Error: The user sees an error when validating their phone number.
Solution: This error occurs when the phone number entered doesn't match the phone number on file. Make sure the user is entering the complete phone number, including the area and country code, when they attempt to use a phone-based method for password reset.

Error: There's an error processing the request.
Solution: Generic SSPR registration errors can be caused by many issues, but generally this error is caused by either a service outage or a configuration issue. If you continue to see this generic error when you re-try the SSPR registration process, contact Microsoft support for additional assistance.

Error: On-premises policy violation
Solution: The password doesn't meet the on-premises Active Directory password policy. The user must define a password that meets the complexity or strength requirements.

Error: Password doesn't comply with fuzzy policy
Solution: The password that was used appears in the banned password list and can't be used. The user must define a password that meets or exceeds the banned password list policy.
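
The contact-data errors above (malformed phone numbers, extensions, and fewer than two usable methods) can be caught before users hit them by auditing an export of directory contact data. The following is an added example, not Microsoft's code: the field names mobile, office_phone, alt_email and upn are hypothetical export columns, the sample records are constructed, and the phone pattern is an assumed generalization of the "+1 4251234567" format shown on this page.

```python
import re

# Assumed generalization of the page's example "+1 4251234567":
# "+", a 1-3 digit country code, one space, then the national number.
PHONE_RE = re.compile(r"^\+[1-9]\d{0,2} \d{4,14}$")
# Common ways an extension is typed into a phone field (assumption).
EXT_RE = re.compile(r"\s*(?:ext\.?|x|#)\s*\d+$", re.IGNORECASE)
# Deliberately loose shape check for an alternate email address.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

PHONE_FIELDS = ("mobile", "office_phone")   # hypothetical export columns
EMAIL_FIELD = "alt_email"                   # hypothetical export column


def phone_problems(value):
    """Return the reasons a directory phone value is unusable for SSPR."""
    problems = []
    base = EXT_RE.sub("", value.strip())
    if base != value.strip():
        problems.append("extension present (stripped before the call)")
    if not PHONE_RE.match(base):
        problems.append('not in "+<country code> <number>" format')
    return problems


def audit_user(user, required_methods=2):
    """Return findings for one user record; an empty list means ready."""
    findings, usable = [], 0
    for name in PHONE_FIELDS:
        raw = (user.get(name) or "").strip()
        if not raw:
            continue
        problems = phone_problems(raw)
        findings += [f"{name}: {p}" for p in problems]
        usable += 0 if problems else 1
    email = (user.get(EMAIL_FIELD) or "").strip()
    if email:
        if EMAIL_RE.match(email):
            usable += 1
        else:
            findings.append(f"{EMAIL_FIELD}: malformed address")
    if usable < required_methods:
        findings.append(
            f"{usable} usable contact method(s), policy requires {required_methods}")
    return findings


def audit(users, required_methods=2):
    """Map user ID -> findings, listing only users who would hit an error."""
    report = {}
    for user in users:
        findings = audit_user(user, required_methods)
        if findings:
            report[user["upn"]] = findings
    return report


# Constructed sample records, not real directory data.
SAMPLE_USERS = [
    {"upn": "alice@contoso.com", "mobile": "+1 4251234567", "office_phone": "+1 4255550100"},
    {"upn": "bob@contoso.com", "mobile": "425-123-4567", "office_phone": ""},
    {"upn": "carol@contoso.com", "mobile": "+1 4251234567", "office_phone": "+1 4255550100 x1234"},
    {"upn": "dave@contoso.com", "mobile": "+1 4251234567", "alt_email": "dave@contoso.com"},
]

if __name__ == "__main__":
    for upn, findings in audit(SAMPLE_USERS).items():
        print(upn, findings)
```

Set required_methods to the number of verification methods your password reset policy requires.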

SSPR errors that a user might see

The following errors and technical details may be shown to a user as part of the SSPR process. Often, the error isn't something they can resolve themselves, as the SSPR feature needs to be enabled, configured, or registered for their account.

Use the following information to understand the problem and what needs to be corrected on the Azure AD tenant or individual user account.

Error: TenantSSPRFlagDisabled = 9
Details: We're sorry, you can't reset your password at this time because your administrator has disabled password reset for your organization. There is no further action you can take to resolve this situation. Please contact your admin and ask them to enable this feature.

To learn more, see Help, I forgot my Azure AD password.
Technical details: SSPR_0009: We've detected that password reset has not been enabled by your administrator. Please contact your admin and ask them to enable password reset for your organization.

Error: WritebackNotEnabled = 10
Details: We're sorry, you can't reset your password at this time because your administrator has not enabled a necessary service for your organization. There is no further action you can take to resolve this situation. Please contact your admin and ask them to check your organization's configuration.

To learn more about this necessary service, see Configuring password writeback.
Technical details: SSPR_0010: We've detected that password writeback has not been enabled. Please contact your admin and ask them to enable password writeback.

Error: SsprNotEnabledInUserPolicy = 11
Details: We're sorry, you can't reset your password at this time because your administrator has not configured password reset for your organization. There is no further action you can take to resolve this situation. Contact your admin and ask them to configure password reset.

To learn more about password reset configuration, see Quickstart: Azure AD self-service password reset.
Technical details: SSPR_0011: Your organization has not defined a password reset policy. Please contact your admin and ask them to define a password reset policy.

Error: UserNotLicensed = 12
Details: We're sorry, you can't reset your password at this time because required licenses are missing from your organization. There is no further action you can take to resolve this situation. Please contact your admin and ask them to check your license assignment.

To learn more about licensing, see Licensing requirements for Azure AD self-service password reset.
Technical details: SSPR_0012: Your organization does not have the required licenses necessary to perform password reset. Please contact your admin and ask them to review the license assignments.

Error: UserNotMemberOfScopedAccessGroup = 13
Details: We're sorry, you can't reset your password at this time because your administrator has not configured your account to use password reset. There is no further action you can take to resolve this situation. Please contact your admin and ask them to configure your account for password reset.

To learn more about account configuration for password reset, see Roll out password reset for users.
Technical details: SSPR_0013: You are not a member of a group enabled for password reset. Contact your admin and request to be added to the group.

Error: UserNotProperlyConfigured = 14
Details: We're sorry, you can't reset your password at this time because necessary information is missing from your account. There is no further action you can take to resolve this situation. Please contact you admin and ask them to reset your password for you. After you have access to your account again, you need to register the necessary information.

To register information, follow the steps in the Register for self-service password reset article.
Technical details: SSPR_0014: Additional security info is needed to reset your password. To proceed, contact your admin and ask them to reset your password. After you have access to your account, you can register additional security info at https://account.activedirectory.windowsazure.cn/PasswordReset/Register.aspx?regref=ssprsetup. Your admin can add additional security info to your account by following the steps in Set and read authentication data for password reset.

Error: OnPremisesAdminActionRequired = 29
Details: We're sorry, we can't reset your password at this time because of a problem with your organization's password reset configuration. There is no further action you can take to resolve this situation. Please contact your admin and ask them to investigate.

Or

We cannot reset your password at this time because of a problem with your organization's password reset configuration. There is no further action you can take to resolve this issue. Please contact your admin and ask them to investigate.

To learn more about the potential problem, see Troubleshoot password writeback.
Technical details: SSPR_0029: We are unable to reset your password due to an error in your on-premises configuration. Please contact your admin and ask them to investigate.

Error: OnPremisesConnectivityError = 30
Details: We're sorry, we can't reset your password at this time because of connectivity issues to your organization. There is no action to take right now, but the problem might be resolved if you try again later. If the problem persists, please contact your admin and ask them to investigate.

To learn more about connectivity issues, see Troubleshoot password writeback connectivity.
Technical details: SSPR_0030: We can't reset your password due to a poor connection with your on-premises environment. Contact your admin and ask them to investigate.

Azure AD forums

If you have general questions about Azure AD and self-service password reset, you can ask the community for assistance on the Microsoft Q&A question page for Azure Active Directory. Members of the community include engineers, product managers, MVPs, and fellow IT professionals.

Contact Microsoft support

If you can't find the answer to a problem, our support teams are always available to assist you further.

To properly assist you, we ask that you provide as much detail as possible when opening a case. These details include the following:

  • General description of the error: What is the error? What was the behavior that was noticed? How can we reproduce the error? Provide as much detail as possible.
  • Page: What page were you on when you noticed the error? Include the URL if you're able to and a screenshot of the page.
  • Support code: What was the support code that was generated when the user saw the error?
    • To find this code, reproduce the error, then select the Support code link at the bottom of the screen and send the support engineer the GUID that results.

      The support code is located at the bottom right of the web browser window.

    • If you're on a page without a support code at the bottom, select F12 and search for the SID and CID and send those two results to the support engineer.

  • Date, time, and time zone: Include the precise date and time with the time zone that the error occurred.
  • User ID: Who was the user who saw the error? An example is user@contoso.com.
    • Is this a federated user?
    • Is this a password-hash-synchronized user?
    • Is this a cloud-only user?
  • Licensing: Does the user have an Azure AD license assigned?
  • Application event log: If you're using password writeback and the error is in your on-premises infrastructure, include a zipped copy of your application event log from the Azure AD Connect server.

Next steps

To learn more about SSPR, see How it works: Azure AD self-service password reset or How does self-service password reset writeback work in Azure AD?