Troubleshoot self-service password reset writeback in Azure Active Directory

Azure Active Directory (Azure AD) self-service password reset (SSPR) lets users reset their passwords in the cloud. Password writeback is a feature enabled with Azure AD Connect that allows password changes made in the cloud to be written back to an existing on-premises directory in real time.

If you have problems with SSPR writeback, the following troubleshooting steps and common errors may help. If you can't find the answer to your problem, our support teams are always available to assist you further.

Troubleshoot connectivity

If you have problems with password writeback for Azure AD Connect, review the following steps, which may help resolve the problem. To recover your service, we recommend that you follow these steps in order:

Confirm network connectivity

The most common point of failure is that firewall or proxy ports, or idle timeouts, are incorrectly configured.

For Azure AD Connect version 1.1.443.0 and above, outbound HTTPS access is required to the following addresses:

  • *.passwordreset.activedirectory.windowsazure.cn
  • *.servicebus.chinacloudapi.cn

If you need more granularity, see the list of Azure Datacenter IP Ranges. This list is updated every Wednesday and goes into effect the next Monday.

For more information, see the connectivity prerequisites for Azure AD Connect.
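A quick way to confirm the two paths above from the Azure AD Connect server itself, as an added example that is not part of the original article. The script opens a TCP connection on 443 and then negotiates TLS, so a proxy that accepts the socket but breaks TLS, or an intercepting certificate that the server does not trust (the "remote certificate is invalid" case in event 31034 later on this page), shows up here instead of in the event log. The article lists wildcard names, so the concrete hosts are assumptions: the first is a plausible host under the passwordreset wildcard, the second is the Service Bus host quoted in the ServiceBusError entry on this page. Note that a direct TcpClient connection bypasses any system proxy; if your server reaches the internet only through a proxy, the same test has to be run through it.

```powershell
# Added example (not from the original article): probe the outbound HTTPS paths that
# password writeback needs, from the Azure AD Connect server. The hostnames below are
# assumptions chosen to exercise the two wildcards named in the article.
$targets = @(
    'passwordreset.activedirectory.windowsazure.cn',      # assumed host under *.passwordreset.activedirectory.windowsazure.cn
    'ssprdedicatedsbprodncu.servicebus.chinacloudapi.cn'   # Service Bus host quoted in event 32002 on this page
)

function Test-WritebackEndpoint {
    param([string]$HostName, [int]$Port = 443, [int]$TimeoutMs = 5000)

    $result = [ordered]@{ Host = $HostName; Port = $Port; Tcp = 'not tested'; Tls = 'not tested' }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Bounded connect: a silently dropping firewall otherwise hangs for the OS default.
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $result.Tcp = 'timeout (firewall drop or idle-timeout proxy?)'
            return [pscustomobject]$result
        }
        $client.EndConnect($async)
        $result.Tcp = 'ok'

        # Full TLS handshake with default (trusted-root) validation, so an untrusted
        # intercepting certificate fails here exactly as it would for the writeback service.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Tls = "ok, issuer: $($cert.Issuer)"
    } catch {
        if ($result.Tcp -eq 'ok') { $result.Tls = "failed: $($_.Exception.Message)" }
        else                      { $result.Tcp = "failed: $($_.Exception.Message)" }
    } finally {
        $client.Close()
    }
    return [pscustomobject]$result
}

$targets | ForEach-Object { Test-WritebackEndpoint -HostName $_ } | Format-Table -AutoSize
```

A Tcp of "timeout" points at the firewall or proxy port rules; a Tcp of "ok" with a failed Tls points at TLS interception or a missing root CA on the server.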

Restart the Azure AD Connect Sync service

To resolve connectivity issues or other transient problems with the service, complete the following steps to restart the Azure AD Connect Sync service:

  1. As an administrator on the server that runs Azure AD Connect, select Start.

  2. Enter services.msc in the search field and press Enter.

  3. Look for the Azure AD Sync entry.

  4. Right-click the service entry, select Restart, and wait for the operation to finish.

    [Screenshot: restarting the Azure AD Sync service in the Services console]

These steps re-establish your connection with Azure AD and should resolve your connectivity issues.

If restarting the Azure AD Connect Sync service doesn't resolve your problem, try disabling and then re-enabling the password writeback feature, as described in the next section.

Disable and re-enable the password writeback feature

To continue troubleshooting, complete the following steps to disable and then re-enable the password writeback feature:

  1. As an administrator on the server that runs Azure AD Connect, open the Azure AD Connect Configuration wizard.
  2. In Connect to Azure AD, enter your Azure AD global admin credentials.
  3. In Connect to AD DS, enter your on-premises Active Directory Domain Services admin credentials.
  4. In Uniquely identifying your users, select the Next button.
  5. In Optional features, clear the Password writeback check box.
  6. Select Next through the remaining dialog pages without changing anything until you get to the Ready to configure page.
  7. Check that the Ready to configure page shows the Password writeback option as disabled. Select the green Configure button to commit your changes.
  8. In Finished, clear the Synchronize now option, and then select Finish to close the wizard.
  9. Reopen the Azure AD Connect Configuration wizard.
  10. Repeat steps 2-8, this time selecting the Password writeback option on the Optional features page to re-enable the service.
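The wizard is the documented route. As an added example that is not part of the original article, the same disable and re-enable cycle can be driven from an elevated PowerShell session on the Azure AD Connect server with the ADSync module that ships with Azure AD Connect, which also lets you confirm each half of the cycle against the onboarding and offboarding events listed later on this page. The connector-name matching (the Azure AD connector normally carries a "- AAD" suffix) and the wait intervals are assumptions; if the cmdlets report a state that disagrees with what the wizard's Optional features page shows, trust the wizard and run it instead.

```powershell
# Added example (not from the original article). Run elevated on the Azure AD Connect
# server. ADSync is installed with Azure AD Connect. The "- AAD" name pattern and the
# 30-second waits are assumptions for this illustration.
Import-Module ADSync

$aadConnector = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' } | Select-Object -First 1
if (-not $aadConnector) { throw 'Azure AD connector not found; list connectors with Get-ADSyncConnector.' }

function Get-RecentWritebackEvents {
    # PasswordResetService events of the given IDs from the last few minutes.
    param([int[]]$Id, [int]$Minutes = 2)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'PasswordResetService'
        Id = $Id; StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

"Writeback state on '$($aadConnector.Name)' before the cycle:"
Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name

# 1. Disable: expect 31012 (OffboardingEventStart) then 31013 (OffboardingEventSuccess).
#    31014 (OffboardingEventFail) usually means a permission problem or a federated global admin.
Set-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name -Enable $false
Start-Sleep -Seconds 30
Get-RecentWritebackEvents -Id 31012, 31013, 31014

# 2. Re-enable: expect 31004/31005 (onboarding), 31017 (auth token), 31018 (key pair),
#    and finally 31015 (WriteBackServiceStarted). 32009 here means the global admin
#    credentials are wrong or the account is federated.
Set-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name -Enable $true
Start-Sleep -Seconds 30
Get-RecentWritebackEvents -Id 31004, 31005, 31015, 31017, 31018, 32009

"Writeback state after the cycle:"
Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name
```

If the second event query shows no 31015, the writeback endpoint did not come back; continue with the reinstall step below.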

These steps re-establish your connection with Azure AD and should resolve your connectivity issues.

If disabling and then re-enabling the password writeback feature doesn't resolve your problem, reinstall Azure AD Connect as described in the next section.

Install the latest Azure AD Connect release

Reinstalling Azure AD Connect can resolve configuration and connectivity issues between Azure AD and your local Active Directory Domain Services environment. We recommend that you perform this step only after you have attempted the previous steps to verify and troubleshoot connectivity.

Warning

If you've customized the out-of-the-box sync rules, back them up before you proceed with the upgrade, then manually redeploy them after you're finished.

  1. Download the latest version of Azure AD Connect from the Microsoft Download Center.

  2. As you've already installed Azure AD Connect, perform an in-place upgrade to update your Azure AD Connect installation to the latest version.

    Run the downloaded package and follow the on-screen instructions to update Azure AD Connect.

These steps should re-establish your connection with Azure AD and resolve your connectivity issues.

If installing the latest version of Azure AD Connect doesn't resolve your problem, try disabling and then re-enabling password writeback once more, as a final step after the upgrade.

Verify that Azure AD Connect has the required permissions

Azure AD Connect requires the AD DS Reset password permission to perform password writeback. To check whether Azure AD Connect has the required permission on a given on-premises AD DS user account, use the Windows Effective Access feature:

  1. Sign in to the Azure AD Connect server and start the Synchronization Service Manager by selecting Start > Synchronization Service.

  2. Under the Connectors tab, select the on-premises Active Directory Domain Services connector, and then select Properties.

    [Screenshot: Synchronization Service Manager showing how to edit connector properties]

  3. In the pop-up window, select Connect to Active Directory Forest and make a note of the User name property. This is the AD DS account that Azure AD Connect uses to perform directory synchronization.

    For Azure AD Connect to perform password writeback, this AD DS account must have the Reset password permission. You check the permissions of this account in the following steps.

    [Screenshot: finding the Synchronization Service Active Directory user account]

  4. Sign in to an on-premises domain controller and start the Active Directory Users and Computers application.

  5. Select View and make sure the Advanced Features option is enabled.

    [Screenshot: Active Directory Users and Computers showing Advanced Features]

  6. Look for the AD DS user account you want to verify. Right-click the account name and select Properties.

  7. In the pop-up window, go to the Security tab and select Advanced.

  8. In the Advanced Security Settings pop-up window (titled for the account you selected), go to the Effective Access tab.

  9. Choose Select a user, select the AD DS account used by Azure AD Connect, and then select View effective access.

    [Screenshot: Effective Access tab showing the sync account]

  10. Scroll down and look for Reset password. If the entry has a check mark, the AD DS account has permission to reset the password of the selected Active Directory user account.

    [Screenshot: verifying that the sync account has the Reset password permission]
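The same check from PowerShell, as an added example that is not part of the original article. It reads the target user's security descriptor, keeps only the ACEs that can grant the Reset password extended right (identified on an ACE by its GUID, not by name), and matches them against the SIDs the connector account carries, including nested group membership. It also reports whether the user is AdminSDHolder-protected (adminCount = 1), which is the "protected group" failure listed under events 31003, 31008 and 31011: for such users, SDProp rewrites the ACL from CN=AdminSDHolder about once an hour, so a grant made on the user object itself does not survive. The script needs the ActiveDirectory RSAT module; both account names are placeholders.

```powershell
# Added example (not from the original article): decide from the ACL whether the ADMA
# account noted in step 3 holds the Reset password right on one user. The two account
# names are placeholders (assumptions); substitute your own.
Import-Module ActiveDirectory

$AdmaSamAccountName   = 'MSOL_a1b2c3d4e5f6'   # placeholder: sAMAccountName of the connector's "User name"
$TargetSamAccountName = 'jdoe'                # placeholder: the user whose password reset is failing

# Extended rights are identified on an ACE by GUID, not by display name.
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" (User-Force-Change-Password)

function Get-ResetPasswordAccess {
    param([string]$AdmaSam, [string]$TargetSam)

    $adma = Get-ADUser -Identity $AdmaSam
    $user = Get-ADUser -Identity $TargetSam -Properties adminCount
    $acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"

    # SIDs the ADMA account presents: itself, Everyone, Authenticated Users, and every
    # group it belongs to, nested groups included (LDAP_MATCHING_RULE_IN_CHAIN).
    $principalSids = @($adma.SID.Value, 'S-1-1-0', 'S-1-5-11') +
        @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($adma.DistinguishedName))" |
            ForEach-Object { $_.SID.Value })

    $relevant = $acl.Access | Where-Object {
        # Ignore ACEs that exist only to be inherited by children of this object.
        (($_.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -eq 0) -and
        # The right comes from an ExtendedRight ACE that either names Reset Password or
        # covers all extended rights (empty ObjectType), which is also how GenericAll ACEs look.
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        ($_.ObjectType -eq $ResetPasswordRight -or $_.ObjectType -eq [guid]::Empty)
    }

    $matching = $relevant | Where-Object {
        try {
            $aceSid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            $principalSids -contains $aceSid
        } catch { $false }   # orphaned SID that no longer resolves: cannot be the ADMA account
    }
    $allowed = @($matching | Where-Object { $_.AccessControlType -eq 'Allow' })
    $denied  = @($matching | Where-Object { $_.AccessControlType -eq 'Deny' })

    [pscustomobject]@{
        TargetUser             = $user.DistinguishedName
        # adminCount=1: SDProp overwrites this ACL hourly from CN=AdminSDHolder, so a grant
        # placed directly on the user object will disappear again.
        AdminSdHolderProtected = ($user.adminCount -eq 1)
        # Any matching Deny wins over Allow, as in Windows access checks.
        ResetPasswordAllowed   = ($allowed.Count -gt 0 -and $denied.Count -eq 0)
        GrantedVia             = ($allowed | ForEach-Object { "$($_.IdentityReference) (inherited=$($_.IsInherited))" }) -join '; '
        DeniedVia              = ($denied  | ForEach-Object { $_.IdentityReference.Value }) -join '; '
    }
}

Get-ResetPasswordAccess -AdmaSam $AdmaSamAccountName -TargetSam $TargetSamAccountName | Format-List
```

ResetPasswordAllowed = False with AdminSdHolderProtected = True means the grant has to be made on CN=AdminSDHolder (or the account removed from the protected group), not on the user; that is the case the event log reports as a protected-group failure.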

Common password writeback errors

The following more specific issues may occur with password writeback. If you encounter one of these errors, review the proposed solution and then check whether password writeback works correctly.

Error: The password reset service doesn't start on-premises. Error 6800 appears in the Azure AD Connect machine's application event log. After onboarding, federated or password-hash-synchronized users can't reset their passwords.
Solution: When password writeback is enabled, the sync engine calls the writeback library to perform the configuration (onboarding) by communicating with the cloud onboarding service. Any errors encountered during onboarding, or while starting the Windows Communication Foundation (WCF) endpoint for password writeback, result in errors in the event log on your Azure AD Connect machine. During a restart of the Azure AD Sync (ADSync) service, the WCF endpoint starts up if writeback was configured. If the endpoint fails to start, event 6800 is logged and the sync service is allowed to start anyway. The presence of this event means that the password writeback endpoint didn't start. The details of event 6800, together with the event log entries generated by the PasswordResetService component, indicate why the endpoint couldn't start. Review these errors and, if password writeback still isn't working, restart Azure AD Connect. If the problem persists, disable and then re-enable password writeback.

Error: When a user attempts to reset a password or unlock an account with password writeback enabled, the operation fails. In addition, after the unlock operation, the Azure AD Connect event log contains an event with "Synchronization Engine returned an error hr=800700CE, message=The filename or extension is too long".
Solution: Find the Active Directory account used by Azure AD Connect and reset its password so that it contains no more than 256 characters. Next, open Synchronization Service from the Start menu, browse to Connectors and find the Active Directory connector. Select it, and then select Properties. Browse to the Credentials page, enter the new password, and select OK to close the page.

Error: At the last step of the Azure AD Connect installation process, you see an error indicating that password writeback couldn't be configured. The Azure AD Connect application event log contains error 32009 with the text "Error getting auth token."
Solution: This error occurs in the following two cases:
  • You specified an incorrect password for the global administrator account provided at the beginning of the Azure AD Connect installation process.
  • You attempted to use a federated user for the global administrator account specified at the beginning of the Azure AD Connect installation process.
To fix this problem, make sure that you're not using a federated account for the global administrator specified at the beginning of the installation process, and that the password specified is correct.

Error: The Azure AD Connect machine event log contains error 32002, raised by PasswordResetService. The error reads: "Error Connecting to ServiceBus. The token provider was unable to provide a security token."
Solution: Your on-premises environment isn't able to connect to the Azure Service Bus endpoint in the cloud. This error is normally caused by a firewall rule blocking an outbound connection to a particular port or web address. See Connectivity prerequisites for more information. After you update these rules, restart the Azure AD Connect server, and password writeback should start working again.

Error: After working for some time, federated or password-hash-synchronized users can't reset their passwords.
Solution: In some rare cases, the password writeback service fails to restart after Azure AD Connect has restarted. In these cases, first check whether password writeback is enabled on-premises, using either the Azure AD Connect wizard or PowerShell. If the feature appears to be enabled, try disabling and then re-enabling it. If that doesn't work, try a complete uninstall and reinstall of Azure AD Connect.

Error: Federated or password-hash-synchronized users who attempt to reset their passwords see an error after submitting their password. The error indicates that there was a service problem. In addition, during password reset operations, you might see an error in your on-premises event logs stating that the management agent was denied access.
Solution: If you see these errors in your event log, confirm that the Active Directory Management Agent (ADMA) account that was specified in the wizard at configuration time has the permissions necessary for password writeback. After this permission is granted, it can take up to one hour for it to propagate via the sdprop background task on the domain controller (DC). For password reset to work, the permission needs to be stamped on the security descriptor of the user object whose password is being reset. Until the permission shows up on the user object, password reset continues to fail with an access denied message.

Error: Federated or password-hash-synchronized users who attempt to reset their passwords see an error after submitting their password. The error indicates that there was a service problem. In addition, during password reset operations, you might see an "Object could not be found" error in your event logs from the Azure AD Connect service.
Solution: This error usually indicates that the sync engine is unable to find the user object in the Azure AD connector space, or the linked metaverse (MV) object, or the Active Directory connector space object. To troubleshoot this problem, make sure that the user is indeed synchronized from on-premises to Azure AD via the current instance of Azure AD Connect, and inspect the state of the objects in the connector spaces and the MV. Confirm that the Active Directory connector space (AD CS) object is connected to the MV object via the "Microsoft.InfromADUserAccountEnabled.xxx" rule.

Error: Federated or password-hash-synchronized users who attempt to reset their passwords see an error after submitting their password. The error indicates that there was a service problem. In addition, during password reset operations, you might see a "Multiple matches found" error in your event logs from the Azure AD Connect service.
Solution: This indicates that the sync engine detected that the MV object is connected to more than one Active Directory connector space (AD CS) object via "Microsoft.InfromADUserAccountEnabled.xxx". In other words, the user has an enabled account in more than one forest. This scenario isn't supported for password writeback.

Error: Password operations fail with a configuration error. The application event log contains Azure AD Connect error 6329 with the text "0x8023061f (The operation failed because password synchronization is not enabled on this Management Agent)".
Solution: This error occurs if the Azure AD Connect configuration is changed to add a new Active Directory forest (or to remove and re-add an existing forest) after the password writeback feature has already been enabled. Password operations for users in these recently added forests fail. To fix the problem, disable and then re-enable the password writeback feature after the forest configuration changes have been completed.

Password writeback event log error codes

A best practice when you troubleshoot problems with password writeback is to inspect the application event log on your Azure AD Connect machine. This log contains events from two sources for password writeback. The PasswordResetService source describes operations and problems related to the operation of password writeback itself. The ADSync source describes operations and problems related to setting passwords in your Active Directory Domain Services environment.

If the source of the event is ADSync

Code: 6329
Message: BAIL: MMS(4924) 0x80230619: "A restriction prevents the password from being changed to the current one specified."
Description: This event occurs when the password writeback service attempts to set a password in your local directory that doesn't meet the password age, history, complexity, or filtering requirements of the domain.

If you have a minimum password age and the password was recently changed within that window, you can't change it again until it reaches the minimum age specified in your domain. For testing purposes, the minimum age should be set to 0.

If you have password history requirements enabled, you must select a password that hasn't been used in the last N times, where N is the password history setting. If you select a password that has been used within the last N times, the operation fails. For testing purposes, the password history should be set to 0.

If you have password complexity requirements, all of them are enforced when the user attempts to change or reset a password.

If you have password filters enabled and a user selects a password that doesn't meet the filtering criteria, the reset or change operation fails.

Code: 6329
Message: MMS(3040): admaexport.cpp(2837): The server doesn't contain the LDAP password policy control.
Description: This problem occurs if the LDAP_SERVER_POLICY_HINTS_OID control (1.2.840.113556.1.4.2066) isn't enabled on the DCs. To use the password writeback feature, you must enable the control. To do so, the DCs must be on Windows Server 2008 R2 or later.

Code: hr=80230402
Message: Synchronization Engine returned an error hr=80230402, message=An attempt to get an object failed because there are duplicated entries with the same anchor.
Description: This error occurs when the same user ID is enabled in multiple domains. An example is if you're syncing account and resource forests and have the same user ID present and enabled in each forest.

This error can also occur if you use a non-unique anchor attribute, like an alias or UPN, and two users share the same anchor attribute.

To resolve this problem, ensure that you don't have any duplicated users within your domains and that you use a unique anchor attribute for each user.

If the source of the event is PasswordResetService

Code: 31001
Name: PasswordResetStart
Description: The on-premises service detected a password reset request, originating from the cloud, for a federated or password-hash-synchronized user. This is the first event in every password-reset writeback operation.

Code: 31002
Name: PasswordResetSuccess
Description: A user selected a new password during a password-reset operation, the password was determined to meet corporate password requirements, and it was successfully written back to the local Active Directory environment.

Code: 31003
Name: PasswordResetFail
Description: A user selected a password and the password arrived successfully in the on-premises environment, but the attempt to set it in the local Active Directory environment failed. This failure can happen for several reasons:
  • The user's password doesn't meet the age, history, complexity, or filter requirements of the domain. To resolve this problem, create a new password.
  • The ADMA service account doesn't have the appropriate permissions to set the new password on the user account in question.
  • The user's account is in a protected group, such as the Domain Admins or Enterprise Admins group, which disallows password set operations.

Code: 31004
Name: OnboardingEventStart
Description: You enabled password writeback with Azure AD Connect, and onboarding of your organization to the password writeback web service has started.

Code: 31005
Name: OnboardingEventSuccess
Description: The onboarding process was successful and the password writeback capability is ready to use.

Code: 31006
Name: ChangePasswordStart
Description: The on-premises service detected a password change request, originating from the cloud, for a federated or password-hash-synchronized user. This is the first event in every password-change writeback operation.

Code: 31007
Name: ChangePasswordSuccess
Description: A user selected a new password during a password change operation, the password was determined to meet corporate password requirements, and it was successfully written back to the local Active Directory environment.

Code: 31008
Name: ChangePasswordFail
Description: A user selected a password and the password arrived successfully in the on-premises environment, but the attempt to set it in the local Active Directory environment failed. This failure can happen for several reasons:
  • The user's password doesn't meet the age, history, complexity, or filter requirements of the domain. To resolve this problem, create a new password.
  • The ADMA service account doesn't have the appropriate permissions to set the new password on the user account in question.
  • The user's account is in a protected group, such as Domain Admins or Enterprise Admins, which disallows password set operations.

Code: 31009
Name: ResetUserPasswordByAdminStart
Description: The on-premises service detected a password reset request for a federated or password-hash-synchronized user, initiated by an administrator on behalf of the user. This is the first event in every admin-initiated password-reset writeback operation.

Code: 31010
Name: ResetUserPasswordByAdminSuccess
Description: The admin selected a new password during an admin-initiated password-reset operation, the password was determined to meet corporate password requirements, and it was successfully written back to the local Active Directory environment.

Code: 31011
Name: ResetUserPasswordByAdminFail
Description: The admin selected a password on behalf of a user and the password arrived successfully in the on-premises environment, but the attempt to set it in the local Active Directory environment failed. This failure can happen for several reasons:
  • The user's password doesn't meet the age, history, complexity, or filter requirements of the domain. Try a new password to resolve this problem.
  • The ADMA service account doesn't have the appropriate permissions to set the new password on the user account in question.
  • The user's account is in a protected group, such as Domain Admins or Enterprise Admins, which disallows password set operations.

Code: 31012
Name: OffboardingEventStart
Description: You disabled password writeback with Azure AD Connect, and offboarding of your organization from the password writeback web service has started.

Code: 31013
Name: OffboardingEventSuccess
Description: The offboarding process was successful and the password writeback capability has been disabled.

Code: 31014
Name: OffboardingEventFail
Description: The offboarding process wasn't successful. This might be due to a permissions error on the cloud or on-premises administrator account specified during configuration. The error can also occur if you attempt to use a federated cloud global administrator when disabling password writeback. To fix this problem, check your administrative permissions and ensure that you're not using a federated account while configuring the password writeback capability.

Code: 31015
Name: WriteBackServiceStarted
Description: The password writeback service started successfully and is ready to accept password management requests from the cloud.

Code: 31016
Name: WriteBackServiceStopped
Description: The password writeback service has stopped. Any password management requests from the cloud won't succeed.

Code: 31017
Name: AuthTokenSuccess
Description: An authorization token for the global admin specified during Azure AD Connect setup was retrieved successfully, to start the onboarding or offboarding process.

Code: 31018
Name: KeyPairCreationSuccess
Description: The password encryption key was created successfully. This key is used to encrypt passwords sent from the cloud to your on-premises environment.

Code: 31034
Name: ServiceBusListenerError
Description: There was an error connecting to your tenant's Service Bus listener. If the error message includes "The remote certificate is invalid", check that your Azure AD Connect server has all the required root CAs.

Code: 32000
Name: UnknownError
Description: An unknown error occurred during a password management operation. Look at the exception text in the event for more details. If you're having problems, try disabling and then re-enabling password writeback. If that doesn't help, include a copy of your event log along with the tracking ID from the event when you open a support request.

Code: 32001
Name: ServiceError
Description: There was an error connecting to the cloud password reset service. This error generally occurs when the on-premises service was unable to connect to the password-reset web service.

Code: 32002
Name: ServiceBusError
Description: There was an error connecting to your tenant's Service Bus instance. This can happen if outbound connections are blocked in your on-premises environment. Check your firewall to ensure that you allow connections over TCP 443 and to https://ssprdedicatedsbprodncu.servicebus.chinacloudapi.cn, and then try again. If you're still having problems, try disabling and then re-enabling password writeback.

Code: 32003
Name: InPutValidationError
Description: The input passed to our web service API was invalid. Try the operation again.

Code: 32004
Name: DecryptionError
Description: There was an error decrypting the password that arrived from the cloud. This might be due to a decryption key mismatch between the cloud service and your on-premises environment. To resolve this problem, disable and then re-enable password writeback in your on-premises environment.

Code: 32005
Name: ConfigurationError
Description: During onboarding, tenant-specific information is saved in a configuration file in your on-premises environment. This event indicates that there was an error saving this file, or that there was an error reading it when the service started. To fix this problem, try disabling and then re-enabling password writeback to force a rewrite of the configuration file.

Code: 32007
Name: OnBoardingConfigUpdateError
Description: During onboarding, data is sent from the cloud to the on-premises password-reset service. That data is written to an in-memory file before it is passed to the sync service to be stored securely on disk. This event indicates a problem writing or updating that data in memory. To fix this problem, try disabling and then re-enabling password writeback to force a rewrite of the configuration file.

Code: 32008
Name: ValidationError
Description: An invalid response was received from the password-reset web service. To fix this problem, try disabling and then re-enabling password writeback.

Code: 32009
Name: AuthTokenError
Description: An authorization token couldn't be obtained for the global administrator account specified during Azure AD Connect setup. This can be caused by a bad username or password for the global admin account, or by the global admin account being federated. To fix this problem, rerun the configuration with the correct username and password and ensure that the administrator is a managed (cloud-only or password-synchronized) account.
3201032010 CryptoErrorCryptoError 此事件表示在生成密码加密密钥时或者解密从云服务到达的密码时发生错误。This event indicates there was an error generating the password encryption key or decrypting a password that arrives from the cloud service. 此错误可能表示环境存在问题。This error likely indicates a problem with your environment. 请查看事件日志的详细信息来了解详细信息并解决此问题。Look at the details of your event log to learn more about how to resolve this problem. 还可以尝试禁用再重新启用密码写回服务。You can also try disabling and then re-enabling the password writeback service.
3201132011 OnBoardingServiceErrorOnBoardingServiceError 此事件表示本地服务无法正确地与密码重置 web 服务进行通信来启动登记过程。This event indicates that the on-premises service couldn't properly communicate with the password-reset web service to initiate the onboarding process. 这可能是由于防火墙规则导致的,也可能是因为获取租户的身份验证令牌时出现问题。This can happen as a result of a firewall rule or if there's a problem getting an authentication token for your tenant. 若要解决此问题,请确保没有阻止基于 TCP 443 和 TCP 9350-9354 的出站连接或者到 https://ssprdedicatedsbprodncu.servicebus.chinacloudapi.cn 的出站连接。To fix this problem, ensure that you're not blocking outbound connections over TCP 443 and TCP 9350-9354 or to https://ssprdedicatedsbprodncu.servicebus.chinacloudapi.cn. 另请确保用于登记的 Azure AD 管理员帐户不是联合帐户。Also ensure that the Azure AD admin account you're using to onboard isn't federated.
3201332013 OffBoardingErrorOffBoardingError 此事件表示本地服务无法正确地与密码重置 web 服务进行通信来启动卸载过程。This event indicates that the on-premises service couldn't properly communicate with the password-reset web service to initiate the offboarding process. 这可能是由于防火墙规则导致的,也可能是因为获取租户的授权令牌时出现问题。This can happen as a result of a firewall rule or if there's a problem getting an authorization token for your tenant. 若要解决此问题,请确保没有阻止基于 443 的出站连接或者到 https://ssprdedicatedsbprodncu.servicebus.chinacloudapi.cn 的出站连接,并确保用于卸载的 Azure Active Directory 管理员帐户不是联合帐户。To fix this problem, ensure that you're not blocking outbound connections over 443 or to https://ssprdedicatedsbprodncu.servicebus.chinacloudapi.cn, and that the Azure Active Directory admin account you're using to offboard isn't federated.
3201432014 ServiceBusWarningServiceBusWarning 此事件表示我们必须重新尝试连接到租户的服务总线实例。This event indicates that we had to retry to connect to your tenant's Service Bus instance. 正常情况下,这应当无需顾虑,但如果很多次看到此事件,请考虑检查到服务总线的网络连接,特别是当使用高延迟或低带宽连接时。Under normal conditions, this should not be a concern, but if you see this event many times, consider checking your network connection to Service Bus, especially if it's a high-latency or low-bandwidth connection.
3201532015 ReportServiceHealthErrorReportServiceHealthError 为了监视密码写回服务的运行状况,我们每五分钟向我们的密码重置 web 服务发送一次检测信号数据。In order to monitor the health of your password writeback service, we send heartbeat data to our password-reset web service every five minutes. 此事件表示将此运行状况信息发送回云 web 服务时发生错误。This event indicates that there was an error when sending this health information back to the cloud web service. 此运行状况信息不包含任何个人数据,是纯粹的检测信号和基本的服务统计信息,因此我们可以在云中提供服务状态信息。This health information doesn't include any personal data, and is purely a heartbeat and basic service statistics so that we can provide service status information in the cloud.
3300133001 ADUnKnownErrorADUnKnownError 此事件表示 Active Directory 返回了未知的错误。This event indicates that there was an unknown error returned by Active Directory. 有关详细信息,请检查 Azure AD Connect 服务器事件日志中来自 ADSync 源的事件。Check the Azure AD Connect server event log for events from the ADSync source for more information.
3300233002 ADUserNotFoundErrorADUserNotFoundError 此事件表示在本地目录中未找到尝试重置或更改密码的用户。This event indicates that the user who is trying to reset or change a password was not found in the on-premises directory. 如果已在本地删除了该用户但在云中未删除,则可能会发生此错误。This error can occur when the user has been deleted on-premises but not in the cloud. 如果出现了同步问题,也可能发生此错误。有关详细信息,请查看同步日志以及最近运行的几次同步的详细信息。This error can also occur if there's a problem with sync. Check your sync logs and the last few sync run details for more information.
3300333003 ADMutliMatchErrorADMutliMatchError 当密码重置或更改请求来自云时,我们使用在 Azure AD Connect 的设置过程中指定的云定位点来确定如何将该请求链接回本地环境中的用户。When a password reset or change request originates from the cloud, we use the cloud anchor specified during the setup process of Azure AD Connect to determine how to link that request back to a user in your on-premises environment. 此事件表示我们在本地目录中找到了具有相同的云定位点属性的两个用户。This event indicates that we found two users in your on-premises directory with the same cloud anchor attribute. 有关详细信息,请查看同步日志以及最近运行的几次同步的详细信息。Check your sync logs and the last few sync run details for more information.
3300433004 ADPermissionsErrorADPermissionsError 此事件表示 Active Directory 管理代理 (ADMA) 服务帐户在相关帐户上没有合适的权限来设置新密码。This event indicates that the Active Directory Management Agent (ADMA) service account doesn't have the appropriate permissions on the account in question to set a new password. 请确保用户的林中的 ADMA 帐户对林中的所有对象都具有重置密码的权限。Ensure that the ADMA account in the user's forest has reset password permissions on all objects in the forest. 有关如何设置权限的详细信息,请参阅“步骤 4:设置适当的 Active Directory 权限”。For more information on how to set the permissions, see Step 4: Set up the appropriate Active Directory permissions. 如果用户的属性 AdminCount 设置为 1,也会出现此错误。This error could also occur when the user's attribute AdminCount is set to 1.
3300533005 ADUserAccountDisabledADUserAccountDisabled 此事件表示我们试图重置或更改在本地已被禁用的帐户的密码。This event indicates that we attempted to reset or change a password for an account that was disabled on-premises. 请启用该帐户,并重试操作。Enable the account and try the operation again.
3300633006 ADUserAccountLockedOutADUserAccountLockedOut 此事件表示我们试图重置或更改在本地已被锁定的帐户的密码。This event indicates that we attempted to reset or change a password for an account that was locked out on-premises. 如果用户在短时间内尝试了太多次更改或重置密码操作,则会发生锁定。Lockouts can occur when a user has tried a change or reset password operation too many times in a short period. 请解锁该帐户并重试操作。Unlock the account and try the operation again.
3300733007 ADUserIncorrectPasswordADUserIncorrectPassword 此事件表示用户在执行密码更改操作时指定了错误的当前密码。This event indicates that the user specified an incorrect current password when performing a password change operation. 请指定正确的当前密码,并重试。Specify the correct current password and try again.
3300833008 ADPasswordPolicyErrorADPasswordPolicyError 当密码写回服务尝试在本地目录中设置的密码不符合域在密码期限、历史记录、复杂度或筛选方面的要求时,将发生此事件。This event occurs when the password writeback service attempts to set a password on your local directory that doesn't meet the password age, history, complexity, or filtering requirements of the domain.

如果使用最短密码期限,并且最近在此时间窗口内已更改过密码,将无法再次更改密码,直到它达到域中指定的期限。If you have a minimum password age and have recently changed the password within that window of time, you're not able to change the password again until it reaches the specified age in your domain. 对于测试目的,最短期限应设置为 0。For testing purposes, the minimum age should be set to 0.

如果启用了密码历史记录要求,则必须选择在最近 N 次未使用过的密码,其中 N 是密码历史记录设置。If you have password history requirements enabled, then you must select a password that has not been used in the last N times, where N is the password history setting. 如果选择了在最近 N 次中使用过的密码,则在此情况下会失败。If you do select a password that has been used in the last N times, then you see a failure in this case. 对于测试目的,密码历史记录应设置为 0。For testing purposes, the password history should be set to 0.

如果有密码复杂性要求,则当用户尝试更改或重置密码时会强制实施所有这些要求。If you have password complexity requirements, all of them are enforced when the user attempts to change or reset a password.

如果启用密码筛选器,并且用户选择了不满足筛选条件的密码,则重置或更改操作会失败。If you have password filters enabled and a user selects a password that doesn't meet the filtering criteria, then the reset or change operation fails.
3300933009 ADConfigurationErrorADConfigurationError 此事件表示将密码写回到本地目录时由于 Active Directory 存在配置问题而出现问题。This event indicates there was a problem writing a password back to your on-premises directory because of a configuration issue with Active Directory. 若要详细了解发生了什么错误,请检查 Azure AD Connect 计算机的应用程序事件日志以查找来自 ADSync 服务的消息。Check the Azure AD Connect machine's application event log for messages from the ADSync service for more information on which error occurred.
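As an added example (not code from this article or from Azure AD Connect), the following PowerShell, run on the Azure AD Connect server, lists the recent writeback events above with the article's remediation hint for each ID and, when a network-class event is present, runs the TCP 443 and 9350-9354 checks the article recommends against the Service Bus host it names. The 'PasswordResetService' provider name is an assumption.

```powershell
# Added example, not from the article or Azure AD Connect. Assumes writeback
# events are written to the Application log by the 'PasswordResetService'
# provider (assumption); run in an elevated session on the Azure AD Connect server.
param(
    [string]$Provider = 'PasswordResetService',   # assumed event source name
    [int]$Hours = 24,
    [string]$ServiceBusHost = 'ssprdedicatedsbprodncu.servicebus.chinacloudapi.cn'
)
# Event IDs from the article, each mapped to the first remediation the article gives.
$Known = @{
    31034 = 'ServiceBusListenerError: confirm all required root CAs are installed'
    32000 = 'UnknownError: read the exception text; disable and re-enable writeback'
    32001 = 'ServiceError: on-premises service cannot reach the password-reset web service'
    32002 = 'ServiceBusError: allow outbound TCP 443 to Service Bus'
    32003 = 'InPutValidationError: retry the operation'
    32004 = 'DecryptionError: key mismatch; disable and re-enable writeback'
    32005 = 'ConfigurationError: disable and re-enable writeback to rewrite the config file'
    32007 = 'OnBoardingConfigUpdateError: disable and re-enable writeback'
    32008 = 'ValidationError: disable and re-enable writeback'
    32009 = 'AuthTokenError: fix admin credentials; account must be managed, not federated'
    32010 = 'CryptoError: see event details; disable and re-enable writeback'
    32011 = 'OnBoardingServiceError: allow outbound TCP 443 and 9350-9354; admin not federated'
    32013 = 'OffBoardingError: allow outbound TCP 443; admin not federated'
    32014 = 'ServiceBusWarning: harmless if rare; repeated occurrences mean check the network'
    32015 = 'ReportServiceHealthError: heartbeat to the cloud web service failed'
    33001 = 'ADUnKnownError: check ADSync source events'
    33002 = 'ADUserNotFoundError: user deleted on-premises or sync problem; check sync logs'
    33003 = 'ADMutliMatchError: two users share the cloud anchor; check sync logs'
    33004 = 'ADPermissionsError: ADMA lacks reset password rights, or user has AdminCount=1'
    33005 = 'ADUserAccountDisabled: enable the account and retry'
    33006 = 'ADUserAccountLockedOut: unlock the account and retry'
    33007 = 'ADUserIncorrectPassword: wrong current password supplied'
    33008 = 'ADPasswordPolicyError: age, history, complexity or filter rejected the password'
    33009 = 'ADConfigurationError: check ADSync messages in the Application log'
}
$NetworkIds = 31034, 32001, 32002, 32011, 32013, 32014
$filter = @{ LogName = 'Application'; ProviderName = $Provider; StartTime = (Get-Date).AddHours(-$Hours) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
foreach ($e in ($events | Sort-Object TimeCreated)) {
    $hint = if ($Known.ContainsKey($e.Id)) { $Known[$e.Id] } else { 'not listed in the article' }
    '{0:u}  {1}  {2}' -f $e.TimeCreated, $e.Id, $hint
}
# Port checks from the article, run only when a network-class event was logged.
if ($events | Where-Object { $NetworkIds -contains $_.Id }) {
    foreach ($port in (@(443) + (9350..9354))) {
        $ok = (Test-NetConnection -ComputerName $ServiceBusHost -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        'TCP {0} to {1}: {2}' -f $port, $ServiceBusHost, $(if ($ok) { 'open' } else { 'blocked' })
    }
}
```

A port reported as blocked for 9350-9354 with 443 open matches the OnBoardingServiceError (32011) case above, where the firewall allows HTTPS but not the Service Bus relay ports.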

Azure AD forums

If you have general questions about Azure AD and self-service password reset, you can ask the community for assistance on the Microsoft Q&A question page for Azure Active Directory. Members of the community include engineers, product managers, MVPs, and fellow IT professionals.

Contact Microsoft support

If you can't find the answer to a problem, our support teams are always available to assist you further.

To properly assist you, we ask that you provide as much detail as possible when opening a case. These details include the following:

  • General description of the error: What is the error? What was the behavior that was noticed? How can we reproduce the error? Provide as much detail as possible.
  • Page: What page were you on when you noticed the error? Include the URL if you're able to, and a screenshot of the page.
  • Support code: What was the support code that was generated when the user saw the error?
    • To find this code, reproduce the error, then select the Support code link at the bottom of the screen and send the support engineer the GUID that results.

      The support code is located in the lower-right corner of the web browser window.

    • If you're on a page without a support code at the bottom, press F12, search for the SID and CID, and send those two results to the support engineer.

  • Date, time, and time zone: Include the precise date and time, with the time zone, at which the error occurred.
  • User ID: Who was the user who saw the error? An example is user@contoso.com.
    • Is this a federated user?
    • Is this a password-hash-synchronized user?
    • Is this a cloud-only user?
  • Licensing: Does the user have an Azure AD license assigned?
  • Application event log: If you're using password writeback and the error is in your on-premises infrastructure, include a zipped copy of your application event log from the Azure AD Connect server.

Next steps

To learn more about SSPR, see "How it works: Azure AD self-service password reset" or "How does self-service password reset writeback work in Azure AD?".