Troubleshooting sign-in problems with Conditional Access

The information in this article can be used to troubleshoot unexpected sign-in outcomes related to Conditional Access, using the error messages shown to the user and the Azure AD sign-in logs.

Conditional Access sign-in interrupt

The first way is to review the error message that appears. For problems signing in when using a web browser, the error page itself has detailed information. This information alone may describe what the problem is and suggest a solution.

Screenshot: Sign-in error - compliant device required

In the above error, the message states that the application can only be accessed from devices or client applications that meet the company's mobile device management policy. In this case, the application and device do not meet that policy.

Azure AD sign-in events

The second method to get detailed information about the sign-in interruption is to review the Azure AD sign-in events to see which Conditional Access policy or policies were applied and why.

More information can be found about the problem by clicking More Details in the initial error page. Clicking More Details reveals troubleshooting information (the request ID, correlation ID, and timestamp of the attempt) that is helpful when searching the Azure AD sign-in events for the specific failure event the user saw, or when opening a support incident with Microsoft.

Screenshot: More details about a web browser sign-in interrupted by a Conditional Access policy

To find out which Conditional Access policy or policies applied and why, do the following.

  1. Sign in to the Azure portal as a global administrator, security administrator, or global reader.

  2. Browse to Azure Active Directory > Sign-ins.

  3. Find the event for the sign-in to review. Add or remove filters and columns to filter out unnecessary information.

    1. Add filters to narrow the scope:
      1. Correlation ID, when you have a specific event to investigate.
      2. Conditional access, to see policy failure and success. Scope the filter to show only failures to limit the results.
      3. Username, to see information related to specific users.
      4. Date, scoped to the time frame in question.

    Screenshot: Selecting the Conditional Access filter in the sign-in log

  4. Once the sign-in event that corresponds to the user's sign-in failure has been found, select the Conditional Access tab. The Conditional Access tab shows the specific policy or policies that resulted in the sign-in interruption.

    1. Information in the Troubleshooting and support tab may provide a clear reason as to why a sign-in failed, such as a device that did not meet compliance requirements.
    2. To investigate further, drill down into the configuration of the policies by clicking the Policy Name. Clicking the Policy Name shows the policy configuration user interface for the selected policy, for review and editing.
    3. The client, user, and device details that were used for the Conditional Access policy assessment are also available in the Basic Info, Location, Device Info, Authentication Details, and Additional Details tabs of the sign-in event.

Policy details

Selecting the ellipsis on the right side of the policy in a sign-in event brings up the policy details. This gives administrators additional information about why a policy was or was not applied.

Screenshot: Conditional Access tab of a sign-in event

Screenshot: Policy details (preview)

The left side lists the details collected at sign-in, and the right side shows whether those details satisfy the requirements of the applied Conditional Access policies. A Conditional Access policy only applies when every condition is either satisfied or not configured; a single configured condition that is not met means the policy is not applied.
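The rule just stated (a policy applies only when every configured condition is satisfied, and an unconfigured condition restricts nothing) is the one most often misread in the policy details pane. The following is an added example, not Microsoft's evaluation engine and not code from this article: a simplified model in which each condition is either a configured set of allowed values or None for "not configured", and the result mirrors the pane's left side (values collected at sign-in) and right side (per-condition verdicts). The condition and field names are assumed for illustration; real policies have more assignment types (groups, roles, sign-in risk) and more controls than shown.

```python
"""Simplified model of when a Conditional Access policy applies to a sign-in.

Added example (not Microsoft's evaluation logic): a policy applies only when
every condition it configures is satisfied; a condition left as None is
"not configured" and imposes no restriction. Field names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class SignIn:
    """Values collected at sign-in (the left side of the policy details pane)."""
    user: str
    app: str
    platform: str
    location: str
    client_app: str


@dataclass
class Policy:
    """Users and apps are mandatory assignments, as in a real policy; the
    remaining conditions are optional and None means 'not configured'."""
    name: str
    include_users: Set[str]          # user names, or {"All"}
    include_apps: Set[str]           # app names, or {"All"}
    exclude_users: Set[str] = frozenset()
    platforms: Optional[Set[str]] = None
    locations: Optional[Set[str]] = None
    client_apps: Optional[Set[str]] = None


def _matches(configured: Optional[Set[str]], value: str) -> Optional[bool]:
    """True/False when the condition is configured, None when it is not."""
    if configured is None:
        return None
    return "All" in configured or value in configured


def evaluate(policy: Policy, s: SignIn) -> Dict[str, Optional[bool]]:
    """Per-condition verdicts (the right side of the pane) plus the overall result.

    An exclusion wins over an inclusion for the users assignment, and the
    policy applies only if no configured condition evaluated to False."""
    verdicts: Dict[str, Optional[bool]] = {
        "users": bool(_matches(policy.include_users, s.user))
        and s.user not in policy.exclude_users,
        "apps": _matches(policy.include_apps, s.app),
        "platforms": _matches(policy.platforms, s.platform),
        "locations": _matches(policy.locations, s.location),
        "client_apps": _matches(policy.client_apps, s.client_app),
    }
    verdicts["applies"] = all(v is not False for v in verdicts.values())
    return verdicts


if __name__ == "__main__":
    # Constructed policy and sign-ins, not real tenant data.
    compliant = Policy("Require compliant device for Exchange", {"All"},
                       {"Exchange Online"}, platforms={"Android", "iOS"})
    android = SignIn("alice", "Exchange Online", "Android", "Office", "Mobile Apps and Desktop clients")
    windows = SignIn("alice", "Exchange Online", "Windows", "Office", "Browser")
    print(evaluate(compliant, android))   # platforms True, locations None -> applies
    print(evaluate(compliant, windows))   # platforms False -> does not apply
```

Reading the output the way the pane is read: a None verdict is a condition the policy never looked at, not a condition that failed, so a policy with only users and apps configured applies to every platform, location, and client app.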

If the information in the event isn't enough to understand the sign-in results or to adjust the policy to get the desired results, a support incident may be opened. Navigate to that sign-in event's Troubleshooting and support tab and select Create a new support request.

Screenshot: Troubleshooting and support tab of a sign-in event

When submitting the incident, provide the request ID and the date and time from the sign-in event in the incident submission details. This information allows Microsoft support to find the event you're concerned about.

Conditional Access error codes

Sign-in error code   Error string
53000                DeviceNotCompliant
53001                DeviceNotDomainJoined
53002                ApplicationUsedIsNotAnApprovedApp
53003                BlockedByConditionalAccess
53004                ProofUpBlockedDueToRisk
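The portal procedure above (filter the sign-in log by correlation ID, Conditional access status, username and date, then read the Conditional Access tab and the error code) can be run against exported sign-in records as well. The following is an added example, not code from this article or from Microsoft: it applies those same filters to records in the shape of the Microsoft Graph signIn resource (the schema behind the portal's JSON download and the sign-in log API) and decodes the status error code with the table above. The three records are constructed by hand for the example; every GUID, user, policy name and timestamp is made up.

```python
"""Triage Conditional Access failures in exported Azure AD sign-in records.

Added example, not code from the article or from Microsoft. The records below
are constructed in the shape of the Microsoft Graph `signIn` resource
(correlationId, userPrincipalName, createdDateTime, conditionalAccessStatus,
status.errorCode, deviceDetail, appliedConditionalAccessPolicies) and are
not real tenant data.
"""
from datetime import datetime, timezone

# Reproduces the "Conditional Access error codes" table from this article.
CA_ERROR_STRINGS = {
    53000: "DeviceNotCompliant",
    53001: "DeviceNotDomainJoined",
    53002: "ApplicationUsedIsNotAnApprovedApp",
    53003: "BlockedByConditionalAccess",
    53004: "ProofUpBlockedDueToRisk",
}

# Constructed sample sign-in events (not real data).
SAMPLE_SIGNINS = [
    {"correlationId": "11111111-aaaa-4aaa-8aaa-111111111111",
     "userPrincipalName": "alice@contoso.example", "createdDateTime": "2023-05-02T08:15:00Z",
     "appDisplayName": "Exchange Online", "clientAppUsed": "Mobile Apps and Desktop clients",
     "conditionalAccessStatus": "failure",
     "status": {"errorCode": 53000, "failureReason": "Device is not compliant"},
     "deviceDetail": {"operatingSystem": "Android", "isCompliant": False, "isManaged": False},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require compliant device for Exchange", "result": "failure",
          "enforcedGrantControls": ["RequireCompliantDevice"]},
         {"displayName": "Require MFA for admins", "result": "notApplied",
          "enforcedGrantControls": []}]},
    {"correlationId": "22222222-bbbb-4bbb-8bbb-222222222222",
     "userPrincipalName": "bob@contoso.example", "createdDateTime": "2023-05-02T09:00:00Z",
     "appDisplayName": "Azure Portal", "clientAppUsed": "Browser",
     "conditionalAccessStatus": "success",
     "status": {"errorCode": 0, "failureReason": "Other."},
     "deviceDetail": {"operatingSystem": "Windows 10", "isCompliant": True, "isManaged": True},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for admins", "result": "success",
          "enforcedGrantControls": ["Mfa"]}]},
    {"correlationId": "33333333-cccc-4ccc-8ccc-333333333333",
     "userPrincipalName": "alice@contoso.example", "createdDateTime": "2023-05-03T17:42:00Z",
     "appDisplayName": "Exchange Online", "clientAppUsed": "Other clients",
     "conditionalAccessStatus": "failure",
     "status": {"errorCode": 53003, "failureReason": "Blocked by Conditional Access"},
     "deviceDetail": {"operatingSystem": "", "isCompliant": False, "isManaged": False},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block legacy authentication", "result": "failure",
          "enforcedGrantControls": ["Block"]}]},
]


def parse_time(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp Graph emits (trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def filter_signins(events, *, correlation_id=None, ca_status=None, user=None, start=None, end=None):
    """The portal's filters: Correlation ID, Conditional access, Username, Date range."""
    out = []
    for ev in events:
        if correlation_id and ev["correlationId"] != correlation_id:
            continue
        if ca_status and ev["conditionalAccessStatus"] != ca_status:
            continue
        if user and ev["userPrincipalName"].lower() != user.lower():
            continue
        ts = parse_time(ev["createdDateTime"])
        if (start and ts < start) or (end and ts > end):
            continue
        out.append(ev)
    return out


def describe_failure(ev):
    """What the Conditional Access and Troubleshooting and support tabs show for one event."""
    code = ev["status"]["errorCode"]
    dev = ev["deviceDetail"]
    return {
        "correlationId": ev["correlationId"],
        "user": ev["userPrincipalName"],
        "app": ev["appDisplayName"],
        "clientApp": ev["clientAppUsed"],
        "errorCode": code,
        "errorString": CA_ERROR_STRINGS.get(code, "NotAConditionalAccessCode"),
        "failingPolicies": [p["displayName"] for p in ev["appliedConditionalAccessPolicies"]
                            if p["result"] == "failure"],
        "device": f"{dev['operatingSystem'] or 'unknown OS'} "
                  f"compliant={dev['isCompliant']} managed={dev['isManaged']}",
    }


def triage(events, **filters):
    """Scope to Conditional Access failures (as the article advises) and describe each."""
    return [describe_failure(ev) for ev in filter_signins(events, ca_status="failure", **filters)]


if __name__ == "__main__":
    for row in triage(SAMPLE_SIGNINS, user="alice@contoso.example"):
        print(row)
```

The failing policy names come from appliedConditionalAccessPolicies with result "failure", which is the list the Conditional Access tab displays; the error code and failure reason live under status, and a code outside the 53000 range means the interruption was not caused by a Conditional Access policy and should be looked up elsewhere. The correlation ID and timestamp in each row are the values to quote when opening a support request.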

Next steps