Troubleshooting sign-in problems with Conditional Access

The information in this article can be used to troubleshoot unexpected sign-in outcomes related to Conditional Access, using the error messages shown to the user and the Azure AD sign-ins log.

Select "all" consequences

The Conditional Access framework provides you with great configuration flexibility. However, great flexibility also means that you should carefully review each configuration policy before releasing it to avoid undesirable results. In this context, you should pay special attention to assignments affecting complete sets such as all users / groups / cloud apps.

Organizations should avoid the following configurations:

For all users, all cloud apps:

  • Block access - This configuration blocks your entire organization.
  • Require device to be marked as compliant - For users who have not enrolled their devices yet, this policy blocks all access, including access to the Intune portal. If you are an administrator without an enrolled device, this policy blocks you from getting back into the Azure portal to change the policy.
  • Require Hybrid Azure AD domain joined device - This policy also has the potential to block access for all users in your organization if they don't have a hybrid Azure AD joined device.
  • Require app protection policy - This policy also has the potential to block access for all users in your organization if you don't have an Intune policy. If you are an administrator without a client application that has an Intune app protection policy, this policy blocks you from getting back into portals such as Intune and Azure.

For all users, all cloud apps, all device platforms:

  • Block access - This configuration blocks your entire organization.
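The configurations listed above can be checked for mechanically before a policy is enabled. The following is an added example (not Microsoft's code or tooling) that lints policy definitions for the "all users, all cloud apps" shapes named in this section. It assumes the policy objects are shaped like the Microsoft Graph conditionalAccessPolicy resource (conditions.users, conditions.applications, conditions.platforms, grantControls.builtInControls); the three sample policies and the group ID in them are constructed placeholders.

```python
"""Lint Conditional Access policy definitions for the lockout-prone shapes listed above.

Added example, not Microsoft's code. Policy objects are assumed to follow the shape of the
Microsoft Graph conditionalAccessPolicy resource; the sample policies are constructed.
"""
from typing import Any

# builtInControls values that, combined with "all users" and "all cloud apps",
# match the configurations this article says to avoid.
RISKY_CONTROLS = {
    "block": "Block access",
    "compliantDevice": "Require device to be marked as compliant",
    "domainJoinedDevice": "Require Hybrid Azure AD domain joined device",
    "compliantApplication": "Require app protection policy",
}


def lockout_risks(policy: dict[str, Any]) -> list[str]:
    """Return findings for one policy; an empty list means no "all users, all cloud apps" risk."""
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    apps = cond.get("applications", {})
    platforms = cond.get("platforms") or {}
    grant = policy.get("grantControls") or {}

    all_users = "All" in users.get("includeUsers", [])
    all_apps = "All" in apps.get("includeApplications", [])
    if not (all_users and all_apps):
        return []

    scope = "all users, all cloud apps"
    if "all" in platforms.get("includePlatforms", []):
        scope += ", all device platforms"

    findings = []
    for control in grant.get("builtInControls", []):
        if control in RISKY_CONTROLS:
            findings.append(
                f"{policy['displayName']} ({policy.get('state')}): "
                f"{RISKY_CONTROLS[control]} for {scope}"
            )
    # With nothing excluded, no administrator remains who could still sign in to the
    # Azure portal and disable the policy (see the lockout section of this article).
    excluded = users.get("excludeUsers") or users.get("excludeGroups") or users.get("excludeRoles")
    if findings and not excluded:
        findings.append(
            f"{policy['displayName']}: no users, groups or roles are excluded; "
            "no administrator would remain able to reach the Azure portal to change the policy"
        )
    return findings


def lint_all(policies: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Map policy display name to its findings, for policies that have any."""
    result = {}
    for p in policies:
        findings = lockout_risks(p)
        if findings:
            result[p["displayName"]] = findings
    return result


# Constructed sample policies (placeholder group ID, not a real tenant object).
SAMPLE_POLICIES: list[dict[str, Any]] = [
    {
        "displayName": "Require compliant device everywhere",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": [], "excludeRoles": []},
            "applications": {"includeApplications": ["All"]},
            "platforms": None,
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    },
    {
        "displayName": "Block all platforms",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": ["00000000-0000-0000-0000-000000000000"]},
            "applications": {"includeApplications": ["All"]},
            "platforms": {"includePlatforms": ["all"], "excludePlatforms": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "MFA for finance group",
        "state": "enabled",
        "conditions": {
            "users": {"includeGroups": ["11111111-1111-1111-1111-111111111111"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

if __name__ == "__main__":
    for name, findings in lint_all(SAMPLE_POLICIES).items():
        for f in findings:
            print(f"[{name}] {f}")
```

Run the lint over policies exported from your tenant before switching a policy from report-only to enabled; a policy that is flagged and also has no exclusions is the case in which the lockout section at the end of this article would apply.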

Conditional Access sign-in interrupt

The first way is to review the error message that appears. For problems signing in when using a web browser, the error page itself has detailed information. This information alone may describe what the problem is and may suggest a solution.

Figure: Sign-in error - compliant device required

In the above error, the message states that the application can only be accessed from devices or client applications that meet the company's mobile device management policy. In this case, the application and device do not meet that policy.

Azure AD sign-in events

The second method to get detailed information about the sign-in interruption is to review the Azure AD sign-in events to see which Conditional Access policy or policies were applied and why.

More information about the problem can be found by clicking More Details on the initial error page. Clicking More Details reveals troubleshooting information that is helpful when searching the Azure AD sign-in events for the specific failure event the user saw, or when opening a support incident with Microsoft.

Figure: More details for a web browser sign-in interrupted by a Conditional Access policy

To find out which Conditional Access policy or policies applied and why, do the following.

  1. Sign in to the Azure portal as a global administrator, security administrator, or global reader.

  2. Browse to Azure Active Directory > Sign-ins.

  3. Find the event for the sign-in to review. Add or remove filters and columns to filter out unnecessary information.

    1. Add filters to narrow the scope:
      1. Correlation ID, when you have a specific event to investigate.
      2. Conditional access, to see policy failure and success. Scope your filter to show only failures to limit results.
      3. Username, to see information related to specific users.
      4. Date, scoped to the time frame in question.

    Figure: Selecting the Conditional Access filter in the sign-ins log

  4. Once the sign-in event that corresponds to the user's sign-in failure has been found, select the Conditional Access tab. The Conditional Access tab shows the specific policy or policies that resulted in the sign-in interruption.

    1. Information in the Troubleshooting and support tab may provide a clear reason as to why a sign-in failed, such as a device that did not meet compliance requirements.
    2. To investigate further, drill down into the configuration of the policies by clicking on the Policy Name. Clicking the Policy Name shows the policy configuration user interface for the selected policy, for review and editing.
    3. The client user and device details that were used for the Conditional Access policy assessment are also available in the Basic Info, Location, Device Info, Authentication Details, and Additional Details tabs of the sign-in event.

Policy details

Selecting the ellipsis on the right side of the policy in a sign-in event brings up policy details. This gives administrators additional information about why a policy was, or was not, successfully applied.

Figure: Conditional Access tab of a sign-in event

Figure: Policy details (preview)

The left side provides the details collected at sign-in, and the right side shows whether those details satisfy the requirements of the applied Conditional Access policies. A Conditional Access policy only applies when every one of its conditions is either satisfied or not configured.

If the information in the event isn't enough to understand the sign-in results or to adjust the policy to get the desired results, a support incident may be opened. Navigate to that sign-in event's Troubleshooting and support tab and select Create a new support request.

Figure: Troubleshooting and support tab of a sign-in event

When submitting the incident, provide the request ID and the time and date from the sign-in event in the incident submission details. This information allows Microsoft support to find the event you're concerned about.

Conditional Access error codes

Sign-in error code   Error string
53000                DeviceNotCompliant
53001                DeviceNotDomainJoined
53002                ApplicationUsedIsNotAnApprovedApp
53003                BlockedByConditionalAccess
53004                ProofUpBlockedDueToRisk
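The portal procedure above (filtering the sign-ins log by Correlation ID, Conditional access status, Username and Date, then reading the Conditional Access tab and policy details) and the error code table can be reproduced offline against exported sign-in records. The following is an added example, not Microsoft's code or tooling: it assumes records shaped like the Microsoft Graph signIn resource returned by auditLogs/signIns (id, createdDateTime, userPrincipalName, correlationId, conditionalAccessStatus, status.errorCode, status.failureReason, appliedConditionalAccessPolicies and deviceDetail), maps status.errorCode through the table above, and reports which policy failed and the request ID and time to quote in a support incident. The three records, their users, IDs and control names are constructed.

```python
"""Triage Conditional Access sign-in failures from exported Azure AD sign-in log records.

Added example, not Microsoft's code. Records are assumed to follow the shape of the
Microsoft Graph signIn resource (auditLogs/signIns); the three records are constructed.
"""
from datetime import datetime
from typing import Any, Iterable, Optional

# Sign-in error codes and error strings from the table in this article.
CA_ERROR_STRINGS = {
    53000: "DeviceNotCompliant",
    53001: "DeviceNotDomainJoined",
    53002: "ApplicationUsedIsNotAnApprovedApp",
    53003: "BlockedByConditionalAccess",
    53004: "ProofUpBlockedDueToRisk",
}

# Constructed sample records (not real tenant data).
SAMPLE_SIGNINS: list[dict[str, Any]] = [
    {
        "id": "req-0001",
        "createdDateTime": "2023-05-02T09:14:07Z",
        "userPrincipalName": "alice@contoso.example",
        "appDisplayName": "Office 365 SharePoint Online",
        "correlationId": "4f1c0d7e-0000-4000-8000-000000000001",
        "conditionalAccessStatus": "failure",
        "status": {"errorCode": 53000, "failureReason": "Device is not in required device state: compliant."},
        "deviceDetail": {"operatingSystem": "Windows 10", "isCompliant": False, "isManaged": False},
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require compliant device", "result": "failure",
             "enforcedGrantControls": ["RequireCompliantDevice"]},
            {"displayName": "MFA for admins", "result": "notApplied", "enforcedGrantControls": []},
        ],
    },
    {
        "id": "req-0002",
        "createdDateTime": "2023-05-01T17:30:00Z",
        "userPrincipalName": "alice@contoso.example",
        "appDisplayName": "Azure Portal",
        "correlationId": "4f1c0d7e-0000-4000-8000-000000000002",
        "conditionalAccessStatus": "success",
        "status": {"errorCode": 0, "failureReason": "Other."},
        "deviceDetail": {"operatingSystem": "Windows 10", "isCompliant": True, "isManaged": True},
        "appliedConditionalAccessPolicies": [
            {"displayName": "MFA for admins", "result": "success", "enforcedGrantControls": ["Mfa"]},
        ],
    },
    {
        "id": "req-0003",
        "createdDateTime": "2023-05-02T11:02:45Z",
        "userPrincipalName": "bob@contoso.example",
        "appDisplayName": "Exchange Online",
        "correlationId": "4f1c0d7e-0000-4000-8000-000000000003",
        "conditionalAccessStatus": "failure",
        "status": {"errorCode": 53003, "failureReason": "Access has been blocked by Conditional Access policies."},
        "deviceDetail": {"operatingSystem": "Android", "isCompliant": False, "isManaged": False},
        "appliedConditionalAccessPolicies": [
            {"displayName": "Block legacy clients", "result": "failure", "enforcedGrantControls": ["Block"]},
        ],
    },
]


def parse_time(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in createdDateTime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def filter_signins(records: Iterable[dict[str, Any]], *, correlation_id: Optional[str] = None,
                   user: Optional[str] = None, ca_status: Optional[str] = None,
                   since: Optional[datetime] = None, until: Optional[datetime] = None) -> list[dict[str, Any]]:
    """Apply the same narrowing the portal filters offer: Correlation ID, Conditional access, Username, Date."""
    out = []
    for r in records:
        if correlation_id and r.get("correlationId") != correlation_id:
            continue
        if user and r.get("userPrincipalName", "").lower() != user.lower():
            continue
        if ca_status and r.get("conditionalAccessStatus") != ca_status:
            continue
        t = parse_time(r["createdDateTime"])
        if (since and t < since) or (until and t > until):
            continue
        out.append(r)
    return out


def explain_failure(record: dict[str, Any]) -> dict[str, Any]:
    """Summarize what the Conditional Access tab and policy details show for one sign-in event."""
    status = record.get("status", {})
    code = int(status.get("errorCode", 0))
    failed = [p for p in record.get("appliedConditionalAccessPolicies", []) if p.get("result") == "failure"]
    dev = record.get("deviceDetail", {})
    return {
        "requestId": record.get("id"),              # quote this plus the time in a support incident
        "time": record.get("createdDateTime"),
        "correlationId": record.get("correlationId"),
        "errorCode": code,
        "errorString": CA_ERROR_STRINGS.get(code, "not a Conditional Access error code"),
        "failureReason": status.get("failureReason"),
        "blockingPolicies": [p["displayName"] for p in failed],
        "enforcedControls": sorted({c for p in failed for c in p.get("enforcedGrantControls", [])}),
        "device": {"compliant": dev.get("isCompliant"), "managed": dev.get("isManaged"),
                   "os": dev.get("operatingSystem")},
    }


if __name__ == "__main__":
    for r in filter_signins(SAMPLE_SIGNINS, ca_status="failure", since=parse_time("2023-05-02T00:00:00Z")):
        print(explain_failure(r))
```

Filtering on conditionalAccessStatus "failure" first, as the article recommends for the portal filter, keeps the result set small; the summary's blockingPolicies and errorString are the two fields that usually answer "which policy, and why" before a policy's configuration needs to be opened.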

What to do if you are locked out of the Azure portal

If you are locked out of the Azure portal due to an incorrect setting in a Conditional Access policy:

  • Check whether there are other administrators in your organization who aren't blocked yet. An administrator with access to the Azure portal can disable the policy that is impacting your sign-in.
  • If none of the administrators in your organization can update the policy, submit a support request. Microsoft support can review and, upon confirmation, update the Conditional Access policies that are preventing access.

Next steps