Azure AD 身份验证和授权错误代码Azure AD Authentication and authorization error codes

想要查找有关 Azure Active Directory (Azure AD) 安全令牌服务 (STS) 返回的 AADSTS 错误代码的信息?Looking for info about the AADSTS error codes that are returned from the Azure Active Directory (Azure AD) security token service (STS)? 请阅读本文档来查找 AADSTS 错误说明、修复方法和一些建议的解决方法。Read this document to find AADSTS error descriptions, fixes, and some suggested workarounds.

备注

本文中的信息属于初步信息,随时可能更改。This information is preliminary and subject to change. 遇到了问题或者找不到所需的内容?Have a question or can't find what you're looking for? 请创建 GitHub 问题,或查看面向开发人员的支持和帮助选项来了解其他可以获得帮助和支持的方法。Create a GitHub issue or see Support and help options for developers to learn about other ways you can get help and support.

本文档是为开发者和管理员提供的指导,但决不应当被客户自己使用。This documentation is provided for developer and admin guidance, but should never be used by the client itself. 错误代码可能会随时更改,以便提供更详细的错误消息,以在开发者构建应用程序时为其提供帮助。Error codes are subject to change at any time in order to provide more granular error messages that are intended to help the developer while building their application. 依赖于文本或错误代码的应用程序随着时间的推移将会损坏。Apps that take a dependency on text or error code numbers will be broken over time.

处理应用程序中的错误代码Handling error codes in your application

OAuth 2.0 规范介绍如何在身份验证期间使用错误响应的 error 部分处理错误。The OAuth2.0 spec provides guidance on how to handle errors during authentication using the error portion of the error response.

下面是一个错误响应示例:Here is a sample error response:

{
  "error": "invalid_scope",
  "error_description": "AADSTS70011: The provided value for the input parameter 'scope' is not valid. The scope https://example.contoso.com/activity.read is not valid.\r\nTrace ID: 255d1aef-8c98-452f-ac51-23d051240864\r\nCorrelation ID: fb3d2015-bc17-4bb9-bb85-30c5cf1aaaa7\r\nTimestamp: 2016-01-09 02:02:12Z",
  "error_codes": [
    70011
  ],
  "timestamp": "2016-01-09 02:02:12Z",
  "trace_id": "255d1aef-8c98-452f-ac51-23d051240864",
  "correlation_id": "fb3d2015-bc17-4bb9-bb85-30c5cf1aaaa7", 
  "error_uri":"https://login.partner.microsoftonline.cn/error?code=70011"
}
参数Parameter 说明Description
error 一个错误码字符串,可用来对发生的错误类型进行分类,并应当用来响应错误。An error code string that can be used to classify types of errors that occur, and should be used to react to errors.
error_description 帮助开发人员识别身份验证错误根本原因的特定错误消息。A specific error message that can help a developer identify the root cause of an authentication error. 绝对不要使用此字段来响应代码中的错误。Never use this field to react to an error in your code.
error_codes 可帮助诊断的 STS 特定错误代码列表。A list of STS-specific error codes that can help in diagnostics.
timestamp 发生错误的时间。The time at which the error occurred.
trace_id 可帮助诊断的请求唯一标识符。A unique identifier for the request that can help in diagnostics.
correlation_id 可帮助跨组件诊断的请求唯一标识符。A unique identifier for the request that can help in diagnostics across components.
error_uri 指向错误查找页面的链接,该页面中包含有关错误的其他信息。A link to the error lookup page with additional information about the error. 这仅供开发人员使用,不向用户提供。This is for developer usage only, do not present it to users. 仅当错误查找系统具有相关错误的其他信息时才提供 - 并非所有错误都提供了其他信息。Only present when the error lookup system has additional information about the error - not all error have additional information provided.

error 字段有多个可能值 - 请查看协议文档链接和 OAuth 2.0 规范来详细了解特定错误(例如,设备代码流中的 authorization_pending)以及如何响应它们。The error field has several possible values - review the protocol documentation links and OAuth 2.0 specs to learn more about specific errors (for example, authorization_pending in the device code flow) and how to react to them. 下面列出了一些常见错误:Some common ones are listed here:

错误代码Error Code 说明Description 客户端操作Client Action
invalid_request 协议错误,例如,缺少必需的参数。Protocol error, such as a missing required parameter. 修复并重新提交请求。Fix and resubmit the request.
invalid_grant 某些身份验证材料(身份验证代码、刷新令牌、访问令牌、PKCE 质询)无效、无法分析、缺失或在其他方面无法使用Some of the authentication material (auth code, refresh token, access token, PKCE challenge) was invalid, unparseable, missing, or otherwise unusable 尝试对 /authorize 终结点发出新请求来获取新的授权代码。Try a new request to the /authorize endpoint to get a new authorization code. 考虑查看和验证应用程序对协议的使用。Consider reviewing and validating that app's use of the protocols.
unauthorized_client 经过身份验证的客户端无权使用此权限授予类型。The authenticated client isn't authorized to use this authorization grant type. 客户端应用程序未注册到 Azure AD 中或者未添加到用户的 Azure AD 租户时,通常会出现这种情况。This usually occurs when the client application isn't registered in Azure AD or isn't added to the user's Azure AD tenant. 应用程序可以提示用户,并说明如何安装应用程序并将其添加到 Azure AD。The application can prompt the user with instruction for installing the application and adding it to Azure AD.
invalid_client 客户端身份验证失败。Client authentication failed. 客户端凭据无效。The client credentials aren't valid. 若要修复,应用程序管理员应更新凭据。To fix, the application administrator updates the credentials.
unsupported_grant_type 授权服务器不支持权限授予类型。The authorization server does not support the authorization grant type. 更改请求中的授权类型。Change the grant type in the request. 这种类型的错误应该只在开发过程中发生,并且应该在初始测试过程中检测到。This type of error should occur only during development and be detected during initial testing.
invalid_resource 目标资源无效,原因是它不存在,Azure AD 找不到它,或者未正确配置。The target resource is invalid because it does not exist, Azure AD can't find it, or it's not correctly configured. 这表示未在租户中配置该资源(如果存在)。This indicates the resource, if it exists, has not been configured in the tenant. 应用程序可以提示用户,并说明如何安装应用程序并将其添加到 Azure AD。The application can prompt the user with instruction for installing the application and adding it to Azure AD. 在开发过程中,这通常表示错误地设置了测试租户,或者在所请求范围的名称中有拼写错误。During development, this usually indicates an incorrectly setup test tenant or a typo in the name of the scope being requested.
interaction_required 请求需要用户交互。The request requires user interaction. 例如,需要额外的身份验证步骤。For example, an additional authentication step is required. 请以交互方式用同一资源重试请求,以便用户能够完成所需的任何质询。Retry the request with the same resource, interactively, so that the user can complete any challenges required.
temporarily_unavailable 服务器暂时繁忙,无法处理请求。The server is temporarily too busy to handle the request. 重试请求。Retry the request. 客户端应用程序可向用户说明,其响应由于临时状况而延迟。The client application might explain to the user that its response is delayed because of a temporary condition.

查找当前错误代码信息Lookup current error code information

错误代码和消息可能会更改。Error codes and messages are subject to change. 有关最新信息,请查看 https://login.partner.microsoftonline.cn/error 页,以查找 AADSTS 错误说明、修复程序和一些建议的解决方法。For the most current info, take a look at the https://login.partner.microsoftonline.cn/error page to find AADSTS error descriptions, fixes, and some suggested workarounds.

例如,如果收到错误代码“AADSTS50058”,则在 https://login.partner.microsoftonline.cn/error 中搜索“50058”。For example, if you received the error code "AADSTS50058" then do a search in https://login.partner.microsoftonline.cn/error for "50058". 还可以通过将错误代码编号添加到 URL https://login.partner.microsoftonline.cn/error?code=50058 来直接链接到特定错误。You can also link directly to a specific error by adding the error code number to the URL: https://login.partner.microsoftonline.cn/error?code=50058.

AADSTS 错误代码AADSTS error codes

错误Error 说明Description
AADSTS16000AADSTS16000 SelectUserAccount - 这是 Azure AD 引发的中断,使得 UI 允许用户从多个有效 SSO 会话中进行选择。SelectUserAccount - This is an interrupt thrown by Azure AD, which results in UI that allows the user to select from among multiple valid SSO sessions. 此错误相当常见。如果指定了 prompt=none,可能会在应用程序中返回此错误。This error is fairly common and may be returned to the application if prompt=none is specified.
AADSTS16001AADSTS16001 UserAccountSelectionInvalid - 如果用户单击会话选择逻辑已拒绝的某个磁贴,则会出现此错误。UserAccountSelectionInvalid - You'll see this error if the user clicks on a tile that the session select logic has rejected. 触发此错误时,用户可以从更新的磁贴/会话列表中进行选择或选择另一个帐户进行恢复。When triggered, this error allows the user to recover by picking from an updated list of tiles/sessions, or by choosing another account. 此错误的原因可能是代码缺陷或出现争用状况。This error can occur because of a code defect or race condition.
AADSTS16002AADSTS16002 AppSessionSelectionInvalid - 不符合应用指定的 SID 要求。AppSessionSelectionInvalid - The app-specified SID requirement was not met.
AADSTS16003AADSTS16003 SsoUserAccountNotFoundInResourceTenant - 指示尚未显式将用户添加到租户。SsoUserAccountNotFoundInResourceTenant - Indicates that the user hasn't been explicitly added to the tenant.
AADSTS17003AADSTS17003 CredentialKeyProvisioningFailed - Azure AD 无法预配用户密钥。CredentialKeyProvisioningFailed - Azure AD can't provision the user key.
AADSTS20001AADSTS20001 WsFedSignInResponseError - 联合标识提供者出现问题。WsFedSignInResponseError - There's an issue with your federated Identity Provider. 请联系 IDP 解决此问题。Contact your IDP to resolve this issue.
AADSTS20012AADSTS20012 WsFedMessageInvalid - 联合标识提供者出现问题。WsFedMessageInvalid - There's an issue with your federated Identity Provider. 请联系 IDP 解决此问题。Contact your IDP to resolve this issue.
AADSTS20033AADSTS20033 FedMetadataInvalidTenantName - 联合标识提供者出现问题。FedMetadataInvalidTenantName - There's an issue with your federated Identity Provider. 请联系 IDP 解决此问题。Contact your IDP to resolve this issue.
AADSTS40008AADSTS40008 OAuth2IdPUnretryableServerError - 联合标识提供者出现问题。OAuth2IdPUnretryableServerError - There's an issue with your federated Identity Provider. 请联系 IDP 解决此问题。Contact your IDP to resolve this issue.
AADSTS40009AADSTS40009 OAuth2IdPRefreshTokenRedemptionUserError - 联合标识提供者出现问题。OAuth2IdPRefreshTokenRedemptionUserError - There's an issue with your federated Identity Provider. 请联系 IDP 解决此问题。Contact your IDP to resolve this issue.
AADSTS40010AADSTS40010 OAuth2IdPRetryableServerError - 联合标识提供者出现问题。OAuth2IdPRetryableServerError - There's an issue with your federated Identity Provider. 请联系 IDP 解决此问题。Contact your IDP to resolve this issue.
AADSTS40015AADSTS40015 OAuth2IdPAuthCodeRedemptionUserError - 联合标识提供者出现问题。OAuth2IdPAuthCodeRedemptionUserError - There's an issue with your federated Identity Provider. 请联系 IDP 解决此问题。Contact your IDP to resolve this issue.
AADSTS50000AADSTS50000 TokenIssuanceError - 登录服务出现问题。TokenIssuanceError - There's an issue with the sign-in service. 开具支持票证以解决此问题。Open a support ticket to resolve this issue.
AADSTS50001AADSTS50001 InvalidResource - 资源已禁用或不存在。InvalidResource - The resource is disabled or does not exist. 请检查应用代码,确保为尝试访问的资源指定了确切的资源 URL。Check your app's code to ensure that you have specified the exact resource URL for the resource you are trying to access.
AADSTS50002AADSTS50002 NotAllowedTenant - 由于租户中的代理访问权限受限,登录失败。NotAllowedTenant - Sign-in failed because of a restricted proxy access on the tenant. 如果这是你自己的租户策略,可以更改受限的租户设置来解决此问题。If it's your own tenant policy, you can change your restricted tenant settings to fix this issue.
AADSTS50003AADSTS50003 MissingSigningKey - 由于缺少签名密钥或证书,登录失败。MissingSigningKey - Sign-in failed because of a missing signing key or certificate. 这可能是因为应用中未配置任何签名密钥。This might be because there was no signing key configured in the app. 如果仍然出现问题,请联系应用所有者或应用管理员。If you still see issues, contact the app owner or an app admin.
AADSTS50005AADSTS50005 DevicePolicyError - 用户尝试从条件访问策略目前不支持的平台登录到设备。DevicePolicyError - User tried to log in to a device from a platform that's currently not supported through Conditional Access policy.
AADSTS50006AADSTS50006 InvalidSignature - 由于签名无效,签名验证失败。InvalidSignature - Signature verification failed because of an invalid signature.
AADSTS50007AADSTS50007 PartnerEncryptionCertificateMissing - 未找到此应用的合作伙伴加密证书。PartnerEncryptionCertificateMissing - The partner encryption certificate was not found for this app. 请向 Microsoft 开具支持票证以解决此问题。Open a support ticket with Microsoft to get this fixed.
AADSTS50008AADSTS50008 InvalidSamlToken - SAML 断言在令牌中缺失或配置错误。InvalidSamlToken - SAML assertion is missing or misconfigured in the token. 请联系联合提供者。Contact your federation provider.
AADSTS50010AADSTS50010 AudienceUriValidationFailed - 由于未配置令牌受众,应用的受众 URI 验证失败。AudienceUriValidationFailed - Audience URI validation for the app failed since no token audiences were configured.
AADSTS50011AADSTS50011 InvalidReplyTo - 回复地址缺失、配置错误或者与为应用配置的回复地址不匹配。InvalidReplyTo - The reply address is missing, misconfigured, or does not match reply addresses configured for the app. 作为一种解决方法,请确保将此缺失的回复地址添加到 Azure Active Directory 应用程序,或者让有权在 Active Directory 中管理你的应用程序的人为你执行此操作。As a resolution ensure to add this missing reply address to the Azure Active Directory application or have someone with the permissions to manage your application in Active Directory do this for you.
AADSTS50012AADSTS50012 AuthenticationFailed - 身份验证由于以下原因之一而失败:AuthenticationFailed - Authentication failed for one of the following reasons:
  • 未授权签名证书的使用者名称The subject name of the signing certificate is not authorized
  • 找不到与已授权使用者名称匹配的受信任颁发机构策略A matching trusted authority policy was not found for the authorized subject name
  • 证书链无效The certificate chain is not valid
  • 签名证书无效The signing certificate is not valid
  • 未在租户中配置策略Policy is not configured on the tenant
  • 未授权签名证书的指纹Thumbprint of the signing certificate is not authorized
  • 客户端断言包含无效的签名Client assertion contains an invalid signature
AADSTS50013AADSTS50013 InvalidAssertion - 多种原因导致断言无效 - 令牌颁发者与令牌有效时间范围内的 API 版本不匹配 - 已过期 - 格式不正确 - 断言中的刷新令牌不是主要刷新令牌。InvalidAssertion - Assertion is invalid because of various reasons - The token issuer doesn't match the api version within its valid time range -expired -malformed - Refresh token in the assertion is not a primary refresh token.
AADSTS50014AADSTS50014 GuestUserInPendingState - 用户兑换处于挂起状态。GuestUserInPendingState - The user's redemption is in a pending state. 尚未完全创建来宾用户帐户。The guest user account is not fully created yet.
AADSTS50015AADSTS50015 ViralUserLegalAgeConsentRequiredState - 用户需要法定年龄组许可。ViralUserLegalAgeConsentRequiredState - The user requires legal age group consent.
AADSTS50017AADSTS50017 CertificateValidationFailed - 证书验证失败,原因如下:CertificateValidationFailed - Certification validation failed, reasons for the following reasons:
  • 在受信任的证书列表中找不到颁发证书Cannot find issuing certificate in trusted certificates list
  • 找不到所需的 CrlSegmentUnable to find expected CrlSegment
  • 在受信任的证书列表中找不到颁发证书Cannot find issuing certificate in trusted certificates list
  • 在没有对应 CRL 分发点的情况下配置了增量 CRL 分发点Delta CRL distribution point is configured without a corresponding CRL distribution point
  • 由于超时问题,无法检索有效的 CRL 段Unable to retrieve valid CRL segments because of a timeout issue
  • 无法下载 CRLUnable to download CRL
请联系租户管理员。Contact the tenant admin.
AADSTS50020AADSTS50020 UserUnauthorized - 未授权用户调用此终结点。UserUnauthorized - Users are unauthorized to call this endpoint.
AADSTS50027AADSTS50027 InvalidJwtToken - 以下原因导致 JWT 令牌无效:InvalidJwtToken - Invalid JWT token because of the following reasons:
  • 不包含 nonce 声明和子声明doesn't contain nonce claim, sub claim
  • 使用者标识符不匹配subject identifier mismatch
  • idToken 声明中存在重复声明duplicate claim in idToken claims
  • 意外的颁发者unexpected issuer
  • 意外的受众unexpected audience
  • 不在有效的时间范围内not within its valid time range
  • 令牌格式不正确token format is not proper
  • 颁发者的外部 ID 令牌未通过签名验证。External ID token from issuer failed signature verification.
AADSTS50029AADSTS50029 URI 无效 - 域名包含无效字符。Invalid URI - domain name contains invalid characters. 请联系租户管理员。Contact the tenant admin.
AADSTS50032AADSTS50032 WeakRsaKey - 指示错误的用户尝试使用弱 RSA 密钥。WeakRsaKey - Indicates the erroneous user attempt to use a weak RSA key.
AADSTS50033AADSTS50033 RetryableError - 指示与数据库操作不相关的暂时性错误。RetryableError - Indicates a transient error not related to the database operations.
AADSTS50034AADSTS50034 UserAccountNotFound - 若要登录到此应用程序,必须将帐户添加到目录中。UserAccountNotFound - To sign into this application, the account must be added to the directory.
AADSTS50042AADSTS50042 UnableToGeneratePairwiseIdentifierWithMissingSalt - 原则中缺少用于生成成对标识符的盐。UnableToGeneratePairwiseIdentifierWithMissingSalt - The salt required to generate a pairwise identifier is missing in principle. 请联系租户管理员。Contact the tenant admin.
AADSTS50043AADSTS50043 UnableToGeneratePairwiseIdentifierWithMultipleSaltsUnableToGeneratePairwiseIdentifierWithMultipleSalts
AADSTS50048AADSTS50048 SubjectMismatchesIssuer - 使用者与客户端断言中的颁发者声明不匹配。SubjectMismatchesIssuer - Subject mismatches Issuer claim in the client assertion. 请联系租户管理员。Contact the tenant admin.
AADSTS50049AADSTS50049 NoSuchInstanceForDiscovery - 未知或无效的实例。NoSuchInstanceForDiscovery - Unknown or invalid instance.
AADSTS50050AADSTS50050 MalformedDiscoveryRequest - 请求格式不正确。MalformedDiscoveryRequest - The request is malformed.
AADSTS50053AADSTS50053 IdsLocked - 帐户已锁定,因为用户尝试使用不正确的用户 ID 或密码登录的次数过多。IdsLocked - The account is locked because the user tried to sign in too many times with an incorrect user ID or password.
AADSTS50055AADSTS50055 InvalidPasswordExpiredPassword - 密码已过期。InvalidPasswordExpiredPassword - The password is expired.
AADSTS50056AADSTS50056 密码无效或为 null - 密码在此用户的存储中不存在。Invalid or null password -Password does not exist in store for this user.
AADSTS50057AADSTS50057 UserDisabled - 用户帐户处于禁用状态。UserDisabled - The user account is disabled. 帐户已被管理员禁用。The account has been disabled by an administrator.
AADSTS50058AADSTS50058 UserInformationNotProvided - 表示用户未登录。UserInformationNotProvided - This means that a user is not signed in. 这是一个常见的错误,如果用户未经过身份验证并且尚未登录,则预期会出现此错误。This is a common error that's expected when a user is unauthenticated and has not yet signed in.
如果在用户登录的 SSO 上下文中遇到此错误,则表示 SSO 会话未找到或无效。If this error is encouraged in an SSO context where the user has previously signed in, this means that the SSO session was either not found or invalid.
如果指定了 prompt=none,则可能会在应用程序中返回此错误。This error may be returned to the application if prompt=none is specified.
AADSTS50059AADSTS50059 MissingTenantRealmAndNoUserInformationProvided - 在请求中未找到租户标识信息,或者任何提供的凭据未隐式指定此信息。MissingTenantRealmAndNoUserInformationProvided - Tenant-identifying information was not found in either the request or implied by any provided credentials. 用户可以联系租户管理员来帮助解决此问题。The user can contact the tenant admin to help resolve the issue.
AADSTS50061AADSTS50061 SignoutInvalidRequest - 注销请求无效。SignoutInvalidRequest - The sign-out request is invalid.
AADSTS50064AADSTS50064 CredentialAuthenticationError - 用户名或密码凭据验证失败。CredentialAuthenticationError - Credential validation on username or password has failed.
AADSTS50068AADSTS50068 SignoutInitiatorNotParticipant - 注销失败。SignoutInitiatorNotParticipant - Sign out has failed. 发起注销的应用不是当前会话中的参与者。The app that initiated sign out is not a participant in the current session.
AADSTS50070AADSTS50070 SignoutUnknownSessionIdentifier - 注销失败。SignoutUnknownSessionIdentifier - Sign out has failed. 注销请求指定了与现有会话不匹配的名称标识符。The sign out request specified a name identifier that didn't match the existing session(s).
AADSTS50071AADSTS50071 SignoutMessageExpired - 注销请求已过期。SignoutMessageExpired - The logout request has expired.
AADSTS50072AADSTS50072 UserStrongAuthEnrollmentRequiredInterrupt - 用户需要注册双重身份验证(交互式)。UserStrongAuthEnrollmentRequiredInterrupt - User needs to enroll for second factor authentication (interactive).
AADSTS50074AADSTS50074 UserStrongAuthClientAuthNRequiredInterrupt - 需要强身份验证,用户未通过 MFA 质询。UserStrongAuthClientAuthNRequiredInterrupt - Strong authentication is required and the user did not pass the MFA challenge.
AADSTS50076AADSTS50076 UserStrongAuthClientAuthNRequired - 由于管理员做了配置更改,或者你已移到新位置,用户必须使用多重身份验证来访问资源。UserStrongAuthClientAuthNRequired - Due to a configuration change made by the admin, or because you moved to a new location, the user must use multi-factor authentication to access the resource. 请使用针对资源的新授权请求重试。Retry with a new authorize request for the resource.
AADSTS50079AADSTS50079 UserStrongAuthEnrollmentRequired - 由于管理员做了配置更改,或者用户已移到新位置,该用户需要使用多重身份验证。UserStrongAuthEnrollmentRequired - Due to a configuration change made by the administrator, or because the user moved to a new location, the user is required to use multi-factor authentication.
AADSTS50085AADSTS50085 刷新令牌需要社交 IDP 登录。Refresh token needs social IDP login. 请让用户尝试使用用户名和密码再次登录Have user try signing-in again with username -password
AADSTS50086AADSTS50086 SasNonRetryableErrorSasNonRetryableError
AADSTS50087AADSTS50087 SasRetryableError - 服务暂时不可用。SasRetryableError - The service is temporarily unavailable. 重试。Try again.
AADSTS50089AADSTS50089 流令牌过期 - 身份验证失败。Flow token expired - Authentication Failed. 请让用户尝试使用用户名和密码再次登录Have the user try signing-in again with username -password.
AADSTS50097AADSTS50097 DeviceAuthenticationRequired - 必须使用设备身份验证。DeviceAuthenticationRequired - Device authentication is required.
AADSTS50099AADSTS50099 PKeyAuthInvalidJwtUnauthorized - JWT 签名无效。PKeyAuthInvalidJwtUnauthorized - The JWT signature is invalid.
AADSTS50105AADSTS50105 EntitlementGrantsNotFound - 未向已登录用户分配已登录应用的角色。EntitlementGrantsNotFound - The signed in user is not assigned to a role for the signed in app. 请将该用户分配到该应用。Assign the user to the app.
AADSTS50107AADSTS50107 InvalidRealmUri - 请求的联合领域对象不存在。InvalidRealmUri - The requested federation realm object does not exist. 请联系租户管理员。Contact the tenant admin.
AADSTS50120AADSTS50120 ThresholdJwtInvalidJwtFormat - JWT 标头有问题。ThresholdJwtInvalidJwtFormat - Issue with JWT header. 请联系租户管理员。Contact the tenant admin.
AADSTS50124AADSTS50124 ClaimsTransformationInvalidInputParameter - 声明转换包含无效的输入参数。ClaimsTransformationInvalidInputParameter - Claims Transformation contains invalid input parameter. 请联系租户管理员来更新策略。Contact the tenant admin to update the policy.
AADSTS50125AADSTS50125 PasswordResetRegistrationRequiredInterrupt - 密码重置或密码注册条目导致登录中断。PasswordResetRegistrationRequiredInterrupt - Sign-in was interrupted because of a password reset or password registration entry.
AADSTS50126AADSTS50126 InvalidUserNameOrPassword - 无效的用户名或密码导致验证凭据时出错。InvalidUserNameOrPassword - Error validating credentials due to invalid username or password.
AADSTS50127AADSTS50127 BrokerAppNotInstalled - 用户需要安装中转站应用才能访问此内容。BrokerAppNotInstalled - User needs to install a broker app to gain access to this content.
AADSTS50128AADSTS50128 域名无效 - 未在请求中找到或提供的任何凭据均未暗示任何租户标识信息。Invalid domain name - No tenant-identifying information found in either the request or implied by any provided credentials.
AADSTS50129AADSTS50129 DeviceIsNotWorkplaceJoined - 需要加入工作区才能注册设备。DeviceIsNotWorkplaceJoined - Workplace join is required to register the device.
AADSTS50131AADSTS50131 ConditionalAccessFailed - 指示各种条件访问错误,例如,Windows 设备状态不正确,请求因活动可疑、访问策略和安全策略决策而被阻止。ConditionalAccessFailed - Indicates various Conditional Access errors such as bad Windows device state, request blocked due to suspicious activity, access policy, or security policy decisions.
AADSTS50132AADSTS50132 SsoArtifactInvalidOrExpired - 会话由于密码过期或最近更改了密码而无效。SsoArtifactInvalidOrExpired - The session is not valid due to password expiration or recent password change.
AADSTS50133AADSTS50133 SsoArtifactRevoked - 会话由于密码过期或最近更改了密码而无效。SsoArtifactRevoked - The session is not valid due to password expiration or recent password change.
AADSTS50134AADSTS50134 DeviceFlowAuthorizeWrongDatacenter - 错误的数据中心。DeviceFlowAuthorizeWrongDatacenter - Wrong data center. 若要授权 OAuth 2.0 设备流中的应用发起的请求,授权方必须与原始请求位于同一数据中心。To authorize a request that was initiated by an app in the OAuth 2.0 device flow, the authorizing party must be in the same data center where the original request resides.
AADSTS50135AADSTS50135 PasswordChangeCompromisedPassword - 由于帐户风险,需要更改密码。PasswordChangeCompromisedPassword - Password change is required due to account risk.
AADSTS50136AADSTS50136 RedirectMsaSessionToApp - 检测到单个 MSA 会话。RedirectMsaSessionToApp - Single MSA session detected.
AADSTS50139AADSTS50139 SessionMissingMsaOAuth2RefreshToken - 由于缺少外部刷新令牌,会话无效。SessionMissingMsaOAuth2RefreshToken - The session is invalid due to a missing external refresh token.
AADSTS50140AADSTS50140 KmsiInterrupt - 此错误是由于用户登录时出现“使我保持登录状态”中断而发生的。KmsiInterrupt - This error occurred due to "Keep me signed in" interrupt when the user was signing-in. 开具支持票证并提供相关性 ID、请求 ID 和错误代码,以获取更多详细信息。Open a support ticket with Correlation ID, Request ID, and Error code to get more details.
AADSTS50143AADSTS50143 会话不匹配 - 会话无效,因为不同的资源导致用户租户与域提示不匹配。Session mismatch - Session is invalid because user tenant does not match the domain hint due to different resource. 开具支持票证并提供相关性 ID、请求 ID 和错误代码,以获取更多详细信息。Open a support ticket with Correlation ID, Request ID, and Error code to get more details.
AADSTS50144AADSTS50144 InvalidPasswordExpiredOnPremPassword - 用户的 Active Directory 密码已过期。InvalidPasswordExpiredOnPremPassword - User's Active Directory password has expired. 为用户生成新密码,或者让用户使用自助重置工具重置其密码。Generate a new password for the user or have the user use the self-service reset tool to reset their password.
AADSTS50146AADSTS50146 MissingCustomSigningKey - 需要为此应用配置特定于应用的签名密钥。MissingCustomSigningKey - This app is required to be configured with an app-specific signing key. 没有为此应用程序配置签名密钥,或者密钥已过期或尚未生效。It is either not configured with one, or the key has expired or is not yet valid.
AADSTS50147AADSTS50147 MissingCodeChallenge - 代码质询参数的大小无效。MissingCodeChallenge - The size of the code challenge parameter is not valid.
AADSTS50155AADSTS50155 DeviceAuthenticationFailed - 此用户的设备身份验证失败。DeviceAuthenticationFailed - Device authentication failed for this user.
AADSTS50158AADSTS50158 ExternalSecurityChallenge - 不符合外部安全质询。ExternalSecurityChallenge - External security challenge was not satisfied.
AADSTS50161AADSTS50161 InvalidExternalSecurityChallengeConfiguration - 外部提供程序发送的声明不够,或者向外部提供程序请求的声明缺失。InvalidExternalSecurityChallengeConfiguration - Claims sent by external provider is not enough or Missing claim requested to external provider.
AADSTS50166AADSTS50166 ExternalClaimsProviderThrottled - 无法将请求发送到声明提供程序。ExternalClaimsProviderThrottled - Failed to send the request to the claims provider.
AADSTS50168AADSTS50168 ChromeBrowserSsoInterruptRequired - 客户端能够通过 Windows 10 帐户扩展获取 SSO 令牌,但在请求中找不到令牌,或提供的令牌已过期。ChromeBrowserSsoInterruptRequired - The client is capable of obtaining an SSO token through the Windows 10 Accounts extension, but the token was not found in the request or the supplied token was expired.
AADSTS50169AADSTS50169 InvalidRequestBadRealm - 领域不是当前服务命名空间的已配置领域。InvalidRequestBadRealm - The realm is not a configured realm of the current service namespace.
AADSTS50170AADSTS50170 MissingExternalClaimsProviderMapping - 缺少外部控制映射。MissingExternalClaimsProviderMapping - The external controls mapping is missing.
AADSTS50177AADSTS50177 ExternalChallengeNotSupportedForPassthroughUsers - 直通用户不支持外部质询。ExternalChallengeNotSupportedForPassthroughUsers - External challenge is not supported for passthrough users.
AADSTS50178AADSTS50178 SessionControlNotSupportedForPassthroughUsers - 直通用户不支持会话控制。SessionControlNotSupportedForPassthroughUsers - Session control is not supported for passthrough users.
AADSTS50180AADSTS50180 WindowsIntegratedAuthMissing - 需要 Windows 集成身份验证。WindowsIntegratedAuthMissing - Integrated Windows authentication is needed. 为租户启用无缝 SSO。Enable the tenant for Seamless SSO.
AADSTS50187AADSTS50187 DeviceInformationNotProvided - 服务无法执行设备身份验证。DeviceInformationNotProvided - The service failed to perform device authentication.
AADSTS50196AADSTS50196 LoopDetected - 检测到客户端循环。LoopDetected - A client loop has been detected. 检查应用的逻辑,以确保实现了令牌缓存,并且正确处理了错误情况。Check the app’s logic to ensure that token caching is implemented, and that error conditions are handled correctly. 该应用在太短的时间内发出了太多相同请求,表明它处于错误状态或滥用请求令牌。The app has made too many of the same request in too short a period, indicating that it is in a faulty state or is abusively requesting tokens.
AADSTS50197AADSTS50197 ConflictingIdentities - 找不到用户。ConflictingIdentities - The user could not be found. 请尝试再次登录。Try signing in again.
AADSTS50199AADSTS50199 CmsiInterrupt - 出于安全原因,此请求需要用户确认。CmsiInterrupt - For security reasons, user confirmation is required for this request. 由于这是“interaction_required”错误,因此客户端应进行交互式身份验证。之所以发生这种情况,是因为系统 Web 视图已用于请求本机应用程序的令牌,必须提示用户询问此应用是否确实为他们要登录的应用。Because this is an "interaction_required" error, the client should do interactive auth. This occurs because a system webview has been used to request a token for a native application - the user must be prompted to ask if this was actually the app they meant to sign into. 要避免此提示,重定向 URI 应是以下安全列表的一部分:To avoid this prompt, the redirect URI should be part of the following safe list:
http://http://
https://https://
msauth://(仅限 iOS)msauth://(iOS only)
msauthv2://(仅限 iOS)msauthv2://(iOS only)
chrome-extension://(仅限桌面 Chrome 浏览器)chrome-extension:// (desktop Chrome browser only)
AADSTS51000AADSTS51000 RequiredFeatureNotEnabled - 已禁用该功能。RequiredFeatureNotEnabled - The feature is disabled.
AADSTS51001AADSTS51001 DomainHintMustbePresent - 必须使用本地安全标识符或本地 UPN 提供域提示。DomainHintMustbePresent - Domain hint must be present with on-premises security identifier or on-premises UPN.
AADSTS51004AADSTS51004 UserAccountNotInDirectory - 目录中不存在该用户帐户。UserAccountNotInDirectory - The user account doesn’t exist in the directory.
AADSTS51005AADSTS51005 TemporaryRedirect - 等效于 HTTP 状态 307,表示请求的信息位于 location 标头中指定的 URI 处。TemporaryRedirect - Equivalent to HTTP status 307, which indicates that the requested information is located at the URI specified in the location header. 如果收到此状态,请遵循与响应关联的 location 标头操作。When you receive this status, follow the location header associated with the response. 如果原始请求方法是 POST,则重定向的请求也会使用 POST 方法。When the original request method was POST, the redirected request will also use the POST method.
AADSTS51006AADSTS51006 ForceReauthDueToInsufficientAuth - 需要 Windows 集成身份验证。ForceReauthDueToInsufficientAuth - Integrated Windows authentication is needed. 用户已使用缺少 Windows 集成身份验证声明的会话令牌登录。User logged in using a session token that is missing the Integrated Windows authentication claim. 请求用户重新登录。Request the user to log in again.
AADSTS52004AADSTS52004 DelegationDoesNotExistForLinkedIn - 用户未许可访问 LinkedIn 资源。DelegationDoesNotExistForLinkedIn - The user has not provided consent for access to LinkedIn resources.
AADSTS53000AADSTS53000 DeviceNotCompliant - 条件访问策略需要合规的设备,该设备不合规。DeviceNotCompliant - Conditional Access policy requires a compliant device, and the device is not compliant. 用户必须使用已批准的 MDM 提供程序(例如 Intune)注册其设备。The user must enroll their device with an approved MDM provider like Intune.
AADSTS53001AADSTS53001 DeviceNotDomainJoined - 条件访问策略需要已加入域的设备,而该设备未加入域。DeviceNotDomainJoined - Conditional Access policy requires a domain joined device, and the device is not domain joined. 让用户使用已加入域的设备。Have the user use a domain joined device.
AADSTS53002AADSTS53002 ApplicationUsedIsNotAnApprovedApp - 使用的应用不是批准用于条件访问的应用。ApplicationUsedIsNotAnApprovedApp - The app used is not an approved app for Conditional Access. 用户需使用可用的获批准应用列表中的某个应用才能获取访问权限。User needs to use one of the apps from the list of approved apps to use in order to get access.
AADSTS53003AADSTS53003 BlockedByConditionalAccess - 条件访问策略已阻止访问。BlockedByConditionalAccess - Access has been blocked by Conditional Access policies. 访问策略不允许令牌颁发。The access policy does not allow token issuance.
AADSTS53004AADSTS53004 ProofUpBlockedDueToRisk - 在访问此内容之前,用户需要完成多重身份验证注册过程。ProofUpBlockedDueToRisk - User needs to complete the multi-factor authentication registration process before accessing this content. 用户应注册多重身份验证。User should register for multi-factor authentication.
AADSTS54000AADSTS54000 MinorUserBlockedLegalAgeGroupRuleMinorUserBlockedLegalAgeGroupRule
AADSTS65001AADSTS65001 DelegationDoesNotExist - 用户或管理员尚未许可将应用程序与 ID X 配合使用。请发送针对该用户和资源的交互式授权请求。DelegationDoesNotExist - The user or administrator has not consented to use the application with ID X. Send an interactive authorization request for this user and resource.
AADSTS65004AADSTS65004 UserDeclinedConsent - 用户已拒绝许可访问该应用。UserDeclinedConsent - User declined to consent to access the app. 让用户重试登录并许可应用Have the user retry the sign-in and consent to the app
AADSTS65005AADSTS65005 MisconfiguredApplication - 应用所需的资源访问列表不包含可以通过资源来发现的应用,或者客户端应用请求访问的资源未在其必需的资源访问列表中指定,或者 Graph 服务返回了错误的请求,或者资源找不到。MisconfiguredApplication - The app required resource access list does not contain apps discoverable by the resource or The client app has requested access to resource, which was not specified in its required resource access list or Graph service returned bad request or resource not found. 如果应用支持 SAML,则原因可能是使用错误的标识符(实体)配置了应用。If the app supports SAML, you may have configured the app with the wrong Identifier (Entity).
AADSTS650052AADSTS650052 应用需要访问你的组织 \"{organization}\" 尚未订阅或启用的服务 (\"{name}\")The app needs access to a service (\"{name}\") that your organization \"{organization}\" has not subscribed to or enabled. 若要查看服务订阅的配置,请与 IT 管理员联系。Contact your IT Admin to review the configuration of your service subscriptions.
AADSTS67003AADSTS67003 ActorNotValidServiceIdentityActorNotValidServiceIdentity
AADSTS70000AADSTS70000 InvalidGrant - 身份验证失败。InvalidGrant - Authentication failed. 刷新令牌无效。The refresh token is not valid. 该错误的可能原因如下:Error may be due to the following reasons:
  • 令牌绑定标头为空Token binding header is empty
  • 令牌绑定哈希不匹配Token binding hash does not match
AADSTS70001AADSTS70001 UnauthorizedClient - 应用程序处于禁用状态。UnauthorizedClient - The application is disabled.
AADSTS70002AADSTS70002 InvalidClient - 验证凭据时出错。InvalidClient - Error validating the credentials. 指定的 client_secret 与此客户端的预期值不匹配。The specified client_secret does not match the expected value for this client. 请更正 client_secret,然后重试。Correct the client_secret and try again. 有关详细信息,请参阅使用授权代码请求访问令牌For more info, see Use the authorization code to request an access token.
AADSTS70003AADSTS70003 UnsupportedGrantType - 应用返回了不受支持的授权类型。UnsupportedGrantType - The app returned an unsupported grant type.
AADSTS70004AADSTS70004 InvalidRedirectUri - 应用返回了无效的重定向 URI。InvalidRedirectUri - The app returned an invalid redirect URI. 客户端指定的重定向地址与配置的任何地址或者 OIDC 批准列表中的任何地址都不匹配。The redirect address specified by the client does not match any configured addresses or any addresses on the OIDC approve list.
AADSTS70005AADSTS70005 UnsupportedResponseType - 由于以下原因,应用返回了不受支持的响应类型:UnsupportedResponseType - The app returned an unsupported response type due to the following reasons:
  • 没有为应用启用响应类型“token”response type 'token' is not enabled for the app
  • 响应类型“id_token”需要“OpenID”作用域 - 编码的 wctx 中包含不支持的 OAuth 参数值response type 'id_token' requires the 'OpenID' scope -contains an unsupported OAuth parameter value in the encoded wctx
AADSTS70007AADSTS70007 UnsupportedResponseMode - 请求令牌时,应用返回了不受支持的 response_mode 值。UnsupportedResponseMode - The app returned an unsupported value of response_mode when requesting a token.
AADSTS70008AADSTS70008 ExpiredOrRevokedGrant - 刷新令牌由于非活动状态而过期。ExpiredOrRevokedGrant - The refresh token has expired due to inactivity. 该令牌是在 XXX 颁发的,并在特定的时间内处于非活动状态。The token was issued on XXX and was inactive for a certain amount of time.
AADSTS70011AADSTS70011 InvalidScope - 应用请求的范围无效。InvalidScope - The scope requested by the app is invalid.
AADSTS70012AADSTS70012 MsaServerError - 对 MSA(使用者)用户进行身份验证时发生服务器错误。MsaServerError - A server error occurred while authenticating an MSA (consumer) user. 重试。Try again. 如果仍然失败,请开具支持票证If it continues to fail, open a support ticket
AADSTS70016AADSTS70016 AuthorizationPending - OAuth 2.0 设备流错误。AuthorizationPending - OAuth 2.0 device flow error. 授权处于挂起状态。Authorization is pending. 设备将重试轮询请求。The device will retry polling the request.
AADSTS70018AADSTS70018 BadVerificationCode - 由于用户为设备代码流键入了错误的用户代码,验证码无效。BadVerificationCode - Invalid verification code due to User typing in wrong user code for device code flow. 授权未获批准。Authorization is not approved.
AADSTS70019AADSTS70019 CodeExpired - 验证码已过期。CodeExpired - Verification code expired. 让用户重试登录。Have the user retry the sign-in.
AADSTS75001AADSTS75001 BindingSerializationError - SAML 消息绑定期间出错。BindingSerializationError - An error occurred during SAML message binding.
AADSTS75003AADSTS75003 UnsupportedBindingError - 应用返回了与不受支持的绑定相关的错误(无法通过 HTTP POST 以外的绑定发送 SAML 协议响应)。UnsupportedBindingError - The app returned an error related to unsupported binding (SAML protocol response cannot be sent via bindings other than HTTP POST).
AADSTS75005AADSTS75005 Saml2MessageInvalid - Azure AD 不支持应用针对 SSO 所发送的 SAML 请求。Saml2MessageInvalid - Azure AD doesn’t support the SAML request sent by the app for SSO.
AADSTS7500514AADSTS7500514 找不到支持的 SAML 响应类型。A supported type of SAML response was not found. 支持的响应类型为“Response”(在 XML 命名空间“'urn:oasis:names:tc:SAML:2.0:protocol”中)或“Assertion”(在 XML 命名空间“urn:oasis:names:tc:SAML:2.0:assertion”中)。The supported response types are 'Response' (in XML namespace 'urn:oasis:names:tc:SAML:2.0:protocol') or 'Assertion' (in XML namespace 'urn:oasis:names:tc:SAML:2.0:assertion'). 应用程序错误 - 开发人员会处理此错误。Application error - the developer will handle this error.
AADSTS75008AADSTS75008 RequestDeniedError - 由于 SAML 请求的目标不符合预期,来自应用的请求被拒绝。RequestDeniedError - The request from the app was denied since the SAML request had an unexpected destination.
AADSTS75011AADSTS75011 NoMatchedAuthnContextInOutputClaims - 用户在服务中用于身份验证的身份验证方法与请求的身份验证方法不匹配。NoMatchedAuthnContextInOutputClaims - The authentication method by which the user authenticated with the service doesn't match requested authentication method.
AADSTS75016AADSTS75016 Saml2AuthenticationRequestInvalidNameIDPolicy - SAML2 身份验证请求包含无效的 NameIdPolicy。Saml2AuthenticationRequestInvalidNameIDPolicy - SAML2 Authentication Request has invalid NameIdPolicy.
AADSTS80001AADSTS80001 OnPremiseStoreIsNotAvailable - 身份验证代理无法连接到 Active Directory。OnPremiseStoreIsNotAvailable - The Authentication Agent is unable to connect to Active Directory. 确保代理服务器是需要验证其密码的用户所在的 AD 林的成员,并且能够连接到 Active Directory。Make sure that agent servers are members of the same AD forest as the users whose passwords need to be validated and they are able to connect to Active Directory.
AADSTS80002AADSTS80002 OnPremisePasswordValidatorRequestTimedout - 密码验证请求超时。确保 Active Directory 可用,并且可以响应代理的请求。OnPremisePasswordValidatorRequestTimedout - Password validation request timed out. Make sure that Active Directory is available and responding to requests from the agents.
AADSTS80005AADSTS80005 OnPremisePasswordValidatorUnpredictableWebException - 处理来自身份验证代理的响应时发生未知的错误。OnPremisePasswordValidatorUnpredictableWebException - An unknown error occurred while processing the response from the Authentication Agent. 重试请求。Retry the request. 如果仍旧失败,请开具支持票证,获取有关该错误的更多详细信息。If it continues to fail, open a support ticket to get more details on the error.
AADSTS80007AADSTS80007 OnPremisePasswordValidatorErrorOccurredOnPrem - 身份验证代理无法验证用户的密码。OnPremisePasswordValidatorErrorOccurredOnPrem - The Authentication Agent is unable to validate user's password. 检查代理日志以了解更多信息,并验证 Active Directory 是否按预期方式运行。Check the agent logs for more info and verify that Active Directory is operating as expected.
AADSTS80010AADSTS80010 OnPremisePasswordValidationEncryptionException - 身份验证代理无法解密密码。OnPremisePasswordValidationEncryptionException - The Authentication Agent is unable to decrypt password.
AADSTS80012AADSTS80012 OnPremisePasswordValidationAccountLogonInvalidHours - 用户尝试在允许的时间(在 AD 中指定)以外登录。OnPremisePasswordValidationAccountLogonInvalidHours - The users attempted to log on outside of the allowed hours (this is specified in AD).
AADSTS80013AADSTS80013 OnPremisePasswordValidationTimeSkew - 由于运行身份验证代理的计算机与 AD 之间存在时间偏差,身份验证尝试无法完成。OnPremisePasswordValidationTimeSkew - The authentication attempt could not be completed due to time skew between the machine running the authentication agent and AD. 解决时间同步问题。Fix time sync issues.
AADSTS81004AADSTS81004 DesktopSsoIdentityInTicketIsNotAuthenticated - Kerberos 身份验证尝试失败。DesktopSsoIdentityInTicketIsNotAuthenticated - Kerberos authentication attempt failed.
AADSTS81005AADSTS81005 DesktopSsoAuthenticationPackageNotSupported - 不支持该身份验证包。DesktopSsoAuthenticationPackageNotSupported - The authentication package is not supported.
AADSTS81006AADSTS81006 DesktopSsoNoAuthorizationHeader - 找不到授权标头。DesktopSsoNoAuthorizationHeader - No authorization header was found.
AADSTS81007AADSTS81007 DesktopSsoTenantIsNotOptIn - 未为租户启用无缝 SSO。DesktopSsoTenantIsNotOptIn - The tenant is not enabled for Seamless SSO.
AADSTS81009AADSTS81009 DesktopSsoAuthorizationHeaderValueWithBadFormat - 无法验证用户的 Kerberos 票证。DesktopSsoAuthorizationHeaderValueWithBadFormat - Unable to validate user's Kerberos ticket.
AADSTS81010AADSTS81010 DesktopSsoAuthTokenInvalid - 由于用户的 Kerberos 票证已过期或无效,无缝 SSO 失败。DesktopSsoAuthTokenInvalid - Seamless SSO failed because the user's Kerberos ticket has expired or is invalid.
AADSTS81011AADSTS81011 DesktopSsoLookupUserBySidFailed - 无法根据用户的 Kerberos 票证中的信息找到用户对象。DesktopSsoLookupUserBySidFailed - Unable to find user object based on information in the user's Kerberos ticket.
AADSTS81012AADSTS81012 DesktopSsoMismatchBetweenTokenUpnAndChosenUpn - 尝试登录到 Azure AD 的用户不同于已登录到设备的用户。DesktopSsoMismatchBetweenTokenUpnAndChosenUpn - The user trying to sign in to Azure AD is different from the user signed into the device.
AADSTS90002AADSTS90002 InvalidTenantName - 在数据存储中找不到该租户名称。InvalidTenantName - The tenant name wasn't found in the data store. 请确保租户 ID 正确。Check to make sure you have the correct tenant ID.
AADSTS90004AADSTS90004 InvalidRequestFormat - 请求格式不正确。InvalidRequestFormat - The request is not properly formatted.
AADSTS90005AADSTS90005 InvalidRequestWithMultipleRequirements - 无法完成请求。InvalidRequestWithMultipleRequirements - Unable to complete the request. 由于不能同时使用标识符和登录提示,请求无效。The request is not valid because the identifier and login hint can't be used together.
AADSTS90006AADSTS90006 ExternalServerRetryableError - 服务暂时不可用。ExternalServerRetryableError - The service is temporarily unavailable.
AADSTS90007AADSTS90007 InvalidSessionId - 错误的请求。InvalidSessionId - Bad request. 无法分析传递的会话 ID。The passed session ID can't be parsed.
AADSTS90008AADSTS90008 TokenForItselfRequiresGraphPermission - 用户或管理员尚未许可使用该应用程序。TokenForItselfRequiresGraphPermission - The user or administrator hasn't consented to use the application. 最起码,应用程序需要通过指定登录并读取用户个人资料权限来访问 Azure AD。At the minimum, the application requires access to Azure AD by specifying the sign-in and read user profile permission.
AADSTS90009AADSTS90009 TokenForItselfMissingIdenticalAppIdentifier - 应用程序正在请求自身的令牌。TokenForItselfMissingIdenticalAppIdentifier - The application is requesting a token for itself. 仅当指定的资源使用基于 GUID 的应用程序 ID 时,才支持此方案。This scenario is supported only if the resource that's specified is using the GUID-based application ID.
AADSTS90010AADSTS90010 NotSupported - 无法创建该算法。NotSupported - Unable to create the algorithm.
AADSTS90012AADSTS90012 RequestTimeout - 请求超时。RequestTimeout - The requested has timed out.
AADSTS90013AADSTS90013 InvalidUserInput - 用户的输入无效。InvalidUserInput - The input from the user is not valid.
AADSTS90014AADSTS90014 MissingRequiredField - 如果预期的字段在凭据中不存在,则可能会显示此错误代码。MissingRequiredField - This error code may appear in various cases when an expected field is not present in the credential.
AADSTS90015AADSTS90015 QueryStringTooLong - 查询字符串过长。QueryStringTooLong - The query string is too long.
AADSTS90016AADSTS90016 MissingRequiredClaim - 访问令牌无效。MissingRequiredClaim - The access token isn't valid. 缺少必需的声明。The required claim is missing.
AADSTS90019AADSTS90019 MissingTenantRealm - Azure AD 无法确定请求中的租户标识符。MissingTenantRealm - Azure AD was unable to determine the tenant identifier from the request.
AADSTS90022AADSTS90022 AuthenticatedInvalidPrincipalNameFormat - 主体名称格式无效,或者不符合预期的 name[/host][@realm] 格式。AuthenticatedInvalidPrincipalNameFormat - The principal name format is not valid, or does not meet the expected name[/host][@realm] format. 主体名称是必需的,而主机和领域是可选的,可设置为 null。The principal name is required, host and realm are optional and may be set to null.
AADSTS90023AADSTS90023 InvalidRequest - 身份验证服务请求无效。InvalidRequest - The authentication service request is not valid.
AADSTS9002313AADSTS9002313 InvalidRequest - 请求格式错误或无效。InvalidRequest - Request is malformed or invalid. - 这里的问题是对某个终结点的请求出了问题。- The issue here is because there was something wrong with the request to a certain endpoint. 对此问题的建议是获取发生的错误的 fiddler 跟踪,并查看请求的格式是否确实正确。The suggestion to this issue is to get a fiddler trace of the error occurring and looking to see if the request is actually properly formatted or not.
AADSTS90024AADSTS90024 RequestBudgetExceededError - 发生了暂时性错误。RequestBudgetExceededError - A transient error has occurred. 重试。Try again.
AADSTS90033AADSTS90033 MsodsServiceUnavailable - Microsoft Online Directory Service (MSODS) 不可用。MsodsServiceUnavailable - The Microsoft Online Directory Service (MSODS) is not available.
AADSTS90036AADSTS90036 MsodsServiceUnretryableFailure - MSODS 托管的 WCF 服务发生意外的不可重试错误。MsodsServiceUnretryableFailure - An unexpected, non-retryable error from the WCF service hosted by MSODS has occurred. 开具支持票证,获取有关该错误的更多详细信息。Open a support ticket to get more details on the error.
AADSTS90038AADSTS90038 NationalCloudTenantRedirection - 指定的租户“Y”属于国家/地区云“X”。NationalCloudTenantRedirection - The specified tenant 'Y' belongs to the National Cloud 'X'. 当前云实例“Z”未与 X 联合。返回了云重定向错误。Current cloud instance 'Z' does not federate with X. A cloud redirect error is returned.
AADSTS90043AADSTS90043 NationalCloudAuthCodeRedirection - 已禁用该功能。NationalCloudAuthCodeRedirection - The feature is disabled.
AADSTS90051AADSTS90051 InvalidNationalCloudId - 国家云标识符包含无效的云标识符。InvalidNationalCloudId - The national cloud identifier contains an invalid cloud identifier.
AADSTS90055AADSTS90055 TenantThrottlingError - 传入的请求过多。TenantThrottlingError - There are too many incoming requests. 此异常是针对阻止的租户引发的。This exception is thrown for blocked tenants.
AADSTS90056AADSTS90056 BadResourceRequest - 若要兑换访问令牌的代码,应用应该向 /token 终结点发送 POST 请求。BadResourceRequest - To redeem the code for an access token, the app should send a POST request to the /token endpoint. 另外,在此之前,应该提供授权代码,并在发往 /token 终结点的 POST 请求中发送此代码。Also, prior to this, you should provide an authorization code and send it in the POST request to the /token endpoint. 有关 OAuth 2.0 授权代码流的概述,请参阅此文:../azuread-dev/v1-protocols-oauth-code.mdRefer to this article for an overview of OAuth 2.0 authorization code flow: ../azuread-dev/v1-protocols-oauth-code.md. 将用户定向到 /authorize 终结点,该终结点会返回 authorization_code。Direct the user to the /authorize endpoint, which will return an authorization_code. 通过向 /token 终结点发布请求,用户可以获取访问令牌。By posting a request to the /token endpoint, the user gets the access token. 在 Azure 门户中登录,并检查“应用注册”>“终结点”以确认是否正确配置了两个终结点。Log in the Azure portal, and check App registrations > Endpoints to confirm that the two endpoints were configured correctly.
AADSTS90072AADSTS90072 PassThroughUserMfaError - 用户登录时所用的外部帐户在其登录到的租户中不存在;因此,该用户无法满足该租户的 MFA 要求。PassThroughUserMfaError - The external account that the user signs in with doesn't exist on the tenant that they signed into; so the user can't satisfy the MFA requirements for the tenant. 如果用户已同步,但是 Active Directory 和 Azure AD 之间的 ImmutableID (sourceAnchor) 属性不匹配,也可能会发生此错误。This error also might occur if the users are synced, but there is a mismatch in the ImmutableID (sourceAnchor) attribute between Active Directory and Azure AD. 必须先将该帐户作为外部用户添加到该租户中。The account must be added as an external user in the tenant first. 请注销并使用其他 Azure AD 用户帐户登录。Sign out and sign in with a different Azure AD user account.
AADSTS90081AADSTS90081 OrgIdWsFederationMessageInvalid - 服务尝试处理 WS 联合身份验证消息时出错。OrgIdWsFederationMessageInvalid - An error occurred when the service tried to process a WS-Federation message. 消息无效。The message is not valid.
AADSTS90082AADSTS90082 OrgIdWsFederationNotSupported - 目前不支持对该请求使用所选的身份验证策略。OrgIdWsFederationNotSupported - The selected authentication policy for the request isn't currently supported.
AADSTS90084AADSTS90084 OrgIdWsFederationGuestNotAllowed - 此站点不允许来宾帐户。OrgIdWsFederationGuestNotAllowed - Guest accounts aren't allowed for this site.
AADSTS90085AADSTS90085 OrgIdWsFederationSltRedemptionFailed - 由于尚未预配公司对象,服务无法颁发令牌。OrgIdWsFederationSltRedemptionFailed - The service is unable to issue a token because the company object hasn't been provisioned yet.
AADSTS90086AADSTS90086 OrgIdWsTrustDaTokenExpired - 用户 DA 令牌已过期。OrgIdWsTrustDaTokenExpired - The user DA token is expired.
AADSTS90087AADSTS90087 OrgIdWsFederationMessageCreationFromUriFailed - 从 URI 创建 WS 联合身份验证消息时出错。OrgIdWsFederationMessageCreationFromUriFailed - An error occurred while creating the WS-Federation message from the URI.
AADSTS90090AADSTS90090 GraphRetryableError - 服务暂时不可用。GraphRetryableError - The service is temporarily unavailable.
AADSTS90091AADSTS90091 GraphServiceUnreachableGraphServiceUnreachable
AADSTS90092AADSTS90092 GraphNonRetryableErrorGraphNonRetryableError
AADSTS90093AADSTS90093 GraphUserUnauthorized - Graph 返回了针对请求的禁止访问错误代码。GraphUserUnauthorized - Graph returned with a forbidden error code for the request.
AADSTS90094AADSTS90094 AdminConsentRequired - 需要管理员许可。AdminConsentRequired - Administrator consent is required.
AADSTS900382AADSTS900382 跨云请求不支持机密客户端。Confidential Client is not supported in Cross Cloud request.
AADSTS90099AADSTS90099 应用程序“{appId}”({appName}) 未在租户“{tenant}”中获得授权。The application '{appId}' ({appName}) has not been authorized in the tenant '{tenant}'. 应用程序必须获得访问客户租户的授权,然后合作伙伴委托的管理员才能使用应用程序。Applications must be authorized to access the customer tenant before partner delegated administrators can use them. 若要为应用程序授权,请提供预先许可或执行相应的合作伙伴中心 API。Provide pre-consent or execute the appropriate Partner Center API to authorize the application.
AADSTS90100AADSTS90100 InvalidRequestParameter - 参数为空或无效。InvalidRequestParameter - The parameter is empty or not valid.
AADSTS901002AADSTS901002 AADSTS901002:不支持“resource”请求参数。AADSTS901002: The 'resource' request parameter is not supported.
AADSTS90101AADSTS90101 InvalidEmailAddress - 提供的数据不是有效的电子邮件地址。InvalidEmailAddress - The supplied data isn't a valid email address. 电子邮件地址必须采用 someone@example.com 格式。The email address must be in the format someone@example.com.
AADSTS90102AADSTS90102 InvalidUriParameter - 值必须是有效的绝对 URI。InvalidUriParameter - The value must be a valid absolute URI.
AADSTS90107AADSTS90107 InvalidXml - 请求无效。InvalidXml - The request is not valid. 请确保数据不包含无效字符。Make sure your data doesn't have invalid characters.
AADSTS90114AADSTS90114 InvalidExpiryDate - 批量令牌过期时间戳会导致颁发过期的令牌。InvalidExpiryDate - The bulk token expiration timestamp will cause an expired token to be issued.
AADSTS90117AADSTS90117 InvalidRequestInputInvalidRequestInput
AADSTS90119AADSTS90119 InvalidUserCode - 用户代码为 null 或为空。InvalidUserCode - The user code is null or empty.
AADSTS90120AADSTS90120 InvalidDeviceFlowRequest - 请求已获授权或被拒绝。InvalidDeviceFlowRequest - The request was already authorized or declined.
AADSTS90121AADSTS90121 InvalidEmptyRequest - 无效的空请求。InvalidEmptyRequest - Invalid empty request.
AADSTS90123AADSTS90123 IdentityProviderAccessDenied - 由于标识或声明颁发提供者拒绝了请求,无法颁发该令牌。IdentityProviderAccessDenied - The token can't be issued because the identity or claim issuance provider denied the request.
AADSTS90124AADSTS90124 V1ResourceV2GlobalEndpointNotSupported - /common/consumers 终结点不支持该资源。V1ResourceV2GlobalEndpointNotSupported - The resource is not supported over the /common or /consumers endpoints. 请改用 /organizations 或特定于租户的终结点。Use the /organizations or tenant-specific endpoint instead.
AADSTS90125AADSTS90125 DebugModeEnrollTenantNotFound - 用户不在系统中。DebugModeEnrollTenantNotFound - The user isn't in the system. 请务必正确输入用户名。Make sure you entered the user name correctly.
AADSTS90126AADSTS90126 DebugModeEnrollTenantNotInferred - 此终结点不支持该用户类型。DebugModeEnrollTenantNotInferred - The user type is not supported on this endpoint. 系统无法从用户名推断用户的租户。The system can't infer the user's tenant from the user name.
AADSTS90130AADSTS90130 NonConvergedAppV2GlobalEndpointNotSupported - /common/consumers 终结点不支持该应用程序。NonConvergedAppV2GlobalEndpointNotSupported - The application is not supported over the /common or /consumers endpoints. 请改用 /organizations 或特定于租户的终结点。Use the /organizations or tenant-specific endpoint instead.
AADSTS120000AADSTS120000 PasswordChangeIncorrectCurrentPasswordPasswordChangeIncorrectCurrentPassword
AADSTS120002AADSTS120002 PasswordChangeInvalidNewPasswordWeakPasswordChangeInvalidNewPasswordWeak
AADSTS120003AADSTS120003 PasswordChangeInvalidNewPasswordContainsMemberNamePasswordChangeInvalidNewPasswordContainsMemberName
AADSTS120004AADSTS120004 PasswordChangeOnPremComplexityPasswordChangeOnPremComplexity
AADSTS120005AADSTS120005 PasswordChangeOnPremSuccessCloudFailPasswordChangeOnPremSuccessCloudFail
AADSTS120008AADSTS120008 PasswordChangeAsyncJobStateTerminated - 发生了不可重试的错误。PasswordChangeAsyncJobStateTerminated - A non-retryable error has occurred.
AADSTS120011AADSTS120011 PasswordChangeAsyncUpnInferenceFailedPasswordChangeAsyncUpnInferenceFailed
AADSTS120012AADSTS120012 PasswordChangeNeedsToHappenOnPremPasswordChangeNeedsToHappenOnPrem
AADSTS120013AADSTS120013 PasswordChangeOnPremisesConnectivityFailurePasswordChangeOnPremisesConnectivityFailure
AADSTS120014AADSTS120014 PasswordChangeOnPremUserAccountLockedOutOrDisabledPasswordChangeOnPremUserAccountLockedOutOrDisabled
AADSTS120015AADSTS120015 PasswordChangeADAdminActionRequiredPasswordChangeADAdminActionRequired
AADSTS120016AADSTS120016 PasswordChangeUserNotFoundBySsprPasswordChangeUserNotFoundBySspr
AADSTS120018AADSTS120018 PasswordChangePasswordDoesnotComplyFuzzyPolicyPasswordChangePasswordDoesnotComplyFuzzyPolicy
AADSTS120020AADSTS120020 PasswordChangeFailurePasswordChangeFailure
AADSTS120021AADSTS120021 PartnerServiceSsprInternalServiceErrorPartnerServiceSsprInternalServiceError
AADSTS130004AADSTS130004 NgcKeyNotFound - 未为用户主体配置 NGC ID 密钥。NgcKeyNotFound - The user principal doesn't have the NGC ID key configured.
AADSTS130005AADSTS130005 NgcInvalidSignature - NGC 密钥签名验证失败。NgcInvalidSignature - NGC key signature verified failed.
AADSTS130006AADSTS130006 NgcTransportKeyNotFound - 设备上未配置 NGC 传输密钥。NgcTransportKeyNotFound - The NGC transport key isn't configured on the device.
AADSTS130007AADSTS130007 NgcDeviceIsDisabled - 设备已禁用。NgcDeviceIsDisabled - The device is disabled.
AADSTS130008AADSTS130008 NgcDeviceIsNotFound - 找不到 NGC 密钥引用的设备。NgcDeviceIsNotFound - The device referenced by the NGC key wasn't found.
AADSTS135010AADSTS135010 KeyNotFoundKeyNotFound
AADSTS140000AADSTS140000 InvalidRequestNonce - 未提供请求 nonce。InvalidRequestNonce - Request nonce is not provided.
AADSTS140001AADSTS140001 InvalidSessionKey - 会话密钥无效。InvalidSessionKey - The session key is not valid.
AADSTS165900AADSTS165900 InvalidApiRequest - 请求无效。InvalidApiRequest - Invalid request.
AADSTS220450AADSTS220450 UnsupportedAndroidWebViewVersion - 不支持 Chrome WebView 版本。UnsupportedAndroidWebViewVersion - The Chrome WebView version is not supported.
AADSTS220501AADSTS220501 InvalidCrlDownloadInvalidCrlDownload
AADSTS221000AADSTS221000 DeviceOnlyTokensNotSupportedByResource - 资源未配置为接受仅限设备的令牌。DeviceOnlyTokensNotSupportedByResource - The resource is not configured to accept device-only tokens.
AADSTS240001AADSTS240001 BulkAADJTokenUnauthorized - 未授权用户在 Azure AD 中注册设备。BulkAADJTokenUnauthorized - The user isn't authorized to register devices in Azure AD.
AADSTS240002AADSTS240002 RequiredClaimIsMissing - 无法将 id_token 用作 urn:ietf:params:oauth:grant-type:jwt-bearer 授予。RequiredClaimIsMissing - The id_token can't be used as urn:ietf:params:oauth:grant-type:jwt-bearer grant.
AADSTS530032AADSTS530032 BlockedByConditionalAccessOnSecurityPolicy - 租户管理员已配置了阻止此请求的安全策略。BlockedByConditionalAccessOnSecurityPolicy - The tenant admin has configured a security policy that blocks this request. 检查在租户级别定义的安全策略来确定你的请求是否满足策略要求。Check the security policies that are defined on the tenant level to determine if your request meets the policy requirements.
AADSTS700016AADSTS700016 UnauthorizedClient_DoesNotMatchRequest - 应用程序中找不到目录/租户。UnauthorizedClient_DoesNotMatchRequest - The application wasn't found in the directory/tenant. 如果应用程序尚未由租户管理员安装,或者尚未获得租户中的任何用户同意,则可能会发生这种情况。This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. 可能错误配置了应用程序的标识符值,或者将身份验证请求发送到了错误的租户。You might have misconfigured the identifier value for the application or sent your authentication request to the wrong tenant.
AADSTS700020AADSTS700020 InteractionRequired - 访问权限授予需要交互。InteractionRequired - The access grant requires interaction.
AADSTS700022AADSTS700022 InvalidMultipleResourcesScope - 为输入参数范围提供的值无效,因为它包含多个资源。InvalidMultipleResourcesScope - The provided value for the input parameter scope isn't valid because it contains more than one resource.
AADSTS700023AADSTS700023 InvalidResourcelessScope - 请求访问令牌时,为输入参数范围提供的值无效。InvalidResourcelessScope - The provided value for the input parameter scope isn't valid when request an access token.
AADSTS7000215AADSTS7000215 提供的客户端密码无效。Invalid client secret is provided. 开发人员错误 - 应用尝试在没有必需的或正确的身份验证参数的情况下登录。Developer error - the app is attempting to sign in without the necessary or correct authentication parameters.
AADSTS7000222AADSTS7000222 InvalidClientSecretExpiredKeysProvided - 提供的客户端密钥已过期。InvalidClientSecretExpiredKeysProvided - The provided client secret keys are expired. 访问 Azure 门户,为你的应用创建新密钥,或者考虑使用证书凭据提高安全性:/active-directory/develop/active-directory-certificate-credentialsVisit the Azure portal to create new keys for your app, or consider using certificate credentials for added security: /active-directory/develop/active-directory-certificate-credentials
AADSTS700005AADSTS700005 InvalidGrantRedeemAgainstWrongTenant - 提供的授权代码是用于其他租户的,因此已被拒绝。InvalidGrantRedeemAgainstWrongTenant - Provided Authorization Code is intended to use against other tenant, thus rejected. 兑换 OAuth2 授权代码时所针对的租户必须是获取该代码时所针对的租户(根据情况使用 /common 或 {tenant ID} 进行指定)OAuth2 Authorization Code must be redeemed against same tenant it was acquired for (/common or /{tenant-ID} as appropriate)
AADSTS1000000AADSTS1000000 UserNotBoundError - 绑定 API 要求 Azure AD 用户同时使用外部 IDP 进行身份验证,但尚未执行此操作。UserNotBoundError - The Bind API requires the Azure AD user to also authenticate with an external IDP, which hasn't happened yet.
AADSTS1000002AADSTS1000002 BindCompleteInterruptError - 绑定已成功完成,但必须通知用户。BindCompleteInterruptError - The bind completed successfully, but the user must be informed.
AADSTS7000112AADSTS7000112 UnauthorizedClientApplicationDisabled - 应用程序处于禁用状态。UnauthorizedClientApplicationDisabled - The application is disabled.
AADSTS7000114AADSTS7000114 不允许使用应用程序“appIdentifier”进行应用程序代理调用。Application 'appIdentifier' is not allowed to make application on-behalf-of calls.
AADSTS7500529AADSTS7500529 值“SAMLId-Guid”不是有效的 SAML ID - Azure AD 使用此属性填充返回的响应的 InResponseTo 属性。The value ‘SAMLId-Guid’ is not a valid SAML ID - Azure AD uses this attribute to populate the InResponseTo attribute of the returned response. ID 的开头不能是数字,因此常见的策略是在 GUID 的字符串表示形式前面加上类似于“id”的字符串。ID must not begin with a number, so a common strategy is to prepend a string like "id" to the string representation of a GUID. 例如,id6c1c178c166d486687be4aaf5e482730 是有效的 ID。For example, id6c1c178c166d486687be4aaf5e482730 is a valid ID.

后续步骤Next steps