Troubleshooting Azure Active Directory B2B collaboration

Here are some remedies for common problems with Azure Active Directory (Azure AD) B2B collaboration.

I've added an external user but do not see them in my Global Address Book or in the people picker

In cases where external users are not populated in the list, the object might take a few minutes to replicate.

A B2B guest user is not showing up in the SharePoint Online/OneDrive people picker

The ability to search for existing guest users in the SharePoint Online (SPO) people picker is OFF by default to match legacy behavior.

You can enable this feature by using the setting 'ShowPeoplePickerSuggestionsForGuestUsers' at the tenant and site collection level. You can set the feature using the Set-SPOTenant and Set-SPOSite cmdlets, which allow members to search all existing guest users in the directory. Changes in the tenant scope do not affect already provisioned SPO sites.
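The following PowerShell is an added example, not code from the original page or from Microsoft's documentation. It shows the tenant-level and site-level changes described above, including the step that tenant-level settings skip: updating site collections that already exist. The admin-center URL and site URL are placeholders you must replace with your own; the cmdlets and the ShowPeoplePickerSuggestionsForGuestUsers parameter are the real ones from the SharePoint Online Management Shell.

```powershell
# Added example (not from the original page): turn on guest-user suggestions in the
# SharePoint Online people picker at tenant scope and for existing site collections.
# Assumes the SharePoint Online Management Shell module is installed and that the
# URLs below are replaced with your tenant's admin-center and site URLs (placeholders).

$adminUrl = 'https://contoso-admin.sharepoint.com'                # placeholder
$siteUrl  = 'https://contoso.sharepoint.com/sites/PartnerProject' # placeholder

Connect-SPOService -Url $adminUrl

# Record the current tenant-wide value before changing anything, so the change is reviewable
$before = (Get-SPOTenant).ShowPeoplePickerSuggestionsForGuestUsers
"Tenant-wide ShowPeoplePickerSuggestionsForGuestUsers before change: $before"

# Tenant scope: only site collections provisioned after this point inherit the new value
Set-SPOTenant -ShowPeoplePickerSuggestionsForGuestUsers $true

# Site collections that already exist must be updated individually
Set-SPOSite -Identity $siteUrl -ShowPeoplePickerSuggestionsForGuestUsers $true

# Verify the site-level value actually took effect (-Detailed returns the full property set)
(Get-SPOSite -Identity $siteUrl -Detailed).ShowPeoplePickerSuggestionsForGuestUsers

# Optional: apply the same setting to every existing site collection. Because this makes
# all existing guests discoverable in those sites, review the list before running it.
# Get-SPOSite -Limit All | ForEach-Object {
#     Set-SPOSite -Identity $_.Url -ShowPeoplePickerSuggestionsForGuestUsers $true
# }
```

Because the setting only widens which accounts members can find, it does not grant those guests any new permissions; sharing to a guest is still governed by the site's own sharing settings.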

Invitations have been disabled for the directory

If you are notified that you do not have permissions to invite users, verify that your user account is authorized to invite external users under Azure Active Directory > User settings > External users > Manage external collaboration settings:

Screenshot showing the External users settings

If you have recently modified these settings or assigned the Guest Inviter role to a user, there might be a 15-60 minute delay before the changes take effect.

The user that I invited is receiving an error during redemption

Common errors include:

Invitee's Admin has disallowed EmailVerified Users from being created in their tenant

This happens when inviting users whose organization is using Azure Active Directory, but where the specific user's account does not exist (for example, the user does not exist in Azure AD contoso.com). The administrator of contoso.com may have a policy in place preventing users from being created. The user must check with their admin to determine if external users are allowed. The external user's admin may need to allow Email Verified users in their domain (see this article on allowing Email Verified Users).

Error stating that the tenant does not allow email verified users

External user does not exist already in a federated domain

If you are using federation authentication and the user does not already exist in Azure Active Directory, the user cannot be invited.

To resolve this issue, the external user's admin must synchronize the user's account to Azure Active Directory.

How does '#', which is not normally a valid character, sync with Azure AD?

'#' is a reserved character in UPNs for Azure AD B2B collaboration or external users, because the invited account user@contoso.com becomes user_contoso.com#EXT#@fabrikam.partner.onmschina.cn. Therefore, users whose on-premises UPN contains '#' are not allowed to sign in to the Azure portal.
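The following PowerShell is an added example, not code from the original page. It does two things a practitioner would want at this point: it reproduces the UPN rewrite described above (so you can predict what an invited address will look like in your tenant), and it finds on-premises Active Directory accounts whose UPN already contains '#' and would therefore be unable to sign in to the Azure portal after synchronization. The function name ConvertTo-B2BUpn, the CSV path, and the tenant domain are assumptions for illustration; Get-ADUser is the real RSAT cmdlet.

```powershell
# Added example (not from the original page).
# Part 1: predict the external UPN that Azure AD B2B assigns to an invited address.
# The rewrite rule (local@domain -> local_domain#EXT#@<resource tenant domain>) is the one
# the page describes; the function name and tenant domain are illustrative assumptions.
function ConvertTo-B2BUpn {
    param(
        [Parameter(Mandatory)] [string] $InvitedAddress,   # e.g. user@contoso.com
        [Parameter(Mandatory)] [string] $ResourceTenantDomain  # e.g. fabrikam.partner.onmschina.cn
    )
    $local, $domain = $InvitedAddress -split '@', 2
    if (-not $domain) { throw "Expected an address of the form local@domain: $InvitedAddress" }
    return ('{0}_{1}#EXT#@{2}' -f $local, $domain, $ResourceTenantDomain)
}

# Expected: user_contoso.com#EXT#@fabrikam.partner.onmschina.cn
ConvertTo-B2BUpn -InvitedAddress 'user@contoso.com' -ResourceTenantDomain 'fabrikam.partner.onmschina.cn'

# Part 2: find on-premises accounts whose UPN contains the reserved '#' character.
# Assumes the ActiveDirectory RSAT module and read access to user objects.
Import-Module ActiveDirectory

$affected = Get-ADUser -Filter 'UserPrincipalName -like "*#*"' -Properties UserPrincipalName, Mail |
    Select-Object SamAccountName, UserPrincipalName, Mail

if ($affected) {
    "Accounts with '#' in their UPN (will not be able to sign in to the Azure portal once synced):"
    $affected | Format-Table -AutoSize
    # Export for a remediation ticket; path is a placeholder
    $affected | Export-Csv -Path .\upn-hash-report.csv -NoTypeInformation
} else {
    "No on-premises UPNs contain '#'."
}
```

Run part 2 before enabling or extending directory synchronization; renaming the affected UPNs on-premises first avoids a class of sign-in failures that are otherwise hard to attribute.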

I receive an error when adding external users to a synchronized group

External users can be added only to "assigned" or "Security" groups and not to groups that are mastered on-premises.

My external user did not receive an email to redeem

The invitee should check with their ISP or spam filter to ensure that the following address is allowed: Invites@microsoft.com

I notice that the custom message does not get included with invitation messages at times

To comply with privacy laws, our APIs do not include custom messages in the email invitation when:

  • The inviter doesn't have an email address in the inviting tenant
  • An app service principal sends the invitation

If this scenario is important to you, you can suppress our API invitation email and send it through the email mechanism of your choice. Consult your organization's legal counsel to make sure any email you send this way also complies with privacy laws.

You receive an "AADSTS65005" error when you try to log in to an Azure resource

A user who has a guest account cannot log on, and is receiving the following error message:

    AADSTS65005: Using application 'AppName' is currently not supported for your organization contoso.com because it is in an unmanaged state. An administrator needs to claim ownership of the company by DNS validation of contoso.com before the application AppName can be provisioned.

The user has an Azure user account in a viral tenant that has been abandoned or is unmanaged. Additionally, there are no global or company administrators in the tenant.

To resolve this problem, you must take over the abandoned tenant. You must also access the internet-facing DNS for the domain suffix in question in order to provide direct evidence that you are in control of the namespace. After the tenant is returned to a managed state, please discuss with the customer whether leaving the users and verified domain name is the best option for their organization.

A guest user with a just-in-time or "viral" tenant is unable to reset their password

If the identity tenant is a just-in-time (JIT) or viral tenant (meaning it's a separate, unmanaged Azure tenant), only the guest user can reset their password. Sometimes an organization will take over management of viral tenants that are created when employees use their work email addresses to sign up for services. After the organization takes over a viral tenant, only an administrator in that organization can reset the user's password or enable SSPR. If necessary, as the inviting organization, you can remove the guest user account from your directory and resend an invitation.

A guest user is unable to use the AzureAD PowerShell V1 module

As of November 18, 2019, guest users in your directory (defined as user accounts where the userType property equals Guest) are blocked from using the AzureAD PowerShell V1 module. Going forward, a user will need to either be a member user (where userType equals Member) or use the AzureAD PowerShell V2 module.
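The following PowerShell is an added example, not code from the original page. It uses the AzureAD (V2) module, which guests are still permitted to use, to check the userType of a specific account and to list every guest in the directory, so you can tell which accounts the V1 block applies to. The UPN is a placeholder; Connect-AzureAD, Get-AzureADUser and the AzureChinaCloud environment name are the real module's.

```powershell
# Added example (not from the original page): identify accounts affected by the
# AzureAD PowerShell V1 block using the V2 module. Assumes the AzureAD module is installed.
Import-Module AzureAD

# The page's example domain is an Azure China (21Vianet) tenant; drop the environment
# parameter for the global cloud.
Connect-AzureAD -AzureEnvironmentName AzureChinaCloud

# Placeholder UPN of the account reporting the problem; external users carry the #EXT# form
$upn  = 'user_contoso.com#EXT#@fabrikam.partner.onmschina.cn'
$user = Get-AzureADUser -ObjectId $upn

if ($user.UserType -eq 'Guest') {
    "$($user.UserPrincipalName) is a Guest: V1 module is blocked, use the AzureAD V2 module."
} else {
    "$($user.UserPrincipalName) is a $($user.UserType): the V1 block does not apply."
}

# Directory-wide view of every guest account, useful for a periodic review of external access
Get-AzureADUser -Filter "userType eq 'Guest'" -All $true |
    Select-Object DisplayName, UserPrincipalName, UserType, CreationType, AccountEnabled |
    Sort-Object DisplayName |
    Format-Table -AutoSize
```

The directory-wide listing is also a cheap periodic control: guests that are no longer needed can be removed from the inviting tenant, which is the remedy the password-reset section above recommends when a guest's home tenant cannot help them.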

Next steps

Get support for B2B collaboration