Troubleshoot Azure AD entitlement management

This article describes some items you should check to help you troubleshoot Azure Active Directory (Azure AD) entitlement management.

Administration

  • If you get an access denied message when configuring entitlement management, and you are a Global administrator, ensure that your directory has an Azure AD Premium P2 (or EMS E5) license.

  • If you get an access denied message when creating or viewing access packages, and you are a member of a Catalog creator group, you must create a catalog before creating your first access package.

Resources

  • Roles for applications are defined by the application itself and are managed in Azure AD. If an application does not have any resource roles, entitlement management assigns users to a Default Access role.

    Note that the Azure portal may also show service principals for services that cannot be selected as applications. In particular, Exchange Online and SharePoint Online are services, not applications that have resource roles in the directory, so they cannot be included in an access package. Instead, use group-based licensing to establish an appropriate license for a user who needs access to those services.

  • For a group to be a resource in an access package, it must be modifiable in Azure AD. Groups that originate in an on-premises Active Directory cannot be assigned as resources because their owner and member attributes cannot be changed in Azure AD. Groups created in Exchange Online as distribution groups cannot be modified in Azure AD either.

  • SharePoint Online document libraries and individual documents cannot be added as resources. Instead, create an Azure AD security group, include that group and a site role in the access package, and in SharePoint Online use that group to control access to the document library or document.

  • If there are users who have already been assigned to a resource that you want to manage with an access package, be sure that those users are assigned to the access package with an appropriate policy. For example, you might want to include a group in an access package that already has users in it. If those users require continued access, they must have an appropriate policy for the access package so that they don't lose their access to the group. You can assign the access package either by asking the users to request the access package containing that resource, or by directly assigning them to the access package. For more information, see Change request and approval settings for an access package.

  • When you remove a member of a team, they are removed from the Microsoft 365 group as well. Removal from the team's chat functionality might be delayed. For more information, see Group membership.

Access packages

  • If you attempt to delete an access package or policy and see an error message that says there are active assignments, but you don't see any users with assignments, check whether any recently deleted users still have assignments. During the 30-day window after a user is deleted, the user account can be restored.
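The check above can be automated rather than done by eye in the portal. The following is an added example (not Microsoft code, not part of this article): it pages through Microsoft Graph with the standard library, then matches the access package's assignments against the tenant's soft-deleted users and reports how much of the 30-day restore window is left for each. The sample assignments and deleted-user records are constructed inline in the shape of the Graph v1.0 `accessPackageAssignment` (with `target.objectId`) and `/directory/deletedItems/microsoft.graph.user` objects; the network helper is not exercised by the sample and needs a real bearer token.

```python
"""Find access package assignments whose target is a soft-deleted user.

Added example, not Microsoft code. Graph collections assumed:
  GET /identityGovernance/entitlementManagement/assignments?$expand=target
      -> accessPackageAssignment objects; target.objectId is the user's id
  GET /directory/deletedItems/microsoft.graph.user
      -> deleted user objects carrying deletedDateTime
The 30-day soft-delete window is the one described in the article.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

RESTORE_WINDOW = timedelta(days=30)


def parse_graph_time(value: str) -> datetime:
    """Graph returns ISO 8601 with a trailing Z; return an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def graph_get_all(url: str, token: str) -> list:
    """Follow @odata.nextLink until the collection is exhausted (stdlib only).
    Not run by the offline sample below; requires a real access token."""
    items = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def assignments_to_deleted_users(assignments, deleted_users, now):
    """One record per assignment whose target is a soft-deleted user, with the
    whole days remaining before the account is purged and can no longer be
    restored (so you know whether to restore or simply wait)."""
    deleted_at = {u["id"]: parse_graph_time(u["deletedDateTime"]) for u in deleted_users}
    hits = []
    for a in assignments:
        uid = a.get("target", {}).get("objectId")
        if uid not in deleted_at:
            continue
        remaining = RESTORE_WINDOW - (now - deleted_at[uid])
        hits.append({
            "assignmentId": a["id"],
            "userId": uid,
            "state": a.get("state"),
            "daysUntilPurge": remaining.days,
        })
    return hits


# --- constructed sample data (not real tenant output) -----------------------
NOW = datetime(2024, 5, 20, 12, 0, tzinfo=timezone.utc)

SAMPLE_ASSIGNMENTS = [
    {"id": "asg-1", "state": "delivered", "target": {"objectId": "user-alice"}},
    {"id": "asg-2", "state": "delivered", "target": {"objectId": "user-bob"}},
    {"id": "asg-3", "state": "delivered", "target": {"objectId": "user-carol"}},
]
SAMPLE_DELETED_USERS = [
    {"id": "user-bob", "deletedDateTime": "2024-05-15T09:30:00Z"},    # deleted 5 days ago
    {"id": "user-carol", "deletedDateTime": "2024-04-22T09:30:00Z"},  # deleted 28 days ago
]

if __name__ == "__main__":
    for hit in assignments_to_deleted_users(SAMPLE_ASSIGNMENTS, SAMPLE_DELETED_USERS, NOW):
        print(hit)
```

Run against a real tenant by replacing the sample lists with `graph_get_all(...)` results for the two endpoints named in the docstring; an assignment with a low `daysUntilPurge` is one where you must decide quickly whether to restore the user (and then remove the assignment cleanly) or let the purge remove it.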

External users

  • When an external user wants to request access to an access package, make sure they are using the My Access portal link for the access package. For more information, see Share link to request an access package.

  • If an external user is unable to request access to an access package or is unable to access resources, be sure to check your settings for external users.

  • If a new external user who has not previously signed in to your directory receives an access package that includes a SharePoint Online site, their access package will show as not fully delivered until their account is provisioned in SharePoint Online. For more information about sharing settings, see Review your SharePoint Online external sharing settings.

Requests

  • When a user wants to request access to an access package, be sure that they are using the My Access portal link for the access package. For more information, see Share link to request an access package.

  • If you open the My Access portal with your browser in in-private or incognito mode, this might conflict with the sign-in behavior. We recommend that you do not use in-private or incognito mode when you visit the My Access portal.

  • When a user who is not yet in your directory signs in to the My Access portal to request an access package, be sure they authenticate using their organizational account. The organizational account can be either an account in the resource directory, or an account in a directory that is included in one of the policies of the access package. If the user's account is not an organizational account, or the directory where they authenticate is not included in a policy, the user will not see the access package. For more information, see Request access to an access package.

  • If a user is blocked from signing in to the resource directory, they will not be able to request access in the My Access portal. Before the user can request access, you must remove the sign-in block from the user's profile. To remove the sign-in block, in the Azure portal, click Azure Active Directory, click Users, click the user, and then click Profile. Edit the Settings section and change Block sign in to No. For more information, see Add or update a user's profile information using Azure Active Directory.

  • In the My Access portal, if a user is both a requestor and an approver, they will not see their own request for an access package on the Approvals page. This behavior is intentional: a user cannot approve their own request. Ensure that the access package they are requesting has additional approvers configured on the policy. For more information, see Change request and approval settings for an access package.

View a request's delivery errors

Prerequisite role: Global administrator, User administrator, Catalog owner, Access package manager or Access package assignment manager

  1. In the Azure portal, click Azure Active Directory and then click Identity Governance.

  2. In the left menu, click Access packages and then open the access package.

  3. Click Requests.

  4. Select the request you want to view.

    If the request has any delivery errors, the request status will be Undelivered or Partially delivered.

    If there are any delivery errors, a count of delivery errors is displayed in the request's detail pane.

  5. Click the count to see all of the request's delivery errors.

Reprocess a request

If an error occurs after a reprocess of an access package request has been triggered, you must wait while the system reprocesses the request. The system retries multiple times over several hours, so you can't force reprocessing during this time.

You can only reprocess a request that has a status of Delivery failed or Partially delivered and that completed less than one week ago. Otherwise, the Reprocess button is grayed out.

(Screenshot: the Reprocess button grayed out)

  • If the error is fixed during the retry window, the request status changes to Delivering. The request is reprocessed without additional action from the user.

  • If the error wasn't fixed during the retry window, the request status may be Delivery failed or Partially delivered. You can then use the Reprocess button. You have seven days to reprocess the request.

Prerequisite role: Global administrator, User administrator, Catalog owner, Access package manager or Access package assignment manager

  1. In the Azure portal, click Azure Active Directory and then click Identity Governance.

  2. In the left menu, click Access packages and then open the access package.

  3. Click Requests.

  4. Click the request you want to reprocess.

  5. In the request details pane, click Reprocess request.

    (Screenshot: reprocessing a failed request)

Cancel a pending request

You can only cancel a pending request that has not yet been delivered or whose delivery has failed. Otherwise, the Cancel button is grayed out.

Prerequisite role: Global administrator, User administrator, Catalog owner, Access package manager or Access package assignment manager

  1. In the Azure portal, click Azure Active Directory and then click Identity Governance.

  2. In the left menu, click Access packages and then open the access package.

  3. Click Requests.

  4. Click the request you want to cancel.

  5. In the request details pane, click Cancel request.
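The three procedures above (viewing delivery errors, reprocessing, cancelling) share one set of eligibility rules, and when you have many stuck requests it is easier to apply them in a script than to open each request in the portal. The following is an added example (not Microsoft code, not part of this article). It classifies request records constructed inline in the shape of Graph v1.0 `accessPackageAssignmentRequest` objects (`id`, `state`, `completedDateTime`) using the rules stated on this page: reprocess only for `deliveryFailed` or `partiallyDelivered` requests completed less than seven days ago; cancel only for requests not yet delivered or whose delivery failed. Two things are assumptions of mine rather than statements of the page: "not yet delivered" is read as the `submitted`, `pendingApproval` and `scheduled` states, and the action URLs are the Graph v1.0 `reprocess` and `cancel` actions as I know them, so confirm them against the Graph reference before issuing real POSTs.

```python
"""Decide which access package assignment requests can be reprocessed or
cancelled, mirroring the portal button rules described in the article.

Added example, not Microsoft code. Request records follow the Graph v1.0
accessPackageAssignmentRequest shape (id, state, completedDateTime).
Assumptions (mine, not the article's): PENDING_STATES is the reading of
"not yet delivered"; the action URLs are the Graph v1.0 request actions.
"""
from datetime import datetime, timedelta, timezone

GRAPH_EM = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement"
REPROCESS_WINDOW = timedelta(days=7)
REPROCESS_STATES = {"deliveryFailed", "partiallyDelivered"}
PENDING_STATES = {"submitted", "pendingApproval", "scheduled"}  # assumption: "not yet delivered"


def parse_graph_time(value):
    """Graph timestamps end in Z; return an aware datetime, or None if absent."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def can_reprocess(request, now):
    """Reprocess is offered only for failed/partial deliveries completed < 7 days ago.
    A request still in 'delivering' is being retried by the service and is never eligible."""
    if request.get("state") not in REPROCESS_STATES:
        return False
    completed = parse_graph_time(request.get("completedDateTime"))
    return completed is not None and now - completed < REPROCESS_WINDOW


def can_cancel(request):
    """Cancel is offered for requests not yet delivered, or whose delivery failed.
    A partially delivered request has delivered something, so it is not cancellable."""
    state = request.get("state")
    return state in PENDING_STATES or state == "deliveryFailed"


def action_url(request_id, action):
    """POST target for the reprocess/cancel action on one request (assumed Graph path)."""
    return f"{GRAPH_EM}/assignmentRequests/{request_id}/{action}"


def triage(requests, now):
    """One row per request: which buttons should be live, and the equivalent Graph POSTs."""
    rows = []
    for r in requests:
        reprocess, cancel = can_reprocess(r, now), can_cancel(r)
        actions = []
        if reprocess:
            actions.append(action_url(r["id"], "reprocess"))
        if cancel:
            actions.append(action_url(r["id"], "cancel"))
        rows.append({"id": r["id"], "state": r["state"],
                     "reprocess": reprocess, "cancel": cancel, "actions": actions})
    return rows


# --- constructed sample data (not real tenant output) -----------------------
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)
SAMPLE_REQUESTS = [
    {"id": "req-1", "state": "deliveryFailed",     "completedDateTime": "2024-05-07T08:00:00Z"},  # 3 days old
    {"id": "req-2", "state": "partiallyDelivered", "completedDateTime": "2024-04-30T08:00:00Z"},  # 9+ days old
    {"id": "req-3", "state": "pendingApproval",    "completedDateTime": None},
    {"id": "req-4", "state": "delivered",          "completedDateTime": "2024-05-09T08:00:00Z"},
    {"id": "req-5", "state": "partiallyDelivered", "completedDateTime": "2024-05-05T08:00:00Z"},  # 4+ days old
    {"id": "req-6", "state": "delivering",         "completedDateTime": None},                     # retries in progress
]

if __name__ == "__main__":
    for row in triage(SAMPLE_REQUESTS, NOW):
        print(row)
```

The `req-2` row is the case administrators most often trip over: the request failed, but more than seven days have passed since it completed, so neither button is available and the user has to submit a new request. `req-6` shows the other waiting case from the Reprocess section: while the service is still retrying, nothing can be forced.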

Multiple policies

  • Entitlement management follows least privilege best practices. When a user requests access to an access package that has multiple applicable policies, entitlement management includes logic to help ensure that stricter or more specific policies are prioritized over generic policies. If a policy is generic, entitlement management might not display it to the requestor, or might automatically select a stricter policy instead.

  • For example, consider an access package with two policies for internal employees, both of which apply to the requestor. The first policy is for specific users, including the requestor. The second policy is for all users in a directory that the requestor is a member of. In this scenario, the first policy is automatically selected for the requestor because it is stricter. The requestor is not given the option to select the second policy.

  • When multiple policies apply, the policy that is automatically selected, or the policies that are displayed to the requestor, is determined by the following priority logic:

    Policy priority   Scope
    P1                Specific users and groups in your directory OR specific connected organizations
    P2                All members in your directory (excluding guests)
    P3                All users in your directory (including guests) OR specific connected organizations
    P4                All configured connected organizations OR all users (all connected organizations + any new external users)

    If any policy is in a higher priority category, the lower priority categories are ignored. For an example of how multiple policies with the same priority are displayed to the requestor, see Select a policy.
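The priority table is easier to reason about as a small model. The following is an added example (not Microsoft code, and not the service's implementation): it encodes the four priority categories, decides which policies apply to a requestor, and keeps only the highest-priority category, which reproduces the behaviour described above (one result is auto-selected, several results are offered as a choice, no result means the user does not see the access package, as the Requests section describes for users from a directory no policy covers). Policy scopes use the Graph `accessPackageAssignmentPolicy.allowedTargetScope` names; the `Requestor` record, the tenant domains and the policies are constructed for illustration. Because the table lists "specific connected organizations" under both P1 and P3, this example treats that scope as P1; that is my assumption, not a statement of the page.

```python
"""Model of the entitlement management policy-priority rule.

Added illustration, not Microsoft code. Scope names follow the Graph
accessPackageAssignmentPolicy.allowedTargetScope enum; Requestor is a
constructed stand-in for what My Access knows about the signed-in user.
Assumption: specificConnectedOrganizationUsers is ranked as P1.
"""
from dataclasses import dataclass
from typing import Optional

# Priority categories from the article's table; lower number wins.
PRIORITY = {
    "specificDirectoryUsers": 1,
    "specificConnectedOrganizationUsers": 1,   # assumption: P1, not P3
    "allMemberUsers": 2,
    "allDirectoryUsers": 3,
    "allConfiguredConnectedOrganizationUsers": 4,
    "allExternalUsers": 4,
}


@dataclass(frozen=True)
class Requestor:
    home_tenant: str                  # domain the user authenticated against
    object_id: Optional[str] = None   # None: no account in the resource directory yet
    user_type: Optional[str] = None   # "Member" or "Guest" once in the directory
    group_ids: frozenset = frozenset()


@dataclass(frozen=True)
class Policy:
    name: str
    scope: str
    targets: frozenset = frozenset()  # user/group ids, or connected-organization ids


def policy_applies(policy, requestor, resource_tenant, connected_orgs):
    """connected_orgs maps a home tenant domain to its connected organization id."""
    s = policy.scope
    in_directory = requestor.object_id is not None
    if s == "specificDirectoryUsers":
        return in_directory and bool(({requestor.object_id} | requestor.group_ids) & policy.targets)
    if s == "specificConnectedOrganizationUsers":
        return connected_orgs.get(requestor.home_tenant) in policy.targets
    if s == "allMemberUsers":
        return in_directory and requestor.user_type == "Member"
    if s == "allDirectoryUsers":
        return in_directory
    if s == "allConfiguredConnectedOrganizationUsers":
        return requestor.home_tenant in connected_orgs
    if s == "allExternalUsers":
        return requestor.home_tenant != resource_tenant
    raise ValueError(f"unknown scope {s}")


def policies_offered(policies, requestor, resource_tenant, connected_orgs):
    """Names of the policies the requestor sees: only the highest-priority
    category among those that apply. One name = auto-selected; several =
    the user chooses; none = the access package is not shown to this user."""
    applicable = [p for p in policies
                  if policy_applies(p, requestor, resource_tenant, connected_orgs)]
    if not applicable:
        return []
    best = min(PRIORITY[p.scope] for p in applicable)
    return [p.name for p in applicable if PRIORITY[p.scope] == best]


# --- constructed sample tenant ----------------------------------------------
RESOURCE_TENANT = "contoso.com"
CONNECTED_ORGS = {"fabrikam.com": "org-fabrikam"}
POLICIES = [
    Policy("Finance team", "specificDirectoryUsers", frozenset({"grp-finance"})),
    Policy("Executives", "specificDirectoryUsers", frozenset({"user-alice"})),
    Policy("All employees", "allMemberUsers"),
    Policy("Everyone in the directory", "allDirectoryUsers"),
    Policy("Fabrikam partners", "specificConnectedOrganizationUsers", frozenset({"org-fabrikam"})),
    Policy("Any external user", "allExternalUsers"),
]

alice = Requestor("contoso.com", "user-alice", "Member", frozenset({"grp-finance"}))
bob = Requestor("contoso.com", "user-bob", "Member")
carol = Requestor("fabrikam.com", "user-carol", "Guest")  # partner guest already in the directory
dan = Requestor("woodgrove.com")                          # external, never signed in here


def demo():
    """Offered policies per sample requestor, keyed by object id (or home tenant if none)."""
    return {who.object_id or who.home_tenant:
            policies_offered(POLICIES, who, RESOURCE_TENANT, CONNECTED_ORGS)
            for who in (alice, bob, carol, dan)}


if __name__ == "__main__":
    for who, offered in demo().items():
        print(f"{who}: {offered or 'access package not visible'}")
```

Alice matches two P1 policies and is offered both; Bob matches P2 and P3 but is only ever shown "All employees"; Carol, a guest from a connected organization, is routed to the P1 partner policy even though the P3 and P4 policies also match; Dan, from a tenant with no connected organization, only qualifies under "Any external user", and if that policy were removed he would not see the access package at all.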

Next steps