登录 Microsoft 应用程序时出现的问题Problems signing in to a Microsoft application

用户访问 Microsoft 发布的应用程序的方法主要有三种。There are three main ways that a user can get access to a Microsoft-published application.

  • 对于 Office 365 或其他付费套件中的应用程序,可以通过许可证分配直接向用户的用户帐户授予访问权限,也可以使用基于组的许可证分配功能通过组授予用户访问权限。For applications in the Office 365 or other paid suites, users are granted access through license assignment either directly to their user account, or through a group using our group-based license assignment capability.

  • 对于 Microsoft 或第三方发布的可供任何人免费使用的应用程序,可以通过用户许可授予用户访问权限。For applications that Microsoft or a Third Party publishes freely for anyone to use, users may be granted access through user consent. 这意味着他们使用其 Azure AD 工作或学校帐户登录到应用程序,并允许它访问其帐户上一些受限制的数据集。This means that they sign in to the application with their Azure AD Work or School account and allow it to have access to some limited set of data on their account.

  • 对于 Microsoft 或第三方发布的可供任何人免费使用的应用程序,还可以通过管理员同意授予用户访问权限。For applications that Microsoft or a 3rd party publishes freely for anyone to use, users may also be granted access through administrator consent. 这意味着管理员已确定组织中的所有人都可以使用此应用程序,因此他们使用全局管理员帐户可以登录到应用程序并向组织中所有人授予访问权限。This means that an administrator has determined the application may be used by everyone in the organization, so they sign in to the application with a Global Administrator account and grant access to everyone in the organization.

若要解决问题,请从对于应用程序访问要考虑的常规问题领域开始,并阅读“演练:对 Microsoft 应用程序访问进行故障排除的步骤”了解详细信息。To troubleshoot your issue, start with the General Problem Areas with Application Access to consider and then read the Walkthrough: Steps to troubleshoot Microsoft Application access to get into the details.

对于应用程序访问要考虑的常规问题区域General Problem Areas with Application Access to consider

如果知道从何处着手,以下列表提供了需要深入了解的常规问题领域,但我们建议阅读以下演练以便快速开始操作:演练:对 Microsoft 应用程序访问进行故障排除的步骤。Following is a list of the general problem areas that you can drill into if you have an idea of where to start, but we recommend you read the walkthrough to get going quickly: Walkthrough: Steps to troubleshoot Microsoft Application access.

对 Microsoft 应用程序访问进行故障排除的步骤Steps to troubleshoot Microsoft Application access

下面是当用户无法登录到 Microsoft 应用程序时遇到的一些常见问题。Following are some common issues folks run into when their users cannot sign in to a Microsoft application.

用户帐户问题Problems with the user’s account

由于已分配到应用程序的用户出现问题,应用程序访问可能会遭到阻止。Application access can be blocked due to a problem with a user that is assigned to the application. 下面是可以用来排除和解决用户及其帐户设置存在的问题的一些方法:Following are some ways you can troubleshoot and solve problems with users and their account settings:

检查在 Azure Active Directory 中是否存在用户帐户Check if a user account exists in Azure Active Directory

若要检查是否存在某个用户帐户,请执行以下步骤:To check if a user’s account is present, follow these steps:

  1. 打开 Azure 门户,并以“全局管理员” 身份登录。Open the Azure portal and sign in as a Global Administrator.

  2. 选择 Azure Active Directory 项。select the Azure Active Directory item.

  3. 在导航菜单中单击“用户” 。click Users in the navigation menu.

  4. 单击“所有用户” 。click All users.

  5. 搜索感兴趣的用户,并单击对应的行进行选择。Search for the user you are interested in and click the row to select.

  6. 检查用户对象的属性,确保它们看上去与预期一致并且未丢失任何数据。Check the properties of the user object to be sure that they look as you expect and no data is missing.

检查用户帐户的状态Check a user’s account status

若要检查用户帐户的状态,请执行以下步骤:To check a user’s account status, follow these steps:

  1. 打开 Azure 门户,并以“全局管理员” 身份登录。Open the Azure portal and sign in as a Global Administrator.

  2. 选择 Azure Active Directory 项。select the Azure Active Directory item.

  3. 在导航菜单中单击“用户” 。click Users in the navigation menu.

  4. 单击“所有用户” 。click All users.

  5. 搜索感兴趣的用户,并单击对应的行进行选择。Search for the user you are interested in and click the row to select.

  6. 单击“配置文件” 。click Profile.

  7. 在“设置” 下,确保“阻止登录” 设置为“否” 。Under Settings ensure that Block sign in is set to No.

重置用户的密码Reset a user’s password

若要重置用户的密码,请执行以下步骤:To reset a user’s password, follow these steps:

  1. 打开 Azure 门户,并以“全局管理员” 身份登录。Open the Azure portal and sign in as a Global Administrator.

  2. 选择 Azure Active Directory 项。select the Azure Active Directory item.

  3. 在导航菜单中单击“用户” 。click Users in the navigation menu.

  4. 单击“所有用户” 。click All users.

  5. 搜索感兴趣的用户,并单击对应的行进行选择。Search for the user you are interested in and click the row to select.

  6. 单击用户窗格顶部的“重置密码” 按钮。click the Reset password button at the top of the user pane.

  7. 在出现的“重置密码” 窗格上,单击“重置密码” 按钮。click the Reset password button on the Reset password pane that appears.

  8. 为用户复制临时密码输入新密码Copy the temporary password or enter a new password for the user.

  9. 告知用户此新密码,在他们下一次登录到 Azure Active Directory 时,需要更改此密码。Communicate this new password to the user, they be required to change this password during their next sign in to Azure Active Directory.

启用自助服务密码重置Enable self-service password reset

若要启用自助服务密码重置,请执行以下部署步骤:To enable self-service password reset, follow the deployment steps below:

检查用户的多重身份验证状态Check a user’s multi-factor authentication status

若要检查用户的多重身份验证状态,请执行以下步骤:To check a user’s multi-factor authentication status, follow these steps:

  1. 打开 Azure 门户,并以“全局管理员” 身份登录。Open the Azure portal and sign in as a Global Administrator.

  2. 选择 Azure Active Directory 项。select the Azure Active Directory item.

  3. 在导航菜单中单击“用户” 。click Users in the navigation menu.

  4. 单击“所有用户” 。click All users.

  5. 单击窗格顶部的“多重身份验证” 按钮。click the Multi-Factor Authentication button at the top of the pane.

  6. 多重身份验证管理门户加载后,确保位于“用户” 选项卡上。Once the Multi-Factor Authentication Administration portal loads, ensure you are on the Users tab.

  7. 通过搜索、筛选或排序在用户列表中找到用户。Find the user in the list of users by searching, filtering, or sorting.

  8. 从用户列表中选择用户,并根据需要启用禁用强制实施多重身份验证。Select the user from the list of users and Enable, Disable, or Enforce multi-factor authentication as desired.

    • 注意:如果用户处于已强制实施状态,可暂时将其设置为已禁用以允许用户重新登录到其帐户。Note: If a user is in an Enforced state, you may set them to Disabled temporarily to let them back into their account. 一旦他们重新登录到其帐户,便可以再次将其状态更改为已启用来要求他们在下次登录期间重新注册其联系信息。Once they are back in, you can then change their state to Enabled again to require them to re-register their contact information during their next sign in. 此外,也可以按照检查用户的身份验证联系信息中的步骤为其验证或设置此数据。Alternatively, you can follow the steps in the Check a user’s authentication contact info to verify or set this data for them.

检查用户的身份验证联系信息Check a user’s authentication contact info

若要检查用于多重身份验证和密码重置的用户身份验证联系信息,请执行以下步骤:To check a user’s authentication contact info used for Multi-factor authentication and Password Reset, follow these steps:

  1. 打开 Azure 门户,并以“全局管理员” 身份登录。Open the Azure portal and sign in as a Global Administrator.

  2. 选择 Azure Active Directory 项。select the Azure Active Directory item.

  3. 在导航菜单中单击“用户” 。click Users in the navigation menu.

  4. 单击“所有用户” 。click All users.

  5. 搜索感兴趣的用户,并单击对应的行进行选择。Search for the user you are interested in and click the row to select.

  6. 单击“配置文件” 。click Profile.

  7. 向下滚动到“身份验证联系信息” 。Scroll down to Authentication contact info.

  8. 查看为用户注册的数据并根据需要进行更新。Review the data registered for the user and update as needed.

检查用户的组成员身份Check a user’s group memberships

若要检查用户的组成员身份,请执行以下步骤:To check a user’s group memberships, follow these steps:

  1. 打开 Azure 门户,并以“全局管理员” 身份登录。Open the Azure portal and sign in as a Global Administrator.

  2. 选择 Azure Active Directory 项。select the Azure Active Directory item.

  3. 在导航菜单中单击“用户” 。click Users in the navigation menu.

  4. 单击“所有用户” 。click All users.

  5. 搜索感兴趣的用户,并单击对应的行进行选择。Search for the user you are interested in and click the row to select.

  6. 单击“组” 查看用户所属的组。click Groups to see which groups the user is a member of.

检查用户的已分配许可证Check a user’s assigned licenses

若要检查用户的已分配许可证,请执行以下步骤:To check a user’s assigned licenses, follow these steps:

  1. 打开 Azure 门户,并以“全局管理员” 身份登录。Open the Azure portal and sign in as a Global Administrator.

  2. 选择 Azure Active Directory 项。select the Azure Active Directory item.

  3. 在导航菜单中单击“用户” 。click Users in the navigation menu.

  4. 单击“所有用户” 。click All users.

  5. 搜索感兴趣的用户,并单击对应的行进行选择。Search for the user you are interested in and click the row to select.

  6. 单击“许可证” 查看当前已分配给用户的许可证。click Licenses to see which licenses the user currently has assigned.

为用户分配许可证Assign a user a license

若要将许可证分配给用户,请执行以下步骤:To assign a license to a user, follow these steps:

  1. 打开 Azure 门户,并以“全局管理员” 身份登录。Open the Azure portal and sign in as a Global Administrator.

  2. 选择 Azure Active Directory 项。select the Azure Active Directory item.

  3. 在导航菜单中单击“用户” 。click Users in the navigation menu.

  4. 单击“所有用户” 。click All users.

  5. 搜索感兴趣的用户,并单击对应的行进行选择。Search for the user you are interested in and click the row to select.

  6. 单击“许可证” 查看当前已分配给用户的许可证。click Licenses to see which licenses the user currently has assigned.

  7. 单击“分配” 按钮。click the Assign button.

  8. 从可用产品列表中选择一个或多个产品Select one or more products from the list of available products.

  9. 可选单击“分配选项” 项精确分配产品。Optional click the assignment options item to granularly assign products. 完成此操作后,单击“确定” 。Click Ok when this is completed.

  10. 单击“分配” 按钮,将这些许可证分配给此用户。Click the Assign button to assign these licenses to this user.

组问题Problems with groups

由于已分配到应用程序的组出现问题,应用程序访问可能会遭到阻止。Application access can be blocked due to a problem with a group that is assigned to the application. 下面是可以用来进行故障排除并解决组和组成员身份问题的一些方法:Following are some ways you can troubleshoot and solve problems with groups and group memberships:

检查组的成员身份Check a group’s membership

若要检查组的成员身份,请执行以下步骤:To check a group’s membership, follow these steps:

  1. 打开 Azure 门户,并以“全局管理员” 身份登录。Open the Azure portal and sign in as a Global Administrator.

  2. 选择 Azure Active Directory 项。select the Azure Active Directory item.

  3. 在导航菜单中单击“组” 。click Groups in the navigation menu.

  4. 单击“所有组” 。click All groups.

  5. 搜索感兴趣的组,并单击对应的行进行选择。Search for the group you are interested in and click the row to select.

  6. 单击“成员” 查看分配到此组的用户列表。click Members to review the list of users assigned to this group.

检查组的已分配许可证Check a group’s assigned licenses

若要检查组的已分配许可证,请执行以下步骤:To check a group’s assigned licenses, follow these steps:

  1. 打开 Azure 门户,并以“全局管理员” 身份登录。Open the Azure portal and sign in as a Global Administrator.

  2. 选择 Azure Active Directory 项。select the Azure Active Directory item.

  3. 在导航菜单中单击“组” 。click Groups in the navigation menu.

  4. 单击“所有组” 。click All groups.

  5. 搜索感兴趣的组,并单击对应的行进行选择。Search for the group you are interested in and click the row to select.

  6. 单击“许可证” 查看当前已分配给组的许可证。click Licenses to see which licenses the group currently has assigned.

重新处理组的许可证Reprocess a group’s licenses

若要重新处理组的已分配许可证,请执行以下步骤:To reprocess a group’s assigned licenses, follow these steps:

  1. 打开 Azure 门户,并以“全局管理员” 身份登录。Open the Azure portal and sign in as a Global Administrator.

  2. 选择 Azure Active Directory 项。select the Azure Active Directory item.

  3. 在导航菜单中单击“组” 。click Groups in the navigation menu.

  4. 单击“所有组” 。click All groups.

  5. 搜索感兴趣的组,并单击对应的行进行选择。Search for the group you are interested in and click the row to select.

  6. 单击“许可证” 查看当前已分配给组的许可证。click Licenses to see which licenses the group currently has assigned.

  7. 单击“重新处理” 按钮,确保分配给此组成员的许可证是最新许可证。click the Reprocess button to ensure that the licenses assigned to this group’s members are up-to-date. 这可能需要较长时间,具体取决于组的大小和复杂程度。This may take a long time, depending on the size and complexity of the group.

    Note

    要更快地执行此操作,可考虑暂时会许可证直接分配给用户。To do this faster, consider temporarily assigning a license to the user directly. 为用户分配许可证Assign a user a license.

为组分配许可证Assign a group a license

若要将许可证分配给组,请执行以下步骤:To assign a license to a group, follow these steps:

  1. 打开 Azure 门户,并以“全局管理员” 身份登录。Open the Azure portal and sign in as a Global Administrator.

  2. 选择 Azure Active Directory 项。select the Azure Active Directory item.

  3. 在导航菜单中单击“组” 。click Groups in the navigation menu.

  4. 单击“所有组” 。click All groups.

  5. 搜索感兴趣的组,并单击对应的行进行选择。Search for the group you are interested in and click the row to select.

  6. 单击“许可证” 查看当前已分配给组的许可证。click Licenses to see which licenses the group currently has assigned.

  7. 单击“分配” 按钮。click the Assign button.

  8. 从可用产品列表中选择一个或多个产品Select one or more products from the list of available products.

  9. 可选单击“分配选项” 项精确分配产品。Optional click the assignment options item to granularly assign products. 完成此操作后,单击“确定” 。Click Ok when this is completed.

  10. 单击“分配” 按钮,将这些许可证分配给此组。Click the Assign button to assign these licenses to this group. 这可能需要较长时间,具体取决于组的大小和复杂程度。This may take a long time, depending on the size and complexity of the group.

    Note

    要更快地执行此操作,可考虑暂时会许可证直接分配给用户。To do this faster, consider temporarily assigning a license to the user directly. 为用户分配许可证Assign a user a license.

由于相应的权限许可操作并未发生,应用程序访问可能会遭到阻止。Application access can be blocked because the proper permissions consent operation has not occurred. 下面是可以用来进行故障排除并解决应用程序许可问题的一些方法:Following are some ways you can troubleshoot and solve application consent issues:

  • 对于需要权限的任何已启用 Open ID Connect 的应用程序,导航到应用程序的登录屏幕都会面向已登录用户为应用程序执行用户级许可。For any Open ID Connect-enabled application that requests permissions, navigating to the application’s sign in screen performs a user level consent to the application for the signed-in user.

  • 如果要以编程方式执行此操作,请参阅请求单个用户的同意If you wish to do this programmatically, see Requesting individual user consent.

  • 对于仅使用 V1 应用程序模型开发的应用程序,可通过在应用程序的登录 URL 末尾添加“?prompt=admin_consent” 强制执行此管理员级许可。For only applications developed using the V1 application model, you can force this administrator level consent to occur by adding “?prompt=admin_consent” to the end of an application’s sign in URL.

  • 对于使用 V2 应用程序模型开发的任何应用程序,可以按照使用管理员许可终结点的“向目录管理员请求权限” 部分中的说明强制执行此管理员级许可。For any application developed using the V2 application model, you can enforce this administrator-level consent to occur by following the instructions under the Request the permissions from a directory admin section of Using the admin consent endpoint.

  • 对于请求权限的单租户应用程序(如组织内正在开发或组织拥有的应用程序),可以通过以全局管理员”身份登录,并单击“应用程序注册表”->“所有应用程序”-> 选择应用 ->“所需权限” 窗格顶部的“授予权限” 按钮,代表所有用户执行“管理级许可” 操作。For single-tenant applications that request permissions (like those you are developing or own in your organization), you can perform an administrative-level consent operation on behalf of all users by signing in as a Global Administrator and clicking on the Grant permissions button at the top of the Application Registry -> All Applications -> Select an App -> Required Permissions pane.

  • 对于使用 V1 或 V2 应用程序模型开发的任何应用程序,可以按照使用管理员许可终结点的“向目录管理员请求权限” 部分下的说明强制执行此管理员级许可。For any application developed using the V1 or V2 application model, you can enforce this administrator-level consent to occur by following the instructions under the Request the permissions from a directory admin section of Using the admin consent endpoint.

  • 对于请求权限的多租户应用程序(如第三方或 Microsoft 开发的应用程序),可以执行“管理级许可” 操作。For multi-tenant applications that request permissions (like an application a third party, or Microsoft, develops), you can perform an administrative-level consent operation. 以“全局管理员”身份登录,并在“企业应用程序”->“所有应用程序”-> 选择应用 ->“权限” 窗格(即将可用)下单击“授予权限” 按钮。Sign in as a Global Administrator and clicking on the Grant permissions button under the Enterprise Applications -> All Applications -> Select an App -> Permissions pane (available soon).

  • 还可以按照使用管理员许可终结点的“向目录管理员请求权限” 部分下的说明强制执行此管理员级许可。You can also enforce this administrator-level consent to occur by following the instructions under the Request the permissions from a directory admin section of Using the admin consent endpoint.

后续步骤Next steps

使用管理员许可终结点Using the admin consent endpoint