Known issues with Managed Identities

This article discusses a couple of issues around managed identities and how to address them. Common questions about managed identities are documented in our frequently asked questions article.

VM fails to start after being moved

If you move a VM in a running state from a resource group or subscription, it continues to run during the move. However, if the VM is stopped and restarted after the move, it will fail to start. This issue happens because the VM does not update its reference to the managed identities for Azure resources identity and continues to point to the identity in the old resource group.

Workaround

Trigger an update on the VM so it can get the correct values for the managed identities for Azure resources. Any VM property change updates the reference to the managed identities for Azure resources identity. For example, you can set a new tag value on the VM with the following command:

az vm update -n <VM Name> -g <Resource Group> --set tags.fixVM=1

This command sets a new tag "fixVM" with a value of 1 on the VM.

By setting this property, the VM updates with the correct managed identities for Azure resources resource URI, and you should then be able to start the VM.

Once the VM is started, the tag can be removed with the following command:

az vm update -n <VM Name> -g <Resource Group> --remove tags.fixVM

Transferring a subscription between Azure AD directories

Managed identities do not get updated when a subscription is moved or transferred to another directory. As a result, any existing system-assigned or user-assigned managed identities will be broken.

Workaround for managed identities in a subscription that has been moved to another directory:

  • For system-assigned managed identities: disable and re-enable.
  • For user-assigned managed identities: delete, re-create, and attach them again to the necessary resources (for example, virtual machines).

For more information, see Transfer an Azure subscription to a different Azure AD directory.
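The two workarounds above scripted with the Azure CLI, as an added example that is not part of the original article. It assumes a logged-in Azure CLI; the resource group, VM and identity names are placeholders passed as arguments, and setting AZ=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original article): scripts the two workarounds for
# a subscription moved between Azure AD directories. Assumes a logged-in Azure CLI;
# resource-group, VM and identity names are placeholders passed as arguments.
set -eu

AZ="${AZ:-az}"   # set AZ=echo to dry-run and print the commands instead

# System-assigned identity: disable, then re-enable. The VM receives a brand new
# service principal, so role assignments granted to the old object ID must be
# granted again afterwards.
recycle_system_identity() {
  rg="$1"; vm="$2"
  "$AZ" vm identity remove -g "$rg" -n "$vm" --identities '[system]'
  "$AZ" vm identity assign -g "$rg" -n "$vm"
}

# User-assigned identity: detach from every VM, delete, re-create with the same
# name, and re-attach. The new identity has new client and principal IDs, so
# workloads that pin the old client ID must be updated too.
recreate_user_identity() {
  rg="$1"; name="$2"; shift 2          # remaining arguments: VMs using it
  old_id=$("$AZ" identity show -g "$rg" -n "$name" --query id -o tsv)
  for vm in "$@"; do
    "$AZ" vm identity remove -g "$rg" -n "$vm" --identities "$old_id"
  done
  "$AZ" identity delete -g "$rg" -n "$name"
  new_id=$("$AZ" identity create -g "$rg" -n "$name" --query id -o tsv)
  for vm in "$@"; do
    "$AZ" vm identity assign -g "$rg" -n "$vm" --identities "$new_id"
  done
}

# Usage: ./fix-identities.sh system <rg> <vm>
#        ./fix-identities.sh user <rg> <identity-name> <vm>...
if [ $# -gt 0 ]; then
  mode="$1"; shift
  case "$mode" in
    system) recycle_system_identity "$@" ;;
    user)   recreate_user_identity "$@" ;;
    *) echo "unknown mode: $mode" >&2; exit 2 ;;
  esac
fi
```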

Next steps

You can review our article listing the services that support managed identities and our frequently asked questions.