What is the sign-in diagnostic in Azure AD?

Azure Active Directory (Azure AD) provides you with a flexible security model to control what users can do with managed resources. Access to these resources is controlled not only by who the users are, but also by how they access them. Typically, a flexible model comes with a certain degree of complexity because of the number of configuration options you have. Complexity has the potential to increase the risk of errors.

As an IT admin, you need a solution that gives you insight into the activities in your system. This visibility lets you diagnose and solve problems when they occur. The sign-in diagnostic for Azure AD is an example of such a solution. You can use the diagnostic to analyze what happened during a sign-in attempt and get recommendations for resolving problems without needing to involve Microsoft support.

This article gives you an overview of what the solution does and how you can use it.

Requirements

The sign-in diagnostic is available in all editions of Azure AD.

You must be a global administrator in Azure AD to use it.

How it works

In Azure AD, the response to a sign-in attempt is tied to who signs in and how they access the tenant. For example, an administrator can typically configure all aspects of the tenant when they sign in from the corporate network. But the same user might be blocked when they sign in with the same account from an untrusted network.

Because the system responds to a sign-in attempt with this degree of flexibility, you might end up in scenarios where you need to troubleshoot sign-ins. The sign-in diagnostic is a feature that:

  • Analyzes data from sign-in events.

  • Displays what happened.

  • Provides recommendations for how to resolve problems.

The sign-in diagnostic for Azure AD is designed to enable self-diagnosis of sign-in errors. To complete the diagnostic process, you need to:

Diagram that shows the sign-in diagnostic process.

  1. Define the scope of the sign-in events you care about.

  2. Select the sign-in you want to review.

  3. Review the diagnostic results.

  4. Take action.

Define scope

The goal of this step is to define the scope of the sign-in events to investigate. Your scope is based either on a user or on an identifier (correlationId, requestId), combined with a time range. To narrow down the scope further, you can specify an app name. Azure AD uses the scope information to locate the right events for you.

Select sign-in

Based on your search criteria, Azure AD retrieves all matching sign-in events and presents them in an authentication summary list view.

Partial screenshot that shows the Authentication summary section.

You can customize the columns displayed in this view.

Review diagnostic

For the selected sign-in event, Azure AD provides you with diagnostic results.

Partial screenshot that shows the Diagnostic results section.

These results start with an assessment, which explains in a few sentences what happened. The explanation helps you to understand the behavior of the system.

Next, you get a summary of the related conditional access policies that were applied to the selected sign-in event. The diagnostic results also include recommended remediation steps to resolve your issue. Because it's not always possible to resolve issues without more help, a recommended step might be to open a support ticket.

Take action

At this point, you should have the information you need to fix your issue.

Scenarios

The following scenarios are covered by the sign-in diagnostic:

  • Blocked by conditional access

  • Failed conditional access

  • Multifactor authentication (MFA) from conditional access

  • MFA from other requirements

  • MFA proof up required

  • MFA proof up required (risky sign-in location)

  • Successful sign-in

Blocked by conditional access

In this scenario, a sign-in attempt has been blocked by a conditional access policy.

Screenshot that shows the access configuration with Block access selected.

The diagnostic section for this scenario shows details about the user sign-in event and the applied policies.

Failed conditional access

This scenario is typically the result of a sign-in attempt that failed because the requirements of a conditional access policy weren't satisfied. Common examples are:

Screenshot that shows the access configuration with common policy examples and Grant access selected.

  • Require hybrid Azure AD joined device

  • Require approved client app

  • Require app protection policy

The diagnostic section for this scenario shows details about the user sign-in attempt and the applied policies.

MFA from conditional access

In this scenario, a conditional access policy requires the user to sign in using multifactor authentication.

Screenshot that shows the access configuration with Require multifactor authentication selected.

The diagnostic section for this scenario shows details about the user sign-in attempt and the applied policies.

MFA from other requirements

In this scenario, the multifactor authentication requirement wasn't enforced by a conditional access policy. An example is multifactor authentication configured on a per-user basis.

Screenshot that shows multifactor authentication configured per user.

The intent of this diagnostic scenario is to provide more details about:

  • The source of the multifactor authentication interrupt
  • The result of the client interaction

You can also view all details of the user sign-in attempt.

MFA proof up required

In this scenario, sign-in attempts were interrupted by requests to set up multifactor authentication. This setup is also known as proof up.

Multifactor authentication proof up occurs when a user is required to use multifactor authentication but hasn't configured it yet, or when an administrator has required the user to configure it.

The intent of this diagnostic scenario is to reveal that the multifactor authentication interruption was due to a lack of user configuration. The recommended solution is for the user to complete the proof up.

MFA proof up required (risky sign-in location)

In this scenario, sign-in attempts were interrupted by a request to set up multifactor authentication that came from a risky sign-in location.

The intent of this diagnostic scenario is to reveal that the multifactor authentication interruption was due to a lack of user configuration. The recommended solution is for the user to complete the proof up, specifically from a network location that doesn't appear risky.

For example, if the corporate network is defined as a named location, the user should attempt the proof up from the corporate network instead.

Successful sign-in

In this scenario, sign-in events weren't interrupted by conditional access or multifactor authentication.

This diagnostic scenario provides details about user sign-in events that were expected to be interrupted by conditional access policies or multifactor authentication.

Next steps
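The scope selection from the "Define scope" step and the scenario assessment from "Review diagnostic" and the scenario sections above can be reproduced offline against sign-in log data, which is useful when you want to triage many events at once or keep a record outside the portal. The following Python is an added example; it is not part of this article and not Azure AD's own logic. The record shape follows the Microsoft Graph signIn resource (GET /auditLogs/signIns) and the sample records are constructed. The mapping from record fields to the article's scenarios (conditionalAccessStatus, the Block and Mfa values in enforcedGrantControls, authenticationRequirement) is this example's own heuristic, and treating the signIn id as the portal's Request ID is an assumption. The two proof-up scenarios depend on registration and risk data these records do not carry, so they are not modelled.

```python
from datetime import datetime


# Added example. Records are constructed to look like Microsoft Graph signIn
# objects; every value below is invented for this illustration.
def make_sign_in(rid, upn, when, app, corr, err, ca_status, auth_req, policies):
    return {
        "id": rid,  # assumption: the signIn id is what the portal shows as "Request ID"
        "userPrincipalName": upn, "createdDateTime": when, "appDisplayName": app,
        "correlationId": corr, "status": {"errorCode": err},
        "conditionalAccessStatus": ca_status,  # success | failure | notApplied
        "authenticationRequirement": auth_req,
        "appliedConditionalAccessPolicies": policies,
    }


SAMPLE_SIGN_INS = [
    # blocked outright by a CA policy whose grant control is Block
    make_sign_in("req-1", "alice@contoso.example", "2023-05-01T08:02:11Z", "Outlook",
                 "corr-a", 53003, "failure", "singleFactorAuthentication",
                 [{"displayName": "Block legacy auth", "result": "failure",
                   "enforcedGrantControls": ["Block"]}]),
    # a CA policy applied, but its requirement (compliant device) was not met
    make_sign_in("req-2", "alice@contoso.example", "2023-05-01T09:15:40Z", "Teams",
                 "corr-b", 53000, "failure", "singleFactorAuthentication",
                 [{"displayName": "Require compliant device", "result": "failure",
                   "enforcedGrantControls": ["CompliantDevice"]}]),
    # MFA prompted because a CA policy enforced the Mfa grant control
    make_sign_in("req-3", "bob@contoso.example", "2023-05-01T10:00:05Z", "Azure portal",
                 "corr-c", 0, "success", "multiFactorAuthentication",
                 [{"displayName": "Require MFA for admins", "result": "success",
                   "enforcedGrantControls": ["Mfa"]}]),
    # MFA prompted although no CA policy applied (for example per-user MFA)
    make_sign_in("req-4", "bob@contoso.example", "2023-05-01T10:30:00Z", "Office 365",
                 "corr-d", 0, "notApplied", "multiFactorAuthentication", []),
    # plain successful sign-in, nothing interrupted it
    make_sign_in("req-5", "carol@contoso.example", "2023-05-01T11:45:00Z", "SharePoint",
                 "corr-e", 0, "notApplied", "singleFactorAuthentication", []),
]


def parse_time(iso):
    # Graph timestamps end in "Z"; older Pythons need the explicit offset.
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def select_sign_ins(records, user=None, correlation_id=None, request_id=None,
                    start=None, end=None, app=None):
    """Step 1, define scope: a user or an identifier, a time range and
    optionally an app name. start and end are ISO 8601 strings."""
    out = []
    for r in records:
        if user and r["userPrincipalName"].lower() != user.lower():
            continue
        if correlation_id and r["correlationId"] != correlation_id:
            continue
        if request_id and r["id"] != request_id:
            continue
        when = parse_time(r["createdDateTime"])
        if start and when < parse_time(start):
            continue
        if end and when > parse_time(end):
            continue
        if app and r["appDisplayName"] != app:
            continue
        out.append(r)
    return out


def diagnose(rec):
    """Step 3, assessment: map one sign-in to a scenario from this article and
    list the CA policies that applied. Heuristic of this example only."""
    applied = [p for p in rec["appliedConditionalAccessPolicies"]
               if p["result"] in ("success", "failure")]
    names = [p["displayName"] for p in applied]
    if rec["conditionalAccessStatus"] == "failure":
        if any("Block" in p["enforcedGrantControls"] for p in applied
               if p["result"] == "failure"):
            return {"scenario": "Blocked by conditional access", "policies": names}
        return {"scenario": "Failed conditional access", "policies": names}
    if rec["authenticationRequirement"] == "multiFactorAuthentication":
        if any("Mfa" in p["enforcedGrantControls"] for p in applied):
            return {"scenario": "MFA from conditional access", "policies": names}
        return {"scenario": "MFA from other requirements", "policies": names}
    if rec["status"]["errorCode"] == 0:
        return {"scenario": "Successful sign-in", "policies": names}
    return {"scenario": "Not covered by the sign-in diagnostic", "policies": names}


if __name__ == "__main__":
    scope = select_sign_ins(SAMPLE_SIGN_INS, user="alice@contoso.example",
                            start="2023-05-01T00:00:00Z", end="2023-05-01T23:59:59Z")
    for r in scope:
        print(r["id"], r["appDisplayName"], diagnose(r)["scenario"])
```

Note the ordering in diagnose: a conditional access failure is classified first, then an MFA requirement, and only then is a zero error code treated as a successful sign-in, which matches the article's definition of "Successful sign-in" as a sign-in that was not interrupted by conditional access or multifactor authentication. A failed sign-in that no policy or MFA requirement explains (for example a wrong password) falls through to the final branch, mirroring the fact that the diagnostic covers only the listed scenarios.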