登录活动报告错误代码Sign-in activity report error codes

参考用户登录报告提供的信息,可以找到一些问题的答案,例如:With the information provided by the user sign-ins report, you find answers to questions such as:

  • 谁登录到了我的应用程序?Who signed in to my application?
  • 已登录到哪些应用程序?Which applications were signed in to?
  • 哪些登录失败?为什么?Which sign-ins failed and why?

登录失败时,会显示对应于失败的错误代码。When a sign-in fails, you will see an error code corresponding to the failure. 本文列出错误代码和及其说明,以及建议的处理措施(如果适用)。This article lists the error codes and their descriptions, along with a suggested course of action where applicable.

如何才能显示失败的登录?How can I display failed sign-ins?

导航到 Azure 门户中的登录报告Navigate to the Sign-ins report in the Azure portal.

登录活动Sign-in activity

在“登录状态”下拉框中选择“失败”,以筛选报告,显示所有失败的登录。 Filter the report to display all failed sign-ins by selecting Failure from the Sign-in status drop-down box.

登录活动Sign-in activity

从筛选的列表中选择某个项会打开“活动详细信息:登录”边栏选项卡。 Selecting an item from the filtered list opens the Activity Details: Sign-ins blade. 此视图提供有关失败的登录事件的其他信息,包括登录错误代码失败原因This view provides you with additional information about the failed sign-in event, including the sign-in error code and failure reason.

登录活动Sign-in activity

错误代码Error codes

错误Error 说明Description
1600016000 这是内部实现详细信息,而不是错误条件。This is an internal implementation detail and not an error condition. 可以放心地忽略此引用。You can safely ignore this reference.
2000120001 联合标识提供者出现问题。There is an issue with your federated Identity Provider. 请联系 IDP 解决此问题。Contact your IDP to resolve this issue.
2001220012 联合标识提供者出现问题。There is an issue with your federated Identity Provider. 请联系 IDP 解决此问题。Contact your IDP to resolve this issue.
2003320033 联合标识提供者出现问题。There is an issue with your federated Identity Provider. 请联系 IDP 解决此问题。Contact your IDP to resolve this issue.
4000840008 联合标识提供者出现问题。There is an issue with your federated Identity Provider. 请联系 IDP 解决此问题。Contact your IDP to resolve this issue.
4000940009 联合标识提供者出现问题。There is an issue with your federated Identity Provider. 请联系 IDP 解决此问题。Contact your IDP to resolve this issue.
4001440014 联合标识提供者出现问题。There is an issue with your federated Identity Provider. 请联系 IDP 解决此问题。Contact your IDP to resolve this issue.
5000050000 登录服务出现问题。There is an issue with our sign-in service. 开具支持票证以解决此问题。Open a support ticket to resolve this issue.
5000150001 在此租户中找不到服务主体名称。The service principal name was not found in this tenant. 如果在应用程序尚未由租户管理员安装,或者资源主体在目录中找不到或无效,则可能会发生这种情况。This can happen if the application has not been installed by the administrator of the tenant, or if the resource principal was not found in the directory or is invalid.
5000250002 由于租户中的代理访问权限受限,登录失败。Sign-in failed due to restricted proxy access on tenant. 如果这是你自己的租户策略,可以更改受限的租户设置来解决此问题。If it's your own tenant policy, you can change your restricted tenant settings to fix this issue.
5000750007 找不到此应用程序的合作伙伴加密证书。Partner encryption certificate was not found for this application. 请向 Microsoft 开具支持票证以解决此问题。Open a support ticket with Microsoft to get this fixed.
5000850008 SAML 断言在令牌中缺失或配置错误。SAML assertion is missing or misconfigured in the token. 请联系联合提供者。Contact your federation provider.
5001050010 由于未配置令牌受众,应用程序的受众 URI 验证失败。Audience URI validation for the application failed since no token audiences were configured. 请联系应用程序所有者获得解决方法。Contact the application owner for resolution.
5001250012 这是一条通用错误消息,指示身份验证失败。This is a generic error message that indicates that authentication failed. 这可能是请求中的凭据或声明缺失或无效等原因导致的。This can happen for reasons such as missing or invalid credentials or claims in the request. 请确保使用正确的凭据和声明发送请求。Ensure that the request is sent with the correct credentials and claims.
5001350013 多种原因导致断言无效。Assertion is invalid because of various reasons. 例如,令牌颁发者与令牌有效时间范围内的 API 版本不匹配、令牌已过期或格式不正确,或者断言中的刷新令牌不是主要刷新令牌。For instance, the token issuer doesn't match the api version within its valid time range, the token is expired or malformed, or the refresh token in the assertion is not a primary refresh token.
5001750017 证书验证失败,原因如下:Certification validation failed, reasons for the following reasons:
  • 在受信任的证书列表中找不到颁发证书Cannot find issuing certificate in trusted certificates list
  • 找不到所需的 CrlSegmentUnable to find expected CrlSegment
  • 在受信任的证书列表中找不到颁发证书Cannot find issuing certificate in trusted certificates list
  • 在没有对应 CRL 分发点的情况下配置了增量 CRL 分发点Delta CRL distribution point is configured without a corresponding CRL distribution point
  • 由于超时问题,无法检索有效的 CRL 段Unable to retrieve valid CRL segments due to timeout issue
  • 无法下载 CRLUnable to download CRL
请联系租户管理员。Contact the tenant administrator.
5002050020 由于以下原因之一,未对该用户授权。The user is unauthorized for one of the following reasons.
  • 该用户正在尝试在 v1 终结点上使用 MSA 帐户登录The user is attempting to login with an MSA account with the v1 endpoint
  • 租户中不存在该用户。The user doesn't exist in the tenant.
请联系应用程序所有者。Contact the application owner.
5002750027 以下原因导致 JWT 令牌无效:Invalid JWT token due to the following reasons:
  • 不包含 nonce 声明和子声明doesn't contain nonce claim, sub claim
  • 使用者标识符不匹配subject identifier mismatch
  • idToken 声明中存在重复声明duplicate claim in idToken claims
  • 意外的颁发者unexpected issuer
  • 意外的受众unexpected audience
  • 不在有效的时间范围内not within its valid time range
  • 令牌格式不正确token format is not proper
  • 颁发者的外部 ID 令牌未通过签名验证。External ID token from issuer failed signature verification.
请联系应用程序所有者Contact the application owner
5002950029 URI 无效 - 域名包含无效字符。Invalid URI - domain name contains invalid characters. 请联系租户管理员。Contact the tenant administrator.
5003450034 用户在目录中不存在。User does not exist in directory. 请联系租户管理员。Contact your tenant administrator.
5004250042 主体中缺少生成成对标识符所需的盐。The salt required to generate a pairwise identifier is missing in principle. 请联系租户管理员。Contact the tenant administrator.
5004850048 使用者与客户端断言中的颁发者声明不匹配。Subject mismatches Issuer claim in the client assertion. 请联系租户管理员。Contact the tenant administrator.
5005050050 请求格式不正确。Request is malformed. 请联系应用程序所有者。Contact the application owner.
5005350053 帐户已锁定,因为用户尝试使用不正确的用户 ID 或密码登录的次数过多。Account is locked because the user tried to sign in too many times with an incorrect user ID or password.
5005550055 密码无效,输入的密码已过期。Invalid password, entered expired password.
5005650056 密码无效或为 null - 密码在此用户的存储中不存在。Invalid or null password - Password does not exist in store for this user.
5005750057 用户帐户已禁用。User account is disabled. 帐户已被管理员禁用。The account has been disabled by an administrator.
5005850058 应用程序尝试执行无提示登录,而用户无法以无提示方式登录。The application tried to perform a silent sign in and the user could not be silently signed in. 应用程序需要启动交互式流,为用户提供登录选项。The application needs to start an interactive flow giving users an option to sign-in. 请联系应用程序所有者。Contact application owner.
5005950059 用户在目录中不存在。User does not exist in directory. 请联系租户管理员。Contact your tenant administrator.
5006150061 注销请求无效。Sign-out request is invalid. 请联系应用程序所有者。Contact the application owner.
5007250072 用户需注册进行双重身份验证(交互式)。User needs to enroll for two-factor authentication (interactive).
5007450074 用户未通过 MFA 质询。User did not pass the MFA challenge.
5007650076 用户未通过 MFA 质询(非交互式)。User did not pass the MFA challenge (non interactive).
5007950079 用户需要注册双重身份验证(非交互式登录)。User needs to enroll for two factor authentication (non-interactive logins).
5008550085 刷新令牌需要社交 IDP 登录。Refresh token needs social IDP login. 请让用户尝试使用用户名和密码再次登录。Have user try signing-in again with their username and password.
5008950089 流令牌过期 - 身份验证失败。Flow token expired - Authentication failed. 请让用户尝试使用用户名和密码再次登录Have user try signing-in again with their username and password
5009750097 需要执行设备身份验证。Device Authentication Required. 之所以出现此问题,是因为 DeviceId 或DeviceAltSecId 声明为 null,或者与设备标识符对应的设备不存在。This could occur because the DeviceId or DeviceAltSecId claims are null, or if no device corresponding to the device identifier exists.
5009950099 JWT 签名无效。JWT signature is invalid. 请联系应用程序所有者。Contact the application owner.
5010750107 请求的联合领域对象不存在。Requested federation realm object does not exist. 请联系租户管理员。Contact the tenant administrator.
5012050120 JWT 标头有问题。Issue with JWT header. 请联系租户管理员。Contact the tenant administrator.
5012450124 声明转换包含无效的输入参数。Claims Transformation contains invalid input parameter. 请联系租户管理员来更新策略。Contact the tenant administrator to update the policy.
5012550125 由于密码重置或密码注册项,登录已中断。Sign-in was interrupted due to a password reset or password registration entry.
5012650126 用户名或密码无效,或者本地用户名或密码无效。Invalid username or password, or invalid on-premises username or password.
5012750127 用户需要安装中转站应用程序,才能访问此内容。User needs to install a broker application to gain access to this content.
5012850128 域名无效 - 未在请求中找到或提供的任何凭据均未暗示任何租户标识信息。Invalid domain name - No tenant-identifying information found in either the request or implied by any provided credentials.
5012950129 设备未加入工作区 - 需要加入工作区才能注册设备。Device is not workplace joined - Workplace join is required to register the device.
5013050130 无法将声明值解释为已知的身份验证方法。Claim value cannot be interpreted as known auth method.
5013250132 以下原因导致凭据被吊销:Credentials have been revoked due to the following reasons:
  • SSO 项目无效或已过期SSO Artifact is invalid or expired
  • 应用程序的会话不够新Session not fresh enough for application
  • 已发送无提示登录请求,但用户在 Azure AD 中的会话无效或已过期。A silent sign-in request was sent but the user's session with Azure AD is invalid or has expired.
5013350133 会话因过期或最近更改了密码而无效。Session is invalid due to expiration or recent password change.
5013550135 由于存在帐户风险,需要更改密码。Password change is required due to account risk.
5013650136 将 MSA 会话重定向到应用程序 - 检测到单个 MSA 会话。Redirect MSA session to application - Single MSA session detected.
5014050140 此错误是由于用户登录时出现“使我保持登录状态”中断而发生的。This error occurred due to "Keep me signed in" interrupt when the user was signing-in. 开具支持票证并提供相关性 ID、请求 ID 和错误代码,以获取更多详细信息。Open a support ticket with Correlation ID, Request ID, and Error code to get more details.
5014350143 会话不匹配 - 会话无效,由于资源不同,用户租户与域提示不匹配。请使用关联 ID、请求 ID 和错误代码 开具支持票证,以获得更多详细信息。Session mismatch - Session is invalid because user tenant does not match the domain hint due to different resource. Open a support ticket with Correlation ID, Request ID, and Error code to get more details.
5014450144 用户的 Active Directory 密码已过期。User's Active Directory password has expired. 为用户生成新密码,或者让最终用户使用自助重置工具。Generate a new password for the user or have the end user using self-service reset tool.
5014650146 需要为此应用程序配置特定于应用程序的签名密钥。This application is required to be configured with an application-specific signing key. 没有为此应用程序配置签名密钥,或者密钥已过期或尚未生效。It is either not configured with one, or the key has expired or is not yet valid. 请联系应用程序所有者。Contact the application owner.
5014850148 code_verifier 与 PKCE 的授权请求中提供的 code_challenge 不匹配。The code_verifier does not match the code_challenge supplied in the authorization request for PKCE. 请与应用程序开发人员联系。 Contact the application developer.
5015550155 此用户的设备身份验证失败。Device authentication failed for this user.
5015850158 不满足外部安全质询。External security challenge was not satisfied.
5016150161 外部提供程序发送的声明不足,或者向外部提供程序请求的声明缺失。Claims sent by external provider is not sufficient, or missing claim requested to external provider.
5016650166 无法将请求发送到声明提供程序。Failed to send request to claims provider.
5016950169 领域不是当前服务命名空间的已配置领域。The realm is not a configured realm of the current service namespace.
5017250172 外部声明提供程序未获批准。External claims provider is not approved. 请联系租户管理员Contact the tenant administrator
5017350173 需要提供刷新身份验证令牌。Fresh auth token is needed. 让用户使用刷新凭据再次登录。Have the user sign-in again using fresh credentials.
5017750177 直通用户不支持外部质询。External challenge is not supported for passthrough users.
5017850178 直通用户不支持会话控制。Session Control is not supported for passthrough users.
5018050180 需要 Windows 集成身份验证。Windows Integrated authentication is needed. 为租户启用无缝 SSO。Enable the tenant for Seamless SSO.
5020150201 在登录期间应向用户提供附加信息时,将向用户显示此消息提示中断。This message prompt interrupt will be shown to the user during login when additional information should be provided to user.
5100151001 本地安全标识符中不存在域提示 - 本地 UPN。Domain Hint is not present with On-Premises Security Identifier - On-Premises UPN.
5100451004 用户帐户在目录中不存在。User account doesn’t exist in the directory.
5100651006 需要 Windows 集成身份验证。Windows Integrated authentication is needed. 用户已通过声明使用丢失的会话令牌登录。User logged in using session token that is missing via claim. 请求用户重新登录。Request the user to re-login.
5200452004 用户尚未许可 LinkedIn 资源的访问权限。User has not provided consent for access to LinkedIn resources.
5300453004 在访问此内容之前,用户需要完成多重身份验证注册过程。User needs to complete Multi-factor authentication registration process before accessing this content. 用户应注册多重身份验证。User should register for multi-factor authentication.
6500165001 应用程序 X 无权访问应用程序 Y,或者权限已被吊销。Application X doesn't have permission to access application Y or the permission has been revoked. 或者,用户或管理员尚未同意将应用程序与 ID X 配合使用。请发送针对该用户和资源的交互式授权请求。Or The user or administrator has not consented to use the application with ID X. Send an interactive authorization request for this user and resource. 或者,用户或管理员尚未同意将应用程序与 ID X 配合使用。请代表应用 Y向租户管理员发送针对资源 Z的授权请求。Or The user or administrator has not consented to use the application with ID X. Send an authorization request to your tenant admin to act on behalf of the App : Y for Resource : Z.
6500465004 用户拒绝许可该应用的访问权限。User declined to consent to access the app. 让用户重试登录并许可应用Have the user retry the sign-in and consent to the app
7000070000 以下原因导致授权无效:Invalid grant due to the following reasons:
  • 请求的 SAML 2.0 断言包含无效的使用者确认方法Requested SAML 2.0 assertion has invalid Subject Confirmation Method
  • V2 不支持应用 OnBehalfOf 流App OnBehalfOf flow is not supported on V2
  • 未使用会话密钥为主要刷新令牌签名Primary refresh token is not signed with session key
  • 外部刷新令牌无效Invalid external refresh token
  • 获取了其他租户的访问权限授权。The access grant was obtained for a different tenant.
7000170001 在名为 Y 的租户中找不到名为 X 的应用程序。如果标识符为 X 的应用程序尚未由租户管理员安装,或者尚未获得租户中的任何用户同意,则可能会发生这种情况。The application named X was not found in the tenant named Y. This can happen if the application with identifier X has not been installed by the administrator of the tenant or consented to by any user in the tenant. 可能错误配置了应用程序的标识符值,或者将身份验证请求发送到了错误的租户。You might have misconfigured the Identifier value for the application or sent your authentication request to the wrong tenant.
7000270002 应用程序返回了无效的客户端凭据。The application returned invalid client credentials. 请联系应用程序所有者。Contact the application owner.
7000370003 应用程序返回了不受支持的授权类型。The application returned an unsupported grant type. 请联系应用程序所有者。Contact the application owner.
7000470004 应用程序返回了无效的重定向 URI。The application returned an invalid redirect URI. 客户端指定的重定向地址与配置的任何地址或者 OIDC 批准列表中的任何地址都不匹配。The redirect address specified by the client does not match any configured addresses or any addresses on the OIDC approve list. 请联系应用程序所有者。Contact the application owner.
7000570005 由于以下原因,应用程序返回了不受支持的响应类型:The application returned an unsupported response type due to the following reasons:
  • 没有为应用程序启用响应类型“token”response type 'token' is not enabled for the application
  • 响应类型“id_token”需要“OpenID”作用域 - 编码的 wctx 中包含不支持的 OAuth 参数值response type 'id_token' requires the 'OpenID' scope -contains an unsupported OAuth parameter value in the encoded wctx
请联系应用程序所有者。Contact the application owner.
7000770007 请求令牌时,应用程序返回了不受支持的“response_mode”值。The application returned an unsupported value of 'response_mode' when requesting a token. 请联系应用程序所有者。Contact the application owner.
7000870008 提供的授权代码或刷新令牌已过期或已吊销。The provided authorization code or refresh token is expired or has been revoked. 让用户重试登录。Have the user retry signing in.
7001170011 应用程序请求的作用域无效。The scope requested by the application is invalid. 请联系应用程序所有者。Contact the application owner.
7001270012 对 MSA(使用者)用户进行身份验证时发生服务器错误。A server error occurred while authenticating an MSA (consumer) user. 请重试登录,如果问题持续出现,请开具支持票证 Retry the sign-in, and if the issue persists, open a support ticket 
7001870018 由于用户为设备代码流键入了错误的用户代码,验证码无效。Invalid verification code due to User typing in wrong user code for device code flow. 授权未获批准。Authorization is not approved.
7001970019 验证码已过期。Verification code expired. 让用户重试登录。Have the user retry the sign-in.
7003770037 提供了错误的质询响应。Incorrect challenge response provided. 已拒绝远程控制身份验证会话。Remote auth session denied.
7500175001 SAML 消息绑定期间出错。An error occurred during SAML message binding.
7500375003 应用程序返回了与不受支持的绑定相关的错误(无法通过 HTTP POST 以外的绑定发送 SAML 协议响应)。The application returned an error related to unsupported Binding (SAML protocol response cannot be sent via bindings other than HTTP POST). 请联系应用程序所有者。Contact the application owner.
7500575005 Azure AD 不支持应用程序针对单一登录所发送的 SAML 请求。Azure AD doesn’t support the SAML Request sent by the application for Single Sign-on. 请联系应用程序所有者。Contact the application owner.
7500875008 由于 SAML 请求的目标不符合预期,来自应用程序的请求被拒绝。The request from the application was denied since the SAML request had an unexpected destination. 请联系应用程序所有者。Contact the application owner.
7501175011 用户在服务中用于身份验证的身份验证方法与请求的身份验证方法不匹配。Authentication method by which the user authenticated with the service doesn't match requested authentication method. 请联系应用程序所有者。Contact the application owner.
7501675016 SAML2 身份验证请求包含无效的 NameIdPolicy。SAML2 Authentication Request has invalid NameIdPolicy. 请联系应用程序所有者。Contact the application owner.
8000180001 身份验证代理无法连接到 Active Directory。Authentication Agent unable to connect to Active Directory. 请务必在可为用户登录请求提供服务的 DC 建立直接连接的、已加入域的计算机上安装身份验证代理。Make sure the authentication agent is installed on a domain-joined machine that has line of sight to a DC that can serve the user's login request.
8000280002 内部错误。Internal error. 密码验证请求超时。我们无法将身份验证请求发送到内部混合标识服务。Password validation request timed out. We were unable to either send the authentication request to the internal Hybrid Identity Service. 开具支持票证,获取有关该错误的更多详细信息。Open a support ticket to get more details on the error.
8000380003 身份验证代理收到的响应无效。Invalid response received by Authentication Agent. 尝试对本地 Active Directory 进行身份验证时发生未知错误。An unknown error occurred while attempting to authentication against Active Directory on-premises. 开具支持票证,获取有关该错误的更多详细信息。Open a support ticket to get more details on the error.
8000580005 身份验证代理:处理来自身份验证代理的响应时出现未知错误。Authentication Agent: An unknown error occurred while processing the response from the Authentication Agent. 开具支持票证,获取有关该错误的更多详细信息。Open a support ticket to get more details on the error.
8000780007 身份验证代理无法验证用户的密码。Authentication Agent unable to validate user's password.
8001080010 身份验证代理无法解密密码。Authentication Agent unable to decrypt password.
8001180011 身份验证代理无法检索加密密钥。Authentication Agent unable to retrieve encryption key.
8001280012 用户尝试在允许的小时(在 AD 中指定)以外登录。The users attempted to log on outside of the allowed hours (this is specified in AD).
8001380013 由于运行身份验证代理的计算机与 AD 之间存在时间偏差,身份验证尝试无法完成。The authentication attempt could not be completed due to time skew between the machine running the authentication agent and AD. 解决时间同步问题Fix time sync issues
8001480014 身份验证代理超时。开具支持票证并提供错误代码、相关性 ID和日期时间,以获取有关此错误的更多详细信息。Authentication agent timed out. Open a support ticket with the error code, correlation ID, and Datetime to get more details on this error.
8100181001 用户的 Kerberos 票证太大。User's Kerberos ticket is too large. 如果用户处于过多的组中,从而使得 Kerberos 票证包含过多的组成员身份,则可能会出现此问题。This can happen if the user is in too many groups and thus the Kerberos ticket contains too many group memberships. 减少用户的组成员身份,然后重试。Reduce the user's group memberships and try again.
8100581005 身份验证包不受支持。Authentication Package Not Supported.
8100781007 没有为租户启用无缝 SSO。Tenant is not enabled for Seamless SSO.
8101281012 这不是错误条件。This is not an error condition. 它指示尝试登录到 Azure AD 的用户不同于已登录到设备的用户。It indicates that user trying to sign in to Azure AD is different from the user signed into the device. 可以放心地忽略日志中的此代码。You can safely ignore this code in the logs.
9001090010 出于各种原因,不支持该请求。The request is not supported for various reasons. 例如,该请求是使用不受支持的请求方法(仅支持 POST 方法)发出的,或者不支持请求的令牌签名算法。For example, the request is made using an unsupported request method (only POST method is supported) or the token signing algorithm that was requested is not supported. 请与应用程序开发人员联系。Contact the application developer.
9001490014 协议消息的必填字段缺失,请与应用程序所有者联系。A required field for a protocol message was missing, contact the application owner. 如果你是应用程序所有者,请确保具有登录请求所需的所有参数。If you are the application owner, ensure that you have all the necessary parameters for the login request.
9005190051 委派令牌无效。Invalid Delegation Token. 指定的国家云 ID ({cloudId}) 无效。Invalid national Cloud ID ({cloudId}) is specified.
9007290072 该帐户需要先作为外部用户添加到租户中。The account needs to be added as an external user in the tenant first. 注销并使用其他 Azure AD 帐户重新登录。Sign-out and sign-in again with a different Azure AD account.
9009490094 该授权需要管理员权限。The grant requires administrator permissions. 让租户管理员同意此应用程序。Ask your tenant administrator to provide consent for this application.
500021500021 租户受公司代理限制。Tenant is restricted by company proxy. 拒绝访问资源。Denying the resource access.
500121500121 在强身份验证请求期间身份验证失败。Authentication failed during strong authentication request.
500133500133 断言不在其有效时间范围内。The assertion is not within its valid time range. 确保访问令牌在用于用户断言或请求新令牌之前没有过期。Ensure that the access token is not expired before using it for user assertion, or request a new token.
530032530032 被安全策略阻止。Blocked by security policy.
700016700016 在目录“{tenantName}”中找不到标识符为“{appIdentifier}”的应用程序。Application with identifier '{appIdentifier}' was not found in the directory '{tenantName}'. 如果应用程序尚未由租户管理员安装,或者尚未获得租户中的任何用户同意,则可能会发生这种情况。This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. 可能将身份验证请求发送给了错误的租户。You may have sent your authentication request to the wrong tenant.
900432900432 跨云请求不支持机密客户端。Confidential Client is not supported in Cross Cloud request.
70002187000218 请求正文必须包含以下参数:“client_assertion”或“client_secret”。The request body must contain the following parameter: 'client_assertion' or 'client_secret'.

后续步骤Next steps