识别和解决 Azure Active Directory 中组的许可证分配问题Identify and resolve license assignment problems for a group in Azure Active Directory

Azure Active Directory (Azure AD) 中基于组的许可引入了处于许可错误状态的用户的概念。Group-based licensing in Azure Active Directory (Azure AD) introduces the concept of users in a licensing error state. 本文说明用户可能会以此状态结束的原因。In this article, we explain the reasons why users might end up in this state.

如果直接将许可证分配给单个用户而不使用基于组的许可,分配操作可能会失败。When you assign licenses directly to individual users, without using group-based licensing, the assignment operation might fail. 例如,对用户系统执行 PowerShell cmdlet Set-MsolUserLicense 时,由于与业务逻辑相关的多个原因,该 cmdlet 可能会失败。For example, when you execute the PowerShell cmdlet Set-MsolUserLicense on a user system, the cmdlet can fail for many reasons that are related to business logic. 例如,可能许可证数量不足,或者两个服务计划之间存在冲突,不能同时分配。For example, there might be an insufficient number of licenses or a conflict between two service plans that can't be assigned at the same time. 将立即向你返回该问题的报告。The problem is immediately reported back to you.

使用基于组的许可时,可能会发生相同的错误,但是在 Azure AD 服务分配许可证时在后台发生这些错误。When you're using group-based licensing, the same errors can occur, but they happen in the background while the Azure AD service is assigning licenses. 由于此原因,这些错误无法立即传达给你。For this reason, the errors can't be communicated to you immediately. 但是,这些错误会记录在用户对象中,并通过管理门户进行报告。Instead, they're recorded on the user object and then reported via the administrative portal. 为用户提供许可证的原始意图永远不会丢失,但以错误状态记录,供以后调查和解决。The original intent to license the user is never lost, but it's recorded in an error state for future investigation and resolution.

查找许可证分配错误Find license assignment errors

在组中查找处于错误状态的用户To find users in an error state in a group

  1. 打开该组的概述页,然后选择“许可证”。Open the group to its overview page and select Licenses. 如果有任何用户处于错误状态,则会显示通知。A notification appears if there are any users in an error state.

    组和错误通知消息

  2. 选择通知以打开所有受影响的用户列表。Select the notification to open a list of all affected users. 可以分别选择每个用户以查看更多详细信息。You can select each user individually to see more details.

    处于组许可错误状态的用户列表

  3. 若要查找包含至少一个错误的所有组,请在“Azure Active Directory”边栏选项卡上,选择“许可证”,再选择“概述”。To find all groups that contain at least one error, on the Azure Active Directory blade select Licenses, and then select Overview. 如果有一些组需要关注,则会显示信息框。An information box is displayed when groups require your attention.

    有关处于错误状态的组的概述和信息

  4. 选中该框可查看具有错误的所有组的列表。Select the box to see a list of all groups with errors. 可以选择每个组以了解更多详细信息。You can select each group for more details.

    包含错误的组的概述和列表

以下部分提供每个潜在问题的说明及其解决方法。The following sections give a description of each potential problem and the way to resolve it.

许可证不足Not enough licenses

问题: 组中指定的某个产品没有足够的可用许可证。Problem: There aren't enough available licenses for one of the products that's specified in the group. 需要为该产品购买更多的许可证,或者释放其他用户或组中未使用的许可证。You need to either purchase more licenses for the product or free up unused licenses from other users or groups.

若要查看可用的许可证数量,请转到“Azure Active Directory” > “许可证” > “所有产品”。To see how many licenses are available, go to Azure Active Directory > Licenses > All products.

若要查看哪些用户和组正在使用许可证,请选择某个产品。To see which users and groups are consuming licenses, select a product. 在“许可的用户”下面,可以看到直接或者通过一个或多个组向其分配许可证的所有用户的列表。Under Licensed users, you see a list of all users who have had licenses assigned directly or via one or more groups. 在“许可的组”下面,可以看到该产品已分配到的所有组。Under Licensed groups, you see all groups that have that products assigned.

PowerShell: PowerShell cmdlet 将此错误报告为 CountViolationPowerShell: PowerShell cmdlets report this error as CountViolation.

冲突的服务计划Conflicting service plans

问题: 组中指定的某个产品包含的服务计划,与已通过不同的产品分配给用户的另一个服务计划相冲突。Problem: One of the products that's specified in the group contains a service plan that conflicts with another service plan that's already assigned to the user via a different product. 某些服务计划已配置为不能作为另一个相关服务计划分配给相同的用户。Some service plans are configured in a way that they can't be assigned to the same user as another, related service plan.

请考虑以下示例。Consider the following example. 为某个用户直接分配了 Office 365 企业版 E1 许可证并启用了所有计划。A user has a license for Office 365 Enterprise E1 assigned directly, with all the plans enabled. 该用户已添加到分配有 Office 365 企业版 E3 产品的组。The user has been added to a group that has the Office 365 Enterprise E3 product assigned to it. E3 产品包含的服务计划不能与 E1 中包含的计划重叠,因此,组许可证分配会失败并显示“冲突的服务计划”错误。The E3 product contains service plans that can't overlap with the plans that are included in E1, so the group license assignment fails with the “Conflicting service plans” error. 在此示例中,冲突的服务计划为:In this example, the conflicting service plans are:

  • SharePoint Online(计划 2)与 SharePoint Online(计划 1)冲突。SharePoint Online (Plan 2) conflicts with SharePoint Online (Plan 1).
  • Exchange Online(计划 2)与 Exchange Online(计划 1)冲突。Exchange Online (Plan 2) conflicts with Exchange Online (Plan 1).

若要解决此冲突,需要禁用两个计划。To solve this conflict, you need to disable two of the plans. 可以禁用直接分配给用户的 E1 许可证。You can disable the E1 license that's directly assigned to the user. 或者,需要修改整个组许可证分配并在 E3 许可证中禁用计划。Or, you need to modify the entire group license assignment and disable the plans in the E3 license. 或者,你可能会决定删除用户的 E1 许可证(如果 E1 许可证在 E3 许可证的上下文中是多余的)。Alternatively, you might decide to remove the E1 license from the user if it's redundant in the context of the E3 license.

有冲突的产品许可证的解决方法始终由管理员决定。The decision about how to resolve conflicting product licenses always belongs to the administrator. Azure AD 不会自动解决许可证冲突。Azure AD doesn't automatically resolve license conflicts.

PowerShell: PowerShell cmdlet 将此错误报告为 MutuallyExclusiveViolationPowerShell: PowerShell cmdlets report this error as MutuallyExclusiveViolation.

其他产品依赖于此许可证Other products depend on this license

问题: 组中指定的某个产品包含的服务计划必须为另一个产品中的另一个服务计划启用才能正常工作。Problem: One of the products that's specified in the group contains a service plan that must be enabled for another service plan, in another product, to function. 当 Azure AD 尝试删除基础服务计划时,将出现此错误。This error occurs when Azure AD attempts to remove the underlying service plan. 例如,从组中删除用户时,可能会发生此错误。For example, this can happen when you remove the user from the group.

若要解决此问题,需确保所需的计划仍通过其他某种方法分配给用户,或者为这些用户禁用了依赖服务。To solve this problem, you need to make sure that the required plan is still assigned to users through some other method or that the dependent services are disabled for those users. 执行这些操作后,可以正确地删除这些用户的组许可证。After doing that, you can properly remove the group license from those users.

PowerShell: PowerShell cmdlet 将此错误报告为 DependencyViolationPowerShell: PowerShell cmdlets report this error as DependencyViolation.

不允许的使用位置Usage location isn't allowed

问题: 由于当地法律和法规方面的原因,某些 Microsoft 服务不能在所有位置使用。Problem: Some Microsoft services aren't available in all locations because of local laws and regulations. 必须先为用户指定“使用位置”属性,才能将许可证分配给用户。Before you can assign a license to a user, you must specify the Usage location property for the user. 可以在 Azure 门户中的“用户” > “配置文件” > “设置”部分下指定位置。You can specify the location under the User > Profile > Settings section in the Azure portal.

当 Azure AD 尝试向使用位置不受支持的用户分配组许可证时,该操作会失败,并且会记录用户发生的此项错误。When Azure AD attempts to assign a group license to a user whose usage location isn't supported, it fails and records an error on the user.

若要解决此问题,请从许可组中删除其位置不受支持的用户。To solve this problem, remove users from unsupported locations from the licensed group. 或者,如果当前使用位置值不代表实际用户位置,可以修改这些值,以便下次可以正常分配许可证(如果新位置受支持)。Alternatively, if the current usage location values don't represent the actual user location, you can modify them so that the licenses are correctly assigned next time (if the new location is supported).

PowerShell: PowerShell cmdlet 将此错误报告为 ProhibitedInUsageLocationViolationPowerShell: PowerShell cmdlets report this error as ProhibitedInUsageLocationViolation.

备注

当 Azure AD 分配组许可证时,任何未指定使用位置的用户将继承目录的位置。When Azure AD assigns group licenses, any users without a specified usage location inherit the location of the directory. 建议管理员在使用基于组的许可之前,先为用户设置正确的使用位置值,以符合当地法律和法规。We recommend that administrators set the correct usage location values on users before using group-based licensing to comply with local laws and regulations.

重复的代理地址Duplicate proxy addresses

如果使用的是 Exchange Online,可能会使用相同的代理地址值错误地配置组织中的某些用户。If you use Exchange Online, some users in your organization might be incorrectly configured with the same proxy address value. 当基于组的许可尝试为此类用户分配许可证时,此操作会失败并显示“代理地址已被使用”。When group-based licensing tries to assign a license to such a user, it fails and shows “Proxy address is already being used”.

提示

若要查看是否有重复的代理地址,请针对 Exchange Online 执行以下 PowerShell cmdlet:To see if there is a duplicate proxy address, execute the following PowerShell cmdlet against Exchange Online:

Get-Recipient -ResultSize unlimited | where {$_.EmailAddresses -match "user@contoso.partner.onmschina.cn"} | fL Name, RecipientType,emailaddresses

有关此问题的详细信息,请参阅 Exchange Online 中的“代理地址已被使用”错误消息For more information about this problem, see "Proxy address is already being used" error message in Exchange Online. 此文还包含有关如何使用远程 PowerShell 连接到 Exchange Online 的信息。The article also includes information on how to connect to Exchange Online by using remote PowerShell.

为受影响的用户解决代理地址问题之后,请确保强制对组进行许可证处理,确保现在可以应用许可证。After you resolve any proxy address problems for the affected users, make sure to force license processing on the group to make sure that the licenses can now be applied.

Azure AD 邮件和 ProxyAddresses 属性更改Azure AD Mail and ProxyAddresses attribute change

问题: 更新用户或组的许可证分配时,可能会看到某些用户的 Azure AD 邮件和 ProxyAddresses 属性已更改。Problem: While updating license assignment on a user or a group, you might see that the Azure AD Mail and ProxyAddresses attribute of some users are changed.

更新用户的许可证分配会导致触发代理地址计算,这可能会更改用户属性。Updating license assignment on a user causes the proxy address calculation to be triggered, which can change user attributes. 若要了解更改的确切原因并解决问题,请参阅这篇关于如何在 Azure AD 中填充 proxyAddresses 属性的文章。To understand the exact reason of the change and solve the problem, see this article on how the proxyAddresses attribute is populated in Azure AD.

审核日志中的 LicenseAssignmentAttributeConcurrencyExceptionLicenseAssignmentAttributeConcurrencyException in audit logs

问题: 用户在审核日志中有针对许可证分配的 LicenseAssignmentAttributeConcurrencyException。Problem: User has LicenseAssignmentAttributeConcurrencyException for license assignment in audit logs. 当基于组的许可尝试处理对某个用户进行的相同许可证的并发许可证分配时,将在该用户上记录此异常。When group-based licensing tries to process concurrent license assignment of same license to a user, this exception is recorded on the user. 当用户是分配有相同许可证的多个组的成员时,通常会发生这种情况。This usually happens when a user is a member of more than one group with same assigned license. Azure AD 将重新尝试处理用户许可证,并解决此问题。Azure AD will retry processing the user license and will resolve the issue. 客户无需执行任何操作即可解决此问题。There is no action required from the customer to fix this issue.

分配给一个组的多个产品许可证More than one product license assigned to a group

可将多个产品许可证分配到一个组。You can assign more than one product license to a group. 例如,可将 Office 365 企业版 E3 和企业移动性 + 安全性分配到某个组,轻松为用户启用所有包含的服务。For example, you can assign Office 365 Enterprise E3 and Enterprise Mobility + Security to a group to easily enable all included services for users.

Azure AD 会尝试将该组中指定的所有许可证分配给每个用户。Azure AD attempts to assign all licenses that are specified in the group to each user. 如果由于业务逻辑问题,Azure AD 无法分配某个产品,则也不会在该组中分配其他许可证。If Azure AD can't assign one of the products because of business logic problems, it won't assign the other licenses in the group either. 例如,所有产品的许可证数量不足,或者与针对用户启用的其他服务冲突。An example is if there aren't enough licenses for all, or if there are conflicts with other services that are enabled on the user.

可以查看无法被分配许可证的用户,并且可以检查哪些产品受此问题的影响。You can see the users who failed to get assigned and check which products are affected by this problem.

删除授权组时When a licensed group is deleted

在删除组之前,必须先删除分配到该组的所有许可证。You must remove all licenses assigned to a group before you can delete the group. 但是,删除组中所有用户的许可证可能比较耗时。However, removing licenses from all the users in the group may take time. 删除组的许可证分配时,如果为用户分配了依赖的许可证,或者某个代理地址冲突问题阻止删除许可证,则删除操作可能失败。While removing license assignments from a group, there can be failures if user has a dependent license assigned or if there is a proxy address conflict issue which prohibits the license removal. 如果用户的某个许可证依赖于删除组时一同删除的许可证,则用户的许可证分配将从继承转换为直接。If a user has a license that is dependent on a license which is being removed due to group deletion, the license assignment to the user is converted from inherited to direct.

例如,假设分配了 Office 365 E3/E5 的某个组启用了 Skype for Business 服务计划。For example, consider a group that has Office 365 E3/E5 assigned with a Skype for Business service plan enabled. 此外,假设直接为组中的几个成员分配了 Audio Conferencing 许可证。Also imagine that a few members of the group have Audio Conferencing licenses assigned directly. 删除该组时,基于组的许可会尝试删除所有用户的 Office 365 E3/E5。When the group is deleted, group-based licensing will try to remove Office 365 E3/E5 from all users. 由于 Audio Conferencing 依赖于 Skype for Business,对于分配了 Audio Conferencing 的所有用户,基于组的许可会将 Office 365 E3/E5 许可证转换为直接许可证分配。Because Audio Conferencing is dependent on Skype for Business, for any users with Audio Conferencing assigned, group-based licensing converts the Office 365 E3/E5 licenses to direct license assignment.

有先决条件的产品管理许可证Manage licenses for products with prerequisites

你拥有的某些 Microsoft Online 产品可能是“附加产品”。Some Microsoft Online products you might own are add-ons. 附加产品要求先为用户或组启用先决服务计划,才能向其分配许可证。Add-ons require a prerequisite service plan to be enabled for a user or a group before they can be assigned a license. 要使用基于组的许可,系统要求先决条件和附加产品服务计划存在于同一组中。With group-based licensing, the system requires that both the prerequisite and add-on service plans be present in the same group. 这是为了确保添加到组的任何用户都能收到功能齐全的产品。This is done to ensure that any users who are added to the group can receive the fully working product. 请考虑以下示例:Let's consider the following example:

Microsoft Workplace Analytics 是一个附加产品。Microsoft Workplace Analytics is an add-on product. 它包含同名单一服务计划。It contains a single service plan with the same name. 仅当同时分配了以下必备产品之一时,才能将此服务计划分配到用户或组:We can only assign this service plan to a user, or group, when one of the following prerequisites is also assigned:

  • Exchange Online(计划 1)Exchange Online (Plan 1)
  • Exchange Online(计划 2)Exchange Online (Plan 2)

如果尝试将此产品本身分配到组,门户将返回通知消息。If we try to assign this product on its own to a group, the portal returns a notification message. 如果选择项详细信息,会显示以下错误消息:If we select the item details, it shows the following error message:

“许可证操作失败。"License operation failed. 添加或删除从属服务前,请确保组具有必要的服务。Make sure that the group has necessary services before adding or removing a dependent service. Microsoft Workplace Analytics 服务还要求启用 Exchange Online(计划 2)。The service Microsoft Workplace Analytics requires Exchange Online (Plan 2) to be enabled as well."

若要将此附加产品许可证分配到组,必须确保该组也包含先决服务计划。To assign this add-on license to a group, we must ensure that the group also contains the prerequisite service plan. 例如,可更新已经包含完整 Office 365 E3 产品的现有组,并向其添加附加产品。For example, we might update an existing group that already contains the full Office 365 E3 product, and then add the add-on product to it.

还可以创建一个独立的组,其中只包含正常运行附加产品所需的最少量产品。It is also possible to create a standalone group that contains only the minimum required products to make the add-on work. 使用该组可以仅向选定的用户授予附加产品的许可证。It can the be used to license only selected users for the add-on product. 根据前面的示例,可以将以下产品分配给同一组:Based on the previous example, you would assign the following products to the same group:

  • Office 365 企业版 E3,仅启用了 Exchange Online(计划 2)服务计划Office 365 Enterprise E3 with only the Exchange Online (Plan 2) service plan enabled
  • Microsoft Workplace AnalyticsMicrosoft Workplace Analytics

从现在起,添加到此组的任何用户都将使用一个 E3 产品许可正和一个 Workplace Analytics 产品许可证。From now on, any users added to this group consume one license of the E3 product and one license of the Workplace Analytics product. 同时,这些用户可以是另一组的成员,为其提供完整的 E3 产品,他们仍只使用该产品的一个许可证。At the same time, those users can be members of another group that gives them the full E3 product, and they still consume only one license for that product.

提示

可为每个先决服务计划创建多个组。You can create multiple groups for each prerequisite service plan. 例如,如果有用户使用 Office 365 Enterprise E1,也有用户 Office 365 Enterprise E3,则可创建两个组来授权 Microsoft Workplace Analytics:一个使用 E1 作为先决条件,另一个使用 E3。For example, if you use both Office 365 Enterprise E1 and Office 365 Enterprise E3 for your users, you can create two groups to license Microsoft Workplace Analytics: one that uses E1 as a prerequisite and the other that uses E3. 这样,不需要额外的许可证,即可将附加产品分发到 E1 和 E3 用户。This lets you distribute the add-on to E1 and E3 users without consuming additional licenses.

强制执行组许可证处理以解决错误Force group license processing to resolve errors

根据解决错误时采取的措施,可能需要手动触发组的处理来更新用户状态。Depending on what steps you've taken to resolve the errors, it might be necessary to manually trigger the processing of a group to update the user state.

例如,如果通过删除用户的直接许可证分配来释放某些许可证,则需要触发以前无法完全为所有用户成员提供许可证的组的处理。For example, if you free up some licenses by removing direct license assignments from users, you need to trigger the processing of groups that previously failed to fully license all user members. 若要重新处理某个组,请转到组窗格,打开“许可证”,并在工具栏中选择“重新处理”按钮。 To reprocess a group, go to the group pane, open Licenses, and then select the Reprocess button on the toolbar.

强制执行用户许可证处理以解决错误Force user license processing to resolve errors

根据解决错误时采取的措施,可能需要手动触发用户的处理来更新用户状态。Depending on what steps you've taken to resolve the errors, it might be necessary to manually trigger the processing of a user to update the users state.

例如,解决受影响用户的重复代理地址问题后,需要触发用户的处理。For example, after you resolve duplicate proxy address problem for an affected user, you need to trigger the processing of the user. 若要重新处理某个用户,请转到用户窗格,打开“许可证”,并在工具栏中选择“重新处理”按钮。 To reprocess a user, go to the user pane, open Licenses, and then select the Reprocess button on the toolbar.

后续步骤Next steps

若要详细了解通过组进行许可证管理的其他方案,请参阅以下部分:To learn more about other scenarios for license management through groups, see the following: