Validate Azure identity

Use the Azure Stack Readiness Checker tool (AzsReadinessChecker) to validate that your Azure Active Directory (Azure AD) is ready to use with Azure Stack. Validate your Azure identity solution before you begin an Azure Stack deployment.

The readiness checker validates:

  • Azure Active Directory (Azure AD) as an identity provider for Azure Stack.
  • The Azure AD account that you plan to use can sign in as a global administrator of your Azure Active Directory.

Validation ensures that your environment is ready for Azure Stack to store information about users, applications, groups, and service principals from Azure Stack in your Azure AD.

Get the readiness checker tool

Download the latest version of the Azure Stack Readiness Checker tool (AzsReadinessChecker) from the PowerShell Gallery.

Prerequisites

The following prerequisites are required:

The computer on which the tool runs:

Azure Active Directory environment:

  • Identify the Azure AD account to use for Azure Stack, and ensure it is an Azure Active Directory global administrator.
  • Identify your Azure AD tenant name. The tenant name must be the primary domain name for your Azure Active Directory; for example, contoso.partner.onmschina.cn.
  • Identify the Azure environment you will use. The supported value for the environment name parameter is AzureChinaCloud.

Steps to validate Azure identity

  1. On a computer that meets the prerequisites, open an elevated PowerShell command prompt, and then run the following command to install AzsReadinessChecker:

    Install-Module Microsoft.AzureStack.ReadinessChecker -Force
    
  2. From the PowerShell prompt, run the following command to set $serviceAdminCredential as the service administrator for your Azure AD tenant. Replace serviceadmin@contoso.partner.onmschina.cn with your account and tenant name:

    $serviceAdminCredential = Get-Credential serviceadmin@contoso.partner.onmschina.cn -Message "Enter credentials for service administrator of Azure Active Directory tenant"
    
  3. From the PowerShell prompt, run the following command to start validation of your Azure AD:

    • Specify the environment name value for AzureEnvironment. The supported value for the environment name parameter is AzureChinaCloud.
    • Replace contoso.partner.onmschina.cn with your Azure Active Directory tenant name.

    Invoke-AzsAzureIdentityValidation -AADServiceAdministrator $serviceAdminCredential -AzureEnvironment <environment name> -AADDirectoryTenantName contoso.partner.onmschina.cn
    
  4. After the tool runs, review the output. Confirm that the status is OK for installation requirements. A successful validation looks like the following:

    Invoke-AzsAzureIdentityValidation v1.1809.1005.1 started.
    Starting Azure Identity Validation
    
    Checking Installation Requirements: OK
    
    Finished Azure Identity Validation
    
    Log location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessChecker.log
    Report location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessCheckerReport.json
    Invoke-AzsAzureIdentityValidation Completed
    
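The four steps above combined into one script, as an added example that is not part of the original page or of the AzsReadinessChecker module itself. It assumes that -OutputPath accepts a directory and that the cmdlet's console lines can be captured with PowerShell stream redirection (*>&1); the tenant and account names are placeholders. Because the tool's own output states that the log and report contain PII, the script also restricts the output directory's ACL to the current user before running the validation.

```powershell
# Added example (not from the original page or the AzsReadinessChecker module):
# run the Azure AD identity validation end to end from an elevated PowerShell
# prompt and keep the PII-bearing report and log in a directory only the
# current user can read.
# Assumptions: -OutputPath accepts a directory; the cmdlet's console output can
# be captured with *>&1. Tenant and account names below are placeholders.

param(
    [string]$TenantName       = 'contoso.partner.onmschina.cn',          # placeholder: your primary domain name
    [string]$ServiceAdmin     = "serviceadmin@$TenantName",             # placeholder: global administrator UPN
    [string]$AzureEnvironment = 'AzureChinaCloud',                       # the supported value on this page
    [string]$OutputPath       = (Join-Path $env:LOCALAPPDATA 'AzsReadiness')  # assumed to be accepted as a directory
)

# Step 1: install the readiness checker (skipped if it is already present).
if (-not (Get-Module -ListAvailable -Name Microsoft.AzureStack.ReadinessChecker)) {
    Install-Module Microsoft.AzureStack.ReadinessChecker -Force
}
Import-Module Microsoft.AzureStack.ReadinessChecker

# The report and log contain PII: create the output directory, drop inherited
# permissions and grant access to the current user only.
New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
icacls $OutputPath /inheritance:r /grant:r "${me}:(OI)(CI)F" | Out-Null

# Step 2: prompt for the service administrator's password; never hard-code it.
$serviceAdminCredential = Get-Credential $ServiceAdmin -Message "Enter credentials for service administrator of Azure Active Directory tenant"

# Step 3: run the validation. -CleanReport drops earlier runs from the JSON
# report so the file handed to the deployment team reflects only this run.
$lines = Invoke-AzsAzureIdentityValidation `
    -AADServiceAdministrator $serviceAdminCredential `
    -AzureEnvironment $AzureEnvironment `
    -AADDirectoryTenantName $TenantName `
    -OutputPath $OutputPath -CleanReport *>&1 | ForEach-Object { "$_" }

# Echo the tool's output for the operator, exactly as the tool printed it.
$lines | Write-Output

# Step 4: gate further deployment work on the status line the tool prints.
if ($lines -match '^\s*Checking Installation Requirements:\s*OK\s*$') {
    Write-Output "Azure AD identity validation passed for $TenantName"
    exit 0
}
Write-Warning "Identity validation did not pass; review the log and report in $OutputPath"
exit 1
```

Run the script from an elevated prompt as the same user who will review the report; the icacls call removes inherited ACEs, so other local accounts (including other administrators' non-elevated sessions) no longer read the PII-bearing files, and the exit code lets a deployment pipeline stop before Azure Stack deployment if the check did not return OK.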

Report and log file

Each time validation runs, it logs results to AzsReadinessChecker.log and AzsReadinessCheckerReport.json. The location of these files is displayed with the validation results in PowerShell.

These files can help you share validation status before you deploy Azure Stack, or investigate validation problems. Both files persist the results of each subsequent validation check. The report gives your deployment team confirmation of the identity configuration. The log file can help your deployment or support team investigate validation issues.

By default, both files are written to C:\Users\<username>\AppData\Local\Temp\AzsReadinessChecker\ (AzsReadinessChecker.log and AzsReadinessCheckerReport.json). As the tool's output states, both files contain PII, so share them accordingly.

  • Use the -OutputPath <path> parameter at the end of the run command line to specify a different report location.
  • Use the -CleanReport parameter at the end of the run command to clear information about previous runs of the tool from AzsReadinessCheckerReport.json.

For more information, see Azure Stack validation report.

Validation failures

If a validation check fails, details about the failure are displayed in the PowerShell window. The tool also logs information to the AzsReadinessChecker.log file.

The following examples provide guidance on common validation failures.

Expired or temporary password

Invoke-AzsAzureIdentityValidation v1.1809.1005.1 started.
Starting Azure Identity Validation

Checking Installation Requirements: Fail
Error Details for Service Administrator Account admin@contoso.partner.onmschina.cn
The password for account  has expired or is a temporary password that needs to be reset before continuing. Run Login-AzureRMAccount -EnvironmentName AzureChinaCloud , login with  credentials and follow the prompts to reset.
Additional help URL https://aka.ms/AzsRemediateAzureIdentity

Finished Azure Identity Validation

Log location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessChecker.log
Report location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessCheckerReport.json
Invoke-AzsAzureIdentityValidation Completed

Cause - The account cannot sign in because the password is either expired or temporary.

Resolution - In PowerShell, run the following command, and then follow the prompts to reset the password:

Login-AzureRMAccount -EnvironmentName AzureChinaCloud

Alternatively, sign in to the Azure portal as the account owner, and the user will be forced to change the password.

Unknown user type

Invoke-AzsAzureIdentityValidation v1.1809.1005.1 started.
Starting Azure Identity Validation

Checking Installation Requirements: Fail
Error Details for Service Administrator Account admin@contoso.partner.onmschina.cn
Unknown user type detected. Check the account  is valid for AzureChinaCloud
Additional help URL https://aka.ms/AzsRemediateAzureIdentity

Finished Azure Identity Validation

Log location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessChecker.log
Report location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessCheckerReport.json
Invoke-AzsAzureIdentityValidation Completed

Cause - The account cannot sign in to the specified Azure Active Directory (AADDirectoryTenantName). In this example, AzureChinaCloud is specified as the AzureEnvironment.

Resolution - Confirm that the account is valid for the specified Azure environment. In PowerShell, run the following command to verify that the account is valid for a specific environment:

Login-AzureRmAccount -EnvironmentName AzureChinaCloud

Account is not an administrator

Invoke-AzsAzureIdentityValidation v1.1809.1005.1 started.
Starting Azure Identity Validation

Checking Installation Requirements: Fail
Error Details for Service Administrator Account admin@contoso.partner.onmschina.cn
The Service Admin account you entered 'admin@contoso.partner.onmschina.cn' is not an administrator of the Azure Active Directory tenant 'contoso.partner.onmschina.cn'.
Additional help URL https://aka.ms/AzsRemediateAzureIdentity

Finished Azure Identity Validation

Log location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessChecker.log
Report location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessCheckerReport.json
Invoke-AzsAzureIdentityValidation Completed

Cause - Although the account can successfully sign in, the account is not an administrator of the Azure Active Directory (AADDirectoryTenantName).

Resolution - Sign in to the Azure portal as the account owner, go to Azure Active Directory > Users, select the user, then Directory role, and ensure the user is a Global administrator. If the account is a User, go to Azure Active Directory > Custom domain names, and confirm that the name you supplied for AADDirectoryTenantName is marked as the primary domain name for this directory. In this example, that is contoso.partner.onmschina.cn.

Azure Stack requires that the domain name is the primary domain name.
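To triage the three failures described above automatically (for example in a deployment pre-check pipeline), here is an added example that is not from the original page or the AzsReadinessChecker module: a parser that reads the tool's console output, extracts the status line, the failing account, the help URL and (where present) the tenant, and maps each documented failure message to the resolution given above. The sample input is constructed from the "Account is not an administrator" output shown on this page, and the ErrorKind names are this example's own.

```powershell
# Added example, not from the original page or the AzsReadinessChecker module:
# parse the tool's console output and map the documented failure messages to
# the resolutions given on this page. The ErrorKind names are this example's own.

function Get-AzsIdentityValidationResult {
    param([Parameter(Mandatory)][string[]]$Lines)

    $result = [ordered]@{
        Status     = 'Unknown'   # OK / Fail from the "Checking Installation Requirements" line
        Account    = $null       # service administrator account named in the error details
        Tenant     = $null       # tenant named in the "not an administrator" message only
        ErrorKind  = $null
        Message    = $null
        HelpUrl    = $null
        Resolution = $null
    }

    foreach ($line in $Lines) {
        switch -Regex ($line) {
            '^\s*Checking Installation Requirements:\s*(OK|Fail)\s*$' {
                $result.Status = $Matches[1]
            }
            '^\s*Error Details for Service Administrator Account\s+(\S+)' {
                $result.Account = $Matches[1]
            }
            '^\s*Additional help URL\s+(\S+)' {
                $result.HelpUrl = $Matches[1]
            }
            'has expired or is a temporary password' {
                $result.ErrorKind  = 'ExpiredOrTemporaryPassword'
                $result.Message    = $line.Trim()
                $result.Resolution = 'Run "Login-AzureRMAccount -EnvironmentName AzureChinaCloud" and follow the prompts to reset the password, or have the account owner sign in to the Azure portal so the user is forced to change it.'
            }
            'Unknown user type detected' {
                $result.ErrorKind  = 'UnknownUserType'
                $result.Message    = $line.Trim()
                $result.Resolution = 'Confirm the account is valid for the specified Azure environment: run "Login-AzureRmAccount -EnvironmentName AzureChinaCloud" with the account.'
            }
            "is not an administrator of the Azure Active Directory tenant '([^']+)'" {
                $result.ErrorKind  = 'NotTenantAdministrator'
                $result.Tenant     = $Matches[1]
                $result.Message    = $line.Trim()
                $result.Resolution = "Make the user a Global administrator of tenant '$($Matches[1])' in the Azure portal, and under Custom domain names confirm that this name is marked as the primary domain name."
            }
        }
    }
    [pscustomobject]$result
}

# Constructed sample input: the "Account is not an administrator" output shown above.
$sampleOutput = @'
Invoke-AzsAzureIdentityValidation v1.1809.1005.1 started.
Starting Azure Identity Validation

Checking Installation Requirements: Fail
Error Details for Service Administrator Account admin@contoso.partner.onmschina.cn
The Service Admin account you entered 'admin@contoso.partner.onmschina.cn' is not an administrator of the Azure Active Directory tenant 'contoso.partner.onmschina.cn'.
Additional help URL https://aka.ms/AzsRemediateAzureIdentity

Finished Azure Identity Validation
'@ -split "`r?`n"

$triage = Get-AzsIdentityValidationResult -Lines $sampleOutput
$triage | Format-List

# Fail the pre-check (non-zero exit) unless the tool reported OK.
if ($triage.Status -ne 'OK') { exit 1 }
```

For the constructed sample the function reports Status Fail, ErrorKind NotTenantAdministrator, the admin account, the tenant contoso.partner.onmschina.cn and the aka.ms help URL. In a real run, replace $sampleOutput with the lines captured from Invoke-AzsAzureIdentityValidation (for example via *>&1); the parser only recognises the three messages documented on this page, so any other failure surfaces as Status Fail with an empty ErrorKind and should be read from AzsReadinessChecker.log directly.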

Next steps

Validate Azure registration
View the readiness report
General Azure Stack integration considerations