Validate Azure identity

Use the Azure Stack Hub Readiness Checker tool (AzsReadinessChecker) to validate that your Azure Active Directory (Azure AD) is ready to use with Azure Stack Hub. Validate your Azure identity solution before you begin an Azure Stack Hub deployment.

The readiness checker validates:

  • Azure AD as an identity provider for Azure Stack Hub.
  • The Azure AD account that you plan to use can sign in as a global administrator of your Azure AD.

Validation ensures your environment is ready for Azure Stack Hub to store information about users, applications, groups, and service principals from Azure Stack Hub in your Azure AD.

Get the readiness checker tool

Download the latest version of the Azure Stack Hub Readiness Checker tool (AzsReadinessChecker) from the PowerShell Gallery.

Install and configure

Prerequisites

The following prerequisites are required:

AzureRM PowerShell modules

You will need to have the Az PowerShell modules installed. For instructions, see Install PowerShell AzureRM module.

The computer on which the tool runs

Azure AD environment

  • Identify the Azure AD account to use for Azure Stack Hub and ensure it's an Azure AD global administrator.
  • Identify your Azure AD tenant name. The tenant name must be the primary domain name for your Azure AD. For example, contoso.partner.onmschina.cn.
  • Identify the Azure environment you'll use. The supported value for the environment name parameter is AzureChinaCloud.

Steps to validate Azure identity

  1. On a computer that meets the prerequisites, open an elevated PowerShell command prompt, and then run the following command to install AzsReadinessChecker:

    Install-Module Microsoft.AzureStack.ReadinessChecker -Force
    
  2. From the PowerShell prompt, run the following command to set $serviceAdminCredential as the service administrator for your Azure AD tenant. Replace serviceadmin@contoso.partner.onmschina.cn with your account and tenant name:

    $serviceAdminCredential = Get-Credential serviceadmin@contoso.partner.onmschina.cn -Message "Enter credentials for service administrator of Azure Active Directory tenant"
    
  3. From the PowerShell prompt, run the following command to start validation of your Azure AD:

    • Specify the environment name value for AzureEnvironment. The supported value for the environment name parameter is AzureChinaCloud.
    • Replace contoso.partner.onmschina.cn with your Azure Active Directory tenant name.
    Invoke-AzsAzureIdentityValidation -AADServiceAdministrator $serviceAdminCredential -AzureEnvironment <environment name> -AADDirectoryTenantName contoso.partner.onmschina.cn
    
  4. After the tool runs, review the output. Confirm the status is OK for installation requirements. A successful validation appears like the following example:

    Invoke-AzsAzureIdentityValidation v1.1809.1005.1 started.
    Starting Azure Identity Validation
    
    Checking Installation Requirements: OK
    
    Finished Azure Identity Validation
    
    Log location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessChecker.log
    Report location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessCheckerReport.json
    Invoke-AzsAzureIdentityValidation Completed
    

Report and log file

Each time validation runs, it logs results to AzsReadinessChecker.log and AzsReadinessCheckerReport.json. The location of these files displays with the validation results in PowerShell.

These files can help you share validation status before you deploy Azure Stack Hub or investigate validation problems. Both files persist the results of each subsequent validation check. The report provides your deployment team confirmation of the identity configuration. The log file can help your deployment or support team investigate validation issues.

By default, both files are written to C:\Users\<username>\AppData\Local\Temp\AzsReadinessChecker\ (AzsReadinessChecker.log and AzsReadinessCheckerReport.json).

  • Use the -OutputPath <path> parameter at the end of the run command line to specify a different report location.
  • Use the -CleanReport parameter at the end of the run command to clear information about previous runs of the tool from AzsReadinessCheckerReport.json.
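As an added example (not code from the original page or from the AzsReadinessChecker tool itself), the following script chains the four validation steps above with the -OutputPath and -CleanReport options, then checks the "Checking Installation Requirements" status line instead of relying on a manual read of the transcript. The tenant name, account and output folder are placeholders, and capturing the tool's console text with *>&1 so that the status line can be parsed is an assumption about how the tool reports its result, not something the page states.

```powershell
# Added example: wraps the documented AzsReadinessChecker identity validation.
# Placeholders and assumptions are marked inline; adjust them for your tenant.
param(
    [string]$TenantName   = 'contoso.partner.onmschina.cn',                # placeholder: your Azure AD primary domain
    [string]$ServiceAdmin = 'serviceadmin@contoso.partner.onmschina.cn',   # placeholder: service admin account
    [string]$OutputPath   = 'C:\AzsReadiness',                             # placeholder report folder (assumption)
    [string]$Environment  = 'AzureChinaCloud',                             # the only supported value on this page
    [switch]$CleanReport                                                   # drop results of previous runs from the report
)

# Step 1: install the checker module if it is not already present.
if (-not (Get-Module -ListAvailable -Name Microsoft.AzureStack.ReadinessChecker)) {
    Install-Module Microsoft.AzureStack.ReadinessChecker -Force
}

# Step 2: prompt for the service administrator credential (never hard-code it).
$serviceAdminCredential = Get-Credential $ServiceAdmin `
    -Message "Enter credentials for service administrator of Azure Active Directory tenant"

# Step 3: run the validation. -OutputPath and -CleanReport are the two report
# options documented above; -CleanReport is only passed when requested so the
# report keeps its history of earlier runs by default.
$params = @{
    AADServiceAdministrator = $serviceAdminCredential
    AzureEnvironment        = $Environment
    AADDirectoryTenantName  = $TenantName
    OutputPath              = $OutputPath
}
if ($CleanReport) { $params['CleanReport'] = $true }

# Assumption: the tool prints its status to the console, so all streams are
# merged (*>&1) and converted to text lines for parsing.
$output = Invoke-AzsAzureIdentityValidation @params *>&1 | Out-String -Stream

# Step 4: read the status back from the line shown in the sample output above.
$statusLine = $output |
    Where-Object { $_ -match 'Checking Installation Requirements:\s*(\w+)' } |
    Select-Object -First 1
$status = if ($statusLine -match 'Checking Installation Requirements:\s*(\w+)') { $Matches[1] } else { 'Unknown' }

if ($status -eq 'OK') {
    Write-Host "Azure AD tenant '$TenantName' is ready for Azure Stack Hub. Report folder: $OutputPath"
} else {
    Write-Warning "Identity validation status: $status"
    # Surface the tool's own diagnostics (error details, help URL, file locations)
    # so the deployment or support team can investigate from the log and report.
    $output |
        Where-Object { $_ -match 'Error Details|Additional help URL|Log location|Report location' } |
        ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run the script from an elevated PowerShell prompt as in step 1; pass -CleanReport only when you want AzsReadinessCheckerReport.json to contain just the current run. Both the log and the report are marked by the tool as containing PII, so treat the output folder accordingly before sharing it with a deployment team.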

For more information, see Azure Stack Hub validation report.

Validation failures

If a validation check fails, details about the failure display in the PowerShell window. The tool also logs information to the AzsReadinessChecker.log file.

The following examples provide guidance on common validation failures.

Expired or temporary password

Invoke-AzsAzureIdentityValidation v1.1809.1005.1 started.
Starting Azure Identity Validation

Checking Installation Requirements: Fail
Error Details for Service Administrator Account admin@contoso.partner.onmschina.cn
The password for account  has expired or is a temporary password that needs to be reset before continuing. Run Login-AzureRMAccount -EnvironmentName AzureChinaCloud , login with  credentials and follow the prompts to reset.
Additional help URL https://aka.ms/AzsRemediateAzureIdentity

Finished Azure Identity Validation

Log location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessChecker.log
Report location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessCheckerReport.json
Invoke-AzsAzureIdentityValidation Completed

Cause - The account can't sign in because the password is either expired or temporary.

Resolution - In PowerShell, run the following command and then follow the prompts to reset the password:

Login-AzureRMAccount -EnvironmentName AzureChinaCloud

Another way is to sign in to the Azure portal as the account owner; the user will then be forced to change the password.

Unknown user type

Invoke-AzsAzureIdentityValidation v1.1809.1005.1 started.
Starting Azure Identity Validation

Checking Installation Requirements: Fail
Error Details for Service Administrator Account admin@contoso.partner.onmschina.cn
Unknown user type detected. Check the account  is valid for AzureChinaCloud
Additional help URL https://aka.ms/AzsRemediateAzureIdentity

Finished Azure Identity Validation

Log location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessChecker.log
Report location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessCheckerReport.json
Invoke-AzsAzureIdentityValidation Completed

Cause - The account can't sign in to the specified Azure AD (AADDirectoryTenantName). In this example, AzureChinaCloud is specified as the AzureEnvironment.

Resolution - Confirm that the account is valid for the specified Azure environment. In PowerShell, run the following command to verify the account is valid for a specific environment:

Login-AzureRmAccount -EnvironmentName AzureChinaCloud

Account is not an administrator

Invoke-AzsAzureIdentityValidation v1.1809.1005.1 started.
Starting Azure Identity Validation

Checking Installation Requirements: Fail
Error Details for Service Administrator Account admin@contoso.partner.onmschina.cn
The Service Admin account you entered 'admin@contoso.partner.onmschina.cn' is not an administrator of the Azure Active Directory tenant 'contoso.partner.onmschina.cn'.
Additional help URL https://aka.ms/AzsRemediateAzureIdentity

Finished Azure Identity Validation

Log location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessChecker.log
Report location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessCheckerReport.json
Invoke-AzsAzureIdentityValidation Completed

Cause - Although the account can successfully sign in, the account isn't an admin of the Azure AD (AADDirectoryTenantName).

Resolution - Sign in to the Azure portal as the account owner, go to Azure Active Directory, then Users, then select the user. Then select Directory Role and ensure the user is a Global administrator. If the account is a User, go to Azure Active Directory > Custom domain names and confirm that the name you supplied for AADDirectoryTenantName is marked as the primary domain name for this directory. In this example, that's contoso.partner.onmschina.cn.

Azure Stack Hub requires that the domain name is the primary domain name.

Next Steps

Validate Azure registration
View the readiness report
General Azure Stack Hub integration considerations