Troubleshoot conditional access

Applies to: Intune in the classic portal
Looking for documentation about Intune in the Azure portal? Go here.

Typically, a user is trying to access email or SharePoint and receives a prompt to enroll. That prompt will lead the user to the company portal.

This topic describes what to do when your users fail to get access to resources through Intune conditional access.

The basics for success in conditional access

For conditional access to work, the following conditions must be met:

  • The device must be managed by Intune.
  • The device must be registered with Azure Active Directory (AAD). Under normal circumstances this registration takes place automatically during Intune enrollment.
  • The device must be compliant with your Intune compliance policies, for the device, and for the user of the device. If there are no compliance policies, Intune enrollment is sufficient.
  • Exchange ActiveSync must be activated on the device if the user is retrieving mail through the device's native mail client rather than through Outlook. This happens automatically for iOS, Windows Phone and Android/KNOX Standard devices.
  • Your Intune Exchange Connector should be properly configured. See Troubleshooting the Exchange Connector in Microsoft Intune for more information.

These conditions can be viewed for each device in the Azure Management Portal and in the device inventory report.

Enrollment issues

  • The device isn't enrolled, so enrollment will resolve the issue.
  • The user enrolled the device, but the workplace join failed. The user should update the enrollment from the company portal.

Compliance issues

  • The device is not compliant with Intune policy. Common issues are encryption and password requirements. The user will be redirected to the company portal, where they can configure their device to be compliant.
  • It may take some time for compliance information to be registered for a device. Wait a few minutes and try again.
  • For iOS devices:

    • An existing email profile created by the user will block the deployment of an Intune admin-created profile. This is a common problem, as iOS users will typically create an email profile, then enroll. The company portal will inform the user that they are not compliant due to their manually configured email profile, and will prompt the user to remove that profile. The user should remove their email profile so that the Intune profile can be deployed. To prevent the problem, instruct your users to enroll without installing an email profile and to allow Intune to deploy the profile.
    • An iOS device may get stuck in a checking-compliance state, preventing the user from initiating another check-in. Restarting the company portal may fix this, and the compliance state will reflect the device state in Intune. After all of the data is collected from a device sync, the compliance check is fast, less than half a second on average.

      Typically, the reason devices stay in this state is that they are having trouble connecting to the service or the sync is taking a long time. If the problem persists on different network configurations (cellular, Wi-Fi, VPN), through device restarts, and after verifying that the SSP is up-to-date on the device, contact Microsoft Support as described in How to get support for Microsoft Intune.

  • For Android devices:

    • Certain Android devices may seem to be encrypted, but the Company Portal app recognizes these devices as not encrypted.

      • Devices that are in this state require the user to set a secure start-up passcode. The user will see a device notification from the Company Portal app asking to set a start-up passcode for the device. After tapping the device notification and confirming the existing PIN or password, choose the Require PIN to start device option on the Secure start-up screen. Then, tap the Check Compliance button for the device from the Company Portal app. The device should now be detected as encrypted.

      • Some device manufacturers encrypt their devices using a default PIN instead of the secret PIN set by the user. Intune recognizes encryption using the default PIN as insecure because this method of encryption can put the data on the device at risk from malicious users with physical access to the device. If this is the issue, consider using app protection policies.

Policy issues

When you create a compliance policy and link it to an email policy, both policies have to be deployed to the same user, so be careful when planning which policies are deployed to which groups. Users that have only one policy applied are likely to find that their devices are not compliant.

Exchange ActiveSync issues

Compliant Android device gets quarantine notice

  • An Android device that is enrolled and compliant may still get a quarantine notice when trying to access corporate resources. Before choosing the link that says Begin, the user should ensure that the company portal was not open when they tried to access the resources. The user should close the company portal, try again to access the resources, and then choose the Begin link.

Retired device continues to have access

  • When using Exchange Online, a retired device may continue to have access for several hours after retirement. This is because Exchange caches access rights for 6 hours. Consider other means of protecting data on retired devices in this scenario.

Device is compliant and registered with AAD but still blocked

  • Sometimes, provision of the Exchange ActiveSync ID (EASID) to AAD is delayed. A common cause of this issue is throttling, so wait a few minutes and try again.

Device blocked

A device may be blocked from Conditional Access without receiving an activation email.

  • Is there a default Exchange rule which quarantines or blocks devices? If a default rule blocks or quarantines devices, devices will not be able to receive the activation email from the Exchange Connector. This is by design.
  • Is the notification account properly configured as described in Basic configuration?
  • Is the device present in the Intune admin console as an Exchange ActiveSync device? If not, it's likely that device discovery is failing, probably because of an Exchange Connector sync issue. See Exchange ActiveSync device not discovered from Exchange.
  • Check the Exchange Connector logs for sendemail activity and check for errors. An example of the command to search for is SendEmail from notification account to useremail.
  • Before the Exchange Connector blocks the device, it sends the activation email. If the device is offline, it may not receive the activation email. Check if the device email client has email retrieval using Push instead of Poll, as this could also cause the user to miss the email. Switch to Poll and see if the device receives the email.

Noncompliant device not blocked

If you encounter a device that is not compliant but continues to have access, take the following steps.

  • Review your Target and Exclusion groups. If a user isn't in the right target group or is in the exclusion group, they won't be blocked. Only devices of users in a Target group are checked for compliance.
  • Ensure the device is being discovered. Is the Exchange Connector pointing to an Exchange 2010 CAS while the user is on an Exchange 2013 server? In this case, if the default Exchange rule is Allow, even if the user is in the Target group, Intune can't be aware of the device's connection to Exchange.
  • Check Device Existence/Access State in Exchange:
    • Use this PowerShell cmdlet to get a list of all mobile devices for a mailbox: "Get-ActiveSyncDeviceStatistics -mailbox mbx". If the device isn't listed then it isn't accessing Exchange.
    • If the device is listed, use the Get-CASmailbox -identity:'upn' | fl cmdlet to get detailed information about its access state, and provide that information to Microsoft Support.

Before you open a support ticket

If these troubleshooting procedures don't resolve your issue, there is information that you may be asked to provide to Microsoft Support, such as OWA mailbox logs or Exchange Connector logs.

Collecting OWA mailbox logs

  1. Log on through OWA and choose the settings (gear) symbol next to your name in the upper right corner.
  2. Choose Options.
  3. Choose Phone (may say Mobile Devices) in the column on the left side.
  4. From the top menu, choose Mobile Devices.
  5. Choose your device from the list and then choose Start Logging.
  6. When prompted, choose Yes on the pop-up dialog.
  7. Perform the action that caused the issue, so that you can reproduce it.
  8. Wait 1-2 minutes, then go back to the phone list in OWA. Make sure your phone is selected in the list, and then from the top menu choose Retrieve Log.
  9. You should receive an email from yourself with an attachment. When you open a support ticket, provide the contents of the email to Microsoft Support.

Exchange Connector logs

General log information

To view Exchange Connector logs, use the Server Trace Viewer Tool (https://msdn.microsoft.com/library/ms732023(v=vs.110).aspx). This tool requires that you download the Windows Server SDK.

The logs are located in C:\ProgramData\Microsoft\Windows Intune Exchange Connector\Logs. The logs are contained in a series of 30 log files starting with Connector0.log and stopping at Connector29.log. Logs roll over from one to another after 10 MB of data has accumulated in a log. Once the logs get to Connector29, they will start over at Connector0 again, overwriting previous log files.

Locating sync logs

  • Locate a full sync in the logs by searching for full sync. The beginning of a full sync will be marked by this text:

    Handling command: Getting the mobile device list without a time filter (full sync) for users

    The end of the log for a full sync looks like this:

    Getting the mobile device list without a time filter (full sync) for 4 users completed successfully. Details: Inventory command result - Devices synced: 0 Commmand ID: commandIDGUID' Exchange health: 'Server health 'Name: 'PowerShellExchangeServer: <Name=mymailservername>' Status: Connected','

  • Locate a quick (delta) sync in the logs by searching for quick sync.

Exceptions in Get next command

Check the Exchange Connector logs for exceptions in Get next command, and provide these to Microsoft Support.
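
The log searches this page describes (SendEmail activity, full and quick sync, Get next command) can be run in one pass over the rotating log files. This is an added example, not Microsoft's tooling: the function name Get-ConnectorLogMarkers and its output fields are hypothetical, and it assumes the log files can be searched as plain text and that the markers appear in them as this page writes them.

```powershell
# Added example. Assumption: the connector log files can be searched as plain text.
function Get-ConnectorLogMarkers {
    param(
        [string]$LogDirectory = 'C:\ProgramData\Microsoft\Windows Intune Exchange Connector\Logs'
    )
    # Search strings are the ones this page names; the labels are this example's own.
    $markers = [ordered]@{
        FullSync       = 'full sync'
        QuickSync      = 'quick sync'
        SendEmail      = 'SendEmail'
        GetNextCommand = 'Get next command'
    }
    # Connector0.log to Connector29.log are overwritten in rotation, so the file
    # number says nothing about age: order by last write time instead.
    $files = Get-ChildItem -LiteralPath $LogDirectory -Filter 'Connector*.log' |
        Sort-Object LastWriteTime
    foreach ($file in $files) {
        foreach ($label in $markers.Keys) {
            $hits = @(Select-String -LiteralPath $file.FullName -Pattern $markers[$label] -SimpleMatch)
            if ($hits.Count -eq 0) { continue }
            [pscustomobject]@{
                File      = $file.Name
                Written   = $file.LastWriteTime
                Marker    = $label
                Hits      = $hits.Count
                # Lines carrying the "completed successfully" text shown for a finished sync
                Completed = @($hits | Where-Object { $_.Line -like '*completed successfully*' }).Count
                FirstLine = $hits[0].LineNumber
            }
        }
    }
}

# Constructed sample log, built only from the strings quoted on this page.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'ConnectorLogSample'
New-Item -ItemType Directory -Path $sample -Force | Out-Null
@(
    'Handling command: Getting the mobile device list without a time filter (full sync) for users'
    'Getting the mobile device list without a time filter (full sync) for 4 users completed successfully.'
    'SendEmail from notification account to useremail'
) | Set-Content -LiteralPath (Join-Path $sample 'Connector0.log')

Get-ConnectorLogMarkers -LogDirectory $sample | Format-Table -AutoSize
```

A FullSync row whose Hits count exceeds its Completed count points at a full sync that started in that file but did not log a successful finish there, which is the file to open in the trace viewer first.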

Verbose logging

To enable verbose logging:

  1. Open the Exchange Connector tracing configuration file. The file is located at: %ProgramData%\Microsoft\Windows Intune Exchange Connector\TracingConfiguration.xml.
  2. Locate the TraceSourceLine with the following key: OnPremisesExchangeConnectorService
  3. Change the SourceLevel node value from Warning ActivityTracing (the default) to Verbose ActivityTracing, as shown below.

    OnPremisesExchangeConnectorService All CircularTraceListener Verbose ActivityTracing 10000000 Microsoft\Windows Intune Exchange Connector\Logs\Connector.svclog 30

Next steps

If this troubleshooting information didn't help you, contact Microsoft Support as described in How to get support for Microsoft Intune.