Hi all,
I have a problem with setting up Azure AD. I have set this up the exact same way as working tenants that successfully AD join and Intune join.
This is the log -
Global script ‘Configure AzureAD’ had a terminating error when run in Set mode
Unable to retrieve BPRT
Exception:
Line |
261 | throw ($bulkaadjtokenresponsedata | fl * | Out-String)
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
error : invalid_grant
error_description : AADSTS90093: {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"720ba028-7385-479a-b5f7-d51d1042cfff","date":"2025-07-07T07:33:08"}} Trace ID: c4a5c67c-7e49-41b7-823b-eef92f5e0400 Correlation ID: 299aabbe-e363-40d8-854d-a4d9b0309373 Timestamp: 2025-07-07 07:33:08Z
error_codes : {90093}
timestamp : 2025-07-07 07:33:08Z
trace_id : c4a5c67c-7e49-41b7-823b-eef92f5e0400
correlation_id : 299aabbe-e363-40d8-854d-a4d9b0309373
tenant_id :
Invoke-RestMethod:
Line |
50 | … obContent = Invoke-RestMethod -Uri $SasUri -Headers @{'x-ms-blob-type …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| BlobNotFoundThe specified blob does not exist.
RequestId:8fb8a874-201e-0012-4d11-ef682c000000
Time:2025-07-07T07:33:05.2921896Z
Does anyone have any ideas? I am losing it!
I’ve made sure DEM is all good, conditional access is bypassing the DEM, MFA is not on for intune joining and I deleted the package account.
Thanks,
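An added example (not from this thread and not ImmyBot's own code): a small Python parser for the token error dump in the log above. It splits the PowerShell `fl *` key/value lines, pulls out the AADSTS code, the Graph `odata.error` that is embedded inside `error_description`, and the trace/correlation IDs you need when raising a ticket. The sample input is re-typed from the log in this post; it also tolerates an `error_description` that carries no embedded JSON.

```python
import json
import re

# Constructed sample: the token-endpoint error from the log above, as the
# PowerShell "fl *" key/value dump the script throws.
SAMPLE = """error : invalid_grant
error_description : AADSTS90093: {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"720ba028-7385-479a-b5f7-d51d1042cfff","date":"2025-07-07T07:33:08"}} Trace ID: c4a5c67c-7e49-41b7-823b-eef92f5e0400 Correlation ID: 299aabbe-e363-40d8-854d-a4d9b0309373 Timestamp: 2025-07-07 07:33:08Z
error_codes : {90093}
timestamp : 2025-07-07 07:33:08Z
trace_id : c4a5c67c-7e49-41b7-823b-eef92f5e0400
correlation_id : 299aabbe-e363-40d8-854d-a4d9b0309373
tenant_id :
"""


def parse_token_error(text):
    """Parse a 'fl *' dump of an Entra token error response.

    Returns the OAuth error, the AADSTS code, the inner Graph odata.error
    (when error_description embeds one) and the IDs to quote in a ticket.
    """
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            # Split on the first colon only; values may contain more colons.
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    desc = fields.get("error_description", "")
    result = {
        "error": fields.get("error"),
        "aadsts": None,
        "inner_code": None,
        "inner_message": None,
        "trace_id": fields.get("trace_id"),
        "correlation_id": fields.get("correlation_id"),
    }
    m = re.match(r"(AADSTS\d+):\s*(.*)", desc)
    if m:
        result["aadsts"] = m.group(1)
        rest = m.group(2)
        # The embedded JSON ends at the last '}' before the "Trace ID:" tail.
        end = rest.rfind("}")
        if rest.startswith("{") and end != -1:
            try:
                inner = json.loads(rest[: end + 1]).get("odata.error", {})
                result["inner_code"] = inner.get("code")
                result["inner_message"] = inner.get("message", {}).get("value")
            except json.JSONDecodeError:
                pass  # leave inner fields as None; the AADSTS code still helps
    return result
```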
I’m hitting the exact same error. I’ve tried consenting with different accounts, manipulating conditional access policies and random other tweaks, but no luck.
Can you guys tell me if you have SkipRegistryTest or ClearExistingEnrollments set to true, or CacheProvisioningPackage set to false? Directory migration was returning this error up until recently, until we realized that these 3 parameters were hardcoded into the script with these values. The issue is probably with one, or a combination, of these parameters. Microsoft is making numerous changes on their side, and I don’t think they behaved this way until quite recently.
Also, just for clarity, are you using the Oauth2 flow or the Username/Password flow to join devices?
@Darren_Rose , I saw you have a ticket in already. Can you send one in as well @HonourJ if you haven’t already, so we can track it?
@Dakota.Lewis Hi - hope you’re good.
Everything is left default for SkipRegistryTest, ClearExistingEnrollments and CacheProvisioningPackage. Do you want me to change these to something specific and run another test?
I am using the OAuth2 flow but have tried the username/password flow and I get a tenant ID issue, as it defaults to the tenant ID in ImmyBot (in this case 40) as opposed to the actual client’s tenant ID.
I’ll raise a ticket now,
AADSTS90093 GraphUserUnauthorized - Graph returned with a forbidden error code for the request.
That is what the error message is indicating.
I would check Conditional Access Policies,
Make sure your enrollment user has Device Administrator role
Don’t use the enforce Intune enrollment option; just make sure your setup of auto-enrollment into Intune is correct.
If you’re using a custom app, make sure you have the correct permissions assigned and have approved that in the tenant app.
If you’re using the built-in app, make sure it’s approved in the tenant as well.