Azure AD Issues - Unable to retrieve BPRT

HonourJ · July 7, 2025, 7:40am

Hi all,

I have a problem with setting up Azure AD. I have set this up the exact same way as working tenants that successfully AD join and Intune join.

This is the log -

Global script ‘Configure AzureAD’ had a terminating error when run in Set mode

Unable to retrieve BPRT
Exception:
Line |
261 | throw ($bulkaadjtokenresponsedata | fl * | Out-String)
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
error : invalid_grant
error_description : AADSTS90093: {“odata.error”:{“code”:“Authorization_RequestDenied”,“message”:{“lang”:“en”,“value”:“Insufficient privileges to complete the operation.”},“requestId”:“720ba028-7385-479a-b5f7-d51d1042cfff”,“date”:“2025-07-07T07:33:08”}} Trace ID: c4a5c67c-7e49-41b7-823b-eef92f5e0400 Correlation ID: 299aabbe-e363-40d8-854d-a4d9b0309373 Timestamp: 2025-07-07 07:33:08Z
error_codes : {90093}
timestamp : 2025-07-07 07:33:08Z
trace_id : c4a5c67c-7e49-41b7-823b-eef92f5e0400
correlation_id : 299aabbe-e363-40d8-854d-a4d9b0309373
tenant_id :

Invoke-RestMethod:
Line |
50 | … obContent = Invoke-RestMethod -Uri $SasUri -Headers @{'x-ms-blob-type …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| BlobNotFoundThe specified blob does not exist.
RequestId:8fb8a874-201e-0012-4d11-ef682c000000
Time:2025-07-07T07:33:05.2921896Z

Does anyone have any ideas? I am losing it!

I’ve made sure DEM is all good, conditional access is bypassing the DEM, MFA is not on for intune joining and I deleted the package account.

Thanks,

Darren_Rose · July 9, 2025, 12:34am

I’m hitting the exact same error. I’ve tried consenting with different accounts, manipulate conditional access policies and random other tweaks but no luck.

Dakota.Lewis · July 9, 2025, 6:49am

Can you guys tell me if you have SkipRegistryTest or ClearExistingEnrollments set to true, or CacheProvisioningPackage set to false? Directory migration was returing this error up until recently until we realized that these 3 parameters were hardcoded into the script with these values. The issue is probably with one, or a combination, of these parameters. Microsoft is making numerous changes on their side, and I don’t think they behaved this way until quite recently.

Also, just for clarity, are you using the Oauth2 flow or the Username/Password flow to join devices?

@Darren_Rose , I saw you have a ticket in already. Can you send one in as well @HonourJ if you haven’t already, so we can track it?

HonourJ · July 9, 2025, 8:27am

@Dakota.Lewis Hi - hope you’re good.

Everything is left default for SkipRegistryTest, ClearExistingEnrollments and CacheProvisioningPackage. Do you want me to change these to something specific and run another test?

I am using Oauth2flow but have tried the username/password and I get a tenant ID issue as it defaults to the Tenant ID in Immybot (in this case 40) opposed to the actual clients tenant ID.

I’ll raise a ticket now,

Jeremy_Barnes · July 11, 2025, 5:56pm

AADSTS90093 GraphUserUnauthorized - Graph returned with a forbidden error code for the request.

That is what the error message is indicating.

I would check Conditional Access Policies,
Make sure your enrollment user has Device Administrator role
Don’t use the enforce intune enrollment option, just make sure your setup of Auto-enrollment into inTune.

If your using custom app, make sure your have correct permissions assigned and have approved that in the tenant app.
If your using the built in app, make sure its approved in the tenant as well.

Jeremy_Barnes · July 16, 2025, 9:48pm

I just had this error pop up during a M365 Tenant to Tenant profile migration.
I found that the device I was trying to migrate had an AutoPilot registration in the source tenant.
Manual join also failed due to AutoPilot.

Once I flushed that out,
and manually flushed out enrollments (even though I had it checked to flush)
I was able to complete Entra Join process into the Destination tenant manually; I am still getting the same error via Immy join; Though I’ll test some more tomorrow, just wanted to pass some findings along.

HonourJ · July 21, 2025, 8:05am

Hi all,

This is resolved now with Support.

We had to do the below -

enable the CacheProvisioningPackage and the ClearExistingEnrollments parameters then ran again, all good.

Jon_FB · September 3, 2025, 10:18pm

For my own scenario, had to switch to Oauth2, and I disabled LimitToPrimaryUser, but it’s working now.