Azure AD Join issues

Since Friday we have started to receive a varied number of issues with the Azure AD Join deployment task. Essentially most of our tenants have arbitrarily stopped working.
I've tried support with little success.
Some tenants have received AADSTS90002: Tenant not found. Verified the service principal is present. I ran the immybot update to address it but that is still problematic.
Other tenants have received:

```
0xCAA90004 Getting token by refresh token failed

AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password.
```
We have tried reauthorization and it seems to not be processing successfully.
Any suggestions from the group here would be appreciated.

If you are using the OAuth flow, try switching to Username/Password

You can also have a look at Everything You Need To Know About AzureAD and Immy for some troubleshooting guidance with AzureAD

Have this issue on random tenants; it was the first post I made here a couple of months ago and no help. It's something that changed in the tenant on the MS side as it still works for some, but I don't think anyone has narrowed down what yet.

It might be the back-end MSOL deprecation; it's been rolling for months now. It should be wrapped up mid-July.

When it hit on the tenants I was doing, it seemed to take them about 4 days.

Also, 0xCAA90004 could be an indication that you have hit your device enrollment limit in Intune. Make sure the user is set as a DEM, and it also came to my attention that you need to exclude the DEM user from passwordless logon auth if you have that enabled.

Hey Jeremy, appreciate the comms. Those accounts were all DEM accounts when I reviewed with Immy support. Oddly it just stopped working for some tenants and it would last much longer than 4 days. Given the time crunch I rebuilt consent, i.e. removed the Immy App from the customer tenant and regranted consent to recreate the app. Removed the old Azure AD Join task leveraging the username and password field and used the OAuth token option exclusively with the DEM account authorizing the creation of the token. I've reached out to support on why it would randomly stop working, but it seemed to work with OAuth, so I've done that with a few tenants and at least I got it to join; not sure if it will work for you guys. @Nathan_Woodcock

Maybe someone can help me out with my issues. I have the DEM created, along with the Join AzureAD tasks for our tenants. The problem I am finding is devices will only “Join” to Entra and not “Register.” The joined devices do get any of the Intune enrollment policies we have put in place.

The only fix I have had so far is to break the Azure connection and re-join from “Access Work Or School” using the DEM account and not the Immy task

I had a similar problem, so I created an additional task that runs at the end. It uses a combined script that runs as System (not Metascript):

```powershell
# Set MDM Enrollment URLs on the tenant's CloudDomainJoin key
$key = 'SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\*'
# Take the first tenant key only; a later .Split() would fail on an array of names
$keyinfo = Get-Item "HKLM:\$key" | Select-Object -First 1
$url = $keyinfo.Name
# The last path component of the key name is the tenant ID
$url = $url.Split("\")[-1]
# Single backslash: PowerShell does not treat "\" as an escape, so "\\" would put a doubled separator in the path
$path = "HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\$url"

New-ItemProperty -LiteralPath $path -Name 'MdmEnrollmentUrl' -Value 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc' -PropertyType String -Force -ErrorAction SilentlyContinue
New-ItemProperty -LiteralPath $path -Name 'MdmTermsOfUseUrl' -Value 'https://portal.manage.microsoft.com/TermsofUse.aspx' -PropertyType String -Force -ErrorAction SilentlyContinue
New-ItemProperty -LiteralPath $path -Name 'MdmComplianceUrl' -Value 'https://portal.manage.microsoft.com/?portalAction=Compliance' -PropertyType String -Force -ErrorAction SilentlyContinue

# Trigger AutoEnroll so the device enrolls into MDM using the URLs set above
C:\Windows\system32\deviceenroller.exe /c /AutoEnrollMDM
```

This will essentially force the device to Intune enroll. We noticed this as sometimes (a small chance) our machines were Azure joined as expected, but they’d never check into Intune and get the policies.

Research / sources from here: Enroll existing Azure Ad | Entra joined Devices into Intune
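A way to confirm what the script above actually changed on a device, as an added example that is not part of Moopus's post or of Immy: it reads the TenantInfo key the script writes to, parses `dsregcmd /status` for the join state and MDM URL, and lists MDM enrollments recorded under `HKLM\SOFTWARE\Microsoft\Enrollments`. The `ProviderID`, `EnrollmentState` and `UPN` value names and the assumption that an Intune enrollment reports `ProviderID` of `MS DM Server` are taken from typical Windows devices and are assumptions, not something the thread states. Run it in an elevated PowerShell session before and after the enrollment task to see whether AutoEnrollMDM completed.

```powershell
# Added example (not code from the thread): verify Entra join and MDM enrollment state.
# Assumptions are noted inline; run from an elevated PowerShell session.

function Get-TenantInfoState {
    # Returns the MDM URL values stored under the tenant's CloudDomainJoin key, or $null if not joined
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo'
    $tenantKey = Get-ChildItem -Path $base -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $tenantKey) { return $null }
    $props = Get-ItemProperty -LiteralPath $tenantKey.PSPath
    [pscustomobject]@{
        TenantId         = $tenantKey.PSChildName
        MdmEnrollmentUrl = $props.MdmEnrollmentUrl
        MdmTermsOfUseUrl = $props.MdmTermsOfUseUrl
        MdmComplianceUrl = $props.MdmComplianceUrl
    }
}

function Get-DsregStatus {
    # Parses single-word "Key : Value" lines from dsregcmd /status into a hashtable
    $result = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

function Get-MdmEnrollments {
    # Lists MDM enrollments recorded in the registry.
    # Assumption: value names ProviderID / EnrollmentState / UPN exist per enrollment,
    # and an Intune enrollment shows ProviderID 'MS DM Server'.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -LiteralPath $_.PSPath
            if ($p.ProviderID) {
                [pscustomobject]@{
                    EnrollmentId    = $_.PSChildName
                    ProviderID      = $p.ProviderID
                    EnrollmentState = $p.EnrollmentState
                    UPN             = $p.UPN
                }
            }
        }
}

$tenant      = Get-TenantInfoState
$status      = Get-DsregStatus
$enrollments = Get-MdmEnrollments

"AzureAdJoined     : $($status['AzureAdJoined'])"
"MdmUrl (dsregcmd) : $($status['MdmUrl'])"
if ($tenant) {
    "TenantId          : $($tenant.TenantId)"
    "MdmEnrollmentUrl  : $($tenant.MdmEnrollmentUrl)"
    "MdmTermsOfUseUrl  : $($tenant.MdmTermsOfUseUrl)"
    "MdmComplianceUrl  : $($tenant.MdmComplianceUrl)"
} else {
    "No TenantInfo key found; the device does not appear to be Entra joined."
}
if ($enrollments) {
    $enrollments | Format-Table -AutoSize
} else {
    "No MDM enrollments recorded; AutoEnrollMDM has not completed on this device."
}
```

A device that is joined but never checks into Intune typically shows `AzureAdJoined : YES` with an empty `MdmUrl` and no `MS DM Server` enrollment; once the URLs are written and `deviceenroller.exe /c /AutoEnrollMDM` succeeds, an enrollment entry appears.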

Moopus,

Is this added to the end of the “Join AzureAD” global deployment task?

Thanks!