Azure AD Join issues

Jonathan_Perozo · June 10, 2025, 9:09pm

We have started to receive since Friday with a varied number of issues with Azure AD Join deployment task. Essentially most of our tenants have arbitrarily stopped working.
Ive tried support with little success.
Some tenants have received AADSTS90002: Tenant not found. Verified the service principal is present. I ran the immybot update to address it but that is still problematic.
Other tenants have received ```
0xCAA90004 Getting token by refresh token failed

AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. 
We have tried reauthorization and it seems to not be processing successfully. 
If there are any suggestions from the group here any suggestions would be appreciated.

Dakota.Lewis · June 10, 2025, 9:26pm

If you are using the OAuth flow, try switching to Username/Password

Dakota.Lewis · June 10, 2025, 9:30pm

You can also have a look at Everything You Need To Know About AzureAD and Immy for some troubleshooting guidance with AzureAD

Nathan_Woodcock · June 27, 2025, 4:42am

Have this issue on random tenants, was the first post i made here a couple of months ago and no help. Its something changed in the tenant on the MS side as it still works for some but i don’t think anyone has narrowed down what yet.

Jeremy_Barnes · June 27, 2025, 6:25pm

it might be the back-end MSOL depreciation, its been rolling for months now. It should be wrapped up Mid July.

When it hit on the tenants I was doing, it seemed to take them about 4 days.

Also 0xCAA90004 could be indications that you have hit your device enrollment limit in Intune. Make sure the user is set as a DEM and it also came to my attention that you need to exclude the DEM user from passwordless logon AUTH if you have that enabled.

Jonathan_Perozo · June 30, 2025, 8:16pm

Hey Jeremy appreciate the coms. Those accounts were all DEM accounts when I reviewed with Immy support. Oddly it just stopped working for some tenants and it would last much longer than 4 days. Given the time crunch I rebuilt consent ie removed the Immy App from the customer tenant and regranted consent to recreate the app. Removed the old Azure AD Join task leveraging the username and password field and used the OAuth token option exclusively with the DEM account authorizing the creation of the token. Ive reached out to support on why that it would randomly stop working but it seemed to work with OAuth so Ive done that with a few tenants and it atleast I got it join not sure if it will work for you guys. @Nathan_Woodcock