AzureAD Join not working as described

James_Harper · April 3, 2023, 7:12am

The notes for the deployment for the “Join AzureAD” task say that it needs “a user in the tenant’s AzureAD (the clients azure tenant). The user does not need to be an admin, and the user does not need to be licensed.”. When we create such a user with no license and no admin privileges, the task fails with the error:

Script Error:
error : invalid_request
error_description : AADSTS240005: Missing required user role to acquire a bulk AADJ token. For more information please go to Bulk enrollment for Windows devices - Microsoft Intune | Microsoft Learn.

Has Microsoft moved the goalposts since this task was put together? Or is there something else I’m not seeing?

Thanks

James

James_Harper · April 3, 2023, 8:02am

I needed to add the “Cloud Device Administrator” role to the user, then it worked just fine.

Dakota_Lewis · April 3, 2023, 7:47pm

Just an FYI, this seems to be a case by case issue. Sometimes it’s needed, sometimes not. Unfortunately, Microsoft hasn’t given a straight-forward answer to this issue.

In any case, I’d recommend only applying an admin role when you get that error. In my opinion, having admin on a DEM account defeats the purpose of a DEM account (supposed to be a least privilege way to join devices).

Ari_Weisberg · August 28, 2024, 8:50pm

Hi it seems to be working fine
But my issue is that it only works if MFA is bypassed
which is not secure

Any way to do it with MFA turned on?