AzureAD Join not working as described

The notes for the deployment for the “Join AzureAD” task say that it needs “a user in the tenant’s AzureAD (the client’s Azure tenant). The user does not need to be an admin, and the user does not need to be licensed.” When we create such a user with no license and no admin privileges, the task fails with the error:

Script Error:
error : invalid_request
error_description : AADSTS240005: Missing required user role to acquire a bulk AADJ token. For more information please go to Bulk enrollment for Windows devices - Microsoft Intune | Microsoft Learn.

Has Microsoft moved the goalposts since this task was put together? Or is there something else I’m not seeing?
I needed to add the “Cloud Device Administrator” role to the user, then it worked just fine.

Just an FYI, this seems to be a case-by-case issue. Sometimes it’s needed, sometimes not. Unfortunately, Microsoft hasn’t given a straightforward answer to this issue.

In any case, I’d recommend only applying an admin role when you get that error. In my opinion, having admin on a DEM account defeats the purpose of a DEM account (supposed to be a least privilege way to join devices).
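As an added example (not code from the thread or from the deployment task), the following PowerShell script audits a bulk-join (DEM) account for the “Cloud Device Administrator” role and any other directory roles it holds, and can grant or revoke that one role so it is only present while the AADSTS240005 error actually occurs. It assumes the Microsoft.Graph PowerShell module, the Get-MgUserMemberOf / New-MgDirectoryRoleMemberByRef / Remove-MgDirectoryRoleMemberByRef cmdlets, and a placeholder UPN.

```powershell
# Assumes the Microsoft.Graph module is installed and the caller can consent to
# the scopes below. The UPN at the bottom is a placeholder.
$RoleName = 'Cloud Device Administrator'

function Get-JoinAccountRoles {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName,AssignedLicenses
    # Directory roles show up among the user's memberOf objects with this @odata.type.
    $roles = Get-MgUserMemberOf -UserId $user.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] }
    [pscustomobject]@{
        User                = $user.UserPrincipalName
        Licensed            = ($user.AssignedLicenses.Count -gt 0)   # thread says a license is not needed
        HasCloudDeviceAdmin = ($roles -contains $RoleName)
        # Anything beyond the single role the thread needed is excess privilege for a DEM account.
        OtherRoles          = @($roles | Where-Object { $_ -ne $RoleName })
    }
}

function Set-CloudDeviceAdminMembership {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][ValidateSet('Grant','Revoke')][string]$Action
    )
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id
    # Get-MgDirectoryRole only returns roles already activated in the tenant.
    $role = Get-MgDirectoryRole -Filter "displayName eq '$RoleName'"
    if (-not $role) { throw "Role '$RoleName' is not activated in this tenant." }
    if ($Action -eq 'Grant') {
        # Grant only after the join task has actually failed with AADSTS240005.
        $ref = @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)" }
        New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter $ref
    } else {
        # Revoke once the device(s) are joined, keeping the DEM account least-privilege.
        Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -DirectoryObjectId $user.Id
    }
}

Connect-MgGraph -Scopes 'User.Read.All','RoleManagement.ReadWrite.Directory'
Get-JoinAccountRoles -UserPrincipalName 'dem-join@contoso.example'   # placeholder UPN
```

Run the audit first; if `HasCloudDeviceAdmin` is false and the join task reports AADSTS240005, grant the role, rerun the task, and revoke it again afterwards.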