CAnnot get AzureAD Join to work

Nathan_Woodcock · April 9, 2025, 4:17am

Client doesn’t use InTune, so not using the DEM account method which needs InTune and a license. Just want to connect the PC to Azure so they can login with their 365 accounts like we do manually on their new PCs. Seems to be unclear documentation. Trying the oauth method with a GA account (we’re just trialing atm), give consent successfully, but this error happens:

Join AzureAD

Action: Enforce

Reason: Non-CompliantResult: Non-CompliantResult Message: Global script ‘Configure AzureAD’ had a terminating error when run in Set mode While processing Unable to retrieve BPRT Exception: Line | 237 | throw ($bulkaadjtokenresponsedata | fl * | Out-String) | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | error : unauthorized_client error_description : AADSTS650051: Invalid version. Trace ID: 4021ef1a-5ce4-4913-866a-892bfd5c2100 Correlation ID: 9212e888-4def-49e0-8014-23954bac0413 Timestamp: 2025-04-09 04:14:18Z error_codes : {650051} timestamp : 2025-04-09 04:14:18Z trace_id : 4021ef1a-5ce4-4913-866a-892bfd5c2100 correlation_id : 9212e888-4def-49e0-8014-23954bac0413 Invoke-RestMethod: Line | 50 | … obContent = Invoke-RestMethod -Uri $SasUri -Headers @{'x-ms-blob-type … | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | BlobNotFoundThe specified blob does not exist. RequestId:6628f4cb-b01e-0054-1505-a90d24000000 Time:2025-04-09T04:14:16.4779282Z Unable to retrieve BPRT Exception: Line | 237 | throw ($bulkaadjtokenresponsedata | fl * | Out-String) | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | error : unauthorized_client error_description : AADSTS650051: Invalid version. Trace ID: 4021ef1a-5ce4-4913-866a-892bfd5c2100 Correlation ID: 9212e888-4def-49e0-8014-23954bac0413 Timestamp: 2025-04-09 04:14:18Z error_codes : {650051} timestamp : 2025-04-09 04:14:18Z trace_id : 4021ef1a-5ce4-4913-866a-892bfd5c2100 correlation_id : 9212e888-4def-49e0-8014-23954bac0413 Invoke-RestMethod: Line | 50 | … obContent = Invoke-RestMethod -Uri $SasUri -Headers @{'x-ms-blob-type … | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | BlobNotFoundThe specified blob does not exist. RequestId:6628f4cb-b01e-0054-1505-a90d24000000 Time:2025-04-09T04:14:16.4779282Z

any ideas?

ginge · April 9, 2025, 1:36pm

We’re seeing this in a tenant which was working but we needed to change credentials for.

I’ve done a lot of troubleshooting on this today and this appears to be a Microsoft issue. I’ve tried to use the Windows Configuration Designer to pull down a BPRT and I get the same AADSTS650051 error code.

What’s more curious is this isn’t affecting all Azure tenants as I just tried a different existing set of creds and they are able to retrieve a BPRT successfully.

Jake_Reamer · April 9, 2025, 5:31pm

We have the same issue with our tenant. We can no longer obtain bulk enrollment tokens using Windows Configuration Designer tool. This was working fine a week ago

ginge · April 10, 2025, 6:57am

Looks like someone is going to have to summon up the mental capacity to engage with Microsoft support…ugh.

Jake_Reamer · April 15, 2025, 5:52pm

I submitted a ticket 5 days ago, but MS support hasn’t responded yet. I still can’t pull bulk enrollment tokens from my home tenant, but I can from another tenant.

Adam_Kuhn · April 29, 2025, 8:37pm

I know this isn’t the original question - but what M365 license is the client using? I really like M365 Business Premium - as it supports Intune. For any customer under 300 users, It’s a great way to go. Perhaps that would give you more flexibility - if it’s not too much more than they’re currently paying.