Cannot validate argument on parameter 'DEMPassword'. error : server_error error_description : AADSTS90092: Non-retryable error has occurred

Cody_Smith · August 27, 2023, 1:30pm

Is anyone else getting this on their azre join tasks?

James_Harper · August 28, 2023, 6:43am

Something similar. The task seemed to run just fine though.

Dakota_Lewis · August 28, 2023, 3:14pm

Darren posted on the 17th about this issue:

“For those of you experiencing the “Non-Retryable Error” using Azure AD Join/Directory Migration, this appears to be a Microsoft issue as I was able to replicate it the supported way via Windows Configuration Designer. I have an official case open but feel free to blow them up on Twitter (X?) with me as I believe it helped the last 2 times this happened:”

Gav · August 30, 2023, 12:26am

@DarrenDK and team have been chipping away at getting OAuth consent flow working that should assist with some of the issues with AzureAD joining.
Not sure exactly where he is at in the progress but there has been work getting completed on the backend.

Bezalu_CTO · August 31, 2023, 8:15pm

Running into the same. CA’s have service user excluded, no MFA on join, no MFA/Pass change on login (tested), app reg has all required perms, etc. I can’t even find a sign-in error with the mentioned correlation ID.

DarrenDK · September 1, 2023, 5:23am

Even after getting the new OAuth2 consent working tonight the error persists even in Windows Configuration Designer. We are able to replicate it with one of our MSP customers.

It’s almost as if it only happens if Conditional Access isn’t setup. I don’t have enough data points to support this.

Initially we thought is was a change to MFA registration campaigns, then we thought it was secure defaults being enabled, but none of that is setup on this tenant.

I opened another severity A case with Microsoft tonight since the one I opened on 8/14/2023 got no response at all.

DarrenDK · September 7, 2023, 2:16pm

Microsoft finally got back to me and we figured it out.

At some point in time Microsoft stopped including the Microsoft.Azure.SyncFabric Enterprise App when creating tenants, and evidently it is required for this to work.

The workaround is to add the Enterprise Application via the AzureAD PowerShell Module

Open Windows PowerShell locally and run the following:

# Install-Module AzureAD -Context CurrentUser
Import-Module AzureAD
Connect-AzureAd -TenantId contoso.com # Login as Global admin in customer tenant
New-AzureADServicePrincipal -AppId 00000014-0000-0000-c000-000000000000

I’m trying to schedule another call with them today to see if there is a workaround that doesn’t involve PowerShell, perhaps via an adminconsent link.