Everything You Need To Know About AzureAD and Immy
As we all know, AzureAD is a massive platform, and a LOT can go wrong. Since it is one of our most common tickets to date, I thought it might be fitting to have a community guide that we can point you to. Of course, Microsoft is always changing, so I’ll try to update this as I go. Feel free to comment with new finds and fixes, as well. This IS a community, after all.
Table of Contents
- Join Issues -
MFA Prohibiting AAD Joins (0xCAA2000C):
If your conditional access policies require MFA for all users, adjust the settings as follows:
- Exclude ‘Microsoft Intune Enrollment’ from the Cloud Apps requiring MFA.
- In Azure AD, create a Dynamic Security Group named ‘Provisioning Packages’. Set its Dynamic Membership Rule to: user.userPrincipalName -startsWith "package_"
- Ensure that this ‘Provisioning Packages’ group is excluded from the MFA requirement.
Azure SyncFabric App
This cloud app needs to exist for the task to run properly. Many new environments do not have the app when they are created, so you will need to create them. Microsoft has also been known to occasionally remove the app from tenants that already have it.
To add the cloud app to the desired tenant, run the following script:
#Install-Module AzureAD   # Uncomment this if you do not already have the AzureAD module installed
Import-Module AzureAD
Connect-AzureAD -TenantId contoso.com   # Log in as a Global Admin in the customer tenant
# 00000014-0000-0000-c000-000000000000 is the AppId of the Azure SyncFabric app
New-AzureADServicePrincipal -AppId 00000014-0000-0000-c000-000000000000
WARNING
Replace the “contoso.com” domain with the one corresponding to your desired tenant.
Alternatively, there is a cloud task that can add Azure SyncFabric back to the tenant. It may require a custom app registration, though.
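The following pre-flight script is an added example and not part of the original post; it checks (and optionally repairs) the two tenant prerequisites covered above, the ‘Provisioning Packages’ dynamic group from the MFA section and the SyncFabric service principal from this one, using the same AzureAD module as the post's own script. It assumes you are already connected with Connect-AzureAD as a Global Admin of the target tenant.

```powershell
# Added example (not from the original post): pre-flight check for the two
# tenant prerequisites described above, using the AzureAD module.
# Assumes an existing Connect-AzureAD session as Global Admin in the target tenant.
$SyncFabricAppId = '00000014-0000-0000-c000-000000000000'   # Azure SyncFabric AppId (from the post)
$GroupName       = 'Provisioning Packages'
$ExpectedRule    = 'user.userPrincipalName -startsWith "package_"'

function Test-SyncFabricServicePrincipal {
    param([switch]$Repair)
    $sp = Get-AzureADServicePrincipal -Filter "appId eq '$SyncFabricAppId'"
    if ($sp) { Write-Host "OK: SyncFabric service principal present ($($sp.ObjectId))"; return $true }
    if (-not $Repair) {
        Write-Warning "MISSING: SyncFabric app; expect AADSTS90092/AADSTS90202 until it is added"
        return $false
    }
    New-AzureADServicePrincipal -AppId $SyncFabricAppId | Out-Null
    Write-Host "FIXED: created SyncFabric service principal"
    return $true
}

function Test-ProvisioningPackagesGroup {
    param([switch]$Repair)
    $group = Get-AzureADMSGroup -Filter "displayName eq '$GroupName'" | Select-Object -First 1
    if (-not $group) {
        if (-not $Repair) { Write-Warning "MISSING: '$GroupName' dynamic group"; return $false }
        $group = New-AzureADMSGroup -DisplayName $GroupName -MailEnabled $false `
            -MailNickname 'provisioningpackages' -SecurityEnabled $true `
            -GroupTypes 'DynamicMembership' -MembershipRule $ExpectedRule `
            -MembershipRuleProcessingState 'On'
        Write-Host "FIXED: created '$GroupName' ($($group.Id))"
        return $true
    }
    # The rule must match exactly, or the package_ users never land in the MFA exclusion.
    if ($group.MembershipRule -ne $ExpectedRule -or $group.MembershipRuleProcessingState -ne 'On') {
        Write-Warning "WRONG RULE on '$GroupName': [$($group.MembershipRule)] (processing: $($group.MembershipRuleProcessingState))"
        return $false
    }
    Write-Host "OK: '$GroupName' dynamic group and membership rule are correct"
    return $true
}

# Run read-only first; add -Repair to both calls to create whatever is missing.
$checks = [ordered]@{
    SyncFabric   = Test-SyncFabricServicePrincipal
    PackageGroup = Test-ProvisioningPackagesGroup
}
$checks
```

Excluding the group (and ‘Microsoft Intune Enrollment’) from the MFA policy itself is still done in Conditional Access, as described in the MFA section above.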
Known Error Codes
0xCAA10059
The account (DEM) you are using to enroll the device does not have permissions to join devices to Azure AD.
Add the account to ‘Selected Users’ or enable ‘Allow All’ users to join devices at:
Microsoft Entra ID - Device Settings
0xCAA50021
The AAD Broker Plugin has been reset by us. You’ll need to re-run the task if you see this.
0x8018000A
The device is already enrolled by a user. Re-run with ‘ClearExistingEnrollments’ set to ‘True’.
0x801C0024
The package_ AAD user associated with the PPKG was not found. Please run again with ‘CacheProvisioningPackage’ set to ‘False’ to generate a new package and user. This one shouldn’t be an issue anymore, since we implemented retries that will generate a new package user if we are unable to create a token on the first try.
0x800700B7
The provisioning package already exists. This may happen if you have executed the provisioning package earlier on this machine.
AADSTS90092 or AADSTS90202
This tenant is missing the Microsoft.Graph.SyncFabric app (Microsoft stopped including it in new tenants at some point).
Refer to Azure SyncFabric App
AADSTS240005
To correct this, navigate to Intune - Roles
Assign the Cloud Device Administrator or Cloud PC Administrator role to the DEM account you are using and try again.
AADSTS50126
The credentials are invalid OR the user has not been excluded from your Registration Campaign
Microsoft Entra Admin Center - Registration Campaign
AADSTS50055
Reset the user’s password via Microsoft Admin Center
AADSTS240003
This issue might be related to Multi-Factor Authentication (MFA) being enabled for $Username.
It’s recommended to disable MFA for this account or consider using OAuth for a more secure authentication method.
AADSTS90002
This error can typically be resolved by using the OAuth flow instead of the username/password flow.
Creating a DEM (Device Enrollment Manager)
- Create a service account in Intune
- Apply an Intune User license to the account
- Apply the Cloud Device Administrator role to the account
- Go to Microsoft Intune Admin Center - Devices under the “Device Enrollment Managers” tab and add the account
- MFA exclusions and enrollment policies may need to be adjusted to fit your use case (as mentioned above)
WARNING
From a security standpoint, we do NOT recommend using a global admin or existing user as a DEM.
- Registered Application Issues -
- I’ll come by and update this with more later, but for now just make sure that if you modify permissions on the app, it requires reconsenting in ImmyBot.