How to troubleshoot Azure AD device registration or join issues

Case



You encounter errors when you try to log in to Microsoft 365 services from your Windows 10 device. You may also run into Azure AD device registration or join issues on an existing device that is already registered or joined to Azure AD.



Solution



Understanding Azure AD device registration and join

First off, you need to understand the basic concepts behind Azure AD device registration and join.



A device identity is an object in Azure Active Directory (Azure AD). This device object is similar to users, groups, or applications. A device identity gives administrators information they can use when making access or configuration decisions. There are three ways to get a device identity:



- Azure AD registration

- Azure AD join

- Hybrid Azure AD join

Device identities are a prerequisite for scenarios like device-based Conditional Access policies and Mobile Device Management with Microsoft Endpoint Manager.



You also need to understand which operating systems and devices can be registered or joined to Azure AD. The following comparison matrix shows the supported operating systems and features for each Azure AD registration/join option. Apple iOS, macOS and Android devices are also supported for Azure AD registration. More details on the supported operating system versions can be found at: https://docs.microsoft.com/en-us/mem/intune/fundamentals/supported-devices-browsers.



| Consideration | Azure AD registered | Azure AD joined | Hybrid Azure AD joined |
|---|---|---|---|
| Client operating systems | | | |
| Windows 10 devices | ✓ | ✓ | ✓ |
| Windows down-level devices (Windows 8.1 or Windows 7) | | | ✓ |
| Sign in options | | | |
| End-user local credentials | ✓ | | |
| Password | ✓ | ✓ | ✓ |
| Device PIN | ✓ | | |
| Windows Hello | ✓ | | |
| Windows Hello for Business | | ✓ | ✓ |
| FIDO 2.0 security keys | | ✓ | ✓ |
| Microsoft Authenticator App (passwordless) | ✓ | ✓ | ✓ |
| Key capabilities | | | |
| SSO to cloud resources | ✓ | ✓ | ✓ |
| SSO to on-premises resources | | ✓ | ✓ |
| Conditional Access (Require devices be marked as compliant; must be managed by MDM) | ✓ | ✓ | ✓ |
| Conditional Access (Require hybrid Azure AD joined devices) | | | ✓ |
| Self-service password reset from the Windows login screen | | ✓ | ✓ |
| Windows Hello PIN reset | | ✓ | ✓ |

Azure AD registration issues



Collect traces from, and check, the following items to troubleshoot an Azure AD registration issue:

- Run the dsregcmd /verbose /status command. This reveals useful information about all registration and sync parameters of your device (device ID, tenant, join state, PRT status).

- Take the device ID from the above command and look it up in the Microsoft 365 management portal at https://portal.azure.com/#blade/Microsoft_AAD_Devices/DevicesMenuBlade/Devices. Also compare this information with the Devices tab under your Microsoft 365 user account at https://myaccount.microsoft.com.

- Check the relevant event logs under Applications and Services Logs --> Microsoft --> Windows --> User Device Registration.

- Remove all other Microsoft work accounts from the local machine and try connecting only with the account in question from Windows 10.

- Check the Office 365 apps activation status on the machine. If needed, run the Support and Recovery Assistant (SaRA) tool from Microsoft.

- Check the validity and expiration date of the system-generated self-signed certificates used for Azure AD registration and join. These certificates can be found in the user certificate store; their subject name is a GUID and they are issued by "MS-Organization-Access", as shown in the example below.

- Check the scheduled tasks under the path "Task Scheduler Library --> Microsoft --> Windows --> Workplace Join".

- Check the registry for Azure AD sync related entries.

- Collect Azure AD registration/join authentication traces and network traces by following the steps below.

  - For regular traces, download and run the following tool: https://aka.ms/icesdptool.

  - For network traces, run netsh trace start scenario=internetClient_dbg capture=yes persistent=yes, then lock and unlock the device (for hybrid-joined devices, wait a minute or more to allow the PRT acquisition task to finish), then run netsh trace stop.
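The checks above (dsregcmd output, the MS-Organization-Access certificate, the User Device Registration event log and the Workplace Join scheduled tasks) can be gathered in one pass. The following PowerShell script is an added example written for this article, not Microsoft's tooling or code from the original post. It assumes a Windows 10 device with dsregcmd.exe and the ScheduledTasks module available, and that it is run in an elevated session so the machine certificate store and the admin event log can be read; the key names it looks up (AzureAdJoined, WorkplaceJoined, DeviceId, WorkplaceDeviceId, AzureAdPrt, TenantName) are the labels dsregcmd prints.

```powershell
# Added diagnostic script (not part of the original article): collects the
# Azure AD registration artefacts described above and flags common problems.
# Assumptions: Windows 10, elevated PowerShell, dsregcmd.exe on the PATH.

function Get-DsregStatus {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Get-DeviceRegistrationCerts {
    # The registration certificate is self-signed, issued by MS-Organization-Access,
    # with the device ID as its subject CN. Registered devices keep it in the user
    # store and joined devices in the machine store, so look in both.
    Get-ChildItem -Path Cert:\CurrentUser\My, Cert:\LocalMachine\My -ErrorAction SilentlyContinue |
        Where-Object { $_.Issuer -like '*MS-Organization-Access*' } |
        Select-Object PSParentPath, Subject, NotBefore, NotAfter,
            @{ Name = 'Expired'; Expression = { $_.NotAfter -lt (Get-Date) } }
}

function Get-RegistrationEvents {
    param([int]$Count = 15)
    # Errors (level 2) and warnings (level 3) from the User Device Registration admin log.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-User Device Registration/Admin'
        Level   = 2, 3
    } -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

function Get-WorkplaceJoinTasks {
    # The tasks under Task Scheduler Library > Microsoft > Windows > Workplace Join
    # drive automatic registration; a disabled or failing task explains a missing PRT.
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = $_ | Get-ScheduledTaskInfo
            [pscustomobject]@{
                Task       = $_.TaskName
                State      = $_.State
                LastRun    = $info.LastRunTime
                LastResult = ('0x{0:X8}' -f $info.LastTaskResult)
            }
        }
}

function Test-DeviceRegistration {
    $status   = Get-DsregStatus
    $certs    = @(Get-DeviceRegistrationCerts)
    $findings = [System.Collections.Generic.List[string]]::new()
    # Joined devices report DeviceId; registered (workplace joined) ones report WorkplaceDeviceId.
    $deviceId = if ($status['DeviceId']) { $status['DeviceId'] } else { $status['WorkplaceDeviceId'] }

    if ($status['AzureAdJoined'] -ne 'YES' -and $status['WorkplaceJoined'] -ne 'YES') {
        $findings.Add('Device is neither Azure AD joined nor Azure AD registered.')
    }
    if ($status['AzureAdPrt'] -eq 'NO') {
        $findings.Add('No Primary Refresh Token (AzureAdPrt : NO); cloud SSO will fail.')
    }
    if ($certs.Count -eq 0) {
        $findings.Add('No MS-Organization-Access certificate found in the user or machine store.')
    }
    foreach ($c in $certs) {
        if ($c.Expired) { $findings.Add("Registration certificate $($c.Subject) expired on $($c.NotAfter).") }
        # A subject that does not match the reported device ID points to a stale or duplicate registration.
        if ($deviceId -and $c.Subject -notlike "*$deviceId*") {
            $findings.Add("Certificate subject $($c.Subject) does not match device ID $deviceId.")
        }
    }

    [pscustomobject]@{
        DeviceId        = $deviceId
        TenantName      = $status['TenantName']
        AzureAdJoined   = $status['AzureAdJoined']
        WorkplaceJoined = $status['WorkplaceJoined']
        DomainJoined    = $status['DomainJoined']
        AzureAdPrt      = $status['AzureAdPrt']
        Certificates    = $certs
        RecentEvents    = Get-RegistrationEvents
        WorkplaceTasks  = Get-WorkplaceJoinTasks
        Findings        = $findings
    }
}

Test-DeviceRegistration | Format-List
```

The Findings list is the part worth reading first: an expired or mismatched certificate, or a PRT that is reported as NO, narrows the problem before you open the event log or start a network trace.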



Azure AD join and hybrid Azure AD join issues

For hybrid Azure AD join to work properly, check the following prerequisites and troubleshooting steps. Remember that in hybrid Azure AD join cases, the configuration of the on-premises Azure AD Connect tool is involved as well.



- https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start

- https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains

- https://neroblanco.co.uk/2021/02/troubleshooting-hybrid-ad-join/
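Hybrid Azure AD join depends on things outside the client: the device must be joined to on-premises AD, it must find the Service Connection Point (SCP) that Azure AD Connect publishes in the AD configuration partition (or a client-side SCP in the registry), and it must reach the device registration endpoints over HTTPS. The following PowerShell script is an added example for this article, not Microsoft's or Azure AD Connect's own code; it assumes a domain-joined client with line of sight to a domain controller, and the endpoint list it probes is the documented set for device registration.

```powershell
# Added example (not part of the original article): checks the on-premises
# prerequisites that hybrid Azure AD join depends on, from a domain-joined client.
# Assumptions: a reachable domain controller; Test-NetConnection available (Windows 10).

function Get-HybridJoinScp {
    # Azure AD Connect publishes an SCP in the AD configuration partition whose
    # "keywords" attribute names the tenant the client should join. The CN GUID is
    # the well-known Azure AD device registration SCP identifier.
    try {
        $rootDse  = [ADSI]'LDAP://RootDSE'
        $configNc = [string]$rootDse.configurationNamingContext
        $scp      = [ADSI]("LDAP://CN=62a0ff2e-97b9-4ad1-a9af-9e2d0c35e4a7," +
                           "CN=Device Registration Configuration,CN=Services,$configNc")
        $keywords = @($scp.keywords)
    } catch {
        return $null
    }
    if ($keywords.Count -eq 0) { return $null }
    [pscustomobject]@{
        Source     = 'AD SCP'
        TenantName = (@($keywords | Where-Object { $_ -like 'azureADName:*' })[0]) -replace '^azureADName:', ''
        TenantId   = (@($keywords | Where-Object { $_ -like 'azureADId:*' })[0])   -replace '^azureADId:', ''
    }
}

function Get-ClientSideScp {
    # A client-side SCP in the registry (used where the client cannot read the AD
    # SCP) takes precedence over the AD object, so check it first.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'
    if (-not (Test-Path $key)) { return $null }
    $v = Get-ItemProperty -Path $key
    [pscustomobject]@{ Source = 'Registry'; TenantName = $v.TenantName; TenantId = $v.TenantId }
}

function Test-RegistrationEndpoints {
    # Registration runs in the system context, so a proxy that needs user
    # authentication blocks it even when the user's browser works.
    $endpoints = 'enterpriseregistration.windows.net',
                 'login.microsoftonline.com',
                 'device.login.microsoftonline.com'
    foreach ($name in $endpoints) {
        $ok = Test-NetConnection -ComputerName $name -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Endpoint = $name; Port443Reachable = [bool]$ok }
    }
}

function Test-HybridJoinPrerequisites {
    $findings = [System.Collections.Generic.List[string]]::new()
    $cs       = Get-CimInstance Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        $findings.Add('Device is not domain joined; hybrid join requires an on-premises AD join.')
    }

    $scp = Get-ClientSideScp
    if (-not $scp) { $scp = Get-HybridJoinScp }
    if (-not $scp) {
        $findings.Add('No SCP found in AD or the registry; configure device options in Azure AD Connect or set the client-side SCP.')
    } elseif (-not $scp.TenantId) {
        $findings.Add("SCP from $($scp.Source) has no azureADId keyword.")
    }

    $net = @(Test-RegistrationEndpoints)
    foreach ($e in $net) {
        if (-not $e.Port443Reachable) { $findings.Add("Cannot reach $($e.Endpoint) on TCP 443.") }
    }

    [pscustomobject]@{
        DomainJoined = [bool]$cs.PartOfDomain
        Scp          = $scp
        Endpoints    = $net
        Findings     = $findings
    }
}

Test-HybridJoinPrerequisites | Format-List
```

If the SCP tenant ID differs from the tenant shown by dsregcmd /status, the device was registered against the wrong tenant and needs to be re-registered; if all three endpoints are unreachable from the system context, fix the proxy or firewall before touching the client.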

Sources

https://docs.microsoft.com/en-us/azure/active-directory/devices/overview

https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-register

https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join

https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join-hybrid

https://docs.microsoft.com/en-us/azure/active-directory/devices/plan-device-deployment

https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current

https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-device-dsregcmd

https://portal.azure.com/#blade/Microsoft_AAD_Devices/DevicesMenuBlade/Devices

https://www.itpromentor.com/troubleshooting-weird-azure-ad-join-issues/

https://www.maximerastello.com/manually-re-register-a-windows-10-or-windows-server-machine-in-hybrid-azure-ad-join/

https://docs.microsoft.com/en-us/azure/active-directory/devices/manage-stale-devices

https://docs.microsoft.com/en-us/azure/active-directory/devices/faq

https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal

https://stefanos.cloud/kb/how-to-troubleshoot-azure-ad-device-registration-or-join-issues/
