Not sure if this is an Intune or Azure AD issue but.. 700003 error

5Y54DMIN 21 Reputation points
2021-06-29T13:46:51.717+00:00

I have a feeling this may relate to Intune/Azure AD somehow, but I'm not 100% sure. Or maybe some config in Office 365.

For the past few months we have been getting reports of the below, and it can be from Teams, Outlook, OneDrive, etc.

"Your organization has deleted this device. To fix this, contact your system administrator and provide the error code 700003."

We see this on domain-joined devices, on-prem AD devices and hybrid devices, as well as on users' personal devices.

Now we have been fixing this issue a few ways.

  • Deleting Windows credentials in Control Panel\All Control Panel Items\Credential Manager that pertain to the app.
  • Uninstalling and reinstalling the app.
  • Disconnecting the problematic account by doing the below:
    1. Open the Settings app
    2. Go to Accounts
    3. Select Access work or school
    4. Find the account that you can’t use and select Disconnect
    5. Wait until the account is disconnected
    6. Try to log in to Office again using your regular username and password.

What we would like to know is what is causing this error. We think it may be some type of misconfiguration in Intune or Azure AD, but we are not sure what.

Thoughts?

Microsoft 365 and Office | Install, redeem, activate | For business | Windows
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Intune | Other

Accepted answer
  1. Jason Sandys 31,411 Reputation points Microsoft Employee Moderator
    2021-06-30T14:09:18.08+00:00

    First, none of this is Intune-related, as Intune has nothing to do directly with identity, thus adding M365 and AAD tags.

    Exactly as the message says though, someone deleted the device object out of AAD. By default, when signing into M365 apps (formerly O365 apps), the device is automatically registered with AAD unless the users uncheck the checkbox that does this. Most users never do this so the device gets registered. Someone at your org, or maybe a script, is then deleting these device objects leading to the issue.

    You noted in your initial reply that this is happening on non-BYOD devices as well though?

    1 person found this answer helpful.

2 additional answers

  1. Jason Sandys 31,411 Reputation points Microsoft Employee Moderator
    2021-06-30T00:46:15.167+00:00

    Where exactly do you "see" this? Have you validated that the device still exists in AAD?

    1 person found this answer helpful.

  2. VipulSparsh-MSFT 16,316 Reputation points Microsoft Employee
    2021-07-02T12:39:12.573+00:00

    @5Y54DMIN There are a few other occurrences of this, but under a scenario where users connected to AAD via adding a work or school account and, after some time, their company enabled hybrid AAD domain join.

    As a result, this causes the device to have 2 different single sign-on states, and then it fails with the error you mentioned. (On newer versions of Windows 10, the older DeviceID with the one created with adding a work account gets removed automatically to prevent this dual SSO state, which causes AAD to think that the device is no longer present.)

    I think you might be falling under the same scenario. If yes, you can remove the previous SSO cookies from the following registry:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AAD\Storage key registry key

    Once user is authenticated again, we write the SSO cookies again to the same location with updated device ID.

    If the above does not fix your issue, please raise a support case with the Azure AD team.

    1 person found this answer helpful.
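
The answers above ask whether the device still exists in AAD and describe a device that is hybrid joined while still carrying an older work-account registration. As an added example (not part of the thread and not Microsoft's own code), this PowerShell function reads the `dsregcmd /status` output on the affected device and reports its join type, whether both registrations are present, and the DeviceId to look up in the directory. The function name and the sample output are constructed for illustration.

```powershell
# Added example, not from the thread. Get-DeviceRegistrationState is a hypothetical name.
function Get-DeviceRegistrationState {
    param(
        # Lines of `dsregcmd /status` output; defaults to running it on this device.
        [string[]]$StatusText = (& dsregcmd.exe /status)
    )
    # dsregcmd prints "Name : Value" pairs; collect them into a hashtable.
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    $aadJoined    = $fields['AzureAdJoined']   -eq 'YES'
    $domainJoined = $fields['DomainJoined']    -eq 'YES'
    $workplace    = $fields['WorkplaceJoined'] -eq 'YES'

    $joinType = if ($aadJoined -and $domainJoined) { 'Hybrid Azure AD joined' }
                elseif ($aadJoined)                { 'Azure AD joined' }
                elseif ($domainJoined)             { 'On-premises domain joined only' }
                else                               { 'Not joined' }

    [pscustomobject]@{
        JoinType         = $joinType
        WorkplaceJoined  = $workplace
        # Joined to Azure AD and also registered through a work account:
        # the two-registration state described in the answer above.
        DualRegistration = $aadJoined -and $workplace
        DeviceId         = $fields['DeviceId']
        AzureAdPrt       = $fields['AzureAdPrt']
    }
}

# Constructed sample output (not captured from a real device; the GUID is a placeholder).
$sample = @'
| Device State |
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                  DeviceId : 00000000-0000-0000-0000-000000000001
| User State |
           WorkplaceJoined : YES
| SSO State |
                AzureAdPrt : NO
'@ -split "`r?`n"

Get-DeviceRegistrationState -StatusText $sample
```

Run without `-StatusText` on an affected machine to read its live state. The reported DeviceId can then be compared with the device list in Azure AD to confirm whether the object was deleted.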
