Registering devices with Intune for management and policy enforcement
The dsregcmd output shows the device is correctly Microsoft Entra hybrid joined (AzureAdJoined = YES, DomainJoined = YES), but MDM auto-enrollment and user SSO are failing because:
- MDM URLs are empty
  - In the Tenant Details section of dsregcmd /status, these values are blank:
    - MdmUrl
    - MdmTouUrl
    - MdmComplianceUrl
    - SettingsUrl
  - When auto-enrollment is correctly configured, these URLs are populated from Microsoft Entra ID based on the tenant's MDM authority and automatic enrollment settings (the MDM user scope). Blank values mean the device has not received an MDM configuration for this tenant at all, so there is nothing for the enrollment client to enroll against.
- The user account used for SSO does not exist in the tenant
  - SSO State shows:
    - AzureAdPrt : NO
    - HTTP status : 400
    - Server Error Code : invalid_grant
    - Server Error Description : AADSTS50034: The user account … does not exist in the 28e546c7-fd4b-4246-b0c1-c800d6381d7d directory.
  - This means the sign-in attempt used an identity that is not present in the Microsoft Entra tenant, so no Primary Refresh Token (PRT) can be issued. Without a user who exists in the tenant and holds a PRT, user-based auto-enrollment cannot complete. Note that the PRT is per user: run dsregcmd /status in the session of the user whose enrollment is failing, because an elevated console opened as a different account reports that account's SSO state, not the failing user's.
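The two diagnoses above can be checked mechanically. The following PowerShell is an added example, not code from the original page or from Microsoft: it parses dsregcmd /status output into name/value pairs, flags blank MDM URLs and a missing PRT (calling out AADSTS50034 specifically), and, when run live, also reads the registry values that the automatic MDM enrollment Group Policy writes. The sample output embedded in the script is constructed to mirror this page's case (the UPN is omitted, as on the page); the -Live switch is this script's own parameter, and the assumption is that it runs in the failing user's session.

```powershell
# Added example, not code from the original page: parse `dsregcmd /status` output and flag the
# two conditions diagnosed above (blank MDM URLs, no PRT), then show the auto-enrollment policy
# values on the box. Assumptions: run in the session of the user whose enrollment is failing
# (PRT state is per user); the "Name : Value" field names are those dsregcmd prints; the sample
# output below is constructed to mirror the case on this page (the UPN is omitted).
param([switch]$Live)   # -Live parses this machine's dsregcmd output instead of the constructed sample

$SampleOutput = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                  TenantId : 28e546c7-fd4b-4246-b0c1-c800d6381d7d
                    MdmUrl :
                 MdmTouUrl :
          MdmComplianceUrl :
               SettingsUrl :
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
               HTTP status : 400
         Server Error Code : invalid_grant
  Server Error Description : AADSTS50034: The user account does not exist in the 28e546c7-fd4b-4246-b0c1-c800d6381d7d directory.
'@ -split "`r?`n"

function ConvertFrom-DsregcmdStatus {
    param([string[]]$Lines)
    # dsregcmd prints right-aligned "Name : Value" pairs; the name match is non-greedy so that
    # values containing colons (error descriptions, timestamps) are kept whole.
    $status = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*)$') {
            $name = $Matches[1].Trim(); $value = $Matches[2].Trim()
            if (-not $status.ContainsKey($name)) { $status[$name] = $value }
        }
    }
    return $status
}

function Test-AutoEnrollmentPrereqs {
    param([hashtable]$Status)
    $findings = [System.Collections.Generic.List[string]]::new()
    if ($Status['AzureAdJoined'] -ne 'YES' -or $Status['DomainJoined'] -ne 'YES') {
        $findings.Add('Not Microsoft Entra hybrid joined; auto-enrollment via Group Policy requires hybrid join.')
    }
    foreach ($field in 'MdmUrl', 'MdmTouUrl', 'MdmComplianceUrl', 'SettingsUrl') {
        if ([string]::IsNullOrWhiteSpace($Status[$field])) {
            $findings.Add("$field is blank: the tenant's MDM authority / MDM user scope is not published to this device.")
        }
    }
    if ($Status['AzureAdPrt'] -ne 'YES') {
        $desc = $Status['Server Error Description']
        if ($desc -like 'AADSTS50034*') {
            $findings.Add("No PRT: the signed-in UPN does not exist in the tenant ($desc)")
        } else {
            $findings.Add("No PRT (HTTP $($Status['HTTP status']), $($Status['Server Error Code'])); user auto-enrollment cannot complete.")
        }
    }
    return $findings
}

function Get-AutoEnrollPolicy {
    # Values written by the GPO "Enable automatic MDM enrollment using default Azure AD credentials".
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyKeyPresent     = [bool]$p
        AutoEnrollMDM        = $p.AutoEnrollMDM          # 1 = enabled
        UseAADCredentialType = $p.UseAADCredentialType   # 1 = user credential, 2 = device credential
    }
}

$lines    = if ($Live) { dsregcmd /status } else { $SampleOutput }
$status   = ConvertFrom-DsregcmdStatus -Lines $lines
"Tenant: $($status['TenantId'])"
$findings = Test-AutoEnrollmentPrereqs -Status $status
if ($findings.Count -eq 0) { 'All auto-enrollment prerequisites visible in dsregcmd are met.' }
else { $findings | ForEach-Object { "FAIL: $_" } }
if ($Live) { Get-AutoEnrollPolicy | Format-List }
```

Run it without arguments to see the sample reproduce the page's findings (four blank URLs plus the AADSTS50034 PRT failure); run it with -Live on the affected machine, as the affected user, to check the real output. An absent policy key or AutoEnrollMDM not equal to 1 in the live run means the Group Policy never reached the device, which is a separate problem from the tenant-side ones described above.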
To get auto-enrollment working as expected, the following must be in place:
- Verify MDM authority and auto-enrollment configuration
  - Ensure the tenant's MDM authority is set to Intune and that automatic MDM enrollment (the MDM user scope) is configured for the correct users/groups.
  - The MDM authority and auto-enrollment settings must be configured in Microsoft Entra ID/Intune so that:
    - The device is allowed to auto-enroll into Intune.
    - The MDM URLs (MdmUrl, MdmTouUrl, MdmComplianceUrl, SettingsUrl) are published to the device.
  - The article on diagnosing MDM enrollment explicitly calls out:
    - The user must have a valid Intune license.
    - Auto-enrollment must be activated for those users.
    - The device OS must be a supported Windows version.
    - Auto-enrollment via Group Policy is valid only for Microsoft Entra hybrid joined devices, which is already true in this case.
  - If Group Policy is used, the policy "Enable automatic MDM enrollment using default Azure AD credentials" (Computer Configuration > Administrative Templates > Windows Components > MDM) must apply to the device with the credential type set to User Credential. It creates a scheduled task under \Microsoft\Windows\EnterpriseMgmt\ that runs the enrollment client; that task needs a user with a PRT in order to succeed.
- Confirm the user account is in the correct tenant and licensed
  - The error AADSTS50034 indicates the UPN being used does not exist in the tenant with ID 28e546c7-fd4b-4246-b0c1-c800d6381d7d.
  - Ensure:
    - The user's UPN, including its suffix, matches an account synchronized or created in this tenant. A common cause of AADSTS50034 on hybrid joined devices is an on-premises UPN suffix that is not a verified domain in the tenant: Microsoft Entra Connect then synchronizes the user under a different UPN (for example the .onmicrosoft.com suffix), and the device's PRT request for the on-premises UPN fails because no such UPN exists in the directory.
    - The user has an Intune license assigned.
    - The user is in the MDM user scope configured for automatic enrollment.
- Validate hybrid join and SSO prerequisites
  - For auto-enrollment via Group Policy, the device must be Microsoft Entra hybrid joined and have a valid PRT:
    - dsregcmd /status should show:
      - AzureAdJoined : YES
      - DomainJoined : YES
      - AzureAdPrt : YES
  - The diagnostics guidance notes that auto-enrollment requires:
    - Hybrid join (already present).
    - A valid Microsoft Entra PRT (currently missing because the user is not recognized in the tenant).
- Re-run dsregcmd diagnostics after fixing tenant/user configuration
  - After ensuring:
    - MDM authority is Intune.
    - Auto-enrollment is enabled for the user.
    - The user exists in the tenant and is licensed.
  - Sign in with that user (a fresh sign-in is needed, because the PRT is obtained at logon), then run dsregcmd /status again to confirm:
    - MdmUrl and related URLs are populated.
    - AzureAdPrt is YES.
  - Auto-enrollment should then proceed and the device should enroll into Intune. If the scheduled enrollment task has already run and failed, wait for its next run or start the task under \Microsoft\Windows\EnterpriseMgmt\ manually rather than rebooting repeatedly.
If MDM URLs remain blank after confirming the above, verify the auto-enrollment configuration and Group Policy (if used) against the "Verify autoenrollment requirements and settings" guidance, and check the enrollment client's own log in Event Viewer under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin, which records the outcome of each automatic enrollment attempt.
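The device-side checks above say that the user is missing from the tenant, but not why. The following PowerShell is an added example, not code from the original page or from Microsoft: it performs the tenant-side half of the diagnosis with the Microsoft Graph PowerShell SDK (assumed installed, v2, with an account that can consent to the listed read scopes). It confirms the UPN the device uses exists in the tenant that dsregcmd reports, checks whether a synchronized object exists under a different UPN (the unverified-suffix case), verifies the Intune service plan is provisioned, and optionally checks membership in the MDM user scope group. $Upn, $TenantIdFromDevice and $MdmScopeGroupName are this script's own parameters, not values from the page.

```powershell
# Added example, not code from the original page: tenant-side check for the AADSTS50034 condition.
# Verifies that the UPN the device signs in with exists in the tenant dsregcmd reports, is enabled,
# holds a provisioned Intune service plan, and (optionally) is in the MDM user scope group.
# Assumptions: Microsoft.Graph PowerShell SDK v2 is installed and the caller can consent to the
# listed read scopes; $Upn, $TenantIdFromDevice and $MdmScopeGroupName are placeholders you supply.
param(
    [Parameter(Mandatory)][string]$Upn,                 # UPN the user signs in with on the device
    [Parameter(Mandatory)][string]$TenantIdFromDevice,  # TenantId line from dsregcmd /status
    [string]$MdmScopeGroupName                          # group selected as MDM user scope, if not "All"
)

Connect-MgGraph -Scopes 'User.Read.All', 'GroupMember.Read.All' -NoWelcome
$ctx = Get-MgContext
if ($ctx.TenantId -ne $TenantIdFromDevice) {
    Write-Warning "Signed in to tenant $($ctx.TenantId), but the device is joined to $TenantIdFromDevice. Check that you are in the right directory."
}

# 1. Does the UPN exist? A miss here is exactly what AADSTS50034 reports. Also look for the
#    on-premises UPN, in case Microsoft Entra Connect synchronized the user under another suffix.
$user = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName,OnPremisesUserPrincipalName,AccountEnabled -ErrorAction SilentlyContinue
if (-not $user) {
    $byOnPrem = Get-MgUser -Filter "onPremisesUserPrincipalName eq '$Upn'" -Property Id,UserPrincipalName
    if ($byOnPrem) {
        "FAIL: $Upn is not a UPN in this tenant; the synced object has UPN $($byOnPrem.UserPrincipalName) (unverified suffix or UPN rewrite)."
    } else {
        "FAIL: no user with UPN or on-premises UPN $Upn in tenant $($ctx.TenantId)."
    }
    return
}
if (-not $user.AccountEnabled) { "FAIL: $Upn exists but the account is disabled." }

# 2. Intune license: the Intune service plan (INTUNE_A) must be provisioned on the user.
$plans  = (Get-MgUserLicenseDetail -UserId $user.Id).ServicePlans
$intune = $plans | Where-Object { $_.ServicePlanName -eq 'INTUNE_A' -and $_.ProvisioningStatus -eq 'Success' }
if ($intune) { "OK: Intune service plan provisioned for $Upn." } else { "FAIL: no provisioned Intune service plan on $Upn." }

# 3. MDM user scope: when the scope is a group, the user must be a (transitive) member.
if ($MdmScopeGroupName) {
    $group     = Get-MgGroup -Filter "displayName eq '$MdmScopeGroupName'" -Property Id,DisplayName
    $memberIds = (Get-MgUserTransitiveMemberOf -UserId $user.Id -All).Id
    if ($group -and $memberIds -contains $group.Id) { "OK: $Upn is in MDM scope group $MdmScopeGroupName." }
    else { "FAIL: $Upn is not in MDM scope group $MdmScopeGroupName (or the group was not found)." }
}
```

The first check is the one that matters for the error on this page: if the UPN resolves only through onPremisesUserPrincipalName, the fix is on the identity side (verify the domain in the tenant or correct the UPN suffix), not in Intune. The license and scope checks cover the remaining reasons a user who does exist would still be excluded from automatic enrollment.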