
Hybrid Azure AD Joined Device Registration Pending Issue

Xijie Yi 0 Reputation points
Jan 17, 2023, 9:32 PM

Hi,

Recently, we found an issue regarding login on MS product (Outlook, Teams, and OneDrive) after changing the password.

If a user changes the password, the user will see the "Stay signed in to all your apps" page when opening a Microsoft product (Teams, Outlook, OneDrive, etc.). When we saw this page, we had to select "No, sign in to this app only" instead of clicking "OK".


If we directly selected "OK", an error message popped up saying "Something went wrong, we couldn't sign you in....... Error code CAA50021, Server message: Number of retry attempts exceeds expectation".


We did some troubleshooting and found out that in our Azure AD we have about 400 devices that have already joined our own domain but cannot register successfully in our Azure AD. The status is stuck on Pending.

We found a solution by running the "dsregcmd /leave" command on the affected device and then rebooting the device. After about 30 minutes, the device registers successfully in our Azure AD, and the user does not see the error message again. But this method is kind of inefficient. Is there another way (in bulk, remotely) to resolve this issue? Thank you!

Regards,

Xijie

Microsoft Entra ID

2 answers

  1. Adewale Bello 10 Reputation points
    Oct 26, 2023, 3:51 PM

    How to resolve the device registration issue on Azure AD:

    1. Open a command prompt on the problematic device as an administrator.
    2. Run the command dsregcmd /leave.
    3. Wait for approximately 30 minutes for the device to successfully register on your Azure AD. Alternatively, if you don't want to wait and have an Azure AD Connect server, remote into it and open PowerShell as an administrator.
    4. Run the command Start-ADSyncSyncCycle -PolicyType Delta to force a synchronization.
    5. On the problematic device, open a command prompt as an administrator and run the command dsregcmd /join.
    6. Wait for the process to complete, and you are finished.
    7. Thank me later lol

  2. Jan 18, 2023, 5:18 PM

    Hello, you're unregistering the affected Azure AD device so that it automatically re-registers itself after a reboot. To automate such a procedure for all affected devices you may use a Startup Script in Group Policy.

    To find the affected devices and export them as a CSV you can use a PowerShell script such as:

    # Hybrid-joined (DeviceTrustType ServerAd) devices that never completed registration
    Get-AzureADDevice -All $true |
        Where-Object { ($_.DeviceTrustType -eq "ServerAd") -and
                       ($_.ProfileType -ne "RegisteredDevice") -and
                       (-not $_.AlternativeSecurityIds) } |
        Select-Object -Property AccountEnabled, ObjectId, DeviceId, DisplayName,
                                DeviceOSType, DeviceOSVersion, DeviceTrustType |
        Export-Csv pendingdevicelist-summary.csv -NoTypeInformation

    You may choose to run a simple script that reads the computer name, looks up whether it's included in the exported CSV (to be copied over through GPO too, or shared through a read-only share), runs the unjoin command and proceeds to set a flag in the file system or registry so that it does not run again.

    Something along the lines of the following pseudocode:

    If file flag is not present and computer name is present in CSV
        unjoin device
        create file flag
        reboot
    else
        do nothing

    Let us know if you need additional assistance. If the answer was helpful, please accept it so that others can find a solution.

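A GPO startup script that implements the pseudocode above, added here as an example and not part of the original answer. It assumes the CSV from the Get-AzureADDevice query is published on a read-only share (the UNC path and the registry flag key are placeholders) and adds one guard the pseudocode lacks: it re-checks `dsregcmd /status` so a device that finished registering after the CSV was exported is not unjoined again.

```powershell
# Assumed layout (placeholders): CSV on a read-only share, flag stored under HKLM.
param(
    [string]$CsvPath = '\\FILESERVER\share\pendingdevicelist-summary.csv',
    [string]$FlagKey = 'HKLM:\SOFTWARE\Contoso\HybridJoinFix',
    [switch]$WhatIf   # dry run: log what would happen, change nothing
)

$log = 'C:\Windows\Temp\HybridJoinFix.log'
function Write-Log($msg) { "$(Get-Date -Format s) $msg" | Out-File $log -Append }

# 1. Flag check: never run twice on the same machine (every run ends in a reboot).
if (Test-Path $FlagKey) { Write-Log 'Flag present, nothing to do'; return }

# 2. Is this computer in the exported list of pending hybrid-joined devices?
if (-not (Test-Path $CsvPath)) { Write-Log "CSV not reachable: $CsvPath"; return }
$pending = Import-Csv $CsvPath | Select-Object -ExpandProperty DisplayName
if ($pending -notcontains $env:COMPUTERNAME) { Write-Log 'Not in pending list'; return }

# 3. Safety check: the CSV is a snapshot. dsregcmd /status prints
#    "AzureAdJoined : YES|NO"; a device that already completed registration
#    must be left alone, otherwise the fix itself causes the outage.
$status = dsregcmd /status
if ($status -match 'AzureAdJoined\s*:\s*YES') { Write-Log 'Already joined, skipping'; return }

if ($WhatIf) { Write-Log 'WhatIf: would run dsregcmd /leave and reboot'; return }

# 4. Unjoin, record the flag, reboot; the device re-registers automatically afterwards.
Write-Log 'Running dsregcmd /leave'
dsregcmd /leave
New-Item -Path $FlagKey -Force | Out-Null
New-ItemProperty -Path $FlagKey -Name 'LeaveDone' -Value (Get-Date -Format s) `
    -PropertyType String -Force | Out-Null
Write-Log 'Flag set, rebooting'
Restart-Computer -Force
```

Deploy it first with `-WhatIf` on a pilot OU and read the log before letting it unjoin anything.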
