'DeviceAADJoin' failed with '0x8018000A' or APP with 4fdb6e89-84e8-4e85-a606-176df7a8737b remove device

Question

'DeviceAADJoin' failed with '0x8018000A' or APP with 4fdb6e89-84e8-4e85-a606-176df7a8737b remove device

Mountain Pond 881

Hello,

I'm using provision package for migration from on-prem to Azure AD. Everything was fine, but from some point, some devices join Azre AD, while others do not want to. At the same time, my test machine on Hyper-V may or may not be connected (I restore from a checkpoint and repeat the process). Each time there may be different results.

I looked at the event log and saw an error

ProvXML category 'DeviceAADJoin' failed with '0x8018000A' at CSP node 'AADJ/BPRT'

ApplicationFrameHost_zRFNe0Gjm8

In the audit log, I see that the device joins and after a while the application removes it.

msedge_1sBdejyfFG

I didn't find what app it is. I can't find it by ID. I suspect that I have increased the number of devices allowed.

msedge_6c7vN5IWny

Therefore, this limit was magnified, it seems that you need to wait a while.

Also, I have long excluded the account from being authenticated without a second factor. This is not a problem.

I can't find any information what this app is and why it deletes new devices.

Thank you.

Answer 1

Alfredo Revilla (MSFT) 18,496 Microsoft Employee

Hello @Denis Pasternak , app with appId 4fdb6e89-84e8-4e85-a606-176df7a8737b does not look like Microsoft first party app. Try finding its service principal using PowerShell:

Connect-AzureAD
Get-AzureADServicePrincipal -Filter "appId eq '4fdb6e89-84e8-4e85-a606-176df7a8737b'"

If you cannot then will need to to create an Azure Support Request ensuring Advanced diagnostic collection is enabled and request it to be assigned to Alfredo Revilla, that's me :)

Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.

Mountain Pond 881 Reputation points

2023-05-17T13:35:54.36+00:00

I tried creating another Provisioning package. The problem is the same, but now the application with a different ID deletes the device.

Will I need to enable advanced logging? Sorry, I don't understand what I need to do.
Alfredo Revilla (MSFT) 18,496 Reputation points Microsoft Employee

2023-05-17T14:35:20.2033333+00:00

I will reach the AAD team about this and will come back ASAP.
Mountain Pond 881 Reputation points

2023-05-17T14:38:23.38+00:00

Thank you. I will wait impatiently.
Mountain Pond 881 Reputation points

2023-05-17T16:00:48.67+00:00

Application ID is the same as Device Object ID.

Application = Device. Looks like device remove itself, right after added.

A little about the device. Windows 11 Enterprise device. It has been added to on-prem AD. The user is a domain user, but he has a "Work or School account" configured. The device in Azure AD is registered.

There is no synchronization between on-prem and Azure AD, so the device is not hybrid.

Provision Package - Adds the device to Azure AD.

Previously, there were no problems, perhaps this is due to this test device.

In any case, I would really like to hear from Microsoft :) because it should be obvious to you, this behavior.
Mountain Pond 881 Reputation points

2023-05-25T17:34:11.9466667+00:00

Sorry, did you reached ADD team?
Alfredo Revilla (MSFT) 18,496 Reputation points Microsoft Employee

2023-05-26T00:30:32.85+00:00

Hello @Denis Pasternak , not yet so I'm reaching them again. I will come back ASAP.

'DeviceAADJoin' failed with '0x8018000A' or APP with 4fdb6e89-84e8-4e85-a606-176df7a8737b remove device

1 answer

Activity