Share via

'DeviceAADJoin' failed with '0x8018000A' or APP with 4fdb6e89-84e8-4e85-a606-176df7a8737b remove device

Mountain Pond 1,696 Reputation points
2023-05-16T21:05:35.7833333+00:00

Hello,

I'm using provision package for migration from on-prem to Azure AD. Everything was fine, but from some point, some devices join Azre AD, while others do not want to. At the same time, my test machine on Hyper-V may or may not be connected (I restore from a checkpoint and repeat the process). Each time there may be different results.

I looked at the event log and saw an error

ProvXML category 'DeviceAADJoin' failed with '0x8018000A' at CSP node 'AADJ/BPRT'

ApplicationFrameHost_zRFNe0Gjm8

In the audit log, I see that the device joins and after a while the application removes it.

msedge_1sBdejyfFG

I didn't find what app it is. I can't find it by ID. I suspect that I have increased the number of devices allowed.

msedge_6c7vN5IWny

Therefore, this limit was magnified, it seems that you need to wait a while.

Also, I have long excluded the account from being authenticated without a second factor. This is not a problem.

I can't find any information what this app is and why it deletes new devices.

Thank you.

Microsoft Security | Intune | Enrollment
Microsoft Security | Microsoft Entra | Microsoft Entra ID
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

    Comments have been turned off. Learn more

  2. Mountain Pond 1,696 Reputation points
    2023-05-31T21:53:34.3966667+00:00

    Hello @Alfredo Revilla - Upwork Top Talent | IAM SWE SWA ,

    we found out that the device cannot be joined because such a device already exists in Azure AD.

    We have tried installing Windows from scratch and we are getting the same error. We are 100% sure that the problem is in the ISO from which the systems were installed (because from another ISO, there is no such problem).

    After sysprep fixes the problem, the provision packeg successfully adds the device right after the reboot.

    My only question is what changes sysprep on a system that makes the system unique to Azure and doesn't create a conflict.

    We have a lot of devices and we can't sysprep for everyone, is there a faster way to make the system unique? But I don't know what needs to be changed, which is a unique system token for Azure.

    Was this answer helpful?

    0 comments
  3. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,546 Reputation points Moderator
    2023-05-17T06:59:57.4633333+00:00

    Hello @Mountain Pond , app with appId 4fdb6e89-84e8-4e85-a606-176df7a8737b does not look like Microsoft first party app. Try finding its service principal using PowerShell:

    Connect-AzureAD
Get-AzureADServicePrincipal -Filter "appId eq '4fdb6e89-84e8-4e85-a606-176df7a8737b'"

    If you cannot then will need to to create an Azure Support Request ensuring Advanced diagnostic collection is enabled and request it to be assigned to Alfredo Revilla, that's me :)

    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.