This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 86%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
Hello,
I'm using provision package for migration from on-prem to Azure AD. Everything was fine, but from some point, some devices join Azre AD, while others do not want to. At the same time, my test machine on Hyper-V may or may not be connected (I restore from a checkpoint and repeat the process). Each time there may be different results.
I looked at the event log and saw an error
ProvXML category 'DeviceAADJoin' failed with '0x8018000A' at CSP node 'AADJ/BPRT'
In the audit log, I see that the device joins and after a while the application removes it.
I didn't find what app it is. I can't find it by ID. I suspect that I have increased the number of devices allowed.
Therefore, this limit was magnified, it seems that you need to wait a while.
Also, I have long excluded the account from being authenticated without a second factor. This is not a problem.
I can't find any information what this app is and why it deletes new devices.
Thank you.
Hello @Mountain Pond , app with appId 4fdb6e89-84e8-4e85-a606-176df7a8737b does not look like Microsoft first party app. Try finding its service principal using PowerShell:
Connect-AzureAD
Get-AzureADServicePrincipal -Filter "appId eq '4fdb6e89-84e8-4e85-a606-176df7a8737b'"
If you cannot then will need to to create an Azure Support Request ensuring Advanced diagnostic collection is enabled and request it to be assigned to Alfredo Revilla, that's me :)
Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.
I tried creating another Provisioning package. The problem is the same, but now the application with a different ID deletes the device.
Will I need to enable advanced logging? Sorry, I don't understand what I need to do.
I will reach the AAD team about this and will come back ASAP.
Thank you. I will wait impatiently.
Application ID is the same as Device Object ID.
Application = Device. Looks like device remove itself, right after added.
A little about the device. Windows 11 Enterprise device. It has been added to on-prem AD. The user is a domain user, but he has a "Work or School account" configured. The device in Azure AD is registered.
There is no synchronization between on-prem and Azure AD, so the device is not hybrid.
Provision Package - Adds the device to Azure AD.
Previously, there were no problems, perhaps this is due to this test device.
In any case, I would really like to hear from Microsoft :) because it should be obvious to you, this behavior.
Sorry, did you reached ADD team?
Hello @Mountain Pond , not yet so I'm reaching them again. I will come back ASAP.
Converting this to comment as a defintive answer may be provided by PG.
Hello @Mountain Pond and thanks for your findings. I'm reaching the Windows team due to they being the more appropiate team for this issue.
Hello @Alfredo Revilla - Senior Freelance SWE, SWA, IAM ,
we found out that the device cannot be joined because such a device already exists in Azure AD.
We have tried installing Windows from scratch and we are getting the same error. We are 100% sure that the problem is in the ISO from which the systems were installed (because from another ISO, there is no such problem).
After sysprep fixes the problem, the provision packeg successfully adds the device right after the reboot.
My only question is what changes sysprep on a system that makes the system unique to Azure and doesn't create a conflict.
We have a lot of devices and we can't sysprep for everyone, is there a faster way to make the system unique? But I don't know what needs to be changed, which is a unique system token for Azure.
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more