Authentication Token Failures on Entra Joined Autopilot devices causing build failures
Describe the bug
When performing Pre-Provisioning Autopilot/Entra Joined only provisioning, the Web Sign-in Icon is missing from the first Windows Logon screen.
```
Log Name:      Microsoft-Windows-AAD/Operational
Source:        Microsoft-Windows-AAD
Date:          5/28/2024 9:13:33 AM
Event ID:      1098
Task Category: AadTokenBrokerPlugin Operation
Level:         Error
Keywords:      Operational,Error
User:          ****
Computer:      ****
Description:
Error: 0xCAA20002 The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.
Code: invalid_request
Description: AADSTS65002: Consent between first party application '3a4d129e-7f50-4e0d-a7fd-033add0a29f4' and first party resource '00000003-0000-0000-c000-000000000000' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. Trace ID: 7c201ba4-5f0a-4e02-a138-4248b792cc00 Correlation ID: 312125d7-f186-49a7-a147-f48e60ebffe1 Timestamp: 2024-05-28 14:13:33Z
TokenEndpoint: https://login.microsoftonline.com/common/oauth2/token
Logged at OAuthTokenRequestBase.cpp, line: 452, method: OAuthTokenRequestBase::ProcessOAuthResponse.
Request: authority: https://login.microsoftonline.com/common, client: 3a4d129e-7f50-4e0d-a7fd-033add0a29f4, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/3a4d129e-7f50-4e0d-a7fd-033add0a29f4, resource: 00000003-0000-0000-c000-000000000000, correlation ID (request): 312125d7-f186-49a7-a147-f48e60ebffe1
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AAD" Guid="{4de9bc9c-b27a-43c9-8994-0915f1a5e24f}" />
    <EventID>1098</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>103</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000012</Keywords>
    <TimeCreated SystemTime="2024-05-28T14:13:33.8850299Z" />
    <EventRecordID>2637</EventRecordID>
    <Correlation ActivityID="{eb4c9aab-07ac-4d42-9cf0-cd2fd1013e89}" />
    <Execution ProcessID="4432" ThreadID="22052" />
    <Channel>Microsoft-Windows-AAD/Operational</Channel>
    <Computer></Computer>
    <Security UserID="*" />
  </System>
  <EventData>
    <Data Name="Error">3399614466</Data>
    <Data Name="ErrorMessage">The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.</Data>
    <Data Name="AdditionalInformation">Code: invalid_request Description: AADSTS65002: Consent between first party application '3a4d129e-7f50-4e0d-a7fd-033add0a29f4' and first party resource '00000003-0000-0000-c000-000000000000' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. Trace ID: 7c201ba4-5f0a-4e02-a138-4248b792cc00 Correlation ID: 312125d7-f186-49a7-a147-f48e60ebffe1 Timestamp: 2024-05-28 14:13:33Z TokenEndpoint: https://login.microsoftonline.com/common/oauth2/token Logged at OAuthTokenRequestBase.cpp, line: 452, method: OAuthTokenRequestBase::ProcessOAuthResponse.
Request: authority: https://login.microsoftonline.com/common, client: 3a4d129e-7f50-4e0d-a7fd-033add0a29f4, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/3a4d129e-7f50-4e0d-a7fd-033add0a29f4, resource: 00000003-0000-0000-c000-000000000000, correlation ID (request): 312125d7-f186-49a7-a147-f48e60ebffe1</Data>
  </EventData>
```
Related command
First Windows Login with a Passwordless User performing post-Technician part of the user-flow. It seems a local login fixes the issue, then the organizational user can perform a web sign in.
Errors
Error: 0xCAA20002 The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Code: invalid_request - Web Sign in is missing from the Windows Login page.
Issue script & Debug output
NGC logs have been collected.
Expected behavior
The Web Sign-in icon should be presented.
Environment Summary
The Web Sign-in icon should be presented, and a web sign-in method should be usable to log on to Windows for the first time.
Additional context
A ticket has been created for Microsoft - Case ID: 2405030040004430
Thank you for opening this issue, we will look into it.
Any updates on this @yonzhan? We are facing the same issue on a Windows 11 device which is already enrolled in Intune.
We are having a similar issue as well, but only with Software Center, which is failing to check the device compliance.
We are also getting the same errors in the AAD Operational logs, with a few more different ones.
I have asked the question on Microsoft Q&A; here is the link for more info: https://learn.microsoft.com/en-us/answers/questions/1861206/aad-token-broker-operation-failed
Maybe I have the same issue, but with the "Application Office"; how did you solve this?
Error: 0xCAA5001C Token broker operation failed.
Operation name: GetTokenSilently, Error: -895352830 (0xcaa20002), Description: AADSTS65002: Consent between first party application 'e9c51622-460d-4d3d-952d-966a5b1da34c' and first party resource 'f2d19332-a09d-48c8-a53b-c49ae5502dfc' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. Trace ID: [GUID] Correlation ID: [GUID] Timestamp: [DATE]
Logged at WebAccountProcessor.cpp, line: 680, method: AAD::Core::WebAccountProcessor::ReportOperationError.
- https://learn.microsoft.com/en-us/troubleshoot/windows-client/user-profiles-and-logon/event-1098-error-0xcaa5001c (No missing Permission found)
- https://learn.microsoft.com/en-us/answers/questions/1856430/user-getting-prompted-for-credentials-for-every-ap
- https://learn.microsoft.com/en-us/answers/questions/1855739/cannot-enroll-ms365-licenced-users-into-intune-whe
Error: 0xCAA90056 Renew token by the primary refresh token failed.
Logged at RefreshTokenRequest.cpp, line: 150, method: RefreshTokenRequest::AcquireToken.
Request: authority: https://login.microsoftonline.com/common, client: e9c51622-460d-4d3d-952d-966a5b1da34c, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/e9c51622-460d-4d3d-952d-966a5b1da34c, resource: f2d19332-a09d-48c8-a53b-c49ae5502dfc, correlation ID (request): [GUID]
- https://learn.microsoft.com/en-us/answers/questions/1028825/mdm-hybrid-ad-prt
- https://learn.microsoft.com/en-us/entra/identity/devices/troubleshoot-hybrid-join-windows-current#step-5-collect-logs-and-contact-microsoft-support
- https://www.reddit.com/r/Intune/comments/skepvc/how_to_go_from_azure_ad_registered_to_hybrid/?rdt=57873
- https://learn.microsoft.com/en-us/entra/identity/devices/troubleshoot-hybrid-join-windows-current#step-2-find-the-error-code
Error: 0xCAA20002 The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.
Code: invalid_request
Description: AADSTS65002: Consent between first party application 'e9c51622-460d-4d3d-952d-966a5b1da34c' and first party resource 'f2d19332-a09d-48c8-a53b-c49ae5502dfc' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. Trace ID: [GUID] Correlation ID: [GUID] Timestamp: [DATE]
TokenEndpoint: https://login.microsoftonline.com/common/oauth2/token
Logged at OAuthTokenRequestBase.cpp, line: 452, method: OAuthTokenRequestBase::ProcessOAuthResponse.
Request: authority: https://login.microsoftonline.com/common, client: e9c51622-460d-4d3d-952d-966a5b1da34c, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/e9c51622-460d-4d3d-952d-966a5b1da34c, resource: f2d19332-a09d-48c8-a53b-c49ae5502dfc, correlation ID (request): [GUID]
- https://learn.microsoft.com/en-us/microsoft-365/troubleshoot/authentication/automatic-authentication-fails
- https://learn.microsoft.com/en-us/answers/questions/1861206/aad-token-broker-operation-failed
- https://pariswells.com/blog/research/teams-pro-room-device-cannot-connect
Reference Ticket: #2409181420002854
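A triage helper, added here as an example and not code from the issue, from Microsoft, or from the project: it parses the Microsoft-Windows-AAD/Operational event 1098 from the issue description (the Event XML form that Event Viewer exports) and the plain-text 0xCAA5001C / 0xCAA20002 message pasted in the comment above, and pulls out the fields worth correlating or quoting in a support case: the broker HRESULT (normalised from hex, unsigned decimal or the signed decimal `-895352830` form), the AADSTS code, the first-party client and resource application IDs, and the correlation ID. The sample inputs are cut-down copies of the events in this thread (with a closing `</Event>` tag added); the `BROKER_ERRORS` table, the function names and the `[GUID]` placeholder are this example's own.

```python
"""Triage helper for Microsoft-Windows-AAD/Operational event 1098 (AadTokenBrokerPlugin).

Extracts the fields a support case or an Entra sign-in log search needs from either
the exported Event XML or the plain-text message, and maps the broker HRESULTs
quoted in this thread to their (abridged) event descriptions.
"""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Broker HRESULTs quoted in this thread; descriptions abridged from the events' text.
BROKER_ERRORS = {
    0xCAA20002: "The request is missing a required parameter or is otherwise malformed (invalid_request)",
    0xCAA5001C: "Token broker operation failed (wraps an inner STS error)",
    0xCAA90056: "Renew token by the primary refresh token failed",
}

GUID = r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"
PATTERNS = {
    "aadsts": re.compile(r"(AADSTS\d+)"),
    "client_app": re.compile(r"first party application '(" + GUID + ")'"),
    "resource_app": re.compile(r"first party resource '(" + GUID + ")'"),
    "correlation_id": re.compile(r"Correlation ID: (" + GUID + ")"),
}
HEX_RE = re.compile(r"0x[0-9A-Fa-f]{8}")


def to_hresult(value) -> int:
    """Normalise an HRESULT given as hex text, unsigned decimal (the Event XML
    <Data Name="Error"> value) or signed decimal (e.g. -895352830 in the text form)."""
    if isinstance(value, str):
        v = value.strip()
        value = int(v, 16) if v.lower().startswith("0x") else int(v)
    return value & 0xFFFFFFFF


def describe(hresult: int) -> str:
    return BROKER_ERRORS.get(hresult, "HRESULT not among those quoted in this thread")


def _fields_from_text(text: str) -> dict:
    """Regex extraction shared by both parsers; a missing field comes back as None."""
    out = {}
    for name, rx in PATTERNS.items():
        m = rx.search(text)
        out[name] = m.group(1) if m else None
    return out


def parse_event_xml(xml_text: str) -> dict:
    """Parse one exported event 1098 into a flat triage record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    if event_id != 1098:
        raise ValueError(f"expected event 1098, got {event_id}")
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    hresult = to_hresult(data.get("Error", "0"))
    record = {"event_id": event_id, "hresult": f"0x{hresult:08X}", "description": describe(hresult)}
    record.update(_fields_from_text(data.get("AdditionalInformation", "")))
    return record


def parse_broker_text(text: str) -> dict:
    """Parse the plain-text message; a 0xCAA5001C event carries the inner STS
    error as a second code, e.g. 'Error: -895352830 (0xcaa20002)'."""
    codes = [f"0x{to_hresult(c):08X}" for c in HEX_RE.findall(text)]
    record = {"outer": codes[0] if codes else None, "inner": codes[1] if len(codes) > 1 else None}
    record["description"] = describe(int(codes[0], 16)) if codes else None
    record.update(_fields_from_text(text))
    return record


# Constructed sample inputs, cut down from the events pasted in this thread
# (closing </Event> tag added; "[GUID]" is a placeholder, as in the comment above).
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AAD" Guid="{4de9bc9c-b27a-43c9-8994-0915f1a5e24f}" />
    <EventID>1098</EventID><Level>2</Level><Task>103</Task>
    <TimeCreated SystemTime="2024-05-28T14:13:33.8850299Z" />
    <Channel>Microsoft-Windows-AAD/Operational</Channel><Computer></Computer>
  </System>
  <EventData>
    <Data Name="Error">3399614466</Data>
    <Data Name="AdditionalInformation">Code: invalid_request Description: AADSTS65002: Consent between first party application '3a4d129e-7f50-4e0d-a7fd-033add0a29f4' and first party resource '00000003-0000-0000-c000-000000000000' must be configured via preauthorization. Trace ID: 7c201ba4-5f0a-4e02-a138-4248b792cc00 Correlation ID: 312125d7-f186-49a7-a147-f48e60ebffe1 Timestamp: 2024-05-28 14:13:33Z
Request: authority: https://login.microsoftonline.com/common, client: 3a4d129e-7f50-4e0d-a7fd-033add0a29f4, resource: 00000003-0000-0000-c000-000000000000, correlation ID (request): 312125d7-f186-49a7-a147-f48e60ebffe1</Data>
  </EventData>
</Event>"""

SAMPLE_BROKER_TEXT = (
    "Error: 0xCAA5001C Token broker operation failed. Operation name: GetTokenSilently, "
    "Error: -895352830 (0xcaa20002), Description: AADSTS65002: Consent between first party "
    "application 'e9c51622-460d-4d3d-952d-966a5b1da34c' and first party resource "
    "'f2d19332-a09d-48c8-a53b-c49ae5502dfc' must be configured via preauthorization. "
    "Trace ID: [GUID] Correlation ID: [GUID] Timestamp: [DATE]"
)

if __name__ == "__main__":
    for rec in (parse_event_xml(SAMPLE_EVENT_XML), parse_broker_text(SAMPLE_BROKER_TEXT)):
        for key, val in rec.items():
            print(f"{key:15} {val}")
        print()
```

On an affected device the same records can be pulled with `Get-WinEvent -LogName Microsoft-Windows-AAD/Operational -FilterXPath '*[System[EventID=1098]]'` and each record's `.ToXml()` output fed to `parse_event_xml`; the `correlation_id` it returns is the value to search for in the Entra sign-in logs or to quote in the support case, and `client_app` / `resource_app` identify which first-party pairing the STS rejected. Note that the text form of a 0xCAA5001C event reports the inner error as a signed decimal, which is why `to_hresult` masks to 32 bits before comparing.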
@weyCC81 Did you get any solution on the ticket or by your own? I'm also stuck at that point during intune onboarding.
@hawkeye80 I can not fully remember it, but I think it was some combination with a transparent proxy (Zscaler & Windows) ...
@weyCC81, ok, thanks. Then my issue will be different. No proxy here, and none in the home office either.