Azure AD Regional ONLY supports auth either for MSIs OR for requests from MSAL using SN+I for 1P apps or 3P apps in Microsoft infrastructure tenants. KmsiInterrupt - This error occurred due to the "Keep me signed in" interrupt when the user was signing in. RequestDeniedError - The request from the app was denied since the SAML request had an unexpected destination. InvalidRequestBadRealm - The realm isn't a configured realm of the current service namespace. Errors from Event Viewer: EventID 1104 - AAD Cloud AP plugin call Lookup name name from SID returned error: 0x000023C. DeviceAuthenticationRequired - Device authentication is required. In a previous post I talked about the three ways to set up Windows 10 devices for work with Azure AD. PasswordChangeAsyncJobStateTerminated - A non-retryable error has occurred. InvalidRequestFormat - The request isn't properly formatted. PasswordChangeCompromisedPassword - Password change is required due to account risk. This could be due to one of the following: the client has not listed any permissions for '{name}' in the requested permissions in the client's application registration. Contact your IDP to resolve this issue. This might be because there was no signing key configured in the app. The Enrollment Status Page waits for Azure AD registration to complete. Developer error - the app is attempting to sign in without the necessary or correct authentication parameters. Application {appDisplayName} can't be accessed at this time. SubjectNames/SubjectAlternativeNames (up to 10) in token certificate are: {certificateSubjects}. This means that a user isn't signed in. What is different in VPN settings for this user than others? BadVerificationCode - Invalid verification code because the user typed the wrong user code for the device code flow. Open a support ticket with the error code, correlation ID, and timestamp to get more details on this error.
You can also link directly to a specific error by adding the error code number to the URL: https://login.microsoftonline.com/error?code=50058. What is the best way to do this? In simple words, if the Cloud AP plugin is able to authenticate on behalf of the user (UPN and password or Windows Hello for Business PIN) to get the Azure AD access token, and the device is able to authenticate to Azure AD using the device registration state (MS-Organization-Access certificate), the Azure AD PRT will be issued to the user. More details are in this official document. I removed it from the on-prem AD and also deleted all instances of Azure AD registered entries from the AAD. UserDisabled - The user account is disabled. Task Category: AadCloudAPPlugin Operation Method: GET Endpoint Uri: https://login.microsoftonline.com/xxxxx/sidtoname Correlation ID: xxxxx AAD Cloud AP plugin call Lookup name name from SID returned error: 0xC00485D3 Contact your IDP to resolve this issue. MsaServerError - A server error occurred while authenticating an MSA (consumer) user. We are unable to issue tokens from this API version on the MSA tenant. Look for the event before these two events to see which STS endpoint returned this error and, using the timestamp, examine the STS logs to get more details. BadResourceRequestInvalidRequest - The endpoint only accepts {valid_verbs} requests. I've tried to join the device manually with an admin account allowed to join devices and with a provisioning package. Retry the request with the same resource, interactively, so that the user can complete any challenges required. - Browse IdpInitiatedSignon: successful. Any ideas on what could be wrong? For further information, please visit. Computer: US1133039W1.mydomain.net MissingCustomSigningKey - This app is required to be configured with an app-specific signing key.
With Azure AD Conditional Access (CA) policies you can control that only managed devices can access resources protected by Azure AD: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/require-managed-devices#managed-devices. You might have sent your authentication request to the wrong tenant. Or, the admin has not consented in the tenant. I found the following log: Microsoft-Windows-AAD/Operational, in which I found an error: AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048512. Still I can't find any information on what this means. It doesn't look like you are having device registration issues, so I wouldn't recommend spending time on any of the steps you listed besides a user password reset. In case you have verified that the signed-in user has an Azure AD PRT, but the user who attempts to sign in via Microsoft Edge or Edge Chromium is still getting Device State: Unregistered, make sure the user is signed in to the browser with his work account. Method: GET Endpoint Uri: https://adfs.ad.uci.edu:443/adfs/.well-known/openid-configuration Correlation ID: 7951BA61-842E-413A-B84D-AE4EA3B5FEDE Error2: AAD Cloud AP plugin call Plugin initialize returned error: 0xC00484B2 Error3: Device is not cloud domain joined: 0xC00484B2 > not been installed by the administrator of the tenant or consented to by any user in the tenant. 3. > AAD Cloud AP plugin call Lookup name name from SID returned error: 0xC00485D3. NoSuchInstanceForDiscovery - Unknown or invalid instance. TemporaryRedirect - Equivalent to HTTP status 307, which indicates that the requested information is located at the URI specified in the location header. Keep in mind that the Azure AD PRT is a per-user token, so you might see AzureAdPrt: NO if you are running dsregcmd /status as a local or non-synchronized (on-premises AD user UPN doesn't match the Azure AD UPN) user. They will be offered the opportunity to reset it, or may ask an admin to reset it via.
UserStrongAuthClientAuthNRequired - Due to a configuration change made by the admin such as a Conditional Access policy, per-user enforcement, or because you moved to a new location, the user must use multi-factor authentication to access the resource. AADSTS500022 indicates that the tenant restriction feature is configured and that the user is trying to access a tenant that isn't in the list of allowed tenants specified in the header. MissingSigningKey - Sign-in failed because of a missing signing key or certificate. Running through the troubleshooting steps as outlined here (https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows#troubleshoot-deployment-issues), I've established the following using a non-Azure AD account (local admin account) to log in: checking the Event Viewer > Applications and Services Logs > Microsoft > Windows > AAD > Operational log, there are a couple of errors (not necessarily in the correct order): 1. ErrorCode: 80080300. UserAccountNotInDirectory - The user account doesn't exist in the directory. BindingSerializationError - An error occurred during SAML message binding. Status: 0xC004848C - most likely you will see this in environments federated with a non-Microsoft STS, when the user is using a smart card to sign in to the computer and the IdP MEX endpoint doesn't contain information about the certificate authentication endpoint/URL. Developer error - the app is attempting to sign in without the necessary or correct authentication parameters. The NameID claim or NameIdentifier is mandatory in the SAML response, and if Azure AD failed to get the source attribute for the NameID claim, it will return this error. Contact your federation provider. User logged in using a session token that is missing the integrated Windows authentication claim. User should register for multi-factor authentication. The issue is fixed in Windows 10 version 1903. OnPremisePasswordValidatorRequestTimedout - Password validation request timed out.
InvalidUserNameOrPassword - Error validating credentials due to invalid username or password. As explained in this blog, https://jairocadena.com/2016/11/08/how-sso-works-in-windows-10-devices/, the Azure AD Primary Refresh Token (Azure AD PRT) is used during Azure AD CA policy evaluation to get information about the Windows 10 device registration state. To learn more, see the troubleshooting article for error. The client application might explain to the user that its response is delayed because of a temporary condition. NgcTransportKeyNotFound - The NGC transport key isn't configured on the device. InvalidScope - The scope requested by the app is invalid. Here is the official Microsoft documentation about Azure AD PRT. Have the user enter their credentials, then the Enrollment Status Page can. UnableToGeneratePairwiseIdentifierWithMultipleSalts. AAD Cloud AP plugin call Lookup name name from SID returned error: 0xC000023C. AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048512. We would suggest that you check the Device Configuration Profile that you have for the device in the Azure Portal and possibly delete and recreate the profile. Authorization is pending. Request the user to log in again. Can someone please help on what could be the problem here? Hi Sergii, thanks for this very helpful article. Description: 0x80072ee7 followed by 0xC000023C - as mentioned in my Device Registration post, this is most likely caused by network or proxy settings (the AadCloudAP plugin running under SYSTEM can't access the Internet); 0xC000006A with the WSTrust response error FailedAuthentication coming before it - I have seen these errors coming from 3rd-party IdPs (Ping, Okta) due to user sync issues to the Identity Provider (IdP) database. AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048512 and Error: 0xCAA70004 The server or proxy was not found.
Check if the computer object is in the sync scope of Azure AD Connect. To get more clues about the user portion of the Azure AD PRT acquisition process, it's recommended to review the following Windows 10 logs. WindowsIntegratedAuthMissing - Integrated Windows authentication is needed. DesktopSsoIdentityInTicketIsNotAuthenticated - Kerberos authentication attempt failed. Logged at clientcache.cpp, line: 291, method: ClientCache::LoadPrimaryAccount. List of valid resources from app registration: {regList}. OnPremiseStoreIsNotAvailable - The Authentication Agent is unable to connect to Active Directory. Protocol error, such as a missing required parameter. Go to Azure portal > Azure Active Directory > App registrations > Select your application > Authentication > Under 'Implicit grant and hybrid flows', make sure 'ID tokens' is selected. InvalidUserInput - The input from the user isn't valid. An admin can re-enable this account. BulkAADJTokenUnauthorized - The user isn't authorized to register devices in Azure AD. The token was issued on XXX and was inactive for a certain amount of time. InvalidSessionKey - The session key isn't valid. DomainHintMustbePresent - Domain hint must be present with on-premises security identifier or on-premises UPN. AadCloudAPPlugin error code examples and possible causes. Has anyone seen this or has any ideas? Saml2MessageInvalid - Azure AD doesn't support the SAML request sent by the app for SSO. SignoutInvalidRequest - Unable to complete sign out. - Rejoin AD Computer Object. If either of these two parts (user or device) didn't pass the authentication step, no Azure AD PRT will be issued. DeviceOnlyTokensNotSupportedByResource - The resource isn't configured to accept device-only tokens. The client has requested access to a resource which isn't listed in the requested permissions in the client's application registration. TenantThrottlingError - There are too many incoming requests. Contact your IDP to resolve this issue.
This information is preliminary and subject to change. Sign out and sign in with a different Azure AD user account. Method: POST Endpoint Uri: https://sts.mydomain.com/adfs/services/trust/13/usernamemixed Correlation ID: Log Name: Microsoft-Windows-AAD/Operational Error codes are subject to change at any time in order to provide more granular error messages that are intended to help the developer while building their application. Change the grant type in the request. The mentioned blog explains that the Azure AD PRT is initially obtained during the user's sign-in to the workstation. NoMatchedAuthnContextInOutputClaims - The authentication method by which the user authenticated with the service doesn't match the requested authentication method. To authorize a request that was initiated by an app in the OAuth 2.0 device flow, the authorizing party must be in the same data center where the original request resides. InvalidRequest - The authentication service request isn't valid. Event ID: 1085 ConditionalAccessFailed - Indicates various Conditional Access errors such as bad Windows device state, request blocked due to suspicious activity, access policy, or security policy decisions. NgcDeviceIsNotFound - The device referenced by the NGC key wasn't found. InvalidRequest - Request is malformed or invalid. The code_verifier doesn't match the code_challenge supplied in the authorization request. Also keep in mind that since the computer object is recreated, the BitLocker recovery keys that you might be saving in Azure AD for this station will be deleted and you will need to re-save them. The problem is in the Windows registry, which contains a key called Automatic-Device-Join. The grant type isn't supported over the /common or /consumers endpoints. InvalidResource - The resource is disabled or doesn't exist. When trying to log in using RDP, I receive an error stating "Your credentials didn't work."
UserAccountSelectionInvalid - You'll see this error if the user selects a tile that the session select logic has rejected. This exception is thrown for blocked tenants. The token was issued on {issueDate} and the maximum allowed lifetime for this request is {time}. Check the security policies that are defined on the tenant level to determine if your request meets the policy requirements. Contact the tenant admin. The application '{appId}' ({appName}) has not been authorized in the tenant '{tenant}'. Fix time sync issues. Please refer to the known issues with MDM Device Enrollment as well in this document. InvalidXml - The request isn't valid. To learn more, see the troubleshooting article for error. Resource value from request: {resource}. Logon failure. RequestBudgetExceededError - A transient error has occurred. I have experience spinning up servers, setting up firewalls, switches, routers, group policy, etc. I get an error in Event Viewer that it failed to get an AAD token for sync. AADSTS901002: The 'resource' request parameter isn't supported. AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048512 - most likely you are looking at the token acquisition events for the local account, which are not related to the sign-ins of the user you are trying to troubleshoot. Have the user use a domain-joined device. Retry the request. A reboot during Device setup will force the user to enter their credentials before transitioning to the Account setup phase. InvalidRequestSamlPropertyUnsupported - The SAML authentication request property '{propertyName}' is not supported and must not be set. The request was invalid.
User: S-1-5-18 Make sure your data doesn't have invalid characters. Event ID: 1025 The server is temporarily too busy to handle the request. AAD Cloud AP plugin call Lookup name name from SID returned error: 0xC00485D3 (along with the call to the Azure AD sidtoname endpoint in the previous AadCloudAPPlugin event) - you might see this error on an Azure AD Joined machine in a managed (non-federated) environment if the user signs in to the Windows machine using a certificate. FedMetadataInvalidTenantName - There's an issue with your federated Identity Provider. I followed https://www.prajwal.org/uninstall-sccm-client-agent-manually/ to remove it and restarted. The specified client_secret does not match the expected value for this client. In the AAD operational log there are always 2 errors 1104 related to "AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048512". Related links: Azure AD Conditional Access policies troubleshooting Device State: Unregistered; https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/require-managed-devices#managed-devices; https://jairocadena.com/2016/11/08/how-sso-works-in-windows-10-devices/; https://login.microsoftonline.com/tenantID; https://s4erka.wordpress.com/2018/03/06/azure-ad-device-registration-error-codes/; RSA SecurID Access SAML Configuration for Microsoft Office 365 issue AADSTS50008: Unable to verify token signature. UserAccountNotFound - To sign into this application, the account must be added to the directory. Check the app's logic to ensure that token caching is implemented, and that error conditions are handled correctly. If you have multiple WAP/ADFS servers in your farm, make sure to point your station to a specific server via the hosts file and collect ADFS admin/debug logs to see why user basic auth is failing. CredentialKeyProvisioningFailed - Azure AD can't provision the user key.