Status: 0xC000006A Correlation ID: D7CD6109-75EB-4622-99D5-8DC5B30E1AA4. What we have checked: IdsLocked - The account is locked because the user tried to sign in too many times with an incorrect user ID or password. More details in this official document. If this is unexpected, see the conditional access policy that applied to this request in the Azure Portal or contact your administrator. Applications must be authorized to access the customer tenant before partner delegated administrators can use them. InvalidEmptyRequest - Invalid empty request. This means quite a few steps are needed on our existing AD devices to get them ready to be AAD joined. AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048512: most likely you are looking at the token acquisition events for the local account, which are not related to the sign-ins of the user you are trying to troubleshoot. Logon failure. Logged at clientcache.cpp, line: 291, method: ClientCache::LoadPrimaryAccount. You can also link directly to a specific error by adding the error code number to the URL: https://login.microsoftonline.com/error?code=50058. - Delete all content under C:\ProgramData\Microsoft\Crypto\Keys. With Azure AD Conditional Access (CA) policies you can control that only managed devices can access resources protected by Azure AD: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/require-managed-devices#managed-devices. Smart card sign-in is not supported for such a scenario. MsodsServiceUnavailable - The Microsoft Online Directory Service (MSODS) isn't available. If this user should be able to log in, add them as a guest. When I RDP onto the virtual desktop from a standard VM using a local admin account I can see the event logs under Windows-AAD-Operations with event ID 1104: AAD Cloud AP plugin call Lookup name name from SID returned error: 0xC00485D3. Resource app ID: {resourceAppId}.
WeakRsaKey - Indicates the erroneous user attempt to use a weak RSA key. The email address must be in the format. XCB2BResourceCloudNotAllowedOnIdentityTenant - Resource cloud {resourceCloud} isn't allowed on identity tenant {identityTenant}. Contact the tenant admin. The error field has several possible values; review the protocol documentation links and OAuth 2.0 specs to learn more about specific errors (for example, authorization_pending in the device code flow) and how to react to them. Does this user get an AAD PRT when signing in on another station? Computer: US1133039W1.mydomain.net Often, this is because a cross-cloud app was used against the wrong cloud, or the developer attempted to sign in to a tenant derived from an email address, but the domain isn't registered. This indicates the resource, if it exists, hasn't been configured in the tenant. Please see the returned exception message for details. You n Once I have an administrator account and a user account set up on a Win 10 Pro non-domain-connected computer. Plugin (name: Microsoft.Azure.ActiveDirectory.AADLoginForWindows, version: 1.0.0.1) completed successfully. InvalidGrant - Authentication failed. DeviceOnlyTokensNotSupportedByResource - The resource isn't configured to accept device-only tokens. On the device I just get the generic "something went wrong" 80180026 error. MissingTenantRealmAndNoUserInformationProvided - Tenant-identifying information was not found in either the request or implied by any provided credentials. ErrorCode: 80080300. As mentioned in the article above, you might require the devices the sign-in is taking place from to be hybrid Azure AD joined. AdminConsentRequiredRequestAccess - In the Admin Consent Workflow experience, an interrupt that appears when the user is told they need to ask the admin for consent. Enable the tenant for Seamless SSO.
Having enabled Hybrid Azure AD device join through the AD Connect Wizard (Seamless SSO and hash sync, no ADFS) and having deployed GPs, I am seeing the following in the AAD event log (unfortunately for me). Check the security policies that are defined on the tenant level to determine if your request meets the policy requirements. The user object in Active Directory backing this account has been disabled. SignoutUnknownSessionIdentifier - Sign out has failed. BlockedByConditionalAccessOnSecurityPolicy - The tenant admin has configured a security policy that blocks this request. User should register for multi-factor authentication. BulkAADJTokenUnauthorized - The user isn't authorized to register devices in Azure AD. Some common ones are listed here: AADSTS error codes. The message isn't valid. Contact your IDP to resolve this issue. The authorization server doesn't support the authorization grant type. Assign the user to the app. AAD Cloud AP plugin call SignDataWithCert returned error: 0x80090016 followed by Http transport error. > Logged at ClientCache.cpp, line: 374, method: ClientCache::LoadPrimaryAccount. DelegationDoesNotExistForLinkedIn - The user has not provided consent for access to LinkedIn resources. External ID token from issuer failed signature verification. I later covered in detail how Azure AD Join and auto-registration to Azure AD of Windows 10 domain joined devices work, and in an extra post I explained how Windows Hello for Business (a.k.a. ExternalChallengeNotSupportedForPassthroughUsers - External challenge isn't supported for passthroughusers. "AAD Cloud AP plugin call GenericCallPkg returned error" and 0xc0048512: when looking at this event, you are probably looking at an error while acquiring the token for the local user and not the user you have issues with, so you can skip this one.
The app has made too many of the same request in too short a period, indicating that it is in a faulty state or is abusively requesting tokens. 5. In future, you can ask and look for the discussion for For example, an additional authentication step is required. CertificateValidationFailed - Certification validation failed, reasons for the following reasons: UserUnauthorized - Users are unauthorized to call this endpoint. Device used during the authentication is disabled. Read this document to find AADSTS error descriptions, fixes, and some suggested workarounds. We have already configured the WSUS server with Group Policy, but we need to push updates to clients without using Group Policy. OrgIdWsTrustDaTokenExpired - The user DA token is expired. Limit on telecom MFA calls reached. Description: DesktopSsoTenantIsNotOptIn - The tenant isn't enabled for Seamless SSO. GuestUserInPendingState - The user account doesn't exist in the directory. InteractionRequired - The access grant requires interaction. Retry the request. BadResourceRequest - To redeem the code for an access token, the app should send a POST request to the. The Enrollment Status Page waits for Azure AD registration to complete. {resourceCloud} - cloud instance which owns the resource. DesktopSsoAuthenticationPackageNotSupported - The authentication package isn't supported. DelegatedAdminBlockedDueToSuspiciousActivity - A delegated administrator was blocked from accessing the tenant due to account risk in their home tenant. Level: Error. The app that initiated sign out isn't a participant in the current session. Pre-requisites on the SonarQube server: as a pre-requisite, the SonarQube server needs to be enabled for HTTPS.
0x80072ee7 followed by 0xC000023C: as mentioned in my Device Registration post, most likely caused by network or proxy settings; the AadCloudAP plugin running under System can't access the Internet. 0xC000006A that has a WSTrust response error FailedAuthentication coming before it: I have seen these errors coming from third-party IdPs (Ping, Okta) due to user sync issues to the Identity Provider (IdP) database. AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048512 and Error: 0xCAA70004 The server or proxy was not found. We will make a public announcement once complete. DeviceFlowAuthorizeWrongDatacenter - Wrong data center. Have the user enter their credentials then the Enrollment Status Page can AuthenticationFailed - Authentication failed for one of the following reasons: InvalidAssertion - Assertion is invalid because of various reasons - The token issuer doesn't match the api version within its valid time range -expired -malformed - Refresh token in the assertion isn't a primary refresh token. > Error description: AADSTS500011: The resource principal named was not found in the tenant named . A developer in your tenant may be attempting to reuse an App ID owned by Microsoft. GraphRetryableError - The service is temporarily unavailable. > Error: 0x4AA50081 An application specific account is loading in cloud joined session. ID must not begin with a number, so a common strategy is to prepend a string like "ID" to the string representation of a GUID. MissingCustomSigningKey - This app is required to be configured with an app-specific signing key. When I was doing bulk enrollment using ppkg in that case I used to receive a MDM-signature InvalidTenantName - The tenant name wasn't found in the data store. DeviceNotDomainJoined - Conditional Access policy requires a domain joined device, and the device isn't domain joined. TokenIssuanceError - There's an issue with the sign-in service.
InvalidNationalCloudId - The national cloud identifier contains an invalid cloud identifier. Enrollment Status Page will always time out during an Add work and school account enrollment on Windows 10 versions less than 1903. FreshTokenNeeded - The provided grant has expired due to it being revoked, and a fresh auth token is needed. The issue is fixed in Windows 10 version 1903. UnsupportedGrantType - The app returned an unsupported grant type. @Marcel du Preez, I am researching into this and will update my findings. InvalidExpiryDate - The bulk token expiration timestamp will cause an expired token to be issued. Keep searching for relevant events. A reboot during Device setup will force the user to enter their credentials before transitioning to the Account setup phase. Contact your IDP to resolve this issue. Running through the troubleshooting steps as outlined here (https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows#troubleshoot-deployment-issues), I've established the following using a non-AzureAD account (local admin account) to log in: checking the Event Viewer > Applications and Services Logs > Microsoft > Windows > AAD > Operational log, there are a couple of errors (not necessarily in the correct order): 1. We would suggest that you check the Device Configuration Profile that you have for the device in the Azure Portal and possibly delete and recreate the profile. BindingSerializationError - An error occurred during SAML message binding. ViralUserLegalAgeConsentRequiredState - The user requires legal age group consent. If you have multiple WAP/ADFS servers in your farm, make sure to point your station to a specific server via the hosts file and collect ADFS admin/debug logs to see why user basic auth is failing. Make sure that Active Directory is available and responding to requests from the agents.
This is for developer usage only; don't present it to users. Thanks a lot. InvalidUserNameOrPassword - Error validating credentials due to invalid username or password. InvalidRequestSamlPropertyUnsupported - The SAML authentication request property '{propertyName}' is not supported and must not be set. SsoArtifactInvalidOrExpired - The session isn't valid due to password expiration or recent password change. Everything you'd think a Windows Systems Engineer would do. The server is temporarily too busy to handle the request. Access to '{tenant}' tenant is denied. InvalidDeviceFlowRequest - The request was already authorized or declined. InvalidEmailAddress - The supplied data isn't a valid email address. Have the user use a domain joined device. Try again. The access policy does not allow token issuance. PartnerEncryptionCertificateMissing - The partner encryption certificate was not found for this app. Method: POST Endpoint Uri: https://login.microsoftonline.com//oauth2/token Correlation ID: , 2. The problem is in the Windows registry, which contains a key called Automatic-Device-Join. Errors from Event Viewer, Event ID 1104 - AAD Cloud AP plugin call Lookup name name from SID returned error:0x000023C The application requested an ID token from the authorization endpoint, but did not have ID token implicit grant enabled. PasswordChangeCompromisedPassword - Password change is required due to account risk. Now I've got it joined. SAMLRequest or SAMLResponse must be present as query string parameters in the HTTP request for SAML Redirect binding. Thanks, I checked the apps etc. The suggestion for this issue is to get a Fiddler trace of the error occurring and look to see whether the request is actually properly formatted or not. To learn more, see the troubleshooting article for error.