Azure AD (Microsoft Entra) Bulk Token Troubleshooting

 I had an issue with trying to create an AAD bulk token via the Windows Configuration Designer .

The error message I had:



Checking the log located here:
{Replace Kyle with your username}
C:\Users\Kyle\Documents\Windows Imaging and Configuration Designer (WICD)\Project_Name\ICD.log

9/13/2023 3:37:53 PM Info Project 'New' created successfully and added to workspace
9/13/2023 3:37:53 PM Info Loading scenario ID: xxxxx-xxxxxxx-xxxxxx-xxxxxxx, URI: http://localhost:9098/Scenarios/xxxxxxx-xxxxxxx-xxxxxx-xxxxx/Index.html
9/13/2023 3:38:36 PM Error Bulk token retrieval failed: {"error":"server_error","error_description":"AADSTS90092: Non-retryable error has occurred.\r\nTrace ID: caxxxxxx-xxxxxxx-xxxxxx-xxxxxx\r\nCorrelation ID: xxxxxx-xxxxxx-xxxxxx-xxxxxxx\r\nTimestamp: 2023-09-13 20:38:36Z","error_codes":[90092],"timestamp":"2023-09-13 20:38:36Z","trace_id":"xxxxxx-xxxxxxx-xxxxxxx-xxxxxx","correlation_id":"xxxxxxx-xxxxxx-xxxxxxx-xxxxxxx-xxxxxx"}
9/13/2023 3:51:28 PM Error Access token retrieval failed with status: ProviderError


Talking with Microsoft Support and this error code AADSTS90092 doesn't really mean anything and since the request doesn't even hit Azure AD there is no troubleshooting from that end.

After looking into this some more I found the issue is the Enterprise app that gets created was created with wrong permissions.

This is what the permissions looked like:


This is what the permissions should look like:



In my testing, I was able to fix this issue, by deleting the bad permissions enterprise app and letting WCD re-create this when you try to get the AAD bulk token again.


This is what the WCD Enterprise app creation looks like:


Hopefully, this helps others out with this same issue.


Comments

  1. AnonymousOctober 18, 2023 at 9:49 AM

    Thank you! I have been trying to fix this for days.

    ReplyDelete
  2. AnonymousOctober 18, 2023 at 2:26 PM

    BRUH THANK YOU SO MUCH, I haven't been able to find a solution for this until now!

    ReplyDelete

Post a Comment

Popular posts from this blog

Setup Device Compliance with Jamf and Intune

Image
  Requirements: Azure user group created Jamf Pro Smartgroup created Global admin rights in Azure AD Admin account in Jamf Pro Steps to setup Device Compliance 1. Login to Jamf Pro and go to: Global-->Device Compliance-->Pick your Compliance Group (Jamf Pro Smartgroup)-->Pick your Applicable Group (Smart group containing all computers Jamf Pro uses to send a compliance status to Microsoft Intune.) 2. Enable the setting in Jamf Pro and you will be redirected to Azure permissions page. Click Accept on each one. 3. Click the Open Microsoft Endpoint Manager button 4. Click the Add compliance partner button 5. Pick Jamf Device Compliance 6. Click Add groups and add your user group you created in Azure AD. I created one called "All Users" 7. You should see a screen like this. 8. Click Confirm 9. Now wait for the activation to apply. 10. Now the connection is complete and you can start registering devices via Company Portal. 11. Important with the new workflow Macs only sho
Read more

Set Account Pictures via Jamf Connect

Image
 This guide will walk you through setting the local macOS account pictures for endusers via Jamf Connect Requirements: Jamf Pro Jamf Connect Formatted ID Token Path setup in Jamf Connect Login Config ( /private/tmp/token) Azure Storage Blob Email addresses of users follow a pattern for all users (john.smith@myorg.com, jsmith@myorg.com, etc..) Tested with: Azure AD and Jamf Connect Test User: John.smith@ericsontech.com Steps: 1. First step is to get all of your user images. To make this easy on yourself name them the same as the user's email address. So for John Smith his email is john.smith@ericsontech.com I would name his image as john.smith@ericsontech.com.png and upload that image and all other user's images to an Azure Storage blob. Example: 2. Setup this script to run via Jamf Pro. I have mine setup to run via Jamf Connect Notify Note:  You will need to update this with your Azure Storage Blob url  curl -L "https://myazureblobname.blob.core.windows.net/mdm/$EMAIL.png&
Read more

Change Jamf Management Account

Image
 There are times when you sometimes run across this message on a Jamf Instance. So to fix this doesn't seem to be an easy task. Thanks to Jamf API call I have a script which will do all the steps to change this over for you with the exception of one step we can easily use a policy for. This is what the script does: 1. Create a new local admin account. 2. Jamf API call to change the management account to this new local account 3. Send a Jamf recon at the end. Taking this script we can build a policy that looks like this: Scope this out to Macs and once this is done edit this setting in Jamf Pro to your local username.
Read more