7 Replies Latest reply on Feb 21, 2020 7:32 AM by brookspeppin

    Unable to enroll with Azure AD credentials

    Aginaco Novice

      Hi,

       

      Our Azure AD environment is federated with OKTA. We create the users in OKTA and they get imported into Azure AD. I've enabled "Use Azure AD For Identity Services" in WS1 and populated the fields in Azure AD & WS1 as described in the integration guide. I don't understand why I must enter an "Immutable ID Mapping Attribute", since I want a pure Azure AD environment, not a local Active Directory synced with Azure AD. As far as I understand, this field is supposed to be used for mapping local users to Azure users.

      Now when I try to register/join a Win10 device in Azure AD and enroll it in WS1, both operations fail and I get an error message that the device cannot be registered and that an error response came from the "MDM Terms of Use Page".

       

      Has anyone run into the same problem?

       

      Any help will be appreciated

       

      Thank you and regards

        • 1. Re: Unable to enroll with Azure AD credentials
          JosueNegron Hot Shot
          vExpert, VMware Employees

          Did you also add the on-premises MDM app in Azure? What is your DS URL?

          • 2. Re: Unable to enroll with Azure AD credentials
            brookspeppin Novice
            VMware Employees

            We don't currently support pure cloud directories as an available directory configuration. However, I do know that this feature is coming very soon so keep an eye out!

            What’s available today


            Outside of that, in terms of the configuration between Azure and WS1, here is an example:

            objectGUID is the default, but you can also use MS-DS-Consistency-Guid. All this is, is an anchor attribute between the Azure user and the WS1 UEM user.

            • 3. Re: Unable to enroll with Azure AD credentials
              Aginaco Novice

              Good morning,

               

              First of all, thank you for your comments. I will have a look at the provided links, but initially we don't want to include WS1 Access in that picture.

               

              I've been further investigating this issue and made some progress. This is what I've found out:

               

              As mentioned, our Azure AD is integrated with OKTA and we don't have a local Active Directory. Users are created in OKTA and then synchronized with Azure AD. I think the problem is that this federation with OKTA generates an immutable ID that is sent to the device in the JWT token. When WS1 receives this token with an immutable ID, it tries to validate the user against a local Active Directory that does not exist.

               

              As said in this link :

              https://techzone.vmware.com/enrolling-windows-10-devices-using-azure-ad-vmware-workspace-one-uem-operational-tutorial#1001973


              So what I have done is to create a local user in Azure AD instead of in OKTA (since users are created in OKTA, I cannot create a user with @mydomain.com, only with @mydomain.onmicrosoft.com). Then I have used this user to enroll my Win10 virtual machine via Azure AD using the option "Join to Azure AD" in the "Set up work or school account" section. The AirWatch app is configured with the MDM & Terms of Use URLs copied from WS1, and Azure Identity Services with the tenant name mydomain.com.

               

              I have not added the on-premises app in Azure AD. Isn't this supposed to be used in dedicated SaaS or on-premises environments?

               

              Now I can see the device in WS1 and the user is also created, but the enrollment does not complete; it gets stuck with the status "Pending Hub". If I manually install the Hub, the enrollment completes after some minutes and apps & configs are deployed to the machine. The same situation occurs if I choose the option of registering in Azure AD instead of joining. So now I'm trying to find out why the Intelligent Hub does not get installed automatically. This would solve my problem.

               

              What I can also confirm is that before we federated our Azure AD with OKTA (a pure Azure AD picture), we could enroll Win10 machines with Autopilot without any problem.

               

              Again, thank you for your comments, sirs.

               

              regards

              • 4. Re: Unable to enroll with Azure AD credentials
                JosueNegron Hot Shot
                VMware Employees, vExpert

                The best way to troubleshoot "Pending Hub" (basically, Hub is not installed yet) is to open Registry Editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseDesktopAppManagement\S-0-0-00-0000000000-0000000000-000000000-000\MSI\, then find the folder GUID for the Hub. There should be two: one is for the software deployment agent and one is for the Hub. Check the status; 70 is successful. More details can be found in the Windows 10 Troubleshooting Tutorial. The most common issue is "download failed", and it's normally due to the network (e.g. proxy, mismatched time causing SSL failures, etc.).
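The registry check described in the reply above can be scripted instead of clicked through in regedit. The following PowerShell is an added example written for this page, not code from the thread or from VMware: it enumerates every SID\MSI\<ProductCode> node under the EnterpriseDesktopAppManagement key, translates the Status value (30 = download failed, 70 = enforcement completed, with the other codes taken from the EnterpriseDesktopAppManagement CSP documentation), and, for any node stuck at 30, issues a HEAD request against the recorded CurrentDownloadUrl so that a proxy block or a TLS/clock-skew failure surfaces as an explicit error. Property names other than Status and CurrentDownloadUrl (LastError, LastErrorDesc) are assumptions and are read defensively; run it in an elevated PowerShell session on the enrolling device.

```powershell
# Added example (not from the original thread). Inspect the MDM MSI deployment
# state that the EnterpriseDesktopAppManagement CSP records during enrollment.
# Status codes below follow the CSP documentation; codes other than 30 and 70
# are not mentioned in the thread and are included as an assumption.
$StatusText = @{
    10 = 'Initialized'
    20 = 'Download in progress'
    25 = 'Pending download retry'
    30 = 'Download failed'
    40 = 'Download completed'
    48 = 'Pending user session'
    50 = 'Enforcement in progress'
    60 = 'Enforcement failed'
    70 = 'Enforcement completed (install succeeded)'
}

function Get-MdmMsiStatus {
    [CmdletBinding()]
    param(
        [string]$Root = 'HKLM:\SOFTWARE\Microsoft\EnterpriseDesktopAppManagement'
    )
    if (-not (Test-Path -Path $Root)) {
        Write-Warning "No $Root key: no MDM MSI deployment has been started on this device."
        return
    }
    # One subkey per SID (the S-0-0-00-... placeholder in the thread), each with an
    # MSI subkey holding one node per ProductCode GUID (Hub and deployment agent).
    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue |
        ForEach-Object {
            $msiRoot = Join-Path -Path $_.PSPath -ChildPath 'MSI'
            if (Test-Path -Path $msiRoot) {
                Get-ChildItem -Path $msiRoot -ErrorAction SilentlyContinue
            }
        } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            $code = [int]($p.Status)   # REG_DWORD; $null becomes 0 if the value is missing
            [pscustomobject]@{
                ProductCode        = $_.PSChildName
                Status             = $code
                StatusText         = if ($StatusText.ContainsKey($code)) { $StatusText[$code] } else { 'Unknown' }
                CurrentDownloadUrl = $p.CurrentDownloadUrl
                LastError          = $p.LastError       # assumed property name
                LastErrorDesc      = $p.LastErrorDesc   # assumed property name
            }
        }
}

function Test-MdmDownloadUrl {
    # For a node stuck at Status 30, check whether the device can reach the URL the
    # CSP recorded. A proxy block or a certificate/time-skew problem surfaces as the
    # exception message; when the request succeeds, compare the server's Date header
    # with the local clock, since a large skew breaks TLS validation.
    param([Parameter(Mandatory = $true)][string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing -TimeoutSec 20
        $skew = $null
        if ($r.Headers['Date']) {
            $serverTime = [datetime]::Parse($r.Headers['Date'])
            $skew = [math]::Round(((Get-Date) - $serverTime).TotalSeconds)
        }
        [pscustomobject]@{ Url = $Url; Reachable = $true;  Detail = "HTTP $($r.StatusCode)"; ClockSkewSeconds = $skew }
    } catch {
        [pscustomobject]@{ Url = $Url; Reachable = $false; Detail = $_.Exception.Message; ClockSkewSeconds = $null }
    }
}

# Usage: list every node, then probe the download URL of any node that failed to download.
$nodes = Get-MdmMsiStatus
$nodes | Format-Table ProductCode, Status, StatusText, LastError -AutoSize
$nodes | Where-Object { $_.Status -eq 30 -and $_.CurrentDownloadUrl } |
    ForEach-Object { Test-MdmDownloadUrl -Url $_.CurrentDownloadUrl }
```

Two nodes with Status 70 means both the deployment agent and the Hub installed; a node at 30 whose URL is unreachable points at the network path (proxy, TLS inspection, wrong system time) rather than at the WS1 tenant configuration.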

                • 5. Re: Unable to enroll with Azure AD credentials
                  Aginaco Novice

                  Hi Josue,

                   

                  thank you for your response.

                  This is how it looks in my case:


                  The status is "30". As you mention in your post, this means "Download Failure", but I don't know the cause yet. I've tried to enroll via Ethernet, Wi-Fi and 4G and I always get the same result. At least I know a bit more about the problem. I'm also looking for the cause in the troubleshooting guide, but what is odd to me is the value in the "CurrentDownloadURL" key. It's very different from the one you showed me. Do you know where this value is taken from or how it is generated?

                   

                  Thank you and regards

                  • 6. Re: Unable to enroll with Azure AD credentials
                    Aginaco Novice

                    Hi,

                     

                    I finally found the solution. As I explained before, our Azure AD is federated with OKTA; users are created in OKTA and synchronized with Azure AD. So I created a new user directly in Azure AD to avoid OKTA users, but I could not create it with @mydomain.com, only with @mydomain.onmicrosoft.com. After checking Event Viewer, regedit and so on in the virtual machine, I found that the problem downloading the Intelligent Hub (Status 30 - Download Fail) was because of insufficient rights.

                    Changing mydomain.com to mydomain.onmicrosoft.com in the Tenant Name of the Azure configuration in WS1 solved the problem. Now I can enroll and manage Win10 machines in WS1 via the pure Azure AD model. I can still see some warnings in Event Viewer, but the machine gets MDM enrolled, and apps, profiles etc. are installed.

                     

                    Hope this helps someone.

                     

                    Thank you for your comments

                     

                    Regards

                    • 7. Re: Unable to enroll with Azure AD credentials
                      brookspeppin Novice
                      VMware Employees

                      Glad it's working. Also wanted to share this blog: Workspace ONE and Okta SCIM Integration Now Available

                       

                      Additionally, there were some bugs with "Pending Hub" when going through OOBE if you had the OOBE status screen enabled. It should have been fixed in the 2001 release.