Authentication Token Failures on Entra Joined Autopilot devices causing build failures

[avazin]

Describe the bug

When performing Pre-Provisioning Autopilot/Entra Joined only provisioning, the Web Sign-in Icon is missing from the first Windows Logon screen.

Log Name: Microsoft-Windows-AAD/Operational
Source: Microsoft-Windows-AAD
Date: 5/28/2024 9:13:33 AM
Event ID: 1098
Task Category: AadTokenBrokerPlugin Operation
Level: Error
Keywords: Operational,Error
User: ****
Computer: ****
Description:
Error: 0xCAA20002 The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.
Code: invalid_request
Description: AADSTS65002: Consent between first party application '3a4d129e-7f50-4e0d-a7fd-033add0a29f4' and first party resource '00000003-0000-0000-c000-000000000000' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. Trace ID: 7c201ba4-5f0a-4e02-a138-4248b792cc00 Correlation ID: 312125d7-f186-49a7-a147-f48e60ebffe1 Timestamp: 2024-05-28 14:13:33Z
TokenEndpoint: https://login.microsoftonline.com/common/oauth2/token
Logged at OAuthTokenRequestBase.cpp, line: 452, method: OAuthTokenRequestBase::ProcessOAuthResponse.

Request: authority: https://login.microsoftonline.com/common, client: 3a4d129e-7f50-4e0d-a7fd-033add0a29f4, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/3a4d129e-7f50-4e0d-a7fd-033add0a29f4, resource: 00000003-0000-0000-c000-000000000000, correlation ID (request): 312125d7-f186-49a7-a147-f48e60ebffe1
Event Xml:
](http://schemas.microsoft.com/win/2004/08/events/event%22%3E)


1098
0
2
103
0
0x4000000000000012

2637


Microsoft-Windows-AAD/Operational
*****



3399614466
The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.
Code: invalid_request
Description: AADSTS65002: Consent between first party application '3a4d129e-7f50-4e0d-a7fd-033add0a29f4' and first party resource '00000003-0000-0000-c000-000000000000' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. Trace ID: 7c201ba4-5f0a-4e02-a138-4248b792cc00 Correlation ID: 312125d7-f186-49a7-a147-f48e60ebffe1 Timestamp: 2024-05-28 14:13:33Z
TokenEndpoint: https://login.microsoftonline.com/common/oauth2/token
Logged at OAuthTokenRequestBase.cpp, line: 452, method: OAuthTokenRequestBase::ProcessOAuthResponse.

Request: authority: https://login.microsoftonline.com/common, client: 3a4d129e-7f50-4e0d-a7fd-033add0a29f4, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/3a4d129e-7f50-4e0d-a7fd-033add0a29f4, resource: 00000003-0000-0000-c000-000000000000, correlation ID (request): 312125d7-f186-49a7-a147-f48e60ebffe1

Related command

First Windows Login with a Passwordless User performing post-Technician part of the user-flow. It seems a local login fixes the issue, then the organizational user can perform a web sign in.

Errors

Error: 0xCAA20002 The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.
Code: invalid_request - Web Sign in is missing from the Windows Login page.

Issue script & Debug output

NGC logs have been collected.

Expected behavior

The web Sign in icon should be presented.

Environment Summary

Web Sign in icon should be presented, and a web sign-in method should be able to be followed to logon to windows the first time.

Additional context

A ticket has been created for Microsoft - Case ID: 2405030040004430

[yonzhan]

Thank you for opening this issue, we will look into it.

[SRE93]

Any updates on this @yonzhan? We are facing the same issue on a Windows 11 device which is already enrolled in Intune.

[navjotsingh08]

We are having similar issue as well but only with Software center which is failing to check the device compliance.

We are also getting the same errors in AAD operational logs with few more different one.

I have asked the question on Microsoft Q&A. here is the link for more info:
https://learn.microsoft.com/en-us/answers/questions/1861206/aad-token-broker-operation-failed

[weyCC81]

May i have the same issue but with the "Application Office", how did you solve this?

Error: 0xCAA5001C Token broker operation failed.
Operation name: GetTokenSilently, Error: -895352830 (0xcaa20002), Description: AADSTS65002: Consent between first party application 'e9c51622-460d-4d3d-952d-966a5b1da34c' and first party resource 'f2d19332-a09d-48c8-a53b-c49ae5502dfc' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. Trace ID: [GUID] Correlation ID: [GUID] Timestamp: [DATE]
Logged at WebAccountProcessor.cpp, line: 680, method: AAD::Core::WebAccountProcessor::ReportOperationError.

• https://learn.microsoft.com/en-us/troubleshoot/windows-client/user-profiles-and-logon/event-1098-error-0xcaa5001c (No missing Permission found)
• https://learn.microsoft.com/en-us/answers/questions/1856430/user-getting-prompted-for-credentials-for-every-ap
• https://learn.microsoft.com/en-us/answers/questions/1855739/cannot-enroll-ms365-licenced-users-into-intune-whe

Error: 0xCAA90056 Renew token by the primary refresh token failed.
Logged at RefreshTokenRequest.cpp, line: 150, method: RefreshTokenRequest::AcquireToken.

Request: authority: https://login.microsoftonline.com/common, client: e9c51622-460d-4d3d-952d-966a5b1da34c, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/e9c51622-460d-4d3d-952d-966a5b1da34c, resource: f2d19332-a09d-48c8-a53b-c49ae5502dfc, correlation ID (request): [GUID]

• https://learn.microsoft.com/en-us/answers/questions/1028825/mdm-hybrid-ad-prt
• https://learn.microsoft.com/en-us/entra/identity/devices/troubleshoot-hybrid-join-windows-current#step-5-collect-logs-and-contact-microsoft-support
• https://www.reddit.com/r/Intune/comments/skepvc/how_to_go_from_azure_ad_registered_to_hybrid/?rdt=57873
• https://learn.microsoft.com/en-us/entra/identity/devices/troubleshoot-hybrid-join-windows-current#step-2-find-the-error-code

Error: 0xCAA20002 The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.
Code: invalid_request
Description: AADSTS65002: Consent between first party application 'e9c51622-460d-4d3d-952d-966a5b1da34c' and first party resource 'f2d19332-a09d-48c8-a53b-c49ae5502dfc' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. Trace ID: [GUID] Correlation ID: [GUID] Timestamp: [DATE]
TokenEndpoint: https://login.microsoftonline.com/common/oauth2/token
Logged at OAuthTokenRequestBase.cpp, line: 452, method: OAuthTokenRequestBase::ProcessOAuthResponse.

Request: authority: https://login.microsoftonline.com/common, client: e9c51622-460d-4d3d-952d-966a5b1da34c, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/e9c51622-460d-4d3d-952d-966a5b1da34c, resource: f2d19332-a09d-48c8-a53b-c49ae5502dfc, correlation ID (request): [GUID]

• https://learn.microsoft.com/en-us/microsoft-365/troubleshoot/authentication/automatic-authentication-fails
• https://learn.microsoft.com/en-us/answers/questions/1861206/aad-token-broker-operation-failed
• (https://pariswells.com/blog/research/teams-pro-room-device-cannot-connect)

Reference Ticket: #2409181420002854

[hawkeye80]

@weyCC81 Did you get any solution on the ticket or by your own?
I'm also stuck at that point during intune onboarding.

[weyCC81]

@hawkeye80 I can not fully remember it, but I think it was some combination with a transparent proxy (Zscaler & Windows) ...