Authentication Token Failures on Entra Joined Autopilot devices causing build failures

[avazin]

Describe the bug

When performing Pre-Provisioning Autopilot/Entra Joined only provisioning, the Web Sign-in Icon is missing from the first Windows Logon screen.

Log Name: Microsoft-Windows-AAD/Operational Source: Microsoft-Windows-AAD Date: 5/28/2024 9:13:33 AM Event ID: 1098 Task Category: AadTokenBrokerPlugin Operation Level: Error Keywords: Operational,Error User: Computer: Description: Error: 0xCAA20002 The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Code: invalid_request Description: AADSTS65002: Consent between first party application '3a4d129e-7f50-4e0d-a7fd-033add0a29f4' and first party resource '00000003-0000-0000-c000-000000000000' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. Trace ID: 7c201ba4-5f0a-4e02-a138-4248b792cc00 Correlation ID: 312125d7-f186-49a7-a147-f48e60ebffe1 Timestamp: 2024-05-28 14:13:33Z TokenEndpoint: https://login.microsoftonline.com/common/oauth2/token Logged at OAuthTokenRequestBase.cpp, line: 452, method: OAuthTokenRequestBase::ProcessOAuthResponse.

Request: authority: https://login.microsoftonline.com/common, client: 3a4d129e-7f50-4e0d-a7fd-033add0a29f4, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/3a4d129e-7f50-4e0d-a7fd-033add0a29f4, resource: 00000003-0000-0000-c000-000000000000, correlation ID (request): 312125d7-f186-49a7-a147-f48e60ebffe1 Event Xml:

](http://schemas.microsoft.com/win/2004/08/events/event%22%3E) 1098 0 2 103 0 0x4000000000000012 2637 Microsoft-Windows-AAD/Operational ***** 3399614466 The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Code: invalid_request Description: AADSTS65002: Consent between first party application '3a4d129e-7f50-4e0d-a7fd-033add0a29f4' and first party resource '00000003-0000-0000-c000-000000000000' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. Trace ID: 7c201ba4-5f0a-4e02-a138-4248b792cc00 Correlation ID: 312125d7-f186-49a7-a147-f48e60ebffe1 Timestamp: 2024-05-28 14:13:33Z TokenEndpoint: https://login.microsoftonline.com/common/oauth2/token Logged at OAuthTokenRequestBase.cpp, line: 452, method: OAuthTokenRequestBase::ProcessOAuthResponse. Request: authority: https://login.microsoftonline.com/common, client: 3a4d129e-7f50-4e0d-a7fd-033add0a29f4, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/3a4d129e-7f50-4e0d-a7fd-033add0a29f4, resource: 00000003-0000-0000-c000-000000000000, correlation ID (request): 312125d7-f186-49a7-a147-f48e60ebffe1 ### Related command First Windows Login with a Passwordless User performing post-Technician part of the user-flow. It seems a local login fixes the issue, then the organizational user can perform a web sign in. ### Errors Error: 0xCAA20002 The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Code: invalid_request - Web Sign in is missing from the Windows Login page. ### Issue script & Debug output NGC logs have been collected. ### Expected behavior The web Sign in icon should be presented. ### Environment Summary Web Sign in icon should be presented, and a web sign-in method should be able to be followed to logon to windows the first time. ### Additional context A ticket has been created for Microsoft - Case ID: 2405030040004430

[yonzhan]

Thank you for opening this issue, we will look into it.

[SRE93]

Any updates on this @yonzhan? We are facing the same issue on a Windows 11 device which is already enrolled in Intune.

[navjotsingh08]

We are having similar issue as well but only with Software center which is failing to check the device compliance.

We are also getting the same errors in AAD operational logs with few more different one.

I have asked the question on Microsoft Q&A. here is the link for more info: https://learn.microsoft.com/en-us/answers/questions/1861206/aad-token-broker-operation-failed

[weyCC81]

May i have the same issue but with the "Application Office", how did you solve this?

Error: 0xCAA5001C Token broker operation failed.
Operation name: GetTokenSilently, Error: -895352830 (0xcaa20002), Description: AADSTS65002: Consent between first party application 'e9c51622-460d-4d3d-952d-966a5b1da34c' and first party resource 'f2d19332-a09d-48c8-a53b-c49ae5502dfc' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. Trace ID: [GUID] Correlation ID: [GUID] Timestamp: [DATE]
Logged at WebAccountProcessor.cpp, line: 680, method: AAD::Core::WebAccountProcessor::ReportOperationError.

• https://learn.microsoft.com/en-us/troubleshoot/windows-client/user-profiles-and-logon/event-1098-error-0xcaa5001c (No missing Permission found)
• https://learn.microsoft.com/en-us/answers/questions/1856430/user-getting-prompted-for-credentials-for-every-ap
• https://learn.microsoft.com/en-us/answers/questions/1855739/cannot-enroll-ms365-licenced-users-into-intune-whe

Error: 0xCAA90056 Renew token by the primary refresh token failed.
Logged at RefreshTokenRequest.cpp, line: 150, method: RefreshTokenRequest::AcquireToken.

Request: authority: https://login.microsoftonline.com/common, client: e9c51622-460d-4d3d-952d-966a5b1da34c, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/e9c51622-460d-4d3d-952d-966a5b1da34c, resource: f2d19332-a09d-48c8-a53b-c49ae5502dfc, correlation ID (request): [GUID]

• https://learn.microsoft.com/en-us/answers/questions/1028825/mdm-hybrid-ad-prt
• https://learn.microsoft.com/en-us/entra/identity/devices/troubleshoot-hybrid-join-windows-current#step-5-collect-logs-and-contact-microsoft-support
• https://www.reddit.com/r/Intune/comments/skepvc/how_to_go_from_azure_ad_registered_to_hybrid/?rdt=57873
• https://learn.microsoft.com/en-us/entra/identity/devices/troubleshoot-hybrid-join-windows-current#step-2-find-the-error-code

Error: 0xCAA20002 The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.
Code: invalid_request
Description: AADSTS65002: Consent between first party application 'e9c51622-460d-4d3d-952d-966a5b1da34c' and first party resource 'f2d19332-a09d-48c8-a53b-c49ae5502dfc' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. Trace ID: [GUID] Correlation ID: [GUID] Timestamp: [DATE]
TokenEndpoint: https://login.microsoftonline.com/common/oauth2/token
Logged at OAuthTokenRequestBase.cpp, line: 452, method: OAuthTokenRequestBase::ProcessOAuthResponse.

Request: authority: https://login.microsoftonline.com/common, client: e9c51622-460d-4d3d-952d-966a5b1da34c, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/e9c51622-460d-4d3d-952d-966a5b1da34c, resource: f2d19332-a09d-48c8-a53b-c49ae5502dfc, correlation ID (request): [GUID]

• https://learn.microsoft.com/en-us/microsoft-365/troubleshoot/authentication/automatic-authentication-fails
• https://learn.microsoft.com/en-us/answers/questions/1861206/aad-token-broker-operation-failed
• (https://pariswells.com/blog/research/teams-pro-room-device-cannot-connect)

Reference Ticket: #2409181420002854