{text: 'Moving the original MSP Tenant to another MSP Tenant',link: '/Documentation/HowToGuides/InstanceChanges/move-the-original-msp-tenant-to-a-new-tenant'},
{text: 'Moving the original MSP Tenant to another MSP Tenant',link: '/Documentation/HowToGuides/InstanceChanges/move-the-original-msp-tenant-to-a-new-tenant'},
86
-
103
+
{text: 'Renaming Computers and adding them to an IDP - Configure Directory',link: '/Documentation/HowToGuides/Tasks/ConfigureDirectory'},
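Review bot: the same sidebar entry, 'Moving the original MSP Tenant to another MSP Tenant', appears on both a removed line (86) and an added line (103) in this hunk, so it reads as a move rather than a new entry; confirm the removed copy was the only other occurrence so the sidebar does not list that page twice. For the new 'Renaming Computers and adding them to an IDP - Configure Directory' entry at line 103, confirm that the target path /Documentation/HowToGuides/Tasks/ConfigureDirectory exists, since no change to such a page is visible in this commit.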
If your conditional access policies require MFA for all users, adjust the settings as follows:
5
+
6
+
1. Exclude 'Microsoft Intune Enrollment' from the Cloud Apps requiring MFA.
7
+
8
+
2. In Azure AD, create a Dynamic Security Group named 'Provisioning Packages'.
9
+
Set its Dynamic Membership Rule to: user.userPrincipalName -startsWith "package_"
10
+
11
+
3. Ensure that this 'Provisioning Packages' group is excluded from the MFA requirement.
12
+
13
+
#### Azure SyncFabric App
14
+
This cloud app needs to exist for the task to run properly. Many new environments do not have the app when they are created, so you will need to create them. Microsoft has also been known to occasionally remove the app from tenants that already have it.
15
+
16
+
To add the cloud app to the desired tenant, run the following script:
17
+
```powershell
18
+
#Install-Module AzureAD #Uncomment this if you do not already have the AzureAD module installed
19
+
Import-Module AzureAD
20
+
Connect-AzureAd -TenantId contoso.com # Login as Global admin in customer tenant
> Replace the "contoso.com" domain with the one corresponding to your desired tenant.
26
+
27
+
Alternatively, there is a cloud task that can add Azure SyncFabric back to the tenant. It may require a custom app registration, though.
28
+
29
+
#### Known Error Codes
30
+
31
+
#### 0xCAA10059
32
+
The account (DEM) you are using to enroll the device does not have permissions to join devices to Azure AD.
33
+
Add the account to 'Selected Users' or enable 'Allow All' users to join devices at:
34
+
35
+
[Microsoft Entra ID - Device Settings](https://aad.portal.azure.com/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/DeviceSettings)
36
+
37
+
#### 0xCAA50021
38
+
The AAD Broker Plugin has been reset by us. You'll need to re-run the task if you see this.
39
+
40
+
#### 0x8018000A
41
+
The device is already enrolled by a user. Re-run with 'ClearExistingEnrollments' set to 'True'.
42
+
43
+
#### 0x801C0024
44
+
The package_ AAD user associated with the PPKG was not found. Please run again with 'CacheProvisioningPackage' set to 'False' to generate a new package and user. This one shouldn't be an issue anymore, since we implemented retries that will generate a new package user if we are unable to create a token on the first try.
45
+
46
+
#### 0x800700B7
47
+
The provisioning package already exists. This may happen if you have executed the provisioning package earlier on this machine.
48
+
49
+
#### AADSTS90092 or AADSTS90202
50
+
51
+
This tenant is missing the Microsoft.Graph.SyncFabric app (Microsoft stopped including it at some point in life)
52
+
53
+
Refer to [Azure SyncFabric App](https://community.immy.bot/t/everything-we-know-of-that-can-go-wrong-with-azuread/2669#p-5196-azure-syncfabric-app-5)
54
+
55
+
#### AADSTS240005
56
+
57
+
To correct this, navigate to [Intune - Roles](https://aka.ms/in/#view/Microsoft_Intune_DeviceSettings/RolesLandingMenuBlade/~/roles)
58
+
59
+
Assign the Cloud Device Administrator or Cloud PC Administrator role to the DEM account you are using and try again.
60
+
61
+
#### AADSTS50126
62
+
63
+
The credentials are invalid OR the user has not been excluded from your Registration Campaign
64
+
65
+
[Microsoft Entra Admin Center - Registration Campaign](https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/RegistrationCampaign/fromNav/Identity)
66
+
67
+
#### AADSTS50055
68
+
69
+
Reset the user's password via [Microsoft Admin Center](https://admin.microsoft.com)
70
+
71
+
#### AADSTS240003
72
+
73
+
This issue might be related to Multi-Factor Authentication (MFA) being enabled for $Username.
74
+
75
+
It's recommended to disable MFA for this account or consider using OAuth for a more secure authentication method.
76
+
77
+
#### AADSTS90002
78
+
79
+
This error can typically be resolved by using the OAuth flow instead of the username/password flow.
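Review bot: the AADSTS240003 entry (lines 73-75) recommends disabling MFA for the account, which is the weakest option on the page; lead instead with the OAuth flow it already mentions and with the Conditional Access exclusion for the 'Provisioning Packages' group described at lines 6-11 of this same file, and reserve any MFA exemption for the dedicated DEM account only. In the same entry, '$Username' at line 73 is an unexpanded script variable and should read as the DEM account in prose. The script at lines 18-20 installs and imports the AzureAD PowerShell module, which Microsoft has deprecated in favour of Microsoft Graph PowerShell; either state that the module still works for this task or give the Connect-MgGraph equivalent. Minor: the 'Refer to Azure SyncFabric App' link at line 53 points to the community forum rather than the 'Azure SyncFabric App' section at line 13 of this page, and the per-error headings use the same '####' level as 'Known Error Codes', so they do not nest under it.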
You only need to create DEM users if you're adding these computers to Azure.
5
+
:::
6
+
7
+
::: danger Do not use a Global Administrator
8
+
From a security standpoint, we do NOT recommend using a global admin or existing user as a DEM.
9
+
:::
10
+
11
+
AzureAD/Entra Join DEM User Instructions
12
+
1. Create a DEM (Device Enrollment Manager) user in the Customer's Azure AD (Ex. [email protected])
13
+
2. Assign the DEM user an Intune license (Intune Plan 1 is fine)
14
+
3. Do NOT make the user a Global Admin (You shouldn't be bypassing MFA for Global Admins)
15
+
4. Go to [Roles and administrators](https://portal.azure.com/#view/Microsoft_AAD_IAM/RolesManagementMenuBlade/~/AllRoles/adminUnitObjectId//resourceScope/%2F) and assign the Cloud Device Administrator or Cloud PC Administrator role
16
+
5. Go to [Device Enrollment Managers](https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/DevicesEnrollmentMenu/~/enrollmentManagers) and make the user a Device Enrollment Manager
17
+
6. Go to [MFA Enrollment](https://portal.azure.com/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/DeviceSettings/menuId/) Settings and verify Require Multi-Factor Authentication to register or join devices with Azure AD is set to "No"
18
+
7. MANUALLY LOGON AS THE USER AN INCOGNITO WINDOW
19
+
- Verify a password change is not required
20
+
8. Verify the user is not being prompted for MFA or MFA Registration
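Review bot: step 6 (line 17) instructs setting 'Require Multi-Factor Authentication to register or join devices with Azure AD' to 'No', but that Device Settings toggle applies to every user in the tenant, not only the DEM account; the doc should say so, and since step 3 and the danger box already stress not bypassing MFA for Global Admins, it should point to scoping the exemption to the DEM user (for example a Conditional Access exclusion for just that account) as the preferred approach. Two wording fixes: step 7 (line 18) is missing 'IN' ('log on as the user in an incognito window') and need not be in capitals, and the example address in step 1 (line 12) renders as '[email protected]', which looks like an obfuscated placeholder; confirm the source shows a concrete example UPN.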
Documentation/Administration/preferences.md: 1 addition & 1 deletion
@@ -53,7 +53,7 @@ These can be managed in the individual tenant, or from Show More > Preferences a
53
53
|| Computers Excluded From Maintenance | Add/Remove computers that should be excluded from sessions. An excluded computer cannot have any software or tasks deployed to it. However, inventory will still be run on it. | Drop Down Selection |
54
54
|| Exclude From Cross-Tenant Deployments and Schedules | When enabled, this tenant and its computers will not be considered when resolving cross-tenant deployments and schedules. | Bool |
55
55
|| Onboarding | Enabling this feature will allow newly synced computers to be onboarded. | Bool |
56
-
|| Onboarding Patching | Enabling this feature will allow for patching during onboarding. This currently only works when the CW Automate integration is enabled.| Bool |
56
+
|| Onboarding Patching | Enabling this feature will allow for patching during onboarding. This currently only works when the ConnectWise Automate integration is enabled. | Bool |
57
57
| Users | User Affinity Sync | Logs the current logged in user to determine who uses a computer. The System User Affinity Sync setting must be enabled for this to take effect. | Bool |
58
58
| Maintenance | Business Hours | Set the business hours. | Time Selection |
59
59
|| Default Time Zone | Set the timezone to be used for this tenant. | Drop Down Selection |
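Review bot: the expanded name 'ConnectWise Automate' on line 56 matches the FAQ change in the same commit, and the added space before '| Bool |' brings the row in line with the neighbouring rows; no further change needed here, though the clause 'This currently only works when the ConnectWise Automate integration is enabled' would benefit from a link to the integration's documentation page if one exists.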
Documentation/FAQ.md: 1 addition & 1 deletion
@@ -352,7 +352,7 @@ Yes, we welcome feature requests and contributions from our community! Please su
352
352
353
353
#### Domain Join didn’t work, what gives?
354
354
::: details It's likely that the DC is missing entirely, or ImmyBot hasn't identified the agent as a DC
355
-
Make sure there is a Domain Controller in ImmyBot for the machine. If you are using a supported RMM like CW Automate/Control setup the integration so the Domain Controller is imported automatically. Otherwise, you’ll need to install the ImmyAgent on a domain controller for that customer.
355
+
Make sure there is a Domain Controller in ImmyBot for the machine. If you are using a supported RMM like ConnectWise Automate/Control setup the integration so the Domain Controller is imported automatically. Otherwise, you’ll need to install the ImmyAgent on a domain controller for that customer.
356
356
357
357
If the Domain Controller doesn’t have the red “Domain Controller” designation, press “Run Inventory”. This may happen if it was recently added to ImmyBot.
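Review bot: while line 355 is being touched, fix the grammar in the unchanged part of the sentence: 'setup' is a noun, so it should read 'set up the integration', and a comma is needed after 'ConnectWise Automate/Control' to separate the condition from the instruction.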