question

0 Votes
5Y54DMIN-6383 asked, Jason-MSFT commented

Not sure if this is an Intune or Azure AD issue but.. 700003 error

I have a feeling this may relate to Intune/Azure AD somehow, but I'm not 100% sure. Or maybe some config in Office 365.

For the past few months we have been getting reports of the below, and it can be from Teams, Outlook, OneDrive etc.

"Your organization has deleted this device. To fix this, contact your system administrator and provide the error code 700003."

We see this on domain-joined devices, on-prem AD devices and hybrid devices, as well as on users' personal devices.

Now we have been fixing this issue in a few ways.

  • Deleting Windows credentials in Control Panel\All Control Panel Items\Credential Manager that pertain to the app.

  • Uninstalling and reinstalling the app.

  • And disconnecting the problematic account by doing the below:

  1. Open the Settings app

  2. Go to Accounts

  3. Select Access work or school

  4. Find the account that you can't use and select Disconnect

  5. Wait until the account is disconnected

  6. Try to log in to Office again using your regular username and password.

What we would like to know is what is causing this error? We think it may be some type of misconfiguration in Intune or Azure AD, but we are not sure what.

Thoughts?

Tags: mem-intune-general, office-itpro, azure-ad-authentication

1 Vote
Jason-MSFT answered, Jason-MSFT commented

First, none of this is Intune-related, as Intune has nothing to do directly with identity, thus adding M365 and AAD tags.

Exactly as the message says though, someone deleted the device object out of AAD. By default, when signing into M365 apps (formerly O365 apps), the device is automatically registered with AAD unless the users uncheck the checkbox that does this. Most users never do this so the device gets registered. Someone at your org, or maybe a script, is then deleting these device objects leading to the issue.

You noted in your initial reply that this is happening on non-BYOD devices as well though?


@Jason-MSFT

Yes, my device did it one time, and it's domain-bound, not hybrid.

It very well could have been removed.

Since we have the setting to BLOCK for Windows (MDM) in Intune, does that mean personal devices will no longer appear in Intune when users sign into services? Will they still appear in Azure AD? If so, can we block that too?

0 Votes

Blocking enrollment in Intune is unrelated to AAD. No, there is no way to block AAD registration of devices. Why does this matter? Registering does not give anyone access to anything.

0 Votes
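Jason's answer points at two tenant-side facts an admin can check directly: whether the device object still exists in Azure AD, and who or what deleted it. The following PowerShell is an added example, not part of this thread or any Microsoft sample. It assumes the Microsoft Graph PowerShell SDK is installed and the signed-in admin holds the listed read permissions; the hostname is a placeholder, and the audit activity name "Delete device" is the one shown in the Azure AD audit log for device deletions (an assumption to verify against your own tenant's log).

```powershell
# Added example (not from the thread). Requires the Microsoft Graph PowerShell SDK.
# Permissions assumed: Device.Read.All, AuditLog.Read.All, Directory.Read.All.
Connect-MgGraph -Scopes "Device.Read.All", "AuditLog.Read.All", "Directory.Read.All"

# 1. Does the device the user is signing in from still have an object in Azure AD?
#    TrustType tells you whether it is AzureAd (joined), ServerAd (hybrid) or Workplace (registered/BYOD).
$deviceName = "PC-EXAMPLE-01"   # placeholder: the hostname reported by the affected client
$dev = Get-MgDevice -Filter "displayName eq '$deviceName'" -All
if (-not $dev) {
    "No device object named '$deviceName' in the tenant; this is consistent with error 700003."
} else {
    $dev | Select-Object DisplayName, DeviceId, TrustType, ApproximateLastSignInDateTime, AccountEnabled
}

# 2. Who, or which app/script, has been deleting device objects? Directory audit log, last 30 days.
#    'Delete device' is assumed to be the activityDisplayName used for device deletions.
$since   = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter  = "activityDisplayName eq 'Delete device' and activityDateTime ge $since"
$deletes = Get-MgAuditLogDirectoryAudit -All -Filter $filter

$deletes | ForEach-Object {
    # A deletion initiated by a user carries a UPN; one initiated by an app/service principal
    # carries the app name instead. Surfacing both separates "someone at your org" from "a script".
    [pscustomobject]@{
        When   = $_.ActivityDateTime
        Actor  = if ($_.InitiatedBy.User.UserPrincipalName) { $_.InitiatedBy.User.UserPrincipalName }
                 else { $_.InitiatedBy.App.DisplayName }
        Target = ($_.TargetResources | Select-Object -First 1).DisplayName
        Result = $_.Result
    }
} | Sort-Object When -Descending | Format-Table -AutoSize
```

If step 2 shows a service principal or automation account as the actor, that is the "script" Jason mentions; if it shows an admin UPN, the device clean-up is being done by hand. Either way the 700003 message on the client is the expected consequence, so the fix belongs with whatever is doing the deleting rather than with Intune.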
1 Vote
Jason-MSFT answered, 5Y54DMIN-6383 edited

Where exactly do you "see" this? Have you validated that the device still exists in AAD?


Hi @Jason-MSFT,

This seems to happen when the user has changed their password and they have to re-sign into Outlook, Teams or OneDrive. Then this message can appear.

I was able to confirm that the device does not exist in Intune or Azure AD, before and after the user signed in.

Thoughts?

EDIT:

To add more info, both devices were the users' personal devices, which we do not want in Azure or Intune. So we did change the setting to BLOCK for Windows (MDM) in Intune.

0 Votes
1 Vote
vipulsparsh-MSFT answered, vipulsparsh-MSFT commented

@5Y54DMIN-6383 There are a few other occurrences of this, but under a scenario where users connected to AAD via adding a work or school account and, after some time, their company enabled hybrid AAD domain join.

As a result, this causes the device to have two different single sign-on states, and then it fails with the error you mentioned. (On newer versions of Windows 10, the older DeviceID, the one created by adding the work account, gets removed automatically to prevent this dual SSO state, which causes AAD to think that the device is no longer present.)

I think you might be falling under the same scenario. If yes, you can remove the previous SSO cookies from the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AAD\Storage

Once the user is authenticated again, we write the SSO cookies again to the same location with the updated device ID.

If the above does not fix your issue, please raise a support case with the Azure AD team.

If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.

@5Y54DMIN-6383 I wanted to follow up and know if the above response helped in answering your query. If it did, please do not forget to accept the appropriate response as Answer.

1 Vote
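The dual-registration scenario in this answer can be confirmed on the client before anything is deleted, and the SSO cookie key it names can be backed up before it is cleared. The PowerShell below is an added example, not from the thread or from Microsoft; it assumes it is run in the affected user's own session on the Windows client (the key is per-user, under HKCU), that `dsregcmd /status` prints its usual `Name : Value` lines, and it clears the key only when `-Clear` is passed.

```powershell
# Added example (not from the thread). Run as the affected user on the Windows client.
# Reads join/registration state from dsregcmd, backs up the SSO cookie key named in the
# answer, and clears it only if -Clear is given.
param([switch]$Clear)

# 1. Pull the fields of interest out of `dsregcmd /status` (assumed "Name : Value" layout).
$status = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined|DeviceId|TenantName|AzureAdPrt)\s*:\s*(.+?)\s*$') {
        $status[$matches[1]] = $matches[2]
    }
}
$status.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

# A domain-joined machine that also reports WorkplaceJoined : YES carries a second registration
# from a "work or school account", the dual SSO state the answer describes.
if ($status['DomainJoined'] -eq 'YES' -and $status['WorkplaceJoined'] -eq 'YES') {
    Write-Warning "Both a domain join and a workplace (work-account) registration are present on this device."
}
if ($status['AzureAdPrt'] -ne 'YES') {
    Write-Warning "No Azure AD PRT for this user; expect sign-in prompts until the device state is fixed."
}

# 2. The per-user SSO cookie store named in the answer. Back it up to a .reg file first so the
#    change can be reverted, then remove it only on request; the next sign-in re-creates it.
$key    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\AAD\Storage'
$regKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\AAD\Storage'
if (Test-Path $key) {
    $backup = Join-Path $env:TEMP ("AAD-Storage-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    reg.exe export $regKey $backup /y | Out-Null
    "Backed up $key to $backup"
    if ($Clear) {
        Remove-Item -Path $key -Recurse -Force
        "Removed $key. Sign in to the Office app again so the cookies are rewritten with the current device ID."
    } else {
        "Key left in place; rerun with -Clear to remove it."
    }
} else {
    "$key not present, so there are no cached SSO cookies for this user."
}
```

Keeping the backup lets you compare the device ID inside the old cookies with the `DeviceId` that `dsregcmd` reports now, which is the mismatch the answer attributes the 700003 error to.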