Recently I blogged about a Hybrid Azure AD workplace join issue that was caused by the Internet Explorer user authentication setting. For more information, please read that article here.
This week I hit another issue related to workplace join for Windows 7. Users were unable to activate Office ProPlus, and unable to access Teams, OneDrive and the Office 365 web portal as well.
Users hit the following screen when they tried to activate Office 365 ProPlus:
You can’t get there from here , please contact your administrator. This application contains sensitive information and can only be accessed from company domain joined devices.
This message appears because we have an Azure AD Conditional Access policy with 'Hybrid Azure AD Join' checked as a required device state, which allows only corporate domain-joined (hybrid joined) computers to access Office 365 applications and blocks everything else, including personal Windows 7 machines.
If you click OK, you will see the full details: the user identity, the app name, the device platform and the device state, which is "Unregistered".
This is very generic: for any computer that is not hybrid Azure AD joined, you will see the same error, so the error alone does not tell you why the join did not happen.
So by looking at above error, how do we troubleshoot the issue ?
As I said in my previous blog post here, on Windows 7 the Hybrid Azure AD join is performed by the Workplace Join tool, so we need to troubleshoot that tool to find out why the join is failing.
As usual, open cmd (command prompt), change the directory to C:\Program Files\Microsoft Workplace Join (if the tool is not installed, install it first) and run AutoWorkplace.exe /i
With the above command line I get the error "An error occurred while trying to join your device to your organisation's workplace" with the details "Unknown Error".
You can also look at Event Viewer for workplace join related issues by going to Event Viewer -> Applications and Services Logs -> Microsoft-Workplace Join -> Admin.
Even here, it doesn't reveal any information about why the join failed, except "Unknown Error".
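The same two client-side steps (run the tool, then read its event log) as a PowerShell snippet you can run from an elevated prompt on the affected Windows 7 machine. This is an added example, not code from the original post or from Microsoft; it assumes the tool sits in the default install path shown in the post, and it discovers the Workplace Join event channel by name at run time rather than assuming an exact channel name.

```powershell
# Added example (not from the original post): run the Workplace Join tool on the
# Windows 7 client, capture its exit code, then dump whatever the Workplace Join
# event logs recorded since the attempt started.
# Assumptions: default install path below; event channel names contain
# "Workplace Join" (discovered with -ListLog instead of hard-coded).

$ToolDir = 'C:\Program Files\Microsoft Workplace Join'
$Tool    = Join-Path $ToolDir 'AutoWorkplace.exe'

if (-not (Test-Path $Tool)) {
    throw "Workplace Join tool not found at $Tool - install it first."
}

$Started = Get-Date
Push-Location $ToolDir
try {
    # /i performs the (hybrid) workplace join for the current user and device.
    & $Tool /i
    Write-Host "AutoWorkplace.exe exit code: $LASTEXITCODE"
}
finally {
    Pop-Location
}

# Find every event channel whose name mentions Workplace Join (Admin and
# Operational, whichever the installed tool version registered) and show the
# events written since the join attempt began.
$Channels = Get-WinEvent -ListLog '*Workplace Join*' -ErrorAction SilentlyContinue
if (-not $Channels) {
    Write-Warning 'No Workplace Join event channel found on this machine.'
}
foreach ($Channel in $Channels) {
    Write-Host "--- $($Channel.LogName) ---"
    Get-WinEvent -LogName $Channel.LogName -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeCreated -ge $Started.AddMinutes(-1) } |
        Sort-Object TimeCreated |
        Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap
}
```

Keep the exit code and the event IDs from this output; when the log only says "Unknown Error", as it did here, the next place to look is the user's device list in the Azure AD portal, not the client.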
This led me to check the Azure AD portal for this specific user: the license, and whether other devices were already registered under the account. The intention of looking at the Azure portal is to verify whether only this computer has the issue or the user account itself does.
Go to https://portal.azure.com, click Azure Active Directory, click Users, and type the name of the user that had the issue.
Click Devices in the left pane to see the devices registered under that user.
As you can see, the user already had 20 devices, and the per-user device limit we have set in the tenant is 20. That is the real cause behind the "Unknown Error": the join is refused because the user's device quota is exhausted.
Now we have two options here: 1) delete some of the user's devices (make sure you delete Windows 7 entries rather than mobile devices) by sorting by activity and removing the devices that have not connected recently, or 2) increase the limit.
1. Deletion is very simple. Click the dots (...) on the device and choose Delete (you need sufficient permissions).
2. Increase the device count limit. How do you do that? If you are a Global Admin, follow the steps listed below.
Visit https://portal.azure.com, click Azure Active Directory, click Devices, click Device settings, and raise "Maximum number of devices per user".
In this case, rather than changing the count, I simply deleted some devices with old activity dates so the user dropped below 20. After the removal, go back to the PC that had the issue.
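The same cleanup done from an admin workstation with the AzureAD PowerShell module, so you can see exactly which stale Windows 7 devices are counted against the user before anything is deleted. This is an added example, not code from the original post or from Microsoft. Assumptions: the AzureAD module is installed and you connect with a role that may delete devices; the devices the Workplace Join tool created show up under the user's registered devices; the tenant limit (20 in this post) is passed in as a parameter rather than read from the tenant; the 90-day staleness cutoff is my choice, not a Microsoft default.

```powershell
# Added example (not from the original post): list the devices registered to the
# affected user, compare the count with the per-user device limit, and remove the
# stale Windows 7 entries that are blocking a new hybrid join.
# Assumptions: AzureAD module; caller may delete devices; limit supplied by
# parameter; -Remove is required before anything is actually deleted.

param(
    [Parameter(Mandatory = $true)] [string] $UserPrincipalName,
    [int]    $DeviceLimit = 20,    # value configured under Devices -> Device settings
    [int]    $StaleDays   = 90,    # assumed cutoff for "not connected recently"
    [switch] $Remove
)

Import-Module AzureAD
Connect-AzureAD | Out-Null

$User    = Get-AzureADUser -ObjectId $UserPrincipalName
$Devices = @(Get-AzureADUserRegisteredDevice -ObjectId $User.ObjectId -All $true)

Write-Host ("{0} has {1} registered device(s); tenant limit is {2}" -f `
    $UserPrincipalName, $Devices.Count, $DeviceLimit)
if ($Devices.Count -lt $DeviceLimit) {
    Write-Host 'Below the limit - the device quota is not what is blocking this join.'
}

# Windows 7 reports OS version 6.1.x. Filtering on OS type and version keeps
# phones and tablets out of the candidate list, as the post recommends.
$Cutoff = (Get-Date).AddDays(-$StaleDays)
$Stale  = @($Devices | Where-Object {
    $_.DeviceOSType -eq 'Windows' -and
    $_.DeviceOSVersion -like '6.1*' -and
    $_.ApproximateLastLogonTimeStamp -ne $null -and
    $_.ApproximateLastLogonTimeStamp -lt $Cutoff
} | Sort-Object ApproximateLastLogonTimeStamp)

Write-Host "Stale Windows 7 devices (last seen before $($Cutoff.ToShortDateString())):"
$Stale | Format-Table DisplayName, DeviceOSVersion, DeviceTrustType, ApproximateLastLogonTimeStamp -AutoSize

if (-not $Remove) {
    Write-Host 'Dry run: re-run with -Remove to delete the devices listed above.'
    return
}

foreach ($Device in $Stale) {
    Write-Host "Removing $($Device.DisplayName) (last seen $($Device.ApproximateLastLogonTimeStamp))"
    Remove-AzureADDevice -ObjectId $Device.ObjectId
}
```

Run it once without -Remove, check the list, then run it with -Remove and rerun AutoWorkplace.exe /i on the client. Deleting the device object only removes the stale registration; it does not touch the on-premises computer account, and the machine can re-register later if it is still in use.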
Back at the CMD prompt, rerun AutoWorkplace.exe /i. This time the device joins the organisation's workplace, which is the Hybrid Azure AD join.
Deletion of these devices cannot be done by end users: if they go to the URL https://portal.fei.msuc05.manage.microsoft.com/Devices they cannot see the Hybrid Azure AD joined devices, so it must be performed by a Global Admin (GA) or a user with sufficient permissions.
Hope it helps.