We are in the process of integrating a third-party MDM (on-premise) with Autopilot in the AAD portal to enable Windows 10 OOBE. We want to achieve this by leveraging an on-premise Core Enterprise Application server in Azure. We have configured the following so far, which is not working as expected. Also, we can't find any relevant event logs within "User Device Registration" or "DeviceManagement-Enterprise-Diagnostics-Provider":
The Autopilot Device Profile was created by importing the ID into Autopilot. A Security Group with authorised users (incl. MFA enabled) was created. Authentication Redirect URIs were also configured in the MDM App used by Azure AD to join the Web App via the corresponding client_id, which maps to one of the Azure DRS. Terms of Usage URLs plus secret keys were also created. MDM DISCOVERY URL & MDM TERMS OF USE URL are correctly set, but we haven't checked if they are accessible over the Internet. NB: All of the above and a host of other requirements were double-checked and tested several times. The device is able to enrol when Intune is used as the MDM server (by adding the Intune application to my Azure AD).
A test device out of the box was used to run the following test scenarios in Azure with an E5 subscription incl. MDM + security.
During our tests we got the following error:
> we are not able to enroll Azure AD due to : Redirect UI [https://login.microsoftonline.com/WebApp/CloudDomainJoin/10] is not formed correctly

After some googling I read this could be caused by DNS issues, outbound proxy issues, or a variety of other reasons.
I also read this can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. We might have sent the authentication request to the wrong tenant, but I checked this with a colleague today and granted all necessary permissions as required. Didn't do the trick.
I also read this could simply be due to a general Authentication Failure, which still looks very generic to me.
Does anyone have any clues on how to troubleshoot these kinds of problems based on the error reported? Tips will be very much appreciated.
There's a simple way to fix this by altering the associated properties file (mifs.properties). Herein you'll find that - as you rightfully deduced - the current regex is fixed at [0,9]. This one can be modified accordingly as a workaround until this is formally fixed. Assuming you have a support contract with MobileIron, reach out to get the proposed WA implemented (requires tomcat restart).
Current:
msft.aad.redirect.url.pattern=^https://login.microsoftonline.com/WebApp/CloudDomainJoin/0-9?$
Workaround:
msft.aad.redirect.url.pattern=^https://login\.microsoftonline\.com/WebApp/CloudDomainJoin/[0-9]{1,10}(/)?$
Reference: https://social.msdn.microsoft.com/Forums/en-US/60c55212-fd6d-4c5c-a415-47ab404b7945/unable-to-enroll-device-into-azure-ad-using-3rd-party-onpremise-mdm?forum=WindowsAzureAD#c41a355a-260a-41db-84dd-78895059a645
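To see why the shipped pattern rejects the redirect URI from the error and the workaround accepts it, here is a small added check (not code from the thread or from MobileIron) that runs both msft.aad.redirect.url.pattern values against the URI in the error plus a few constructed variants. It also shows a second difference a reviewer would want to notice: the original pattern leaves the dots in the host unescaped, so it is looser on the hostname than the workaround, while the workaround pins the host exactly and only varies the numeric path segment.

```python
import re

# Both values are copied from the answer above (msft.aad.redirect.url.pattern).
# In the original, "0-9?" is not a character class: it is a literal "0", a
# literal "-" and an optional "9", so only ".../0-" and ".../0-9" ever match.
CURRENT_PATTERN = r"^https://login.microsoftonline.com/WebApp/CloudDomainJoin/0-9?$"
WORKAROUND_PATTERN = (
    r"^https://login\.microsoftonline\.com/WebApp/CloudDomainJoin/[0-9]{1,10}(/)?$"
)

BASE = "https://login.microsoftonline.com/WebApp/CloudDomainJoin/"


def redirect_allowed(pattern: str, redirect_uri: str) -> bool:
    """True if an MDM server using this pattern would accept the AAD redirect URI."""
    return re.match(pattern, redirect_uri) is not None


# Constructed inputs: the URI quoted in the error report and a few variants.
SAMPLES = {
    BASE + "10": "URI from the error report",
    BASE + "10/": "same URI with trailing slash",
    BASE + "0-9": "literal text '0-9' in the path",
    BASE: "no version segment at all",
    BASE + "abc": "non-numeric version segment",
    # Unescaped '.' in the original pattern matches any character, so a host
    # that differs only at a dot position still satisfies the original regex.
    "https://loginXmicrosoftonline.com/WebApp/CloudDomainJoin/0-9": "host with a dot replaced",
}


def evaluate(pattern: str) -> dict:
    """Map each sample URI to whether the given pattern accepts it."""
    return {uri: redirect_allowed(pattern, uri) for uri in SAMPLES}


if __name__ == "__main__":
    current, fixed = evaluate(CURRENT_PATTERN), evaluate(WORKAROUND_PATTERN)
    print(f"{'sample':<32} {'current':>8} {'workaround':>11}")
    for uri, label in SAMPLES.items():
        print(f"{label:<32} {str(current[uri]):>8} {str(fixed[uri]):>11}")
```

Running it shows the error-report URI is rejected by the current pattern and accepted by the workaround, and that the workaround additionally rejects the altered-host sample the original lets through.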