Small org which has been using Office 365 Business Premium for a year. Was previously able to join (not register) new Win 10 Pro desktops to Azure AD. Following upgrade to Microsoft 365 Business, device join now fails.
-----
Details:
1. Set up new desktops with local admin user (not built-in administrator account)
2. Settings > Access work or school > Connect > Join this device to Azure Active Directory > enter domain admin full address (with @company.com)
3. "Looks like we can't connect to the URL for your organization's MDM terms of use."
Error: invalid_client
description: failed to authenticate user
Environment: Local AD domain with Server 2012 R2 that synchronizes users with Azure AD using Azure AD Connect (latest version 1.2.70.0). New desktops are not joined to the local domain - joined to Azure AD only. Have not changed or used either MDM or Intune settings in Azure admin. Slowly migrating to an Azure-focused environment.
Verified: Azure AD > Devices > Device Settings > Users may join devices to Azure AD > All
Auto enrollment is not enabled, as this is not available for Microsoft 365 Business.
Troubleshooting attempted:
1. Removed DNS CNAME entries for EnterpriseEnrollment and EnterpriseRegistration
result: no change, so added CNAME entries back in.
CNAMEs validated with Device enrollment > Windows enrollment > CNAME Validation.
2. Created new Global Admin user in Azure AD.
result: Used to initiate Azure AD join. Join process noted that this was a new user and successfully performed password update. Proceeded to join process and failed with same error.
Not yet attempted:
1. Downgrade Microsoft 365 Business to Office 365 Business Premium (not sure this is possible)
2. Free trial of Premium (wary of this - cost, and probably no easy downgrade)
I have seen many posts which refer to settings for Azure MDM and Intune that don't seem to apply - most assume Azure AD Premium.
Pages I have read for guidance:
https://social.msdn.microsoft.com/Forums/en-US/b055957b-ecbb-469b-9b33-85fd5c7b2cb8/mdm-terms-of-use-endpoint-is-not-correctly-configured
https://docs.microsoft.com/en-us/intune/troubleshoot-device-enrollment-in-intune
https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current
https://docs.microsoft.com/en-us/azure/active-directory/devices/faq
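Added diagnostic script (not from the original post) that reproduces the checks described above locally on the failing desktop: it resolves the two enrollment CNAMEs and compares them with the documented Intune auto-enrollment targets, reads the device's current join state from `dsregcmd /status`, and tests whether the client can reach the Intune default MDM terms-of-use URL. `company.com` is the placeholder domain from the post; the CNAME targets and the terms-of-use URL are the documented Intune defaults, and it is an assumption that the tenant uses them.

```powershell
# Added example, not the original poster's code. Run in an elevated
# PowerShell window on the Windows 10 Pro desktop that fails to join.
# Assumption: 'company.com' stands in for the verified tenant domain used
# in the join dialog; replace it before running.
$Domain = 'company.com'

# Documented Intune auto-enrollment CNAME targets. They are checked here
# because the post added and removed these records during troubleshooting.
$ExpectedCnames = @{
    "EnterpriseEnrollment.$Domain"   = 'EnterpriseEnrollment-s.manage.microsoft.com'
    "EnterpriseRegistration.$Domain" = 'EnterpriseRegistration.windows.net'
}

# Resolve each CNAME from the client's own DNS and compare with the expected
# target (case-insensitive). A missing record yields Resolved = $null.
function Test-EnrollmentCname {
    param([hashtable]$Expected)
    foreach ($name in $Expected.Keys) {
        try {
            $records = Resolve-DnsName -Name $name -Type CNAME -ErrorAction Stop
            $target  = ($records | Where-Object { $_.Type -eq 'CNAME' } |
                        Select-Object -First 1).NameHost
        } catch {
            $target = $null
        }
        [pscustomobject]@{
            Record   = $name
            Resolved = $target
            Expected = $Expected[$name]
            Ok       = ($null -ne $target) -and ($target -ieq $Expected[$name])
        }
    }
}

# dsregcmd /status prints "Key : Value" lines; pull the fields that matter
# for an Azure AD (not hybrid) join. Keys containing spaces are ignored.
function Get-DeviceJoinState {
    $state = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s*:\s*(.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]@{
        AzureAdJoined = $state['AzureAdJoined']   # expected YES after a successful join
        DomainJoined  = $state['DomainJoined']    # expected NO for Azure AD-only devices
        TenantName    = $state['TenantName']
        DeviceId      = $state['DeviceId']
        AzureAdPrt    = $state['AzureAdPrt']      # primary refresh token present?
    }
}

# Confirm the client can complete an HTTP request to the Intune default
# MDM terms-of-use URL. Assumption: the tenant uses this documented default;
# a different MDM authority would use a different URL.
function Test-MdmTermsOfUseUrl {
    param([string]$Url = 'https://portal.manage.microsoft.com/TermsofUse.aspx')
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        [pscustomobject]@{ Url = $Url; Reachable = $true;  Detail = $resp.StatusCode }
    } catch {
        [pscustomobject]@{ Url = $Url; Reachable = $false; Detail = $_.Exception.Message }
    }
}

Test-EnrollmentCname -Expected $ExpectedCnames | Format-Table -AutoSize
Get-DeviceJoinState | Format-List
Test-MdmTermsOfUseUrl | Format-List
```

The CNAME check tells you whether the client resolves the records the portal validation accepted; the `dsregcmd` fields show whether any partial join state is left behind from the failed attempts; the URL test distinguishes a client-side DNS, TLS or proxy failure from the tenant-side error reported in the join dialog. A redirect to a sign-in page is normal for the terms-of-use URL and still counts as reachable.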