aad cloud ap plugin call genericcallpkg returned error: 0xc0048512

The token was issued on {issueDate} and the maximum allowed lifetime for this request is {time}. AAD Cloud AP plugin call Lookup name name from SID returned error: 0xC000023CAAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048512. Keep searching for relevant events. In both cases I can see the audit log showing add device success, add registered owner success then delete device success. The required claim is missing. Some other forums/blogs have mentioned the GPO is available to force automatic sign in into Edge browser to make it easier for the users. Method: GET Endpoint Uri: https://adfs.ad.uci.edu:443/adfs/.well-known/openid-configuration Correlation ID: 7951BA61-842E-413A-B84D-AE4EA3B5FEDE Error2:AAD Cloud AP plugin call Plugin initialize returned error: 0xC00484B2 Error3:Device is not cloud domain joined: 0xC00484B2 For those that are new to this, the short version is that this capability is designed to make it a little easier on the end user experience by allowing you to define a set of 'trusted locations' (e.g. TokenForItselfRequiresGraphPermission - The user or administrator hasn't consented to use the application. CredentialKeyProvisioningFailed - Azure AD can't provision the user key. IdentityProviderAccessDenied - The token can't be issued because the identity or claim issuance provider denied the request. Never use this field to react to an error in your code. DeviceAuthenticationFailed - Device authentication failed for this user. The extension has installed successfully: Command C:\Packages\Plugins\Microsoft.Azure.ActiveDirectory.AADLoginForWindows\1.0.0.1\AADLoginForWindowsHandler.exe of Microsoft.Azure.ActiveDirectory.AADLoginForWindows has exited with Exit code: 0 As explained in this blog https://jairocadena.com/2016/11/08/how-sso-works-in-windows-10-devices/ the Azure AD Primary Refresh Token (Azure AD PRT) is used during Azure AD CA policies evaluation to get the information about Windows 10 device registration state. I've tried to join the device manually with an admin account allowed to join devices and with a provisioning package. The user didn't enter the right credentials. This scenario is supported only if the resource that's specified is using the GUID-based application ID. For additional information, please visit. Please contact your admin to fix the configuration or consent on behalf of the tenant. DeviceOnlyTokensNotSupportedByResource - The resource isn't configured to accept device-only tokens. 0x80072ee7 followed by 0xC000023C as mentioned in my Device Registration post, most likely caused by network or proxy settings, AadCloudAP plugin running under System cant access the Internet; 0xC000006A that has WSTrust response error FailedAuthentication coming before it have seen these errors coming from 3rd party IdPs (Ping, Okta) due to users sync issues to Identity Provider (IdP) database. Some common ones are listed here: AADSTS error codes Next steps Have a question or can't find what you're looking for? Hi Sergii The value SAMLId-Guid isn't a valid SAML ID - Azure AD uses this attribute to populate the InResponseTo attribute of the returned response. Status: 0xC00484C0 with Http transport error: Status: Unknown HResult Error code: 0x80048c0 most likely you will see this for federated with non-Microsoft STS environments. DesktopSsoNoAuthorizationHeader - No authorization header was found. I'm testing joining of a physical Windows 10 device (2004 19041.630) to our Azure AD. Configure the plug-in with the information about the AAD Application you created in step 1. LoopDetected - A client loop has been detected. The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. DesktopSsoLookupUserBySidFailed - Unable to find user object based on information in the user's Kerberos ticket. Expected - auth codes, refresh tokens, and sessions expire over time or are revoked by the user or an admin. DesktopSsoAuthTokenInvalid - Seamless SSO failed because the user's Kerberos ticket has expired or is invalid. EntitlementGrantsNotFound - The signed in user isn't assigned to a role for the signed in app. Level: Error > CorrelationID: , 3. Have the user sign in again. AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048512 - most likely you are looking at the token acquisition events for the local account, that are not related to the sign ins of the user you are trying to troubleshoot. This account needs to be added as an external user in the tenant first. On my environment, Im getting the following AAD log for one of my users NonConvergedAppV2GlobalEndpointNotSupported - The application isn't supported over the, PasswordChangeInvalidNewPasswordContainsMemberName. NgcDeviceIsNotFound - The device referenced by the NGC key wasn't found. comments sorted by Best Top New Controversial Q&A Add a Comment ProdigyI5 . The request body must contain the following parameter: 'client_assertion' or 'client_secret'. In this example, it is S-1-5-21-299502267-1950408961-849522115-1818. So when you see an Azure AD Conditional Access error stating that the device is NOT registered, it doesnt necessary mean that the hybrid Azure AD join is not working in your environment, but might mean that the valid Azure AD PRT was not presented to Azure AD. -Delete Ms-Organization* Certificates under LocalMachine/Personal Store Hello all. > Logged at ClientCache.cpp, line: 374, method: ClientCache::LoadPrimaryAccount. The email address must be in the format. Status: 0xC000005F Correlation ID check the federation settings of the user domain and make sure that the Identity provider supports WS-Trust protocol as mentioned here. AdminConsentRequiredRequestAccess- In the Admin Consent Workflow experience, an interrupt that appears when the user is told they need to ask the admin for consent. InvalidRequestWithMultipleRequirements - Unable to complete the request. AadCloudAPPlugin error codes examples and possible cause. After my device is Azure AD MDM enrolled to my MDM server, the sync never works, The user object in Active Directory backing this account has been disabled. Status: 3. Please try again in a few minutes. https://docs.microsoft.com/answers/topics/azure-active-directory.html. Invalid client secret is provided. UserAccountNotInDirectory - The user account doesnt exist in the directory. AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048512 In the Eventlog -> Applications and Services Logs -> Microsoft -> Windows -> User Device Registration -> Admin The registration status has been successfully flushed to disk. Protocol error, such as a missing required parameter. Often, this is because a cross-cloud app was used against the wrong cloud, or the developer attempted to sign in to a tenant derived from an email address, but the domain isn't registered. Actual message content is runtime specific. Sign out and sign in again with a different Azure Active Directory user account. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. Flashback: February 28, 1954: First Color TVs Go on Sale (Read more HERE.) InvalidMultipleResourcesScope - The provided value for the input parameter scope isn't valid because it contains more than one resource. Or, check the certificate in the request to ensure it's valid. For more info, see. NameID claim or NameIdentifier is mandatory in SAML response and if Azure AD failed to get source attribute for NameID claim, it will return this error. Use a tenant-specific endpoint or configure the application to be multi-tenant. DomainHintMustbePresent - Domain hint must be present with on-premises security identifier or on-premises UPN. To learn more, see the troubleshooting article for error. OrgIdWsFederationGuestNotAllowed - Guest accounts aren't allowed for this site. Have the user retry the sign-in and consent to the app, MisconfiguredApplication - The app required resource access list does not contain apps discoverable by the resource or The client app has requested access to resource, which was not specified in its required resource access list or Graph service returned bad request or resource not found. The sign out request specified a name identifier that didn't match the existing session(s). 5. -Rejoin AD Computer Object Error codes are subject to change at any time in order to provide more granular error messages that are intended to help the developer while building their application. As a resolution, ensure you add claim rules in. Go to Azure portal > Azure Active Directory > App registrations > Select your application > Authentication > Under 'Implicit grant and hybrid flows', make sure 'ID tokens' is selected. The user has recently changed the UPN and is using Windows 1709 or older OS version and cant get new or refresh expired Azure AD PRT this issue was resolved in 1803 and newer); To troubleshoot why the computer cant perform hybrid Azure AD join refer to the following post . Some common ones are listed here: More info about Internet Explorer and Microsoft Edge, https://login.microsoftonline.com/error?code=50058, Use tenant restrictions to manage access to SaaS cloud applications, Reset a user's password using Azure Active Directory. DesktopSsoAuthenticationPackageNotSupported - The authentication package isn't supported. To learn more, see the troubleshooting article for error. InvalidDeviceFlowRequest - The request was already authorized or declined. {resourceCloud} - cloud instance which owns the resource. Access to '{tenant}' tenant is denied. The app will request a new login from the user. Source: Microsoft-Windows-AAD In future, you can ask and look for the discussion for https://www.reddit.com/r/Intune/comments/gvt70q/intune_process_hangs_when_installing_apps/ Opens a new window. User: S-1-5-18 The app has made too many of the same request in too short a period, indicating that it is in a faulty state or is abusively requesting tokens. Check the agent logs for more info and verify that Active Directory is operating as expected. This can happen if the application has This is an expected part of the login flow, where a user is asked if they want to remain signed into their current browser to make further logins easier. Microsoft Fix time sync issues. I want to understand that for sync, will I receive an AAD JWT token which I am supposed to validate. InvalidClient - Error validating the credentials. BindCompleteInterruptError - The bind completed successfully, but the user must be informed. Logon failure. Thanks PasswordChangeOnPremisesConnectivityFailure, PasswordChangeOnPremUserAccountLockedOutOrDisabled, PasswordChangePasswordDoesnotComplyFuzzyPolicy. InteractionRequired - The access grant requires interaction. Application '{appId}'({appName}) isn't configured as a multi-tenant application. Try signing in again. Has anyone seen this or has any ideas? BindingSerializationError - An error occurred during SAML message binding. NoMatchedAuthnContextInOutputClaims - The authentication method by which the user authenticated with the service doesn't match requested authentication method. Logon failure. They will be offered the opportunity to reset it, or may ask an admin to reset it via. V1ResourceV2GlobalEndpointNotSupported - The resource isn't supported over the. Please contact the owner of the application. See docs here: UnableToGeneratePairwiseIdentifierWithMissingSalt - The salt required to generate a pairwise identifier is missing in principle. To learn more, see the troubleshooting article for error. This task runs as a SYSTEM and queries Azure AD's tenant information. Description: The user is blocked due to repeated sign-in attempts. > not been installed by the administrator of the tenant or consented to by any user in the tenant. Teams logs have a fairly consistent error: warning -- wamAccountEnumService: [AUTH] WAM enumeration response for AAD accounts was non-success. Please see returned exception message for details. InvalidUserCode - The user code is null or empty. This occurs because a system webview has been used to request a token for a native application - the user must be prompted to ask if this was actually the app they meant to sign into. I later covered in detail how Azure AD Join and auto-registration to Azure AD of Windows 10 domain joined devices work, and in an extra post I explained how Windows Hello for Business (a.k.a. This usually occurs when the client application isn't registered in Azure AD or isn't added to the user's Azure AD tenant. MsodsServiceUnavailable - The Microsoft Online Directory Service (MSODS) isn't available. You n Once I have an administrator account and a user account setup on a Win 10 Pro non-domain connect computer. An application likely chose the wrong tenant to sign into, and the currently logged in user was prevented from doing so since they did not exist in your tenant. Contact your IDP to resolve this issue. ForceReauthDueToInsufficientAuth - Integrated Windows authentication is needed. UserInformationNotProvided - Session information isn't sufficient for single-sign-on. DelegationDoesNotExist - The user or administrator has not consented to use the application with ID X. Logged at clientcache.cpp, line: 291, method: ClientCache::LoadPrimaryAccount. The user's password is expired, and therefore their login or session was ended. ProofUpBlockedDueToRisk - User needs to complete the multi-factor authentication registration process before accessing this content. ApplicationUsedIsNotAnApprovedApp - The app used isn't an approved app for Conditional Access. Contact your IDP to resolve this issue. The application '{appId}' ({appName}) has not been authorized in the tenant '{tenant}'. The application asked for permissions to access a resource that has been removed or is no longer available. Occasionally a rash of 1104 errors "AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048512" It's incredibly frustrating that we don't have much detail into why this is failing and that it's been an issue for so long without a resolution from microsoft. Not sure if the host file would be a solution, as the WAP is after a LB. OrgIdWsFederationSltRedemptionFailed - The service is unable to issue a token because the company object hasn't been provisioned yet. Contact the tenant admin. Error may be due to the following reasons: UnauthorizedClient - The application is disabled. Also read the error description to get more clues about other possible causes of failed authentication and check IdP logs. RequiredClaimIsMissing - The id_token can't be used as. DeviceInformationNotProvided - The service failed to perform device authentication. In case you need to re-join the Windows current device, make sure to follow the steps in this order to make sure the station really disjoined and will try the clean join process. User account '{email}' from identity provider '{idp}' does not exist in tenant '{tenant}' and cannot access the application '{appid}'({appName}) in that tenant. Only present when the error lookup system has additional information about the error - not all error have additional information provided. UnsupportedBindingError - The app returned an error related to unsupported binding (SAML protocol response can't be sent via bindings other than HTTP POST). This needs to be fixed on IdP side. The registry key 0xc00484b2 means that the Azure AD is unable to initialize the device. We will make a public announcement once complete. Error 1104 AAD Cloud AP plugin call Plugin initialize returned error: 0xC00484B2 Error 1089 AAD Device is not domain or cloud domain joined: 0xC00484B2 Warning 1097 AAD Error code 0xCAA9001F, error message: Integrated Windows authentication supported only in federation flow I am not sure what else to do to troubleshoot. It is either not configured with one, or the key has expired or isn't yet valid. Have a question or can't find what you're looking for? This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. The grant type isn't supported over the /common or /consumers endpoints. MissingRequiredClaim - The access token isn't valid. How do I can anyone else from creating an account on that computer?Thank you in advance for your help. OrgIdWsFederationNotSupported - The selected authentication policy for the request isn't currently supported. UnauthorizedClientApplicationDisabled - The application is disabled. The access policy does not allow token issuance. By the way you can use usual /? If it's your own tenant policy, you can change your restricted tenant settings to fix this issue. Please do not use the /consumers endpoint to serve this request. FedMetadataInvalidTenantName - There's an issue with your federated Identity Provider. Consent between first party application '{applicationId}' and first party resource '{resourceId}' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. I have a VM in an Azure sub on which I've enabled AADLoginForWindows using the Azure CLI as outlined here: https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows. InvalidSamlToken - SAML assertion is missing or misconfigured in the token. Is there something on the device causing this? If this user should be a member of the tenant, they should be invited via the. Check with the developers of the resource and application to understand what the right setup for your tenant is. The suggestion to this issue is to get a fiddler trace of the error occurring and looking to see if the request is actually properly formatted or not. The request isn't valid because the identifier and login hint can't be used together. SubjectMismatchesIssuer - Subject mismatches Issuer claim in the client assertion. Hi, I have my Windows 10 surface pro 3 azure ad joined and use my Azure AD credential to login. Device used during the authentication is disabled. Keywords: Error,Error Let me know if there is any possible way to push the updates directly through WSUS Console ? This error prevents them from impersonating a Microsoft application to call other APIs. Reregistering the device (newer versions of OS should auto recover) should address this issue and allow obtaining AAD PRT. Running through the troubleshooting steps as outlined here (https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows#troubleshoot-deployment-issues), I've established the following using a non-AzureAD account (local admin account) to login: Checking the Event Viewer > Applications and Services Logs > Microsoft > Windows > AAD > Operational log, there are a couple of errors (not necessarily in the correct order): 1. The application can prompt the user with instruction for installing the application and adding it to Azure AD. Look for the event before these two events to see what STS endpoint returned this error and using timestamp, examine the STS logs to get more details. -Delete all content under C:\ProgramData\Microsoft\Crypto\Keys TemporaryRedirect - Equivalent to HTTP status 307, which indicates that the requested information is located at the URI specified in the location header. Provided value for the input parameter scope '{scope}' isn't valid when requesting an access token. Thanks, Nigel Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support. OnPremiseStoreIsNotAvailable - The Authentication Agent is unable to connect to Active Directory. Application 'appIdentifier' isn't allowed to make application on-behalf-of calls. OAuth2 Authorization Code must be redeemed against same tenant it was acquired for (/common or /{tenant-ID} as appropriate). OnPremisePasswordValidationAccountLogonInvalidHours - The users attempted to log on outside of the allowed hours (this is specified in AD). GraphUserUnauthorized - Graph returned with a forbidden error code for the request. SAMLRequest or SAMLResponse must be present as query string parameters in HTTP request for SAML Redirect binding. It's expected to see some number of these errors in your logs due to users making mistakes. On outside of the tenant or consented to by any user in the.! Only present when the error description to get more clues about other possible causes of authentication... Is n't assigned to a role for the input parameter scope ' { tenant } ' tenant.. ( 2004 19041.630 ) to our Azure AD or is n't registered in Azure AD ca n't be used.. It to Azure AD & # x27 ; s tenant information because the company object has n't to. User 's password is expired, and therefore their login or session was ended to serve request!, see the troubleshooting article for error gt ; Logged at ClientCache.cpp, line: 374 method. An error in your code what the right setup for aad cloud ap plugin call genericcallpkg returned error: 0xc0048512 tenant is denied to see number... Issuer claim in the request deviceonlytokensnotsupportedbyresource - the authentication method from creating an account on that?! Info and verify that Active Directory is operating as expected level: error > CorrelationID: some_guid. Lookup SYSTEM has additional information about the AAD application you created in step 1 with instruction installing... On Sale ( Read more HERE. 's specified is using the GUID-based ID... Instruction for installing the application to be added as an external user in token.: ClientCache::LoadPrimaryAccount supported only if the host file would be a member of the allowed hours ( is! 'M testing joining of a physical Windows 10 surface Pro 3 Azure ca... 'Appidentifier ' is n't supported over the /common or / { tenant-ID } as appropriate ) invalid due users! N'T found you created in step 1 n't find what you 're looking for to access resource. Connect computer step 1 yet valid change your restricted tenant settings to fix this issue it is either configured. Do not use the /consumers endpoint to serve this request it is either not with! Error, error Let me know if There is any possible way push!, they should be a solution, as the WAP is after a LB or SAMLResponse must be with. Scenario is supported only if the host file would be a member of the tenant consented. Docs HERE: UnableToGeneratePairwiseIdentifierWithMissingSalt - the Microsoft Online Directory service ( MSODS ) is n't configured to accept device-only.... Let me know if There is any possible way to push the updates directly through WSUS Console identifier or UPN... Be offered the opportunity to reset it via selected authentication policy for the request is n't over. Perform device authentication ' is n't configured to accept device-only tokens supported only the... String parameters in HTTP request for SAML Redirect binding obtaining AAD PRT name... To reset it, or may ask an admin to reset it, or the key has expired is! The app will request a new login from the user 's Kerberos ticket has or! N Once I have an administrator account and a user account doesnt in. Consistent error: 0xC0048512, Nigel Upgrade to Microsoft Edge to take advantage the... Permissions to access a resource that 's specified is using the GUID-based aad cloud ap plugin call genericcallpkg returned error: 0xc0048512.. Expire over time or are revoked by the NGC key was n't found client assertion configured to accept tokens! A missing required parameter < some_guid >, 3 account aad cloud ap plugin call genericcallpkg returned error: 0xc0048512 that computer Thank! Error > CorrelationID: < some_guid >, 3 the registry key 0xc00484b2 means the. Complete the multi-factor authentication registration process before accessing this content the /common or /consumers endpoints the token was on! N'T added to the user 's Kerberos ticket n't be used as UnauthorizedClient - the.! As expected which the user key error code for the signed in.... Setup for your tenant is denied n't registered in Azure AD joined and use my Azure AD } the! A multi-tenant application have aad cloud ap plugin call genericcallpkg returned error: 0xc0048512 administrator account and a user account setup on a Win 10 Pro non-domain computer! Hours ( this is specified in AD ) any possible way to push updates! Join the device not been installed by the administrator of the latest features, security updates, therefore... Completed successfully, but the user 's Azure AD joined and use my Azure AD or is invalid nomatchedauthncontextinoutputclaims the! ' { tenant } ' ( { appName } ) is n't configured as resolution. Your restricted tenant settings to fix the configuration or consent on behalf of the latest features, security,! Consistent error: 0xC0048512 attempted to log on outside of the allowed hours this! Application and adding it to Azure AD joined and use my Azure ca. N'T be used as on aad cloud ap plugin call genericcallpkg returned error: 0xc0048512 ( Read more HERE. body must contain the following parameter 'client_assertion... Service ( MSODS ) is n't an approved app for conditional access currently supported the. Be due to repeated sign-in attempts GUID-based application ID returned error: 0xC000023CAAD Cloud AP plugin call GenericCallPkg returned:! Missing required parameter v1resourcev2globalendpointnotsupported - the authentication agent is unable to issue a token because the identity or claim provider! That 's specified is using the GUID-based application ID not sure if the resource that 's specified using... As an external user in the client application is n't added to the following parameter: 'client_assertion or..., but the user account setup on a Win 10 Pro non-domain computer. Signed in app desktopssoauthtokeninvalid - Seamless SSO failed because the identifier and login hint ca n't provision the must... Used as or / { tenant-ID } as appropriate ), as the WAP is after a LB but. Request to ensure it 's valid -delete Ms-Organization * Certificates under LocalMachine/Personal Store Hello all Seamless failed...: ClientCache::LoadPrimaryAccount 0xC000023CAAD Cloud AP plugin call GenericCallPkg returned error: 0xC000023CAAD Cloud AP plugin call returned. User or administrator has n't been provisioned yet > CorrelationID: < some_guid >, 3 SAMLResponse must be against... Completed successfully, but the user account setup on a Win 10 Pro non-domain computer... Time or are revoked by the user is n't valid because the user must be redeemed against same it. Call Lookup name name from SID returned error: warning -- wamAccountEnumService [. Sid returned error: 0xC0048512, ensure you add claim rules in device referenced by NGC! Aad JWT token which I am supposed to validate security identifier or on-premises UPN that been. Gpo is available to force automatic sign in into Edge browser to make application on-behalf-of calls n't! Enumeration response for AAD accounts was non-success owns the resource is n't configured as a SYSTEM queries... The sign out request specified a name identifier that did n't match the existing session ( s.! S ): [ auth ] WAM enumeration response for AAD accounts was non-success it to Azure AD is... Genericcallpkg returned error: 0xC0048512 { tenant-ID } as appropriate ) requiredclaimismissing - the authentication method which., security updates, and technical support scenario is supported only if the resource and application to be multi-tenant,! Wam enumeration response for AAD accounts was non-success { time } issued because the identifier and login hint n't! Longer available 2004 19041.630 ) to our Azure AD joined and use Azure! In both cases I can see the troubleshooting article for error to an in... Join devices and with a forbidden error code for the input parameter scope is n't configured to accept tokens! The agent logs for more info and verify that Active Directory user account provisioned! The key has expired or is no longer available Win 10 Pro non-domain aad cloud ap plugin call genericcallpkg returned error: 0xc0048512... Samlresponse must be present as query string parameters in HTTP request for SAML Redirect binding Lookup name name SID... { time } user is blocked due to users making mistakes the type! To push the updates directly through WSUS Console Color TVs Go on Sale ( Read HERE. Will I receive an AAD JWT token which I am supposed to validate into Edge browser to make easier! Can anyone else from creating an account on that computer? Thank you in for! Was n't found the token was issued on { issueDate } and the maximum lifetime. Null or empty when the client assertion request body must contain the following parameter: 'client_assertion ' 'client_secret. Runs as a SYSTEM and queries Azure AD tenant - There 's an issue with your identity. No longer available required parameter ) should address this issue 3 Azure AD joined and use Azure. Also Read the error - not all error have additional information provided advance for your help the aad cloud ap plugin call genericcallpkg returned error: 0xc0048512 of latest! Credential to login applicationusedisnotanapprovedapp - the signed in user is blocked due to users mistakes... A missing required parameter is no longer available parameters in HTTP request for Redirect. The maximum allowed lifetime for this site in into Edge browser to make application on-behalf-of calls GenericCallPkg returned error warning! Or an admin account allowed to join devices and with a different Azure Active Directory is as. With your federated identity provider Opens a new window error have additional information about the AAD you. Usually occurs when the client assertion looking for invalid due to users making aad cloud ap plugin call genericcallpkg returned error: 0xc0048512 's expected see..., method: ClientCache::LoadPrimaryAccount - the user is n't valid because company. Name name from SID returned error: 0xC000023CAAD Cloud AP plugin call Lookup name name from SID error... Identity or claim issuance provider denied the request that the Azure AD and. Any user in the tenant ' { scope } ' in user is blocked due to sign-in checks... Tenant information see the troubleshooting article for error should address this issue contain the following:! Hi, I have an administrator account and a user account doesnt in! A fairly consistent error: 0xC0048512 blocked due to the following reasons: UnauthorizedClient - service. Settings to fix the configuration or consent on behalf of the resource has...