Support tip: Troubleshoot device cap reached when enrolling devices into Microsoft Intune

By: Premkumar N – Security Customer Experience Engineer | Microsoft Intune

 

When Microsoft Entra or Intune device limits are reached, users will encounter an error when enrolling their device into Intune.  While it can be difficult to understand the reason for the failure from the error message, this blog will explain the differences between Microsoft Entra device registration limit and the Intune device enrollment limit, along with the steps to resolve these issues.

 

For an overview of Microsoft Entra and Intune device limit scenarios refer to: Understand Intune and Microsoft Entra device limit restrictions.

 

Let’s look at the experiences on different platforms, followed by the resolution steps.

 

Android

Intune device limit reached

When the Intune device limit is reached, an Android device enrollment will fail with the following error:

An image of the ‘Device limit reached’ enrollment error message on Android devices.

To diagnose the issue, review the Intune Company Portal logs for the affected device.

Capturing Company Portal logs: Users can select "Email Support" from the error screen to send the logs via email or Send logs from Company Portal.

If the Company Portal logs display the “Device Cap Reached” error as shown in the example logs below, this indicates that the Intune device limit has been reached.

2025-07-16T15:07:39.8410000    VERB    o.zzafi    13923    6035
sending event: EnrollmentFailureEvent(
    networkState=CONNECTED,
    enrollmentFlowType=Enrollment,
    enrollmentType=AfwProfileOwner,
    failureName=DeviceEnrollmentFailure,
    errorException=com.microsoft.windowsintune.companyportal.exceptions.EnrollmentException: 
        Server error = 
        <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" 
                    xmlns:a="http://www.w3.org/2005/08/addressing">
            <s:Body>
                <s:Fault>
                    <s:Code>
                        <s:Value>s:Receiver</s:Value>
                        <s:Subcode>
                            <s:Value>s:Authorization</s:Value>
                        </s:Subcode>
                    </s:Code>
                    <s:Reason>
                        <s:Text xml:lang="en-US">Device Cap Reached</s:Text>
                    </s:Reason>
                    <s:Detail>
                        <DeviceEnrollmentServiceError 
                            xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">
                            <ErrorType>DeviceCapReached</ErrorType>
                            <Message>Device Cap Reached</Message>
                            <TraceId>xxx</TraceId>
                        </DeviceEnrollmentServiceError>
                    </s:Detail>
                </s:Fault>
            </s:Body>
        </s:Envelope>,
    errorMessage=,
    sessionGuid=xxx
)

 

By default, Intune allows a maximum of 15 devices per user; exceeding this limit logs an error in the Company Portal. To address this issue, either remove inactive devices that have not checked in to Intune within a specified timeframe, or increase the device limit (up to 15) in the Intune settings.

 

To remove stale devices:

1. Navigate to the Microsoft Intune admin center > Devices > All Devices.
2. Search using the affected user's UPN to view all enrolled devices.
3. Remove any devices no longer in use.
   
   

To increase the device limit:

1. Navigate to the Microsoft Intune admin center > Devices > Enrollment > Device Limit Restrictions.
2. Select the policy, go to Properties, then edit Device Limit, and adjust the limit (maximum 15).

 

Note: If the Intune device limit is reached, errors are logged in the Microsoft Intune admin center under Devices > Monitor > Enrollment failures.

 

A screenshot of the Enrollment failures report in the Microsoft Intune admin center.

Microsoft Entra device limit reached

For Android, users will see the same error message when Microsoft Entra device limit has been reached.

 

An image of the “Device limit reached” error message.

You can confirm the Microsoft Entra device limit has been reached by checking the Company Portal logs for the following error:

com.microsoft.identity.broker4j.workplacejoin.exception.DrsErrorResponseException:
{
    "code": "invalid_request",
    "subcode": "error_directory_quota_exceeded",
    "message": "User 'xxx' is not eligible to enroll a device of type 'Android'. 
                Reason 'DeviceCapReached'.",
    "operation": "DeviceJoin",
    "requestid": "xxx",
    "time": "xxx"
}

 

Similar to the Intune device limit reached, to resolve this issue either increase the device limit in Microsoft Entra for Microsoft Entra registration or remove any stale devices associated with the user in the Microsoft Entra admin center. Stale devices are those that are no longer active and can be removed when they haven’t checked in for a specified period. One cause of stale devices is deleting or retiring an Intune device, which may leave behind a record in Microsoft Entra and contribute to reaching the Microsoft Entra device registration limit.

 

To remove stale devices:

1. Go to the Microsoft Entra admin center.
2. Navigate to Microsoft Entra ID > Users.
3. Search for the user using their UPN.
4. Select Devices.
5. This displays a list of registered devices for the user. Devices that are no longer in use can be removed.

 

To increase the device limit for Microsoft Entra registration:

1. Go to the Microsoft Entra admin center.
2. Navigate to Microsoft Entra ID > Devices.
3. Select Device Settings.
4. Locate Maximum number of Devices Per User.
5. Adjust the device limit as needed.

 

iOS

Intune device limit reached

For iOS, device enrollment may fail with the following error if the device limit has been reached.

An image of the “Couldn’t add your device.” enrollment error message on iOS devices.

To check the issue, select 'Report and Email logs' to collect Company Portal logs. If the logs show the below error, it confirms the Intune device limit has been reached.

2025-07-18 12:38:33.427 | utility | 31673 | AlertManager.swift:37 (push(alert:grouping:))

Pushing alert with:
    grouping = 0
    title    = Couldn't add your device.
    message  = You have reached the limit of devices you can register. 
               Please contact your company support to increase this number, 
               or review and remove devices that are already registered 
               with this account.

into the AlertManager

 

The resolution is the same as Android, refer to the earlier steps for Intune device limit reached on Android.

 

Microsoft Entra device limit reached

On iOS devices, Intune enrollment may successfully complete; however, device registration may still result in an error as shown below in the Company Portal app.

 

An image of the Intune Company Portal with an error message that the device isn’t registered.

To collect Intune Company Portal logs, select More > Send logs > Email Logs.

 

When you see the following error message in the Company Portal logs:

iOSunderlyingErrorMessage:
{
    "ErrorType": "AuthorizationError",
    "Message": "User '00000000-0000-0000-0000-000000000000' is not eligible 
                to enroll a device of type 'Ios'. 
                Reason 'DeviceCapReached'.",
    "TraceId": "00000000-0000-0000-0000-000000000000",
    "Time": "2025-07-16 14:07:23Z"
}

 

To resolve, use the same steps as Android when Microsoft Entra device limit is reached.

 

macOS

Intune device limit reached

For macOS, device enrollment will fail with the following error when the Intune device limit has been reached.

 

An image of the “Couldn’t add your device.” enrollment error message on macOS devices.

To identify the issue, collect the Company Portal logs by selecting 'Report' and then email the logs. In the logs, when you see the following error, this confirms the Intune device limit has been reached.

 

2025-07-25 07:39:23.731 | utility | 14262 | AlertManager.swift:37 (push(alert:grouping:))

Pushing alert with:
    grouping = 0
    title    = Couldn't add your device.
    message  = You have reached the limit of devices you can register. 
               Please contact your company support to increase this number, 
               or review and remove devices that are already registered 
               with this account.

into the AlertManager

 

 To resolve, use the same steps as Android when Intune device limit is reached.

 

Microsoft Entra device limit reached

For macOS when enrolling into Intune, if the Microsoft Entra device limit has been reached, you’ll notice the following error:

 

An image of the “Couldn’t add your device.” enrollment error message on macOS devices.

In the Company Portal logs, when you see the following error, this confirms the Microsoft Entra device limit has been reached.

 

Description:
{
    "ErrorType": "AuthorizationError",
    "Message": "User '00000000-0000-0000-0000-000000000000' is not eligible 
                to enroll a device of type 'Mac'. 
                Reason 'DeviceCapReached'.",
    "TraceId": "00000000-0000-0000-0000-000000000000",
    "Time": "2025-05-27 05:24:52Z"
}

 

To resolve, use the same steps as Android when Microsoft Entra device limit is reached.

 

Windows

Intune device limit reached

For Windows devices, enrollment will fail with the following error when Intune device limit has been reached:

An image of the “There was a problem” enrollment error message on Windows devices.

When you see this error, you can check the logs in the event viewer in this path:

Source: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin  
Event ID: 71  

MDM Enroll:  
    Failed to receive or parse certificate enroll response.  

Result:  
    The account has too many devices enrolled to Mobile Device Management (MDM).  
    Delete or unenroll old devices to fix this error.

 

 To resolve, use the same steps as Android when Intune device limit is reached.

 

Microsoft Entra device limit reached

For Windows, when the Microsoft Entra device limit has been reached, you’ll notice the following error during Intune enrollment:

 

An image of the “Additional problem information" enrollment error message on Windows devices.

When you see this error, you can check the logs in the event viewer in this path:

Windows Device
Source: Microsoft-Windows-User Device Registration/Admin
Event ID: 304

 

The get join response operation callback failed with:
    exit code: Unknown HResult Error code: 0x801c000e

Activity Id:
    a0a15e15-631a-46ab-b0a4-2f540778df7d

The server returned:
    HTTP status: 400

Server response:
{
    "code": "invalid_request",
    "subcode": "error_directory_quota_exceeded",
    "message": "User '8b000000-0000-0000-0000-000000000000' is not eligible 
                to enroll a device of type 'Windows'. 
                Reason 'DeviceCapReached'.",
    "operation": "DeviceJoin",
    "requestid": "a0000000-0000-0000-0000-000000000000",
    "time": "2025-05-30 15:33:09Z"
}

 

This is the result of the Microsoft Entra device limit reached for the user for Windows platform. To resolve, use the same steps as Android when Microsoft Entra device limit is reached.

 

Device limit reached – Windows Autopilot hybrid join scenario

The Microsoft Entra device limit reached error will also occur when changing the primary user in Intune for Windows Autopilot Microsoft Entra hybrid joined devices). In the Autopilot hybrid join scenario there will be two device records in Azure. The Microsoft Entra hybrid join record, and the standard Microsoft Entra join record. Changing the primary user only updates the hybrid joined record in Microsoft Entra, leaving the original user as the owner of the Microsoft Entra join record. The owner entries on the Microsoft Entra join record will impact the device registration limit. Rather than removing the Microsoft Entra join device, which deletes its join state and is not a recommended approach, remove the registered owner on that record.

 

Note: Deploying new devices as Microsoft Entra hybrid join devices isn’t recommended, for more details refer to Microsoft Entra joined vs. Microsoft Entra hybrid joined in cloud-native endpoints: Which option is right for your organization.

 

The following image shows the device state after the Microsoft Entra hybrid joined deployment is completed. User1 enrolled a Microsoft Entra hybrid join device with Intune and Windows Autopilot and the registered user for both the records is ‘user1’.

 

After changing the primary user in Intune to user2, only the Microsoft Entra hybrid joined record is updated for user2.

 

The Microsoft Entra device registration usage for user1 remains unchanged for the Microsoft Entra joined record, both before and after modifying the primary user of the Intune device. This counts toward the Microsoft Entra registration limit for user1.

 

Resolution

Before proceeding with the resolution steps for this scenario, it’s important to note the difference between a registered owner and a registered user:

• Registered owner: A registered owner is the user that cloud joined the device or registered their personal device. The registered owner is set at the time of registration.
• Registered user: For cloud joined devices and registered personal devices, registered users are set to the same value as registered owners at the time of registration.

 

Remove the registered owner

This action can be done using PowerShell and Graph Explorer.

 

Step 1. Check the user's device count in Microsoft Entra ID using Graph Explorer or PowerShell.

PowerShell: This query lists the registered devices for the user.

Install-Module Microsoft.graph
Connect-MGgraph
Get-MgUserRegisteredDevice -UserId <userID>
Get-MgUserRegisteredOwner -UserId <userId>

 

Sample from PowerShell:

 

Graph Explorer queries:

Owned devices for the user

GET https://graph.microsoft.com/v1.0/users/{user-id}/OwnedDevices

 

Registered device for the user

GET https://graph.microsoft.com/v1.0/users/{user-id}/registeredDevices

 

Sample Graph Explorer output: Only the "ID" in the output is needed to remove the device in next step.

{
    "@odata.context": "******",
    "@microsoft.graph.tips": "******",
    "id": "00000000-0000-0000-0000-00000000",
    "deletedDateTime": null,
    "accountEnabled": true,
    "approximateLastSignInDateTime": "******",
    "complianceExpirationDateTime": null,
    "createdDateTime": "******",
    "deviceCategory": null,
    "deviceId": "******",
    "deviceMetadata": null,
    "deviceOwnership": "Company",
    "deviceVersion": 2,
    "displayName": "******",
    "domainName": null,
    "enrollmentProfileName": null,
    "enrollmentType": "AzureDomainJoined",
    "externalSourceName": null,
    "isCompliant": false,
    "isManaged": true,
    "isRooted": false,
    "managementType": "MDM",
    "manufacturer": "******",
    "mdmAppId": "******",
    "model": "******",
    "onPremisesLastSyncDateTime": null,
    "onPremisesSyncEnabled": null,
    "operatingSystem": "******",
    "operatingSystemVersion": "******",
    "physicalIds": [
        "******",
        "******",
        "******",
        "******"
    ],
    "profileType": "RegisteredDevice"
}

 

Step 2. After confirming the user association for the device, remove both the registered owner and user for the Microsoft Entra joined device record to clear the user count toward the pre-defined limit.

 

Graph API query: Replace the 'deviceid' in the following query with the 'id' from the Graph Explorer output from the previous step.

 

Delete Registered Owner

DELETE       https://graph.microsoft.com/v1.0/devices/{deviceid}/registeredowners/{user-id}/$ref

 

Delete Registered User

DELETE       https://graph.microsoft.com/v1.0/devices/{deviceid}/registeredusers/{user-id}/$ref

 

This can also be done with PowerShell as below.

 

PowerShell commands

In the below commands DeviceID = Microsoft Entra Device ID/ObjectID. It’s important to remove both the registered owner and registered user for the device.

 

Remove registered owner:

Remove-mgdeviceregisteredownerDirectoryObjectByRef –DeviceId <DeviceID> -DirectoryObjectId <userID>

 

Sample PowerShell output:

 

Remove registered user:

Remove-mgdeviceregistereduserDirectoryObjectByRef –DeviceId <DeviceID> -DirectoryObjectId <userID>

 

Sample PowerShell output:

 

PowerShell or Graph Explorer can also be used to delete the device in other scenarios such as Intune device deletion and Microsoft Entra device ID deletion.

 

Summary

Device enrollment can fail when either Intune or Microsoft Entra device limits are reached.  These errors can be confusing, however, understanding the difference between Microsoft Entra device registration limits and Intune device enrollment limits makes it easier to sort out and resolve the issue. These issues commonly stem from stale device records, or changing the primary user of a Microsoft Entra hybrid joined device. Resolving them involves removing inactive devices or adjusting device limit policies in the appropriate service. As a best practice, avoid changing the primary user of the Microsoft Entra hybrid joined device and deploy the Windows Autopilot device to new users with a fresh start.

 

Additional information on this topic can be found in the Microsoft Learn docs below:

• Device limit - Understand Intune and Microsoft Entra device limit restrictions
• List RegisteredDevices for user - List registeredDevices - Microsoft Graph v1.0
• ListOwnedDevices for user - List ownedDevices - Microsoft Graph v1.0
• Remove the registered owners for the device - Delete registeredOwners - Microsoft Graph v1.0
• Remove the registered user for the device - List registeredUsers - Microsoft Graph v1.0

 

If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam.