The AAD device token is what allows devices to be managed through the CMG when no user is logged in.
How do we know if the device token is not working?
Windows\CCM\Logs\ADALOperationProvider.log on the client is a good place to confirm. The following is a common error we see when there is an issue; it usually comes right after the "Getting AAD (device) token" entry, as seen below.
IWebAuthenticationCoreManagerStatics4 not available. Falling back to user token.    ADALOperationProvider
BlockOnCompletionAndGetResults(spWebAccountProviderOperation.Get(), &spProvider), HRESULT=800703f0 (..\Token.cpp,531)    ADALOperationProvider
Failed to get AAD token..    ADALOperationProvider
An attempt was made to reference a token that does not exist. (Error: 800703F0; Source: Windows)    ADALOperationProvider
Failed to get AAD token for 'S-1-5-18' from WAM API. Error 0x800703f0    ADALOperationProvider
The following are the prerequisites for the AAD device token to work.
SCCM 1806 or higher
Devices must be running Windows 10 version 1803 or higher and be hybrid Azure AD joined
The Server/Web App must be enabled for device token
The first two are straightforward. How can we ensure the Server/Web App is enabled for device token?
If you let SCCM create and register the apps (Server/Web and Client/Native) automatically from the SCCM console, the Server App is most likely configured correctly. If you registered the apps manually in Azure and imported them into SCCM, you have to patch the Server App by running "Update Application Settings" in the console.
The update may fail with "Failed to update settings for the application. For more information, see SMSAdminUI.log", with the following error in SMSAdminUI.log, if you are running a version of SCCM earlier than 1810 hotfix rollup 2 (HFRU2).
Microsoft.ConfigurationManagement.ManagementProvider.SmsException
Failed to update settings for the application. For more information, see SmsAdminUI.log.
   at Microsoft.ConfigurationManagement.AdminConsole.CloudServicesManagement.AAD.AADUtilities.RefreshAppSettings(Object sender, ScopeNode scopeNode, ActionDescription action, IResultObject selectedResultObject, PropertyDataUpdated dataUpdatedDelegate, Status status)
One or more errors occurred.
System.AggregateException
One or more errors occurred.
   at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   at System.Threading.Tasks.Task`1.get_Result()
   at Microsoft.ConfigurationManagement.AdminConsole.CloudServicesManagement.AAD.AADDataHandler.AssignAndGrantPermissionOnServerApplication()
   at Microsoft.ConfigurationManagement.AdminConsole.CloudServicesManagement.AAD.AADUtilities.RefreshAppSettings(Object sender, ScopeNode scopeNode, ActionDescription action, IResultObject selectedResultObject, PropertyDataUpdated dataUpdatedDelegate, Status status)
System.ArgumentNullException
Value cannot be null.
Parameter name: type
The above issue is fixed in 1810 HFRU2.
If you are unable to upgrade to 1810 HFRU2 or higher and still want to enable device token authentication, or you just want to confirm whether device token is enabled on the Server/Web App, you can use Graph Explorer (http://aka.ms/ge) to query the app's properties and modify them.
Graph Explorer won't let you query or change app properties by default. Select "modify permissions" and consent to the Directory.AccessAsUser.All permission for the signed-in user. This grants Graph Explorer access to the directory as you, which is what allows it to query and modify app properties. Because this is a delegated permission, the signed-in user must themselves be allowed to change the app registration (an owner of the app or a directory role such as Application Administrator); otherwise the PATCH will be refused.
Select "retrieve the list of applications" from the sample queries under Applications (beta) to list the registered apps. You can highlight the "Response Preview" area and press Ctrl+F to search for the Server App you are interested in, which is handy when there are many apps. The property we are interested in is isDeviceOnlyAuthSupported. If it is null, as in the screenshot below, device token is not enabled.
Looking at the output closely, there are two IDs for each app: id (the object ID of the app registration) and appId (the application, or client, ID that SCCM shows for the app). The query that updates the app addresses it by id, not appId.
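The same check and fix, done against the Graph API rather than by hand in Graph Explorer, as an added example that is not part of the original post. It locates the Server App by its appId in a /beta/applications response, reports whether isDeviceOnlyAuthSupported is set, and builds the PATCH (addressed by the object id) that enables it. The Graph URLs and the property name are the documented ones; the sample response, its GUIDs and the GRAPH_TOKEN / SERVER_APP_ID environment variables are assumptions made for the example.

```python
# Added example, not code from the original post. Find the CMG server app in a
# Microsoft Graph /applications response, check isDeviceOnlyAuthSupported and
# build the PATCH that enables it. Sample data below is constructed.
import json
import os
import urllib.request

GRAPH_BETA = "https://graph.microsoft.com/beta"   # Graph Explorer's "Applications (beta)" queries use this


def find_app(applications, app_id):
    """Return the app registration whose appId (client ID) matches, or None."""
    for app in applications:
        if app.get("appId", "").lower() == app_id.lower():
            return app
    return None


def device_token_enabled(app):
    """isDeviceOnlyAuthSupported is null (or absent) until somebody sets it; only True counts."""
    return app.get("isDeviceOnlyAuthSupported") is True


def plan_device_token_fix(applications, app_id):
    """Decide what to do for the server app identified by its client ID (appId).

    Returns the object id to PATCH (Graph's 'id', not 'appId'), whether device
    token is already enabled, and the request that would enable it.
    """
    app = find_app(applications, app_id)
    if app is None:
        raise LookupError(f"no app registration with appId {app_id}")
    return {
        "object_id": app["id"],
        "display_name": app.get("displayName"),
        "enabled": device_token_enabled(app),
        "patch_url": f"{GRAPH_BETA}/applications/{app['id']}",
        "patch_body": {"isDeviceOnlyAuthSupported": True},
    }


def graph_call(token, method, url, body=None):
    """Minimal Graph call with a bearer token (needs network; not exercised offline)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()            # PATCH returns 204 with an empty body
        return json.loads(raw) if raw else {}


# Constructed sample of what GET /beta/applications returns for two app
# registrations; all IDs are made up. Note both 'id' and 'appId' are present.
SAMPLE_APPLICATIONS = [
    {"id": "11111111-2222-3333-4444-555555555555",
     "appId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
     "displayName": "ConfigMgrServerApp",
     "isDeviceOnlyAuthSupported": None},
    {"id": "66666666-7777-8888-9999-000000000000",
     "appId": "ffffffff-0000-1111-2222-333333333333",
     "displayName": "ConfigMgrClientApp",
     "isDeviceOnlyAuthSupported": None},
]

if __name__ == "__main__":
    # Assumed environment: GRAPH_TOKEN holds a bearer token obtained with a
    # permission that can read and write app registrations; SERVER_APP_ID is
    # the Server App's client ID as shown in the SCCM console.
    token = os.environ.get("GRAPH_TOKEN")
    target = os.environ.get("SERVER_APP_ID", SAMPLE_APPLICATIONS[0]["appId"])
    if token:
        # Large tenants page this list; follow @odata.nextLink if the app is not on page one.
        apps = graph_call(token, "GET", f"{GRAPH_BETA}/applications")["value"]
    else:
        apps = SAMPLE_APPLICATIONS
    plan = plan_device_token_fix(apps, target)
    print(json.dumps(plan, indent=2))
    if token and not plan["enabled"]:
        graph_call(token, "PATCH", plan["patch_url"], plan["patch_body"])
        print("PATCH sent; re-query the app to confirm isDeviceOnlyAuthSupported is now true")
```

Without GRAPH_TOKEN the script runs against the constructed sample and only prints the plan, which is enough to see that the PATCH URL is built from id while the lookup used appId.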
Once the device token works, the client sends its request through the CMG to the internal management point to get a CCM token. The client must obtain a CCM token before it can access any internal resources. CCM_STS.log on the management point that is enabled for CMG traffic shows whether the CCM token was issued.
Return token to client, token type: UDA, hierarchyId: 3a25dd9f-b871-4b26-87c0-81ab03a43375, userId: 00000000-0000-0000-0000-000000000000, deviceId: GUID:8AAE207C-880C-45C5-BC3A-16919E85F6F2    CCM_STS
Elapsed time: 743 ms    CCM_STS
If you have just updated the device token property and see a 401 in CCM_STS.log, give it some time to catch up.
ProcessRequest - Start CCM_STS
Return code: 401, Description: No bearer token found in request, No bearer token found in request CCM_STS
Elapsed time: 1 ms CCM_STS
Once CCM_STS.log shows the CCM token being issued, check CCMMessaging.log on the client, and add the "Device Online From Internet" and "Device Online Management Point" columns to the Devices view in the console to confirm the client is communicating through the CMG.
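The two log checks described in this post (the WAM failure for S-1-5-18 in ADALOperationProvider.log, and the 401 versus "Return token to client" entries in CCM_STS.log) can be automated over raw log files, as in the added example below, which is not part of the original post. It parses the native Configuration Manager log record format that CMTrace renders as the message and component columns shown above, then applies the same rules a person would. The sample records are constructed from the messages quoted in this post; their timestamps and thread IDs are made up, and the hierarchyId/deviceId values are the ones from the CCM_STS.log excerpt above.

```python
# Added example, not code from the original post. Parse raw Configuration
# Manager log records and apply the device token / CCM token checks from the
# post to ADALOperationProvider.log and CCM_STS.log. Sample records are constructed.
import re
import sys

# Native CM log record: <![LOG[message]LOG]!><time="..." date="..." component="..." ...>
CM_LOG_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)" date="(?P<date>[^"]*)" component="(?P<component>[^"]*)"',
    re.S,
)


def parse_cm_log(text):
    """Return the records as a list of {msg, time, date, component} dicts in file order."""
    return [m.groupdict() for m in CM_LOG_RE.finditer(text)]


def check_device_token(entries):
    """Verdict from ADALOperationProvider.log.

    'failed'        : a device token was requested and WAM failed for SYSTEM (S-1-5-18),
                      or the client announced a fallback to the user token
    'ok'            : a device token was requested and no such failure followed
    'not_requested' : no 'Getting AAD (device) token' entry at all
    """
    requested = False
    for e in entries:
        if e["component"] != "ADALOperationProvider":
            continue
        msg = e["msg"]
        if "Getting AAD (device) token" in msg:
            requested = True
        elif requested and ("Failed to get AAD token for 'S-1-5-18'" in msg
                            or "Falling back to user token" in msg):
            return "failed"
    return "ok" if requested else "not_requested"


def check_ccm_token(entries):
    """Verdict from CCM_STS.log on the CMG-enabled management point.

    Returns ('issued', deviceId) when the most recent outcome is a UDA token
    sent to a device, ('401', description) when it is a rejected request, or
    ('none', None) when neither appears.
    """
    last = ("none", None)
    for e in entries:
        if e["component"] != "CCM_STS":
            continue
        msg = e["msg"]
        m = re.search(r"Return token to client, token type: UDA,.*?deviceId: (\S+)", msg)
        if m:
            last = ("issued", m.group(1))
            continue
        m = re.search(r"Return code: 401, Description: ([^,]+)", msg)
        if m:
            last = ("401", m.group(1))
    return last


# Constructed sample: the failing device token request described in the post.
SAMPLE_ADAL_LOG = (
    '<![LOG[Getting AAD (device) token]LOG]!><time="10:00:00.000+000" date="01-01-2020" component="ADALOperationProvider" context="" type="1" thread="100" file="">\n'
    '<![LOG[IWebAuthenticationCoreManagerStatics4 not available. Falling back to user token.]LOG]!><time="10:00:00.100+000" date="01-01-2020" component="ADALOperationProvider" context="" type="2" thread="100" file="">\n'
    '<![LOG[Failed to get AAD token for \'S-1-5-18\' from WAM API. Error 0x800703f0]LOG]!><time="10:00:00.200+000" date="01-01-2020" component="ADALOperationProvider" context="" type="3" thread="100" file="">\n'
)

# Constructed sample: a 401 while the app setting catches up, then a successful CCM token.
SAMPLE_STS_LOG = (
    '<![LOG[ProcessRequest - Start]LOG]!><time="10:01:00.000+000" date="01-01-2020" component="CCM_STS" context="" type="1" thread="200" file="">\n'
    '<![LOG[Return code: 401, Description: No bearer token found in request, No bearer token found in request]LOG]!><time="10:01:00.001+000" date="01-01-2020" component="CCM_STS" context="" type="3" thread="200" file="">\n'
    '<![LOG[Elapsed time: 1 ms]LOG]!><time="10:01:00.001+000" date="01-01-2020" component="CCM_STS" context="" type="1" thread="200" file="">\n'
    '<![LOG[Return token to client, token type: UDA, hierarchyId: 3a25dd9f-b871-4b26-87c0-81ab03a43375, userId: 00000000-0000-0000-0000-000000000000, deviceId: GUID:8AAE207C-880C-45C5-BC3A-16919E85F6F2]LOG]!><time="10:06:00.000+000" date="01-01-2020" component="CCM_STS" context="" type="1" thread="201" file="">\n'
    '<![LOG[Elapsed time: 743 ms]LOG]!><time="10:06:00.743+000" date="01-01-2020" component="CCM_STS" context="" type="1" thread="201" file="">\n'
)

if __name__ == "__main__":
    # Usage: python cmg_token_triage.py ADALOperationProvider.log CCM_STS.log
    # With no arguments the constructed samples above are used.
    adal_text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_ADAL_LOG
    sts_text = open(sys.argv[2], encoding="utf-8", errors="replace").read() if len(sys.argv) > 2 else SAMPLE_STS_LOG
    print("device token:", check_device_token(parse_cm_log(adal_text)))
    print("CCM token:   ", check_ccm_token(parse_cm_log(sts_text)))
```

The CCM_STS check deliberately reports the most recent outcome rather than the first, so a log that contains the 401 entries from before the app setting propagated and then a successful token is reported as healthy.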