Why isn't my device joining the target Entra ID, and why is it being removed automatically after a successful initial join?

If automatic enrollment is enabled for Windows devices, you may need to create an exclusion for the provisioning package account.

With these settings enabled, the device will be automatically joined when the provisioning package is installed. However, it may also be removed immediately if the computer or account is not compliant with policy requirements. This commonly occurs when Multi-Factor Authentication (MFA) is enforced, as the provisioning package account is typically not MFA-compliant.

To resolve this, you’ll need to create an MFA exclusion. Check the target MFA policy and add an exclusion for the provisioning package. When adding the exclusion, search for "package ..."; you should see a result similar to the provisioning package account.

Add the provisioning package to the exclusion list, wait approximately 10 minutes for the changes to replicate, and then try provisioning the device again. Finally, review the Audit Logs to see if the behavior has changed.
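
One way to confirm the exclusion and review the audit trail from PowerShell, as an added example that is not part of the original article. It assumes the Microsoft Graph PowerShell SDK is installed and that the provisioning package account's user principal name begins with "package", as the search term above suggests; the one-hour lookback window is also an assumption.

```powershell
# Added example: read-only check of MFA exclusions for provisioning package accounts.
Connect-MgGraph -Scopes 'Policy.Read.All','User.Read.All','GroupMember.Read.All','AuditLog.Read.All'

# Assumption: the account's UPN starts with "package" (the portal search term).
$pkgAccounts = Get-MgUser -Filter "startswith(userPrincipalName,'package')" -All

# Enabled Conditional Access policies whose grant controls require MFA.
$mfaPolicies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and $_.GrantControls.BuiltInControls -contains 'mfa'
}

$report = foreach ($acct in $pkgAccounts) {
    # Groups the account belongs to, so group-based exclusions are detected too.
    $groupIds = @((Get-MgUserMemberOf -UserId $acct.Id -All).Id)

    foreach ($policy in $mfaPolicies) {
        $users    = $policy.Conditions.Users
        $direct   = $users.ExcludeUsers -contains $acct.Id
        $viaGroup = @($users.ExcludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0

        [pscustomobject]@{
            Account         = $acct.UserPrincipalName
            Policy          = $policy.DisplayName
            ExcludedDirect  = $direct
            ExcludedByGroup = $viaGroup
            # False here means the policy can still block or remove the join,
            # provided the policy's include conditions cover this account.
            Excluded        = $direct -or $viaGroup
        }
    }
}
$report | Sort-Object Account, Policy | Format-Table -AutoSize

# After waiting for replication and re-running the provisioning package,
# list recent device-related directory audit events (join followed by removal).
$since = (Get-Date).ToUniversalTime().AddHours(-1).ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge $since" -All |
    Where-Object { $_.ActivityDisplayName -match 'device' } |
    Sort-Object ActivityDateTime |
    Select-Object ActivityDateTime, ActivityDisplayName, Result,
        @{ Name = 'Target';      Expression = { $_.TargetResources[0].DisplayName } },
        @{ Name = 'InitiatedBy'; Expression = { $_.InitiatedBy.User.UserPrincipalName } } |
    Format-Table -AutoSize
```

The script only reads policy and log data. Any row with `Excluded` set to `False` identifies an MFA policy that still needs the exclusion described above.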