-
Title
Entra ID Cutover does not join the device to the target -
Description
Entra ID Cutover does not join the device to the target
If checking the device logs in the Target Entra you can see the device being added and automatically removed then the provisioning package is working but the enviorement configuration is not allowing the Package to complete the domain join.
-
Cause
If you have activated automatic enrollment for Windows devices, you may have to create an exclusion for the provisioning package account.You will need to perform this exclusion if you have activated auto-enrollment. With this settings activated, the device will be joined automatically when the provisioning package is installed, but it may also be immediately deleted if the computer or account is not compliant with the policies. This will happen if MFA is enforced, since the provisioning account is not MFA compliant.
-
Resolution
Therefore, you’ll have to create a MFA exclusion.Check the Target MFA policy and add an exclusion for the provisioning package. When adding the exclusion if you look for package_ you will have a result similar to this one .
Add the provisioning package to the exception list, then wait 10 minutes for the changes the replicate, and after that try the provisioning packaged and check the Audit Logs to see if you have a different behavior.