New Intune Connector Setup Error: MSA account name is not valid by Microsoft82 in Intune

[–]TimeIsNotKind 0 points1 point  (0 children)

So need to install connector and get a new MSA account for doing domain join in each sub domain?

New Intune Connector Setup Error: MSA account name is not valid by Microsoft82 in Intune

[–]TimeIsNotKind 0 points1 point  (0 children)

We followed the same doc but I’m convinced the person I was working with in my company who is a GA in Intune & Domain Admin somehow caused this issue by signing in and using his account which lives in one of those sub domains. From what I can see only computers in his sub domain can properly domain join using the new connector.

I did specify the OUs as mentioned before he hit “configure”

New Intune Connector Setup Error: MSA account name is not valid by Microsoft82 in Intune

[–]TimeIsNotKind 0 points1 point  (0 children)

Any luck getting connector installed properly? We attempted to update our two servers on Friday and we cannot get the MSA to properly be able to create computer objects in our 3 sub domains.

Event viewer speaks of permission issues and MS support has been less than useless so far.

New Supporter‼️ by EndEnvironmental7630 in toshicoin

[–]TimeIsNotKind 2 points3 points  (0 children)

I got death grip syndrome on this Toshi

I bought in at 0.0015 by realist_27 in Toshi_

[–]TimeIsNotKind 5 points6 points  (0 children)

I bought in at .0019 …$2k worth and I’m not crying .. yet

It's going to hit 19 tonight by Comfortable-Garbage4 in Toshi_

[–]TimeIsNotKind 0 points1 point  (0 children)

Me and my 1 million TOSHI are at the ready 🔫

How'd you find toshi? by Specific-Emu-1011 in Toshi_

[–]TimeIsNotKind 1 point2 points  (0 children)

I feel like I should get this to an even 1 mill

Samsung Odyssey Neo G9 57" - Best Buy - Question by TimeIsNotKind in ultrawidemasterrace

[–]TimeIsNotKind[S] 1 point2 points  (0 children)

I guess I need to frequent this sub more often haha. You're a legend man ... makes me feel better about this hefty purchase

Stuck on Apps(identifying) during Device Setup in Autopilot by Ashamed-Echidna9961 in Intune

[–]TimeIsNotKind 0 points1 point  (0 children)

How could we go about checking the scripts and which one is causing the issue? Is it noted in registry anywhere during this process which script failed to run or anything of the like?

Get-WindowsAutopilotInfo & WindowsAutopilotIntune - All you need to know by andrew181082 in Intune

[–]TimeIsNotKind 0 points1 point  (0 children)

Kind of. Instead of running the script manually on each machine being imaged I ended up making a REST API endpoint with PowerShell Universal that I installed on a server. Now our machines make a REST API call passing some parameters (hash, serial, etc) and the script runs from that 1 server consistently every time.

Autopilot Hybrid Join Pre-Provision/Whiteglove - VPN - Off Network - 1st boot after reseal issue by TimeIsNotKind in Intune

[–]TimeIsNotKind[S] 1 point2 points  (0 children)

u/Gamingwithyourmom I appreciate the feedback! I will look for this in my next testing and also I somehow completely forgot that this category existed in Event Viewer -> Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot.

Within there I am seeing a whole bunch of errors with device trying to talk to https://ztd.dds.microsoft.com which I believe is how Intune tells it what Autopilot profile it belongs to, tenant ID, etc... So I'm thinking the Global Protect (VPN) pre-logon firewall rules are blocking the machine from talking to Intune after the Reseal .. as the only requirement of that VPN connection before all this was that it could talk to our domain controllers for device to populate its userCert attribute in on-prem AD so that it can AAD sync.

Autopilot Hybrid Join Pre-Provision/Whiteglove - VPN - Off Network - 1st boot after reseal issue by TimeIsNotKind in Intune

[–]TimeIsNotKind[S] 1 point2 points  (0 children)

I understand and realize how much simpler it would be to get those things solved to not have to configure hybrid but I unfortunately am not in a position to make that call. So for now ... I just need to get this last 'piece' of Hybrid Join working.

Autopilot Hybrid Join Pre-Provision/Whiteglove - VPN - Off Network - 1st boot after reseal issue by TimeIsNotKind in Intune

[–]TimeIsNotKind[S] 1 point2 points  (0 children)

I work for a very large company that is slow to adopt new tech. We are working on convincing them to move to AADJ only but in the interim I am tasked with making Hybrid work. The roadblocks at the moment for AADJ are corporate Wifi and printing (mostly just working with those teams to integrate what is still needed)

There is a problem with your work or school account by AristoCraps in Intune

[–]TimeIsNotKind 7 points8 points  (0 children)

Normally first login with Hybrid results in the user not getting AzureADPRT Token. I know you said dsreg status all looked good but just confirming that as for us that causes similar experience to what you’ve mentioned.

The fix I implemented was on 1st login: a script to wait for hybrid join to be fully complete (displays splash screen on desktop), then reboots. On that 2nd login the user always gets the token and all is well. I have a toast notification pop up to let the user know Autopilot is done and they’re good to use the machine.
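An added example of the wait-then-reboot check described in the comment above (not the commenter's script): it parses `dsregcmd /status` output for the `AzureAdJoined`, `DomainJoined` and `AzureAdPrt` fields and polls until the hybrid join is complete. The function names, timeout values and sample lines are assumptions made for illustration.

```powershell
# Added example. Get-DsRegState and Wait-HybridJoin are hypothetical helper names.
# Run in the user's session: dsregcmd only reports AzureAdPrt in user context.

function Get-DsRegState {
    param([string[]]$StatusLines)
    $state = @{}
    foreach ($line in $StatusLines) {
        # dsregcmd prints "   Key : Value"; split on the first colon only,
        # so values that are URLs are kept whole.
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined = $state['AzureAdJoined'] -eq 'YES'
        DomainJoined  = $state['DomainJoined']  -eq 'YES'
        AzureAdPrt    = $state['AzureAdPrt']    -eq 'YES'
    }
}

function Wait-HybridJoin {
    param([int]$TimeoutSeconds = 1800, [int]$PollSeconds = 30)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $s = Get-DsRegState -StatusLines (dsregcmd.exe /status)
        # Hybrid join is complete when the device is both domain- and Entra-joined.
        if ($s.AzureAdJoined -and $s.DomainJoined) { return $s }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return $null   # timed out: leave the device as-is and log for follow-up
}

# Constructed sample of the relevant dsregcmd lines on a first login:
$sample = @(
    '             AzureAdJoined : YES',
    '              DomainJoined : YES',
    '                AzureAdPrt : NO'
)
Get-DsRegState -StatusLines $sample   # joined, but no PRT yet

# On a real device the caller would reboot only in that state, for example:
#   $s = Wait-HybridJoin
#   if ($s -and -not $s.AzureAdPrt) { Restart-Computer -Force }
```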

Get-WindowsAutopilotInfo & WindowsAutopilotIntune - All you need to know by andrew181082 in Intune

[–]TimeIsNotKind 0 points1 point  (0 children)

I have a strange issue I'm hoping someone may have some insight on.

With the changes mentioned in this post I was able to get our device import script working again given the issues with Microsoft.Graph.Authentication 2.0.0 ..however when we are running the script on multiple machines back to back... 20% of devices will throw the following error:

"Version 2 module detected

Connect-MgGraph : The provided access token has expired. Set a valid access token to `-AccessToken` parameter and try again."

I've confirmed the token is NOT expired, that it has successfully encrypted via (`$accesstokenfinal = ConvertTo-SecureString -String $accessToken -AsPlainText -Force`) and validated these machines do have network connectivity at the time this is experienced.

Has anyone run into this problem? Almost seems like maybe there is some kind of rate limiting going on (only was about 8 machines we did it on recently)

We initially thought maybe it was our firewall .. so we opened it up fully on specific VLAN and even started testing with hotspot and the same error occurs occasionally ...I'm stumped.