When joining a device to Azure AD, you may receive the following error message: Something went wrong. It looks like we can't connect to the URL for your organization's MDM terms of use. Try again, or contact your system administrator with the problem information from this page.

The error text here is slightly misleading; you may be left trying to troubleshoot why a device cannot reach a specific URL.

Cant connect to the URL for your organizations MDM terms

Cant connect to the URL for your organizations MDM terms

What the error is actually telling you, though, is that the user account you tried to join Azure AD with is not licensed for MDM. You might be thinking, well, that's right, this user does not have MDM, and this device is out of scope of our MDM deployment.

However, the default setting for MDM enrollment with Intune is that all users are in scope for MDM, so irrespective of whether they have a license or not, the Azure AD join process will attempt to enroll in MDM. If they are not licensed, it will fail. It does not, at the time of writing, simply skip MDM enrollment.

Fortunately, resolving this is rather straightforward and relies on creating a dynamic group and modifying the enrollment scope of MDM.

If you have never used dynamic groups, you should definitely investigate them.

So, first, let's create a dynamic group. From the Azure Active Directory portal, go to Groups, and select New Group.

Adding a group

Adding a group

On the New Group screen, set Group type to Security, choose a Group name, add a Group description if you want, and set the Membership type to Dynamic User.

Creating a dynamic group

Creating a dynamic group

Once you select Dynamic User, you will see a new option appear. Click Add a dynamic query.

Add dynamic query

Add dynamic query

On the Add Dynamic Query screen, you can specify the criteria that should be met for someone to be a member of this group. The goal of this group is only to add members who have an MDM license.

So, using some detective work (i.e., Google), we can find some information on what type of query would yield those results.

This article is a great resource for SKU names and their GUIDs. It tells us that the GUID for Microsoft Intune (MDM) is 8e9ff0ff-aa7a-4b20-83c1-2f636b600ac2.

A word of caution here, though, depending on what license is assigned to your user. Whether it be a bundle or a single license, the GUID may be different. We can check this below.

This document is also a good place to start with dynamic query rules.

So now that we have an idea of what we want to put in our rule, we can try to craft one that says, "any user that has an Intune license."

Click Edit to enter the Rule Syntax editor.

Adding a rule

Adding a rule

We want to add the syntax below. Click OK to save.

user.assignedPlans -any (assignedPlan.servicePlanId -eq "8e9ff0ff-aa7a-4b20-83c1-2f636b600ac2" -and assignedPlan.capabilityStatus -eq "Enabled")

Click Validate Rules.

This is a useful preview feature that allows us to test our dynamic query. We can select users who should or should not be included in the results and then adjust the query as required.

Validating rule results

Validating rule results

I deliberately chose a user who I knew should be in the group (represented by the green check), and one that shouldn't (represented by the red cross). This shows that my query is working as expected.

I can now save the group.

Saving the group

Saving the group

Now, we need to adjust the scope for our MDM autoenrollment. In the Azure AD menu, find Mobility (MDM and MAM).

Configuring the MDM settings

Configuring the MDM settings

Click through the breadcrumbs until you reach the Configure page.

Change the MDM scope from All to some.

The Groups link will now become active.

Search for and select the dynamic user group we made in the previous steps.

Save your changes.

Saving the MDM user scope

Saving the MDM user scope

You now need to wait for the settings to flush through the system. I would allow at least an hour for this.

Subscribe to 4sysops newsletter!

Then, when you try to join your device to Azure AD, it will not attempt to enroll in MDM unless the user is a member of the dynamic group (i.e., has an Intune license), and the join will succeed.


Leave a reply

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account