Joining Azure AD fails—Can’t connect to URL for your organization’s MDM terms

• Author
• Recent Posts

Robert Pearman

Robert is a small business specialist from the UK and currently works as a system administrator. He was a Microsoft MVP for eight years and has worked as a technical reviewer for Microsoft Press. You can follow Robert on Twitter and in his blog.

Latest posts by Robert Pearman (see all)

• Run Exchange Online commands using Azure Automation - Tue, Jul 25 2023
• Connect to Exchange Online with PowerShell and certificate-based authentication - Wed, Jul 19 2023
• Office Deployment Tool (ODT): Deploy Office using custom XML files - Thu, Mar 30 2023

The error text here is slightly misleading; you may be left trying to troubleshoot why a device cannot reach a specific URL.

Cant connect to the URL for your organizations MDM terms

What the error is actually telling you, though, is that the user account you tried to join Azure AD with is not licensed for MDM. You might be thinking, well, that's right, this user does not have MDM, and this device is out of scope of our MDM deployment.

However, the default setting for MDM enrollment with Intune is that all users are in scope for MDM, so irrespective of whether they have a license or not, the Azure AD join process will attempt to enroll in MDM. If they are not licensed, it will fail. It does not, at the time of writing, simply skip MDM enrollment.

Fortunately, resolving this is rather straightforward and relies on creating a dynamic group and modifying the enrollment scope of MDM.

If you have never used dynamic groups, you should definitely investigate them.

So, first, let's create a dynamic group. From the Azure Active Directory portal, go to Groups, and select New Group.

Adding a group

On the New Group screen, set Group type to Security, choose a Group name, add a Group description if you want, and set the Membership type to Dynamic User.

Creating a dynamic group

Once you select Dynamic User, you will see a new option appear. Click Add a dynamic query.

Add dynamic query

On the Add Dynamic Query screen, you can specify the criteria that should be met for someone to be a member of this group. The goal of this group is only to add members who have an MDM license.

So, using some detective work (i.e., Google), we can find some information on what type of query would yield those results.

This article is a great resource for SKU names and their GUIDs. It tells us that the GUID for Microsoft Intune (MDM) is 8e9ff0ff-aa7a-4b20-83c1-2f636b600ac2.

A word of caution here, though, depending on what license is assigned to your user. Whether it be a bundle or a single license, the GUID may be different. We can check this below.

This document is also a good place to start with dynamic query rules.

So now that we have an idea of what we want to put in our rule, we can try to craft one that says, "any user that has an Intune license."

Click Edit to enter the Rule Syntax editor.

Adding a rule

We want to add the syntax below. Click OK to save.

user.assignedPlans -any (assignedPlan.servicePlanId -eq "8e9ff0ff-aa7a-4b20-83c1-2f636b600ac2" -and assignedPlan.capabilityStatus -eq "Enabled")

Click Validate Rules.

This is a useful preview feature that allows us to test our dynamic query. We can select users who should or should not be included in the results and then adjust the query as required.

Validating rule results

I deliberately chose a user who I knew should be in the group (represented by the green check), and one that shouldn't (represented by the red cross). This shows that my query is working as expected.

I can now save the group.

Saving the group

Now, we need to adjust the scope for our MDM autoenrollment. In the Azure AD menu, find Mobility (MDM and MAM).

Configuring the MDM settings

Click through the breadcrumbs until you reach the Configure page.

Change the MDM scope from All to some.

The Groups link will now become active.

Search for and select the dynamic user group we made in the previous steps.

Save your changes.

Saving the MDM user scope

You now need to wait for the settings to flush through the system. I would allow at least an hour for this.

Then, when you try to join your device to Azure AD, it will not attempt to enroll in MDM unless the user is a member of the dynamic group (i.e., has an Intune license), and the join will succeed.