How to Resolve Error Code Caa50021 in Microsoft 365 App Login

Error code Caa50021 occurs when users attempt to sign in to Microsoft 365 applications and the sign-in fails because of a device or domain-related problem. Common causes are conditional access policies that require a registered or compliant device, device registration problems on the client, or a mismatch between what the device believes about its join state and what Microsoft Entra ID (formerly Azure AD) has recorded for it.

This step-by-step troubleshooting guide will help you resolve the error, including checking device logs, registration status, and domain connectivity.


Step 1. Check Device Status.

Check Domain or Azure AD Connection

Ensure that your device is either joined to the domain (for on-premises environments) or joined to or registered in Microsoft Entra ID.

  For Windows devices:
  1. Press `Windows Key + I` to open Settings.
  2. Navigate to Accounts > Access work or school.
  3. Confirm that the device shows as Domain joined (on-premises) or as joined to Azure AD.

Verify Network Connectivity

Ensure that your device is connected to a stable network and can reach the endpoints used for device registration and sign-in (login.microsoftonline.com, device.login.microsoftonline.com and enterpriseregistration.windows.net). A proxy or firewall that blocks these, or that performs TLS inspection on them, can trigger login errors like Caa50021 even though general internet access works.

Step 2. Check Event Logs for Device Registration.

To diagnose potential device registration issues, you can check the Windows Event Viewer for relevant logs.

  1. Open Event Viewer
    • Press `Windows Key + R` to open the Run dialog.
    • Type `eventvwr.msc` and press Enter.
  2. Locate Device Registration Logs
    • In Event Viewer, navigate to Applications and Services Logs > Microsoft > Windows > User Device Registration > Admin.
    • Check for any errors or warnings around the time of the failed sign-in that might indicate a problem with the device's registration.
  3. Common Event IDs
    • Event ID 305: Automatic registration succeeded.
    • Event IDs 304 and 307: Automatic registration failed. The event text carries an exit code (HRESULT) and often a server error; search on that code rather than on the Caa50021 error the app displays, since the app error is the downstream symptom.

Step 3. Check Device Registration Status with `dsregcmd /status`.

The `dsregcmd /status` command reports the device's join and registration state as the client sees it, which is the first thing to compare against what the Entra portal shows.

Run `dsregcmd /status`

  1. Open Command Prompt or PowerShell as an administrator.
  2. Run the following command.
    dsregcmd /status

Analyze the Output

The output is divided into sections (Device State, Tenant Details, SSO State, and so on). The fields that matter for this error are,

  1. AzureAdJoined: YES for an Azure AD-joined or Hybrid Azure AD-joined device.
  2. DomainJoined: YES for a device joined to an on-premises Active Directory domain. A device with both AzureAdJoined and DomainJoined set to YES is Hybrid Azure AD joined.
  3. EnterpriseJoined: Whether the device is registered with an on-premises Device Registration Service (AD FS). This is NO in a typical Microsoft 365 tenant and is not the same thing as DomainJoined.
  4. DeviceId: The device's unique identifier in Azure AD. Use it to find the matching device object in the Entra portal; a blank value, or an ID that does not match any object in the portal, means the client and the directory disagree about the registration.
  5. AzureAdPrt: Listed under SSO State. Should be YES. Without a Primary Refresh Token the device cannot broker tokens for Microsoft 365 apps, so a join that looks healthy but shows AzureAdPrt : NO still produces sign-in failures.

Run Device Registration Troubleshooting Commands

If device registration or connectivity remains an issue, use the following commands.

To force the device to re-register.

Run dsregcmd /debug /leave

This command removes the device's registration from Azure AD. It must be run in the SYSTEM context (for example from an elevated `psexec -s` shell) and is intended for Hybrid Azure AD-joined devices. Do not use it on a cloud-only Azure AD-joined device: removing the join that way leaves the device without its work account, so use Settings > Accounts > Access work or school instead.

Once the device has re-registered, sign out and sign back in so that a new Primary Refresh Token is obtained.

Force Device to Rejoin Azure AD

Run the following scheduled task to trigger automatic device registration.

schtasks.exe /run /tn "Microsoft\Windows\Workplace Join\Automatic-Device-Join"

Confirm Registration

After running these commands, rerun dsregcmd /status to confirm that the device has been successfully re-registered.
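The following script is an added example and is not part of the original article; it gathers the evidence from Steps 2 and 3 in one pass (recent User Device Registration events and the relevant `dsregcmd /status` fields) and wraps the re-registration task from this section so the status can be re-checked afterwards. It assumes an elevated PowerShell session on the affected Windows device; the function names are the example's own.

```powershell
# Added example, not code from the original article.
# Run from an elevated PowerShell session on the affected Windows device.

function Get-DsregStatus {
    # Parse "dsregcmd /status" into a hashtable keyed by field name.
    # Output lines look like "   AzureAdJoined : YES"; section banners
    # ("| Device State |") and blank lines do not match and are skipped.
    $status = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }
    return $status
}

function Test-DeviceRegistration {
    # Summarise the fields Step 3 tells you to look at.
    $s = Get-DsregStatus
    [pscustomobject]@{
        AzureAdJoined    = $s['AzureAdJoined']
        DomainJoined     = $s['DomainJoined']
        EnterpriseJoined = $s['EnterpriseJoined']
        DeviceId         = $s['DeviceId']
        TenantName       = $s['TenantName']
        AzureAdPrt       = $s['AzureAdPrt']
        # A join that looks healthy but has no PRT cannot broker tokens
        # for Microsoft 365 apps, which is a common shape of this failure.
        PrtMissing       = ($s['AzureAdJoined'] -eq 'YES' -and $s['AzureAdPrt'] -ne 'YES')
    }
}

function Get-DeviceRegistrationEvents {
    param([int]$Hours = 24)
    # Errors and warnings from the User Device Registration admin log (Step 2).
    # 305 = automatic registration succeeded; 304/307 = it failed (see the HRESULT).
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-User Device Registration/Admin'
        Level     = 2, 3      # 2 = Error, 3 = Warning
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

function Invoke-DeviceRejoin {
    # Kick the scheduled task the article names, wait, and re-check status.
    # dsregcmd /leave is deliberately not run here: it needs the SYSTEM context
    # and is meant for hybrid-joined devices, so run it by hand only after
    # Test-DeviceRegistration shows DomainJoined : YES.
    schtasks.exe /run /tn 'Microsoft\Windows\Workplace Join\Automatic-Device-Join' | Out-Null
    Start-Sleep -Seconds 60   # registration is asynchronous; give it a minute
    Test-DeviceRegistration
}

# Diagnostic pass: join state first, then any registration failures in the last day.
Test-DeviceRegistration | Format-List
Get-DeviceRegistrationEvents | Format-Table -AutoSize
```

Run the two diagnostic lines first and keep the output; only call `Invoke-DeviceRejoin` once the event log and the join state point at registration rather than at a conditional access policy, and compare the `DeviceId` it reports with the device object in the Entra portal.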

Step 4. Check Device Compliance in Microsoft Entra.

Ensure that the device is compliant with your organization's policies. If conditional access is enforcing device compliance, this could be the cause of the error.

Log into the Microsoft Entra portal

Go to https://entra.microsoft.com.

Check Device Registration

  1. In the Entra portal, go to Devices > All devices.
  2. Search for the device and confirm its Join type, MDM, Compliant and Registered columns. A device that is missing here, or that appears more than once alongside stale entries, has a registration problem rather than a compliance problem.
  3. If the device is marked as non-compliant, open it in Intune (or your MDM) and review which compliance policy setting is failing.

Step 5. Review Conditional Access Policies.

Conditional access policies can block access based on device registration or compliance. Review and adjust these policies if needed.

Navigate to Conditional Access

In the Entra portal, go to Security > Conditional Access.

Evaluate Conditional Access Policies

  1. Review policies that require the device to be registered, Hybrid Azure AD joined, or marked compliant before granting access.
  2. Rather than disabling a policy to test it, which removes the control for every user it covers, open the failing sign-in in Entra's Sign-in logs and check its Conditional Access tab: it lists each policy that applied, whether it was satisfied, and the device details the request carried. The What If tool gives the same answer without a live sign-in. If a change is needed, test it in report-only mode or with a narrowly scoped exclusion before altering the enforced policy.
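The following script is an added example and is not part of the original article; it covers Steps 4 and 5 from the directory side using the Microsoft Graph PowerShell SDK: it reads the device object, lists the enabled or report-only conditional access policies whose grant controls require a compliant or hybrid-joined device, and pulls the user's recent failed sign-ins with the policy and device details each one carried. It assumes the Microsoft.Graph modules are installed, that the signed-in administrator holds the Policy.Read.All, Directory.Read.All and AuditLog.Read.All permissions, and that `$DeviceName` and `$UserUpn` are placeholders to be replaced.

```powershell
# Added example, not code from the original article.
# Assumes the Microsoft.Graph PowerShell SDK; $DeviceName and $UserUpn are placeholders.
Import-Module Microsoft.Graph.Identity.DirectoryManagement   # Get-MgDevice
Import-Module Microsoft.Graph.Identity.SignIns               # Get-MgIdentityConditionalAccessPolicy
Import-Module Microsoft.Graph.Reports                        # Get-MgAuditLogSignIn

$DeviceName = 'DESKTOP-EXAMPLE'        # placeholder: the affected device name
$UserUpn    = 'user@contoso.example'   # placeholder: the affected user

Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All', 'AuditLog.Read.All' -NoWelcome

# Step 4: the device object as the directory sees it. TrustType is AzureAd,
# ServerAd (hybrid) or Workplace (registered); more than one row means stale objects.
Write-Host "== Device object(s) named $DeviceName =="
Get-MgDevice -Filter "displayName eq '$DeviceName'" |
    Select-Object DisplayName, DeviceId, TrustType, IsManaged, IsCompliant, ApproximateLastSignInDateTime |
    Format-Table -AutoSize

# Step 5: policies that can block a device whose registration is broken. Report-only
# policies are included because their result still shows up in the sign-in logs.
$deviceControls = 'compliantDevice', 'domainJoinedDevice'
Write-Host '== Policies requiring a compliant or hybrid-joined device =='
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object {
        $_.State -ne 'disabled' -and
        ($_.GrantControls.BuiltInControls | Where-Object { $deviceControls -contains $_ })
    } |
    Select-Object DisplayName, State,
        @{ n = 'RequiredControls'; e = { $_.GrantControls.BuiltInControls -join ',' } },
        @{ n = 'Operator';         e = { $_.GrantControls.Operator } } |
    Format-Table -AutoSize

# Sign-in evidence: which policy failed and what device detail the token request
# carried. An empty DeviceId or TrustType on the failing sign-in points at the
# client's registration, not at the policy; a compliant/managed device that still
# fails points at the policy's other conditions.
$since = (Get-Date).AddDays(-1).ToUniversalTime().ToString('yyyy-MM-dd\THH:mm:ss\Z')
Write-Host "== Failed sign-ins for $UserUpn since $since =="
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$UserUpn' and createdDateTime ge $since" -Top 50 |
    Where-Object { $_.ConditionalAccessStatus -eq 'failure' -or $_.Status.ErrorCode -ne 0 } |
    ForEach-Object {
        [pscustomobject]@{
            Time           = $_.CreatedDateTime
            App            = $_.AppDisplayName
            ErrorCode      = $_.Status.ErrorCode
            CAStatus       = $_.ConditionalAccessStatus
            FailedPolicies = ($_.AppliedConditionalAccessPolicies |
                                Where-Object Result -eq 'failure' |
                                ForEach-Object DisplayName) -join '; '
            DeviceId       = $_.DeviceDetail.DeviceId
            TrustType      = $_.DeviceDetail.TrustType
            IsCompliant    = $_.DeviceDetail.IsCompliant
            IsManaged      = $_.DeviceDetail.IsManaged
        }
    } | Format-Table -AutoSize
```

Read the three outputs together: the `DeviceId` on the failing sign-in should match the device object from the first query and the `DeviceId` that `dsregcmd /status` reports on the client. When it does not, fix the registration (Step 6) before touching any policy; when it does and the device is compliant, the failing policy's remaining conditions (location, client app, sign-in risk) are the next thing to check.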

Step 6. Re-register or Rejoin the Device.

If your device isn’t properly registered, re-registering it might resolve the issue.

Re-register the device

  1. Go to Settings > Accounts > Access work or school.
  2. Disconnect and reconnect the work or school account to re-register the device with Azure AD.

Hybrid Domain-Joined Devices

If the device is Hybrid Azure AD Joined, ensure that Azure AD Connect (Microsoft Entra Connect) is synchronizing the computer object: the on-premises computer account must be in an OU that is in scope for synchronization and must appear under Devices in the Entra portal before the hybrid join can complete.

Step 7. Understand Device Enrollment Types and Common Issues.

There are three primary ways that Windows devices interact with Microsoft Entra ID (Azure AD), each with its own potential for generating the Caa50021 error:

  1. Azure AD Joined Devices
    • Scenario: The device is entirely cloud-based and joined to Azure AD, typically managed by Intune or another MDM (Mobile Device Management) solution.
    • Common Issue: If the device is not properly registered in Azure AD, login attempts can fail due to misconfigured registration or compliance settings.
  2. Azure AD Registered Devices
    • Scenario: Personal devices that are registered with Azure AD but not joined to it or to an on-premises domain. These are typically BYOD (Bring Your Own Device) devices.
    • Common Issue: These devices might not meet all compliance requirements enforced by conditional access policies, causing errors like Caa50021.
  3. Hybrid Azure AD Joined Devices
    • Scenario: These devices are joined to an on-premises Active Directory domain and are also joined to Azure AD, so that cloud-based authentication and device-based conditional access work for them.
    • Common Issue: If the computer object is not synchronized correctly between on-premises AD and Azure AD, the hybrid join cannot complete, causing errors during login.

Note. Devices that are Hybrid Azure AD Joined are most likely to encounter errors related to conditional access policies or device registration, especially if Azure AD Connect isn’t properly configured.

Conclusion

Error code Caa50021 in Microsoft 365 login is typically associated with device or domain connectivity issues. By following the steps outlined in this guide, including reviewing event logs, checking device registration status, and ensuring compliance with conditional access policies, you can methodically resolve the issue.

