"AADSTS700003: Device object was not found in the tenant" issue started since the beginning of September

Question

"AADSTS700003: Device object was not found in the tenant" issue started since the beginning of September

slavag opened this issue 4 years ago · 3 comments

Hi,
We see lot of issues (and it's increasing) across many tenants, when we're trying to acquire token :
AuthenticationContext.acquireTokenByRefreshToken :
Sep 13 13:55:26 Caused by: com.microsoft.aad.adal4j.AuthenticationException: {"error_description":"AADSTS700003: Device object was not found in the tenant 'xxxx' directory.\r\nTrace ID: 154e5983-63d2-4c61-bcc1-717dc2169400\r\nCorrelation ID: f8666b39-307e-4230-b6e5-64ee68c8e86c\r\nTimestamp: 2020-09-13 13:55:25Z","error":"invalid_grant","error_uri":"https://login.microsoftonline.com/error?code=700003"}
Sep 13 13:55:26 at com.microsoft.aad.adal4j.AdalTokenRequest.executeOAuthRequestAndProcessResponse(AdalTokenRequest.java:128)
Sep 13 13:55:26 at com.microsoft.aad.adal4j.AuthenticationContext.acquireTokenCommon(AuthenticationContext.java:913)
Sep 13 13:55:26 at com.microsoft.aad.adal4j.AcquireTokenCallable.execute(AcquireTokenCallable.java:70)
Sep 13 13:55:26 at com.microsoft.aad.adal4j.AcquireTokenCallable.execute(AcquireTokenCallable.java:38)
Sep 13 13:55:26 at com.microsoft.aad.adal4j.AdalCallable.call(AdalCallable.java:47)
Sep 13 13:55:26 ... 4 more

And it's increasing across another tenants, and nothing with change in our side (code or app configuration).
Please advise what can be possible solution for that issue ?
Thanks

Answer 1 · 2020-09-14T19:26:35.000Z

Hi @slavag, there have been no changes in the library, so I suspect this might be related to changes happening on the service. Could you please share the configuration values for applications where you are seeing issues so we can investigate further? Value for authority, tenant id, client id, and resource would be a good start. Feel free to email them via email to sagonzal @ microsoft if you would like to avoid posting that information here.

Answer 2 · 2020-09-14T19:56:18.000Z

@sangonzal Thanks, will send you in private.

Answer 3 · 2020-09-22T18:25:46.000Z

Discussed via email. Posting answer here in case anyone runs into this issue in the future:

The AAD service has shipped a security fix to validate that a device that matches the deviceId claim from a token is actually read from directory and is enabled irrespective of device based conditional access policies.

The reason that the tokens are rejected is because the presence of the deviceId claim indicates a binding to that device and when this device is not found in the directory it indicates a revocation action where the device was deleted or disabled and tokens for that device will no longer be valid.

You can either:

Work with the tenant administrator to get the device record restored https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal#device-management-tasks",
Acquire a new set of tokens, including a new refresh token.