Intune Autopilot enrollment: invalid_client error failed%20to%20authenticate%20user
Intune Autopilot enrollment fails with an “invalid_client” error after the user enters their credentials, showing the following error message:
TL;DR
Error invalid_client failed%20to%20authenticate%20user
Something went wrong
Looks like we can’t connect to the URL for your organization’s MDM terms of use. Try again or contact your system administrator with problem information from this page.
Additional problem information:
Error: invalid_client
Error subcode:
Description: failed%20to%20authenticate%20user
Cause of error invalid_client failed%20to%20authenticate%20user
The user cannot access the terms of use configured in Intune or does not have an Enterprise Mobility + Security E3 license.
Solution
In the Microsoft Endpoint Manager Admin Center, verify that the user who is registering for Intune is licensed:
- Go to the Microsoft Endpoint Manager Admin Center > Users | All users > Search for user > Licenses > Assignments.
- Verify that the user has an Enterprise Mobility + Security E3 or higher license and that the Microsoft Intune option is checked. In the image below, the license is granted through an Azure Active Directory group named “INTUNE_ENROLL”:
Next, check that the user has permission to read the organization’s MDM terms of use in Intune:
- Go to the Microsoft Endpoint Manager Admin Center > Enroll devices | Windows enrollment > Configure.
- Verify that the user is in both user scopes (MDM and MAM). In the image below, the user is in the MDM scope through the option “All” and in the MAM scope through the group “INTUNE_ENROLL”:
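The two checks above can also be run from PowerShell. The script below is an added example, not part of the original post. It assumes the Microsoft Graph PowerShell SDK is installed, uses a placeholder UPN, and generalizes the license check to any assigned SKU that carries the Microsoft Intune service plan (`INTUNE_A`), not only Enterprise Mobility + Security E3.

```powershell
# Added example: requires the Microsoft Graph PowerShell SDK (Microsoft.Graph module).
# $Upn is a placeholder; INTUNE_ENROLL is the group name used on this page.
param(
    [string]$Upn       = 'user@example.com',
    [string]$GroupName = 'INTUNE_ENROLL'
)

Connect-MgGraph -Scopes 'User.Read.All', 'GroupMember.Read.All'

# 1. License check: find the Microsoft Intune service plan (INTUNE_A)
#    in every SKU assigned to the user and record its provisioning status.
$intunePlans = foreach ($sku in Get-MgUserLicenseDetail -UserId $Upn -All) {
    foreach ($plan in $sku.ServicePlans) {
        if ($plan.ServicePlanName -eq 'INTUNE_A') {
            [pscustomobject]@{
                Sku    = $sku.SkuPartNumber
                Status = $plan.ProvisioningStatus   # 'Success' means enabled
            }
        }
    }
}
$licensed = [bool]($intunePlans | Where-Object Status -eq 'Success')

# 2. Scope check: is the user a direct or nested member of the group
#    that the MDM/MAM user scope (and the license assignment) points at?
#    If the scope is set to "All", group membership is not required for it.
$inGroup = [bool](Get-MgUserTransitiveMemberOf -UserId $Upn -All |
    Where-Object { $_.AdditionalProperties['displayName'] -eq $GroupName })

# 3. Summary: both values should be True before retrying enrollment.
[pscustomobject]@{
    User           = $Upn
    IntuneLicensed = $licensed
    IntuneSkus     = ($intunePlans | ForEach-Object { "$($_.Sku):$($_.Status)" }) -join ', '
    ScopeGroup     = $GroupName
    InScopeGroup   = $inGroup
}

if (-not $licensed) {
    Write-Warning "$Upn has no enabled Microsoft Intune service plan."
}
if (-not $inGroup) {
    Write-Warning "$Upn is not a member of $GroupName; check the MDM and MAM user scopes."
}
```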
Result
After applying the Intune license and adding the user to the terms of use scope, Intune Autopilot now works and starts configuring the device: