Hello @Preeti Mishra,
Thank you for posting your query on Microsoft Q&A.
Based on your issue description, I understand that while you are adding the 'AADLogin for Windows' extension on your newly created VM, it gives an error that the tenant ID is not discoverable.
When I reviewed the error message, I can see that the device is unable to get joined to Azure Active Directory (Microsoft Entra ID) and it is failing in the Discover phase.
Firstly, this error occurs when you have the MDM user scope (and/or the MAM user scope) set to Some or All. You need those scopes to be disabled for the VM to be able to be AAD joined.
To do this, navigate to the Microsoft Entra ID blade -> Mobility (MDM and MAM)
Select Microsoft Intune and set the MAM and MDM user scope to None.
If you have Microsoft Intune enrollment, do the same thing, that is set the MDM user scope to None.
Also, please check the possible causes of failure in the Discover phase listed below.
Discover phase
Possible reasons for failure:
- The service connection point object is misconfigured or can't be read from the domain controller.
  - A valid service connection point object is required in the AD forest to which the device belongs, that points to a verified domain name in Microsoft Entra ID.
  - For more information, see the "Configure a service connection point" section of Tutorial: Configure Microsoft Entra hybrid join for federated domains.
- Failure to connect to and fetch the discovery metadata from the discovery endpoint.
  - The device should be able to access https://enterpriseregistration.windows.net, in the system context, to discover the registration and authorization endpoints.
  - If the on-premises environment requires an outbound proxy, the IT admin must ensure that the computer account of the device can discover and silently authenticate to the outbound proxy.
- Failure to connect to the user realm endpoint and do realm discovery (Windows 10 version 1809 and later only).
  - The device should be able to access https://login.microsoftonline.com, in the system context, to do realm discovery for the verified domain and determine the domain type (managed or federated).
  - If the on-premises environment requires an outbound proxy, the IT admin must ensure that the system context on the device can discover and silently authenticate to the outbound proxy.
For additional details, please refer to the document below.
https://learn.microsoft.com/en-us/entra/identity/devices/troubleshoot-hybrid-join-windows-current
I hope the information provided above is helpful. Please feel free to reach out if you have any further questions.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Thanks and Regards,
Sanoop Mohan
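As an added example (my own, not part of the answer above or any Microsoft tooling): a PowerShell check run on the VM itself that confirms the two discovery endpoints named in the answer are reachable, reports any system-wide proxy that the SYSTEM context would have to authenticate to, and shows the device registration state. It assumes an elevated session on the VM; the endpoint URLs are the ones the answer quotes, and dsregcmd is a built-in Windows tool the answer does not mention. The MDM/MAM user scope cannot be verified from the VM and is still checked in the portal as described above.

```powershell
# Added example: Discover-phase prerequisite checks for the AADLoginForWindows
# extension, run from an elevated PowerShell session on the VM. The extension
# joins in the SYSTEM context, so a proxy only the interactive user can reach
# will still break the join; section 1 surfaces that.

$endpoints = @(
    'https://enterpriseregistration.windows.net',   # registration/authorization discovery
    'https://login.microsoftonline.com'             # user realm discovery
)

# 1. Report the system-wide proxy, if any, that each endpoint would be routed through.
$proxy = [System.Net.WebRequest]::DefaultWebProxy
foreach ($uri in $endpoints) {
    $via = $proxy.GetProxy([Uri]$uri)
    if ($via -and $via.AbsoluteUri -ne ([Uri]$uri).AbsoluteUri) {
        Write-Host "Proxy in use for $uri : $($via.AbsoluteUri) (SYSTEM must be able to authenticate to it silently)"
    }
}

# 2. TCP/443 reachability plus an HTTPS GET for each discovery host.
$results = foreach ($uri in $endpoints) {
    $hostName = ([Uri]$uri).Host
    $tcp = Test-NetConnection -ComputerName $hostName -Port 443 -WarningAction SilentlyContinue
    try {
        $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop
        $http = [int]$resp.StatusCode
    } catch {
        # A 4xx from the service still proves TLS reachability; a DNS failure or timeout does not.
        $http = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode }
                else { "ERR: $($_.Exception.Message)" }
    }
    [pscustomobject]@{ Host = $hostName; Tcp443 = $tcp.TcpTestSucceeded; Http = $http }
}
$results | Format-Table -AutoSize

# 3. Registration state as Windows sees it; TenantId should be populated once Discover succeeds.
dsregcmd /status | Select-String -Pattern 'AzureAdJoined|DomainJoined|TenantId|TenantName'
```

If Tcp443 is False or Http shows a DNS/timeout error for either host, fix outbound access (NSG, firewall or proxy) before re-adding the extension.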