AADSTS135010 UserPrincipal doesn't have the key ID configured
A related error is: Authorisation code not received from authorize endpoint call.
We have seen this error when the organisation restricts “Users may join devices to Microsoft Entra” and an administrator then generates the bulk enrolment token (BPRT) for Entra Joining devices in the PowerSyncPro directory setup for Entra ID.
In this case the organisation had only just added the Global Admin account to the inclusion list for that setting (the ability to join devices) so that PowerSyncPro could create the Bulk Enrolment account, and this caused a caching issue in the Edge browser.
Because the Global Admin was cached in the browser, they needed to forcibly log out of all sessions and clear their refresh token so that they could be fully reauthenticated with their new permission to join devices. This took 2 hours before Entra ID served the correct authorisation codes.
One way to avoid this is to add a different Global Admin, one who has not yet tried to use the PowerSyncPro server, to the Entra ID setting “Users may join devices to Microsoft Entra”, and to use their credentials when generating the BPRT so that there is no caching.
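
The check and forced sign-out described above can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not PowerSyncPro code: it confirms the account is in scope of the device join setting and then revokes its sign-in sessions. The UPN is a placeholder, and the `azureADJoin.allowedToJoin` property names are assumed to follow the Graph beta `deviceRegistrationPolicy` schema.

```powershell
# Added example; not PowerSyncPro code. Requires the Microsoft.Graph PowerShell SDK.
$AdminUpn = 'admin@contoso.example'   # placeholder: account that will generate the BPRT

# User.ReadWrite.All also permits the revoke call; the narrower scope is used here.
Connect-MgGraph -Scopes 'Policy.Read.DeviceConfiguration', 'User.Read.All',
                        'GroupMember.Read.All', 'User.RevokeSessions.All'

$user   = Get-MgUser -UserId $AdminUpn -Property Id,UserPrincipalName
$policy = Invoke-MgGraphRequest -Method GET `
            -Uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy'
$scope  = $policy.azureADJoin.allowedToJoin   # assumption: beta schema property name

# Work out whether "Users may join devices to Microsoft Entra" covers this account.
$inScope = switch -Wildcard ($scope.'@odata.type') {
    '*allDeviceRegistrationMembership' { $true }
    '*noDeviceRegistrationMembership'  { $false }
    '*enumeratedDeviceRegistrationMembership' {
        $direct   = @($scope.users) -contains $user.Id
        $viaGroup = $false
        if (-not $direct -and $scope.groups) {
            # checkMemberGroups is transitive and accepts up to 20 group ids per call.
            $hit = Invoke-MgGraphRequest -Method POST `
                     -Uri "https://graph.microsoft.com/v1.0/users/$($user.Id)/checkMemberGroups" `
                     -Body @{ groupIds = @($scope.groups) }
            $viaGroup = @($hit.value).Count -gt 0
        }
        $direct -or $viaGroup
    }
    default { throw "Unrecognised allowedToJoin value: $($scope | ConvertTo-Json -Depth 5)" }
}

if (-not $inScope) {
    Write-Warning "$AdminUpn is not in scope of 'Users may join devices to Microsoft Entra'."
    return
}

# Invalidate the account's refresh tokens and browser session cookies so the
# next sign-in is a full reauthentication rather than a reuse of the cached session.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
Write-Host "Sessions revoked for $AdminUpn. Sign in again in a fresh browser profile before generating the BPRT."
```

Revoking sessions does not remove the wait reported above: in the case described, Entra ID served the correct authorisation codes only after 2 hours.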