AADSTS135010 UserPrincipal doesn't have the key ID configured
Learn how to configure the key ID for UserPrincipal to resolve the AADSTS135010 error in your system.
A related error is: “Authorisation code not received from authorize endpoint call.”
We have seen this error when the organisation restricts “Users may join devices to Microsoft Entra” to selected users and an administrator then tries to generate the bulk enrolment token (BPRT) for Entra-joining devices within the PowerSyncPro directory setup for Entra ID.
In the case we saw, the organisation had only just added the Global Admin account to the list of users allowed to join devices (so that PowerSyncPro could create the bulk enrolment account). The Edge browser still held a session issued before that change, so the tokens it presented did not reflect the new permission.
Because the Global Admin session was cached in the browser, the admin had to sign out of all sessions and revoke their refresh tokens so that they were fully re-authenticated with the new device-join permission. Even then it took around 2 hours before Entra ID issued the correct authorisation codes.
One way around this is to add a different Global Admin, one who has not yet signed in to the PowerSyncPro server, to the “Users may join devices to Microsoft Entra” setting and use that account when generating the BPRT, so there is no cached session to invalidate.
We have also seen error AADSTS240004. This appeared to be related to using passwordless sign-in when generating the BPRT; signing in with username and password plus standard MFA made the error go away. Also remember that the Global Admin account you use must NOT be from a federated domain.
For error AADSTS50079 it is important that the account is MFA-enabled. We have also seen cases where the BPRT account (whose UPN begins with package_) was created successfully but then failed Conditional Access, because the package_ account was not excluded from the relevant CA policy. Since each attempt to generate the BPRT creates a fresh package_ account, the accounts cannot be added to the CA policy’s exclusions in advance. We ultimately set the CA policy to “report-only” briefly to allow the process to complete, and switched it back to enabled once the token had been generated.
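The checks above (managed rather than federated domain, membership of the device-join setting, and forcing the Global Admin to re-authenticate) can be done from the Microsoft Graph PowerShell SDK rather than by hand. The script below is an added example and is not PowerSyncPro’s own code; it assumes the SDK is installed, that you can consent to the listed scopes, and that the `AzureAdJoin.AllowedToJoin` property path on the device registration policy is as noted in the comment (the admin UPN is a placeholder):

```powershell
<#
Added example (not PowerSyncPro's own code): pre-flight checks for the Global Admin
account you intend to use when generating the BPRT, using the Microsoft Graph
PowerShell SDK. Assumptions: the SDK is installed, you can consent to the listed
scopes, and the device registration policy output has the shape described below.
#>
param(
    [Parameter(Mandatory)] [string] $AdminUpn,   # e.g. admin@contoso.com (placeholder)
    [switch] $RevokeSessions                     # actually revoke, rather than only report
)

Connect-MgGraph -Scopes "User.Read.All", "Domain.Read.All", "Policy.Read.All", "User.RevokeSessions.All" -NoWelcome

# 1. The account must come from a managed (cloud-authenticated) domain, not a federated one.
$domainName = $AdminUpn.Split('@')[1]
$domain = Get-MgDomain -DomainId $domainName
if ($domain.AuthenticationType -eq 'Federated') {
    throw "$domainName is federated. Use a Global Admin from a managed domain to generate the BPRT."
}
Write-Host "Domain $domainName is $($domain.AuthenticationType)."

# 2. Show who is allowed to join devices ('Users may join devices to Microsoft Entra').
#    AzureAdJoin.AllowedToJoin describes the rule (all users, none, or an enumerated set
#    of users and groups). Its inner layout varies, so it is dumped as JSON for you to
#    confirm the admin is included. The property path is an assumption; check it against
#    the Graph deviceRegistrationPolicy resource if the output is empty.
$policy = Get-MgPolicyDeviceRegistrationPolicy
Write-Host "Device join rule:"
$policy.AzureAdJoin.AllowedToJoin | ConvertTo-Json -Depth 5

# 3. Invalidate the cached browser session so the next sign-in picks up the new permission.
#    This revokes refresh tokens and session cookies server-side; access tokens already
#    issued stay valid until they expire, so allow time before retrying (the case above
#    took around 2 hours before correct authorisation codes were issued).
$user = Get-MgUser -UserId $AdminUpn -Property Id, UserPrincipalName
if ($RevokeSessions) {
    $result = Revoke-MgUserSignInSession -UserId $user.Id
    Write-Host "Sign-in sessions revoked for $($user.UserPrincipalName): $($result.Value)"
} else {
    Write-Host "Re-run with -RevokeSessions to revoke refresh tokens for $($user.UserPrincipalName)."
}
```

Run it first without `-RevokeSessions` to see the domain type and the join rule; once the admin is confirmed to be in the allowed set, run it again with `-RevokeSessions`, then also sign out of Edge (or use an InPrivate window) before retrying the BPRT generation, since the server-side revocation does not clear what the browser has cached locally.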
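Because a new package_ account appears on every attempt, the practical question is which Conditional Access policy is failing those sign-ins and how to put it into report-only for the shortest possible window. The script below is an added example, not PowerSyncPro’s own code; it assumes the Microsoft Graph PowerShell SDK, rights to read sign-in logs and to modify Conditional Access policies, and that the tenant’s sign-in log retention still covers the failed attempts:

```powershell
<#
Added example (not PowerSyncPro's own code): list the package_ accounts that previous
BPRT attempts created, find the Conditional Access policies that failed their sign-ins,
and optionally switch those policies to report-only. Assumes the Microsoft Graph
PowerShell SDK and rights to read sign-in logs and modify Conditional Access policies.
#>
param(
    [switch] $SetReportOnly   # actually change policy state; by default the script only reports
)

Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All", "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess" -NoWelcome

# Each BPRT generation attempt creates a new service account whose UPN begins with package_.
$packageAccounts = Get-MgUser -Filter "startsWith(userPrincipalName,'package_')" `
    -Property Id, UserPrincipalName, CreatedDateTime -All
$packageAccounts | Sort-Object CreatedDateTime | Format-Table UserPrincipalName, CreatedDateTime

# Collect the CA policies that reported a failure on these accounts' sign-ins.
# Sign-in log entries carry AppliedConditionalAccessPolicies with a per-policy Result.
$failedPolicies = foreach ($acct in $packageAccounts) {
    $signIns = Get-MgAuditLogSignIn -Filter "userId eq '$($acct.Id)'" -Top 50
    foreach ($s in ($signIns | Where-Object ConditionalAccessStatus -eq 'failure')) {
        $s.AppliedConditionalAccessPolicies | Where-Object Result -eq 'failure' |
            Select-Object Id, DisplayName, @{ n = 'Account'; e = { $acct.UserPrincipalName } }
    }
}
$uniquePolicies = $failedPolicies | Sort-Object Id -Unique
$uniquePolicies | Format-Table DisplayName, Id, Account

if ($SetReportOnly) {
    foreach ($p in $uniquePolicies) {
        # 'enabledForReportingButNotEnforced' is the API value behind the portal's 'Report-only' state.
        Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p.Id `
            -State 'enabledForReportingButNotEnforced'
        Write-Host "Set '$($p.DisplayName)' to report-only. Re-enable it with -State 'enabled' once the BPRT has been generated."
    }
}
```

Keep the report-only window short: generate the BPRT immediately after the state change, then set the same policy IDs back to `enabled`. The package_ accounts listed by the first query are also worth reviewing afterwards, since each failed attempt leaves one behind.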