Recently I have been troubleshooting a nasty Windows Hello for Business problem which prevented all users in a tenant from resetting their Windows Hello for Business PINs on Azure AD joined devices; every attempt failed with error CAA20004.
Issue
When clicking on “I forgot my PIN”:
After completing the account sign-in and MFA challenge, error CAA20004 came up:
Troubleshooting
The Azure AD Portal shows us “Failure reason: other”.
Recording all HTTPS traffic to Microsoft's OAuth2 endpoint with Fiddler finally unveiled usable information:
AADSTS65001: The user or administrator has not consented to use the application with ID ’ 9115dd05-fad5-4f9c-acc7-305d08b1b04e’ named ’ Microsoft Pin Reset Client Production’. Send an interactive authorization request for this user and resource.
The error indicates that the application "Microsoft Pin Reset Client Production" has not been consented to in this tenant, so its enterprise application registration is missing.
Solution
After a short search I found a matching Microsoft docs article. Instead of reading through the whole article, the only thing I needed to do was to consent, as tenant admin, to the Microsoft PIN Reset Service production application and also to the Microsoft PIN Reset Client production application (just click on the links in the article to consent to the app registrations). In some tenants, however, I have only seen the "Microsoft PIN Reset Service production" registered, and PIN resets are working there without the "Microsoft PIN Reset Client production".
When checking the registered enterprise applications in Azure AD the “Microsoft Pin Reset Client Production” was visible:
… and resetting Windows Hello for Business PINs is possible again and works like a charm.
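Checking for the two enterprise applications by hand in the portal is easy to forget during tenant onboarding, so here is a scripted version of that check as an added example (not from the original post or from Microsoft). It uses the Microsoft Graph PowerShell SDK; the client app ID is the one quoted in the AADSTS65001 error above, while the service application's ID is not given in the post, so it is matched by display name only.

```powershell
# Added example: verify that the PIN reset enterprise applications exist in the
# tenant (a service principal is created when an admin consents to the app).
# Assumes the Microsoft.Graph module is installed and the signed-in admin can
# grant the Application.Read.All scope.
Connect-MgGraph -Scopes "Application.Read.All"

# App ID taken from the AADSTS65001 error; the service app ID is not on the page,
# so that entry is looked up by display name instead (assumption: exact name match).
$expected = @(
    @{ Name = 'Microsoft Pin Reset Client Production';  AppId = '9115dd05-fad5-4f9c-acc7-305d08b1b04e' },
    @{ Name = 'Microsoft PIN Reset Service Production'; AppId = $null }
)

$missing = @()
foreach ($app in $expected) {
    if ($app.AppId) {
        $sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
    } else {
        $sp = Get-MgServicePrincipal -Filter "displayName eq '$($app.Name)'"
    }

    if ($sp) {
        Write-Host "OK       $($app.Name) (service principal $($sp.Id))"
    } else {
        Write-Warning "MISSING  $($app.Name) - admin consent has not been granted in this tenant"
        $missing += $app.Name
    }
}

# Non-zero exit lets this run as a tenant health check in a pipeline.
if ($missing.Count -gt 0) { exit 1 }
```

If the client application is reported as missing, that matches the state in which users get CAA20004 on "I forgot my PIN"; grant admin consent via the links in the Microsoft docs article and re-run the check.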
Final words
Did you encounter the same difficulties? Or do you know why some tenants only have the “Microsoft PIN Reset Service production” and not the “Microsoft PIN Reset Client production” registered? I am curious to read your experiences in the comments.