During my tests, I keep changing configurations in Entra ID and Intune. This was also the case a few days ago, when I deleted one of my “Entra registered” devices in Entra ID for a test.
In Windows, Microsoft applications (Edge, Teams, and others) first reported that my organization had deleted the device:
Your organization has deleted this device.

The device is still connected to Entra ID, so I disconnect it via Windows Settings > Accounts > Access work or school. After that, the applications no longer show the message.

I then want to add the account again via Windows Settings > Email & Accounts to re-register my PC in Entra ID.

Alternatively, Edge, Teams, and other Microsoft applications show the familiar prompt asking whether the organization may manage the device.

The re-registration of my PC takes a very long time and ends with an error (a time-out):
CAA50021 – Number of retry attempts exceeds expectation

A check in Entra ID shows persistent errors for the account and for the “Device Registration Service”.

A search for the CAA50021 error returns many suggested solutions; none of them helped in my case.
Adding “Device Registration Service” to the search led me to the following information in Microsoft’s FAQ for Entra ID devices:
What are the MS-Organization-Access certificates present on our Windows 10/11 devices?
The MS-Organization-Access certificates are issued by the Microsoft Entra Device Registration Service during the device registration process. These certificates are issued to all join types supported on Windows – Microsoft Entra joined, Microsoft Entra hybrid joined and Microsoft Entra registered devices. Once issued, they’re used as part of the authentication process from the device to request a Primary Refresh Token (PRT). For Microsoft Entra joined and Microsoft Entra hybrid joined devices, this certificate is present in Local Computer\Personal\Certificates, whereas for Microsoft Entra registered devices, the certificate is present in Current User\Personal\Certificates. All MS-Organization-Access certificates have a default lifetime of 10 years. These certificates are deleted from the corresponding certificate store when the device is unregistered from Microsoft Entra ID. Any inadvertent deletion of this certificate leads to authentication failures for the user and requires re-registration of the device in such cases.
My device has been deleted. I can find the deleted device ID in the Entra ID audit log.

I check the local certificates for my account (Current User\Personal\Certificates). The certificate from my deleted and disconnected device is still present.

I delete the certificate and try to register my PC again.
It takes only a few seconds, and my PC is successfully registered.

My PC has been re-registered in Entra ID.

The certificate has been recreated on my PC.

Conclusion:
If you delete a device in Entra ID and want to re-register it, make sure that the old device certificate (the MS-Organization-Access certificate, found in Current User\Personal\Certificates for an Entra registered device) is no longer present on your PC.
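To check for such a leftover certificate before re-registering, here is an added PowerShell example that is not part of the original post. It assumes that the certificate's Subject CN is the Entra device ID and that $DeletedDeviceId is replaced with the ID taken from the Entra ID audit log (the value below is a placeholder).

```powershell
# Added example: find MS-Organization-Access certificates for the current user
# and report the one belonging to a device that was already deleted in Entra ID.
param(
    # Placeholder: replace with the device ID found in the Entra ID audit log.
    [string]$DeletedDeviceId = '00000000-0000-0000-0000-000000000000'
)

# Entra registered devices keep this certificate in the Current User store.
$certs = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like '*MS-Organization-Access*' }

if (-not $certs) {
    Write-Host 'No MS-Organization-Access certificate found in CurrentUser\My.'
    return
}

# Show what is there before touching anything.
$certs | Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint | Format-List

foreach ($cert in $certs) {
    # Assumption: the Subject has the form "CN=<device id>".
    $certDeviceId = ($cert.Subject -replace '^CN=', '').Trim()

    if ($certDeviceId -eq $DeletedDeviceId) {
        Write-Host "Stale certificate for deleted device $certDeviceId (thumbprint $($cert.Thumbprint))"
        # -WhatIf only reports what would happen; drop it to actually remove the
        # certificate, after which the device can be registered again.
        Remove-Item -Path $cert.PSPath -WhatIf
    }
    else {
        Write-Host "Keeping certificate for device $certDeviceId (not the deleted one)"
    }
}
```

Run it in the user's own session, since the certificate lives in that user's store and not in the Local Computer store.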