0xCAA2000C The request requires user interaction
0xCAA1007B AADBAcquireTokenInternal failed
Root Cause
Conditional Access (CA) policies are enforcing requirements like:
MFA
Device compliance
These require interactive authentication, which is not possible in Workspot provisioning.
Why does this happen
In your case:
BPRT regenerated
But: Account NOT excluded from CA ❌
Azure requires:
MFA or validation
→ Agent cannot prompt
→ Token acquisition fails
Resolution
Exclude the provisioning account from CA
Exclude service: Microsoft Azure Device Registration
From:
MFA policies
Compliance policies
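The check below is an added example, not part of the original note: it reads Conditional Access policies in the Microsoft Graph conditionalAccessPolicy JSON shape and lists the enforced policies requiring MFA or device compliance that still cover the provisioning account and the device registration service. The sample policies and both IDs are constructed placeholders, and group-based inclusion or exclusion is not evaluated.

```python
# Added example. SAMPLE_POLICIES, ACCOUNT_ID and APP_ID are constructed placeholders.
INTERACTIVE_CONTROLS = {"mfa", "compliantDevice"}  # the two requirements named in this note
ACCOUNT_ID = "00000000-0000-0000-0000-00000000aaaa"  # provisioning account object ID (placeholder)
APP_ID = "00000000-0000-0000-0000-00000000bbbb"  # Microsoft Azure Device Registration app ID (placeholder)

SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"],
                                     "excludeApplications": []}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Require compliant device", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [ACCOUNT_ID]},
                    "applications": {"includeApplications": ["All"],
                                     "excludeApplications": []}},
     "grantControls": {"builtInControls": ["compliantDevice"]}},
    {"displayName": "Report-only MFA", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"],
                                     "excludeApplications": []}},
     "grantControls": {"builtInControls": ["mfa"]}},
]

def in_scope(target, include, exclude):
    """True when target is included (directly or via 'All') and not excluded."""
    return (target in include or "All" in include) and target not in exclude

def blocking_policies(policies, account_id, app_id):
    """Return (name, controls) for enforced policies still covering account and app."""
    hits = []
    for p in policies:
        if p.get("state") != "enabled":
            continue  # disabled and report-only policies are not enforced
        required = INTERACTIVE_CONTROLS & set(
            (p.get("grantControls") or {}).get("builtInControls") or [])
        cond = p.get("conditions") or {}
        users = cond.get("users") or {}
        apps = cond.get("applications") or {}
        if (required
                and in_scope(account_id, users.get("includeUsers") or [],
                             users.get("excludeUsers") or [])
                and in_scope(app_id, apps.get("includeApplications") or [],
                             apps.get("excludeApplications") or [])):
            hits.append((p["displayName"], sorted(required)))
    return hits

if __name__ == "__main__":
    for name, controls in blocking_policies(SAMPLE_POLICIES, ACCOUNT_ID, APP_ID):
        print(f"{name}: still requires {', '.join(controls)}")
```

An empty result for the real account and service IDs means no enforced policy in the export still demands MFA or device compliance from the provisioning flow.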
Validation
Reprovision VM
Confirm:
No "interaction required" errors
Successful Entra join
Key Takeaway
BPRT provisioning requires fully non-interactive authentication — any CA enforcement breaks it.