July 12, 2025 | By: Arpit Sinha | Support Escalation Engineer – Microsoft Intune
The purpose of the Microsoft Intune Connector for Active Directory, also known as the Offline Domain Join (ODJ) Connector, is to join computers to an on-premises domain during the Windows Autopilot process with the device ultimately becoming Microsoft Entra hybrid joined after the user logs into the device for the first time. The Intune Connector for Active Directory creates computer objects in a specified Organizational Unit (OU) in Active Directory during the domain join process.
Important Note: Although fully supported, performing hybrid join during Windows Autopilot isn’t recommended as it can be difficult to configure, troubleshoot, and support over time. For additional information on this topic refer to Join your cloud-native endpoints to Microsoft Entra and the blog, Success with remote Windows Autopilot and hybrid Azure Active Directory join.
Earlier this year, Intune released an updated Intune Connector for Active Directory that strengthens security and follows least privilege principles by using a Managed Service Account (MSA). As communicated in both the blog and the Message Center, starting in July 2025, older versions of the connector will cease to operate successfully.
Below are the useful steps you should follow while configuring the updated Intune Connector for Active Directory:
- Sign in to the Intune Connector for Active Directory
- Verify the Intune Connector for Active Directory is active
- Configure the MSA to allow creating objects in OUs (optional)
Error when granting permissions to MSA account
An issue that a small number of customers may experience during the connector installation is the inability for the installation process to grant the MSA account the necessary permissions on the default computers container or a specific organizational unit.
The below screenshot shows the error message displayed when you encounter this error during installation.
The installation log is named odjconnectorUI.txt, located in C:\Program Files\Microsoft Intune\ODJConnector\ODJConnectorEnrollmentWizard, and shows the following when you encounter this error:
Unknown error: System.DirectoryServices.DirectoryServicesCOMException (0x8007202F):
A constraint violation occurred.
Workaround and walk through
To work around the above issue, the following is a walkthrough for successfully installing the connector and the steps required to handle the MSA permission error.
- Follow the Install the Intune Connector for Active Directory on the server guidance to set up the new ODJ connector. You need to initiate the installation with an account that has the following rights:
- Create msDs-ManagedServiceAccount objects in the Managed Service Accounts container (domain rights)
- Local administrator on your Windows Server
- After successful installation and Microsoft Entra sign in (using an Intune Admin or Global Admin account), you’ll get the below confirmation screen in the Intune Connector for Active Directory showing that the connector is successfully enrolled and that an MSA account was successfully created.
Intune Connector for Active Directory installation screen confirming successful enrollment and creation of a Managed Service Account (MSA).
- After selecting ‘OK’ in the above confirmation screen, wait a few seconds. You might then receive an error stating that the MSA account ‘could not be granted permission’; the dialog shows the name of the MSA that was created, as highlighted in the below screenshot. Note the name of the MSA account, as it is needed in a later step.
Error showing that the MSA account lacks permissions on the default Computers container or the specified OU.
Note: If setup is complete and successful, it won’t throw the above error. If the dialog is closed, go to ‘C:\Program Files\Microsoft Intune\ODJConnector\ODJConnectorEnrollmentWizard’ and relaunch ‘ODJConnectorEnrollmentWizard.exe’.
- Verify that the connector installation successfully created the MSA in the Managed Service Accounts container in the Active Directory Users and Computers console. Note that you must enable Advanced Features in the View menu to show this container.
Active Directory Users and Computers console with Advanced Features enabled, displaying the Managed Service Accounts container and the newly created MSA.
- Validate that the ‘Intune ODJ connector service’ is Running with an Automatic Startup Type, and that its ‘Log On As’ account is only the MSA account configured during the connector’s installation, as shown in the following example screenshot.
Windows Services panel showing “Intune ODJConnectorService” running with Automatic startup type and logged on using the configured MSA.
- Verify in the Intune admin center under Device > Enrollment > Intune Connector for Active Directory that the connector is Active.
Intune admin center view under Device → Enrollment → Intune Connector for Active Directory, showing the connector status as Active.
Note: Inactive connectors in the Intune Connector for Active Directory page will automatically be cleaned up after 30 days.
- Grant the Create Computer objects permission to the MSA account created by the connector installation on the organizational unit or container that you configured the connector to use. This is best done using the Delegation of Control Wizard in the Active Directory Users and Computers console. The following screenshot shows the end result.
Active Directory Delegation of Control Wizard result screen showing granted permissions for the MSA to create computer objects in the designated OU.
- Note: Selecting ‘Configure Managed Service Account’ again will still result in the same permissions error. This is a known issue that can be ignored and will be addressed in the next released build of the connector.
You can now proceed with provisioning devices using Autopilot. Look for the following events in Event Viewer on the server hosting the connector to validate correct functionality:
| Event Log | Event |
| --- | --- |
| Application and Services Logs > Microsoft > Intune > ODJConnectorService > Admin | Event ID 30120 (successful event) |
| Application and Services Logs > Microsoft > Intune > ODJConnectorService > Operational | Event IDs 30130 and 30140 (successful events) |
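The checks in the walkthrough above (MSA created, service running as the MSA, Create Computer objects granted on the target OU, success events logged) can be scripted so that the server state can be re-verified after the wizard, or after the permission error. The following PowerShell is an added example and is not code from the original post or from the Intune connector itself. It assumes an elevated session on the connector server with the RSAT ActiveDirectory module; $MsaName and $TargetOu are placeholders you replace with the MSA name shown by the wizard and the OU or container you configured; the service is located by a DisplayName wildcard rather than an exact service name; the 'computer' class schemaIDGUID (bf967a86-0de6-11d0-a285-00aa003049e2) is used to recognise the "Create Computer objects" ACE; the connector's event logs are discovered by wildcard instead of hard-coding channel names; and the optional -Grant switch adds the ACE with Set-Acl as an alternative to the Delegation of Control Wizard the post describes.

```powershell
# Added example (not from the original post): post-install checks for the
# Intune Connector for Active Directory (ODJ connector).
# Assumptions: elevated PowerShell on the connector server, RSAT ActiveDirectory
# module installed; $MsaName and $TargetOu below are placeholders.
#Requires -Modules ActiveDirectory
param(
    [string]$MsaName  = 'msa-odj-placeholder$',            # placeholder: MSA name shown by the wizard
    [string]$TargetOu = 'OU=Autopilot,DC=contoso,DC=com',  # placeholder: OU/container configured in the connector
    [switch]$Grant                                         # also add the 'Create Computer objects' ACE if missing
)
Import-Module ActiveDirectory

# schemaIDGUID of the AD 'computer' class: the ObjectType of a "Create Computer objects" ACE
$ComputerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
# sAMAccountName of an MSA always carries a trailing '$'
$Sam = if ($MsaName.EndsWith('$')) { $MsaName } else { "$MsaName`$" }

function Test-OdjMsa {
    # The wizard must have created the MSA in the Managed Service Accounts container
    $msa = Get-ADServiceAccount -Filter "SamAccountName -eq '$Sam'" -ErrorAction SilentlyContinue
    if (-not $msa) { Write-Host "[FAIL] MSA $Sam not found"; return $null }
    Write-Host "[OK]   MSA found: $($msa.DistinguishedName)"
    return $msa
}

function Test-OdjService {
    # Service must be Running, Automatic, and log on as the MSA (assumption: DisplayName contains 'ODJConnector')
    $svc = Get-CimInstance Win32_Service -Filter "DisplayName LIKE '%ODJConnector%'"
    if (-not $svc) { Write-Host '[FAIL] ODJ connector service not found'; return $false }
    $ok  = ($svc.State -eq 'Running') -and ($svc.StartMode -eq 'Auto') -and ($svc.StartName -like "*\$Sam")
    $tag = if ($ok) { 'OK  ' } else { 'FAIL' }
    Write-Host "[$tag] $($svc.DisplayName): State=$($svc.State) StartMode=$($svc.StartMode) LogOnAs=$($svc.StartName)"
    return $ok
}

function Test-OdjOuPermission {
    # The MSA needs an Allow ACE for CreateChild of the computer class (or of all classes) on the target OU
    $acl = Get-Acl -Path "AD:\$TargetOu"
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -like "*\$Sam" -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -ne 0) -and
        ($_.ObjectType -eq $ComputerClassGuid -or $_.ObjectType -eq [guid]::Empty)
    }
    if ($ace) { Write-Host "[OK]   $Sam may create computer objects in $TargetOu"; return $true }
    Write-Host "[FAIL] $Sam lacks 'Create Computer objects' on $TargetOu"
    return $false
}

function Grant-OdjComputerCreate($Msa) {
    # Scripted equivalent of the Delegation of Control Wizard step (this is an alternative, not the post's method)
    $acl  = Get-Acl -Path "AD:\$TargetOu"
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Msa.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ComputerClassGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$TargetOu" -AclObject $acl
    Write-Host "[INFO] Added 'Create Computer objects' ACE for $Sam on $TargetOu"
}

function Test-OdjEvents {
    # 30120 (Admin) and 30130/30140 (Operational) are the success events named in the post;
    # the connector's log channels are discovered by wildcard rather than assumed
    $found = @{}
    Get-WinEvent -ListLog '*ODJConnectorService*' -ErrorAction SilentlyContinue | ForEach-Object {
        $log = $_
        Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; Id = 30120, 30130, 30140 } -MaxEvents 100 -ErrorAction SilentlyContinue |
            ForEach-Object { $found[$_.Id] = $_.TimeCreated }
    }
    foreach ($id in 30120, 30130, 30140) {
        if ($found.ContainsKey($id)) { Write-Host "[OK]   Event $id last seen $($found[$id])" }
        else { Write-Host "[WARN] Event $id not yet logged (no device provisioned yet, or the connector is failing)" }
    }
    return $found
}

$msa    = Test-OdjMsa
$null   = Test-OdjService
$hasAce = Test-OdjOuPermission
if ($Grant -and $msa -and -not $hasAce) { Grant-OdjComputerCreate -Msa $msa; $null = Test-OdjOuPermission }
$null   = Test-OdjEvents
```

Run it without -Grant first to get a read-only report; the [WARN] lines for the event IDs are expected until the first Autopilot device has actually been provisioned through the connector. The ACE check accepts either a computer-class-scoped CreateChild right (what the Delegation of Control Wizard writes) or an unscoped one, so an OU where the MSA was given broader create rights still reports [OK].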
Summary
Ensure that you’ve updated to the new connector as old versions will stop working. Additionally, ensure that the Managed Service Account has the correct permissions on the designated organizational unit. This is essential for the smooth operation of the Intune Connector for Active Directory.
While you may encounter an error when selecting “Configure Managed Service Account”, this can typically be safely ignored during initial setup. To confirm that the connector is functioning correctly and that devices can be provisioned through Autopilot without issues, monitor the event logs under the Intune ODJConnectorService. These logs provide critical insight into the provisioning process and help validate successful connector enrollment and operation.
Related information:
- Plan for Change: New Intune connector for deploying Microsoft Entra hybrid joined devices using Windows Autopilot
- Microsoft Intune Connector for Active Directory security update
If you have any questions or want to share how you’re managing your Windows Autopilot devices with Intune, leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune. You can also connect with us on LinkedIn.