Fix Company Portal App Login Error Occurred AAD Auth Proxy Issues | Tenant Restriction Policy

Well, this is a weird issue and so stay with me! Let’s learn how to Fix Company Portal App Login Error Occurred. This issue is only for the Intune Company portal application. There was no issue accessing company portal Website. And this issue is only applicable for Windows 10 devices.

I have a couple of other posts that might be interesting for you. Learn how to install a company portal application on Windows 10 devices. Intune Company Portal Setup for Personal Windows 10 Device Intune Enrollment Options.

Also, Read more about Intune Company Portal Branding Customization Options & Intune Different End-User Application Portals for Modern Management.

Problem Statement – Fix Company Portal App Login Error

Windows 10 devices started getting error messages whenever the user tries to launch the Company portal app. The error details are given below.

Login error occurred – An error occurred while attempting to login

Company Portal Login Error

You get two options:

• Share Details
• Close

Send Company Portal App for Windows 10 Logs

• Try to click on Share details to get the Company portal app log for Windows 10 device.
• The message shows “Sending the Logs to Microsoft“

• Now you have an option to share the details with Microsoft using the Onenote file.
  • Requesting help with company portal app for Windows 10

NOTE! – You can send the company portal app logs for Windows 10 using the following method as well:

1. Open the Company Portal app.
2. Select Help & support > Get help.

Details of Company Portal App Log

Describe the problem you're experiencing.
The Company Portal has collected your logs (Diagnostics ID: 2WWEWN) and sent them to Microsoft to help troubleshoot. Your description will help us to understand what happened and how we can fix the problem.
After you've described the problem, send this email to your company support for more help.

Troubleshooting – Fix Company Portal App Login Error

Now let’s enter into the real troubleshooting scenario of Company Portal app for Windows 10 devices.

• First of all, I couldn’t find much information from Microsoft logs mentioned in the above section.
• I started looking at event logs to get more details.
• Navigate to Microsoft-Windows-AAD/Operational (Azure AD authentication related errors).
• The following event IDs 1098 shows up with error started whenever I tried to launch the company portal app.

Error: 0xCAA5001C Token broker operation failed.
Log: 0xcaa10083 Exception in WinRT wrapper.
Log: 0xcaa1007b Acquire token failed.
Log: 0xcaa9004b Exception during nonce request.

Event Log Details

• Error: 0xCAA5001C Token broker operation failed.

Log Name: Microsoft-Windows-AAD/Operational
Source: Microsoft-Windows-AAD
Date: 15/07/2020 16:00:58
Event ID: 1098
Task Category: AadTokenBrokerPlugin Operation
Level: Error
Keywords: Operational,Error
User:
Computer:
Description:
Error: 0xCAA5001C Token broker operation failed.
Operation name: GetTokenSilently, Error: -894947614 (0xcaa82ee2), Description: The request has timed out.
Logged at webaccountprocessor.cpp, line: 593, method: AAD::Core::WebAccountProcessor::ReportOperationError.

• Error: 0xCAA82EE2 The request has timed out.

Log Name: Microsoft-Windows-AAD/Operational
Source: Microsoft-Windows-AAD
Date: 15/07/2020 16:00:58
Event ID: 1098
Task Category: AadTokenBrokerPlugin Operation
Level: Error
Keywords: Operational,Error
User:
Computer:
Description:
Error: 0xCAA82EE2 The request has timed out.
Exception of type 'class HttpException' at xmlhttpwebrequest.cpp, line: 163, method: XMLHTTPWebRequest::ReceiveResponse.
Log: 0xcaa10083 Exception in WinRT wrapper.
Logged at authorizationclient.cpp, line: 233, method: ADALRT::AuthorizationClient::AcquireToken.
Request: authority: https://login.microsoftonline.com/common, client: 8ba1a5c7-f19a-5de9-a1f1-7178c8d51343, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/S-1-15-2-2666988183-1750391847-2906264630-3525785777-2857982319-3063633125-1907478113

• Log: 0xcaa1007b Acquire token failed.

Log Name: Microsoft-Windows-AAD/Operational
Source: Microsoft-Windows-AAD
Date: 15/07/2020 16:00:58
Event ID: 1098
Task Category: AadTokenBrokerPlugin Operation
Level: Error
Keywords: Operational,Error
User:
Computer:
Description:
Error: 0xCAA82EE2 The request has timed out.
Exception of type 'class HttpException' at xmlhttpwebrequest.cpp, line: 163, method: XMLHTTPWebRequest::ReceiveResponse.
Log: 0xcaa1007b Acquire token failed.
Logged at aggregatedtokenrequest.cpp, line: 70, method: AggregatedTokenRequest::AcquireToken.
Request: authority: https://login.microsoftonline.com/common, client: 8ba1a5c7-f19a-5de9-a1f1-7178c8d51343, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/S-1-15-2-2666988183-1750391847-2906264630-3525785777-2857982319-3063633125-1907478113, resource: 00000002-0000-0000-c000-000000000000, correlation ID (request): 9d18dbac-d522-4d6e-8d14-c3e7610ec34c

• 0xcaa9004b Exception during nonce request

Log Name: Microsoft-Windows-AAD/Operational
Source: Microsoft-Windows-AAD
Date: 16/07/2020 10:11:06
Event ID: 1098
Task Category: AadTokenBrokerPlugin Operation
Level: Error
Keywords: Operational,Error
User:
Computer:
Description:
Error: 0xCAA82EE2 The request has timed out.
Exception of type 'class HttpException' at xmlhttpwebrequest.cpp, line: 163, method: XMLHTTPWebRequest::ReceiveResponse.
Log: 0xcaa9004b Exception during nonce request.
Request: authority: https://login.microsoftonline.com/common, client: 8ba1a5c7-f19a-5de9-a1f1-7178c8d51343, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/S-1-15-2-2666988183-1750391847-2906264630-3525785777-2857982319-3063633125-1907478113, resource: 00000002-0000-0000-c000-000000000000, correlation ID (request): 9d18dbac-d522-4d6e-8d14-c3e7610ec34c

Fix Company Portal App Login Error Occurred

There was a proxy server tenant restriction implemented using the following Use tenant restrictions to manage access to SaaS cloud applications. More details https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions.

The company portal app for Windows 10 requires authentication to Azure AD through https://login.microsoftonline.com. These URLs are available in the above event logs. Tenant restrictions require TLS inspection only on traffic to Azure AD, not to the Office 365 cloud services.

It seems the TLS inspection for the following URL cause the issue. At least one of the following URL which is required:

• https://enterpriseregistration.windows.net
• https://login.microsoftonline.com
• https://device.login.microsoftonline.com
• https://autologon.microsoftazuread-sso.com (If you use or plan to use seamless SSO)

Resolution – Proxy Issue

**Updated on 29-Jan-2021

The client app (in this case Company Portal) should support tenant restrictions. I have over looked this point while writing this post. This is already documented in Microsoft docs that client software must request tokens directly from Azure AD, so that the proxy infrastructure can intercept traffic.

NOTE! – The company portal (website) works well with tenant restrictions.

The OMT feature for TLS inspection for AAD authentication communication removed from the proxy servers and that fixed the Company Portal

Resources

• Azure tenant restriction headers setup
• Use tenant restrictions to manage access to SaaS cloud applications
• Get help and support in Company Portal for Windows 10