This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I have two projects that need the Intune Connector for Active Directory installed. I went through the processes listed here: https://learn.microsoft.com/en-us/autopilot/tutorial/user-driven/hybrid-azure-ad-join-intune-connector?tabs=updated-connector
On the first project, I had an issue and ultimately it was solved by giving my Global Admin account an Intune license temporarily.
On the second project, it just refuses to work at all. Three different admins tried signing in and we all get the same results:
The Managed Service OU was missing so we followed some directions online and fixed it.
Log file has the following entry over and over with the main issue saying "Failed to create a managed service account - Element not found"
Any help welcomed. About to open a Microsoft ticket.
ODJ Connector UI Information: 0 : User clicked on SignIn
DateTime=2025-03-14T15:39:59.2116739Z
ODJ Connector UI Information: 0 : Navigating to URL https://portal.manage.microsoft.com/Home/ClientLogon
DateTime=2025-03-14T15:39:59.2898053Z
ODJ Connector UI Information: 0 : Browser loaded page https://login.microsoftonline.com/common/oauth2/authorize?client_id=74bcdadc-2fdc-4bb3-8459-76d06952a0e9&redirect_uri=https%3A%2F%2Fportal.manage.microsoft.com%2Fsignin-oidc&response_type=code&prompt=select_account&scope=openid profile&response_mode=form_post&nonce=638775635996879226.MjIwYWI0ODItYTc3YS00NzY2LWEyZTEtMjYyN2Q2MTY4YTkzMTgwNDMyNzMtMmQzNC00MTY1LThhN2ItMDMxOTE2NDA4MDMx&display=host&state=CfDJ8Ji1hs71b9ZDlZfpMprk6xUmh5ZyiH2tn2o80ueQkJnLktqRnri68LHjk9smwi1SW4CxmiwntrTIiqivmIKN4GNOs17XMCIMq_gK50SStqkrPdrTYW092vUJu3uqjVqUxveNpJygWFHIkSw1CDKf-kRD3ugxbsWkKstPzUAtdK_d4vhOEk4PNCXdnL2-D0ZzgrIgMrMHZNSIbF9f0aC1Ya8xHg79E5Ev88B9t87DUeR2KFCoJBKrBcyADHWrfzJxBTQANVdVcA8DSsoczySKv6LyrVsRK0ZgllR2jh9uF4jAY91uDgX3Rby7TMbM9rDrwiDqjgKniaKt4oF1Df7lnB27gG4jSe6ZoOg52y5uxfitA5SkPWuJH-w_0FdNfeRk5g&x-client-SKU=ID_NET472&x-client-ver=8.3.0.0
DateTime=2025-03-14T15:40:00.0710556Z
ODJ Connector UI Information: 0 : Browser loaded page https://portal.manage.microsoft.com/Home/ClientLogonSuccess
DateTime=2025-03-14T15:41:26.9508117Z
ODJ Connector UI Information: 0 : Getting the URL for EnrollmentService from https://manage.microsoft.com/RestUserAuthLocationService/RestUserAuthLocationService/ServiceAddresses
DateTime=2025-03-14T15:41:27.6851767Z
ODJ Connector UI Information: 0 : Received Url for EnrollmentService as https://fef.amsua0102.manage.microsoft.com/StatelessEnrollmentService from RestUserAuthLocationService.
DateTime=2025-03-14T15:41:27.6851767Z
ODJ Connector UI Information: 0 : Getting the URL for RAODJPlusFEGatewayService_FEF from https://manage.microsoft.com/RestUserAuthLocationService/RestUserAuthLocationService/ServiceAddresses
DateTime=2025-03-14T15:41:27.6851767Z
ODJ Connector UI Information: 0 : Received Url for RAODJPlusFEGatewayService_FEF as https://fef.amsua0102.manage.microsoft.com/TrafficGateway/TrafficRoutingService/RAODJPlus/StatelessODJService from RestUserAuthLocationService.
DateTime=2025-03-14T15:41:27.6851767Z
ODJ Connector UI Information: 0 : Searching for any pre-existing Managed Service Accounts installed on this machine.
DateTime=2025-03-14T15:41:27.7320578Z
ODJ Connector UI Information: 0 : MSA name : msaODJBfuWt
DateTime=2025-03-14T15:41:27.8414250Z
ODJ Connector UI Error: 2 : ERROR: Enrollment failed. Detailed message is: Microsoft.Management.Services.ConnectorCommon.Exceptions.ConnectorConfigurationException: Failed to create a managed service account - Element not found
at Microsoft.Management.Services.ConnectorCommon.ManagedServiceAccountUtilities.NativeMethods.NetAddServiceAccountWrapper(String accountName)
at Microsoft.Management.Services.ConnectorCommon.ManagedServiceAccountUtilities.ManagedServiceAccountUtilities.CreateManagedServiceAccount(String domainName, String precreatedMsaAccount)
at ODJConnectorUI.EnrollmentTab.CreateMsa(String domainName, StepsStarted& stepsStartedFlag)
at ODJConnectorUI.EnrollmentTab.webBrowser_LoadCompleted(Object sender, NavigationEventArgs e)
DateTime=2025-03-14T15:41:27.8883066Z
ODJ Connector UI Information: 0 : Storing telemetry: CreateMsaAccount, hasException: True
DateTime=2025-03-14T15:41:27.8883066Z
ODJ Connector UI Information: 0 : Sending telemetry: CreateMsaAccount, hasException: True
DateTime=2025-03-14T15:41:27.8883066Z
ODJ Connector UI Information: 0 : Sending telemetry to ODJService
DateTime=2025-03-14T15:41:27.9039290Z
ODJ Connector UI Information: 0 : RAODJPlus Service URL: https://fef.amsua0102.manage.microsoft.com/TrafficGateway/TrafficRoutingService/RAODJPlus/StatelessODJService/odjConnectorTelemetry/uploadTelemetry
DateTime=2025-03-14T15:41:27.9039290Z
ODJ Connector UI Information: 0 : Successfully sent request to RAODJPlusFEGatewayService_FEF
DateTime=2025-03-14T15:41:28.2320528Z
ODJ Connector UI Information: 0 : Response from ODJService: OK
DateTime=2025-03-14T15:41:28.2320528Z
ODJ Connector UI Error: 8 : Removing Managed Service Account ...
DateTime=2025-03-14T15:41:28.2320528Z
ODJ Connector UI Error: 8 : Successfully removed Managed Service Account
DateTime=2025-03-14T15:41:28.2476749Z
ODJ Connector UI Error: 8 : Returning to the home page
DateTime=2025-03-14T15:41:28.2476749Z
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 61%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EXM%3C/text%3E%3C/svg%3E)
@Matt Dillon Thanks for posting in our Q&A.
For this issue, please check if the updated Intune Connector for Active Directory requirements are met.
Please make sure that you use the local administrator install the Intune Connector for Active Directory. In addition, I find that it needs Managed Service Accounts. Just a thinking, is there a Managed Service Account?
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 61%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEJ%3C/text%3E%3C/svg%3E)
I have this exact same issue. My account is a Domain Admin and Enterprise Admin for Active Directory and the M365 account I use when I click on the Sign In button is a Global Administrator with an Intune licensed assigned.
@Matt Dillon have you found a fix to this issue?
I will check in with my client next week. I don’t like this new process. The old process took like 5 min and always worked. The one time I set this up, it took like 8 tries.
no solution that I have found.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 55.00000000000001%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
I can see this isn't just me...................
Any word from Microsoft. Followed the docs to the letter and this is still coming up.........
Also try Enterprise admin permission as I have more success configuring mine even though it's not documented.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 54%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERH%3C/text%3E%3C/svg%3E)
I also have this issue. Did you get anywhere?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 10%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EO%3C/text%3E%3C/svg%3E)
Same issue. Very frustrating. IMO, Microsoft needs to abandon this effort. In our test environment it doesn't work. In production I don't know how we are going to do it as we don't have an account with that level of on prem access + Intune admin. Goes against all MS security best practice :/
Met with client today - they opened a ticket with MSFT - no response or answer yet. Today we validated internet access and all the other pre-req's.
We uninstalled a number of times and reinstalled with no change. I am feeling like the recreation of that managed service folder has something to do with it. The other thing we noticed is if we go on a browser on the server to https://manage.microsoft.com we get prompted for 2FA but we do not get prompted when trying to log in on the server.
Very frustrating.
Known issues with the Intune Connector for AD version 6.2501.2000.5
Date added: April 8, 2025
The following issues are under active investigation:
Error MSA account <accountName> is not valid when signing in.
This error occurs when the connector successfully creates the MSA but fails to retrieve the data from the domain controller. Various issues can cause the error, including replication delays between domain controllers in single domain, or when the user account exists in a different domain to the connector machine.
Error Failed to create a managed service account - Element not found.
Error Cannot start service ODJConnectorSvc on computer '.'. ---> System.ComponentModel.Win32Exception: The service did not start due to a logon failure after the MSA is created.
This error occurs when the service can't run as the MSA. The service not being able to run as the MSA can be caused by various issues, including group or local policy restricting Log on as a service privileges.
Error System.DirectoryServices.DirectoryServicesCOMException (0x8007202F): A constraint violation occurred.
There is a known issue reported https://learn.microsoft.com/en-us/autopilot/known-issues
Yea, I opened a case yesterday. The engineer mentioned that there were known issues and collected the log. This is in a test environment. Not sure what we're going to do in production where no accounts have on prem access to create MSA's and cloud Intune Admin....and our Identity team says 'that goes against our security processes and procedures'... I wish they would just keep the old tool until they simply dump hybrid join Autopilot support - it can't be very long since Microsoft stopped investing in it over a year ago..........
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 0%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENM%3C/text%3E%3C/svg%3E)
Its something to do with "OtherWellKnownObjects" GUID mismatch. When you re-create the MSA container the "OtherWellKnownObjects" GUID is still pointing to the previously deleted MSA container.
Will have client try the recommended PowerShell script and try again.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 39%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
I've been hitting my head against the wall with this exact error message for the past month now and reading Nirmal's comment last week has helped out tremendously. I too have an environment where I needed to recreate the MSA CN and I was getting the same error, "element not found", when trying to run the installer. After reading Nirmal's comments I looked into it and found exactly that, the GUID was set to the old deleted container and not the new one.
Here is what I did to solve that (for others in the future):
#This will give you what the current GUID is of the new MSA CN you created
$DomainDN = "DC=your,DC=domain"
$MSAContainer = Get-ADObject -Filter {Name -eq "Managed Service Accounts"} -SearchBase $DomainDN
$MSAContainer.ObjectGUID
#This will give you a list of all "OtherWellKnownObjects" so that you can see whats been deleted. In my case I was able to see "B:32:1EB93889E40C45DF9F0C64D23BBB6237:CN=Managed Service Accounts\0ADEL:67756e44-b23d-4c77-a0cd-4d36346349fc,CN=Deleted Objects,DC=my,DC=domain"
$DomainRoot = Get-ADObject -Identity $DomainDN -Properties OtherWellKnownObjects
$DomainRoot.OtherWellKnownObjects | FL
# Get the GUID of the NEW MSA container and change it to all uppercase (to match the formatting it should be)
$NewMSAGuid = $MSAContainer.ObjectGUID.Guid.ToUpper()
# Remove hyphens from the GUID (AD format)
$NewMSAGuidADFormat = $NewMSAGuid.Replace("-", "")
# Update the OtherWellKnownObjects attribute. You can call the variables but I chose to enter in the values myself just to be extra sure. You will also need to run this portion as Administrator on the DC so make sure you launch powershell as admin.
Set-ADObject -Identity "DC=your,DC=domain" -Replace @{
OtherWellKnownObjects = "PUT_THE_GUID_HERE:CN=Managed Service Accounts,DC=your,DC=domain"
}
This solved my error and now I've got a new one to tackle (yay! .. sigh):
"Failed to create a managed service account - The filename, directory name, or volume label syntax is incorrect"
If you find anything about this do let me know :)
Entered your error in Copilot and got this:
This error typically occurs when setting up the Intune Connector for Active Directory, often due to issues with the Managed Service Account (MSA) or incorrect directory paths. Here are a few troubleshooting steps:
Possible Causes & Fixes
Verify the Managed Service Account (MSA) OU
- Confirm that no invalid characters are present in the directory path.
- Ensure the system drive and volume labels are correctly formatted.
**Review Event Logs & Connector Logs**
- Open **Event Viewer** and check logs under **Applications and Services Logs > Microsoft > Windows > IntuneODJConnector**.
- Look for specific errors related to account creation.
**Validate Service Account Permissions**
- Ensure the account running the connector has **Create/Delete Managed Service Account** permissions in Active Directory.
- If necessary, temporarily assign **Domain Admin** rights to test.
**Reinstall the Intune Connector**
- Uninstall and reinstall the **Intune Connector for Active Directory** to reset configurations.
If the issue persists, you might find additional insights in this Microsoft Q&A thread discussing similar problems. Let me know if you need help troubleshooting further!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 12%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAK%3C/text%3E%3C/svg%3E)
Also have issues with installing the connector for a Client.
The client has decided to move the Managed Service Account OU - from the default location in the root of the tree.
Can this please be affirmed as a hard requirement.
The documentation around this new connector is absolute rubbish, compared to what Microsoft normally produce which is decent...
All items (including the Webview2 add-in I was prompted for today) and all pre-requisites need to be a lot more clearly defined, and how to check verify each one, accounted for.
Considering organisations are being asked to move off this in May -- this connector hardly seems ready to do that without disruptions immenient.
Will be raising a support ticket as well.
We're facing exact same issue. We also had to recreate "Managed Service Accounts" container. Wonder if recreating has to do something with it.
https://learn.microsoft.com/en-us/autopilot/known-issues
Known issues with the Intune Connector for AD version 6.2501.2000.5
Date added: April 8, 2025
The following issues are under active investigation:
Error MSA account <accountName> is not valid when signing in.
This error occurs when the connector successfully creates the MSA but fails to retrieve the data from the domain controller. Various issues can cause the error, including replication delays between domain controllers in single domain, or when the user account exists in a different domain to the connector machine.
Error Failed to create a managed service account - Element not found.
Error Cannot start service ODJConnectorSvc on computer '.'. ---> System.ComponentModel.Win32Exception: The service did not start due to a logon failure after the MSA is created.
This error occurs when the service can't run as the MSA. The service not being able to run as the MSA can be caused by various issues, including group or local policy restricting Log on as a service privileges.
Error System.DirectoryServices.DirectoryServicesCOMException (0x8007202F): A constraint violation occurred.