Hello Gilbert Wong,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I will try to clarify your doubts and help you out with this issue.
The error occurs during the device registration/join flow when the MDM User Scope is set to All or Some users in Microsoft Entra ID. This configuration triggers an MDM auto-enrollment attempt.
1. The Entra ID service attempts to redirect the user to the configured MDM Terms of Use URL.
2. The error indicates that the URL is unreachable or improperly set in the MDM configuration settings within Entra ID.
3. This failure prevents the mandatory Terms of Use step, which in turn halts the MDM enrollment, causing the device join process to fail entirely.
A frequent underlying cause is that the user attempting to join does not have an Entra ID Premium P1/P2 license (or an equivalent license like an M365 E3/E5 subscription that includes Intune/MDM) required for the automatic enrollment to proceed.
I recommend that you check the points below and let us know:
- Are MDM terms of use URLs configured in Microsoft Entra ID Admin Center under Mobility (MDM and MAM)?
- Does the user/device have an Intune or applicable Microsoft 365 license?
- What is the MDM user scope setting (None, Some, or All)?
- Are there Conditional Access policies requiring MDM device compliance?
The workaround will be to navigate to the Mobility (MDM and MAM) settings in the Microsoft Entra admin center and correct the configuration.
A. Correct the MDM URLs (If you intend to use MDM/Intune):
- Sign in to the Microsoft Entra admin center as a Global Administrator.
- Navigate to Identity > Devices > All devices.
- In the top menu, click Device settings.
- Scroll down to the Mobility (MDM and MAM) section.
- Click on the relevant MDM application (usually Microsoft Intune).
- Look at the three URLs: MDM Terms of use URL, MDM discovery URL, and MDM compliance URL.
- Verify the URLs. If using Microsoft Intune, click Restore default MDM URLs and ensure the MDM Terms of use URL is set to the default:
https://portal.manage.microsoft.com/TermsofUse.aspx
- Ensure the users attempting to enroll have a valid Intune/MDM license and that the MDM User Scope is set correctly to target those users.
B. Disable MDM Auto-Enrollment (If you do not intend to use MDM/Intune):
If you do not have licenses or do not want devices to automatically enroll in MDM, you must disable the scope.
- Follow the steps above until you reach Mobility (MDM and MAM), then select the MDM application.
- Set the MDM user scope to None > Click Save.
This prevents Entra ID from attempting to redirect to the non-existent or faulty Terms of Use URL during the device join process.
Please refer to the docs below for more information:
https://learn.microsoft.com/en-us/windows/client-management/azure-active-directory-integration-with-mdm
https://learn.microsoft.com/en-us/entra/identity/devices/device-join-plan
Hope this helps! If it answered your question, please consider clicking Accept Answer and Upvote. This will help us and others in the community as well.
If you need more info, feel free to ask in the comments. Happy to help!
Regards,
Monalisha
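
The checks in options A and B above can also be scripted. The following is an added example, not part of the original answer: the function name `Test-MdmPolicy`, the sample records and the `example.invalid` URL are constructed, and the commented-out live query assumes the Microsoft.Graph.Authentication module, the Graph beta `mobileDeviceManagementPolicies` endpoint and `Policy.Read.All` consent.

```powershell
# Default Intune "MDM Terms of use URL", as quoted in the answer above.
$DefaultTouUrl = 'https://portal.manage.microsoft.com/TermsofUse.aspx'

function Test-MdmPolicy {
    param(
        [Parameter(Mandatory)] $Policy,   # needs displayName, appliesTo, termsOfUseUrl
        [switch] $CheckReachability       # also send an HTTPS GET to the URL
    )
    $findings = @()
    # Assumption: scope uses Graph naming (none, selected, all); the portal shows None, Some, All.
    $scope  = "$($Policy.appliesTo)".ToLowerInvariant()
    $url    = "$($Policy.termsOfUseUrl)".Trim()
    $parsed = $null
    if ($scope -eq 'none') {
        $findings += 'MDM user scope is None: device join does not attempt auto-enrollment.'
    } elseif (-not $url) {
        $findings += 'MDM user scope is set but the Terms of use URL is empty.'
    } elseif (-not ([uri]::TryCreate($url, [UriKind]::Absolute, [ref]$parsed)) -or $parsed.Scheme -ne 'https') {
        $findings += "Terms of use URL is not an absolute https URL: $url"
    } else {
        if ($url -ne $DefaultTouUrl) {
            $findings += "Terms of use URL differs from the Intune default: $url"
        }
        if ($CheckReachability) {
            try {
                Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10 | Out-Null
            } catch {
                # An HTTP error status still means the host answered; no response means unreachable.
                if (-not $_.Exception.Response) { $findings += "Terms of use URL is unreachable: $url" }
            }
        }
    }
    [pscustomobject]@{ Name = $Policy.displayName; Scope = $scope; Findings = $findings }
}

# Constructed sample records (not real tenant data).
$policies = @(
    @{ displayName = 'Microsoft Intune'; appliesTo = 'all';      termsOfUseUrl = $DefaultTouUrl },
    @{ displayName = 'Sample MDM A';     appliesTo = 'selected'; termsOfUseUrl = '' },
    @{ displayName = 'Sample MDM B';     appliesTo = 'all';      termsOfUseUrl = 'http://mdm.example.invalid/tou' },
    @{ displayName = 'Sample MDM C';     appliesTo = 'none';     termsOfUseUrl = '' }
)
# Live data instead of the samples (see the assumptions in the lead-in):
#   Connect-MgGraph -Scopes 'Policy.Read.All'
#   $policies = (Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies').value

$policies | ForEach-Object { Test-MdmPolicy -Policy $_ } | Format-List
```

An empty `Findings` list means the scope is active and the Terms of use URL matches the default; add `-CheckReachability` to also confirm the URL answers over HTTPS from the network where the join is attempted.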