Are you using the AirWatch Provisioning Adapter without a locally configured directory in Workspace ONE UEM and when trying to enroll your Windows 10 Devices and you are getting the following error:
The reason behind this error is because UEM is checking if the attribute “aadMappingAtribute” is currently set for the particular user received in the request from Azure. If the attribute is not currently set, UEM will search the directory to retrieve this attribute based on on the value configured in UEM:
UEM will retrieve this value from Active Directory (typically) and store this as a binary/hex (ie. 1e7306a8-7eb8-4b6e-a22f-c3e951a5db6e) or as a string depending on the mapping attribute data type. This is very important because UEM will not successfully map to a user if the value is Base64 encoded. So the following “vZ/lGAC9bUWiA7Egpw5fqg==” is not acceptable.
If this attribute is not set and you don’t have an Enterprise Systems Connector (ACC) with a directory configured, you will receive this error. If you are using the AirWatch Provisioning Adapter, you probably don’t have an Enterprise Systems Connector (ACC) and directory configured.
Workspace ONE UEM will allow you to update this attribute manually in the Admin Console:
This however is not scalable by any means. Workspace ONE Access is releasing functionality to set this attribute when the user is created by the AirWatch Provisioning Adapter. Unfortunately, UEM will not allow this attribute to be updated via the API so only “CREATE” is supported at this time.
In the AirWatch Provisioning Adapter, you’ll soon be able to map this attribute:
Please remember that this value can NOT be Based64 encoded. The following is a guideline of possible values:
|aadMappingAttribute in Workspace ONE UEM||Immutable ID in Azure||Acceptable|