You may get this error when you try to reset the PIN of your Azure AD Joined Device:
“CAA2000B. AADSTS500014: The service principal for resource cred.microsoft.com is disabled. This indicates that a subscription within the tenant has lapsed, or that the administrator for the tenant has disabled the application, preventing tokens from being issued for it.”
Based on that, you will recognize that an Admin had to setup the PIN Reset feature for your tenant and provide consent to the app. A detailed instruction to onboard it to your Azure Active Directory Tenant can be found on this docs article here.
This setup deploys two OAuth apps to your Enterprise Applications in Azure called Microsoft Pin Reset Client Production and Microsoft Pin Reset Service Production.
On the properties page of the Pin Reset Service Production, the Application was disabled in my case. But even after enabling the OAuth application, it still did not work to resetting the PIN on an Azure AD Joined device. We received the same error above.
In this case, make sure that the Security or Global Admin did not block the OAuth App within Cloud App Security. You can verify the blocked app by navigating to your Cloud App Security portal by:
https://tenantname(without .onmicrosoft.com).portal.cloudappsecurity.com / Investigate / OAuth apps and search for “Microsoft Pin Reset“. This will show you the both apps you also have in Azure Active Directory Enterprise Applications.
In case one app is blocked, click on the red block sign an unblock the app to get a green tick :-). If one is blocked, users won’t be able to reset their PIN. This was the case here.
After that, I had to give consent to the Microsoft Pin Reset Client Production app again using the Enterprise Application Permission blade and an account with sufficient rights to grant consent.
SOME OTHER THOUGHTS
Some other features such as Self-Service-Password-Reset (SSPR) and the combined registration for security information’s is recommended (Users can use the combined security information registration experience). Consider also Azure AD Connect to use Password Hash Sync and Password Hash Writeback in Hybrid Identity deployments. Hope this helps.
Happy PIN Reset!