We have a service account that we use to run tasks. The account has been synced to AAD (Azure AD) and added to the proper AAD groups.
We have scripted tasks which are set to run as this service account, and this works fine for domain-joined or hybrid-joined devices. However, with AAD-only devices we get the following error in the Task Output:
"An error occurred while attempting to impersonate the requested user"
I have found that if I connect to the device and use Run As manually on any program (CMD, for example) with the service account, it works fine. Also, once I have run it manually, the Altiris task then works afterwards.
ITMS 8.7
This issue was fixed in 8.7.1.
If credentials are formatted as "AzureAD\name@domain" then SMA is using them first as "AzureAD\name@domain" and then as "domain\name" in case the first login attempt fails.
The fix can be tested even without AAD, simply by specifying the credentials as "AzureAD\name@domain".