Tenant Attach

Tenant Attach

Cloud Attach

What is Tenant attach ?

The tenant attach solution allows devices present in SCCM to be managed by Microsoft Intune. This will make it possible to manage them in Microsoft Intune as well.

The tenant attach functionality requires the following prerequisites.

  • An account with Global administrator rights in the Intune tenant.
  • The AD user is synchronised with Azure AD


Firewall and proxy must be configured to allow the following URL’s

  • https://aka.ms/configmgrgateway
  • https://*.manage.microsoft.com
  • https://dc.services.visualstudio.com

Enable Co-Management

Before configure Co-Management, you need to configure Azure AD user discovery. From the SCCM console, open Administration tab and expand Cloud Services. Click on Azure Services then on Configure Azure Services.

Configure Azure Services on Azure

A wizard appear, enter the desired name and click on Next

Name of the Azure Services

On App Properties windows, click on Browse.

Create Azure AD Application

Click on Create for Create new server application.

Server application

Enter Application Name then select Secret key validity period. Click on Sign in for enter Azure AD Admin credential account.

Admin credential and name of the application

Enter the credential of Azure AD Admin Account.Azure AD Tenant Name appear, click on OK.

Admin credential for Azure Services

Repeat the same operation Native Client app

Create Client app on SCCM

The name of the application is ConfigMgr Client App.

Enter the name of the client application

Check Enable Azure Active Directory User Discovery option and click on next.

Configure user discovery

Click on Next on other windows. The Azure Services has been created.

Azure Services has been created

Enable Co-Management

You must configure Co-Management, from the Configuration Manager console open Administration tab and expand Cloud Services. Click on Co-management then on Configure co-management.

Tenant Attach - Configure Co-Management

A new wizard appear, click on Sign In for enter credential of a global admin of the Azure AD.

Tenant Attach - SignIn and enter global admin credential

Check that the option Upload to Microsoft Endpoint Manager admin center is enable.

Tenant Attach - Enable option for Tenant attach on co-management

An application will be created on Azure AD. Click on Yes for create application on Azure AD.

Create Azure AD Application

I prefer limiting the upload to Microsoft Endpoint Configuration Manager. I use a collection for this. Check Specific collection and select collection with Browse button.

Tenant Attach - Select collection for limiting Tenant attach

Automatic enrollment in Intune may be limited to any position. To do so, select Pilot from the drop-down list and then select the desired collection using the Browse button.

Limit automatic enrollment

For each Workloads, select if it’s managed by Configuration Manager or by Intune. Pilot Intune permit to manage the workloads by Intune only for client into the Pilot group.

Configure Workload co-management

For each Workloads, select the desired collection.

Select collection for each workloads

The Co-Management has been configured.

Co-Management has been configured

Application has been configured on Azure AD.

Application has been present on Azure AD

Application ID can be found on Configuration Manager. Open Administration tab and expand Cloud Services. Click on Azure Active Directory Tenants. Select the tenant, Application has been present.

note the azure ad application name

You can use two Configuration Manager log file.

  • CMGatewayNotificationWorker.log
  • CMGatewaySyncUploadWorker.log
Log for Tenant Attach

Perform device actions

The device appear on Microsoft Intune. Click on the device.

Device appear on Intune

Three actions can be launched from Microsoft Intune.

  • Sync machine policy
  • Sync user policy
  • App evaluation cycle
Launch sync operation from Microsoft Intune

I run Sync Machine Policy from the intune console.

Run sync policy Intune

You can use the log for view if operation is carried out correctly.

log on Configuration Manager
Log on Configuration Manager

You can use the log for view if operation is carried out correctly.

Log on client sccm

Error Configuration missing

On the properties of the devices, you can access to Timeline, Collections, etc. When you click on it, if an error Configuration missing appear, run the following action.

Error 401 Tenant Attach Configuration Missing error 500

From the SCCM console, open Administration tab and expand Cloud Services. Click on Azure Active Directory Tenants and select the tenant name. The Application Name appear.

note the azure ad application name

Open the Azure AD portal, click on Azure Active Directory blade then on App registrations.

Access to Azure AD portal

Enter Config and verify that the application is present. Click on ConfigMgrSvc_xxxxx. It’s the same name as you have in Configuration Manager.

Select configmgr application in Azure AD

From the properties of your application, click on API permissions then on Add a permission.

Change permission

Click on Microsoft Graph.

Add Microsoft Graph permission

Click on Delegated permission then expand Directory. Check Directory.Read.All. Click on Add permission.

Add permission

Permission has been added. Click on Grant admin consent for Annuaire InYourCloud.

Grant admin consent

Synchronize AD user account which has admin rights to the workstations with the sccm client and presents on Microsoft Intune. This account must be have Intune administrator role or delegation. For use this feature user must be present on AD and Azure AD.

Role to user account

You can now access to CMPivot, Scripts, ….

Access to CMPivot

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.