Tenant Attach
What is Tenant Attach?
Tenant attach lets devices that are present in SCCM be uploaded to Microsoft Intune, so that they can be managed from Microsoft Intune as well.
Tenant attach requires the following prerequisites:
- An account with Global administrator rights in the Intune tenant.
- The AD user account is synchronised with Azure AD.
Prerequisites
The firewall and proxy must be configured to allow the following URLs:
- https://aka.ms/configmgrgateway
- https://*.manage.microsoft.com
- https://dc.services.visualstudio.com
Configure Azure AD User Discovery
Before configuring Co-Management, you need to configure Azure AD user discovery. From the SCCM console, open the Administration tab and expand Cloud Services. Click Azure Services, then Configure Azure Services.
A wizard appears; enter the desired name and click Next.
On the App Properties window, click Browse.
Click Create to create a new server application.
Enter the Application Name, then select the Secret key validity period. Click Sign in to enter the credentials of the Azure AD admin account.
Enter the credentials of the Azure AD admin account. The Azure AD Tenant Name appears; click OK.
Repeat the same operation for the Native Client app.
The name of the application is ConfigMgr Client App.
Check the Enable Azure Active Directory User Discovery option and click Next.
Click Next on the remaining windows. The Azure service has been created.
Enable Co-Management
Now configure Co-Management: from the Configuration Manager console, open the Administration tab and expand Cloud Services. Click Co-management, then Configure co-management.
A new wizard appears; click Sign In to enter the credentials of a global admin of the Azure AD tenant.
Check that the option Upload to Microsoft Endpoint Manager admin center is enabled.
An application will be created in Azure AD. Click Yes to create the application in Azure AD.
I prefer limiting the upload to Microsoft Endpoint Configuration Manager. I use a collection for this. Check Specific collection and select the collection with the Browse button.
Automatic enrollment in Intune can be limited to a pilot collection of devices. To do so, select Pilot from the drop-down list and then select the desired collection using the Browse button.
For each workload, select whether it is managed by Configuration Manager or by Intune. Pilot Intune moves the workload to Intune only for clients that are in the Pilot collection.
For each workload, select the desired collection.
Co-Management has been configured.
The application has been configured in Azure AD.
The Application ID can be found in Configuration Manager. Open the Administration tab and expand Cloud Services. Click Azure Active Directory Tenants and select the tenant; the application is listed there.
You can use two Configuration Manager log files:
- CMGatewayNotificationWorker.log
- CMGatewaySyncUploadWorker.log
Perform device actions
The device appears in Microsoft Intune. Click the device.
Three actions can be launched from Microsoft Intune:
- Sync machine policy
- Sync user policy
- App evaluation cycle
I run Sync Machine Policy from the Intune console.
You can use the logs to check whether the operation was carried out correctly.
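The two log files named above (CMGatewayNotificationWorker.log and CMGatewaySyncUploadWorker.log) are written in CMTrace format, so the check after a device action can be scripted instead of opening each file in CMTrace. The following PowerShell is an added example, not code from the original post; it assumes the default site-server log folder, and the sample records in it are constructed.

```powershell
# Added example (not from the original post): parse CMTrace-format logs and list the
# warning/error entries, to check whether a device action reached the site.
# $LogDir is an assumed default site-server path; adjust it for your installation.
function Get-CMTraceEntry {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $Line)
    begin {
        # One CMTrace record per line:
        # <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" thread="N" file="...">
        $pattern = '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"[^>]*\stype="(?<type>\d)"'
        $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    }
    process {
        if ($Line -match $pattern) {
            $sev = $severity[$Matches.type]
            if (-not $sev) { $sev = 'Unknown' }
            [pscustomobject]@{
                Date      = $Matches.date
                Time      = $Matches.time
                Component = $Matches.comp
                Severity  = $sev
                Message   = $Matches.msg
            }
        }
    }
}

# Constructed sample records (not real log output) so the parser can be exercised offline.
$sample = @(
    '<![LOG[Notification received for device action: SyncMachinePolicy]LOG]!><time="10:15:02.123+00" date="03-01-2021" component="CMGatewayNotificationWorker" context="" type="1" thread="4512" file="sample.cpp:1">',
    '<![LOG[Failed to process the notification (constructed sample error)]LOG]!><time="10:15:03.456+00" date="03-01-2021" component="CMGatewayNotificationWorker" context="" type="3" thread="4512" file="sample.cpp:2">'
)
$sample | Get-CMTraceEntry | Where-Object { $_.Severity -ne 'Info' } | Format-Table -AutoSize

# The same check against the real logs on the site server.
$LogDir = 'C:\Program Files\Microsoft Configuration Manager\Logs'   # assumed default
foreach ($name in 'CMGatewayNotificationWorker.log', 'CMGatewaySyncUploadWorker.log') {
    $path = Join-Path -Path $LogDir -ChildPath $name
    if (-not (Test-Path -Path $path)) { Write-Warning "Log not found: $path"; continue }
    Get-Content -Path $path | Get-CMTraceEntry |
        Where-Object { $_.Severity -ne 'Info' } |
        Select-Object Date, Time, Component, Severity, Message |
        Format-Table -AutoSize
}
```

An empty result for the real logs means no warning or error records were written; the Info records still show whether the notification for the action was received at all.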
Error: Configuration missing
In the device properties, you can access Timeline, Collections, etc. If an error Configuration missing appears when you click on one of them, take the following action.
From the SCCM console, open the Administration tab and expand Cloud Services. Click Azure Active Directory Tenants and select the tenant name. The Application Name appears.
Open the Azure AD portal, click the Azure Active Directory blade, then App registrations.
Enter Config in the search box and verify that the application is present. Click ConfigMgrSvc_xxxxx; it has the same name as in Configuration Manager.
From the properties of your application, click API permissions, then Add a permission.
Click Microsoft Graph.
Click Delegated permissions, then expand Directory. Check Directory.Read.All and click Add permission.
The permission has been added. Click Grant admin consent for Annuaire InYourCloud.
Synchronize the AD user account that has admin rights on the workstations with the SCCM client and that is present in Microsoft Intune. This account must have the Intune administrator role or a delegation. To use this feature, the user must be present in both AD and Azure AD.
You can now access CMPivot, Scripts, ….