Tenant Attach

Cloud Attach

What is Tenant attach?

Tenant attach allows devices present in SCCM to be managed from Microsoft Intune as well.

The tenant attach functionality requires the following prerequisites.

  • An account with Global administrator rights in the Intune tenant.
  • The AD user is synchronised with Azure AD


The firewall and proxy must be configured to allow the following URLs:

  • https://aka.ms/configmgrgateway
  • https://*.manage.microsoft.com
  • https://dc.services.visualstudio.com

Enable Co-Management

You must configure Co-Management. From the Configuration Manager console, open the Administration tab and expand Cloud Services. Click Co-management, then Configure co-management.

Tenant Attach - Configure Co-Management

A new wizard appears. Click Sign In and enter the credentials of a global admin of the Azure AD.

Tenant Attach - SignIn and enter global admin credential

Check that the option Upload to Microsoft Endpoint Manager admin center is enabled.

Tenant Attach - Enable option for Tenant attach on co-management

An application will be created in Azure AD. Click Yes to create the application in Azure AD.

Create Azure AD Application

I prefer limiting the upload to Microsoft Endpoint Configuration Manager. I use a collection for this. Check Specific collection and select the collection with the Browse button.

Tenant Attach - Select collection for limiting Tenant attach

Automatic enrollment in Intune can be limited to specific devices. To do so, select Pilot from the drop-down list and then select the desired collection using the Browse button.

Limit automatic enrollment

For each workload, select whether it is managed by Configuration Manager or by Intune. Pilot Intune lets Intune manage the workload only for clients in the Pilot group.

Configure Workload co-management

For each workload, select the desired collection.

Select collection for each workloads

The Co-Management has been configured.

Co-Management has been configured

The application has been configured in Azure AD.

Application present in Azure AD

The application ID can be found in Configuration Manager. Open the Administration tab and expand Cloud Services. Click Azure Active Directory Tenants and select the tenant; the application is listed there.

Application present in Configuration Manager

You can use two Configuration Manager log files:

  • CMGatewayNotificationWorker.log
  • CMGatewaySyncUploadWorker.log

Log for Tenant Attach

Perform device actions

The device appears in Microsoft Intune. Click on the device.

Device appears in Intune

Three actions can be launched from Microsoft Intune.

  • Sync machine policy
  • Sync user policy
  • App evaluation cycle

Launch sync operation from Microsoft Intune

I run Sync Machine Policy from the Intune console.

Run sync policy Intune

You can use the log to check that the operation was carried out correctly.

Log on Configuration Manager
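
As an added example (not part of the original post), the following PowerShell lists warning and error entries from CMGatewayNotificationWorker.log or CMGatewaySyncUploadWorker.log after a device action. It assumes the logs use the standard Configuration Manager (CMTrace) entry layout; the function name, the sample entries and the log path placeholder are constructed for illustration.

```powershell
# Added example: surface warnings and errors from the tenant attach logs.
# Assumption: entries use the standard Configuration Manager (CMTrace) layout
#   <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" ...>
# where type 1 = information, 2 = warning, 3 = error.

function ConvertFrom-CmLogText {
    param([Parameter(Mandatory)][string]$Text)

    # (?s) lets a message span several lines, which CMTrace entries may do.
    $pattern  = '(?s)<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[\d:.]+)[^"]*" ' +
                'date="(?<date>[\d-]+)" component="(?<comp>[^"]*)" ' +
                'context="[^"]*" type="(?<type>\d)"'
    $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }

    foreach ($m in [regex]::Matches($Text, $pattern)) {
        [pscustomobject]@{
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Component = $m.Groups['comp'].Value
            Severity  = $severity[$m.Groups['type'].Value]
            Message   = $m.Groups['msg'].Value.Trim()
        }
    }
}

# Constructed sample entries (not taken from a real site server).
$sample = @'
<![LOG[Sample: notification received for device action]LOG]!><time="10:15:02.118-60" date="02-01-2021" component="CMGatewayNotificationWorker" context="" type="1" thread="14" file="sample.cs:1">
<![LOG[Sample: request to gateway failed,
retrying]LOG]!><time="10:15:07.402-60" date="02-01-2021" component="CMGatewayNotificationWorker" context="" type="3" thread="14" file="sample.cs:2">
'@

# On a site server, read the real file instead of $sample, for example:
#   $text = Get-Content -Raw -Path '<ConfigMgr install dir>\Logs\CMGatewayNotificationWorker.log'
ConvertFrom-CmLogText -Text $sample |
    Where-Object Severity -ne 'Info' |
    Format-Table Date, Time, Severity, Message -AutoSize
```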

You can use the log to check that the operation was carried out correctly.

Log on the SCCM client
