In Configuration Manager, production version 2002, Microsoft introduced a new feature called “Tenant attach“. With this feature, you can synchronize ConfigMgr agents to Intune without enrolling in Intune. Once synchronized, the ConfigMgr device will be visible in Microsoft Endpoint Manager Admin Center (MEMAC).
The key point here is that ConfigMgr client is in Intune console without enrolling in Intune. This means your ConfigMgr managed device does not needs co-managed to avail of some of the Cloud benefits. You can refer to more details on Tenant attach troubleshooting details from the blog post-SCCM Tenant Attach Background Process Walkthrough via Logs.
Both tenants attached and co-managed devices will be visible in single MEMAC console but they are not the same.
- Co managed device = SCCM agent + Intune enrolled
- Tenant attach device = SCCM agent synced to MEM (Not Intune enrolled)
The co-managed device got a lot more options available in Microsoft Endpoint Manager Admin Center (MEMAC). However, In the future we can expect a lot more features for tenant-attached devices also in MEMAC console. Below are some of the cloud benefits ConfigMgr tenant attach provide:
- Single Microsoft Endpoint Admin Console (MEMAC) to manage ConfigMgr and intune devices.
- ATP Integration
- Helpdesk troubleshooting
- User Experience Analytics
- Web front-end CMPivot
Note: Above listed benefits announced in ignite 2019 is not yet available to public. Only limited features are available at the time of writing. We will discuss some of the features currently available.
More updated details about prerequisites are given in Microsoft docs.
- Appropriate access to SCCM infra (Full Admin preferably)
- Recommended to perform this activity from the Tier 1 server in ConfigMgr Hierarchy (CAS) or standalone primary server
- Global Administrator account for signing in the Tenant onboarding page (configuration in SCCM).
- An Azure public cloud environment.
- The user account triggering device actions has the following prerequisites:
- Discovered with Azure Active Directory user discovery
- Discovered with Active Directory user discovery
- The Notify Resource permission under Collections object class in Configuration Manager.
- On-Prem user synchronized to azure using AADconnect
- SCCM server should have access to below Internet endpoints
NOTE! – Permissions for Tenant attach is updated. You don’t need to give permissions to Configuration Manager Microservice https://docs.microsoft.com/en-us/mem/configmgr/tenant-attach/client-details#permissions
Tenant attach high level Architecture
There are three components in Tenant attach Architecture.
- ConfigMgr agent:
- ConfigMgr client communicate with ConfigMgr server as normal.
- There is no change. In addition, there is no need to enroll to Intune.
- ConfigMgr server:
- ConfigMgr synchronizes devices to Microsoft Endpoint Manager Admin Center (MEMAC).
- ConfigMgr server receive instructions from Microsoft Endpoint Manager Admin Center (MEMAC) and forward the instructions to ConfigMgr clients.
- ConfigMgr server plays middleman between Intune and ConfigMgr client.
- MEMAC console show the SCCM Devices synchronized from SCCM server to Intune.
Note: In this architecture, entire ConfigMgr database will not be synchronize to Intune. It is a on demand architecture. MEMAC console connects to SCCM only when required or admin initiate action.
How to configure Tenant Attach?
The configuration required for the tenant attach is within co management wizard. If you have not enabled co management wizard then follow the steps as mentioned here . There is a good post from Windows noob on tenant attach
In Configuration Manager Admin console, go to Administration > Overview > Cloud Services > Co-management.
- Ensure your Azure environment is AzurePublicCloud.
- Tenant is boarded to azure by singing in using your Global Administrator account.
- Ensure you select the option “upload to MEM admin center”
- Please make sure you select a collection for which you want to devices to synchronize. Its recommended to select a test device collection to start with. Also, ensure you exclude the servers managed by ConfigMgr
- Tenant attach sync setting has nothing to do with co-management. However, tenant attaches settings are available within the co-management wizard.
- Note: In my scenario, I do not have any co-managed devices so I configured it as none for Intune enrollment. You need to decide the configuration based on your scenario.
- Below azure AD application gets created automatically after completing the configuration in ConfigMgr. You can see the events for troubleshooting from the log SmsAdminUI.log
- You can see the application name starts with “ConfigMgrSVC_… “
- ConfigMgr server communicate with cloud using this Azure AD Web application.
We completed the configuration. Let us discuss how ConfigMgr server establish a connection with Intune and upload the devices.
NOTE! – Let’s add your admin user to this (Configuration Manager Microservice) enterprise app to get appropriate permissions to initiate SCCM actions from Intune portal.
- Run Script
Log Files – Troubleshooting
Let’s see how log files can help to troubleshoot the issue with device sync and tenant attach.
ConfigMgr Device Upload to Intune Workflow
This log tracks the connectivity between ConfigMgr and Intune . You can use this log to troubleshoot if ConfigMgr devices does not upload to MEMAC console
- ConfigMgr server selects the gateway to upload the device based on the location.
- For the US the gateway URL is https://us.gateway.configmgr.manage.microsoft.com
- For Europe gateway URL is https://eu.gateway.configmgr.manage.microsoft.com
- Next, the ConfigMgr server will authenticate and establish the connection.
- Once succeeded, ConfigMgr agent uploads to Intune through the gateway.
- You can see the ConfigMgr client records uploaded in batch
If you enable verbose logging, log will tell the bytes written to network for upload. Based on my testing this network traffic is less. Moreover, follow-up device synch will be delta only.
- The default upload sync interval is 15 min (delta)
- Response code 200 state the connection between ConfigMgr and Intune is successful
After successful upload , You can start seeing your ConfigMgr client in Microsoft endpoint manager admin center console
Until now, we discussed the device upload events from ConfigMgr to intune. Next, let us discuss the workflow from MEM admin console to ConfigMgr.
Intune to SCCM event workflow
At the time of writing this post, only limited features are available in MEM admin console for ConfigMgr clients as listed below
- Machine policy synch
- User policy synch
- Application evaluation
Let us see what happens when I trigger a machine policy from MEM admin console. Below are the high-level activities
- MEM admin console sent instruction for triggering machine policy to ConfigMgr server
- ConfigMgr server receive notification from MEM gateway and authenticate
- Forwards as BGB instruction and process
- ConfigMgr server sent the notification to ConfigMgr client
- ConfigMgr client receive the instruction from ConfigMgr server and process
- MEM admin console sent the machine policy instruction to the ConfigMgr server. Initially, you can see the status will show pending.
This log tracks the events from from Intune to ConfigMgr. You can refer this log while troubleshooting communication between Intune and ConfigMgr.
- ConfigMgr server receive the notification and authenticate the user who initiated the policy from MEM console.
- If user authentication is successful, the ConfigMgr BGB remote task will process further
You may get below error if the user is not having necessary ConfigMgr permission as mentioned in pre-req. Also If user is not an on Prem user id and not synchronized to azure then we see below error
Unauthorized to perform client action. TemplateID: RequestMachinePolicy TenantId: ed7ef5f4-73f7-4c1d-83de-453635ac145d AADUserID: f91c3e40-4c30-42e0-b0eb-c5663d549b75
ConfigMgr process the BGB notification service. Then sent the notification to ConfigMgr client.
You can also track the status for the ConfigMgr client Machine policy, which you initiated from MEM console. The different status are Complete or pending or failed as shown below.