Fix ConfigMgr Tenant Attach Error 401 403 | Missing Config| SCCM

SCCM ConfigMgr Tenant Attach Error

I received an error 401 (403) when I tried to open the Run Script or CMPivot blade in the Intune portal after completing ConfigMgr tenant attach. Let’s try to fix the ConfigMgr Tenant Attach Error 401 403 (Missing Configuration) through this post.

I have already explained how to enable the SCCM Run Scripts feature from the Intune portal when you are running ConfigMgr version 2006. The script option must be enabled first by following that guide; the steps below assume it is already done.

Issue – Tenant Attach Error 401 / 403

Scripts – Configuration Missing:

I was not able to access the scripts blade from Intune Portal (a.k.a Microsoft Endpoint Manager admin center). Let’s try to find more details about this issue “Configuration missing Error Code 401/403”.

{ "shellProps": { "sessionId": "69f3c2eab1e64c05b556a897614e67b7", "extName": "Microsoft_Intune_DeviceExplorer", "contentName": "ScriptsBlade", "code": 403 }, "error": { "message": "Configuration missing", "code": 401, "details": { "htmlTemplate": "\n <span>The necessary configuration is missing in Azure Active Directory. Make sure to attach the Configuration Manager site to your Azure tenant, and assign the proper user role in Azure AD.<span>\n <a href =\"https://aka.ms/cmdeviceexplorerdoc_aadconfig\"> More information</a>" } }}
Fix ConfigMgr Tenant Attach Error 401 403 | (Missing Configuration) - SCCM

CMPivot Configuration Missing:

I was not able to access the CMPivot blade from Intune Portal (a.k.a Microsoft Endpoint Manager admin center). Let’s try to find more details about this issue “Configuration missing Error Code 401/403”.

{ "shellProps": { "sessionId": "69f3c2eab1e64c05b556a897614e67b7", "extName": "Microsoft_Intune_DeviceExplorer", "contentName": "CMPivotMainBlade", "code": 403 }, "error": { "message": "Configuration missing", "code": 401, "details": { "htmlTemplate": "\n <span>The necessary configuration is missing in Azure Active Directory. Make sure to attach the Configuration Manager site to your Azure tenant, and assign the proper user role in Azure AD.<span>\n <a href =\"https://aka.ms/cmdeviceexplorerdoc_aadconfig\"> More information</a>" } }}
Fix ConfigMgr Tenant Attach Error 401 403 | (Missing Configuration) - SCCM

Understand Service Account

Let’s find out the correct service principal account or Azure application that provides access to SCCM to use the Tenant attach feature from SCCM console and Azure portal.

From SCCM Console

  • Launch Console
  • Navigate \Administration\Overview\Cloud Services\Azure Active Directory Tenants
  • Select the application (service principal) ConfigMgrSvc_6cf7c942-7a51-4796-98ae-1c5f2ede96fa that is used for tenant attach.

I could see three (3) service accounts in the console under Azure Active Directory Tenants and selected the one highlighted in yellow, because the other two service accounts belong to the Azure AD discovery-related services (Azure AD user and group discovery) rather than to tenant attach.

Fix ConfigMgr Tenant Attach Error 401 403 | (Missing Configuration) - SCCM

Azure Portal

  • Open the Azure portal
  • Navigate to Azure Active Directory blade
  • Select Enterprise Applications
  • Inside Enterprise applications node
  • Use “Config” as the search word to find the tenant attach service accounts among the Azure AD enterprise applications.
  • Select the same app ConfigMgrSvc_6cf7c942-7a51-4796-98ae-1c5f2ede96fa that we selected in the above section.
  • You can’t find the Configuration Manager Microservice in this list. Why?

NOTE! – The default Application type filter is Enterprise Applications, which hides the Configuration Manager Microservice. Change the Application type filter to All Applications to see it.

Fix ConfigMgr Tenant Attach Error 401 403 | (Missing Configuration) - SCCM

Check Permissions

Let’s check the user assignments on the Azure application we identified in the above section (the Configuration Manager Microservice).

  • Open the Azure portal
  • Navigate to Azure Active Directory blade
  • Select Enterprise Applications
  • Inside Enterprise applications node – select All Applications.
  • Use “Config” as the search word to find out the service accounts in Azure AD enterprise applications.
  • Click on the same app Configuration Manager Microservice that we selected in the above section.
  • Select the Users and Groups option.
SCCM tenant attach configuration Error Missing Configuration
  • Check whether your admin account (anoopb) is listed in this section.
  • In the above screenshot, no users or groups are listed. Only service principal accounts are present, which is why the portal reports “Configuration missing” for every admin who tries to open the Scripts or CMPivot blade.

Fix ConfigMgr Tenant Attach Error 401 403

Now let’s Fix ConfigMgr Tenant Attach Error 401 403 related to configuration settings.

  • Open the Azure portal
  • Navigate to Azure Active Directory blade
  • Select Enterprise Applications
  • Inside Enterprise applications node – select All Applications.
  • Use “Config” as the search word to find out the service accounts in Azure AD enterprise applications.
  • Click on the same app Configuration Manager Microservice that we selected in the above section.
  • Select the Users and Groups option.
  • Click on Add Users.
ConfigMgr tenant attach configuration Error 401 403 (Missing Configuration) - SCCM
  • Click on Users and Groups from Add Assignment.
  • Search for the Group or User you want to add as Admin user for Running script or CMPivot.
  • Select the Group or User.
  • Click on Assign button.
Fix ConfigMgr Tenant Attach Error 401 403 | (Missing Configuration) - SCCM
  • Now, you can see the user added to the Users and Groups section.
  • You can see the account Anoop-Backup added to the users and groups.
    • This account is synced from On-prem AD to Azure AD using Azure AD Connect.
Fix ConfigMgr Tenant Attach Error 401 403 | (Missing Configuration) - SCCM
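The same check and fix can be done from PowerShell, which is useful when you have several admins to onboard or want to audit who already has access. The block below is an added example written for this post; it is not Microsoft's or the original author's code. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Applications and Microsoft.Graph.Users modules) is installed, that the signed-in admin can consent to the Application.ReadWrite.All and Directory.Read.All scopes, that the admin UPN is a placeholder you replace, and that the Configuration Manager Microservice app exposes no custom app roles, so the all-zero GUID (shown in the portal as “Default Access”) is the role to assign.

```powershell
# Added example (not part of the original post): find the Configuration Manager Microservice
# enterprise application, list who is assigned to it, and assign the admin user if missing.
# Assumptions: Microsoft.Graph PowerShell SDK installed; $AdminUpn is a placeholder;
# the app has no custom app roles, so the default (all-zero) app role id is used.
param(
    [string]$AdminUpn       = 'anoop-backup@contoso.com',          # placeholder admin account
    [string]$AppDisplayName = 'Configuration Manager Microservice'   # first-party app name used by tenant attach
)

Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'Directory.Read.All'

# 1. Locate the service principal by display name. Querying Graph directly avoids the
#    portal's default "Enterprise Applications" filter that hides this app.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) {
    throw "Service principal '$AppDisplayName' not found. Check that tenant attach onboarding completed."
}

# 2. List the current assignments. In the post's screenshot only service principals appeared here.
$assigned = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All
$assigned | Select-Object PrincipalDisplayName, PrincipalType, CreatedDateTime | Format-Table -AutoSize

# 3. Resolve the admin account and add it only if it is not already assigned.
$user = Get-MgUser -UserId $AdminUpn -Property Id, UserPrincipalName, OnPremisesSyncEnabled
if ($assigned.PrincipalId -contains $user.Id) {
    Write-Output "$($user.UserPrincipalName) is already assigned to '$AppDisplayName'."
}
else {
    $body = @{
        principalId = $user.Id
        resourceId  = $sp.Id
        appRoleId   = '00000000-0000-0000-0000-000000000000'   # assumption: default access role
    }
    New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -BodyParameter $body | Out-Null
    Write-Output ("Assigned {0} (synced from on-prem AD: {1}) to '{2}'." -f `
        $user.UserPrincipalName, $user.OnPremisesSyncEnabled, $AppDisplayName)
}
```

For least privilege, assign a dedicated Azure AD group of ConfigMgr admins rather than individual accounts; the Graph call is identical except that principalId is the group's object ID. Remember that this assignment only lets the user reach the blade; what they can actually run is still governed by the ConfigMgr role-based administration assigned to the same (discovered) user.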

Confirm SCCM Azure AD User Discovery

Let’s check Azure AD user discovery for this account, Anoop-Backup. Azure AD user discovery must be enabled in SCCM and the user must be discovered with the details mentioned below; the Intune portal maps the signed-in Azure AD user to the ConfigMgr user record through these values.

  • Azure Active Directory Tenant ID: This value should be a GUID for the Azure AD tenant.
  • Azure Active Directory User ID: This value should be a GUID for this account in Azure AD.
  • User Principal Name: This value is in the user@domain format.
    • I also have a user whose UPN still shows the @xyz.onmicrosoft.com domain, and it worked OK for me.

NOTE! – If the Azure AD Tenant ID and Azure AD User ID are not populated, then make sure you have enabled Azure AD user discovery from SCCM.
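To verify the same three values without clicking through the console, you can query the discovery record through the SMS Provider. This is an added example, not code from the original post. It assumes the script runs where the SMS Provider is reachable, that $SiteCode and $AccountName are placeholders you replace, and that the SMS_R_User properties AADTenantID, AADUserID and UserPrincipalName back the console columns “Azure Active Directory Tenant ID”, “Azure Active Directory User ID” and “User Principal Name”.

```powershell
# Added example (not part of the original post): check that a discovered user carries the
# Azure AD tenant ID and user ID that tenant attach needs.
# Assumptions: $SiteCode / $ProviderServer / $AccountName are placeholders; the SMS_R_User
# property names AADTenantID and AADUserID are assumed to match the console columns.
param(
    [string]$SiteCode       = 'XYZ',          # placeholder site code
    [string]$ProviderServer = 'localhost',    # placeholder SMS Provider host
    [string]$AccountName    = 'Anoop-Backup'  # user name as shown in the console
)

$ns = "root\SMS\site_$SiteCode"
$records = Get-CimInstance -ComputerName $ProviderServer -Namespace $ns -ClassName SMS_R_User `
    -Filter "UserName = '$AccountName'"

if (-not $records) {
    throw "No discovery record for '$AccountName' in $ns. Confirm AD and Azure AD user discovery have run."
}

foreach ($r in $records) {
    # Both Azure AD values should be GUIDs; anything else means Azure AD user discovery
    # has not populated the record yet.
    $guid = [guid]::Empty
    $tenantOk = [guid]::TryParse([string]$r.AADTenantID, [ref]$guid)
    $userOk   = [guid]::TryParse([string]$r.AADUserID,   [ref]$guid)
    $upnOk    = [string]$r.UserPrincipalName -match '^[^@\s]+@[^@\s]+\.[^@\s]+$'

    [pscustomobject]@{
        UserName             = $r.UserName
        UserPrincipalName    = $r.UserPrincipalName
        AADTenantID          = $r.AADTenantID
        AADUserID            = $r.AADUserID
        ReadyForTenantAttach = ($tenantOk -and $userOk -and $upnOk)
        Missing              = @(
            if (-not $tenantOk) { 'AADTenantID' }
            if (-not $userOk)   { 'AADUserID' }
            if (-not $upnOk)    { 'UserPrincipalName' }
        ) -join ','
    }
}
```

If ReadyForTenantAttach is false for the admin, enable or re-run Azure AD User Discovery in the console before retrying the Intune portal; assigning the user to the enterprise application alone will not clear the 401/403 when SCCM cannot match the signed-in Azure AD identity to a discovered user.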

Fix ConfigMgr Tenant Attach Error 401 403 | (Missing Configuration) - SCCM

Logs Details

See the Tenant Attach Guide for SCCM Logs Data Flow Troubleshooting Intune (by Vimal) to understand the log flow and the internal processes involved in tenant attach.

Results

Let’s check the results of Run Script and CMPivot.

Run Script

  1. Open https://endpoint.microsoft.com with an admin user ID that has already been discovered by SCCM Azure AD User Discovery.
  2. Select Devices then All Devices.
  3. Select a device that is synced from SCCM via tenant attach.
  4. Select Scripts.
  5. Click on the Run script button to show all the approved scripts.
  6. Click on one of the scripts to run.
  7. Click on the Run button to execute the script on the device.
Fix ConfigMgr Tenant Attach Error 401 403 | (Missing Configuration) - SCCM

CMPivot

  1. Open https://endpoint.microsoft.com with an admin user ID that has already been discovered by SCCM Azure AD User Discovery.
  2. Select Devices then All Devices.
  3. Select a device that is synced from SCCM via tenant attach.
  4. Click on CMPivot and select any sample queries.
Fix ConfigMgr Tenant Attach Error 401 403 | (Missing Configuration) - SCCM
