Fix ConfigMgr Tenant Attach Error 401 403 | Missing Config | SCCM

I received an error 401 (403) when I tried to open the Run Script or CMPivot blade from the Intune portal after ConfigMgr tenant attach. In this post, let's fix the ConfigMgr Tenant Attach Error 401/403 (Missing Configuration).

In an earlier post I explained how to enable the SCCM Run Scripts feature from the Intune portal when running ConfigMgr version 2006. That option has to be enabled first; the steps are covered in that post.

Issue – Tenant Attach Error 401 / 403

Scripts – Configuration Missing:

I could not access the Scripts blade from the Intune portal (a.k.a. Microsoft Endpoint Manager admin center). Let's look at the details of this "Configuration missing" error (codes 401/403).

{
  "shellProps": {
    "sessionId": "69f3c2eab1e64c05b556a897614e67b7",
    "extName": "Microsoft_Intune_DeviceExplorer",
    "contentName": "ScriptsBlade",
    "code": 403
  },
  "error": {
    "message": "Configuration missing",
    "code": 401,
    "details": {
      "htmlTemplate": "\n <span>The necessary configuration is missing in Azure Active Directory. Make sure to attach the Configuration Manager site to your Azure tenant, and assign the proper user role in Azure AD.<span>\n <a href =\"https://aka.ms/cmdeviceexplorerdoc_aadconfig\"> More information</a>"
    }
  }
}

CMPivot Configuration Missing:

I could not access the CMPivot blade from the Intune portal (a.k.a. Microsoft Endpoint Manager admin center) either. The error payload is the same "Configuration missing" error (codes 401/403), this time for the CMPivot blade.

{
  "shellProps": {
    "sessionId": "69f3c2eab1e64c05b556a897614e67b7",
    "extName": "Microsoft_Intune_DeviceExplorer",
    "contentName": "CMPivotMainBlade",
    "code": 403
  },
  "error": {
    "message": "Configuration missing",
    "code": 401,
    "details": {
      "htmlTemplate": "\n <span>The necessary configuration is missing in Azure Active Directory. Make sure to attach the Configuration Manager site to your Azure tenant, and assign the proper user role in Azure AD.<span>\n <a href =\"https://aka.ms/cmdeviceexplorerdoc_aadconfig\"> More information</a>"
    }
  }
}

Understand Service Account

The error message points at Azure AD, so let's first identify which service principal (Azure AD application) SCCM uses for the tenant attach feature. We will look at it from both the SCCM console and the Azure portal, because the user assignment that fixes this error is made on the Azure side.

NOTE! – The permissions for tenant attach have since been updated. According to the current documentation, you no longer need to assign permissions on the Configuration Manager Microservice app: https://docs.microsoft.com/en-us/mem/configmgr/tenant-attach/client-details#permissions


From SCCM Console

To identify the service principal that the site uses for tenant attach from the SCCM admin console, follow the steps below.

  • Launch the console.
  • Navigate to \Administration\Overview\Cloud Services\Azure Active Directory Tenants.
  • Select the application (service principal) ConfigMgrSvc_6cf7c942-7a51-4796-98ae-1c5f2ede96fa that is used for tenant attach.

I could see three (3) applications under Azure Active Directory Tenants in the console. I selected the one highlighted in yellow, because the other two are the applications used by the Azure services (Azure AD discovery) connections rather than by tenant attach.


Azure AD Service Principal Permissions

Next, let's look at the same application from the Azure AD side and check the service principal permissions. The steps are listed below.

Open the Azure portal and navigate to the Azure Active Directory blade. Select Enterprise applications.

Use "Config" as the search term to find the ConfigMgr applications among the Azure AD enterprise applications. You will see the same app, ConfigMgrSvc_6cf7c942-7a51-4796-98ae-1c5f2ede96fa, that we selected in the console in the previous section.

You can't find the Configuration Manager Microservice in that list. Why?

NOTE! – The Configuration Manager Microservice is a Microsoft first-party application, so it is hidden by the default Enterprise applications filter. Set the Application type filter to All applications to see it.


Check Permissions

Let's check who is assigned to the Configuration Manager Microservice application, because that is the application the admin center uses when it calls into the attached site on your behalf.

Open the Azure portal. Navigate to the Azure Active Directory blade. Select Enterprise applications. Inside the Enterprise applications node, set the Application type filter to All applications.

Use "Config" as the search term to find the applications. Click on Configuration Manager Microservice. Select the Users and groups option.

  • Check whether your admin account (anoopb) is listed in this section or not.
  • In the above screenshot, there are no users or groups at all; only service principal accounts are assigned. That is why the admin center returns "Configuration missing" for this account.

Fix ConfigMgr Tenant Attach Error 401 403

Now let's fix the ConfigMgr Tenant Attach Error 401/403 by adding the missing user assignment.

Open the Azure portal again. Navigate to the Azure Active Directory blade. Select Enterprise applications and set the Application type filter to All applications.

Use "Config" as the search term, click on the Configuration Manager Microservice application that we checked above, and select the Users and groups option.

Click on Add user/group.


Under Add Assignment, click on Users and groups. Search for the group or user that should be allowed to run scripts or CMPivot from the admin center, and select it. A group is the better choice for least privilege and auditability: membership can be reviewed in one place, and individual admins do not need a direct assignment on the application.

Click on the Assign button.


Now you can see the user added to the Users and groups section. In my case the account Anoop-Backup is added.

This account is synced from on-prem AD to Azure AD using Azure AD Connect, which matters for the next check: SCCM has to discover the same account with its Azure AD identifiers.
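The same check and fix (the "Users and groups" blade of the Configuration Manager Microservice application) can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post or from Microsoft; it assumes the Microsoft.Graph module is installed, that the admin UPN anoop-backup@contoso.com is a placeholder for your own account, and that the application exposes an app role named "Admin User" (if it does not, the script falls back to the default app role, which is what the portal's Add user/group dialog uses for applications without roles).

```powershell
# Added example (not from the original post): list and, if needed, create the user
# assignment on the 'Configuration Manager Microservice' first-party application.
# Requires: Install-Module Microsoft.Graph
# Assumptions: admin UPN below is a placeholder; the 'Admin User' role name is assumed.

function Grant-CMMicroserviceAccess {
    param(
        [Parameter(Mandatory)] [string] $AdminUpn,
        [string] $AppName = 'Configuration Manager Microservice'
    )

    # Least privilege: only the scopes needed to read the app and write one assignment.
    Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All', 'User.Read.All' | Out-Null

    # First-party apps are hidden by the portal's default "Enterprise applications" filter,
    # but a displayName filter on the Graph servicePrincipal collection finds them directly.
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$AppName'" | Select-Object -First 1
    if (-not $sp) { throw "Service principal '$AppName' not found. Is the site tenant-attached?" }

    # This is the "Users and groups" blade: everything currently assigned to the app.
    $assigned = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All
    Write-Host "Current assignments on '$AppName':"
    $assigned | Select-Object PrincipalDisplayName, PrincipalType, AppRoleId | Format-Table | Out-String | Write-Host

    $user = Get-MgUser -UserId $AdminUpn
    if ($assigned.PrincipalId -contains $user.Id) {
        Write-Host "$AdminUpn is already assigned; the 401/403 must come from somewhere else."
        return
    }

    # Assumption: the app exposes an enabled 'Admin User' role; otherwise use the default role GUID.
    $role   = $sp.AppRoles | Where-Object { $_.DisplayName -eq 'Admin User' -and $_.IsEnabled } | Select-Object -First 1
    $roleId = if ($role) { $role.Id } else { '00000000-0000-0000-0000-000000000000' }

    # ResourceId is the app being assigned to; PrincipalId is the user (or group) getting access.
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
        -PrincipalId $user.Id -ResourceId $sp.Id -AppRoleId $roleId | Out-Null
    Write-Host "Assigned $AdminUpn to '$AppName' with app role $roleId."
}

Grant-CMMicroserviceAccess -AdminUpn 'anoop-backup@contoso.com'
```

To assign a group instead of a user, pass the group's object ID as -PrincipalId; the rest is identical. Two caveats a practitioner should keep in mind: this assignment only gets the admin center past the "Configuration missing" 401/403, since ConfigMgr still evaluates its own security roles for the signed-in user when a script or CMPivot query actually runs, so the account also needs the corresponding Run Script / CMPivot permissions in ConfigMgr; and, as the note earlier in the post says, newer documentation states this app assignment is no longer required, so check the linked permissions page for your version before changing the app.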


Confirm SCCM Azure AD User Discovery

Let's check Azure AD user discovery for the account Anoop-Backup. Azure AD user discovery must be enabled in SCCM, and this user must be discovered with the following details populated in its user properties:

  • Azure Active Directory Tenant ID: a GUID, the ID of your Azure AD tenant.
  • Azure Active Directory User ID: a GUID, the object ID of this account in Azure AD. The admin center uses this value to map the signed-in Azure AD identity to the SCCM user, so if it is missing, the portal cannot authorize the account even though the app assignment is in place.

  • User Principal Name: in the format anoopb@domain, for example [email protected]. I also have a user that still shows a @xyz.onmicrosoft.com UPN, and it worked OK for me.

NOTE! – If the Azure AD Tenant ID and Azure AD User ID are not populated, make sure you have enabled Azure AD user discovery in SCCM and that a full discovery has run since.
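Instead of opening each user's properties in the console, the same three fields can be checked against the SMS Provider. This is an added example, not code from the original post; it assumes the site code P01, an SMS Provider on the local machine, and the placeholder UPN anoop-backup@contoso.com, and it reads the AADTenantID and AADUserID properties that back the "Azure Active Directory Tenant ID / User ID" fields shown in the console's user properties (property names as exposed by the SMS_R_User class).

```powershell
# Added example (not from the original post): verify that Azure AD User Discovery has
# populated the tenant and user GUIDs for an admin account, via the SMS Provider.
# Assumptions: site code 'P01', provider on the local machine, placeholder UPN.

function Test-CMAadUserDiscovery {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [string] $SiteCode        = 'P01',
        [string] $ProviderMachine = $env:COMPUTERNAME
    )

    $ns = "root\SMS\site_$SiteCode"
    # Escape single quotes so the value cannot break out of the WQL filter.
    $upn  = $UserPrincipalName.Replace("'", "''")
    $user = Get-CimInstance -ComputerName $ProviderMachine -Namespace $ns `
                -ClassName SMS_R_User -Filter "UserPrincipalName = '$upn'" |
            Select-Object -First 1

    if (-not $user) {
        return [pscustomobject]@{
            UPN = $UserPrincipalName; Discovered = $false; TenantIdOk = $false; UserIdOk = $false
            AADTenantID = $null; AADUserID = $null
            Note = 'Not found in SMS_R_User: check AD user discovery and the UPN'
        }
    }

    # Both fields must parse as non-empty GUIDs. A null or empty value means Azure AD
    # user discovery has not matched this account yet (the failure mode from the post).
    $g = [guid]::Empty
    $tenantOk = [guid]::TryParse([string]$user.AADTenantID, [ref]$g) -and ($g -ne [guid]::Empty)
    $g = [guid]::Empty
    $userOk   = [guid]::TryParse([string]$user.AADUserID,   [ref]$g) -and ($g -ne [guid]::Empty)

    $note = if ($tenantOk -and $userOk) {
        'OK: Azure AD User Discovery has populated this account'
    } else {
        'Azure AD Tenant ID / User ID missing: enable Azure AD User Discovery and run a full discovery'
    }

    [pscustomobject]@{
        UPN         = $user.UserPrincipalName
        Discovered  = $true
        TenantIdOk  = $tenantOk
        UserIdOk    = $userOk
        AADTenantID = $user.AADTenantID
        AADUserID   = $user.AADUserID
        Note        = $note
    }
}

Test-CMAadUserDiscovery -UserPrincipalName 'anoop-backup@contoso.com' -SiteCode 'P01' | Format-List
```

The AADUserID returned here should equal the object ID of the same account in Azure AD (the PrincipalId you see on the application's Users and groups assignment); if the two differ, the account SCCM discovered is not the account you assigned, which happens when an on-prem user and a cloud-only user share a display name.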


Logs Details

To understand the log flow and the internal processes behind tenant attach, refer to Vimal's guide, Tenant Attach Guide for SCCM Logs Data Flow Troubleshooting Intune.

Results

With the user assigned and discovered, let's check the results for Run Script and CMPivot.

Run Script

Run Script from the admin center is the tenant attach counterpart of the Intune proactive remediation option, so let's verify it now works.

Open https://endpoint.microsoft.com with an admin user ID that has already been discovered by SCCM Azure AD user discovery. Select Devices, then All devices. Select a device that is synced from SCCM via tenant attach.

Select Scripts.

Click on the Run script button to show all the approved scripts. Click on one of the scripts to run. Click on the Run button to execute the script on the device.


CMPivot from MEM Admin Center

Let's see how to run CMPivot from the MEM admin center. Open https://endpoint.microsoft.com with an admin user ID that has already been discovered by SCCM Azure AD user discovery.

Select Devices, then All devices. Select a device that is synced from SCCM via tenant attach. Click on CMPivot and run one of the sample queries.


Author

Anoop C Nair is a Microsoft MVP. He is a Device Management Admin with more than 20 years of experience in IT (as of 2021). He is a blogger, speaker, and leader of the HTMD Community local user group. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
