Fix ConfigMgr Tenant Attach Error 401 403 | Missing Config | SCCM

After attaching my ConfigMgr site to the tenant, I received error 401 (403) when I tried to open the Run Script or CMPivot blade from the Intune portal. This post walks through fixing the ConfigMgr Tenant Attach error 401/403 (Configuration missing).

Tenant attach creates a connection between your Azure tenant and your on-premises SCCM environment, so you can manage devices directly from the Intune admin center. The integration also lets you view key client data and run administrative actions against your SCCM environment from the cloud console.

Tenant Attach offers instant benefits by storing your device records in the cloud and enabling you to manage these devices from a cloud-based console. Additionally, you can access real-time data from Configuration Manager clients, including those connected to the internet.

In an earlier post, I explained how to enable the SCCM Run Scripts feature from the Intune portal on ConfigMgr version 2006. You need to enable that feature by following the guide before the Scripts blade becomes available.

Index
Issue – Tenant Attach Error 401 / 403
Understand Service Account
From SCCM Console
Azure AD Service Principal Permissions
Check Permissions
Fix ConfigMgr Tenant Attach Error 401 403
Confirm SCCM Azure AD User Discovery
Logs Details
Results
Run Script
CMPivot from MEM Admin Center
Fix ConfigMgr Tenant Attach Error 401 403 | Missing Config | SCCM – Table 1

Issue – Tenant Attach Error 401 / 403

Scripts – Configuration Missing:

I could not access the script blade from Intune Portal (a.k.a. Microsoft Endpoint Manager admin centre). Let’s find more details about this issue: “Configuration missing Error Code 401/403.”

{
  "shellProps": {
    "sessionId": "69f3c2eab1e64c05b556a897614e67b7",
    "extName": "Microsoft_Intune_DeviceExplorer",
    "contentName": "ScriptsBlade",
    "code": 403
  },
  "error": {
    "message": "Configuration missing",
    "code": 401,
    "details": {
      "htmlTemplate": "\n <span>The necessary configuration is missing in Azure Active Directory. Make sure to attach the Configuration Manager site to your Azure tenant, and assign the proper user role in Azure AD.<span>\n <a href =\"https://aka.ms/cmdeviceexplorerdoc_aadconfig\"> More information</a>"
    }
  }
}
Fix ConfigMgr Tenant Attach Error 401 403 | Missing Config | SCCM – Fig.1

Understand Service Account

Let’s find the correct service principal account or Azure application that provides access to SCCM so we can use the Tenant attach feature from the SCCM console and Azure portal.

NOTE! The permissions required for tenant attach have been updated. You no longer need to grant permissions to the Configuration Manager Microservice: https://docs.microsoft.com/en-us/mem/configmgr/tenant-attach/client-details#permissions

From SCCM Console

From the SCCM admin console, follow the steps below to identify the service principal that tenant attach (and therefore CMPivot and Run Script from the portal) uses.

  • Launch Console
  • Navigate \Administration\Overview\Cloud Services\Azure Active Directory Tenants
  • Select the application (service principal account) ConfigMgrSvc_6cf7c942-7a51-4796-98ae-1c5f2ede96fa that is used for tenant attach.

I could see three (3) service accounts under Azure Active Directory Tenants in the console. I selected the one highlighted in yellow because the other two service accounts were created for Azure AD discovery.

Fix ConfigMgr Tenant Attach Error 401 403 | Missing Config | SCCM – Fig.2

Azure AD Service Principal Permissions

Next, let's locate the same service principal in Azure AD and review its permissions, since CMPivot and Run Script from the portal depend on it. The steps and the Azure AD service principal permissions are listed below.

Open the Azure portal, navigate to the Azure Active Directory blade, and select Enterprise Applications.

Use “Config” as the search word to find the service accounts in Azure AD enterprise applications. Select the same app ConfigMgrSvc_6cf7c942-7a51-4796-98ae-1c5f2ede96fa that we selected in the above section.

You can't find the Configuration Manager Microservice. Why?

NOTE: To view the details of the Configuration Manager Microservice, you have to set the Application Type filter to All applications instead of the default Enterprise Applications.

Fix ConfigMgr Tenant Attach Error 401 403 | Missing Config | SCCM – Fig.3

Check Permissions

Let’s check the permissions for the Azure Application (the selected account we specified in the above section).

Open the Azure portal. Navigate to the Azure Active Directory blade. Select Enterprise Applications. Inside the Enterprise Applications node, select All Applications.

Use “Config” as the search word to find the service accounts in Azure AD enterprise applications. Click on the same app Configuration Manager Microservice that we selected above. Select the Users and Groups option.

Fix ConfigMgr Tenant Attach Error 401 403 | Missing Config | SCCM – Fig.4
  • Check whether your admin account (anoopb) is added in this section.
  • In the above screenshot, you can't see any users or groups! Only service principal accounts are listed.

Fix ConfigMgr Tenant Attach Error 401 403

Now let's fix the ConfigMgr Tenant Attach error 401/403 caused by the missing configuration.

Open the Azure portal. Navigate to the Azure Active Directory blade. Select Enterprise Applications. Inside the Enterprise Applications node, select All Applications.

Use “Config” as the search word to find the service accounts in Azure AD enterprise applications. Click on the same app Configuration Manager Microservice that we selected above. Select the Users and Groups option.

Click on Add Users.

Fix ConfigMgr Tenant Attach Error 401 403 | Missing Config | SCCM – Fig.5

Click on Users and Groups from Add Assignment. Search for the Group or User you want to add as an Admin user for the Running script or CMPivot. Select the Group or User.

Click on the Assign button.

Fix ConfigMgr Tenant Attach Error 401 403 | Missing Config | SCCM – Fig.6

The user account Anoop-Backup has been added to the Users and Groups section.

This account is synced from on-prem AD to Azure AD using Azure AD Connect.

Fix ConfigMgr Tenant Attach Error 401 403 | Missing Config | SCCM – Fig.7
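The portal steps in the Check Permissions and Fix sections above can also be verified from PowerShell. The script below is an added example, not code from the original post or from Microsoft: it uses the Microsoft Graph PowerShell SDK to find the tenant attach service principal (ConfigMgrSvc_*), list who is assigned to the Configuration Manager Microservice application (the Users and Groups blade), and report whether a given admin account is assigned, optionally adding the assignment. The admin UPN is a placeholder, and it assumes the caller holds a role allowed to read applications and (for the fix) manage app role assignments.

```powershell
# Added example (not from the original post): check, and optionally add, the
# Users and Groups assignment on the Configuration Manager Microservice service
# principal that the Intune Scripts and CMPivot blades rely on.
# Assumes the Microsoft.Graph PowerShell SDK is installed.
param(
    [string]$AdminUpn = 'admin@contoso.onmicrosoft.com',  # placeholder: your admin account
    [switch]$Fix                                           # add the assignment when missing
)

# Read-only scopes are enough to check; the write scope is requested only with -Fix.
$scopes = @('Application.Read.All', 'Directory.Read.All')
if ($Fix) { $scopes += 'AppRoleAssignment.ReadWrite.All' }
Connect-MgGraph -Scopes $scopes | Out-Null

# 1. The service principal the site created when it was attached (ConfigMgrSvc_<guid>).
$svc = Get-MgServicePrincipal -Filter "startswith(displayName,'ConfigMgrSvc_')"
if (-not $svc) {
    Write-Warning 'No ConfigMgrSvc_* service principal found; the site does not appear to be attached to this tenant.'
} else {
    $svc | ForEach-Object { "Tenant attach principal: $($_.DisplayName) (AppId $($_.AppId))" }
}

# 2. The first-party Configuration Manager Microservice application
#    (only visible in the portal with the Application Type filter set to All applications).
$ms = Get-MgServicePrincipal -Filter "displayName eq 'Configuration Manager Microservice'"
if (-not $ms) { throw 'Configuration Manager Microservice service principal is not present in this tenant.' }

# 3. Current assignments: this is what the Users and Groups blade shows.
$assigned = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $ms.Id -All
$assigned | Select-Object PrincipalDisplayName, PrincipalType, PrincipalId | Format-Table -AutoSize

$user = Get-MgUser -Filter "userPrincipalName eq '$AdminUpn'"
if (-not $user) { throw "User $AdminUpn was not found in Azure AD." }

if ($assigned.PrincipalId -contains $user.Id) {
    "OK: $AdminUpn is assigned to Configuration Manager Microservice."
} else {
    Write-Warning "$AdminUpn is NOT assigned directly; the Scripts/CMPivot blades return 'Configuration missing' (401/403) for this user."
    if ($Fix) {
        # The Microservice app exposes no custom app roles, so the default access
        # role (all-zero AppRoleId) is what the portal's Assign button creates.
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ms.Id `
            -PrincipalId $user.Id -ResourceId $ms.Id `
            -AppRoleId '00000000-0000-0000-0000-000000000000' | Out-Null
        "Assigned $AdminUpn to Configuration Manager Microservice."
    }
}
```

Run it without -Fix first to audit the current state; the assignment list also shows any groups assigned to the application, and a user who is a member of one of those groups will not be flagged as directly assigned by this check even though the portal accepts them. Assigning a security group rather than individual admins keeps the Users and Groups list reviewable.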

Confirm SCCM Azure AD User Discovery

Let's check Azure AD user discovery for this account, Anoop-Backup. Azure AD User Discovery should be enabled in SCCM, and the user should be discovered with the attributes listed below.

  • Azure Active Directory Tenant ID: this value should be the GUID of the Azure AD tenant.
  • Azure Active Directory User ID: this value should be the GUID of this Azure AD user account.
  • User Principal Name: the format of this value is anoopb@domain. For example, [email protected]. The user in my lab still shows a @xyz.onmicrosoft.com UPN, but it worked fine for me.

NOTE! – If the Azure AD Tenant ID and Azure AD User ID are not populated, ensure you have enabled Azure AD user discovery from SCCM.

Fix ConfigMgr Tenant Attach Error 401 403 | Missing Config | SCCM – Fig.8
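The same discovery check can be run against the SMS Provider instead of clicking through the console. This is an added example, not code from the original post: it queries the SMS_R_User class for the account and verifies that the Azure AD tenant and user IDs are populated GUIDs. The site server name, site code and UPN are placeholders, and the SMS_R_User property names AADTenantID and AADUserID are an assumption derived from the console labels shown above.

```powershell
# Added example (not from the original post): confirm from the SMS Provider that
# Azure AD User Discovery populated the tenant and user IDs for an account.
# Property names AADTenantID / AADUserID on SMS_R_User are assumed from the console labels.
param(
    [string]$SiteServer = 'cm01.contoso.local',                    # placeholder: SMS Provider host
    [string]$SiteCode   = 'P01',                                   # placeholder: site code
    [string]$Upn        = 'anoop-backup@contoso.onmicrosoft.com'   # placeholder: discovered user
)

$ns   = "root\SMS\site_$SiteCode"
$user = Get-CimInstance -ComputerName $SiteServer -Namespace $ns -ClassName SMS_R_User `
            -Filter "UserPrincipalName = '$Upn'"

if (-not $user) {
    throw "$Upn has not been discovered by any SCCM user discovery method."
}

# Show the same attributes the console displays in the user's properties.
$user | Select-Object UniqueUserName, UserPrincipalName, AADTenantID, AADUserID | Format-List

# Both values must be real GUIDs, not empty or null, for tenant attach actions to work.
$guid = [guid]::Empty
$ok = [guid]::TryParse([string]$user.AADTenantID, [ref]$guid) -and
      [guid]::TryParse([string]$user.AADUserID,   [ref]$guid)

if ($ok) {
    "OK: Azure AD tenant and user IDs are populated for $Upn."
} else {
    Write-Warning "Azure AD IDs are missing for $Upn. Enable Azure AD User Discovery on the tenant attach connection and run a full discovery, then re-check."
}
```

If the account exists but the IDs are empty, the user was found only by Active Directory User Discovery; the Azure AD attributes are written only by Azure AD User Discovery, which is the condition the NOTE above describes.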

Logs Details

Refer to Vimal's Tenant Attach Guide for SCCM Logs Data Flow Troubleshooting Intune to understand the log flow and internal processes for tenant attach.

Results

Let’s check the results of Run Script and CMPivot.

Run Script

Let's check the Run Script option (useful for proactive remediation as well).

Open https://endpoint.microsoft.com with an admin user ID that has already been discovered via SCCM Azure AD User Discovery. Select Devices, then All Devices. Select a device that is synced from SCCM via tenant attach.

Select Scripts.

Click on the Run script button to show all the approved scripts. Click on one of the scripts to run. Click on the Run button to execute the script on the device.

Fix ConfigMgr Tenant Attach Error 401 403 | Missing Config | SCCM – Fig.9

CMPivot from MEM Admin Center

Let's learn how to use CMPivot from the MEM Admin Center. Open https://endpoint.microsoft.com with an admin user ID that has already been discovered via SCCM Azure AD User Discovery.

Select Devices, then All Devices. Select a device that is synced from SCCM via tenant attach. Click on CMPivot and select any of the sample queries.

Fix ConfigMgr Tenant Attach Error 401 403 | Missing Config | SCCM – Fig.10


Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His primary focus is Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
