How to Integrate ConfigMgr SCCM CB 1702 TP with Azure AD

Is this actual integration with Azure AD and SCCM? Would SCCM be able to discover the devices and users from Azure AD?


The SCCM ConfigMgr 1702 Technical Preview version was released a few weeks ago. More details about the SCCM 1702 TP version are available here. Last weekend, I got a chance to look at the SCCM 1702 TP version. My SCCM/ConfigMgr TP lab had expired because I hadn’t upgraded the lab since last November (the 1611 time frame). Technical preview versions are cumulative, but if you don’t upgrade to the latest version within 90 days, the lab expires and you need to build a new one from scratch.

How do you know whether your SCCM CB TP lab has expired? You can either see the remaining evaluation period on the top tab of the SCCM console (“evaluation 10 days left”), or the SMS Executive and other services will start getting stopped every hour (I’m not sure whether it’s every hour or less). Apart from that, an expired lab no longer receives the latest TP updates/builds. If your SCCM TP lab has expired, enjoy installing a new one!

Video Tutorial How to Integrate ConfigMgr SCCM CB 1702 TP Azure AD Integration – here

SCCM CB 1702 TP Console view :-

So, coming back to the topic “How to integrate Azure AD with SCCM/ConfigMgr?” This is a very straightforward process if you already have an Azure subscription and you are a global admin of that subscription. An Add Azure Active Directory button is available in the SCCM CB 1702 TP console ribbon menu, under the Cloud Services section, as you can see in the picture above. Click the Sign In button and enter your Azure subscription credentials (an account with global admin access).

Once the above step has completed successfully, you will see two Azure applications appear in the SCCM console. These apps are registered in Azure AD during the integration process with SCCM/ConfigMgr CB. The first app is the SCCM server app and the second one is the SCCM client app. Another option available in the SCCM console is to renew the secret key used for the registration of the app in Azure. By default the secret key is valid for one year.
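Because the registration secrets expire after a year and an expired secret silently breaks the integration, it is worth checking their end dates outside the console. The following PowerShell is an added example, not part of the original post or of ConfigMgr itself; it assumes the AzureAD PowerShell module, an account that can read application registrations in the tenant, and that the app display names contain “SCCM” as shown in this post.

```powershell
# Added example: report the expiry of client secrets on the app registrations
# that the ConfigMgr / Azure AD integration created.
# Assumptions: AzureAD module installed; signed-in account can read app
# registrations; the "SCCM" display-name filter matches your tenant's apps.
Connect-AzureAD | Out-Null

$warnDays = 30   # flag secrets that expire within this many days

Get-AzureADApplication -SearchString "SCCM" | ForEach-Object {
    $app = $_
    # Each app can carry several password credentials (old + renewed keys)
    Get-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId | ForEach-Object {
        $daysLeft = [int]([datetime]$_.EndDate - (Get-Date)).TotalDays

        if ($daysLeft -le 0)              { $status = 'EXPIRED' }
        elseif ($daysLeft -le $warnDays)  { $status = 'RENEW SOON' }
        else                              { $status = 'OK' }

        [pscustomobject]@{
            Application = $app.DisplayName
            AppId       = $app.AppId
            KeyId       = $_.KeyId
            EndDate     = $_.EndDate
            DaysLeft    = $daysLeft
            Status      = $status
        }
    }
} | Sort-Object DaysLeft | Format-Table -AutoSize
```

Any row marked RENEW SOON or EXPIRED should be renewed from the SCCM console’s renew secret key option so the ConfigMgr side is updated with the new value as well.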

Azure AD – App Registration View :-

I could see two apps created in the Azure portal as part of the AAD integration with SCCM CB 1702 TP. There are three apps in my Azure Active Directory – App Registrations: SCCM client, SCCM server, and P2P server. I wasn’t sure at first whether the P2P server app was created during the Azure AD integration process with SCCM CB; I can confirm that the P2P server app was not created during the SCCM and AAD integration. Also, I have not tested the end-to-end scenario of Azure AD Domain Services integration.

With the SCCM CB 1702 technical preview version, you can manage devices that are joined to an Azure Active Directory (AAD) Domain Services managed domain. You can also discover devices, users, and groups in that domain with the various SCCM discovery methods.

Conclusion:-

Is this a full integration between Azure AD and SCCM in all respects? Would SCCM be able to discover devices and users from Azure AD itself? The answer to both questions is NO. This feature enables discovery of devices managed by Azure AD Domain Services. Azure AD is a SaaS identity solution, whereas Azure AD Domain Services is “a domain controller installed inside a virtual server hosted in Azure.”

References :-

  • Use Azure Active Directory Domain Services to manage devices, users, and groups – here
  • Get started with Azure AD Domain Services – here

5 COMMENTS

  1. In the document you are referring to, (https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1702) it says:

    After you set up Configuration Manager to run in Azure AD, you can use the following Active Directory discovery methods to search Azure AD for resources:
    Active Directory System Discovery
    Active Directory User Discovery
    Active Directory Group Discovery

    Yet you claim it’s not possible? Is that because it is in Tech Preview?

    • First of all thank you for the comment. Do you know the difference between “Azure Active Directory Domain Service” and “Azure Active Directory”?

      Azure Active Directory Domain Services = IaaS
      Azure Active Directory = SaaS

      I agree the document could be clearer. But it is clearly mentioned that

      “Use Azure Active Directory Domain Services to manage devices, users, and groups
      With this technical preview version you can manage devices that are joined to an Azure Active Directory (AD) Domain Services managed domain. You can also discover devices, users, and groups in that domain with various Configuration Manager Discovery methods.

      The technical preview site infrastructure, clients, and the Azure AD Domain Services domain must all run in Azure”

  2. Hi Anoop.
    I have CM CB 1702. The status of all features is “on”.
    But I don’t see the “Azure Active Directory” container.
    What must I do?
    Thank you for your help
