ConfigMgr SCCM Setup Co-Management CMG Azure Cloud Services

The Cloud Management Gateway (CMG) provides a simple way to manage SCCM clients on the internet. The CMG is a PaaS (Platform As A Service) solution in Azure. So, we don’t need to maintain the servers in the Azure platform, unlike Azure IaaS (Infrastructure As A Service) solution.

We need to set up and configure Azure Cloud Services within SCCM before implementing Co-Management CMG.

Co-Management Related Posts

All Co Management Video Tutorial in one post here.

Patch My PC
Overview Windows 10 Co-Management with Intune and SCCM 
Custom Report to Identify Machines Connected via SCCM CMG  
How to Setup Co-Management - Introduction - Prerequisites Part 1 
How to Setup Co-Management - Firewall Ports Proxy Requirements Part 2 
Setup Co-Management - AAD Connect UPN Suffix Part 3 
Setup Co-Management - CA PKI & Certificates Part 4 
Setup Co-Management Cloud DP Azure Blob Storage Part 5 
Setup Co-Management Azure Cloud Services CMG Part 6 (This Post)
SCCM Configure Settings for Client PKI certificates Part 7
How to Setup SCCM Co-Management to Offload Workloads to Intune - Part 8
How to Deploy SCCM Client from Intune - Co-Management - Part 9
End User Experience of Windows 10 Co-Management - Part 10

Co-Management CMG Requirements

Co-Management CMG is not a prerequisite for all the SCCM Co-Management scenarios. However,  CMG is required for the scenario where you want to install SCCM client from the internet. SCCM Cloud Management Gateway (CMG) & CDP are required for the situation mentioned above.

  • Azure subscription with Azure Admin access to host the CMG
  • Azure Cloud Services Configured within SCCM (Azure AD User Discovery – for some authentication scenarios)
  • Azure Web and Client applications (Part of Azure Cloud Services)
  • Azure Resource Manager (ARM) SCCM 1802 or later to avoid Azure Management certificates
  • Client Authentication Certificate – Root Cert and Intermediate/Issuing certificates (PKI or Public Certificates)
  • Server Authentication Certificate (Web Server Template & Custom web server certificate with CMG/CDP CNAME)
  • The service connection point must be in online mode

I would recommend reading CMG Prerequisite and Certificate requirements before implementing Co-Management CMG setup.

Video Step by Step Guide to Setup Cloud Management Gateway

Watch this video on YouTube.

Setup Azure Services – Cloud Management

I would recommend going through and configure Azure services cloud management before proceeding with CMG configuration. Use the Azure Services Wizard to simplify the process of setting up the Azure cloud services you use with SCCM. I have also explained this in the video tutorial.

1E Nomad

Azure Services configuration wizard provides a standard configuration experience by using Azure Active Directory (Azure AD) web app registrations. This wizard creates Web and Client (native) applications to subscription & configuration details, & authenticate communications with Azure AD.

Cloud Management: This service enables the SCCM site and clients to authenticate by using Azure AD. This authentication allows for other scenarios, such as:

Install and assign SCCM Windows 10 clients using Azure AD for authentication
Configure Azure AD User Discovery
Support specific Cloud Management Gateway scenarios

Configure Azure Services

This wizard helps you deploy and configure Azure services through SCCM. I have explained the same in the Video Tutorial as well.

Navigate via \Administration\Overview\Cloud Services\Azure Services – Click on Configure Azure Services button from the ribbon menu.

1. Select an Azure service and specify the name, description:-

Name:- ACN Azure Cloud Services
Description:- Any meaning full description

2. Select Cloud Management and click on NEXT button to proceed further

Note - Deploying the Azure service for Cloud Management enables SCCM clients to 
authenticate with the site using Azure AD. You can also enable discovery 
for Azure AD resources for this tenant.

3. Select AzurePublicCloud as Azure Environment from App properties page

4. Create a new WEB APP in Azure for Authentication (Server App for SCCM). Add an application that represents a web application, a web API, or both.

Server App – Select a from the list of available server apps to configure Azure services. You can also import or create a server app. In this scenario, I opted to create new Server Application.

Specify an application details and sign in with AAD admin credentials to create application in the Azure Active Directory

Application Name: ACNCloudServiceAnoopC
HomePage URL: https://ConfigMgrService1
App ID URI: https://ConfigMgrService1
Secret Key Validity Period: 1 Year
Azure AD Admin Account: Sign in - Signed in successfully!
Azure AD Tenant Name: ANOOPC
Co-Management CMG Azure Cloud Services

5. Create NATIVE Client APP. A native client is an application that can be installed on a user’s device or computer. To Create Client Application Specify application details and sign in with AAD admin credentials to create an application in the Azure Active Directory.

Application Name: ACN CloudService AnoopC
Reply URL: https://ConfigMgrClient1
Azure AD Admin Account: Sign in - Signed in successfully!
Tenant Friendly Name: ANOOPC
App Friendly Name: ACN CloudService AnoopC
Service Type: Blank

6. Enable Azure AD Discovery on Configure Discovery Settings page. Click on settings button to check and configure advanced options of AAD Discovery.

Azure AD User Discovery – Configure the settings to discover resources in the Azure AD. When resources are discovered, SCCM creates records in the SCCM DB for the resources and their associated information.

We need to enable Azure AD discovery to enable AAD authentication scenario in SCCM. If you want SCCM to authenticate the AAD user, you need have the user discovered first.

You need to provide/grand appropriate permissions for WEB (Server) application on Azure as I showed in the video tutorial.

Setup Co-Management CMG (Cloud Management Gateway)

Before the start of Co-management CMG setup, make sure that all the prerequisites and certs are readily available with you. I have also explained this in video tutorial.

  1. Navigate via SCCM CB console –  \Administration\Overview\Cloud Services\Cloud Management Gateway
  2. Click on Create Cloud Management Gateway icon in the ribbon menu
  3. Select Azure Environment as AzurePublicCloud on Specify details of this cloud service page
NOTE - Specify the Azure environment and the deployment method for the cloud 
service. Provide Azure subscription ID, the management certificate or 
Azure AD administrator credentials to proceed.

4. Choose how you want to deploy your cloud Service –  Azure Resource Manager (ARM) deployment 

Note:- Please sign in as administrator account to access your Azure subscription. 
SCCM will obtain the subscription information, and contribute permission 
that are required for deploying the service.
Subscription Admin Account: Sign In
Subscription ID: Automatically get populated once you logged in with Azure admin account 
Azure AD App Name: ACNCloudServiceAnoopC (WEB/Server Application which we created (above) will automatically get populated)
Azure AD Tenant: ANOOPC (Automatically get populated once you logged in with Azure admin account)

5. Specify Additional Details for the cloud Service (CMG) page

Service Name:  ACMCMG01 Automatically get populated based on the CName mentioned in the certificate. You won’t be able to change it. To change the service name, you need to create a new WEB certificate as explained in the previous blog.

Description: Useful information to identify the CMG instance if you have more than one CMGRegion: South Central US
Resource Group: ACNCMGCDP. Click on Create New radio button above and give it a meaningful name

VM Instance: 1 (depending on your requirement)

Co-Management CMG

Select the CMG PFX file created for CMG in the previous post about creating certs. We need to specify a server PKI certificate for this cloud service.

Certificate File: Select the PFX file created for CMG in the previous post. Enter the password for PFX certificate. Service Name, Service FQDN will automatically get populated once you have uploaded the PFX cert successfully.

Service FQDN: This details will get populated automatically as I mentioned above.

Specify security settings for authenticating client connections through CMG (Cloud Management Gateway).

Certificates uploaded to the cloud services: Click on Certificates button to upload Root CA and Intermediate/Issuing CA certs. I have only root CA in the chain of certs. Click on Add to upload certificates to the cloud service.

Remove “Verify Client Certificate Revocation” check box when you have not published CRL to internet. I would recommend to publish CRL to internet to have more secure PKI. However I don’t use this for my lab environment.

Sample Configuration Details of SCCM Cloud Management Gateway (CMG) Wizard

• Subscription ID: dda75f69a-5a3b-4ecd-b385-db1223e9549873
• Azure AD application: ACNCloudServiceAnoopc
• Service Name: ACMCMG01
• Description:
• Primary Site: Primary CB 2 (PR3)
• Region: South Central US
• Resource group: ACNCMGCDP
• Service Certificate:\\dc1\Sources\Certs\ACNCMG01.pfx
• Number of Instances: 1
• Root Certificate: 681B323ghdAC90E2523489898HUD7C0E4015E812;
• Verify client certificate revocation enabled:True
• Outbound Data Transfer Threshold:Enabled
• Outbound Data Transfer Threshold:10000 GB
• Outbound data transfer Warning alert level: 50%
• Outbound data transfer Critical alert level: 90%

Setup Co-Management – Cloud Management Gateway Connector

The CMG connection point is the SCCM site system role for communicating with the CMG and on-prem components like MP/SUP. I have also explained this in video tutorial.

Add new Site System Role – Select a server to use as a site system. When you have only one site system – Click NEXT

System Role Selection – Specify roles for this server – Select Cloud Management Gateway Connection Point

Specify the Cloud Management Gateway Connection Point settings. When you have more than one CMG in your SCCM environment, you can select relevant one from the drop down option. For me, it’s only one CMG.

Cloud Management Gateway Name: ACMCMG01.CLOUDAPP.NET
Region: South Central US

Install client authentication purpose certificate manually for CMG connection point to communicate with client facing site roles in HTTPS mode.

Azure Portal experience Co-Management CMG

Login to Azure Portal and click on Subscriptions – Resource Groups – ACMCMG01

There will be 2 (two) services associated with Resource Group which we create from SCCM console. More details available in the video tutorial.

1. ACMCMG01 PaaS server for CMG service
2. acmcmg01 storage account for CMG

Click on PaaS server ACMCMG01 to check the details and you can also login to the server and check (there is no need to login and check in normal scenarios).

SCCM Cloud Management Gateway CMG Log Files

The following table lists the log files that contain information related to the cloud management gateway.

Log nameDescriptionComputer with log file
CloudMgr.logRecords details about deploying the cloud management gateway service, ongoing service status, and use data associated with the service. You can configure the logging level be editing the Logging level value in the registry key HKLM\SOFTWARE\ Microsoft\SMS\COMPONENTS\ SMS_CLOUD_ SERVICES_MANAGERThe installdir folder on the primary site server or CAS.
CMGSetup.log1Records details about the second phase of the cloud management gateway deployment (local deployment in Azure) You can configure the logging level using the setting Trace level (Information (Default), VerboseError) on the Azure portal\Cloud services configuration tab.The %approot%\logs on your Azure server, or the SMS/Logs folder on the site system server
CMGHttpHandler.log1Records details about the cloud management gateway http handler binding with Internet Information Services in Azure You can configure the logging level using the setting Trace level (Information (Default), VerboseError) on the Azure portal\Cloud services configuration tab.The %approot%\logs on your Azure server, or the SMS/Logs folder on the site system server
CMGService.log1Records details about the cloud management gateway service core component in Azure You can configure the logging level using the setting Trace level (Information (Default), VerboseError) on the Azure portal\Cloud services configuration tab.The %approot%\logs on your Azure server, or the SMS/Logs folder on the site system server
SMS_Cloud_ ProxyConnector.logRecords details about setting up connections between the cloud management gateway service and the cloud management gateway connection point.Site system server


2 thoughts on “ConfigMgr SCCM Setup Co-Management CMG Azure Cloud Services”

  1. Hi,
    Is it possible to join a w10 to only AAD (with automatic Intune enrollment) and install the configmgr client on it via the install string thats displayed during co-mgmt configuration? Of we try this the configmgr client never initialize. On technet rendement is hybrid aad joined so i presume it will not work for pure aad joined/Intune devices, correct?

  2. Hi there,
    If we are using a 3rd Party DigiCert certificate for the cloud service, do we still need to upload our internal root cert as in section:
    Specify security settings for authenticating client connections through Cloud Management Gateway
    Our computers are all connected to on prem AD.


Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.