How to Build Sync between SCCM Intune Portal | Tenant Attach


Well, the single pane of glass is back for Configuration Manager and Intune customers. With SCCM 2002 or later, you can sync ConfigMgr devices to Intune and act on them from the cloud console. Let’s learn how to build sync between the SCCM and Intune portals. This is also referred to as tenant attach.

Related post by Vimal Das How to Build Tenant attach for Microsoft Endpoint Manager | SCCM | ConfigMgr | Intune

What is Tenant Attach?

Tenant attach connects your SCCM site to Microsoft Intune so that ConfigMgr-managed devices appear in the cloud console (Microsoft Endpoint Manager admin center) and can be troubleshooted from there. It is an on-demand connected architecture: the site uploads device records to the gateway service, and detailed data is requested from the site only when an admin clicks an item in the portal.

Because the connection is on demand, nothing heavy is replicated to the cloud up front; the service connection point answers portal requests as they arrive. This gives help desk teams a better experience, as Rob York and Jason Githens showed in their Ignite presentation.

SCCM Cloud Attach Architecture Diagram (diagram credit: Rob York and Jason Githens’s Ignite presentation)

Tenant Attach is NOT

  • No, tenant attach (device sync) does not replicate the entire Configuration Manager (a.k.a. SCCM) database to Intune.
  • Nay, it is not co-management.
  • Nay, it is not SCCM collection sync to Azure AD groups.
  • Nay, it is not just device sync; you can manage SCCM clients (run client actions) from the Intune portal.

Why Enable Sync Between SCCM Intune Portal

Microsoft’s Ignite presentation lists the business justifications for enabling sync between SCCM and Intune.

Pre Requisites of SCCM Device Sync to Intune

  • Full Administrator (infrastructure admin) rights on the ConfigMgr hierarchy are preferred.
  • Global Administrator on the Azure Active Directory tenant, used once during onboarding. Two Azure AD objects are created automatically during the tenant attach onboarding process:
    • a third-party application under App registrations
    • a first-party service principal
  • An Azure public cloud environment (tenant attach is not available for Government or other sovereign Azure clouds).
  • The user account that triggers device actions from the cloud console must be a hybrid identity:
    • Azure AD Connect must be in place to sync on-prem AD users and groups to Azure AD (if you have Office 365, you are probably already using Azure AD Connect). ConfigMgr authorizes each action against its own role-based administration for that on-prem user, so a cloud-only account cannot run actions.

Firewall Proxy Settings for ConfigMgr Tenant Attach

In a corporate environment you usually need to open firewall ports and update the proxy bypass list. To enable tenant attach, the service connection point must be able to reach the following internet endpoints for the tenant attach scenario, so add them to your allow list.

The protocol and port used for all of the following endpoints is HTTPS (TCP 443).

https://aka.ms/configmgrgateway
https://gateway.configmgr.manage.microsoft.com
https://us.gateway.configmgr.manage.microsoft.com
https://eu.gateway.configmgr.manage.microsoft.com
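Before running the onboarding wizard, it is worth proving from the service connection point itself that these endpoints resolve, are reachable on 443, and take the proxy path you expect. The following PowerShell is an added example, not part of the original post or a Microsoft tool; the endpoint list is the one above, and the only assumption is that the script runs on the service connection point under an account that uses the same system proxy settings as the SMS_EXECUTIVE service.

```powershell
# Added example (not from the original post): pre-flight check for the tenant attach
# endpoints, run on the service connection point. Uses only the four URLs listed above.
$TenantAttachEndpoints = @(
    'https://aka.ms/configmgrgateway',
    'https://gateway.configmgr.manage.microsoft.com',
    'https://us.gateway.configmgr.manage.microsoft.com',
    'https://eu.gateway.configmgr.manage.microsoft.com'
)

function Test-TenantAttachEndpoint {
    param([Parameter(Mandatory)][uri]$Url)

    $hostName = $Url.Host
    $result = [ordered]@{ Url = $Url.AbsoluteUri; Host = $hostName }

    # 1. Name resolution: a blocked resolver or split-brain DNS shows up here first.
    try {
        $dns = Resolve-DnsName -Name $hostName -Type A -ErrorAction Stop
        $result.ResolvesTo = ($dns | Where-Object { $_.Type -eq 'A' } |
                              Select-Object -ExpandProperty IPAddress) -join ','
    } catch {
        $result.ResolvesTo = "FAILED: $($_.Exception.Message)"
    }

    # 2. System proxy decision for this URL. GetProxy() returns the URL itself when
    #    the host is on the bypass list, i.e. it will be contacted directly.
    $proxy = [System.Net.WebRequest]::GetSystemWebProxy().GetProxy($Url)
    $result.Proxy = if ($proxy.AbsoluteUri -eq $Url.AbsoluteUri) { 'direct' } else { $proxy.AbsoluteUri }

    # 3. Raw TCP reachability on 443 straight to the host. In a proxy-only network
    #    this is expected to fail even when step 4 succeeds; read both together.
    $tcp = Test-NetConnection -ComputerName $hostName -Port 443 -WarningAction SilentlyContinue
    $result.Tcp443 = $tcp.TcpTestSucceeded

    # 4. Full HTTPS round trip through the system proxy. Any HTTP status, even 4xx,
    #    proves TLS terminated at the real service; a proxy block or TLS-inspection
    #    certificate problem surfaces as an exception with no status code.
    try {
        $resp = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop
        $result.Https = "HTTP $($resp.StatusCode)"
    } catch {
        $code = $_.Exception.Response.StatusCode.value__
        $result.Https = if ($code) { "HTTP $code" } else { "FAILED: $($_.Exception.Message)" }
    }
    [pscustomobject]$result
}

$TenantAttachEndpoints | ForEach-Object { Test-TenantAttachEndpoint -Url $_ } | Format-Table -AutoSize
```

A row showing `Tcp443 = False` but `Https = HTTP 4xx` is normal in a proxy-only network; a row with `Https = FAILED` and a proxy listed means the proxy (or its TLS inspection) is blocking the gateway host and the bypass list needs updating.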

Enable Tenant Attach

Let’s see how to enable SCCM device sync to cloud console (A.K.A tenant attach).

NOTE! – The following steps apply when co-management has not yet been enabled in the SCCM environment. If co-management is already enabled, open the co-management properties instead and use the Configure Upload tab (see the results section below).

  • Navigate Administration > Overview > Cloud Services > Co-management.
  • Click the Configure Co-management button in the ribbon.
  • On the Tenant onboarding page, select AzurePublicCloud for your environment.
  • Click Sign In. Use the Azure Global Administrator account to sign in.
  • Select Upload to Microsoft Endpoint Manager admin center option on the Tenant onboarding page to enable device sync to the Intune portal.

NOTE! – Only select Enable automatic client enrollment for co-management if you also want to enable co-management. Tenant attach does not require it; leave the option cleared to upload devices without enabling co-management.

  • Click on YES button to create Azure AD applications as mentioned in the pre-requisite checks section.
  • Select the devices to upload to Microsoft Endpoint Manager (Intune portal)
    • Select the “All my devices managed by Microsoft Endpoint Configuration Manager (recommended)” to sync all devices from SCCM to Intune.
  • Complete the Wizard by clicking on CLOSE.

SCCM Tenant Attach Azure Apps

When you enable device sync (tenant attach) from the SCCM 2002 production version, two Azure applications are created automatically in your Azure AD tenant. The onboarding process creates a third-party app (visible under App registrations) and a first-party service principal.

From the SCCM console, you can see the application under Administration > Cloud Services > Azure Active Directory Tenants.

Active Directory Apps – Sync Between SCCM Intune Portal
  • In the Azure portal, check Azure Active Directory > App registrations to confirm the ConfigMgrSvc_* applications were created.

From the Azure portal, you can check the two applications under the Azure Active Directory > App registrations > All applications blade: a third-party app and a first-party service principal.

  • ConfigMgrSvc_6cf7c923
  • ConfigMgrSvc_94b2529e

Azure Apps Permissions for Tenant Attach

The two applications above, and their respective permissions, are created automatically during device sync (tenant attach) configuration. No manual intervention is required. Since these objects carry the credentials and permissions your site uses to talk to the gateway, it is still worth recording their app IDs and checking periodically that nothing else has been granted or added.

Tenant Attach Azure AD App Permission – Sync Between SCCM Intune Portal
Scopes Defined by Tenant Attach API – Sync Between SCCM Intune Portal
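Clicking through the portal works once, but the apps created here hold credentials and permissions on behalf of your site, so a repeatable audit is useful. The script below is an added example, not from the original post or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed (`Install-Module Microsoft.Graph`), an account with at least Application.Read.All, and that the apps keep the `ConfigMgrSvc_` display-name prefix shown above (the hex suffix differs per site).

```powershell
# Added example (not from the original post): report on the Azure AD app registrations
# that tenant attach onboarding created, so unexpected apps, owners or credential
# expiry can be spotted. Assumes Microsoft.Graph PowerShell and Application.Read.All.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

function Get-TenantAttachAppReport {
    param([string]$Prefix = 'ConfigMgrSvc_')   # naming shown in the post; assumed stable

    $apps = @(Get-MgApplication -Filter "startswith(displayName,'$Prefix')" -All)

    # Onboarding creates exactly two objects; any other count deserves a look.
    if ($apps.Count -ne 2) {
        Write-Warning "Expected 2 '$Prefix*' applications, found $($apps.Count)."
    }

    foreach ($app in $apps) {
        # Owners can add credentials to the app, so they are part of its trust boundary.
        $owners = Get-MgApplicationOwner -ApplicationId $app.Id -All | ForEach-Object {
            if ($_.AdditionalProperties['userPrincipalName']) { $_.AdditionalProperties['userPrincipalName'] } else { $_.Id }
        }

        # Secrets/certificates the site uses to authenticate to the gateway. Expiry here
        # is the cause you will later see as a silently stopped upload.
        $creds = @($app.PasswordCredentials) + @($app.KeyCredentials) | ForEach-Object {
            $name = if ($_.DisplayName) { $_.DisplayName } else { 'credential' }
            '{0} (expires {1:yyyy-MM-dd})' -f $name, $_.EndDateTime
        }

        # Requested permissions, grouped per resource API (the screenshots above show these).
        $perms = foreach ($rra in $app.RequiredResourceAccess) {
            '{0}: {1} permission(s)' -f $rra.ResourceAppId, @($rra.ResourceAccess).Count
        }

        [pscustomobject]@{
            DisplayName = $app.DisplayName
            AppId       = $app.AppId
            Created     = $app.CreatedDateTime
            Owners      = ($owners -join ', ')
            Credentials = ($creds -join '; ')
            Permissions = ($perms -join '; ')
        }
    }
}

Get-TenantAttachAppReport | Format-List
```

Keep the output from the day of onboarding; a later run that shows an extra owner, a third `ConfigMgrSvc_*` app, or a credential you did not rotate is the kind of drift that is easy to miss in the portal.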

Results

SCCM Console End Results

  • Open the properties of the SCCM co-management configuration.
    • Click the Configure Upload tab to check and confirm whether device sync (upload to Microsoft Endpoint Manager admin center) is enabled.
Click on Configure Upload to check and confirm – Sync Between SCCM Intune Portal

Intune Portal (Microsoft Endpoint Manager Admin Center)

Let’s have a look at the results of SCCM 2002 tenant attach or device sync options.

Co-Managed with Intune and ConfigMgr – Device Sync from SCCM – Intune Managed – Build Sync between SCCM Intune Portal

Logs Related to Tenant Attach

Use the following logs, located on the service connection point, to troubleshoot tenant attach:

  • CMGatewaySyncUploadWorker.log – records the upload of device records from the site to the gateway service.
  • CMGatewayNotificationWorker.log – records notifications and device actions received from the cloud console.
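Both logs use the standard CMTrace entry format, which is awkward to grep because every entry is a single `<![LOG[...]LOG]!><time=... type=...>` record and messages may span lines. The parser below is an added example, not part of the original post or of Configuration Manager; the two sample entries are constructed here with invented message text purely to exercise the parser, and the log directory in the usage comment is the default install path, which you should adjust to your own.

```powershell
# Added example (not from the original post): parse CMTrace-format log entries such as
# those in CMGatewaySyncUploadWorker.log and CMGatewayNotificationWorker.log into objects,
# so warnings and errors can be filtered. Sample entries below are constructed.
function ConvertFrom-CMTraceLog {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Text)
    process {
        # One entry = <![LOG[message]LOG]!><time="HH:mm:ss.fff+off" date="MM-dd-yyyy" component="..."
        #             context="" type="N" thread="N" file="...">. (?s) lets a message span lines.
        $rx = '(?s)<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+' +
              'component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"\s+thread="(?<thread>\d+)"'

        foreach ($m in [regex]::Matches($Text, $rx)) {
            # Drop the UTC-offset suffix (+000, -420) before parsing the clock value.
            $clock = $m.Groups['time'].Value -replace '[+-]\d+$', ''
            $stamp = [datetime]::ParseExact("$($m.Groups['date'].Value) $clock",
                                            'MM-dd-yyyy HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
            [pscustomobject]@{
                Time      = $stamp
                Severity  = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }[$m.Groups['type'].Value]
                Component = $m.Groups['comp'].Value
                Thread    = [int]$m.Groups['thread'].Value
                Message   = $m.Groups['msg'].Value.Trim()
            }
        }
    }
}

# Constructed sample entries (message wording invented for the example).
$sample = @'
<![LOG[Starting upload of device data to the gateway]LOG]!><time="10:15:32.101+000" date="05-20-2020" component="CMGatewaySyncUploadWorker" context="" type="1" thread="4120" file="">
<![LOG[Failed to send device data: The remote name could not be resolved: 'gateway.configmgr.manage.microsoft.com'
Retrying on next cycle]LOG]!><time="10:15:48.544+000" date="05-20-2020" component="CMGatewaySyncUploadWorker" context="" type="3" thread="4120" file="">
'@

$sample | ConvertFrom-CMTraceLog | Where-Object Severity -ne 'Info' |
    Format-Table Time, Severity, Component, Message -AutoSize -Wrap

# Live use on the service connection point (default install path assumed; adjust to yours):
# Get-Content 'C:\Program Files\Microsoft Configuration Manager\Logs\CMGatewaySyncUploadWorker.log' -Raw |
#     ConvertFrom-CMTraceLog | Where-Object Severity -ne 'Info'
```

Reading the whole file with `-Raw` rather than line by line is what keeps multi-line messages (stack traces, returned JSON) attached to their entry; filtering on `Severity` then shows only the type 2 and type 3 records that matter during troubleshooting.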
