Video Tutorial How to Setup SCCM Azure AD User Discovery


SCCM 1706 and later versions let you discover Azure Active Directory users. Azure AD user discovery is what allows SCCM to target applications to Azure AD users, which in turn makes app deployment to AAD users possible in a co-management scenario. It is configured from the Administration workspace under Cloud Services, using the Cloud Management Azure service. In this post, we will see how to set up SCCM Azure AD User Discovery, with a video tutorial.

Watch the video tutorial on what SCCM Azure AD User Discovery is here.

Topics Covered in this post

What is SCCM Azure AD User Discovery?
Where are the Azure AD User Discovery configurations?
How to Create Azure Server and Client Apps from SCCM console?
How to Configure Azure AD User Discovery Settings?
Permission Required for SCCM Azure AD User Discovery
Troubleshooting - SCCM Azure AD User Discovery - Issues

What is SCCM Azure AD User Discovery?

SCCM Azure AD user discovery is the discovery method that finds user objects in Azure AD. The discovered users are stored as user resource records in the SCCM database. This gives SCCM visibility into Azure AD user properties, and SCCM uses that visibility to target applications to Azure AD users.

Where are the Azure AD User Discovery configurations?

In the SCCM console, navigate to Administration – Cloud Services – Azure Services and create an Azure service of type Cloud Management. You don’t have to go to the Azure portal to create the server and client applications. The Azure Services Wizard in the SCCM console creates the apps in Azure AD for you and lets you configure the Azure AD User Discovery schedule.


How to Create Azure Server and Client Apps from SCCM console?

As part of configuring Azure AD user discovery, we need connectivity between the on-prem SCCM CB site server and Azure AD. This is done through an Azure server app and an Azure client app (their permissions are covered in a later section). We create these apps with the Azure Services Wizard in the SCCM console.

The Azure apps must be created with Azure AD admin credentials. Once you have authenticated to Azure AD, SCCM creates the two apps shown in the following screenshot.

Creating the applications is a straightforward process, as you can see in the video tutorial. Enter an Application Name, a Home Page URL and an App ID URI. The Home Page URL and App ID URI do not need to point to a working site; any well-formed URL is fine. The secret key validity period used here is 1 year; sign in with an Azure AD admin account to create the apps. Note the expiry date of the secret key: once it expires, the discovery sync can no longer acquire an access token and stops until the key is renewed.

The Azure AD tenant name is populated automatically once you have authenticated to Azure AD. The server where the SCCM console is installed needs an internet connection to reach Azure AD.


How to Configure Azure AD User Discovery Settings?

Unlike SCCM Active Directory user discovery, there is no option to select a particular OU (or any subset of users) when configuring Azure AD user discovery. Azure AD user discovery runs against the entire tenant.

The Azure Services Wizard has an option to enable Azure AD user discovery. Configure the settings to discover users in the Azure AD tenant; as resources are discovered, SCCM CB creates records for them in its own database.

There are two options for SCCM Azure AD user discovery Schedule.

Full Azure AD User Discovery
Delta Azure AD User Discovery

The default full Azure AD user discovery schedule is every 7 days, and the default delta discovery interval is 5 minutes. Delta discovery finds users in Azure AD that are new or modified since the last discovery cycle.

Permission Required for SCCM Azure AD User Discovery

The wizard has created two Azure apps (server and client) in the Azure AD App registrations blade. Select the server application, click Settings and then Required permissions.

Click Grant Permissions to give SCCM the consent it needs to discover Azure AD users. Granting consent requires an Azure AD admin; review the listed permissions before granting so the apps receive only what the wizard requested. Repeat the same steps for the client application.



Troubleshooting – SCCM Azure AD User Discovery – Issues

SMS_AZUREAD_DISCOVERY_AGENT.log, in the Logs folder on the site server, is where you trace the details of Azure AD User Discovery. The excerpts below show what a full sync and a delta sync look like.

Full Azure AD User Discovery Sync – Details

Initializing Task Execution Manager instance as SMS_AZUREAD_DISCOVERY_AGENT. $$<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:22.056-330><thread=4184 (0x1058)>
Starting component SMS_AZUREAD_DISCOVERY_AGENT~~ $$<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:22.165-330><thread=4184 (0x1058)>
Component SMS_AZUREAD_DISCOVERY_AGENT started successfully.~~ $$<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:22.712-330><thread=4184 (0x1058)>
Azure AD Discovery Worker starts.~~ $$<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:27.353-330><thread=4204 (0x106C)>
Subscribing to Registry Hive: LocalMachine, KeyPath: SOFTWARE\Microsoft\SMS\COMPONENTS\SMS_AZUREAD_DISCOVERY_AGENT, FilterType: ValueChange, WatchSubTree: False~~ $$<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:27.369-330><thread=4204 (0x106C)>
Registry Watcher started~~ $$<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:27.385-330><thread=4204 (0x106C)>
Successfully subscribed listener to registry key.~~ $$<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:27.385-330><thread=4204 (0x106C)>
AAD sync manager for cloud service ID=16777217 started. ~~ $$<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:44.541-330><thread=4204 (0x106C)>
Full sync for cloud service ID=16777217 will start immediately. ~~ $$<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:44.604-330><thread=4204 (0x106C)>
Graph API version changed to 1.6~~ $$<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:45.510-330><thread=4204 (0x106C)>
Query batch size changed to 100~~ $$<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:45.526-330><thread=4204 (0x106C)>
Max Json length changed to 33554432~~ $$<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:45.572-330><thread=4204 (0x106C)>
AAD full sync initialized for tenant 67bb8c6d-7266-4faa-a290-5edd572c2210, with server app 7f81b297-e94e-4767-b44a-b0a191f32989.~~ $$<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:46.416-330><thread=4204 (0x106C)>
ERROR: Sync request failed. Error: Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: Service returned error. Check

Delta Azure AD User Discovery sync – Details

INFO: UDX was written for user [email protected] - C:\Program Files\Microsoft Configuration Manager\inboxes\auth\ddm.box\userddrsonly\___mrxm4stp.UDX at 06-11-2017 16:10:11.~~ $$<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:10:11.412-330><thread=2552 (0x9F8)>
Successfully published UDX for Azure Active Directory users.~~ $$<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:10:11.453-330><thread=2552 (0x9F8)>
Total AAD Users Found: 1. Total AAD User Record Created: 1~~ $$<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:10:11.536-330><thread=2552 (0x9F8)>
AAD delta sync completed successfully at 16:10:11. ~~ $$<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:10:11.612-330><thread=2552 (0x9F8)>
Next DELTA sync for cloud service 16777217 will start at 11/06/2017 16:15:11.~~ $$<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:10:11.665-330><thread=2552 (0x9F8)>
AAD delta sync initialized for tenant 67bb8c6d-7266-4faa-a290-5edd572c2210, with server app 7f81b297-e94e-4767-b44a-b0a191f32989.~~ $$<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:15:11.763-330><thread=2552 (0x9F8)>
Successfully acquired access token for server app. ~~ $$<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:15:11.866-330><thread=2552 (0x9F8)>
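The log lines above are in the standard CMTrace format: the message, then `$$<component><local date and time with UTC bias><thread>`. The following PowerShell is an added example, not code from the original post or from Microsoft, that parses lines of this shape and summarises a discovery run: it pulls out the tenant and server app IDs (to check against the app registrations), the user counts, any ERROR lines, and the scheduled gap to the next delta sync so you can confirm the 5-minute default is in effect. The sample lines are constructed from the excerpts quoted above (the ERROR line is shortened), and the log path in the trailing comment is the default install location, which is an assumption.

```powershell
# Added example, not code from the original post. Parses CMTrace-format lines
# from SMS_AZUREAD_DISCOVERY_AGENT.log and summarises the last Azure AD user
# discovery sync. The sample lines below are CONSTRUCTED from the excerpts in
# this post (the ERROR line is shortened); point Get-Content at the real log
# on the site server instead.

function ConvertFrom-CMTraceLine {
    # One line has the shape:
    #   <message>~~ $$<component><MM-dd-yyyy HH:mm:ss.fff(+|-)bias><thread=N (0xN)>
    # 'bias' is minutes to ADD to local time to get UTC, so IST (UTC+5:30)
    # is written as -330 and US Pacific (UTC-8) as +480.
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        if (-not ($Line -match '^(?<msg>.*?)(?:~~)?\s*\$\$<(?<comp>[^>]+)><(?<stamp>[^>]+)><thread=(?<thread>\d+)')) { return }
        # Copy the captures out before the next -match overwrites $Matches.
        $msg    = $Matches['msg'].Trim()
        $comp   = $Matches['comp']
        $stamp  = $Matches['stamp']
        $thread = [int]$Matches['thread']
        if (-not ($stamp -match '^(?<dt>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})(?<bias>[+-]\d+)$')) { return }
        $local = [datetime]::ParseExact($Matches['dt'], 'MM-dd-yyyy HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
        [pscustomobject]@{
            LocalTime = $local
            UtcTime   = $local.AddMinutes([int]$Matches['bias'])
            Component = $comp
            Thread    = $thread
            IsError   = $msg.StartsWith('ERROR:')
            Message   = $msg
        }
    }
}

function Get-AadDiscoverySummary {
    param([Parameter(Mandatory)][object[]]$Entries)
    $s = [ordered]@{
        TenantId = $null; ServerAppId = $null
        UsersFound = $null; RecordsCreated = $null
        LastCompleted = $null; NextDeltaSync = $null
        DeltaIntervalMinutes = $null
        Errors = @()
    }
    foreach ($e in $Entries) {
        $m = $e.Message
        if ($e.IsError) { $s.Errors += $m; continue }
        if ($m -match 'sync initialized for tenant (?<t>[0-9a-f-]{36}), with server app (?<a>[0-9a-f-]{36})') {
            $s.TenantId = $Matches['t']; $s.ServerAppId = $Matches['a']
        }
        elseif ($m -match 'Total AAD Users Found: (?<f>\d+)\. Total AAD User Record Created: (?<c>\d+)') {
            $s.UsersFound = [int]$Matches['f']; $s.RecordsCreated = [int]$Matches['c']
        }
        elseif ($m -match 'sync completed successfully') {
            $s.LastCompleted = $e.LocalTime
        }
        elseif ($m -match 'Next DELTA sync for cloud service \d+ will start at (?<n>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})') {
            $s.NextDeltaSync = [datetime]::ParseExact($Matches['n'], 'MM/dd/yyyy HH:mm:ss', [cultureinfo]::InvariantCulture)
        }
    }
    # Scheduled gap between the last completed delta and the next one; the
    # wizard default is 5 minutes, so anything else means the schedule was changed.
    if ($s.LastCompleted -and $s.NextDeltaSync) {
        $s.DeltaIntervalMinutes = [math]::Round(($s.NextDeltaSync - $s.LastCompleted).TotalMinutes)
    }
    [pscustomobject]$s
}

# CONSTRUCTED sample, built from the log excerpts quoted in this post.
$SampleLog = @'
Successfully published UDX for Azure Active Directory users.~~ $$<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:10:11.453-330><thread=2552 (0x9F8)>
Total AAD Users Found: 1. Total AAD User Record Created: 1~~ $$<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:10:11.536-330><thread=2552 (0x9F8)>
AAD delta sync completed successfully at 16:10:11. ~~ $$<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:10:11.612-330><thread=2552 (0x9F8)>
Next DELTA sync for cloud service 16777217 will start at 11/06/2017 16:15:11.~~ $$<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:10:11.665-330><thread=2552 (0x9F8)>
AAD delta sync initialized for tenant 67bb8c6d-7266-4faa-a290-5edd572c2210, with server app 7f81b297-e94e-4767-b44a-b0a191f32989.~~ $$<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:15:11.763-330><thread=2552 (0x9F8)>
Successfully acquired access token for server app. ~~ $$<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:15:11.866-330><thread=2552 (0x9F8)>
ERROR: Sync request failed. Error: Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: Service returned error.~~ $$<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:47.002-330><thread=4204 (0x106C)>
'@

$entries = $SampleLog -split "`r?`n" | ConvertFrom-CMTraceLine
Get-AadDiscoverySummary -Entries $entries | Format-List

# Against the real log (default install path; adjust to your site server):
# Get-Content 'C:\Program Files\Microsoft Configuration Manager\Logs\SMS_AZUREAD_DISCOVERY_AGENT.log' |
#     ConvertFrom-CMTraceLine | Where-Object IsError
```

On the sample above the summary reports the tenant and server app IDs from the log, 1 user found and 1 record created, a DeltaIntervalMinutes of 5, and one ERROR entry. If the tenant or server app ID in the log does not match the app registration you granted permissions to, or if the ERROR lines mention token acquisition, the first things to check are the secret key expiry and whether consent was actually granted on the server app.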
