How to Setup SCCM Azure AD User Discovery | ConfigMgr

Let’s learn how to set up SCCM Azure AD User Discovery in ConfigMgr. The Azure Active Directory user discovery feature was added to SCCM in version 1706 and is available in later versions.

Azure AD user discovery helps deploy applications to Azure AD users; in particular, it enables deploying apps to Azure AD users in a co-management scenario.

Azure AD User Discovery is configured from the Administration workspace under Cloud Management. In this post, we will see a video tutorial on how to set up SCCM Azure AD User Discovery.

Video – How to Setup SCCM Azure AD User Discovery | ConfigMgr

Let’s go through the video walkthrough of the Azure AD user discovery setup in SCCM.

How to Configure Azure Active Directory User Discovery with SCCM – YouTube

What is SCCM Azure AD User Discovery?

SCCM Azure AD user discovery is the process of discovering users from Azure AD. The details of the discovered Azure AD users are stored in the SCCM database.

This provides deeper visibility into Azure AD user properties, and SCCM can use that visibility to target applications to Azure AD users.

Where are Azure AD User Discovery Configurations?

In the SCCM console, navigate to Administration – Cloud Services – Azure Services – Cloud Management. You don’t have to go to the Azure portal to create the server and client applications.

Rather, the following SCCM Azure service Wizard helps create apps in Azure and schedule the Azure AD User Discovery configurations.

How to Create Azure Server and Client Apps from the SCCM console?

As part of the Azure AD user discovery process, we need to create connectivity between the on-prem SCCM CB server and Azure AD.

This is done through Azure server-side and client-side applications (more details in the section below). We can create these apps with the Azure Services Wizard in the SCCM console.

We need to create the Azure apps using Azure AD admin credentials. Once you have successfully authenticated with Azure AD, SCCM helps create the two apps shown in the following screenshot.

Creating the applications is a straightforward process, as seen in the video tutorial. Enter the application name, home page URL and App ID URI; any URL is fine, as it does not need to be a working URL. The secret key validity period is 1 year, and the Azure AD admin account signs in.

The Azure AD tenant name populates automatically once you authenticate with Azure AD. The server running the SCCM console needs an internet connection.

Watch Video Tutorial to get more details about SCCM Azure AD User Discovery

How to Configure Azure AD User Discovery Settings?

Unlike SCCM Active Directory discovery, there is no option to select a particular OU when configuring SCCM Azure AD user discovery; Azure AD user discovery runs for the entire tenant.

The Azure Services Wizard has an option to enable Azure AD discovery settings. Configure the settings to discover resources in Azure AD; when resources are discovered, SCCM CB creates records for them in its database.

There are two options for the SCCM Azure AD user discovery Schedule.

  • Full Azure AD User Discovery
  • Delta Azure AD User Discovery

By default, full Azure AD user discovery runs every 7 days, and the delta discovery interval is 5 minutes. Delta discovery finds resources in Azure AD that are new or modified since the last discovery cycle.

Permission Required for SCCM Azure AD User Discovery

We have created two Azure apps (server and client) in the Azure App Registration blade. Select the server application, click Settings and select Required Permissions.

Click Grant Permissions to give SCCM access to discover Azure AD users. Repeat the same steps for the client application.


Troubleshooting – SCCM Azure AD User Discovery – Issues

SMS_AZUREAD_DISCOVERY_AGENT.log is where you can trace the details of Azure AD User Discovery.

Full Azure AD User Discovery Sync – Details

Full sync details of Azure AD user discovery are recorded in SMS_AZUREAD_DISCOVERY_AGENT.log.

Initializing Task Execution Manager instance as SMS_AZUREAD_DISCOVERY_AGENT. $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:22.056-330><thread=4184 (0x1058)>
Starting component SMS_AZUREAD_DISCOVERY_AGENT~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:22.165-330><thread=4184 (0x1058)>
Component SMS_AZUREAD_DISCOVERY_AGENT started successfully.~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:22.712-330><thread=4184 (0x1058)>
Azure AD Discovery Worker starts.~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:27.353-330><thread=4204 (0x106C)>
Subscribing to Registry Hive: LocalMachine, KeyPath: SOFTWARE\Microsoft\SMS\COMPONENTS\SMS_AZUREAD_DISCOVERY_AGENT, FilterType: ValueChange, WatchSubTree: False~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:27.369-330><thread=4204 (0x106C)>
Registry Watcher started~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:27.385-330><thread=4204 (0x106C)>
Successfully subscribed listener to registry key.~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:27.385-330><thread=4204 (0x106C)>
AAD sync manager for cloud service ID=16777217 started. ~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:44.541-330><thread=4204 (0x106C)>
Full sync for cloud service ID=16777217 will start immediately. ~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:44.604-330><thread=4204 (0x106C)>
Graph API version changed to 1.6~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:45.510-330><thread=4204 (0x106C)>
Query batch size changed to 100~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:45.526-330><thread=4204 (0x106C)>
Max Json length changed to 33554432~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:45.572-330><thread=4204 (0x106C)>
AAD full sync initialized for tenant 67bb8c6d-7266-4faa-a290-5edd572c2210, with server app 7f81b297-e94e-4767-b44a-b0a191f32989.~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:46.416-330><thread=4204 (0x106C)>
ERROR: Sync request failed. Error: Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: Service returned error. Check

Delta Azure AD User Discovery sync – Details

Let’s find out more details from the log file SMS_AZUREAD_DISCOVERY_AGENT.log.

INFO: UDX was written for user [email protected] - C:\Program Files\Microsoft Configuration Manager\inboxes\auth\ddm.box\userddrsonly\___mrxm4stp.UDX at 06-11-2017 16:10:11.~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:10:11.412-330><thread=2552 (0x9F8)>
Successfully published UDX for Azure Active Directory users.~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:10:11.453-330><thread=2552 (0x9F8)>
Total AAD Users Found: 1. Total AAD User Record Created: 1~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:10:11.536-330><thread=2552 (0x9F8)>
AAD delta sync completed successfully at 16:10:11. ~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:10:11.612-330><thread=2552 (0x9F8)>
Next DELTA sync for cloud service 16777217 will start at 11/06/2017 16:15:11.~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:10:11.665-330><thread=2552 (0x9F8)>
AAD delta sync initialized for tenant 67bb8c6d-7266-4faa-a290-5edd572c2210, with server app 7f81b297-e94e-4767-b44a-b0a191f32989.~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:15:11.763-330><thread=2552 (0x9F8)>
Successfully acquired access token for server app. ~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:15:11.866-330><thread=2552 (0x9F8)>
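As an added example that is not part of the original post and not Microsoft's code, here is a small Python parser for the SMS_AZUREAD_DISCOVERY_AGENT.log line layout seen in both the full-sync and delta-sync excerpts above; it reports which sync ran, any ERROR lines (including one cut off before its trailer), the user counts and the next scheduled delta sync. The line layout it assumes is taken from the quoted lines, and the sample lines are constructed with placeholder GUIDs.

```python
import re
from datetime import datetime

# Assumed ConfigMgr log layout: <message>~~ $<component><MM-dd-yyyy HH:mm:ss.fff-offset><thread=id (0x..)>
_TRAILER = re.compile(r"^(?P<msg>.*?)\s*(?:~~)?\s*\$<(?P<component>[^>]+)>"
                      r"<(?P<stamp>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})[+-]\d+><thread=(?P<thread>\d+)[^>]*>\s*$")
_USERS = re.compile(r"Total AAD Users Found: (\d+)\. Total AAD User Record Created: (\d+)")
_NEXT = re.compile(r"Next DELTA sync for cloud service \d+ will start at (.+?)\.?$")

def parse_line(line):
    """Split one line into message, component, timestamp and thread. A line cut off
    before its trailer (like the truncated ERROR line) keeps the whole text as its message."""
    m = _TRAILER.match(line.rstrip())
    if not m:
        return {"msg": line.strip(), "component": None, "stamp": None, "thread": None}
    d = m.groupdict()
    d["stamp"] = datetime.strptime(d["stamp"], "%m-%d-%Y %H:%M:%S.%f")
    return d

def summarize(lines):
    """Reduce a run of log lines to what an admin checks first: sync type, failures, counts, next run."""
    out = {"full_sync": False, "delta_sync": False, "errors": [],
           "users_found": None, "records_created": None, "next_delta": None}
    for entry in (parse_line(l) for l in lines if l.strip()):
        msg = entry["msg"]
        if msg.startswith("AAD full sync initialized"):
            out["full_sync"] = True
        elif msg.startswith("AAD delta sync initialized"):
            out["delta_sync"] = True
        elif msg.startswith("ERROR:"):
            out["errors"].append(msg)
        elif (u := _USERS.search(msg)):
            out["users_found"], out["records_created"] = int(u[1]), int(u[2])
        elif (n := _NEXT.search(msg)):
            out["next_delta"] = n[1]
    return out

# Constructed sample lines in the same layout; the GUIDs are placeholders, not real tenant or app IDs.
T = "~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:10:11.412-330><thread=2552 (0x9F8)>"
FAILED_FULL = [
    "AAD full sync initialized for tenant 00000000-0000-0000-0000-000000000001, with server app 00000000-0000-0000-0000-000000000002." + T,
    "ERROR: Sync request failed. Error: Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: Service returned error. Check",
]
GOOD_DELTA = [
    "AAD delta sync initialized for tenant 00000000-0000-0000-0000-000000000001, with server app 00000000-0000-0000-0000-000000000002." + T,
    "Total AAD Users Found: 1. Total AAD User Record Created: 1" + T,
    "Next DELTA sync for cloud service 16777217 will start at 11/06/2017 16:15:11." + T,
]
```

Feed it the lines of a real SMS_AZUREAD_DISCOVERY_AGENT.log (for example `summarize(open(path).read().splitlines())`) and a non-empty `errors` list or a missing `next_delta` points straight at the failing sync.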

Author

Anoop C Nair is a Microsoft MVP. He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

1 thought on “How to Setup SCCM Azure AD User Discovery | ConfigMgr”

  1. Appreciate your helpful video and instructions, but the friendly names and the names of the services/URLs you use are not very good. I realize it doesn’t matter what you put in for those details, but the names should reflect something a little more specific about what you are setting up.
