Enable Tenant Attach in ConfigMgr | SCCM

This post is a step-by-step guide to enable tenant attach in SCCM or ConfigMgr. Using the Co-management configuration wizard, we will add Tenant Attach to our Configuration Manager instance.

Starting in Configuration Manager version 2002, you can upload your Configuration Manager devices to the cloud service and take actions from the Devices blade in the admin center.

The idea of bringing Configuration Manager and Intune into a single console called Microsoft Endpoint Manager admin center is simply awesome. Let's connect the SCCM site to Microsoft Intune.

What is SCCM Tenant Attach

If you have been working with Configuration Manager, you have probably heard about co-management. However, let us understand what ConfigMgr Tenant Attach is and whether it is the same as co-management.

Co-management is not new and has been around for quite a while now. A co-managed device is basically managed by both ConfigMgr and Intune at the same time.

Tenant Attach means the device can be managed by either ConfigMgr or Intune. We use the term “Tenant Attach” because it is simply a way to attach your ConfigMgr hierarchy to your tenant.

And when you do that you can perform several tasks such as discover cloud users and groups, synchronize Azure AD groups from a device collection and much more.

SCCM Tenant Attach Prerequisites

Before you attach the ConfigMgr instance to your tenant, review the prerequisites.

  • An account that is a Global Administrator for signing in when applying this change.
  • You need Configuration Manager current branch version 2002 and above. Microsoft Endpoint Manager tenant attach was one of the exciting features of SCCM 2002.
  • An Azure public cloud environment.
  • The user accounts triggering device actions should meet the following conditions. First, the user account should have been discovered with both Azure Active Directory user discovery and Active Directory user discovery. In other words, the user account needs to be a synced user object in Azure AD. Second, the user account needs the Initiate Configuration Manager action permission under Remote tasks in the Microsoft Endpoint Manager admin center.

Enable device upload when co-management is already enabled

If you have already enabled co-management in your setup, you’ll use the co-management properties to enable device upload. If co-management isn’t already enabled, jump to the next step, where you use the Configure co-management wizard to enable device upload instead.

Assuming that co-management is already enabled, simply edit the co-management properties to enable device upload using the steps below:

  • In the Configuration Manager admin console, go to Administration > Overview > Cloud Services > Co-management.
  • Right click CoMgmtSettingsProd and select Properties.
  • In the Configure upload tab, select Upload to Microsoft Endpoint Manager admin center. Select Apply. The default setting for device upload is All my devices managed by Microsoft Endpoint Configuration Manager. If required, you can limit upload to a single device collection.
  • Click Enable Endpoint analytics for devices uploaded to Microsoft Endpoint Manager if you want to get insights to optimize the end-user experience in Endpoint Analytics.
  • Sign in with your Global Administrator account when prompted. Select Yes to Create AAD Application notification. Click OK to exit the co-management properties once you’re done making changes.

Configure Co-Management

To configure co-management for the first time in the Configuration Manager setup:

  • Launch the Configuration Manager console.
  • Go to Administration > Overview > Cloud Services > Co-management.
  • Right click Co-management and click Configure co-management.
Configure co-management wizard to enable device upload

ConfigMgr Tenant Onboarding

On the Tenant onboarding page, select AzurePublicCloud for your environment. Azure Government Cloud and Azure China 21Vianet aren’t supported. Therefore don’t select them.

Next, click Sign In. Use your Global Administrator account to sign in.

Ensure the Upload to Microsoft Endpoint Manager admin center option is selected on the Tenant onboarding page.

Make sure the option Enable automatic client enrollment for co-management isn’t checked if you don’t want to enable co-management now. However if you do want to enable co-management, select the option.

Click Next.

Tenant onboarding page

Click Yes to accept the Create AAD Application notification. This action provisions a service principal and creates an Azure AD application registration to facilitate the sync.

Enable Tenant Attach in ConfigMgr

Configure Upload to Microsoft Endpoint Manager Cloud Console

On the Configure Upload page, select the devices that you want to upload to Microsoft Endpoint Manager.

  • All devices managed by Microsoft Endpoint Configuration Manager – This is a recommended option.
  • Specific Collection – If you don’t wish to choose all devices, you can click Browse and select a specific collection.

Endpoint Analytics – Enable Endpoint analytics for devices uploaded to Microsoft Endpoint Manager if you want to get insights to optimize the end-user experience in Endpoint Analytics.

Click Next.

Configure Upload to Microsoft Endpoint Manager Cloud Console

Enable Co-Management in SCCM Console

To enable co-management for devices managed by Configuration Manager, you must configure the automatic enrollment.

Next to Automatic enrollment in Intune, click the drop-down and select one of the following.

  • None
  • Pilot
  • All
Enable Co-Management

I have selected Pilot and for Intune Auto Enrollment, I have selected a Windows 10 device collection. This collection consists of only 4 devices running Windows 10. Click Next.

Configure Automatic enrollment in Intune

In this step, as an administrator you can configure specific workloads for Configuration Manager or Microsoft Intune.

Click Next.

Configure Workloads

Staging – Configure Roll Out Collections

When you configure a workload for Pilot Intune, you must select a device collection for each pilot group.

For each of the items listed below, click Browse and select a device collection.

  • Compliance Policies
  • Device Configuration
  • Endpoint Protection
  • Resource access policies
  • Office click-to-run apps

Finally click Next.

Staging - Roll out Collections

On the Summary page, click Next.

If you need to change or modify any of the co-management settings, you can edit co-management properties to enable device upload.

Enable Tenant Attach in ConfigMgr

In the Configuration Manager console, if you navigate to Cloud Services > Azure Active Directory Tenants, you should see a new application. The name begins with ConfigMgrSvc_id.
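
The onboarding step above leaves an application registration and a service principal in Azure AD, so it is worth recording what was created, which permissions it requests and when its credentials expire. The script below is an added example, not part of the original post: it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Applications module), an account that can consent to the read-only Application.Read.All scope, and a 30-day expiry warning window chosen for illustration.

```powershell
#Requires -Modules Microsoft.Graph.Applications
# Added example: read-only review of the app registration created by tenant attach.
Connect-MgGraph -Scopes 'Application.Read.All'

# Display-name prefix as shown under Azure Active Directory Tenants in the console.
$apps = Get-MgApplication -Filter "startswith(displayName,'ConfigMgrSvc_')" -All
$warnDays = 30   # assumption: flag credentials expiring within this window

$report = foreach ($app in $apps) {
    # The service principal is the tenant-local identity of the registration.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"

    # Resolve each requested permission GUID to its readable name.
    $permissions = foreach ($rra in $app.RequiredResourceAccess) {
        $resource = Get-MgServicePrincipal -Filter "appId eq '$($rra.ResourceAppId)'"
        foreach ($access in $rra.ResourceAccess) {
            $name = if ($access.Type -eq 'Role') {
                ($resource.AppRoles | Where-Object Id -eq $access.Id).Value
            } else {
                ($resource.Oauth2PermissionScopes | Where-Object Id -eq $access.Id).Value
            }
            '{0}: {1} ({2})' -f $resource.DisplayName, $name, $access.Type
        }
    }

    # Secrets and certificates both expose an EndDateTime property.
    $creds = @($app.PasswordCredentials) + @($app.KeyCredentials) | Where-Object { $_ }
    $nextExpiry = ($creds | Sort-Object EndDateTime | Select-Object -First 1).EndDateTime

    [pscustomobject]@{
        DisplayName      = $app.DisplayName
        AppId            = $app.AppId
        Created          = $app.CreatedDateTime
        ServicePrincipal = [bool]$sp
        SpEnabled        = $sp.AccountEnabled
        Permissions      = $permissions -join '; '
        CredentialCount  = @($creds).Count
        NextExpiry       = $nextExpiry
        ExpiresSoon      = $nextExpiry -and $nextExpiry -lt [datetime]::UtcNow.AddDays($warnDays)
    }
}

$report | Format-List
```

Keep the output with your change record; a later run that shows additional ConfigMgrSvc_ applications, new credentials or a wider permission list than the baseline is a change to investigate.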

ConfigMgr Tenant Attach Log Files

If you are looking for the Tenant Attach log files, here they are. The two ConfigMgr logs below are located on the service connection point. Use these log files for troubleshooting tenant attach and device actions.

  • CMGatewayNotificationWorker.log
  • CMGatewaySyncUploadWorker.log

Most of all, if you monitor the CMGatewaySyncUploadWorker.log, you can see 4 devices uploaded to Intune. The device collection that I chose has 4 devices running Windows 10.

ConfigMgr Tenant Attach Log Files

In the upcoming posts, I will show you what you can do after you have enabled tenant attach in SCCM. Until then stay tuned.

Sunday

Wonderful Article as always from you. Can you show picture of: “Initiate Configuration Manager action permission under Remote tasks in the Microsoft Endpoint Manager admin center.” requirement?
