This post is a step by step guide to enable tenant attach in ConfigMgr or SCCM. Using the Co-management configuration wizard, we will add Tenant Attach to our Configuration Manager instance.
Starting in Configuration Manager version 2002, you can upload your Configuration Manager devices to the cloud service and take actions from the Devices blade in the admin center.
The idea of Configuration Manager and Intune into a single console called Microsoft Endpoint Manager admin center is simply awesome. Lets connect SCCM site to Microsoft Intune.
Table of Contents
What is SCCM Tenant Attach ?
Probably you have heard about the Co-management if you have been working on Configuration Manager. However let us understand what is ConfigMgr Tenant Attach and is it the same as Co-management?
Co-management is not new and has been around for quite a while now. A co-managed device is basically managed by both ConfigMgr and Intune at the same time.
Tenant Attach means the device can be either managed by ConfigMgr or Intune. The reason why we use the term “Tenant Attach” is because it simply a way to attach your ConfigMgr hierarchy to your tenant.
And when you do that you can perform several tasks such as discover cloud users and groups, synchronize Azure AD groups from a device collection and much more.
SCCM Tenant Attach Prerequisites
Before you perform Tenant Attach to the ConfigMgr instance, ensure you know or read the prerequisites.
- An account that is a Global Administrator for signing in when applying this change.
- You need Configuration Manager current branch version 2002 and above. Microsoft Endpoint Manager tenant attach was one of the exciting feature of SCCM 2002.
- An Azure public cloud environment.
- The user accounts triggering device actions should meet the following conditions. First the users account should have been discovered with both Azure Active Directory user discovery and Active Directory user discovery. In other words, the user account needs to be a synced user object in Azure AD. Second, the Initiate Configuration Manager action permission under Remote tasks in the Microsoft Endpoint Manager admin center.
Enable device upload when co-management is already enabled
If you have already enabled the co-management in your setup, you’ll use the co-management properties to enable device upload. If the co-management isn’t already enabled, then jump to next step. You use the Configure co-management wizard to enable device upload instead.
Assuming that co-management is already enabled, simply edit the co-management properties to enable device upload using the steps below:
- In the Configuration Manager admin console, go to Administration > Overview > Cloud Services > Co-management.
- Right click CoMgmtSettingsProd and select Properties.
- In the Configure upload tab, select Upload to Microsoft Endpoint Manager admin center. Select Apply. The default setting for device upload is All my devices managed by Microsoft Endpoint Configuration Manager. If required, you can limit upload to a single device collection.
- Click Enable Endpoint analytics for devices uploaded to Microsoft Endpoint Manager if you want to get insights to optimize the end-user experience in Endpoint Analytics.
- Sign in with your Global Administrator account when prompted. Select Yes to Create AAD Application notification. Click OK to exit the co-management properties once you’ve done making changes.
Configure Co-Management in ConfigMgr
To configure the Co-management for the first time in the Configuration Manager setup.
- Launch the Configuration Manager console.
- Go to Administration > Overview > Cloud Services > Co-management.
- Right click Co-management and click Configure co-management.
ConfigMgr Tenant Onboarding
On the Tenant onboarding page, select AzurePublicCloud for your environment. Azure Government Cloud and Azure China 21Vianet aren’t supported. Therefore don’t select them.
Next, click Sign In. Use your Global Administrator account to sign in.
Ensure the Upload to Microsoft Endpoint Manager admin center option is selected on the Tenant onboarding page.
Make sure the option Enable automatic client enrollment for co-management isn’t checked if you don’t want to enable co-management now. However if you do want to enable co-management, select the option.
Click Next.
Click Yes to accept the Create AAD Application notification. This action provisions a service principal and creates an Azure AD application registration to facilitate the sync.
Configure Upload to Microsoft Endpoint Manager Cloud Console
On the Configure Upload page, select the devices that you want to upload to Microsoft Endpoint Manager.
- All devices managed by Microsoft Endpoint Configuration Manager – This is a recommended option.
- Specific Collection – If you don’t wish to choose all devices, you can click and Browse and select a specific collection.
Endpoint Analytics – Enable Endpoint analytics for devices uploaded to Microsoft Endpoint Manager if you want to get insights to optimize the end-user experience in Endpoint Analytics.
Click Next.
Enable Co-Management in SCCM Console
To enable co-management for devices managed by Configuration Manager, you must configure the automatic enrollment.
Next to Automatic enrollment in Intune, click the drop-down and select one of the following.
- None
- Pilot
- All
I have selected Pilot and for Intune Auto Enrollment, I have selected a Windows 10 device collection. This collection consists of only 4 devices running Windows 10. Click Next.
In this step, as an administrator you can configure specific workloads for Configuration Manager or Microsoft Intune.
Click Next.
Staging – Configure Roll Out Collections
When you configure a workaround for Pilot Intune, you must select a device collection to each of the pilot group.
For each of the items listed below, click Browse and select a device collection.
- Compliance Policies
- Device Configuration
- Endpoint Protection
- Resource access policies
- Office click-to-run apps
Finally click Next.
On the Summary page, click Next.
If you need to change or modify any of the co-management settings, you can edit co-management properties to enable device upload.
In the Configuration Manager console, if you navigate to Cloud Services > Azure Active Directory Tenants, you should see a new application. The name begins with ConfigMgrSvc_id.
ConfigMgr Tenant Attach Log Files
If you are looking for Tenant Attach log files, then here they are. The below two ConfigMgr logs are located on the service connection point. Use these log files for troubleshooting tenant attach and device actions.
- CMGatewayNotificationWorker.log
- CMGatewaySyncUploadWorker.log
Most of all, if you monitor the CMGatewaySyncUploadWorker.log, we see 4 devices uploaded to Intune. The device collection that i chose has got 4 devices running Windows 10.
In the upcoming posts, I will show you what you can do after you have enabled tenant attach in SCCM. Until then stay excited.
Hi, when I click on the Sign In button on the Co-management Configuration Wizard. I get prompted with “content within this application coming from the website listed below is being blocked in IE enhanced Security configurations.” However, I’ve added https://login.microsoftonline.com to my local security. Any thoughts
Wonderful Article as always from you. Can you show picture of:
” Initiate Configuration Manager action permission under Remote tasks in the Microsoft Endpoint Manager admin center.” requirement?