Now that tenant attach is available, let’s have a closer look.
Microsoft is bringing Configuration Manager and Intune closer together in one console, the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com/).
Starting in Configuration Manager version 2002, we can upload Configuration Manager devices to the admin center and run actions on the uploaded devices.
Go to Administration – Cloud Services – Co-management, and select Configure co-management.
Click the Sign In button.
Select or enter the account you want to use (Global Administrator).
After signing in, the Sign In button and Azure environment are grayed out. Now we can deselect the option Enable automatic client enrollment for co-management and make sure that Upload to Microsoft Endpoint Manager admin center is selected.
In this test we don’t need co-management, so there is no need to select it.
Select Yes to allow registering an application in Azure AD.
For this test I will select All my devices managed by Microsoft Endpoint Configuration Manager.
Click Next.
Click Close.
After some time we can see in CMgatewaySyncUploadWorker.log that our clients are uploaded to the cloud (Batching x records).
When the configuration has been created and we go to Azure AD, we can find two new Enterprise Applications registered.
The same two also appear under App registrations.
In the Microsoft Endpoint Configuration Manager console, we can now also see our configuration under Co-management and change it.
Under Azure Services we will see that Cloud Attach has been added.
And under our tenant, one of the application registrations is visible; I'm not sure why we can only see one when two were actually created.
Before we can use the Microsoft Endpoint Manager admin center to send commands to the Configuration Manager agent, the user triggering the command must have been discovered by both Azure Active Directory user discovery and Active Directory user discovery.
So let’s make sure we have both enabled.
Active Directory user discovery is already configured in this lab for a specific Active Directory OU.
Let’s create the Azure AD user discovery: go to Cloud Services – Azure Services and select Configure Azure Services.
Name the service and select Cloud Management.
We select AzurePublicCloud and then click Browse for the Web app.
Select Create.
Set the Application name, and Home page URL and App ID URI.
Since the App ID URI needs to be unique in our Azure AD tenant, I have added “1” to the default value, as I already use the default value for another configuration.
I will set the validity period to 2 years, and then Sign in.
Select the required account.
When sign-in is successful, press OK.
Select OK once more.
Click Browse for the Native Client app.
Select Create.
Set the Application name, and then Sign in.
Select the required account.
When sign-in is successful, press OK.
Select OK once more.
And now we are ready to press Next.
For this test we will just use the default discovery settings and click Next, but the settings can be customized as you prefer.
Press Next again.
And finally Close.
The service will then be visible under Azure Services, where you can see the current discovery schedule, change settings or force a discovery to run.
Under our Azure Active Directory tenant we can now also see the two newly created applications.
Again in Azure AD, we will also see the two applications under App registrations.
And the server application under Enterprise Applications.
In the Microsoft Endpoint Configuration Manager console we now have test users from our on-premises AD and from Azure AD.
The only users we will be able to grant access to perform client operations are synced user objects in Azure AD (via Azure AD Connect), so in this test we will use the test1 user.
In the Microsoft Endpoint Configuration Manager console this test user needs to be assigned the required security rights: the Notify Resource permission under the Collections object class.
For this test we created a security role based on Read-only Analyst and added the required permission.
And then assigned the role to our test user.
Now let’s go to the Microsoft Endpoint Manager admin center and log in with our test1 user.
Under Devices – All devices, we can now see the clients managed by Configuration Manager (Managed by ConfigMgr).
Notice that LAB-CLIENT01 is co-managed, but the commands will also be available for this type of client.
We will use the LAB-CLIENT02 which is only managed by Configuration Manager. When selecting this client we can now see the available actions:
- Sync machine policy
- Sync user policy
- App evaluation cycle
Let’s try Sync machine policy by clicking the option.
Confirm the action.
Sync machine policy will be initiated.
And the status changes to Pending.
After some time we can see in CMgatewayNotificationWorker.log that the action is received, that we are authorized to perform the action and that the request is forwarded.
Jumping to the client and PolicyAgent.log, we can see that the client is requesting machine policy.
Back in the portal we can see that the status has changed to Completed.
Please note that if we try with an account that has not been granted the right permissions, we will see in the log that the user is unauthorized to perform the action.
I am really looking forward to seeing how this option expands in the future; I hope we will see a lot more features for the tenant attach option.
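The two log checks in this walkthrough (the "Batching x records" lines in CMgatewaySyncUploadWorker.log and the authorized/unauthorized decisions in CMgatewayNotificationWorker.log) are worth automating, since a denied request in the notification worker log is exactly the kind of event an admin wants flagged for review. The Python script below is an added example, not part of the original post and not Microsoft's code: it parses the CMTrace line layout that Configuration Manager logs use, sums the uploaded record batches, and reports authorization outcomes per user. The sample log lines are constructed for this example; their message wording is made up and will not match the real product text exactly, so the message patterns (BATCH_RE, AUTH_RE, ACTION_RE) should be adapted to the lines seen in your own logs.

```python
import re
from collections import Counter

# Constructed sample in CMTrace layout. Message texts are invented for this
# example and do not reproduce the real product wording.
SAMPLE_LOG = """\
<![LOG[Batching 2 records]LOG]!><time="10:01:02.123+000" date="04-22-2020" component="CMGatewaySyncUploadWorker" context="" type="1" thread="1234" file="">
<![LOG[Batching 3 records]LOG]!><time="10:01:05.456+000" date="04-22-2020" component="CMGatewaySyncUploadWorker" context="" type="1" thread="1234" file="">
<![LOG[Received action SyncMachinePolicy for device LAB-CLIENT02 from user test1@contoso.com]LOG]!><time="10:15:00.001+000" date="04-22-2020" component="CMGatewayNotificationWorker" context="" type="1" thread="2222" file="">
<![LOG[User test1@contoso.com is authorized to perform the action]LOG]!><time="10:15:00.002+000" date="04-22-2020" component="CMGatewayNotificationWorker" context="" type="1" thread="2222" file="">
<![LOG[Forwarding request to LAB-CLIENT02]LOG]!><time="10:15:00.003+000" date="04-22-2020" component="CMGatewayNotificationWorker" context="" type="1" thread="2222" file="">
<![LOG[Received action SyncUserPolicy for device LAB-CLIENT02 from user test2@contoso.com]LOG]!><time="10:20:00.001+000" date="04-22-2020" component="CMGatewayNotificationWorker" context="" type="1" thread="2222" file="">
<![LOG[User test2@contoso.com is unauthorized to perform the action]LOG]!><time="10:20:00.002+000" date="04-22-2020" component="CMGatewayNotificationWorker" context="" type="3" thread="2222" file="">
"""

# CMTrace framing: <![LOG[message]LOG]!><time="..." date="..." component="..." ... type="N" ...>
CMTRACE_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)" date="(?P<date>[^"]*)" component="(?P<component>[^"]*)"'
    r'.*?type="(?P<type>\d)"'
)
# Message patterns matching the constructed sample above; adjust to real log text.
BATCH_RE = re.compile(r'Batching (\d+) records')
AUTH_RE = re.compile(r'User (\S+) is (authorized|unauthorized) to perform the action')
ACTION_RE = re.compile(r'Received action (\S+) for device (\S+) from user (\S+)')


def parse_cmtrace(text):
    """Return one dict per CMTrace line with msg, time, date, component and type."""
    entries = []
    for line in text.splitlines():
        m = CMTRACE_RE.search(line)
        if m:
            entries.append(m.groupdict())
    return entries


def uploaded_record_count(entries):
    """Sum the 'Batching N records' messages from the sync upload worker."""
    total = 0
    for e in entries:
        if e["component"] == "CMGatewaySyncUploadWorker":
            m = BATCH_RE.search(e["msg"])
            if m:
                total += int(m.group(1))
    return total


def authorization_report(entries):
    """Count authorized and unauthorized decisions per user and list every
    action request (date, time, user, action, device) from the notification
    worker, so denied attempts can be reviewed against who should hold the
    Notify Resource permission."""
    report = {"authorized": Counter(), "unauthorized": Counter(), "requests": []}
    for e in entries:
        if e["component"] != "CMGatewayNotificationWorker":
            continue
        m = ACTION_RE.search(e["msg"])
        if m:
            action, device, user = m.groups()
            report["requests"].append((e["date"], e["time"], user, action, device))
            continue
        m = AUTH_RE.search(e["msg"])
        if m:
            user, outcome = m.groups()
            report[outcome][user] += 1
    return report


if __name__ == "__main__":
    entries = parse_cmtrace(SAMPLE_LOG)
    print("records uploaded:", uploaded_record_count(entries))
    rep = authorization_report(entries)
    for req in rep["requests"]:
        print("request:", req)
    for user, n in rep["unauthorized"].items():
        print(f"REVIEW: {user} was denied {n} time(s)")
```

Pointing parse_cmtrace at the contents of the real log files instead of SAMPLE_LOG gives a quick way to confirm that only the users you deliberately granted the role built on Read-only Analyst are being authorized, and to spot anyone else who has been trying the actions from the admin center.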