Monday, April 20, 2020

Microsoft Endpoint Manager tenant attach

Now that we have tenant attach available let’s have a closer look.

Microsoft is now bringing Configuration Manager and Intune closer together in one console, the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com/).

Starting in Configuration Manager version 2002, we can upload Configuration Manager devices to the admin center and start actions on the uploaded devices.

Go to Administration – Cloud Services – Co-management, and select Configure co-management.

Click the Sign In button.

Select or enter the account you want to use (a Global Administrator; these rights are needed because the wizard creates app registrations in Azure AD in the next steps).

After sign-in, the Sign in button and the Azure environment selection are grayed out. Now deselect Enable automatic client enrollment for co-management and make sure that Upload to Microsoft Endpoint Manager admin center is selected.

In this test we don't need co-management, so there is no need to select it.

Select Yes to allow registering an application in Azure AD.

For this test I will select All my devices managed by Microsoft Endpoint Configuration Manager.

Click Next.

Click Close.

After some time we can see in CMGatewaySyncUploadWorker.log on the site server that our clients are uploaded to the cloud (Batching x records).

When the configuration has been created and we go to Azure AD, we can find two new Enterprise Applications registered.

And also the same under App registrations.

In the Microsoft Endpoint Configuration Manager console, we can now also see our configuration under Co-management and change it.

Under Azure Services we will see that Cloud Attach has been added.

And under our tenant only one of the application registrations is visible; I am not sure why we can see only one when two are actually created.

Before we can use the Microsoft Endpoint Manager admin center to send commands to the Configuration Manager client, the user triggering the action must have been discovered by both Azure Active Directory user discovery and Active Directory user discovery.

So let's make sure we have both enabled.

Active Directory user discovery is already configured in this lab for a specific Active Directory OU.
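As an added check (this is not part of the original post), here is a PowerShell snippet that queries the site's SMS provider for a user record and reports which of the two discovery methods have seen it, so you can confirm the prerequisite above before testing from the admin center. It assumes the standard root\SMS\site_&lt;SiteCode&gt; WMI namespace and that the two discovery methods register themselves in the user record's AgentName list under the names SMS_AD_USER_DISCOVERY_AGENT and SMS_AZUREAD_USER_DISCOVERY_AGENT (assumed names; compare them against a user you know was discovered by both methods in your own site). The sample input at the bottom is constructed.

```powershell
# Added example (not from the original post): check that a user has been
# discovered by BOTH Active Directory user discovery and Azure AD user
# discovery, which tenant attach requires before it will authorize actions.
# Assumption: the discovery agents record themselves in SMS_R_User.AgentName
# under the two names below (verify in your own site).

$AdUserDiscoveryAgent  = 'SMS_AD_USER_DISCOVERY_AGENT'        # assumed agent name
$AadUserDiscoveryAgent = 'SMS_AZUREAD_USER_DISCOVERY_AGENT'   # assumed agent name

function Test-CMUserDiscoveryAgents {
    # Pure evaluation: given the AgentName values of one user record,
    # report which discovery methods have seen the user.
    param(
        [Parameter(Mandatory)][string]   $UserName,
        [Parameter(Mandatory)][string[]] $AgentName    # SMS_R_User.AgentName values
    )
    $fromAd  = $AgentName -contains $AdUserDiscoveryAgent
    $fromAad = $AgentName -contains $AadUserDiscoveryAgent
    [pscustomobject]@{
        UserName       = $UserName
        FromAD         = $fromAd
        FromAzureAD    = $fromAad
        TenantAttachOK = ($fromAd -and $fromAad)
    }
}

function Get-CMUserDiscoveryStatus {
    # Queries the SMS provider (WMI) for one user record and evaluates it.
    param(
        [Parameter(Mandatory)][string] $SiteServer,   # server hosting the SMS provider
        [Parameter(Mandatory)][string] $SiteCode,     # e.g. 'LAB'
        [Parameter(Mandatory)][string] $UserName      # sAMAccountName, e.g. 'test1'
    )
    $ns = "root\SMS\site_$SiteCode"
    # Escape single quotes so the WQL filter cannot be broken by the input.
    $safeName = $UserName.Replace("'", "''")
    $user = Get-CimInstance -ComputerName $SiteServer -Namespace $ns `
                -ClassName SMS_R_User -Filter "UserName = '$safeName'"
    if (-not $user) {
        throw "User '$UserName' has not been discovered by any discovery method."
    }
    Test-CMUserDiscoveryAgents -UserName $user.UniqueUserName -AgentName @($user.AgentName)
}

# Constructed sample input for an offline run (not real site data):
# a user record that only AD user discovery has produced so far.
$sampleAgents = @('SMS_AD_USER_DISCOVERY_AGENT')
Test-CMUserDiscoveryAgents -UserName 'LAB\test1' -AgentName $sampleAgents

# Against a real site:
# Get-CMUserDiscoveryStatus -SiteServer 'LAB-CM01' -SiteCode 'LAB' -UserName 'test1'
```

If TenantAttachOK is false for the account you plan to use in the admin center, either run the missing discovery method or wait for its schedule; until both have seen the user, the gateway will report the user as unauthorized regardless of the security role assigned later.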

Let's create the Azure AD user discovery: go to Cloud Services – Azure Services and select Configure Azure Services.

Name the service and select Cloud Management.

We select AzurePublicCloud and then click Browse for the Web app.

Select Create.

Set the Application name, Home page URL and App ID URI.

Since the App ID URI needs to be unique in our Azure AD tenant, I have added "1" to the default value; I already use the default value for another configuration.

I will set the validity period to 2 years, and then Sign in. Note the expiry date: when the secret key expires, the service stops working until the key is renewed from the console (Azure Active Directory Tenants – Renew Secret Key).

Select the required account.

When sign-in is successful, press OK.

Select OK once more.

Click Browse for the Native Client app.

Select Create.

Set the Application name, and then Sign in.

Select the required account.

When sign-in is successful, press OK.

Select OK once more.

And now we are ready to press Next.

For this test we will just use the default discovery settings and click Next, but the settings can be customized as you prefer.

Press Next again.

And finally Close.

The service will then be visible under Azure Services, and you can see the current discovery schedule, change settings or force a discovery to run.

Under our Azure Active Directory tenant we can now also see the two newly created applications.

In Azure AD we will also see the two applications under App registrations.

And the server application under Enterprise Applications.

In the Microsoft Endpoint Configuration Manager console we now have test users from our on-premises AD and from Azure AD.

The only users we will be able to grant access to perform client operations are user objects synced to Azure AD (Azure AD Connect), so in this test we will use the test1 user.

In the Microsoft Endpoint Configuration Manager console this test user needs to be assigned the required security rights: the Notify Resource permission under the Collections object class.

For this test we created a security role based on Read-only Analyst and added the required permission.

And then assigned the role to our test user.

Now let's go to the Microsoft Endpoint Manager admin center and log in with our test1 user.

Under Devices – All devices, we can now see the clients managed by Configuration Manager (Managed by ConfigMgr).

Notice that LAB-CLIENT01 is co-managed, but the commands are also available for this type of client.

We will use LAB-CLIENT02, which is only managed by Configuration Manager. When selecting this client we can now see the available actions:

  • Sync machine policy
  • Sync user policy
  • App evaluation cycle

Let's try Sync machine policy by clicking the option.

Confirm the action.

Sync machine policy will be initiated.

And the status changes to pending.

After some time we can see in CMGatewayNotificationWorker.log on the site server that the action is received, that we are authorized to perform the action and that the request is forwarded.

Jumping to the client and PolicyAgent.log, we can see that the client is requesting machine policy.

Back in the portal we can see that the status has changed to Completed.

Please note that if we try with an account that has not been granted the right permissions, we will see in the log that the user is unauthorized to perform the action.
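Both log checks in this walkthrough (the "Batching x records" entries in CMGatewaySyncUploadWorker.log during the upload, and the authorized/unauthorized entries in CMGatewayNotificationWorker.log when an action is triggered) read the same CMTrace-style line format, so here is one added example that parses it. This is my own helper, not code from the post or from Microsoft: it assumes the logs live in the Logs folder of the Configuration Manager installation on the site server, and the sample lines below are constructed for the demo. Their message texts are not the exact strings the real components write; only the "Batching N records" wording and the authorized/unauthorized wording are taken from the post.

```powershell
# Added example (not from the original post): parse CMTrace-format log lines
# from the tenant-attach gateway workers and summarise the interesting events.
# Assumed log location: <ConfigMgr install dir>\Logs on the site server.

function ConvertFrom-CMTraceLog {
    # Converts raw CMTrace lines into objects. Type: 1 = info, 2 = warning, 3 = error.
    param([Parameter(Mandatory, ValueFromPipeline)][string] $Line)
    begin {
        $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)" date="(?<date>[^"]*)" ' +
                   'component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)" ' +
                   'thread="(?<thread>\d+)" file="[^"]*">'
    }
    process {
        if ($Line -match $pattern) {
            [pscustomobject]@{
                Date      = $Matches['date']
                Time      = $Matches['time']
                Component = $Matches['comp']
                Type      = [int]$Matches['type']
                Thread    = [int]$Matches['thread']
                Message   = $Matches['msg']
            }
        }
    }
}

function Get-CMGatewayBatchTotal {
    # Sums the record counts of all "Batching N records" messages
    # (CMGatewaySyncUploadWorker.log) to see how many devices were uploaded.
    param([Parameter(Mandatory)][object[]] $Entry)
    $total = 0
    foreach ($e in $Entry) {
        if ($e.Message -match 'Batching (?<n>\d+) records') { $total += [int]$Matches['n'] }
    }
    $total
}

function Get-CMGatewayAuthorizationEvents {
    # Flags authorized and unauthorized action requests
    # (CMGatewayNotificationWorker.log). "unauthorized" is tested first because
    # a plain /authorized/ match would also hit "unauthorized" and "not authorized".
    param([Parameter(Mandatory)][object[]] $Entry)
    foreach ($e in $Entry) {
        $outcome = $null
        if     ($e.Message -match '\bunauthorized\b|\bnot authorized\b') { $outcome = 'Unauthorized' }
        elseif ($e.Message -match '\bauthorized\b')                      { $outcome = 'Authorized' }
        if ($outcome) {
            [pscustomobject]@{
                When    = "$($e.Date) $($e.Time)"
                Outcome = $outcome
                Message = $e.Message
            }
        }
    }
}

# Constructed sample lines (offline demo, not captured from a real site):
$sampleUploadLog = @(
    '<![LOG[Batching 2 records]LOG]!><time="09:15:01.123+000" date="04-20-2020" component="CMGatewaySyncUploadWorker" context="" type="1" thread="4211" file="">',
    '<![LOG[Batching 1 records]LOG]!><time="09:15:02.456+000" date="04-20-2020" component="CMGatewaySyncUploadWorker" context="" type="1" thread="4211" file="">'
)
$sampleNotificationLog = @(
    '<![LOG[Received action request: machine policy sync for LAB-CLIENT02 (constructed)]LOG]!><time="10:02:10.001+000" date="04-20-2020" component="CMGatewayNotificationWorker" context="" type="1" thread="5120" file="">',
    '<![LOG[User LAB\test1 is authorized to perform the action, forwarding request (constructed)]LOG]!><time="10:02:10.002+000" date="04-20-2020" component="CMGatewayNotificationWorker" context="" type="1" thread="5120" file="">',
    '<![LOG[User LAB\test2 is unauthorized to perform the action (constructed)]LOG]!><time="10:05:33.900+000" date="04-20-2020" component="CMGatewayNotificationWorker" context="" type="2" thread="5120" file="">'
)

$uploadEntries = $sampleUploadLog       | ConvertFrom-CMTraceLog
$notifyEntries = $sampleNotificationLog | ConvertFrom-CMTraceLog

Get-CMGatewayBatchTotal -Entry $uploadEntries
Get-CMGatewayAuthorizationEvents -Entry $notifyEntries | Format-Table -AutoSize

# Against the real files on the site server (assumed path):
# $logDir = 'C:\Program Files\Microsoft Configuration Manager\Logs'
# Get-Content "$logDir\CMGatewayNotificationWorker.log" | ConvertFrom-CMTraceLog |
#     Get-CMGatewayAuthorizationEvents
```

Filtering on the Unauthorized outcome is a quick way to spot admin-center users who were given the role in Configuration Manager but were never discovered by both discovery methods, or who simply lack the Notify Resource permission.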

I am really looking forward to seeing how this option expands in the future; I hope we will see a lot more features for tenant attach.
