In the recently released update 1705 for the Technical Preview Branch of System Center Configuration Manager, you can now set up Azure Active Directory User Discovery. This post will show how you can test it in your lab once you have updated to 1705 Technical Preview. More about this feature can be read here – https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1705#new-capabilities-for-azure-ad-and-cloud-management
In the Console, expand Cloud Services, then right click on Azure Services and click Configure Azure Services
Enter a Name (I chose “Azure AD Connector”) and make sure Cloud Management is selected.
Click Browse to create the Server app and Client app
Click on Create
Enter an Application Name, Homepage URL and Identifier URL (you can make these up). Click Sign in to sign in with your Azure admin account, then click OK.
Select the app you created and click OK.
Click on Browse to create the client app.
Click Create.
Enter an Application Name and a Reply URL (again, you can make this up), then sign in to Azure AD with your admin account.
Select the client app and click OK.
Make sure Enable Azure Active Directory User Discovery is selected. Click Settings to enable Delta user discovery and adjust the schedule to whatever suits you.
Once the wizard is done, open SMS_AZUREAD_DISCOVERY_AGENT.log from the Logs location on your site server. You will see a whole bunch of Forbidden errors logged when the agent tries to access https://graph.windows.net.
Go into portal.azure.com, then Azure Active Directory, then App Registrations, then select the Server app you created before.
Click on Required Permissions, then Grant Permissions, then Yes.
After a short wait, SMS_AZUREAD_DISCOVERY_AGENT.log will show the Azure Active Directory users starting to sync.
You can now view your Azure AD users in the SCCM console.
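To check the two log states described above (Forbidden errors before permissions are granted to the Server app, user sync afterwards) without scrolling through the log by hand, here is an added PowerShell example. It is not part of the original post or of Configuration Manager itself. It parses the CMTrace log format that SCCM uses; the sample lines are constructed for this example (the message texts are illustrative, not copied from a real log), and the log path in the comment is an assumed default install location.

```powershell
# Added example (not from the original post): parse SMS_AZUREAD_DISCOVERY_AGENT.log
# and report Forbidden errors against https://graph.windows.net and the start of user sync.

function ConvertFrom-CMTraceLog {
    # Parse CMTrace-format lines into objects. type 1 = info, 2 = warning, 3 = error.
    param([Parameter(Mandatory)][string[]]$Line)
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)" date="(?<date>[^"]*)" component="(?<component>[^"]*)" context="[^"]*" type="(?<type>\d)"'
    $severityMap = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    foreach ($l in $Line) {
        if ($l -match $pattern) {
            $sev = $severityMap[$Matches.type]
            if (-not $sev) { $sev = 'Unknown' }
            [pscustomobject]@{
                Date      = $Matches.date
                Time      = $Matches.time
                Component = $Matches.component
                Severity  = $sev
                Message   = $Matches.msg
            }
        }
    }
}

function Get-AzureADDiscoveryStatus {
    # Summarise the log: 403 Forbidden means the connector authenticated but the
    # Server app has not yet been granted (admin-consented) its required permissions.
    param([Parameter(Mandatory)][object[]]$Entry)
    $forbidden = @($Entry | Where-Object {
        $_.Severity -eq 'Error' -and $_.Message -match 'Forbidden' -and $_.Message -match 'graph\.windows\.net'
    })
    $syncStart = $Entry | Where-Object { $_.Severity -eq 'Info' -and $_.Message -match 'sync' } | Select-Object -First 1

    $lastForbidden = $null
    if ($forbidden.Count -gt 0) { $lastForbidden = "$($forbidden[-1].Date) $($forbidden[-1].Time)" }
    $syncStartedAt = $null
    if ($syncStart) { $syncStartedAt = "$($syncStart.Date) $($syncStart.Time)" }

    if ($syncStart) { $verdict = 'Users are syncing' }
    elseif ($forbidden.Count -gt 0) { $verdict = 'Forbidden: grant permissions on the Server app (App Registrations > Required Permissions > Grant Permissions)' }
    else { $verdict = 'No Azure AD discovery activity found yet' }

    [pscustomobject]@{
        ForbiddenCount = $forbidden.Count
        LastForbidden  = $lastForbidden
        SyncStarted    = [bool]$syncStart
        SyncStartedAt  = $syncStartedAt
        Verdict        = $verdict
    }
}

# Constructed sample lines for this example (message texts are illustrative).
$sampleLog = @(
    '<![LOG[Requesting user list from https://graph.windows.net/contoso.onmicrosoft.com/users]LOG]!><time="10:15:32.100+000" date="05-20-2017" component="SMS_AZUREAD_DISCOVERY_AGENT" context="" type="1" thread="4120" file="azureaddiscovery.cpp:210">'
    '<![LOG[Request to https://graph.windows.net failed with HTTP 403 Forbidden]LOG]!><time="10:15:32.450+000" date="05-20-2017" component="SMS_AZUREAD_DISCOVERY_AGENT" context="" type="3" thread="4120" file="azureaddiscovery.cpp:245">'
    '<![LOG[Request to https://graph.windows.net failed with HTTP 403 Forbidden]LOG]!><time="10:20:32.470+000" date="05-20-2017" component="SMS_AZUREAD_DISCOVERY_AGENT" context="" type="3" thread="4120" file="azureaddiscovery.cpp:245">'
    '<![LOG[Starting full sync of Azure Active Directory users]LOG]!><time="10:31:05.010+000" date="05-20-2017" component="SMS_AZUREAD_DISCOVERY_AGENT" context="" type="1" thread="4120" file="azureaddiscovery.cpp:300">'
)

$entries = ConvertFrom-CMTraceLog -Line $sampleLog
Get-AzureADDiscoveryStatus -Entry $entries | Format-List
# Against the real log on the site server (assumed default path, adjust for your install):
# $real = Get-Content -Path "$env:ProgramFiles\Microsoft Configuration Manager\Logs\SMS_AZUREAD_DISCOVERY_AGENT.log"
# Get-AzureADDiscoveryStatus -Entry (ConvertFrom-CMTraceLog -Line $real) | Format-List
```

On the sample data this reports two Forbidden errors followed by a sync start, i.e. the before-and-after state the post walks through. Note that Grant Permissions in the Azure portal is an admin-consent action for the whole tenant, which is why it needs your Azure admin account and why the connector gets 403s until someone with that role has done it.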