One of the nice new features in the SCCM Technical Preview 1805 is the ability for an Azure AD joined device to communicate through the Cloud Management Gateway when the management point is configured for HTTP and not HTTPS. In the SCCM 1802 production release, the management point needs to be in HTTPS for this to work.
To view more about this feature see https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1805#improved-secure-client-communications
The post below will show how to configure an Azure AD joined Windows 10 1803 device to communicate with the CMG whilst the management point is in HTTP mode. This post assumes that you have already created the Azure services and Cloud Management Gateway, and that the MP is in HTTP mode.
The first step is to check the box Use Configuration Manager-generated certificates for HTTP site systems on the site properties.
Once it has been checked, if you open up computer certificates in MMC, you will see there is a new SMS Role SSL Certificate in the personal store.
Once the certificate has been generated, you need to update your cloud services wizard, select the tenant from Azure Active Directory Tenants and select Update Application Settings and proceed with the prompts.
The next step is to select the new certificate on the HTTPS bindings in IIS.
Select the SMS Role SSL Certificate and click OK.
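To confirm the binding step on the management point server, the following PowerShell snippet (an added example, not from the original post or from Microsoft) looks up the Configuration Manager-generated certificate in the local machine personal store and compares its thumbprint with the certificate bound to HTTPS in IIS. It assumes the site is "Default Web Site" and that the generated certificate can be recognised by the text "SMS Role SSL" in its friendly name or subject; adjust both if your server differs.

```powershell
# Added example (not part of the original post). Run in an elevated PowerShell
# session on the management point / IIS server after the site setting
# "Use Configuration Manager-generated certificates for HTTP site systems" is enabled.
Import-Module WebAdministration

# Assumption: the generated certificate carries "SMS Role SSL" in its friendly name or subject.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -like '*SMS Role SSL*' -or $_.Subject -like '*SMS Role SSL*' } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    Write-Warning 'No SMS Role SSL Certificate found in LocalMachine\My. Check the site property and wait for the certificate to be generated.'
    return
}
Write-Output "Certificate: $($cert.Subject)  Thumbprint: $($cert.Thumbprint)  Expires: $($cert.NotAfter)"

# Assumption: the site system roles live on "Default Web Site".
$bindings = Get-WebBinding -Name 'Default Web Site' -Protocol https
if (-not $bindings) {
    Write-Warning 'No HTTPS binding exists on Default Web Site.'
    return
}

foreach ($b in $bindings) {
    $bound = $b.certificateHash
    if (-not $bound) {
        # This is the state that produces the connection analyzer error described later in the post.
        Write-Warning "Binding $($b.bindingInformation) has no certificate selected."
    }
    elseif ($bound -eq $cert.Thumbprint) {
        Write-Output "Binding $($b.bindingInformation) uses the SMS Role SSL Certificate."
    }
    else {
        Write-Warning "Binding $($b.bindingInformation) uses a different certificate ($bound); select the SMS Role SSL Certificate in IIS."
    }
}
```

Run it before the connection analyzer: an HTTPS binding with no certificate, or with a certificate other than the generated one, is the first thing to rule out when Azure AD authentication through the CMG fails.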
One of the new cool features in the Technical Preview 1805 is the Connection analyzer. You can use it to check for any issues in your Cloud Management Gateway.
Now previously my HTTPS bindings had no certificate selected. So when I tested the Azure AD Authentication with the CMG, I got the below error.
Once I selected the certificate in the IIS bindings the tests worked fine.
On a test Windows 10 1803 client which is joined to Azure Active Directory, I copied the SCCM client setup files and used the co-management command generated by the wizard (I did not enable co-management, I cancelled out of it after I got the setup switches) to install the client. I have added the /source switch to specify the source, and removed the /mp switch.
The client has been installed on my Azure AD joined machine with my management point in HTTP and is communicating with the Cloud Management Gateway.
The device now shows up in the console and shows the current logged on user, which is my Azure AD user.
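To verify the same result from the client side, this PowerShell snippet (an added example, not from the original post) checks that the device is Azure AD joined using dsregcmd and reads the Configuration Manager client's current management point from the SMS_Authority WMI class. It assumes that a management point reached through the gateway shows up with the CMG's CCM_Proxy_MutualAuth path in its URL; if your environment reports the gateway differently, adjust the pattern.

```powershell
# Added example (not part of the original post). Run on the Azure AD joined
# Windows 10 client after ccmsetup has finished.

# 1. Azure AD join state, taken from dsregcmd output.
$dsreg = dsregcmd /status
$aadJoined = ($dsreg | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES' -Quiet)
if ($aadJoined) {
    Write-Output 'Device is Azure AD joined.'
} else {
    Write-Warning 'Device is not Azure AD joined; CMG authentication with an Azure AD user will not work.'
}

# 2. Configuration Manager client site and management point.
$authority = Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Authority' -ErrorAction SilentlyContinue
if (-not $authority) {
    Write-Warning 'SMS_Authority not found; the Configuration Manager client is not installed or not yet registered.'
    return
}
$mp = $authority.CurrentManagementPoint
Write-Output "Assigned site: $($authority.Name)  Current management point: $mp"

# Assumption: the gateway-published management point contains the CCM_Proxy_MutualAuth path.
if ($mp -like '*CCM_Proxy_MutualAuth*') {
    Write-Output 'Client is communicating through the Cloud Management Gateway.'
} else {
    Write-Warning 'Client is using an on-premises management point rather than the CMG.'
}
```

If the client shows a site code but no management point, give it a few minutes after installation and check again; location requests to the gateway complete only after the client has registered with the site.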