When using the Cloud Management Gateway in SCCM Current Branch 1806, with Hybrid Azure AD clients for authentication, you may see the following errors in ccmmessaging.log on the client:
[CCMHTTP] ERROR: URL=https://<cmgname>/CCM_Proxy_MutualAuth/<guid>/ccm_system_windowsauth/request, Port=0, Options=1216, Code=0, Text=CCM_E_NO_TOKEN_AUTH
Failed to get CCM access token and client doesn’t have PKI issued cert to use SSL. Error 0x80004005
Post to https://<cmgname>/CCM_Proxy_MutualAuth/<guid>/ccm_system_windowsauth/request failed with 0x87d00231.
If you then check the logs on the management point, specifically CCM_STS.log, you will see:
AAD user with ID <ID> and SID is not completely discovered
Return code: 403, Description: Un-authorized request, AAD user is not discovered
At the time of writing this post, if you are using hybrid Azure AD for authentication, you need enable both Azure AD User Discovery, and the on-premises User Discovery. You can see in the CCM_STS.log above that it says the Azure AD user is not discovered which causes the 403 error.
Once both user discovery methods have been enabled, the client can authenticate over the CMG.