SCCM 1706 was recently released and one of the new features is Azure AD Discovery. This was in Technical Preview 1705. This guide will show how to set up Azure AD Discovery and install the SCCM client on a workgroup machine on the Internet without certificates using the Cloud Management Gateway.
For more information about SCCM 1706 see What’s new in version 1706 of System Center Configuration Manager
In my lab, I already have the Cloud Management Gateway set up. To set up the CMG you can see the documentation here https://docs.microsoft.com/en-us/sccm/core/clients/manage/setup-cloud-management-gateway
Once you have installed the 1706 update, expand Cloud Services, then right click on Azure Services and click Configure Azure Services
Select Cloud Management and click Next
Next create the Server and Client Apps. Click Browse on the Web App then click Create.
Enter in an Application Name, HomePage URL and App ID URL. Then Sign in to Azure AD with an admin account and it will create the app for you in Azure.
Select the app and click Ok.
Do the same as above but for the Client App and give it an Application Name and a Reply URL, then sign in to Azure with an Azure admin account. The app will then be created in Azure.
Enable Azure Active Directory User Discovery.
You need to grant permissions on both the client app and server app in Azure, otherwise you will see in SMS_AZUREAD_DISCOVERY_AGENT.log there will be access denied errors.
Login to https://portal.azure.com and go to Azure Active Directory, then App Registrations. Select the app and go to Required Permissions and click Grant Permissions. I did this for both the client app and server app.
Now looking back in SMS_AZUREAD_DISCOVERY_AGENT.log mine is now successful and has discovered by Azure AD users.
You can view the Azure AD users in the SCCM console in \Assets and Compliance\Overview\Users\All Users
An example below you can see that it is discovered by SMS_AZUREAD_USER_DISCOVERY_AGENT
In the SCCM console, in \Administration\Overview\Cloud Services\Azure Services, you can also run a full discovery by clicking Run Full Discovery Now, and view information about Azure AD Discovery like the Full Sync Schedule, Delta Sync Interval, and the Last Full Sync/Delta Sync time.
On a Windows 10 Azure AD joined machine, you can install the SCCM manually client without using any certificates. This is useful on Workgroup machines.
You can use the installation command
ccmsetup.exe /NoCrlCheck /Source:C:\CLIENT CCMHOSTNAME=SCCMPROXYCONTOSO.CLOUDAPP.NET/CCM_Proxy_ServerAuth/72457598037527932 SMSSiteCode=HEC AADTENANTID=780433B5-E05E-4B7D-BFD1-E8013911E543 AADTENANTNAME=contoso AADCLIENTAPPID= AADRESOURCEURI=https://contososerver
For a reference of how to obtain the information above, see https://docs.microsoft.com/en-us/sccm/core/clients/deploy/deploy-clients-cmg-azure#step-4-install-and-register-the-configuration-manager-client-using-azure-active-directory-identity