Tag Archives: Azure AD

SCCM 1706 – Azure AD Discovery

SCCM 1706 was recently released and one of the new features is Azure AD Discovery. This was in Technical Preview 1705. This guide will show how to set up Azure AD  Discovery and install the SCCM client on a workgroup machine on the Internet without certificates using the Cloud Management Gateway.

For more information about SCCM 1706 see What’s new in version 1706 of System Center Configuration Manager

In my lab, I already have the Cloud Management Gateway set up. To set up the CMG you can see the documentation here https://docs.microsoft.com/en-us/sccm/core/clients/manage/setup-cloud-management-gateway

Once you have installed the 1706 update, expand Cloud Services, then right click on Azure Services and click Configure Azure Services


Select Cloud Management and click Next


Next create the Server and Client Apps. Click Browse on the Web App then click Create.


Enter in an Application Name, HomePage URL and App ID URL. Then Sign in to Azure AD with an admin account and it will create the app for you in Azure.


Select the app and click Ok.


Do the same as above but for the Client App and give it an Application Name and a Reply URL, then sign in to Azure with an Azure admin account. The app will then be created in Azure.


Enable Azure Active Directory User Discovery.


You need to grant permissions on both the client app and server app in Azure, otherwise you will see in SMS_AZUREAD_DISCOVERY_AGENT.log there will be access denied errors.


Login to https://portal.azure.com and go to Azure Active Directory, then App Registrations. Select the app and go to Required Permissions and click Grant Permissions. I did this for both the client app and server app.


Now looking back in SMS_AZUREAD_DISCOVERY_AGENT.log mine is now successful and has discovered by Azure AD users.


You can view the Azure AD users in the SCCM console in \Assets and Compliance\Overview\Users\All Users

An example below you can see that it is discovered by SMS_AZUREAD_USER_DISCOVERY_AGENT


In the SCCM console, in \Administration\Overview\Cloud Services\Azure Services, you can also run a full discovery by clicking Run Full Discovery Now, and view information about Azure AD Discovery like the Full Sync Schedule, Delta Sync Interval, and the Last Full Sync/Delta Sync time.


On a Windows 10 Azure AD joined machine, you can install the SCCM manually client without using any certificates. This is useful on Workgroup machines.

You can use the installation command

ccmsetup.exe /NoCrlCheck /Source:C:\CLIENT CCMHOSTNAME=SCCMPROXYCONTOSO.CLOUDAPP.NET/CCM_Proxy_ServerAuth/72457598037527932 SMSSiteCode=HEC AADTENANTID=780433B5-E05E-4B7D-BFD1-E8013911E543 AADTENANTNAME=contoso AADCLIENTAPPID= AADRESOURCEURI=https://contososerver

For a reference of how to obtain the information above, see https://docs.microsoft.com/en-us/sccm/core/clients/deploy/deploy-clients-cmg-azure#step-4-install-and-register-the-configuration-manager-client-using-azure-active-directory-identity



SCCM 1705 TP – Azure AD User Discovery

In the recently released update 1705 for the Technical Preview Branch of System Center Configuration Manager, you can now set up Azure Active Directory User Discovery. This post will show how you can test it in your lab once you have updated to 1705 Technical Preview. More about this feature can be read here – https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1705#new-capabilities-for-azure-ad-and-cloud-management

In the Console, expand Cloud Services, then right click on Azure Services and click Configure Azure Services


Enter in the Name, I have chosen “Azure AD Connector” and make sure Cloud Management is selected.


Click Browse to create the Server app and Client app


Click on Create


Enter in a Application Name, Homepage URL and Identifier URL (you can make these up). Click on Sign in to sign in with your Azure admin account then click OK.


Select the app you created and click OK.


Click on Browse to create the client app.


Click Create.


Enter in an Application Name and enter in a Reply URL (again, you can make this up). Then sign in to Azure AD with your admin account.


Select the client app and click OK.


Make sure Enable Azure Active Directory User Discovery is selected. Click Settings to enable Delta user discovery and adjust the scheduling to however you like it.


Once the Wizard is done, open up SMS_AZUREAD_DISCOVERY_AGENT.log from the Logs location on your site server, and you will see a whole bunch of Forbidden errors when trying to access https://graph.windows.net


Go into portal.azure.com, then Azure Active Directory, then App Registrations, then select the Server app you created before.


Click on Required Permissions, then Grant Permissions, then Yes.


If you wait a little while, you will see SMS_AZUREAD_DISCOVERY_AGENT.log will start to sync the Azure Active Directory Users.


You can now view your Azure AD users in the SCCM console.




Azure AD public preview in new Azure portal is available

Finally – The public preview for Azure AD is now available in the new Azure portal (Azure Resource Manager) portal.azure.com

Azure AD has always only been available in the Azure classic portal (manage.windowsazure.com)

You can read up more on it here https://blogs.technet.microsoft.com/enterprisemobility/2016/09/12/the-azuread-admin-experience-in-the-new-azure-portal-is-now-in-public-preview/

You can pin the Azure AD in the portal.azure.com like this


You can then view the public preview of Azure AD