What is ConfigMgr SCCM Tenant Attach Architecture

Let’s see what ConfigMgr SCCM Tenant Attach architecture is. The single pane of glass is back for Configuration Manager and Intune customers. With SCCM 2002 or a later version, you can sync ConfigMgr devices to Intune. Let’s learn how to build the sync between SCCM and the Intune portal. This is also referred to as Tenant attach.

Related post by Vimal Das How to Build Tenant attach for Microsoft Endpoint Manager | SCCM | ConfigMgr | Intune

What is Tenant Attach?

Tenant Attach is the feature that connects the SCCM site to Microsoft Intune for instant cloud console (Microsoft Endpoint Manager admin center) and troubleshooting power. Tenant attach is an on-demand connected architecture.

The tenant attach architecture makes an on-demand connection when you click on an item in the Microsoft Endpoint Manager portal. This information will also give help desk teams a better experience (as per Rob York and Jason Githens’s Ignite presentation).

SCCM Cloud Attach Architecture Diagram – diagram credits to Rob York and Jason Githens’s Ignite presentation

Tenant Attach is NOT

  • No, tenant attach (the Device Sync option) doesn’t replicate the entire Configuration Manager (a.k.a. SCCM) DB to Intune!
  • Nay, it’s not co-management.
  • Nay, it’s not SCCM collection sync to Azure AD groups.
  • Nay, it’s not just device sync (rather, you can manage SCCM clients from the Intune portal).

Why Enable Sync Between SCCM Intune Portal

As per Microsoft’s Ignite presentation, the following are the business justifications to enable sync between SCCM and Intune.

Prerequisites of SCCM Device Sync to Intune

The latest details about the prerequisites are given in Microsoft docs.

  • Full admin access (infrastructure admin) to the ConfigMgr infrastructure is preferred.
  • Global Administrator access on the Azure Active Directory tenant (the following apps are created automatically during the tenant attach onboarding process):
    • to create a third-party application under App registrations
    • to create a first-party service principal
  • An Azure public cloud environment (not available for Government and other Azure cloud environments)
  • The user account triggering device actions from the cloud console has the following prerequisite:
    • Azure AD Connect should be in place to sync on-prem AD users and groups to Azure AD (if you have Office 365, you are probably already using Azure AD Connect).

Firewall Proxy Settings for ConfigMgr Tenant Attach

In a corporate environment, you usually need to open some firewall ports and update the proxy bypass list. To enable tenant attach, you might need to allow the following URLs (the internet endpoints for the tenant attach scenario).

All of the following endpoints use HTTPS (TCP port 443).

https://aka.ms/configmgrgateway
https://gateway.configmgr.manage.microsoft.com
https://us.gateway.configmgr.manage.microsoft.com
https://eu.gateway.configmgr.manage.microsoft.com
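An added example (not from the original post) that checks from the service connection point whether these endpoints answer on TCP 443 and whether an HTTPS request gets through the proxy; the -Proxy parameter is an assumption for site systems that have their own proxy setting.

```powershell
# Added example, not part of the original post: from the service connection point, confirm
# the tenant attach endpoints answer on TCP 443 and that an HTTPS request passes the proxy.
# Any HTTP status, even 4xx, proves the path is open; a name-resolution failure or a proxy
# 403/407 means the allow list or proxy bypass still needs work. -Proxy is an assumed
# parameter for a site-system-specific proxy; omit it to use the host's default settings.
param([string]$Proxy)

$endpoints = @(
    'https://aka.ms/configmgrgateway',
    'https://gateway.configmgr.manage.microsoft.com',
    'https://us.gateway.configmgr.manage.microsoft.com',
    'https://eu.gateway.configmgr.manage.microsoft.com'
)

$web = @{ UseBasicParsing = $true; TimeoutSec = 15; ErrorAction = 'Stop' }
if ($Proxy) { $web.Proxy = $Proxy; $web.ProxyUseDefaultCredentials = $true }

foreach ($url in $endpoints) {
    $uri = [uri]$url
    # Layer 1: DNS lookup plus a direct TCP handshake. This bypasses any proxy, so a
    # failure here is expected when outbound traffic is allowed through the proxy only.
    $tcp = Test-NetConnection -ComputerName $uri.Host -Port 443 -WarningAction SilentlyContinue

    # Layer 2: HTTPS through whichever proxy this session (or -Proxy) resolves.
    try {
        $resp = Invoke-WebRequest -Uri $uri @web
        $http = "HTTP $($resp.StatusCode)"
    } catch {
        $r = $_.Exception.Response
        $http = if ($r) { "HTTP $([int]$r.StatusCode)" } else { $_.Exception.Message }
    }

    [pscustomobject]@{
        Endpoint   = $uri.Host
        Resolved   = $tcp.RemoteAddress
        TcpOk      = [bool]$tcp.TcpTestSucceeded
        HttpsCheck = $http
    }
}
```

Run it on the service connection point itself, since that is the host whose firewall and proxy path tenant attach actually uses.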

Enable Tenant Attach

Let’s see how to enable SCCM device sync to the cloud console (a.k.a. tenant attach).

NOTE! – Follow these steps only when you have not already enabled the co-management feature in the SCCM environment.

  • Navigate to Administration > Overview > Cloud Services > Co-management.
  • Click on the Configure Co-management button.
  • On the Tenant onboarding page, select AzurePublicCloud for your environment.
  • Click Sign In and sign in with the Azure Global Administrator account.
  • Select the Upload to Microsoft Endpoint Manager admin center option on the Tenant onboarding page to enable device sync to the Intune portal.

NOTE! – Select the Enable Automatic client enrollment for co-management option only if you want to enable co-management; leave it unselected if you do not.

  • Click on the YES button to create the Azure AD applications mentioned in the prerequisites section.
Enable Tenant Attach for SCCM 2002
  • Select the devices to upload to Microsoft Endpoint Manager (Intune portal).
    • Select “All my devices managed by Microsoft Endpoint Configuration Manager (recommended)” to sync all devices from SCCM to Intune.
All my devices managed by Microsoft Endpoint Configuration Manager (recommended)
  • Complete the wizard by clicking on CLOSE.
Complete the Wizard by clicking on CLOSE

SCCM Tenant Attach Azure Apps

When you enable device sync or tenant attach from the SCCM 2002 production version, two (2) Azure applications (under the App registrations node) are created automatically in Azure. The onboarding process creates a third-party app and a first-party service principal in your Azure AD tenant.

From the SCCM console, you can see one application under the Azure Active Directory Tenants node under Cloud Services.

Active Directory Apps – Sync Between SCCM Intune Portal
  • Check the Azure portal (Azure AD > App registrations) to confirm that the ConfigMgrSvc applications have been created.

From the Azure portal, you can check the two (2) applications under the Azure Active Directory > App registrations > All applications blade: a third-party app and a first-party service principal.

  • ConfigMgrSvc_6cf7c923
  • ConfigMgrSvc_94b2529e

Azure Apps Permissions for Tenant Attach

The above two applications and their respective permissions are created automatically during device sync or SCCM tenant attach configuration. No manual intervention is required.

Tenant Attach Azure AD App Permission – Sync Between SCCM Intune Portal
Scopes Defined by Tenant Attach API – Sync Between SCCM Intune Portal

Configuration Manager Microservice

Add your admin user to this enterprise app (Configuration Manager Microservice) to get the appropriate permissions to initiate SCCM actions from the Intune portal, such as:

  • CMPivot
  • Run Script
  • Collections
  • etc.
Configuration Manager Microservice enterprise app

Results

SCCM Console End Results

  • Go to the properties of SCCM co-management.
    • Click on Configure Upload to check and confirm whether device sync is enabled.

Intune Portal (Microsoft Endpoint Manager Admin Center)

Let’s have a look at the results of the SCCM 2002 tenant attach (device sync) option.

Co-Managed with Intune and ConfigMgr – Device Sync from SCCM – Intune Managed

Logs Related to Tenant Attach

Use the following logs located on the service connection point:

  • CMGatewaySyncUploadWorker.log
  • CMGatewayNotificationWorker.log
  • Adminservice.log
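An added example, not from the original post, that scans these three logs for warning and error entries in the standard ConfigMgr (CMTrace) log format; the default log folder is an assumption and may differ on a remote service connection point.

```powershell
# Added example, not part of the original post: surface warning (type 2) and error (type 3)
# entries from the tenant attach logs on the service connection point. The log folder is an
# assumption; point -LogRoot at the service connection point's actual Logs directory.
param(
    [string]$LogRoot = 'C:\Program Files\Microsoft Configuration Manager\Logs',
    [int]$Last = 20
)

$logs = 'CMGatewaySyncUploadWorker.log', 'CMGatewayNotificationWorker.log', 'Adminservice.log'

# One entry in the ConfigMgr (CMTrace) log format. The message may span several lines,
# so the file is matched as a single string with Singleline semantics.
$entry = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"' +
         '\s+component="(?<comp>[^"]*)"[^>]*?type="(?<type>\d)"'

foreach ($name in $logs) {
    $path = Join-Path $LogRoot $name
    if (-not (Test-Path $path)) { Write-Warning "Missing: $path"; continue }

    $text = Get-Content -Path $path -Raw
    $hits = [regex]::Matches($text, $entry, 'Singleline') |
        Where-Object { [int]$_.Groups['type'].Value -ge 2 } |
        Select-Object -Last $Last

    foreach ($m in $hits) {
        [pscustomobject]@{
            Log       = $name
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Severity  = if ($m.Groups['type'].Value -eq '3') { 'Error' } else { 'Warning' }
            Component = $m.Groups['comp'].Value
            Message   = ($m.Groups['msg'].Value -replace '\s+', ' ').Trim()
        }
    }
}
```

Pipe the output to Format-Table or Export-Csv to review the last few failures of the upload and notification workers without opening each log in CMTrace.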
