Add More Security to the CMG Web App in the SCCM 2309 Update

In this post, I'll discuss how the Configuration Manager 2309 update adds more security to the CMG web app. Beginning with version 2309 of SCCM current branch, Microsoft has tightened the security of the web (server) app registration that is used to create a cloud management gateway (CMG).

When you create a new CMG, you first choose the tenant (identified by its Azure AD tenant name) and the app name. A sign-in button appears once both are selected; sign in, then continue with the remaining steps of the CMG setup.

Signing in updates the Azure AD web app with the latest Configuration Manager settings. These settings include the permission to read directory data and support for Azure AD (Microsoft Entra ID) device tokens.

This post provides prescriptive instructions for integrating the site, especially for the cloud management gateway. See Configure Azure Services for additional details on this procedure and other applications of the Azure Services node in the Configuration Manager console.


Prerequisites to Create a CMG Web App

Here are the basic requirements Microsoft recommends for creating a CMG web app:

  • You need an active Azure subscription, because the Cloud Management Gateway runs on Azure services.
  • To create the Azure AD apps (CMG web app and client app), you need the Global Administrator role in Azure AD.
  • Because app creation is started from the SCCM console, you also need the Full Administrator role in Configuration Manager.

What Are Microsoft Entra Apps?

Each Azure service can be configured separately in the Azure portal, and each service may need different permissions on the app that accesses Azure resources. A single app can, however, be used for many services, and with Configuration Manager and Microsoft Entra ID there is only one object to manage: you only need to renew the app's secret key when it expires. When you create additional Azure services with the wizard, Configuration Manager reuses the data that services share, so you do not have to enter the same information repeatedly.

SCCM 2309 Update to Add More Security CMG Web App Fig. 1 (Credit: Microsoft)

How to Update CMG Web App Settings

Existing CMG customers must update their web server app from the Configuration Manager console:

  • Administration workspace > Cloud Services > Azure Active Directory Tenants > select the tenant > select the server app > right-click the server app, then choose "Update Application Settings".
SCCM 2309 Update to Add More Security CMG Web App Fig. 2

Configure Azure Active Directory to Add More Security to the CMG Web App

The second essential step in setting up a cloud management gateway (CMG) is integrating the Configuration Manager site with your Azure AD (Microsoft Entra ID) tenant. This integration lets the site deploy and monitor the CMG service using Azure AD authentication, and it is a prerequisite if you decide to use Azure AD authentication for clients in a later step.


To integrate the site, you must create app registrations in Azure AD. The CMG requires two app registrations:

  • Web app (also called the server app in Configuration Manager)
  • Native app (also called the client app in Configuration Manager)

These apps can be created using one of two techniques, both of which need a Global Administrator role in Azure AD.

  1. Let Configuration Manager create the apps automatically when you integrate the site.
  2. Create the apps manually in advance, then import them when you integrate the site.

In this article I am going to follow the first method.

Note! Verify that the Azure AD/Azure Entra ID Global Administrator role is assigned to your user ID before proceeding.

Why Are the CMG Web App and Client App Registrations Required?

These two Azure AD app registrations represent the server and client sides of the CMG. The client app represents the users and managed clients that connect to the CMG, and it defines which resources in Azure they can access, including the CMG itself.

The server app represents the Azure-hosted CMG components and defines which Azure resources they can access. Its purpose is to let users, managed clients, and the CMG connection point authenticate and authorize against the Azure-based CMG components.

This communication covers the initial CMG provisioning in Azure, Azure AD discovery, and traffic to on-premises management points and software update points.

If clients use PKI-issued client authentication certificates, these two app registrations are not used for device-centric activities, for example software distribution targeted at a collection of devices. User-centric activities always use these two app registrations for authentication and authorization.

Now we can start the configuration:

  • In the Configuration Manager console, go to Administration workspace > Cloud Services > Azure Services, right-click the node and select Configure Azure Services.
  • On the Azure Services page of the Azure Services Wizard, enter a name for the Configuration Manager object. This name is used only within Configuration Manager.
  • Optionally, enter a description to further identify this service connection.
  • Select the Cloud Management option.
SCCM 2309 Update to Add More Security CMG Web App Fig. 3

On the App properties page of the Azure Services Wizard, select the Azure environment for your tenant.

  • AzurePublicCloud: Your tenant belongs to the global Azure cloud
  • AzureUSGovernmentCloud: Your tenant is in the Azure US Government cloud

Usually, we will go with the AzurePublicCloud option.

SCCM 2309 Update to Add More Security CMG Web App Fig. 4

Now create the web (server) app registration. On the App Properties page of the Azure Services Wizard, select Browse next to Web app.

SCCM 2309 Update to Add More Security CMG Web App Fig. 5

Integrating the site requires app registrations in Azure AD, and the CMG needs two of them. Start with the server app:

  • To have Configuration Manager create the app automatically, select Create in the Server App window.
  • In the Create Server Application window, enter the following information.
  • Application name: a friendly name for the app (e.g., vklabcmg_serverapp)
SCCM 2309 Update to Add More Security CMG Web App Fig. 6

Azure AD Administrator: select Sign in and authenticate with an Azure AD Global Administrator account. Configuration Manager does not save these credentials. This account does not need Configuration Manager rights and does not have to be the same account that launched the Azure Services Wizard. After a successful Azure authentication, the window shows the name of the Azure AD tenant for reference.

  • Select OK to close the Create Server Application window and create the web app in Azure AD. Then repeat the same process for the native (client) app: select Browse next to Native Client app, then Create, enter a name, and sign in. Select OK to close the Create Client Application window and create the native app in Azure AD.
  • Verify that your new app is selected in the Client App window, then select OK to save and close the window.
  • Back in the Azure Services Wizard, verify that both the Web app and Native Client app values are filled in, then select Next.
SCCM 2309 Update to Add More Security CMG Web App Fig. 7

The wizard's Discovery page is only needed in certain situations. Azure AD user or group discovery is not required to create the CMG when onboarding the site to Azure AD; you can enable it later if a particular feature in your environment requires it.

SCCM 2309 Update to Add More Security CMG Web App Fig. 8

Check and verify the configurations again and finish the wizard.

SCCM 2309 Update to Add More Security CMG Web App Fig. 9

The new connection will be visible on the Azure Services node after the wizard closes. The Azure Active Directory Tenants node of the Configuration Manager console allows you to view tenant and app registrations as well.

If your devices are in a different Azure AD tenant from the tenant that holds the subscription for the CMG compute resources, you can disable Azure AD authentication for the tenant that does not contain your users and devices:

  • Open the properties of the Cloud Management service.
  • Switch to the Applications tab.
  • Select the option to disable Azure Active Directory authentication for this tenant.
SCCM 2309 Update to Add More Security CMG Web App Fig. 10

CMG Web App: Set Up Azure Resource Providers

To use the CMG service, you must register specific resource providers with your Azure subscription. When you deploy the CMG to a virtual machine scale set, make sure the following resource providers are registered:

  • Sign in to the Azure portal.
  • Go to Subscriptions > Resource providers and register all of the providers listed below.

Resource Provider Name | Status
Microsoft.KeyVault     | Registered
Microsoft.Storage      | Registered
Microsoft.Network      | Registered
Microsoft.Compute      | Registered
SCCM 2309 Update to Add More Security CMG Web App Table. 1

Note! If you previously deployed the CMG using a classic cloud service, your Azure subscription also requires the following two resource providers.

Resource Provider Name   | Status
Microsoft.ClassicCompute | Registered
Microsoft.Storage        | Registered
SCCM 2309 Update to Add More Security CMG Web App Table. 2

Starting with version 2203, the option to deploy a CMG as a cloud service (classic) is no longer available. Every new CMG deployment should use a virtual machine scale set.

Your Azure AD account needs permission to perform the /register/action operation for each resource provider. The Contributor and Owner roles include this permission by default.
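The same check and registration can be scripted instead of clicking through the portal. The script below is an added example (not from the original post) that uses the Az.Resources cmdlets to confirm each provider from Table 1 is registered and to register any that are not; the subscription ID is a placeholder you must replace, and the account you sign in with must hold Contributor or Owner on the subscription as described above.

```powershell
# Added example, not part of the original post. Requires the Az.Accounts and
# Az.Resources modules (Install-Module Az) and an account with Contributor or Owner.
$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder: your subscription ID

# Resource providers a virtual machine scale set CMG depends on (Table 1).
$RequiredProviders = @(
    'Microsoft.KeyVault',
    'Microsoft.Storage',
    'Microsoft.Network',
    'Microsoft.Compute'
)

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

function Get-ProviderState {
    param([string]$Namespace)
    # Get-AzResourceProvider returns one object per resource type; all share the
    # namespace-level registration state, so the first is enough.
    (Get-AzResourceProvider -ProviderNamespace $Namespace |
        Select-Object -First 1).RegistrationState
}

foreach ($Namespace in $RequiredProviders) {
    $State = Get-ProviderState -Namespace $Namespace
    if ($State -ne 'Registered') {
        Write-Host "Registering $Namespace (current state: $State)"
        # Needs the */register/action permission on the subscription.
        Register-AzResourceProvider -ProviderNamespace $Namespace | Out-Null

        # Registration is asynchronous; poll for up to ten minutes.
        $Attempts = 0
        do {
            Start-Sleep -Seconds 10
            $State = Get-ProviderState -Namespace $Namespace
            $Attempts++
        } while ($State -ne 'Registered' -and $Attempts -lt 60)
    }
    if ($State -ne 'Registered') {
        Write-Warning "$Namespace is still '$State'; check permissions or retry later."
    } else {
        Write-Host "$Namespace : $State"
    }
}
```

Run it once before creating the CMG; it is safe to re-run, because a provider that is already registered is only reported, not changed.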

Automate a Few Steps with PowerShell

Parts of this setup can optionally be automated with PowerShell.

  • Open the Configuration Manager console and, from the top-left corner, select "Connect via Windows PowerShell".

Use the following cmdlets to automate the steps.

  1. Use the Import-CMAADServerApplication cmdlet to define the Azure AD web/server app in Configuration Manager.
  2. Use the Import-CMAADClientApplication cmdlet to define the Azure AD native/client app in Configuration Manager.
  3. Use the Get-CMAADApplication cmdlet to get the imported app objects.
  4. Then pass the app objects to the New-CMCloudManagementAzureService cmdlet to create the Azure service for Cloud Management in Configuration Manager.
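The script below strings those four cmdlets together. It is an added example, not code from the original post, and it follows the second integration method (apps created manually in advance), because the import cmdlets expect app registrations that already exist in Azure AD. The tenant name, tenant ID, application (client) IDs, App ID URI, secret expiry date and service name are placeholders you must replace with your own values; the server app's client secret is read at run time so it is never stored in the script.

```powershell
# Added example, not part of the original post. Run in a console opened with
# "Connect via Windows PowerShell", or load the module and site drive as shown here.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
$SiteDrive = (Get-PSDrive -PSProvider CMSite | Select-Object -First 1).Name
Set-Location "$($SiteDrive):\"

# Placeholder values: replace with the tenant and app registrations created in Azure AD.
$TenantName     = 'contoso.onmicrosoft.com'
$TenantId       = '11111111-1111-1111-1111-111111111111'
$ServerAppName  = 'vklabcmg_serverapp'
$ServerAppIdUri = "https://$TenantName/$ServerAppName"      # App ID URI of the web app
$ServerClientId = '22222222-2222-2222-2222-222222222222'    # Application (client) ID of the web app
$ClientAppName  = 'vklabcmg_clientapp'
$ClientClientId = '33333333-3333-3333-3333-333333333333'    # Application (client) ID of the native app

# Read the web app's client secret interactively so it does not sit in the script or history.
$ServerSecret = Read-Host -Prompt 'Client secret of the server (web) app'
$SecretExpiry = [datetime]'2025-12-31'   # placeholder: must match the expiry set on the secret in Azure

# 1. Define the Azure AD web/server app in Configuration Manager.
Import-CMAADServerApplication -TenantName $TenantName -TenantId $TenantId `
    -AppName $ServerAppName -AppIdUri $ServerAppIdUri -ClientId $ServerClientId `
    -SecretKey $ServerSecret -SecretKeyExpiry $SecretExpiry

# 2. Define the Azure AD native/client app.
Import-CMAADClientApplication -TenantName $TenantName -TenantId $TenantId `
    -AppName $ClientAppName -ClientId $ClientClientId

# 3. Retrieve the imported app objects and stop early if either is missing.
$ServerApp = Get-CMAADApplication -TenantName $TenantName -AppName $ServerAppName -AppType ServerApp
$ClientApp = Get-CMAADApplication -TenantName $TenantName -AppName $ClientAppName -AppType ClientApp
if (-not $ServerApp -or -not $ClientApp) {
    throw 'Server or client app was not imported; check the tenant name and app names.'
}

# 4. Create the Cloud Management Azure service from the two app objects.
New-CMCloudManagementAzureService -Name 'vklab Cloud Management' `
    -Description 'CMG integration created with PowerShell' `
    -ServerApp $ServerApp -ClientApp $ClientApp `
    -AzureEnvironmentOption AzurePublicCloud
```

After the script completes, the new connection appears under Administration > Cloud Services > Azure Services, and the imported apps under Azure Active Directory Tenants, exactly as they would after running the wizard. For an existing server app, the "Update Application Settings" step described earlier is still performed from the console.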


Author

Vaishnav K has over 10 years of experience in SCCM, device management, and automation solutions. He writes about and shares his knowledge of Microsoft Intune, Azure, PowerShell scripting, and automation. Check out his profile on LinkedIn.
