MSEndpointMgr

Synchronize Device Collection memberships to an Azure AD group with ConfigMgr

Groups in Azure AD have sometimes proven difficult to use fully when you want to target a set of devices based on specific data. Membership rules for these groups are limited to the properties available on the Azure AD device object. In the ConfigMgr world, we’ve always had the pleasure of extending hardware inventory and gathering extensive data, which lets us group devices more or less however we want. These days, with cloud attach of your on-premises infrastructure, we gain more functionality through features such as Co-management. However, grouping devices in Intune based on an arbitrary property and value has not been possible.

With the release of ConfigMgr 1906 we can now synchronize the membership of a given device collection to a specific Azure AD group. Why is that important? Because you now have the same targeting capabilities in a Co-management scenario from both ConfigMgr and Intune. Simply put, use the extensive hardware inventory gathering process of ConfigMgr, create a device collection based on that information, and synchronize its membership directly to an Azure AD group in the cloud.

In this post I’ll show you how to enable the synchronization of a device collection with an Azure AD group. At the time of writing, this is a pre-release feature, so it first needs to be turned on under Administration – Updates and Servicing – Features as shown below.

As an extra bonus, we’ve only mentioned this new feature in the context of device collections, but it works for user collections and Azure AD user groups too. However, we’re going to focus on device collections for the remainder of this post.

Prerequisites for synchronizing memberships

Before we get started, if you have not yet started cloud-attaching ConfigMgr, or have never heard of Co-management before, read the following documentation from Microsoft:

https://docs.microsoft.com/en-us/sccm/comanage/overview

A prerequisite for synchronizing device collection memberships with this feature is that Cloud Management is configured under Administration – Cloud Services – Azure Services in the ConfigMgr console, meaning you have on-boarded your tenant and connected it to ConfigMgr. This service configuration enables the site server(s) and clients to authenticate using Azure AD, and it also enables other scenarios such as Azure AD user discovery. Refer to the following documentation for more information and how to set it up:

https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/azure-services-wizard

Devices that will be synchronized to an Azure AD group also need to be either Azure AD joined or hybrid Azure AD joined.

  • Once the Azure AD tenant on-boarding has completed successfully, open the ConfigMgr console, navigate to Administration – Cloud Services – Azure Services, right-click the Cloud Management service and select Properties.

  • Under the Collection Synchronization tab, check Enable Azure Active Directory Group Sync and click OK.

You have now configured the required prerequisites for synchronizing device collection memberships to the cloud.

If you want to automate this configuration, here’s the PowerShell code required to enable or disable Azure Active Directory Group Sync for the Cloud Management service. The calls go through the SMS Provider namespace on the site server, so run them with an account that has rights to modify the Azure services configuration.

# Site information
$SiteServer = "CM01"
$SiteCode = "P01"
$Namespace = "root\SMS\site_$($SiteCode)"

# Get the ID of the Cloud Management service (ServiceType 3) from the SMS Provider on the site server
$CloudServiceID = Get-WmiObject -ComputerName $SiteServer -Namespace $Namespace -Class SMS_Azure_CloudService -Filter "ServiceType = 3" | Select-Object -ExpandProperty ID

# Check if Azure AD group synchronization is enabled for that service
Invoke-WmiMethod -ComputerName $SiteServer -Namespace $Namespace -Class SMS_AAD_Sync_Settings -Name "GetAADGroupSyncConfig" -ArgumentList @($CloudServiceID)

# Enable Azure AD group synchronization (second argument 1 = enabled)
Invoke-WmiMethod -ComputerName $SiteServer -Namespace $Namespace -Class SMS_AAD_Sync_Settings -Name "ConfigureCollectionAADGroupSync" -ArgumentList @($CloudServiceID, 1)

# Disable Azure AD group synchronization (second argument 0 = disabled)
Invoke-WmiMethod -ComputerName $SiteServer -Namespace $Namespace -Class SMS_AAD_Sync_Settings -Name "ConfigureCollectionAADGroupSync" -ArgumentList @($CloudServiceID, 0)

Enable synchronization for an existing device collection

Synchronization between a device collection and an Azure AD group is managed per device collection. You can either create a new device collection, with query-based or direct memberships, or simply use an existing one. At the time of writing, the synchronization is configured in the collection’s Properties, much like any other collection setting. In the example below, I’m going to demonstrate how to synchronize the members of a device collection named LC – All Windows 10 Clients, which currently contains 9 devices, to an Azure AD group named CM-LC-Windows10-Clients.

Device collection configuration

Follow these instructions to set up the synchronization of memberships between a device collection and an Azure AD group. It’s recommended that you have access to a user identity that has permission to add other identities as Owners of groups, since the console will attempt to add the Cloud Management Server App as an owner of the selected group.

  • In the ConfigMgr console, open the Properties window of an existing device collection.
  • Under the AAD Group Sync tab, click Add.

  • From the Tenant drop-down menu, ensure that the correct tenant is selected and click Search. When prompted, sign in with the required credentials.

  • Select the desired Azure AD group and click OK. Note that the list will also include Dynamic Membership groups from Azure AD; these are not supported, so make sure you select an Azure AD group whose membership type is Assigned. Microsoft has a known bug for this that will be fixed in a later update.

  • Back in the Properties window of the device collection, click OK and then Apply. If the account you used to search for Azure AD groups does not have permission to add the Server App used by the Cloud Management service as an owner of the selected Azure AD group, you’ll get a prompt saying that you have to configure that manually; until you do, the synchronization will not work. Follow the instructions in the next sub-section of this post if you run into this.

Azure AD group configuration

Only perform the following configuration if you were prompted that you needed to manually make additional configuration for the Azure AD group.

  • In the Azure portal, browse to Groups and select the desired group, in this case a group named CM-LC-Windows10-Clients.
  • Click Owners, then Add owners, and search for the Azure AD app registration used as the Server App of the Cloud Management service. Select that app identity to make it an owner of the group. In the example below, my app identity is named ConfigMgr-ServerApp; yours may be named differently.

The device collection has now been set up to synchronize its members with the selected Azure AD group. For a detailed view of what’s syncing, refer to SMS_AZUREAD_DISCOVERY_AGENT.log on the site server. The synchronization runs every 5 minutes. A successful synchronization produces entries like the following in that log file:

Just as with enabling or disabling synchronization on the Cloud Management service, we can use the SMS Provider and PowerShell to create the same Azure AD group mapping instance that we just configured step by step in the console. Below is an example of the required PowerShell code and parameter inputs for the AddCollectionAADGroupMapping static method.

# Site information
$SiteServer = "CM01"
$SiteCode = "P01"
$Namespace = "root\SMS\site_$($SiteCode)"

# Get the ID of the Cloud Management service (ServiceType 3) from the SMS Provider on the site server
$CloudServiceID = Get-WmiObject -ComputerName $SiteServer -Namespace $Namespace -Class SMS_Azure_CloudService -Filter "ServiceType = 3" | Select-Object -ExpandProperty ID

# Add a group mapping instance between the device collection and the Azure AD group for synchronization.
# $Args is a PowerShell automatic variable, so the parameter hashtable uses a different name.
$MethodArgs = @{
    CollectionSiteID = "P0100001" # This is the Collection ID
    AADGroupID = "7693c3e1-82bd-4d39-afaf-af6bb9074fb9" # This is the Object ID of the Azure AD group
    CloudServiceID = $CloudServiceID
    AADGroupName = "CM-LC-Windows10-Clients"
}
Invoke-CimMethod -ComputerName $SiteServer -Namespace $Namespace -ClassName SMS_CollectionAADGroupMapping -MethodName "AddCollectionAADGroupMapping" -Arguments $MethodArgs
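As an added example that is not part of the original post, the following script wraps the same AddCollectionAADGroupMapping call so that it can be run safely more than once: it resolves the device collection by name instead of a hard-coded CollectionID, refuses to continue if the name is ambiguous, skips the call when a mapping for that collection already exists, and checks the method’s return value. The site server, site code, collection name and the Azure AD group’s Object ID are placeholders. It assumes (not confirmed by the post) that existing SMS_CollectionAADGroupMapping instances expose CollectionSiteID, AADGroupID and AADGroupName properties matching the method’s parameter names, and that a ReturnValue of 0 means success, as it does for most SMS Provider methods.

```powershell
# Added example: idempotent wrapper around AddCollectionAADGroupMapping (not from the original post).
# Placeholders for your environment: site server, site code, collection name and Azure AD group details.
$SiteServer     = "CM01"
$SiteCode       = "P01"
$Namespace      = "root\SMS\site_$($SiteCode)"
$CollectionName = "LC - All Windows 10 Clients"
$AADGroupName   = "CM-LC-Windows10-Clients"
$AADGroupID     = "00000000-0000-0000-0000-000000000000"   # Object ID of an Assigned (not Dynamic) Azure AD group

# 1. Resolve the Cloud Management service (ServiceType 3); Azure AD group sync must already be enabled on it
$CloudService = Get-WmiObject -ComputerName $SiteServer -Namespace $Namespace -Class SMS_Azure_CloudService -Filter "ServiceType = 3"
if (-not $CloudService) {
    throw "No Cloud Management service is configured in site $SiteCode; on-board the tenant first."
}

# 2. Resolve the device collection (CollectionType 2) by name; single quotes are escaped for the WQL filter
$EscapedName = $CollectionName.Replace("'", "''")
$Collections = @(Get-WmiObject -ComputerName $SiteServer -Namespace $Namespace -Class SMS_Collection -Filter "Name = '$EscapedName' AND CollectionType = 2")
switch ($Collections.Count) {
    0       { throw "Device collection '$CollectionName' was not found." }
    1       { $CollectionID = $Collections[0].CollectionID }
    default { throw "More than one device collection is named '$CollectionName'; use the CollectionID instead." }
}

# 3. Skip if this collection is already mapped (assumption: instance properties match the method parameter names)
$Existing = Get-WmiObject -ComputerName $SiteServer -Namespace $Namespace -Class SMS_CollectionAADGroupMapping |
    Where-Object { $_.CollectionSiteID -eq $CollectionID }
if ($Existing) {
    Write-Output "Collection $CollectionID is already mapped to Azure AD group $($Existing.AADGroupName) ($($Existing.AADGroupID)); nothing to do."
    return
}

# 4. Create the mapping; $Args is an automatic variable in PowerShell, so a different name is used
$MethodArgs = @{
    CollectionSiteID = $CollectionID
    AADGroupID       = $AADGroupID
    CloudServiceID   = $CloudService.ID
    AADGroupName     = $AADGroupName
}
$Result = Invoke-CimMethod -ComputerName $SiteServer -Namespace $Namespace -ClassName SMS_CollectionAADGroupMapping -MethodName "AddCollectionAADGroupMapping" -Arguments $MethodArgs

# 5. Check the outcome (assumption: ReturnValue 0 means success)
if ($Result.ReturnValue -ne 0) {
    throw "AddCollectionAADGroupMapping failed with return value $($Result.ReturnValue)."
}
Write-Output "Mapped collection $CollectionID ($CollectionName) to Azure AD group $AADGroupName; watch SMS_AZUREAD_DISCOVERY_AGENT.log for the first synchronization."
```

The existence check in step 3 is what makes the script safe to re-run from a scheduled job or a deployment pipeline; without it, each run would attempt to create a second mapping for the same collection.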

A view from the cloud

After the initial full synchronization, members become visible. Microsoft has documented that it normally takes 5-7 minutes before membership changes are visible in the Azure AD group. If we look at the group configured for synchronization in the Azure portal, and everything went well and the memberships have synchronized successfully, it should look something like the following:

As the picture above shows, CL03 has been added to the group. However, my collection contained several more members and they have not been added. The troubleshooting section below explains why that happens.

Troubleshooting

Device memberships will not synchronize to an Azure AD group unless the Azure AD tenant ID (also known as the Directory ID) is populated for the device in the AADTenantID column of the ClientKeyData table in the site database. Below is a useful query for troubleshooting why a certain device has not been added to an Azure AD group.

-- Devices with their Azure AD tenant ID (AADTenantID) from ClientKeyData; an empty value
-- means the device will not be added to the Azure AD group
SELECT System_DISC.Name0, cData.SMSID, System_DISC.SMS_Unique_Identifier0, cData.AADTenantID
FROM ClientKeyData AS cData
JOIN System_DISC ON cData.SMSID = System_DISC.SMS_Unique_Identifier0
ORDER BY System_DISC.Name0

Running this query gives you an overview of which devices have AADTenantID set, which is what allows a device to be synchronized; devices where the value is empty are the ones that are skipped.
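As an added example that is not part of the original post, the following PowerShell runs a variant of the query above scoped to a single collection: it joins the collection’s members (through the v_FullCollectionMembership view) to ClientKeyData with a LEFT JOIN, so members without any ClientKeyData row still show up, and reports which members have an AADTenantID and which do not. The SQL server name, site database name and CollectionID are placeholders; the account running it needs read access to the site database; and the script assumes, like the page’s own query, that the SMSID exposed by v_FullCollectionMembership is the same value ClientKeyData.SMSID is keyed on.

```powershell
# Added example: report which members of a synchronized collection have AADTenantID populated (not from the original post).
# Placeholders for your environment: site database server, site database name and the collection being synced.
$SqlServer    = "CM01"
$SiteDatabase = "CM_P01"
$CollectionID = "P0100001"

# Collection members LEFT JOINed to ClientKeyData so that devices with no ClientKeyData row still appear
# (with a NULL AADTenantID). Assumption: v_FullCollectionMembership.SMSID matches ClientKeyData.SMSID.
$Query = @"
SELECT fcm.Name, fcm.SMSID, fcm.IsClient, ck.AADTenantID
FROM v_FullCollectionMembership AS fcm
LEFT JOIN ClientKeyData AS ck ON ck.SMSID = fcm.SMSID
WHERE fcm.CollectionID = @CollectionID
ORDER BY fcm.Name
"@

function Get-CollectionAADSyncState {
    param([string]$Server, [string]$Database, [string]$Collection, [string]$Sql)

    $Connection = New-Object System.Data.SqlClient.SqlConnection("Server=$Server;Database=$Database;Integrated Security=SSPI;")
    $Command    = $Connection.CreateCommand()
    $Command.CommandText = $Sql
    [void]$Command.Parameters.AddWithValue("@CollectionID", $Collection)   # parameterised, never concatenated into the SQL

    $Table = New-Object System.Data.DataTable
    try {
        $Connection.Open()
        $Adapter = New-Object System.Data.SqlClient.SqlDataAdapter($Command)
        [void]$Adapter.Fill($Table)
    }
    finally {
        $Connection.Dispose()
    }

    foreach ($Row in $Table.Rows) {
        # A NULL from the LEFT JOIN arrives as DBNull; treat it the same as an empty string
        $TenantID = if ($Row.AADTenantID -is [DBNull]) { $null } else { [string]$Row.AADTenantID }
        [PSCustomObject]@{
            Name        = $Row.Name
            SMSID       = $Row.SMSID
            IsClient    = ($Row.IsClient -eq 1)
            AADTenantID = $TenantID
            WillSync    = -not [string]::IsNullOrEmpty($TenantID)
        }
    }
}

$State   = @(Get-CollectionAADSyncState -Server $SqlServer -Database $SiteDatabase -Collection $CollectionID -Sql $Query)
$Blocked = @($State | Where-Object { -not $_.WillSync })

Write-Output ("Collection {0}: {1} members, {2} with AADTenantID set, {3} that will not be added to the Azure AD group." -f $CollectionID, $State.Count, ($State.Count - $Blocked.Count), $Blocked.Count)
$Blocked | Format-Table Name, SMSID, IsClient -AutoSize
```

The devices listed at the end are the ones to compare against the Azure AD group’s member list; if a device is missing from the group and appears here with WillSync false, the empty AADTenantID is the reason, not the group sync itself.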

I’ll update this part of the post once I’ve received more information from Microsoft on why this happens and hopefully with an easy fix.

Update 2020-02-29: What essentially fixed this in my lab environment was to enable Enhanced HTTP (E-HTTP). My fellow MVP and friend Ronny de Jong has written an extensive blog post on how this all works and explains it very well; see his blog post for more information.


Nickolaj Andersen

Chief Technical Architect and Enterprise Mobility MVP since 2016. Nickolaj has been in the IT industry for the past 10 years, specializing in Enterprise Mobility and Security, Windows devices and deployments, including automation. Awarded as PowerShell Hero in 2015 by the community for his script and tools contributions. Creator of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd and ConfigMgr WebService, to name a few. Frequent speaker at conferences such as Microsoft Ignite, NIC Conference and IT/Dev Connections, as well as Nordic user groups.

1 comment

  • Did it take long after enabling Enhanced HTTP for this to work?

    Thanks in advance!
