Let’s discuss the SCCM collection sync to Azure AD group feature, which was introduced in the SCCM 1906 production version. In this video you will see how to sync a collection and the devices in it into an Azure AD group (SCCM Collection AAD Group Sync).
NOTE! – I gave a live demo of the Collection Sync feature in the two live webinars which Parallels conducted recently. More details about the webinars are available here.
From SCCM 1906 onwards you can sync an SCCM collection and the devices inside it to an Azure AD group. This lets you deploy modern policies to those Azure AD groups and helps automate Azure AD group management.
SCCM automatically adds and removes Azure AD devices in that group based on the collection membership. This feature can be used with static or dynamic collections.
Advantage of SCCM Collection AAD Group Sync
This SCCM collection sync feature is useful because SCCM can query devices on many attributes and add them dynamically to a collection. Azure AD dynamic groups are nowhere near as capable at querying complex device attributes.
So grouping devices by complex attributes into a particular AAD dynamic group is nearly impossible; the rules and attributes allowed in Azure AD dynamic groups are very limited compared with SCCM collection queries.
You can therefore use the SCCM collection AAD Group sync feature to build Azure AD groups with very complex membership. These groups can then be used to deploy modern policies and modern applications to those Azure AD groups.
The following prerequisites should be in place for SCCM Collection AAD Group sync to work.
- SCCM Cloud Services configured correctly (Azure AD user/group sync)
- Enable SCCM Collection Sync
- The Device/machine should be Hybrid Azure AD joined (Domain Join + Azure AD Registered)
- AAD Connection configured and enabled for Hybrid Azure AD Join scenario
- The SCCM server should have an internet connection and connectivity to the URLs required for SCCM Collection Sync (the Graph API endpoints and so on)
NOTE! – I found that if your SCCM server is behind a NATed network, then the SCCM cloud services won’t work as expected.
Create Azure AD group
Go to Azure AD and create a new group for the SCCM collection sync. This AAD group must use the Assigned membership type, that is, a static Azure AD group.
The owner of the AAD group should be the service principal (the server application) that was created from the SCCM console when you configured the cloud services and the Azure AD discovery feature.
The owner is critical because that is what grants SCCM access to the Azure AD group; otherwise SCCM won’t be able to add or remove devices from the group. So the owner is basically the service principal that gives the SCCM server permission to edit the Azure AD group.
Create a New Collection
To test this feature, create a new device collection from Assets and Compliance. Once the collection is created, open the properties of that collection and click the AAD group tab.
- Once you are in that Azure Group Sync tab, you can see your tenant details and a search box.
- In the search box, search for Azure AD groups.
- Select the AAD group which you created for collection sync.
- Add the Azure AD group and click OK to continue.
Log File – SCCM Collection AAD Group Sync
SCCM should immediately start syncing the devices in this collection into the Azure AD group we created above. You can validate this activity in the log file called SMS_AZUREAD_DISCOVERY_AGENT.log.
Collection to AAD group sync worker starts.
Get group members for group: https://graph.microsoft.com/v1.0/groups/56f72f14-625a-4f7e-a299-8cbc200be430/members?$select=id&$top=500
Add device: c7b5bc39-ec90-44e8-9f83-3789317416bd to group 56f72f14-625a-4f7e-a299-8cbc200be430 in request 0
Sync successful, new Watermark: 2317
Collection to AAD group sync worker ends.
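As an added example (not code from the original post or from Microsoft), here is a small parser that turns those SMS_AZUREAD_DISCOVERY_AGENT.log lines into a pass/fail summary: which Azure AD group was targeted, which device IDs were added, the watermark, and whether the worker ran start to end. It reads the message text as CMTrace shows it and also accepts the raw on-disk `<![LOG[...]LOG]!>` wrapper (assumed format); the sample below is constructed from the lines quoted above.

```python
import re

# Constructed sample: the log lines quoted in the post above.
SAMPLE_LOG = """\
Collection to AAD group sync worker starts.
Get group members for group: https://graph.microsoft.com/v1.0/groups/56f72f14-625a-4f7e-a299-8cbc200be430/members?$select=id&$top=500
Add device: c7b5bc39-ec90-44e8-9f83-3789317416bd to group 56f72f14-625a-4f7e-a299-8cbc200be430 in request 0
Sync successful, new Watermark: 2317
Collection to AAD group sync worker ends.
"""

GUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
RAW_WRAPPER = re.compile(r"<!\[LOG\[(.*?)\]LOG\]!>", re.S)  # assumed raw ConfigMgr log format
GROUP_RE = re.compile(r"Get group members for group: \S*/groups/(" + GUID + r")/members")
ADD_RE = re.compile(r"Add device: (" + GUID + r") to group (" + GUID + r")")
WATERMARK_RE = re.compile(r"Sync successful, new Watermark: (\d+)")


def parse_sync_log(text):
    """Summarise one collection-to-AAD-group sync pass from log text."""
    # Raw files wrap each message in <![LOG[...]LOG]!>; CMTrace copies are plain lines.
    messages = RAW_WRAPPER.findall(text) or text.splitlines()
    result = {"group_id": None, "added": [], "watermark": None,
              "started": False, "ended": False, "success": False}
    for msg in messages:
        msg = msg.strip()
        if msg.startswith("Collection to AAD group sync worker starts"):
            result["started"] = True
        elif msg.startswith("Collection to AAD group sync worker ends"):
            result["ended"] = True
        elif (m := GROUP_RE.search(msg)):
            result["group_id"] = m.group(1)
        elif (m := ADD_RE.search(msg)):
            # A device landing in a group other than the one queried is worth flagging.
            if result["group_id"] and m.group(2) != result["group_id"]:
                raise ValueError("device added to unexpected group " + m.group(2))
            result["added"].append(m.group(1))
        elif (m := WATERMARK_RE.search(msg)):
            result["watermark"] = int(m.group(1))
            result["success"] = True
    return result


def sync_healthy(summary):
    """True only when the worker ran start to end and reported a successful sync."""
    return summary["started"] and summary["ended"] and summary["success"]


if __name__ == "__main__":
    print(parse_sync_log(SAMPLE_LOG))
```

A pass that starts but never logs "Sync successful" (for example when the group owner is wrong and Graph rejects the membership change) is reported as unhealthy, which is the condition to alert on.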
- What is New in SCCM 1906 New Features a Walkthrough
- SCCM 1906 Upgrade Walkthrough Video Guide
- Synchronize collection membership results to Azure Active Directory groups
9 thoughts on “SCCM Collection AAD Group Sync Setup Video Guide”
I am trying to configure the collection sync feature but every time I go to the properties of a collection and select an AAD group to sync with, I am getting an error that says “There is no cloud service found for tenant that will allow collection member upload to AAD.”
I see the Cloud Management settings in Azure Services and the Enable Azure Active Directory Group sync is checked. The pre-release feature is Enabled. The AAD User sync seems to be working fine and I don’t see any errors in the SMS_AZUREAD_DISCOVERY_AGENT log. Is there something I am missing to sync collection membership?
Please can you confirm the Azure AD users and groups successfully synced?
Yes – it appears the sync is successful. I am able to search for AAD groups in the SCCM console it just gives me that error about allowing collection member upload to AAD when I try to actually set one of the collections to sync with a group.
That is really strange. I don’t remember whether I have seen this error before or not. I hope your Windows 10 device is Hybrid Azure AD joined? We need to make sure of that, otherwise the sync won’t work.
Same error message here. I’ve just opened a support ticket with Microsoft, curious what they’ll say…
There could be some known issues. I’m sorry, I think I tried with the technical preview version.
Hi Christian, did you find a fix to this? I got the error as well initially, then I added another cloud management service in SCCM and post that I do not see any error, but no device syncs as well.
Once I removed my tenant out of the Config Manager console and re-added it, the error went away but devices were not syncing. I opened a case with Microsoft and they found that the clients (at least for Hybrid AAD joined clients) need to have an approval status of 3 in order to sync. MS Support gave me 2 SQL queries to run to confirm what the current status is of a client:
SELECT AADTenantID, AADDeviceID, Name0, SMS_Unique_Identifier0 FROM System_DISC WHERE Name0 = 'HOSTNAME'
*Replace HOSTNAME with the hostname of a device that should be syncing, but is not.
SELECT AADTenantID, AADDeviceID, ApprovalStatus, SMSID FROM ClientKeyData WHERE SMSID = 'DeviceGuid'
*Replace DeviceGuid using the SMS_Unique_Identifier result from the above query.
The ApprovalStatus from the 2nd query should be 3 for a Hybrid AAD joined client (not sure about Azure AD Joined only devices). If it is not, my issue was related to authentication. I configured a Cloud Management Gateway and then the intranet clients all started changing to approval status 3 and syncing into the AAD group over time. Setting up a CMG resolved the issue for me.
I fixed the “No cloud service” error by deleting my tenant out of SCCM and re-creating it again. This required deleting Cloud Management and Desktop Analytics as well as the actual tenant. Then I needed to delete the Enterprise Apps and App Registrations created by ConfigMgr in Azure before setting everything up again. No more errors but now when I sync, only a few devices went into the AAD group. About 90% did not show up even though they are Hybrid Azure-AD Joined. Haven’t figured that out yet.