SCCM Collection AAD Group Sync Setup Video Guide

Let’s discuss the SCCM collection sync to Azure AD groups. This feature was introduced in the SCCM 1906 production version. In this video you will see how to sync a collection, with its devices, into an Azure AD group (SCCM Collection AAD Group Sync).

NOTE! – I have given a live demo of the Collection Sync feature in the two live webinars which Parallels conducted recently. More details about the webinars are available here.

Introduction

From SCCM 1906 onwards you can sync an SCCM collection, and the devices inside it, to an Azure AD group. This lets you deploy modern policies to those Azure AD groups and helps automate Azure AD group management.

SCCM automatically adds Azure AD devices to that group based on your collection membership. The feature can be used with static or dynamic collections.

Advantage of SCCM Collection AAD Group Sync

This SCCM collection sync feature is useful because SCCM can query devices on many attributes and add the matching devices dynamically to a collection. Azure AD dynamic groups are far less capable when it comes to querying complex device attributes.

So grouping devices by complex attributes into a particular AAD dynamic group is nearly impossible. The attributes allowed in Azure AD dynamic group membership rules are very limited compared with what SCCM supports.

So you can use the SCCM collection AAD group sync feature to create very complex Azure AD groups, and then use those groups to deploy modern policies and modern applications.

Prerequisites

The following prerequisites should be in place for SCCM Collection AAD Group sync to work.

  • SCCM Cloud Services configured correctly (Azure AD user/group sync)
  • Enable SCCM Collection Sync
  • The Device/machine should be Hybrid Azure AD joined (Domain Join + Azure AD Registered)
  • AAD Connection configured and enabled for Hybrid Azure AD Join scenario
  • The SCCM server should have an internet connection and connectivity to the URLs required for SCCM Collection Sync (Graph API and so on)

SCCM Collection AAD Group Sync – Hybrid Azure AD joined

NOTE! – I found that if your SCCM server is behind a NATed network, then the SCCM cloud services won’t work as expected.

Create Azure AD group

Go to Azure AD and create a new group for the SCCM collection sync. The membership type of this AAD group should be Assigned, which means it is a static Azure AD group.

The owner of the AAD group should be the service principal (server application) that you created from the SCCM console when you set up the cloud services and the Azure AD discovery feature.

SCCM Collection AAD Group Sync – Owner of Azure AD group

The owner is critical because that attribute is what gives SCCM access to the Azure AD group; otherwise SCCM won’t be able to add or remove devices from it. In other words, the owner is a service principal that lets the SCCM server edit the Azure AD group.

Create a New Collection

To test this feature, create a new device collection from Assets and Compliance. Once the collection is created, open the properties of that collection and click on the AAD group tab.

  • Once you are in the Azure Group Sync tab, you will see your tenant details and a search box.
  • In the search box, search for Azure AD groups.
  • Select the AAD group which you created for the collection sync.
  • Add the Azure AD group and click OK to continue.

SCCM Collection AAD Group Sync – Add Azure AD Group

Log File – SCCM Collection AAD Group Sync

SCCM should immediately start syncing this device into the Azure AD group we created above. You can validate this activity in the log file SMS_AZUREAD_DISCOVERY_AGENT.log:

Collection to AAD group sync worker starts.
Get group members for group: https://graph.microsoft.com/v1.0/groups/56f72f14-625a-4f7e-a299-8cbc200be430/members?$select=id&$top=500
Add device: c7b5bc39-ec90-44e8-9f83-3789317416bd to group 56f72f14-625a-4f7e-a299-8cbc200be430 in request 0
Sync successful, new Watermark: 2317
Collection to AAD group sync worker ends.
SCCM Collection AAD Group Sync – Log Snippet
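Reading the log by eye works for one device, but a sync run that ends without "Sync successful" or that adds nothing is easy to miss in a busy log. The script below is an added example (not code from the original post) that summarises each "Collection to AAD group sync worker" run in SMS_AZUREAD_DISCOVERY_AGENT.log: which group was touched, how many devices were added, the new watermark, and whether the run succeeded. It assumes the message text is what gets parsed (a CMTrace <![LOG[...]LOG]!> wrapper is stripped when present), that device and group identifiers are GUIDs as in the snippet above, and the "error or fail" match is a heuristic, not a documented log format. The sample lines are constructed from the snippet plus one failing run.

```powershell
# Added example, not code from the original post. Summarises each
# "Collection to AAD group sync worker" run in SMS_AZUREAD_DISCOVERY_AGENT.log.
# Assumptions: the message text is parsed (CMTrace wrapper stripped if present),
# IDs are GUIDs, and the error/fail match is a heuristic.

function Get-AadGroupSyncSummary {
    param(
        [Parameter(Mandatory)]
        [string[]]$LogLines
    )

    $guid    = '[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'
    $runs    = New-Object System.Collections.Generic.List[object]
    $current = $null

    foreach ($raw in $LogLines) {
        # CMTrace wraps the message as <![LOG[message]LOG]!>...; keep only the message.
        $line = if ($raw -match '<!\[LOG\[(.*?)\]LOG\]!>') { $Matches[1] } else { $raw }

        switch -Regex ($line) {
            'Collection to AAD group sync worker starts' {
                $current = [pscustomobject]@{
                    GroupId   = $null
                    Added     = New-Object System.Collections.Generic.List[string]
                    Succeeded = $false
                    Watermark = $null
                    Errors    = New-Object System.Collections.Generic.List[string]
                }
                break
            }
            "Get group members for group: .*/groups/($guid)/members" {
                if ($current) { $current.GroupId = $Matches[1] }
                break
            }
            "Add device: ($guid) to group ($guid)" {
                if ($current) { $current.Added.Add($Matches[1]) }
                break
            }
            'Sync successful, new Watermark: (\d+)' {
                if ($current) {
                    $current.Succeeded = $true
                    $current.Watermark = [int]$Matches[1]
                }
                break
            }
            'Collection to AAD group sync worker ends' {
                if ($current) { $runs.Add($current); $current = $null }
                break
            }
            '(?i)\b(error|fail)' {
                # Heuristic (assumption): surface anything that looks like a failure.
                if ($current) { $current.Errors.Add($line) }
                break
            }
        }
    }

    # A run that started but never logged "ends" is reported too, as not successful.
    if ($current) { $runs.Add($current) }
    return $runs
}

# Constructed sample: the snippet from the post, followed by a second run
# (constructed) that ends without "Sync successful".
$sample = @(
    'Collection to AAD group sync worker starts.'
    'Get group members for group: https://graph.microsoft.com/v1.0/groups/56f72f14-625a-4f7e-a299-8cbc200be430/members?$select=id&$top=500'
    'Add device: c7b5bc39-ec90-44e8-9f83-3789317416bd to group 56f72f14-625a-4f7e-a299-8cbc200be430 in request 0'
    'Sync successful, new Watermark: 2317'
    'Collection to AAD group sync worker ends.'
    'Collection to AAD group sync worker starts.'
    'Get group members for group: https://graph.microsoft.com/v1.0/groups/56f72f14-625a-4f7e-a299-8cbc200be430/members?$select=id&$top=500'
    'Failed to get group members (constructed sample line)'
    'Collection to AAD group sync worker ends.'
)

Get-AadGroupSyncSummary -LogLines $sample |
    Format-Table GroupId, Succeeded, Watermark,
        @{ Name = 'Added';  Expression = { $_.Added.Count } },
        @{ Name = 'Errors'; Expression = { $_.Errors -join '; ' } } -AutoSize

# Against the real log on the site server (default install path; adjust to yours):
# Get-AadGroupSyncSummary -LogLines (Get-Content 'C:\Program Files\Microsoft Configuration Manager\Logs\SMS_AZUREAD_DISCOVERY_AGENT.log')
```

The first run in the sample reports the group ID, one added device, watermark 2317 and Succeeded = True; the second reports Succeeded = False with the failing line listed under Errors. Feeding the real log through it after changing a collection's membership gives a quick yes/no on whether the sync actually ran and wrote members, which is the check the prerequisites above (group owner, hybrid join, connectivity) are ultimately validated by.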

9 thoughts on “SCCM Collection AAD Group Sync Setup Video Guide”

  1. Hi,

    I am trying to configure the collection sync feature but every time I go to the properties of a collection and select an AAD group to sync with, I am getting an error that says “There is no cloud service found for tenant that will allow collection member upload to AAD.”

    I see the Cloud Management settings in Azure Services and the Enable Azure Active Directory Group sync is checked. The pre-release feature is Enabled. The AAD User sync seems to be working fine and I don’t see any errors in the SMS_AZUREAD_DISCOVERY_AGENT log. Is there something I am missing to sync collection membership?

    Thanks

      • Yes – it appears the sync is successful. I am able to search for AAD groups in the SCCM console it just gives me that error about allowing collection member upload to AAD when I try to actually set one of the collections to sync with a group.

        • That is really strange. I don’t remember whether I have seen this error before or not. I hope your Windows 10 device is Hybrid Azure AD joined? We need to make sure of that, otherwise the sync won’t work.

          • Hi Christian, did you find a fix to this? I got the error as well initially, then I added another cloud management service in SCCM and after that I do not see any error, but no devices sync either.

          • Once I removed my tenant out of the Config Manager console and re-added it, the error went away but devices were not syncing. I opened a case with Microsoft and they found that the clients (at least for Hybrid AAD joined clients) need to have an approval status of 3 in order to sync. MS Support gave me 2 SQL queries to run to confirm what the current status is of a client:
            SELECT AADTenantID, AADDeviceID, Name0, SMS_Unique_Identifier0 FROM System_DISC WHERE Name0 = 'HOSTNAME'
            *Replace HOSTNAME with the hostname of a device that should be syncing, but is not.

            Then run:
            SELECT AADTenantID, AADDeviceID, ApprovalStatus, SMSID FROM ClientKeyData WHERE SMSID = 'DeviceGuid'
            *Replace DeviceGuid using the SMS_Unique_Identifier result from the above query.

            The ApprovalStatus from the 2nd query should be 3 for a Hybrid AAD joined client (not sure about Azure AD Joined only devices). If it is not, my issue was related to authentication. I configured a Cloud Management Gateway and then the intranet clients all started changing to approval status 3 and syncing into the AAD group over time. Setting up a CMG resolved the issue for me.

  2. I fixed the “No cloud service” error by deleting my tenant out of SCCM and re-creating it again. This required deleting Cloud Management and Desktop Analytics as well as the actual tenant. Then I needed to delete the Enterprise Apps and App Registrations created by ConfigMgr in Azure before setting everything up again. No more errors but now when I sync, only a few devices went into the AAD group. About 90% did not show up even though they are Hybrid Azure-AD Joined. Haven’t figured that out yet.
