Tenant Attach – Deployment

What is Tenant Attach (TA)

TA is simply connecting your ConfigMgr environment to the cloud (the Endpoint Manager admin center).  It gives ConfigMgr admins a web-based portal to execute specific tasks (run scripts, CMpivot, install applications, etc..) that they would normally only have access to in the ConfigMgr console.

Why Tenant Attach (TA):

Microsoft is customer-focused, so we are constantly developing features that will add value and provide a better overall customer experience. Since Microsoft Endpoint Configuration Manager is a brand that includes Configuration Manager, Intune, Desktop Analytics, Autopilot, and the other features in the device management admin console, it would be advantageous to manage all features from a single plain of glass.  Therefore, in addition to managing your co-management and Intune devices from the Endpoint Manager admin center, you can currently manage your ConfigMgr devices as well.

TA provides unified management from a convenient web-based console (the MEM admin center), giving admins access to client management insights without the need for a VPN connection to manage both ConfigMgr supported servers and workstations.

Requirements

To configure TA, the following are required.

• An account with global administrator rights for signing into your Tenant – This will recreate a registered app
• An Azure cloud environment – starting with 2107 Gov customers can use Tenant Attach
• Intune License to access the Microsoft Endpoint Manager admin center
• The account triggering the device actions needs to be synced to Azure AD (Azure Active Directory user discovery – CM)
  • The Initiate Configuration Manager action permission under Remote tasks in the Microsoft Endpoint Manager admin center (I will explain how to do this in a few).
• If CAS has a remote provider, add the provider and the CAS to the Configmgr_DviewAccess group on the SQL server of each primary site server (link to steps).

URLS:
Your devices will need access to the following URLs. If your environment is not configured for Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP), then you can disregard the CRL and OCSP URLs.

• Internet Endpoints
  • https://aka.ms/configmgrgateway
  • https://*.manage.microsoft.us
  • https://dc.services.visualstudio.com
• CRL and OCSP
  • http://crl3.digicert.com
  • http://crl4.digicert.com
  • http://ocsp.digicert.com
  • http://www.d-trust.net
  • http://root-c3-ca2-2009.ocsp.d-trust.net
  • http://crl.microsoft.com
  • http://oneocsp.microsoft.com
  • http://ocsp.msocsp.com
  • http://www.microsoft.com/pkiops

Tenant Attach Features

In the next post, we will demo the highlighted TA features in the image below followed by the Endpoint Security (EDR, AV policy, firewall policy and ASR) features in another post.

Enabling Tenant Attach

After meeting all the prerequisites, it is very easy to enable TA. TA does not require CMG or Co-management. To enable do the following:

• Open the ConfigMgr console and navigate to Administration > Overview > Cloud Services > Cloud Attach.
  
• If Co-Management is already enable as seen in the image above, open Co-Management properties, click on Configure upload, then check “Upload to Microsoft Endpoint Manager admin center“. Select Specific collection if you only want to upload a certain amount of devices. Note: All sub-collections of the specified collection will be synced as well.
  
• Sign in with the global admin account when prompted
  
• Select Yes to accept the application registration notification. This action provisions a service principal and creates an Azure AD application registration to facilitate the sync. Exit the Co-management properties when done.
  
• If Co-management is not enabled, go through the Co-management wizard and select Enable Microsoft Endpoint Manager admin center > Sign in as shown above then select the desired collection to upload or accept the recommended All devices. If you have a large enviroment, I would start by selecting a specific collection with a small amount of devices before uploading all devices.
  
• If desired, enable Endpoint analytics. The Timeline feature requires Endpoint Analytics.

Validate Tenant Attach Status

To confirm that TA was configured correctly, do the following.

• Enabling Tenant Attach will automatically register an application if you selected Yes to the prompt above. To validate the registration of the application, log into you Azure portal, select Azure Active Directory > App Registration > an application with a name that starts with “ConfigMgrSvcXXXXXXXXXXXX” should exist.
  
• Navigate to the Microsoft Endpoint admin center (https://endpoint.microsoft.com) and click on Tenant Administration > Connectors and Tokens > Microsoft Endpoint Configuration Manager. The status should be healthy as seen in the image below. You should see the name of your site and site code as well.
  
• Your ConfigMgr devices (both servers and workstations) should show up in the admin center as managed by ConfigMgr. In the image below, the four devices are TA. Win and Win1 are both TA and Co-managed.
  

Tenant Attach Logs

Use the following logs located on the service connection point:

• CMGatewaySyncUploadWorker.log (view device upload activity)
  • Upload occurs every 15 minutes for changes. Once changes are uploaded, it may take an additional 5 to 10 minutes for client changes to appear in Microsoft Endpoint Manager admin center
  • In the log search for “Next run time will be at approximately” or “Batching”
• CMGatewayNotificationWorker.log (remote actions)
  • View this log when an action is initiated from the Microsoft Endpoint Manager admin center
  • In the log search for “Validating device action message” & “Received new notification”
• GenericUploadWorker.log (sync issues – also CMGatewayNotificationWorker.log)
  • Report Tenant Attach configuration errors
  • In the log search for “The remote server returned an error: (400) Bad Request” or “[WebException]: Failed to upload data to” to view errors.

Use the following logs located on the management point:

• BgbServer.log (remote actions)
  • The notification for the remote action is sent from the management point to the client
  • In the log search for “Starting to send push task (PushID: 7 TaskID: 8″

Use the following logs located on the client:

• CcmNotificationAgent.log (remote actions)
  • That last step occurs on the client
  • In the log search for “Receive task from server with pushid=7, taskid=8″

That concludes enabling Tenant Attach. In the next post, we will sync the active directory accounts that are used to manage ConfigMgr to Azure AD. We will also add the required Intune permission to those identities and provide a pictorial demo of the Tenant Attach features.