Hi, my name is Taj Mohammed, I am a PFE working in the US, primarily with SCCM. This is a continuation of my other blog, titled Importing Apps to set up Cloud Management Gateway for Configuration Manager. In this blog, we will be looking at the AAD Device Token Authentication pre-requisites.
Why do we need AAD Device token to work?
If we want the devices to be managed when no user is logged in.
How do we know if Device token is not working?
Windows\CCM\Logs\ADALOperationProvider.log is a good place to confirm. The following is a common error we see when there is an issue; it usually follows the "Getting AAD (device) token" entry, as seen below.
Getting AAD (device) token with: ClientId = e234afc5-70f6-44fc-9063-f42ddf30c954, ResourceUrl = https://ConfigMgrCMG, AccountId = https://login.microsoftonline.com/common/oauth2/token ADALOperationProvider
IWebAuthenticationCoreManagerStatics4 not available. Falling back to user token. ADALOperationProvider BlockOnCompletionAndGetResults(spWebAccountProviderOperation.Get(), &spProvider), HRESULT=800703f0 (..\Token.cpp,531) ADALOperationProvider
Failed to get AAD token..
An attempt was made to reference a token that does not exist. (Error: 800703F0; Source: Windows) ADALOperationProvider
CcmGetAADTokenFromWAM( sClientId.c_str(), sResourceUri.c_str(), sAccountId.c_str(), bForDevice, sToken, sAADUserId ), HRESULT=800703f0 (..\CcmToken.cpp,2293) ADALOperationProvider
Failed to get AAD token for 'S-1-5-18' from WAM API. Error 0x800703f0 ADALOperationProvider
Following are the pre-requisites for AAD Device Token to work.
- SCCM 1806 or higher
- Devices must be running Windows 10 version 1803 or higher and be Hybrid AAD joined.
- Server/Web App must be enabled for Device Token
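The first two pre-requisites can be checked on the client itself. The following is an added example (not from the original post) that reports the Windows 10 release, the Hybrid AAD join state from dsregcmd /status and the ConfigMgr client version. It assumes the ConfigMgr client is installed (so the root\ccm WMI namespace exists) and that dsregcmd.exe is available; the 5.00.8692 build used as the threshold for the 1806 client is my own assumption and not a value from the post.

```powershell
# Added example, not from the original post: check the client-side prerequisites
# on a Windows 10 device. Assumptions: the ConfigMgr client is installed (root\ccm
# WMI namespace present) and dsregcmd.exe is available (it ships with Windows 10).
# The 5.00.8692 threshold used for the 1806 client build is my own assumption,
# not a value from the post; adjust it to your records.

function Test-CmgDeviceTokenPrereqs {
    # Windows 10 release: ReleaseId reads 1803 for the April 2018 Update; later
    # releases carry a higher value.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $releaseId = [int]$cv.ReleaseId

    # Hybrid Azure AD joined means DomainJoined and AzureAdJoined both read YES
    # in the output of dsregcmd /status.
    $dsreg = & dsregcmd.exe /status
    $domainJoined  = [bool]($dsreg -match '^\s*DomainJoined\s*:\s*YES')
    $azureAdJoined = [bool]($dsreg -match '^\s*AzureAdJoined\s*:\s*YES')

    # ConfigMgr client version from the local client's WMI class.
    $clientVersion = [version](Get-CimInstance -Namespace root\ccm -ClassName SMS_Client).ClientVersion
    $clientOk = $clientVersion -ge [version]'5.00.8692'   # assumed 1806 client build

    [pscustomobject]@{
        ReleaseId       = $releaseId
        ReleaseIdOk     = ($releaseId -ge 1803)
        HybridAadJoined = ($domainJoined -and $azureAdJoined)
        ClientVersion   = $clientVersion
        ClientVersionOk = $clientOk
        AllPrereqsMet   = ($releaseId -ge 1803) -and $domainJoined -and $azureAdJoined -and $clientOk
    }
}

Test-CmgDeviceTokenPrereqs
```

Run it in an elevated PowerShell on the client; if HybridAadJoined is false, the device token cannot work regardless of the App settings, so fix the join state before looking at the Server App.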
The first two are straightforward. How can we make sure the Server/Web App is enabled for Device token?
If you let SCCM create and register the Apps (Server/Web and Client/Native) automatically from the SCCM console, the Server App is most likely configured correctly. If you registered the Apps manually in Azure and imported them into SCCM, you have to patch/update the App by running "Update Application Settings".
The update may fail with "Failed to update settings for the application. For more information, see SMSAdminUI.log", with the following error in SmsAdminUI.log, if you are running a version of SCCM earlier than 1810 HFRU2.
Microsoft.ConfigurationManagement.ManagementProvider.SmsException
Failed to update settings for the application. For more information, see SmsAdminUI.log.
   at Microsoft.ConfigurationManagement.AdminConsole.CloudServicesManagement.AAD.AADUtilities.RefreshAppSettings(Object sender, ScopeNode scopeNode, ActionDescription action, IResultObject selectedResultObject, PropertyDataUpdated dataUpdatedDelegate, Status status)
One or more errors occurred.
System.AggregateException
One or more errors occurred.
   at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   at System.Threading.Tasks.Task`1.get_Result()
   at Microsoft.ConfigurationManagement.AdminConsole.CloudServicesManagement.AAD.AADDataHandler.AssignAndGrantPermissionOnServerApplication()
   at Microsoft.ConfigurationManagement.AdminConsole.CloudServicesManagement.AAD.AADUtilities.RefreshAppSettings(Object sender, ScopeNode scopeNode, ActionDescription action, IResultObject selectedResultObject, PropertyDataUpdated dataUpdatedDelegate, Status status)
System.ArgumentNullException
Value cannot be null.
Parameter name: type
The above issue is fixed in 1810 HFRU2.
If you are unable to upgrade to 1810 HFRU2 or higher to resolve the update issue but still want to enable Device Token Authentication, or you just want to confirm whether the device token is enabled on the Server/Web App, you can use Azure Graph Explorer (http://aka.ms/ge) to query the App properties and also make modifications.
Go to http://aka.ms/ge and Sign in with Global Admin credentials.
Azure Graph Explorer won't let you query or change App properties by default. Select "modify permissions" and grant the Directory.AccessAsUser.All permission to the signed-in user; this grants access to query and modify App properties.
Grant Graph Explorer access to the directory as you.
Select "retrieve the list of applications" from the list of queries under Applications (beta) to see the registered Apps. You can click into the "Response Preview" area and press Ctrl+F to search for the Server App you are interested in, which is handy when there are many Apps. The property we are interested in is isDeviceOnlyAuthSupported. If it is "null", as you see below, Device Token is not enabled.
Looking at the output closely, we see two IDs here, id and appId. The one we need for the update query is id (the object id), not appId.
{
"id": "dfd44c17-459a-451e-8f4a-c635a497a1ea",
"deletedDateTime": null,
"isFallbackPublicClient": null,
"appId": "5df94352-894e-4ee6-9219-df787ba6e578",
"applicationTemplateId": null,
"identifierUris": [
],
Select "update application properties" from the list of queries on the left and you will see a new query formed, which lets you insert the id in place of the curly brackets.
Under Request Body, enter the property we are going to patch as shown below, and make sure the request method is set to PATCH.
{
"isDeviceOnlyAuthSupported": "true"
}
You will see Success - Status Code 204 if the changes were successful.
Run retrieve application properties query again to confirm the changes.
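The same GET, PATCH and confirming GET sequence can be scripted against Microsoft Graph instead of clicked through in Graph Explorer, which is useful when you manage several sites. The following is an added example (not from the original post or the product). It assumes you already hold a bearer token for https://graph.microsoft.com with rights to read and update application objects (for instance obtained interactively as a Global Admin with the permission the post grants) and that you know the Server App's appId; the function names are mine.

```powershell
# Added example, not from the original post: check and, if needed, enable
# isDeviceOnlyAuthSupported on the CMG server app through Microsoft Graph,
# the same GET / PATCH / GET sequence the post performs in Graph Explorer.
# Assumptions (not from the page): $AccessToken is a bearer token for
# https://graph.microsoft.com that can read and update application objects,
# and $AppId is the app's "appId" value (not the object "id").

function Get-CmgServerApp {
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        [Parameter(Mandatory)] [string] $AppId
    )
    $headers = @{ Authorization = "Bearer $AccessToken" }
    # The beta applications endpoint is what Graph Explorer's "Applications (beta)" queries use.
    $uri = "https://graph.microsoft.com/beta/applications?`$filter=appId eq '$AppId'"
    $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    $found = @($resp.value)
    if ($found.Count -ne 1) {
        throw "Expected exactly one application with appId $AppId, found $($found.Count)."
    }
    return $found[0]
}

function Enable-CmgDeviceToken {
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        [Parameter(Mandatory)] [string] $AppId
    )
    $app = Get-CmgServerApp -AccessToken $AccessToken -AppId $AppId
    Write-Host ("{0}: id={1} isDeviceOnlyAuthSupported={2}" -f $app.displayName, $app.id, $app.isDeviceOnlyAuthSupported)

    # null (or false) means the device token is not enabled on the server app.
    if ($app.isDeviceOnlyAuthSupported -eq $true) {
        Write-Host 'Device token already enabled; nothing to do.'
        return $app
    }

    # PATCH uses the object "id" in the URL, matching the {id} placeholder in Graph Explorer.
    # The property is a Boolean in Graph, so send a JSON true rather than the string "true".
    $body    = @{ isDeviceOnlyAuthSupported = $true } | ConvertTo-Json
    $headers = @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' }
    # A successful PATCH returns HTTP 204 with an empty body.
    Invoke-RestMethod -Method Patch -Uri "https://graph.microsoft.com/beta/applications/$($app.id)" -Headers $headers -Body $body | Out-Null

    # Re-read the application to confirm the change, as the post does with a second GET.
    $after = Get-CmgServerApp -AccessToken $AccessToken -AppId $AppId
    if ($after.isDeviceOnlyAuthSupported -ne $true) {
        throw "PATCH returned but isDeviceOnlyAuthSupported is still '$($after.isDeviceOnlyAuthSupported)'."
    }
    Write-Host "isDeviceOnlyAuthSupported is now true for $($after.displayName)."
    return $after
}

# Usage (placeholders, replace with your own values):
# $token = '<access token for https://graph.microsoft.com>'
# Enable-CmgDeviceToken -AccessToken $token -AppId '<appId of the CMG server app>'
```

Because the function reads the property back after the PATCH, a run that ends without an error is a confirmed change rather than just a 204 from the service.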
How do we know AAD Device token is working after making the above changes?
Check Windows\CCM\Logs\ADALOperationProvider.log. If the "Getting AAD (device) token" entry is not followed by an error, as shown below, it is working.
Getting AAD (device) token with: ClientId = 387b3bc8-de92-48f2-980f-c196a9669e5e, ResourceUrl = https://CMGConfigMgrService, AccountId = https://login.microsoftonline.com/common/oauth2/token ADALOperationProvider
Getting AAD (user) token with: ClientId = 387b3bc8-de92-48f2-980f-c196a9669e5e, ResourceUrl = https://CMGConfigMgrService, AccountId = https://login.microsoftonline.com/common/oauth2/token ADALOperationProvider
Getting AAD (user) token with: ClientId = 387b3bc8-de92-48f2-980f-c196a9669e5e, ResourceUrl = https://CMGConfigMgrService, AccountId = https://login.microsoftonline.com/common/oauth2/token ADALOperationProvider
Once the device token works, the client sends a request through the CMG to the internal Management Point to obtain a CCM token. The client must obtain a CCM token successfully before it can access internal resources. CCM_STS.log on the Management Point enabled for CMG traffic is a good place to confirm that the CCM token was issued.
ProcessRequest - Start CCM_STS
Validated AAD token. TokenType: Device TenantId: b02d4d89-e6d5-4b3d-b072-3457aa833ec4 UserId: 00000000-0000-0000-0000-000000000000 DeviceId: db94ed37-c03c-4d44-8d0a-97cac0187e6f OnPrem_UserSid: OnPrem_DeviceSid: CCM_STS
TokenType is Device, use UDA for now CCM_STS
Created SCCM token CCM_STS
Issued SCCM token CCM_STS
Return token to client, token type: UDA, hierarchyId: 3a25dd9f-b871-4b26-87c0-81ab03a43375, userId: 00000000-0000-0000-0000-000000000000, deviceId: GUID:8AAE207C-880C-45C5-BC3A-16919E85F6F2 CCM_STS Elapsed time: 743 ms CCM_STS
If you have just updated the Device token property and are seeing a 401 error in CCM_STS.log, give it some time to catch up.
ProcessRequest - Start CCM_STS
Return code: 401, Description: No bearer token found in request, No bearer token found in request CCM_STS
Elapsed time: 1 ms CCM_STS
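The two log checks described above (the device-token attempt in ADALOperationProvider.log on the client, and the token validation and issuance in CCM_STS.log on the Management Point) can be automated so that a fleet of clients can be triaged without reading each log by hand. The following is an added example, not from the original post; the function names are mine, and the sample lines at the bottom are constructed in the form shown in the post rather than taken from a real system.

```powershell
# Added example, not from the original post: triage ADALOperationProvider.log
# on the client and CCM_STS.log on the Management Point for the signals the
# post describes. Matching is by substring on the message text, so it works on
# raw .log files (Get-Content) as well as on CMTrace-rendered lines.

function Test-AadDeviceToken {
    # Reports whether every "Getting AAD (device) token" attempt completed
    # without a "Failed to get AAD token" / "Falling back to user token" line.
    param([Parameter(Mandatory)] [string[]] $AdalLogLines)
    $attempts = 0; $failures = 0; $inDeviceAttempt = $false
    foreach ($line in $AdalLogLines) {
        if ($line -match 'Getting AAD \(device\) token') {
            $attempts++; $inDeviceAttempt = $true; continue
        }
        if ($line -match 'Getting AAD \(user\) token') {
            # A user-token request closes the device attempt's window.
            $inDeviceAttempt = $false; continue
        }
        if ($inDeviceAttempt -and ($line -match 'Failed to get AAD token|Falling back to user token')) {
            $failures++; $inDeviceAttempt = $false
        }
    }
    [pscustomobject]@{
        DeviceTokenAttempts = $attempts
        DeviceTokenFailures = $failures
        DeviceTokenWorking  = ($attempts -gt 0 -and $failures -eq 0)
    }
}

function Test-CcmStsToken {
    # Counts device-token validations, issued CCM tokens and 401 responses.
    param([Parameter(Mandatory)] [string[]] $StsLogLines)
    $validated = 0; $issued = 0; $unauthorized = 0
    foreach ($line in $StsLogLines) {
        if     ($line -match 'Validated AAD token\. TokenType: Device') { $validated++ }
        elseif ($line -match 'Issued SCCM token')                        { $issued++ }
        elseif ($line -match 'Return code: 401')                         { $unauthorized++ }
    }
    [pscustomobject]@{
        DeviceTokensValidated = $validated
        CcmTokensIssued       = $issued
        Unauthorized401       = $unauthorized
        CcmTokenWorking       = ($validated -gt 0 -and $issued -gt 0)
    }
}

# Constructed sample lines in the form shown in the post (placeholder GUIDs, not real log data).
$adalFailing = @(
    'Getting AAD (device) token with: ClientId = 00000000-0000-0000-0000-000000000001, ResourceUrl = https://ConfigMgrCMG ADALOperationProvider',
    'IWebAuthenticationCoreManagerStatics4 not available. Falling back to user token. ADALOperationProvider',
    'Failed to get AAD token.. ADALOperationProvider',
    "Failed to get AAD token for 'S-1-5-18' from WAM API. Error 0x800703f0 ADALOperationProvider"
)
$adalWorking = @(
    'Getting AAD (device) token with: ClientId = 00000000-0000-0000-0000-000000000001, ResourceUrl = https://ConfigMgrCMG ADALOperationProvider',
    'Getting AAD (user) token with: ClientId = 00000000-0000-0000-0000-000000000001, ResourceUrl = https://ConfigMgrCMG ADALOperationProvider'
)
$sts = @(
    'ProcessRequest - Start CCM_STS',
    'Validated AAD token. TokenType: Device TenantId: 00000000-0000-0000-0000-000000000002 CCM_STS',
    'TokenType is Device, use UDA for now CCM_STS',
    'Issued SCCM token CCM_STS',
    'ProcessRequest - Start CCM_STS',
    'Return code: 401, Description: No bearer token found in request CCM_STS'
)

Test-AadDeviceToken -AdalLogLines $adalFailing
Test-AadDeviceToken -AdalLogLines $adalWorking
Test-CcmStsToken    -StsLogLines  $sts
# On a real client: Test-AadDeviceToken -AdalLogLines (Get-Content "$env:windir\CCM\Logs\ADALOperationProvider.log")
```

With the constructed input, the failing sample reports DeviceTokenWorking as False and the working sample as True, and the CCM_STS sample shows one device token validated and issued alongside one 401, which matches the "give it some time" situation described above rather than a broken configuration.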
Once CCM_STS.log indicates that the CCM token was retrieved successfully, check CCMMessaging.log on the client, and add the "Device Online From Internet" and "Device Online Management Point" columns to the Devices view in the console to confirm successful communication with the CMG.
Thank you,
Taj Mohammed