Tech Community Live: Endpoint Manager edition
Jul 21 2022, 08:00 AM - 12:00 PM (PDT)

Azure AD User ID Dependencies for Tenant Attach

%3CLINGO-SUB%20id%3D%22lingo-sub-3320267%22%20slang%3D%22en-US%22%3EAzure%20AD%20User%20ID%20Dependencies%20for%20Tenant%20Attach%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3320267%22%20slang%3D%22en-US%22%3E%3CDIV%20class%3D%22%22%3EI%20was%20wondering%20about%26nbsp%3B%3CSPAN%20class%3D%22%22%3ETenant%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3EAttach%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%2B%20Azure%20AD%20User%20ID%20Dependencies.%20What%20would%20be%20the%20Azure%20AD%20User%20ID%20Dependencies%20for%20Tenant%20Attach%3F%3C%2FDIV%3E%3CDIV%3E%3CDIV%3E%3CDIV%3E%3CDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3EI%20know%20from%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fconfigmgr%2Ftenant-attach%2Fprerequisites%23permissions%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E2103%20onwards%3C%2FA%3E%2C%20the%20Azure%20AD%20user%20discovery%20dependency%26nbsp%3Bis%20removed%20for%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3ETenant%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3EAttach%3C%2FSPAN%3E.%20We%20%22just%22%20need%20to%20enable%20AD%20User%20Discovery%20to%20make%26nbsp%3B%3CSPAN%20class%3D%22%22%3ETenant%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3EAttach%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Ework.%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3ELet's%20have%20a%20quick%20go%20through%20of%20very%20specific%20requirements%20that%20we%20have%20interms%20of%20user%20IDs%20or%20user%20discovery%20records%20such%20as%3A%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3COL%3E%3CLI%3E-%20AD%20Domain%2C%20from%20where%20users%20are%20discovered%20via%20SCCM%20AD%20Discovery%2C%20must%20have%20AAD%20Connect%20configured%20to%20sync%20identities%20to%20the%20Azure%20AD%20(to%20satisfy%20hybrid%20identity%20requirement)%3C%2FLI%3E%3CLI%3E-%20The%20user%20UPN%20must%20be%20the%20same%20in%20both%20AAD%20and%20AD.%3C%2FLI%3E%3CLI%3E-%20The%20user%20must%26nbsp%3Bbe%20part%20of%20the%20same%20AAD%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3Etenant%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3Eattached%20to%20Intune%3C%2FSPAN%3E.%3C%2FLI%3E%3CLI%3E-%20The%20AAD%20User%20ID%20column%20must%20be%20populated%20with%20the%20correct%20value%20in%20the%20User_DISC%20table%3F%3C%2FLI%3E%3C%2FOL%3E%3CDIV%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22AnoopCNair_0-1651733387884.png%22%20style%3D%22width%3A%20827px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F369380iCE0CB8C23817628A%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22AnoopCNair_0-1651733387884.png%22%20alt%3D%22AnoopCNair_0-1651733387884.png%22%20%2F%3E%3C%2FSPAN%3E%3CP%3E%26nbsp%3BPic%20credits%20to%20Microsoft%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3EI%20know%20the%20user%20identities%26nbsp%3Bmust%20be%20synced%20with%20Azure%20AD%20is%20the%20main%20requirement%20(that%20is%20the%20same%26nbsp%3Bfor%20Exchange%20Online%20as%20well).%20But%20I%20thought%20there%20is%20a%20difference%20between%20the%20exchange%20online%20hybrid%20identity%20requirement%20and%20the%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3Etenant%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3Eattach%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Ehybrid%20identify%20requirement.%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3ESo%20you%20can%20enable%20tenant%20attach%20with%20just%20a%20click%20of%20a%20button%20if%20you%20have%20a%20well-organized%20single%20AD%20forest%2Fdomain.%20However%2C%20if%20you%20have%20a%20very%20complex%20AD%20structure%2C%20it%20will%20take%20time%20to%20implement%20the%20SCCM%20tenant%20attach.%20It%20might%20even%20not%20be%20possible%20for%20some%20organizations%20to%20implement%20tenant%20attach.%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%3CSTRONG%3ENOTE%3C%2FSTRONG%3E!%20-%20These%20are%20not%20because%20of%20Configuration%20Manager-related%20issues%20or%20limitations%20but%20because%20more%20user%20ID%20and%20AAD%20connect%20sync%20setup%20for%20complex%20organizations.%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3EI%20learned%20a%20bit%20hard%20way%20during%20the%20%3CA%20href%3D%22https%3A%2F%2Fwww.anoopcnair.com%2Fbuild-tenant-attach-sccm-configmgr-intune%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3ETenant%20Attach%20step%20by%20step%20guide%3C%2FA%3E%2C%20%3CA%20href%3D%22https%3A%2F%2Fwww.anoopcnair.com%2Fsccm-tenant-attach-background-process-walkthrough-via-logs%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Etroubleshooting%3C%2FA%3E%20and%20checking%20out%20%3CA%20href%3D%22https%3A%2F%2Fwww.anoopcnair.com%2Fsccm-logs-files-list-of-configmgr-log-files%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3ESCCM%20logs%3C%2FA%3E%20file%20way.%20I%20have%20checked%20the%20newest%20%3CA%20href%3D%22https%3A%2F%2Fwww.anoopcnair.com%2Fsccm-2203-upgrade-guide-top-5-best-new-features%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3ESCCM%202203%3C%2FA%3E%20%3CA%20href%3D%22https%3A%2F%2Fwww.anoopcnair.com%2Fkb13953025-first-hotfix-for-sccm-2203-released%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EKB13953025%3C%2FA%3E%20as%20well%20and%20no%20clarification%20on%20this%20point.%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%3CA%20href%3D%22https%3A%2F%2Fwww.anoopcnair.com%2Fsccm-co-management-intune-sccm%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3ECo-Management%3C%2FA%3E%20is%20different%20from%20Tenant%20attach.%20Co-management%20is%20server-side%20%3CA%20href%3D%22https%3A%2F%2Fwww.anoopcnair.com%2Fsccm-co-management-configuration-8%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Eworkload%20shift%3C%2FA%3E%26nbsp%3B(workload%20%3CA%20href%3D%22https%3A%2F%2Fhowtomanagedevices.com%2Fintune%2F5318%2Fintune-co-management-workloads-report%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ereport%3C%2FA%3E%20from%20MEM%20%3CA%20href%3D%22https%3A%2F%2Fwww.anoopcnair.com%2Ffree-intune-training-device-management-admins%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EIntune%3C%2FA%3E%20portal)%20such%20as%20%3CA%20href%3D%22https%3A%2F%2Fwww.anoopcnair.com%2Fsccm-application-supported-deployment-types%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EApplications%3C%2FA%3E%2C%20WSUS%20based%20on%20%3CA%20href%3D%22https%3A%2F%2Fwww.anoopcnair.com%2Fintune-vs-sccm-and-wsus-vs-wufb-patching-method%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3ESoftware%20Updates%20to%20WUfB%3C%2FA%3E%2C%20%3CA%20href%3D%22https%3A%2F%2Fwww.anoopcnair.com%2Fhow-create-sccm-configuration-items-baselines%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EConfiguration%20Items%3C%2FA%3E%20(%3CA%20href%3D%22https%3A%2F%2Fwww.anoopcnair.com%2Fdevice-configuration-workload-switch-configmgr%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Edevice%20configs%3C%2FA%3E)%2C%20%3CA%20href%3D%22https%3A%2F%2Fwww.anoopcnair.com%2Fsccm-deploy-office-365-proplus-microsoft-365-ap%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EOffice%20Click%20to%20Run%3C%2FA%3E%2C%20etc.%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3EI%20have%20seen%20a%20query%20how%20can%20I%20track%20who%20changed%20this%20setting%20in%20SCCM%3F%20%3CA%20href%3D%22https%3A%2F%2Fwww.anoopcnair.com%2Ftrack-deleted-modified-changed-sccm-settings%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EAudit%20messages%3C%2FA%3E%20can%20be%20looked%20at%20to%20find%20out%20the%20details.%20You%20can%20also%20look%20into%20the%20%3CA%20href%3D%22https%3A%2F%2Fwww.anoopcnair.com%2F43-sccm-status-message-queries-ts-engine-status%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ecustom%20status%20message%3C%2FA%3E%20query%20creation%20process%20to%20find%20more%20details%20on%20who%20%3CA%20href%3D%22https%3A%2F%2Fwww.anoopcnair.com%2Fconfigmgr-who-modified-sccm-collection-deleted%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Edeleted%20the%20collection%3C%2FA%3E%2C%20%3CA%20href%3D%22https%3A%2F%2Fwww.anoopcnair.com%2Fwho-deleted-application-from-sccm-audit-reports%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Eapplications%3C%2FA%3E%2C%20who%20ran%20the%20%3CA%20href%3D%22https%3A%2F%2Fwww.anoopcnair.com%2Fsccm-audit-reports-who-initiated-cmpivot-query-configmgr%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3ECMPivot%20query%3C%2FA%3E%2C%20Deleted%20TS%2C%20etc.%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%3CA%20href%3D%22https%3A%2F%2Fwww.anoopcnair.com%2Fsccm-management-insights-3%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EProactive%26nbsp%3Bmaintenance%3C%2FA%3E%20using%20Management%20Insights%20is%20another%20good%20way%20to%20keep%20SCCM%20Infra%20healthy.%20An%20extended%20%3CA%20href%3D%22https%3A%2F%2Fwww.anoopcnair.com%2Fsccm-server-infrastructure-monitoring-without%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3ESCCM%20Infra%20Monitoring%20script%3C%2FA%3E%20(community%20solution)%20can%20also%20be%20used.%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3EYou%20can%20remove%20the%20SCCM%20%3CA%20href%3D%22https%3A%2F%2Fwww.anoopcnair.com%2Finstall-a-new-sccm-management-point-roles%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EMPs%3C%2FA%3E%2C%20%3CA%20href%3D%22https%3A%2F%2Fwww.anoopcnair.com%2Fsccm-install-new-distribution-point-role%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EDPs%3C%2FA%3E%2C%20and%20%3CA%20href%3D%22https%3A%2F%2Fwww.anoopcnair.com%2Finstall-configmgr-software-update-point-role%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3ESUPs%3C%2FA%3E%20in%20branch%20offices%20with%20the%20Cloud%20Management%20Gateway%20(%3CA%20href%3D%22https%3A%2F%2Fwww.anoopcnair.com%2Fsccm-cmg-cloud-management-gateway%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3ECMG%3C%2FA%3E)%20server%20implementations.%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-3320267%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EGeneral%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Occasional Contributor
I was wondering about Tenant Attach + Azure AD User ID Dependencies. What would be the Azure AD User ID Dependencies for Tenant Attach?
 
I know from 2103 onwards, the Azure AD user discovery dependency is removed for Tenant Attach. We "just" need to enable AD User Discovery to make Tenant Attach work. 
 
Let's have a quick go through of very specific requirements that we have interms of user IDs or user discovery records such as:
 
  1. - AD Domain, from where users are discovered via SCCM AD Discovery, must have AAD Connect configured to sync identities to the Azure AD (to satisfy hybrid identity requirement)
  2. - The user UPN must be the same in both AAD and AD.
  3. - The user must be part of the same AAD tenant attached to Intune.
  4. - The AAD User ID column must be populated with the correct value in the User_DISC table?
AnoopCNair_0-1651733387884.png

 Pic credits to Microsoft

 

 
I know the user identities must be synced with Azure AD is the main requirement (that is the same for Exchange Online as well). But I thought there is a difference between the exchange online hybrid identity requirement and the tenant attach hybrid identify requirement. 
 
So you can enable tenant attach with just a click of a button if you have a well-organized single AD forest/domain. However, if you have a very complex AD structure, it will take time to implement the SCCM tenant attach. It might even not be possible for some organizations to implement tenant attach.
 
NOTE! - These are not because of Configuration Manager-related issues or limitations but because more user ID and AAD connect sync setup for complex organizations.
 
I learned a bit hard way during the Tenant Attach step by step guide, troubleshooting and checking out SCCM logs file way. I have checked the newest SCCM 2203 KB13953025 as well and no clarification on this point.
 
Co-Management is different from Tenant attach. Co-management is server-side workload shift (workload report from MEM Intune portal) such as Applications, WSUS based on Software Updates to WUfB, Configuration Items (device configs), Office Click to Run, etc.
 
I have seen a query how can I track who changed this setting in SCCM? Audit messages can be looked at to find out the details. You can also look into the custom status message query creation process to find more details on who deleted the collection, applications, who ran the CMPivot query, Deleted TS, etc.
 
Proactive maintenance using Management Insights is another good way to keep SCCM Infra healthy. An extended SCCM Infra Monitoring script (community solution) can also be used.
 
You can remove the SCCM MPs, DPs, and SUPs in branch offices with the Cloud Management Gateway (CMG) server implementations.
 
0 Replies