Configuration Manager Blog

Cloud Attach Your Future - Part I - ConfigMgr to AzureAD Groups

Danny_Guillory
May 28, 2020

From the title, you may be wondering what the heck does Configuration Manager have to do with Azure Active Directory (AD) groups. Well, get ready for another lesson.


As a Configuration Manager admin or an IT Manager, you may be wondering, “Why should I care about Azure AD groups? I have collections, and collections are way better than Azure AD groups.” Azure AD groups become more important when you start to have conversations that include cloud context and dialogue. As you transition workloads to the cloud, Azure AD groups are how Endpoint Manager targets users and devices. So, it’s a concept you should get familiar with if you aren’t already. Azure AD groups are robust and have many different capabilities, including letting you maintain or delegate access to cloud-based resources and cloud-integrated resources. You may even consider using Azure AD groups to grant permissions to on-premises resources. Finally, Azure AD gives you the ability to simplify licensing by using group-based licensing. I could give more examples, but we should move on to the real value of this post.


Getting your collections (device-based or user-based) to the cloud should be exciting for any Configuration Manager administrator because of the capabilities this opens up. One ability is that you can create very detailed grouping in the form of collections. For a Configuration Manager administrator, this is huge as the conversation about pushing towards cloud management gets louder, especially in today’s current state. Given the ongoing work-from-home situation, imagine a scenario where after leaping into cloud, you now need to deliver an application, device configuration, or software update. Those comprehensive collections from Configuration Manager would come in handy, wouldn’t they? Here comes the power of Azure AD Groups to facilitate the targeting and assignment.


Let’s get started getting some device collections synced up with Azure AD groups. The first step forward, provided you have Configuration Manager, is to enable collection synchronization, which is what we are going to do together. Navigate to Administration > Overview > Cloud Services > Azure Services. Once you get there, right-click on the cloud management item and select Properties. Check the Enable Azure Active Directory Group Sync checkbox on the Collection Synchronization tab as shown in the image below.

Attached is a PowerShell script that will act as the “easy button” to take care of the mundane task of creating Azure AD groups that have the same name as your collections. The script reads your device collections from Configuration Manager and stores the collection details in an array. It then uses that array to create Azure AD groups based on the .name property. In the video below, you can see the process in action. Using the script, I created several Azure AD groups with the same name as my collections.

To recap the script’s functionality, it

  1. Gets collections from Configuration Manager
  2. Stores collection names as an array
  3. Connects to Azure AD
  4. Loops through the array to create Azure AD groups with the same name as the Configuration Manager collections
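The four steps above, written out as an added example; this is not the script attached to the original post. It assumes the Configuration Manager console (for the ConfigurationManager module) and the AzureAD PowerShell module are installed, that the site code is passed in, and that the signed-in account may create groups. It skips collections whose group already exists (Azure AD allows duplicate display names, so checking first matters) and escapes apostrophes in collection names so they cannot break the OData filter.

```powershell
# Added example: create one Azure AD security group per ConfigMgr device collection.
# Not the script from the original post; assumes the console and AzureAD modules are present.
param(
    [Parameter(Mandatory)] [string] $SiteCode,    # e.g. 'PS1' (placeholder site code)
    [string] $CollectionNameFilter = '*',         # restrict to a naming prefix if wanted
    [switch] $ReportOnly                          # list what would be created, create nothing
)

# Load the ConfigMgr cmdlets from the console install and switch to the site drive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Push-Location "$($SiteCode):"
try {
    # Steps 1-2: read the device collections and keep only their names in an array.
    $collectionNames = @(Get-CMDeviceCollection |
        Where-Object { $_.Name -like $CollectionNameFilter } |
        Select-Object -ExpandProperty Name)
}
finally { Pop-Location }

# Step 3: interactive sign-in (MFA-capable); no credentials are stored in the script.
Connect-AzureAD | Out-Null

# Step 4: loop over the array and create a group with the same name as each collection.
foreach ($name in $collectionNames) {
    # Double any apostrophe so a collection name cannot alter the OData filter.
    $safeName = $name -replace "'", "''"
    $existing = Get-AzureADGroup -Filter "DisplayName eq '$safeName'"
    if ($existing) {
        Write-Host "Skipping '$name': group already exists ($($existing.ObjectId))"
        continue
    }
    if ($ReportOnly) { Write-Host "Would create group '$name'"; continue }

    # MailNickName is mandatory even for non-mail groups: derive a short alias from the name.
    $alias = $name -replace '[^A-Za-z0-9]', ''
    if (-not $alias) { $alias = 'cmcollection' }
    $alias = $alias.Substring(0, [Math]::Min(64, $alias.Length))

    $group = New-AzureADGroup -DisplayName $name `
        -Description "Synchronized from ConfigMgr collection '$name'" `
        -SecurityEnabled $true -MailEnabled $false -MailNickName $alias
    Write-Host "Created group '$name' ($($group.ObjectId))"
}
```

Run it once with -ReportOnly to confirm the list of collections before creating anything, and keep the group description so the CollectionsAADGroupSyncWorker.log entries can be traced back to their source collection.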

The last step is to manually go to the properties of each collection in Configuration Manager and assign the Azure AD group you want it to synchronize with. As usual, it wouldn’t be Configuration Manager without a log to look at. If you’re looking for the log that corresponds to the synchronization details, look for CollectionsAADGroupSyncWorker.log in the logs folder on the primary site server. Keeping the Configuration Manager collection names aligned with the Azure AD group names removes confusion and makes cloud-enabled workflows a little easier to adopt. So, now you don’t have to guess which collection a group is synchronizing with. You just know, because you kept the naming standard between both tools.


Now that I have Configuration Manager collections as Azure AD groups, more possibilities come to mind, and now the fun begins. Throughout this post, I’ve assumed you’ve made it past the enablement of work from home functionality, like setting up Co-management and a Cloud Management Gateway. In part two, I’ll address group policy and device configuration.


In closing, as I work with customers daily in this time of, this is one of the first steps for customers that have Configuration Manager. It initially seems like such a small step, but don’t overlook the value of this option. The more you lean on cloud management with Endpoint Manager, the more these comprehensive collections from Configuration Manager become relevant and can smooth out that transition to cloud management. “Slow is smooth, and Smooth is Fast”


We’ve discussed why this is important and how to get started with an “easy button” script with minimal manual steps. In the next part of the series, I’ll break down a method to the madness of getting another weight off your VPN: Group Policy!


Official docs: https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_aadcollsync 

Thanks,

Danny Guillory Jr - Senior Program Manager

DannyGu@microsoft.com

@sccmavenger

Updated Sep 24, 2020
Version 3.0
  • ToddMote (Brass Contributor):

    This was a great find for me. We are heavily federated, to the point that each college/school/unit (CSU) wants to "run their own SCCM without running their own server." Essentially I'm a "cloud" service provider kind of like Microsoft, in that I run the infrastructure for constituents and provide them a "slice" of CM via RBAC. I RBAC CM for each CSU by on-prem OU, Libraries, Engineering, Fine Arts, etc., etc., and moving to Intune was going to be a challenge because it's flat and there really was no concept of the OU in AzAD. But syncing the top-level collections I create in SCCM to AzAD groups and then using those to achieve the same result is fantastic. Our only issue now is that every CSU sees all of the CM devices for the whole university in the Intune portal with no real good way to filter out the ones they can't affect. Can't wait for RBAC in Intune to catch up, or to get a filter for devices. Federation is a huge deal here, so I'd say that's the #1 thing we almost can't wait for: RBAC consistency between CM, EM and ATP. Thanks for all the work so far, it's been amazing!