From the title, you may be wondering what the heck does Configuration Manager have to do with Azure Active Directory (AD) groups. Well, get ready for another lesson.
As a Configuration Manager admin or an IT Manager, you may be wondering, “Why I should care about Azure AD groups? I have collections and collections are way better than Azure AD groups.” Azure AD groups become more important when you start to have conversations that include cloud context and dialogue. As you transition workloads to the cloud, Azure AD Groups are how Endpoint Manager targets users and devices. So, it’s a concept you should get familiar with if you aren’t already. Azure AD groups are robust and have many different capabilities, including letting you maintain or delegate access to cloud-based resources and cloud integrated resources. You may consider even using Azure AD groups to give permissions to on-premises resources. Finally, Azure AD gives you the ability to simplify licensing by using group-based licensing. I could give more examples, but we should move on to the real value of this post.
Getting your collections (device-based or user-based) to the cloud should be exciting for any Configuration Manager administrator because of the capabilities this opens up. One ability is that you can create very detailed grouping in the form of collections. For a Configuration Manager administrator, this is huge as the conversation about pushing towards cloud management gets louder, especially in today’s current state. Given the ongoing work-from-home situation, imagine a scenario where after leaping into cloud, you now need to deliver an application, device configuration, or software update. Those comprehensive collections from Configuration Manager would come in handy, wouldn’t they? Here comes the power of Azure AD Groups to facilitate the targeting and assignment.
Let’s get started getting some device collections synced up with Azure AD groups. The first step forward, provided you have Configuration Manager, is to enable collection synchronization, which is what we are going to do together. Navigate to Administration > Overview > Cloud Services > Azure Services. Once you get there, right-click on the cloud management item and select Properties. Check the Enable Azure Active Directory Group Sync checkbox on the Collection Synchronization tab as shown in the image below.
Attached is a PowerShell script that will act as the “easy button” to take care of the mundane task of creating Azure AD groups that have the same name as your collections. The script reads your device collections from Configuration Manager and stores the collection details in an array. It then uses that array to create Azure AD groups based on the .name property. In the video below, you can see the process in action. Using the script, I created several Azure AD groups with the same name as my collections.
To recap the script’s functionality, it
The last step is to manually go to the properties of the collections in Configuration Manager and assign the Azure AD Group you want it to synchronize with. As usual, it wouldn’t be Configuration Manager without a log to look at. If you’re looking for the log that corresponds to the synchronization details, look for CollectionsAADGroupSyncWorker.log in the logs folder on the primary site server. Keeping the Configuration Manager collection names aligned with the Azure AD names removes confusion and keeps workflows enabled by the cloud a little easier to adopt. So, now you don’t have to guess what collection a group is synchronizing with. You just know because you kept the naming standard between both tools.
Now that I have Configuration Manager collections as Azure AD groups, more possibilities come to mind, and now the fun begins. Throughout this post, I’ve assumed you’ve made it past the enablement of work from home functionality, like setting up Co-management and a Cloud Management Gateway. In part two, I’ll address group policy and device configuration.
In closing, as I work with customers daily in this time of, this is one of the first steps for customers that have Configuration Manager. It initially seems like such a small step, but don’t overlook the value of this option. The more you lean on cloud management with Endpoint Manager, the more these comprehensive collections from Configuration Manager become relevant and can smooth out that transition to cloud management. “Slow is smooth, and Smooth is Fast”
We’ve discussed why this is important and how to get started with an “easy button” script with minimal manual steps. In the next part of the series, I’ll break down a method to the madness of getting another weight off your VPN:Group Policy!
Official docs: https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_aad...
Thanks,
Danny Guillory Jr - Senior Program Manager
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.