Connecting Configuration Manager 1706 to OMS

This post follows on from a speaking session I did with Sam Erskine recently at Experts Live Europe in Berlin. A great event, by the way, if you ever get the chance to attend. In that session I demonstrated how to perform all the necessary pre-reqs and connect your Configuration Manager into an OMS subscription. The premise of our session was specifically working with patching via OMS, but I will cover more of that in a later post as it’s quite a hot topic for me at the moment. I should say now that all of this can also be done via PowerShell; however, this guide will take you through the GUI steps as I believe it helps you understand what you are doing. Obviously feel free to read this and then run the PowerShell from Tao Yang (based on CM 1606): https://blog.tyang.org/2016/08/06/configmgr-oms-connector/

Why?

Well a couple of whys here really.

Why am I writing this when this has been around a little while now? – Because in true Microsoft style, they like to keep us on our toes: some things have changed and moved around, and a guide based on 1606 won’t be quite the same as this one based on 1706.

In earlier posts you may also notice that you had to use the Azure ASM portal (the old one!) but nowadays you can use just the ARM portal.

Why would I want to connect my OMS to my SCCM? – Because rather than being competing technologies, I believe they are complementary products, and OMS can provide some great facilities for update assessment and reporting as well as giving another option for monitoring and update deployment. Working for a managed services provider, I very often find that one solution does not meet all customers’ environments, so it’s good to have different options available to make a solution.

What do I need?

So, to do this you will need:

  • Microsoft System Center Configuration Manager Current Branch v1706 (also available 1606 onwards) with a service connection point set to ‘Online’ mode.
  • Microsoft Azure Subscription (consumer or US government)
  • An Azure Active Directory (Basic will do)
  • Microsoft Operations Management Suite workspace (free tier is adequate)
  • About 20 minutes to set up the connection and then you’ll need to leave it for some hours (I will try to clarify this time) to do the initial synchronise and assessment.

How?

In quick summary we are going to:

  • Create an Azure App registration
  • Set the appropriate permissions
  • Gather the relevant information
  • Make the connection in SCCM
  • Install the OMS agent
  • Tell OMS to import computers from SCCM

As per the session with Sam, for the slides we used DBS (demo by screenshot) so these are those screenshots.

1. Log into your Azure portal at https://portal.azure.com and open your Azure Active Directory

OMSAzure1

2. Select “App registrations”

OMSAzure2

3. Create a new application registration.

OMSAzure3

4. Give the app registration a name. This can be anything you like, but I’d suggest something meaningful; make a note of it for later. Leave it as a Web app and finally input a sign-on URL. This can also be anything and is not significant, but it should not clash with your existing app registrations. The app registration will be used purely to grant permissions for SCCM into the OMS workspace. Click Create.

OMSAzure4

5. Select your app registration from the list

OMSAzure5

6. Select “Keys”

OMSAzure6

7. We’re now going to create a key for the app registration. Consider this as a password: you only get one chance to note this key value when it is shown. If you miss it you will need to create a new key.

Enter a meaningful name into the Description field and choose a duration in the Expires field; the default is 1 year. Based on what you select, make a note of the expiry date, i.e. current date + 1 year.

OMSAzure7

8. Now hit the Save button and you will be presented with the key value. Remember you only get to see this once so copy this somewhere as you will need it later.

OMSAzure8

9. Now back in your Azure portal find “Log Analytics”

OMSAzure9

10. If you don’t already have an OMS workspace, you will need to create one. It’s simple, free and takes a couple of minutes. Use this as a guide – https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-get-started

Once you have your OMS workspace, you will need to make a note of the resource group that it lives in. Keep this noted for later.

OMSAzure10

11. Again in your Azure portal browse to Resource groups.

OMSAzure10a

12. Find that Resource group you just noted for your OMS workspace and select it.

OMSAzure10b

13. Select “Access control (IAM)”

OMSAzure10c

14. Now click “Add”.

Ensure the role is selected as “Contributor” (**very important**)

In the select field add the name of the App registration you created and select it, it should move to “Selected members”.

Hit Save.

OMSAzure10d

So from an Azure perspective at least, you’re done. The next job is to connect your Configuration Manager 1706 into OMS.

15. In your Configuration Manager 1706 console, browse to the Administration workspace > Cloud Services > Azure Services > Configure Azure Services. This can be done either from a right click menu or from the ribbon.

OMSSCCM1

16. Enter an appropriate name for your OMS Connector, give it a meaningful description and select OMS Connector from the radio buttons. Hit Next.

OMSSCCM2

17. Select your appropriate Azure environment. Note that if you are using the US government cloud then there are some extra configuration steps required. These are detailed here – https://docs.microsoft.com/en-us/sccm/core/clients/manage/sync-data-microsoft-operations-management-suite#fairfaxconfig

I, like most, am using Azure Public Cloud. Hit Next.

OMSSCCM3

18. Here you need to supply all the relevant information about your Azure AD and App registration for SCCM to make the connection. Be careful and make sure you have the correct information in the correct place. This process is different in older versions (pre-1706) of Configuration Manager.

Azure AD Tenant Name = your domain name in Azure AD

Azure AD Tenant ID = Azure portal > Azure Active Directory > Properties > Directory ID

Application Name = The App registration name

Client ID = Azure Portal > Azure Active Directory > App registrations > your OMS App reg > Application ID

Secret Key = The App registration key value you noted in step 8

Secret Key Expiry = The expiry date you calculated in step 7

App ID URI = Azure Portal > Azure Active Directory > App registrations > your OMS App reg > Properties > App ID URI (the end value is sufficient)

OMSSCCM4

19. Once you’ve filled in all the info correctly, hit the verify button and you should hopefully see “Successfully verified”. Hit OK.

OMSSCCM5

20. Confirm your Azure environment and Web app are correct then hit Next.

OMSSCCM6

21. Ensure you have the correct Azure subscription selected along with the correct Resource group. If these drop-down boxes are empty then there’s a good chance you have the permissions wrong in the earlier steps. I’ve seen this when the permissions have been set on the App registration as opposed to the Resource group.

image001

22. You will need to now select a collection to synchronise with OMS. I suggest you make a separate collection(s) for this and do not use a high level collection such as All Systems. Hit Next.

image002

23. Review the summary information and hit Next.

image003

24. Wait for the green tick, hit close, whoop and cheer at your awesomeness. Almost there.

image004

So with all that done there are two last things to do to get OMS to start seeing your SCCM collection.

25. We need to install the OMS agent on the Configuration Manager server at a minimum. There are other scenarios for this but I’ll cover this in a later post. The OMS agent must be installed on the Configuration Manager server that contains the Service Connection point and again this must be in the Online mode.

If by chance you already have the SCOM agent installed on this server then you can use this and add the OMS workspace ID in through the Microsoft Monitoring Agent applet in Control Panel. The SCOM and OMS agents are almost identical. See here – https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents

If you don’t already have this then you will need to install the OMS agent onto the appropriate server. I’ll spare you the screenshots as if you’re doing this then you are capable of following the short wizard. Download the 64 bit OMS agent from the OMS portal and note the workspace ID and Primary key to supply in the install.

You can find this in your OMS portal under Settings.

OMSGroups1

Now browse through Connected Sources > Windows Servers.

OMSConnectedSource1

26. Now for the final steps. Tell OMS to Import Configuration Manager collection memberships.

In your OMS portal go to Settings.

OMSGroups1

27. Browse through Computer Groups > SCCM. Put a tick in the box to import collection memberships.

OMSGroups2

That’s it, you’re done! You will need to wait 12 hours for your OMS portal to bring in the computers before you can start to use them. I can’t put my hand on the exact timing right now but I will go find it and loop back to confirm this.
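To check the Azure side of steps 7 to 14 from PowerShell, for instance when the drop-down boxes in step 21 come up empty, the following added example (not from the original post or from Tao Yang's script) confirms that the app registration holds Contributor on the workspace's resource group and reports when its key expires. It assumes the Az PowerShell module (Az.Resources 5.0 or later) and a signed-in session; the app registration and resource group names are placeholders.

```powershell
# Added example, not part of the original post.
# Assumes: Az.Accounts and Az.Resources 5.0+ are installed and Connect-AzAccount has been run.
$AppName       = 'SCCM-OMS-Connector'  # placeholder: app registration name (step 4)
$ResourceGroup = 'rg-oms-workspace'    # placeholder: workspace resource group (step 10)
$WarnDays      = 30                    # warn when a key expires within this many days

# Resolve the app registration and the service principal that role assignments attach to.
$app = @(Get-AzADApplication -DisplayName $AppName)
if ($app.Count -ne 1) {
    throw "Expected one app registration named '$AppName', found $($app.Count)."
}
$sp = Get-AzADServicePrincipal -ApplicationId $app[0].AppId
if (-not $sp) { throw "App '$AppName' has no service principal in this tenant." }

# Step 14: the role is granted on the resource group, not on the app registration itself.
$assignments = @(Get-AzRoleAssignment -ObjectId $sp.Id -ResourceGroupName $ResourceGroup)
if ($assignments.RoleDefinitionName -notcontains 'Contributor') {
    Write-Warning "'$AppName' has no Contributor assignment effective on '$ResourceGroup'."
}
# List every role the app holds here, with the scope each one was granted at.
$assignments | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize

# Steps 7-8: the key behaves like a password with an expiry date.
$now  = (Get-Date).ToUniversalTime()
$keys = @(Get-AzADAppCredential -ApplicationId $app[0].AppId)
if ($keys.Count -eq 0) { Write-Warning "'$AppName' has no keys." }
foreach ($key in $keys) {
    $daysLeft = [math]::Floor(($key.EndDateTime.ToUniversalTime() - $now).TotalDays)
    if ($daysLeft -lt 0) {
        Write-Warning "Key $($key.KeyId) expired $(-$daysLeft) day(s) ago."
    } elseif ($daysLeft -le $WarnDays) {
        Write-Warning "Key $($key.KeyId) expires in $daysLeft day(s)."
    } else {
        Write-Output "Key $($key.KeyId) is valid for another $daysLeft day(s)."
    }
}
```

The Scope column shows where each role was granted, so an assignment made somewhere other than the workspace's resource group stands out.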

I suspect that there will be more use cases for this going forward and I hope to bring more information on that as and when these become available. Watch this space!

/Peter

3 thoughts on “Connecting Configuration Manager 1706 to OMS”

  1. Hi Peter, thanks for this great blog post. I had this all running on ConfigMgr 1702, but since we upgraded to 1706, the connection is broken and I no longer get collections imported into OMS. The whole app registration works fine and is verified, but it just doesn’t feed data to OMS. Would you have a hint as to where to look (log) files to find the issue? I looked at the mpdownloader.log files, where I find info about the upgrade analytics, nothing about the OMS connector. Thanks

    • Hi Alex. Short answer is I’m not sure. Logging in this is not great at the moment. I also had an issue on 1610 (I think?) where it simply did nothing for a week or so and suddenly started to work. I do see some references to OMS in the dmpdownloader.log but these are more for upgrade analytics not necessarily the connector.
      As it happens, I am presenting on this on Monday and David James will be there so I will make a note to highlight this to him. I’ll let you know if I get any confirmation.
