If you haven’t seen the parent post for this article, jump back here to see a complete list of all new features in Configuration Manager 1906.
This post covers the specific additions and improvements to the cloud-attached management features that were added to Configuration Manager 1906.
Azure Active Directory User Group Discovery
Firstly, this one is a pre-release feature, so don’t be surprised if you find some subtle changes in forthcoming releases. Something many have wanted for a while: we can now discover Azure Active Directory user groups. As this is a pre-release feature, don’t forget to turn it on in the screen below.
To enable it, it’s not where you may expect it to be. Some people (including me) would expect to go to Discovery Methods, but this one is found under
Administration > Cloud Services > Azure Services > Service Properties > Discovery tab.
From here we need to enable the discovery type, go into Settings and add the relevant group or groups. Of course there is an authentication prompt to connect to Azure AD, and you can use the search feature (limited to “Starts with”) to narrow your groups down. It’s also worth noting that you can multi-select in this window, which is helpful.
Synchronize collection membership results to Azure Active Directory groups
Also, we now have an option to populate Azure AD groups based directly on the devices within a ConfigMgr collection. This isn’t an automatic sync, as you might hope or fear: we need to manually volunteer a collection to be synchronised into an existing AAD group. Before this, however, we need to turn on the AAD group discovery feature as described earlier in this post.
Once the feature is switched on, we need to enable it for use in the properties of the Azure Service noted earlier in this post.
Now that we have enabled this, we can select the collection of choice, where you will notice an “AAD Group Sync” tab. This allows us to match that collection up with a corresponding Azure AD group.
When you hit apply on the collection once you have added your AAD group, you will be prompted like so to authenticate against the AAD tenant…
This will then instigate an initial synchronisation with Azure AD. You can check progress in the SMS_AZUREAD_DISCOVERY_AGENT.log file, where you will notice that this is all done using Microsoft Graph requests. The synchronisation happens every 5 minutes and is outbound from ConfigMgr only.
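Since the post points you at SMS_AZUREAD_DISCOVERY_AGENT.log to check progress, here is an added example (not from the original post, and not Microsoft's code) of reading that log the way an admin would want to when monitoring the sync: it parses the CMTrace entry layout that ConfigMgr component logs use, pulls out the Graph calls, flags error-severity entries so a broken sync can be alerted on, and measures the gap between sync runs to confirm the 5-minute cadence. The sample log lines are constructed for illustration; the message wording, thread and file values and the collection ID PS100012 are assumptions, not text quoted from a real log.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# One CMTrace-format entry, the layout used by ConfigMgr component logs such as
# SMS_AZUREAD_DISCOVERY_AGENT.log. The type attribute is 1 = info, 2 = warning, 3 = error.
CMTRACE_RE = re.compile(
    r'<!\[LOG\[(?P<message>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)"\s+date="(?P<date>[^"]*)"\s+'
    r'component="(?P<component>[^"]*)"\s+context="[^"]*"\s+'
    r'type="(?P<type>\d)"\s+thread="(?P<thread>\d+)"\s+file="(?P<file>[^"]*)">',
    re.DOTALL,
)
SEVERITY = {"1": "INFO", "2": "WARNING", "3": "ERROR"}


@dataclass
class LogEntry:
    when: datetime
    component: str
    severity: str
    thread: str
    message: str


def parse_cmtrace(text):
    """Parse every CMTrace entry in `text` into LogEntry objects, in file order."""
    entries = []
    for m in CMTRACE_RE.finditer(text):
        # The time attribute looks like "10:05:00.123+000": a clock value followed
        # by a UTC offset in minutes; only the clock part is needed here.
        clock = re.match(r"(\d{2}:\d{2}:\d{2}\.\d+)", m.group("time")).group(1)
        when = datetime.strptime(f'{m.group("date")} {clock}', "%m-%d-%Y %H:%M:%S.%f")
        entries.append(LogEntry(when, m.group("component"),
                                SEVERITY.get(m.group("type"), "UNKNOWN"),
                                m.group("thread"), m.group("message")))
    return entries


def graph_requests(entries):
    """Entries that record a Microsoft Graph call, which is how the sync is performed."""
    return [e for e in entries if "graph.microsoft.com" in e.message.lower()]


def sync_errors(entries):
    """Error-severity entries: the ones worth alerting on when the sync stops working."""
    return [e for e in entries if e.severity == "ERROR"]


def sync_intervals_minutes(entries, marker="Starting collection to AAD group sync"):
    """Minutes between consecutive sync starts; expect roughly 5 once the feature is running.
    The marker text is an assumption about how a sync start is logged."""
    starts = [e.when for e in entries if e.message.startswith(marker)]
    return [round((b - a).total_seconds() / 60, 1) for a, b in zip(starts, starts[1:])]


# Constructed sample lines in CMTrace layout. Message texts, thread/file values and the
# collection ID are invented for illustration, not copied from a real log.
SAMPLE_LOG = "\n".join([
    '<![LOG[Starting collection to AAD group sync for collection PS100012]LOG]!>'
    '<time="10:05:00.123+000" date="07-29-2019" component="SMS_AZUREAD_DISCOVERY_AGENT" '
    'context="" type="1" thread="4120" file="aadcollsync.cpp:101">',
    '<![LOG[POST https://graph.microsoft.com/v1.0/groups/<group-id>/members/$ref]LOG]!>'
    '<time="10:05:01.456+000" date="07-29-2019" component="SMS_AZUREAD_DISCOVERY_AGENT" '
    'context="" type="1" thread="4120" file="aadcollsync.cpp:212">',
    '<![LOG[Starting collection to AAD group sync for collection PS100012]LOG]!>'
    '<time="10:10:00.321+000" date="07-29-2019" component="SMS_AZUREAD_DISCOVERY_AGENT" '
    'context="" type="1" thread="4120" file="aadcollsync.cpp:101">',
    '<![LOG[Graph request failed with HTTP 403: insufficient privileges to add member]LOG]!>'
    '<time="10:10:01.654+000" date="07-29-2019" component="SMS_AZUREAD_DISCOVERY_AGENT" '
    'context="" type="3" thread="4120" file="aadcollsync.cpp:230">',
])


if __name__ == "__main__":
    parsed = parse_cmtrace(SAMPLE_LOG)
    print(f"{len(parsed)} entries, {len(graph_requests(parsed))} Graph call(s), "
          f"{len(sync_errors(parsed))} error(s), intervals: {sync_intervals_minutes(parsed)}")
    for e in sync_errors(parsed):
        print(f"{e.when} [{e.severity}] {e.message}")
```

To use it against a real server, read the log file into `parse_cmtrace` instead of `SAMPLE_LOG`; because the sync is outbound-only and runs on a fixed schedule, a run of error entries or an interval well above 5 minutes is the signal that the AAD group is not being kept in step with the collection.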
More info on this specifically can be found on this link – https://docs.microsoft.com/en-us/sccm/core/clients/manage/collections/create-collections#bkmk_aadcollsync