Skip to content

Troubleshooting: Endpoint Configuration Manager Device Collection Membership Synchronization


Device collection membership Synchronization to Azure AD security groups (aka Azure AD Group sync) is introduced since 1906 and offers a multitude of new management options. Meanwhile a lot has been written and resulted in some great blog posts by various community peers like Nickolaj Andersen, Nick Hogarth as well as by Microsoft Docs.

What these resources have in common is they all describe how to enable and configure Azure AD group sync. In this blog post I’ll go in to more details what’s behind the scenes, how device collection synchronization works and what actions you can take in the event of troubleshooting is desired.

Background

As mentioned synchronizing device collection membership to Azure AD security groups is useful in various scenarios. Microsoft Endpoint Configuration Manager (MECM) simply offers way more options as Azure AD Dynamics Group membership by default does.

Reason to investigate was a customer case where Azure AD Group sync didn’t work. Cloud management seemed to be properly configured in the first place, where co-managed devices were registered successfully in Azure AD. With some research I came across a blog post of my community fellow Nickolaj Andersen which provided me some pointers to determine why device collection membership were not synchronized.

“Device memberships will not synchronize to an Azure AD group if a certain value with the Azure AD tenant ID (also known as the Directory ID) is populated on the device in the ClientKeyData table. “

Retrieving AAD discovery settings from database„. 
2/23/2020 PM 
AAD USER delta sync initialized for tenant ,dOC4ec9.bc4b-4721-82df.cd3a2e134a09, with server 2/23/2020 PM 
STATMSG: 11801 SEV=I LEV-M SOURCE: "SMS Server" 2/23/2020 PM 
Making Graph request 2/23/2020 4:20:34 PM 
AAD USER delta sync completed successfulYy at 4:20:35 PM. 
2/23/2020 PM 
STATMSG: 11802 SEV-I LEV-M SOURCE- "SMS Server" COMP: 2.123/2020 4:2E5 PM 
Next DELTA USER sync for cloud service 16777217 will start at 02/23/202016:25:35. 
2/23/2020 PM 
33616 (00350) 
33616 (018350) 
33616 (00350) 
33616 
33616 (00350) 
33616 (00350) 
33616 (00350)
No device objects are populated and therefore not being added to an Azure AD group.

Azure AD Group Sync flow in a nutshell

Flow of how device collection membership synchronization to Azure AD groups works.
  1. The Endpoint Configuration Manager administrator imports or creates the client and server apps in Azure AD.
  2. Endpoint Configuration Manager Azure AD user discovery method runs. The site uses the Azure AD server app token to query Microsoft Graph for user objects.
  3. The site stores data about the user objects. For more information, see Azure AD User Discovery.
  4. The Endpoint Configuration Manager client requests the Azure AD user- or device token. The client makes the claim using the application ID of the Azure AD client app, and the server app as the audience. For more information, see Claims in Azure AD Security Tokens.
  5. Clients will register their Azure AD information to the Endpoint Configuration Manager server using Azure AD token authentication.
  6. When the AADTenantID information is populated in dbo.ClientKeyData table, device collection membership(s) are synced to Azure AD security groups.

Troubleshooting

Now we’ve a better understanding how Azure AD Group sync works, we’ll continue with troubleshooting attempt. When Azure AD Group sync isn’t working as expected please double check the following areas:

Validate Cloud Management setup

Make sure you on-board the Azure AD tenant to allow Endpoint Configuration Manager (client/server) to use Azure AD authentication in the first place.

A “ to 丨 y n 1 n 
Tenant Name 
lnSpark Labs 
Applications 
Application N 
Tenant 
〔 D004EC9- 4 4 1 20 : … 
lnSpark Labs 08d M ” ~ , 
T 1 ” t … 
16777m 
15 一 97r 一 4dfb 孓 31k …
Make sure your Azure AD tenant is successfully registered in Endpoint Configuration Manager.

select convert(xml, settings), * from sites where ISNULL(reporttosite, N”) = N”

To confirm if the tenant is added for the client, can you run this query on your site database.

The first column xml should be like this,

Only after the tenant is on boarded successfully, clients will register their Azure AD information to the Endpoint Configuration Manager server using Azure AD token authentication.

This information will end up at the dbo.ClientKeyData table. When the AADTenantID information isn’t populated in dbo.ClientKeyData table, device collection membership(s) are not synchronized to Azure AD security groups.

S MS _Lhq»e _Idertf•erO 
A.ADTenantlD 
GUID49973499&04acOb490E7SSS9424829 NULL
When the AADTenant ID isn’t populated in dbo.ClientKeyData table, device memberships are not synced.

The Azure AD information in dbo.System_Disc table comes from the client heartbeat discovery. Although only heart-beats from registered clients are accepted by Endpoint Configuration Manager server, there is no proper Azure AD authentication flow for that route so any registered client can say whatever Azure AD device ID it has.

That’s why the Azure AD info from dbo.System_Disc is not trusted. For the Azure AD groups sync, only trusted data is used. That’s why Azure AD tenant on-boarding for client management is a prerequisite for Azure AD Group sync.

Validate devices are (Hybrid) Azure AD registered

For those that are supposed to register but didn’t, likely will need to get the client logs to see what went wrong. Besides dsregcmd.exe /status consult ClientIDManagerStartup and ADALOperationProvider* log files on the client side.

Another common failure is fail to get Azure AD token because of Multi-Factor Authentication (MFA) is enabled. Windows 10 RS3 (1709) and below devices don’t support Azure AD device token. The user token of the logged on user even for the machine scenarios is required. If MFA is required, and the user didn’t login using PIN, failure can happen as well.

Windows 10 RS3 (1709) and below devices don’t support Azure AD device token and therefore an user token is used.
Starting from Windows 10 RS4 (1803) and higher devices use device token which is way more stable to use Azure AD token authentication.

select count(*) from clientkeydata where isnull(isrevoked, 0) = 0 and agenttype=0 and (AADDeviceID is not null)

Use the query below to check if devices that were able to Azure AD register.

Validate SSL communication

One important requirement, which is part of Cloud Management configuration is Enhanced HTTP (E-HTTP) which is fairly hidden but which proved to be the key success to let Azure AD Group sync work as expected. Azure AD-joined and Hybrid Azure AD-joined clients can communicate with a management point (MP) via HTTP for device-centric scenarios, but requires E-HTTP or HTTPS to enable user-centric scenarios.

一 イ 5P0 「 ・ P ュ ョ 0 安 5 、 0 Prop き 
〔 当 0 は M ミ 象 On ロ 良 、 5 、 め ar は 印 & 立 宝 5 洋 eW 当 w “ 
・ 、 “ 受 ー 0 、 dPK 一 , & ・ “ 賃 、 6 象 0 一 “ “ 賃 キ 0 6 0 一 0 名 第 を 
5 一 0 当 、 象 01 ョ h を TTPor 工 TTPS ) 、 0 血 ミ ・ 第 慕 - To に 慕 工 TTPS& 
幻 0 当 点 当 量 を を 
◎ エ コ psor エ コ P 
0 江 コ PS 9 
X
On the site properties Communication Security tab, you configure the site system settings to HTTPS or HTTP, and you enable the option to Use Configuration Manager-generated certificates for HTTP site systems (aka Enhanced HTTP).

Next step is to configure your Management Point for both HTTP and HTTPS communication. On your Management Point, checks CCM_STS, MP_Registration and ClientAuth logs whether communication based on Azure AD token authentication is successful.

Management Insights

Technical Preview 2002.2 release includes additional management insight rules to help you configure your site for adding secure HTTPS communication:

  • Sites that don’t have proper HTTPS configuration: This rule lists sites in your hierarchy that are not properly configured for HTTPS. This configuration prevents the site from synchronizing collection membership results to Azure Active Directory (Azure AD) groups. It may cause Azure AD sync to not upload all devices. Management of these clients may not function properly.
  • Devices not uploaded to Azure AD: This rule lists devices that aren’t uploaded to Azure AD because the site isn’t properly configured for HTTPS.
Additional management rules to help you configure your site for adding secure HTTPS communication.

For either rule, configure Enhanced HTTP, or enable at least one management point for HTTPS. These rules will not appear if you have previously configured the site for HTTPS communication.

Lovely when a plan comes together

By enabling Enhanced HTTP on our primary site device collection membership got synced to Azure AD Groups.

0 “ on A40 group sync wo 「 k , 茂 
G 9r0 叩 n n 、 b , forgro : h p / 9 「 h , n 、 i “ 0 , Oft.con 、 八 , 1 」 0 / 9r0 叩 , / b b - f , " -41 - , If , - b : , 9B7 b7 而 , , 1b , ? “ & op : 58 
R " d eo “ Dh p / / gr , ph • n , 0 , 0 0 " 、 , 1 」 0 / devic “ , deviceldeq ' 4f6 424- d 473- B22 , -48d 55 & “ 
0 , 0b 亅 “ 6 , , b13 巧 , 3C -47d4- gd - , 2dd 
Add device 0 “ 0 6 , , b13 - 5e3c -47d4- gd - 4 2dd3c for device 4f6 424- 艿 -4724- B22 , - d 558e3 cache 
Add d 6 , , bl 巧 , 3C -47d4- gd - , 8d2dd 0 叩 b 昍 b - f , " -41dd - , If , - b : , 7 b7 request 0 
Syncsuccessful,newWatermark90048 
Collection to A40 group sync wo ends. 
R " “ , AADdi ov ~ n f 「 on 、 d ab , … 
AADUSERd , , nc , edfor tc 〕 “ 9- b b -4721 一 82 -c , 2 3 , w , en , “ pb , 5 孓 9737 一 4 b 孓 31 2 
STATMSG:lD=11801SEV=lLEV=MSOURCE="SMSSen.•er"COMP="%1SAZUREADDlSCOVERYAGENT"SYS=E4W-CFGE4GR01.lNSPARKLABS.DEE40SlTE=S01Plm 
Making Graph request https://graph•mcr0S0ft.com/v1•O/users/delta?Sdeltatoker= 
AAD USER delta sync completed su u PM. 
」 73uy … 
STATMSG:lD:11802SEV=lLEV:MSOURCE="SMSServer"COMP:"SMSAZUREAD_DlSCOVERY_AGENT"SYS=MW-CFGMGR01.lNSPARKLABS.DEPv-10SlTE2S01Plm 
N tDELTAUSER n : fo 「 cloud ric ~ 167r217 0 / 20202d3 : 5 
2 2020 40PM 
2 2020 3 40PM 
23 / 2020 3 40PM 
2 / 23 / 2020 3 41PM 
2 2020 41PM 
2 2020 3 41PM 
23 / 2020 3 41 PM 
2 2020 3 41PM 
/ 2020 & 3 52PM 
2 2020 52PM 
2 2020 & 52PM 
2 / 2 2020 52PM 
2 2020 & PM 
2 / 2 2020 53PM 
23 / 2020 & PM 
SMS-AZUREAD-DISCOVERY-AGENT 1322 ( CC) 
一 I-JR 0 一 D | 0 RY 一 AG T 1322 ( 3 C) 
SMS_AZUREAD_DISCOVERY_AGENT 1322 ( CC) 
一 'JR 0 一 D | 0 RY 一 AG T 1322 ( 〕 0 
一 A I-JR 0 一 D | 0 RY G T 1322 ( CC) 
SW_AZUREAD_DISCOVERY_AGENT 1322 ( 〕 3u0 
一 A I-JR 0 一 D | 0 RY G T 1322 ( CC) 
一 AZUR 0 一 D | 0 Ry 一 A NT 1322 ( 〕 3u0 
%•IS_AZUREAD_DISCOVERY_AGENT 1322 ( CC) 
一 'JR 0 一 D | 0 RY 一 AG T 1322 ( 〕 0 
一 之 UR 0 一 D | 0 RYA NT 1322 ( CC) 
一 AZUR DD | 0 Ry 一 A NT 1322 ( 〕 3u0 
一 'JR 0 一 D | 0 RY G T 1322 ( CC) 
一 AZUR DD | 0 Ry 一 A NT 1322 ( 〕 3u0 
一 UR 0 一 D | 0 RY G 1322 ( CC)
Device collection membership information is synced where devices shows up in the according Azure AD security groups.

Part on the cloud-attach strategy to empower your Endpoint Configuration Manager hierarchy, Azure AD Web App- (Web app / API/aka server app) and Azure AD Native App (Native/aka client app) services are used to integrate with Azure services to authenticate communications and perform actions in Azure AD.

The web app configured as part of the Cloud Management configuration should be assigned as Owners of the Azure AD Security group(s) which will be filled with devices based on the linked collection(s). Use the Audit logs to determine whether the web app has assigned the correct permissions to perform device adds- or deletions.

Using Audit logs to track changes to the Azure AD Group(s) which are being synced.

Good to know

  • The Azure AD synchronization happens every five minutes.
  • It’s a one-way process, from Configuration Manager to Azure AD. Changes made in Azure AD aren’t reflected in Endpoint Configuration Manager collections, but aren’t overwritten by Configuration Manager.
  • Only devices with an Azure Active Directory record are reflected in the Azure AD Group sync.
  • Both Hybrid Azure AD Joined and Azure Active Director joined devices are supported.

An overview of Endpoint Configuration Manager features which support or require enhanced HTTP can be found here. Based on my experience Azure AD Group sync should be added to this list as well.

Conclusion

HTTPS is mandatory for Azure AD Group sync as Azure AD token authentication requires SSL. That means Management Point’s have to be either HTTPS using PKI, or Enhanced HTTP using the Endpoint Configuration Manager generated certificates.

Note: Special thanks to Vincent Huang (Microsoft) for sharing valuable insights!

Sources

3 thoughts on “Troubleshooting: Endpoint Configuration Manager Device Collection Membership Synchronization Leave a comment

  1. Thank you Ronny, Great insights on CloudSync feature in ConfigMgr. Do you know how long will it take for a collection that has CloudSync enabled to replicate machines in AAD group that we had configured for this Sync. In my case it took months to sync complete list of machines from a collection to AAD Group. Please share your experience.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: