Syncing Device Collections to Azure AD

SCCM 1906 introduced a new pre-release feature that lets you sync the membership of a device collection to an Azure AD group. A perfect scenario for this is when you have multiple pilot collections for co-management: you can now sync those collections to Azure AD groups and use them for targeting within Intune.

The first step is to enable the pre-release feature if you haven't already done so.

[Screenshot]

In order to use this feature you must have already configured Azure services for Cloud Management and turned on Azure AD User Discovery. I am not going to go through that process in this blog post, but you can find more information here: https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/azure-services-wizard

Once Cloud Management is configured in Azure Services and you have turned on Azure AD User Discovery, you can go to the properties of Cloud Management and, on the Collection Synchronization tab, tick the box for "Enable Azure Active Directory Group Sync".

[Screenshot]

The next step is to create an empty group in Azure AD with the following settings:

  1. Group type: Security
  2. Name the group
  3. Set a description (optional)
  4. Membership type: Assigned
  5. Owner: set this to the admin account that will create the relationship in SCCM
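The same group can be created from PowerShell with the AzureAD module, which also gives you a way to verify the settings before wiring the group up in ConfigMgr. This is an added example, not code from the original post; the group name, description and owner UPN are placeholders, and it assumes the AzureAD module is installed and that the owner account is the one you will later use in the ConfigMgr console.

```powershell
# Added example (not from the original post): create the empty Azure AD security group
# with the settings listed above using the AzureAD PowerShell module.
# Assumptions: AzureAD module installed; $AdminUpn is the admin account that will
# set up the collection sync in the ConfigMgr console (placeholder value).
Import-Module AzureAD
Connect-AzureAD | Out-Null

$GroupName   = 'Co-Management Pilot'                 # placeholder group name
$Description = 'Pilot devices synced from ConfigMgr' # optional description
$AdminUpn    = 'cm-admin@contoso.example'            # placeholder owner account

# Security group, not mail-enabled. No membership rule is supplied, so the group
# is created with Assigned membership, which is what the collection sync needs
# (ConfigMgr adds and removes the members itself).
$group = New-AzureADGroup -DisplayName $GroupName -Description $Description `
    -SecurityEnabled $true -MailEnabled $false -MailNickName 'comgmtpilot'

# Owner: the account that will create the relationship in ConfigMgr. Without this,
# the console prompts you to sign in as the owner when you apply the sync settings.
$owner = Get-AzureADUser -ObjectId $AdminUpn
Add-AzureADGroupOwner -ObjectId $group.ObjectId -RefObjectId $owner.ObjectId

# Verify the result: should be SecurityEnabled = True, MailEnabled = False,
# no members yet, and the admin account listed as owner.
$check  = Get-AzureADGroup -ObjectId $group.ObjectId
$owners = Get-AzureADGroupOwner -ObjectId $group.ObjectId
$count  = (Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true | Measure-Object).Count
[pscustomobject]@{
    Name            = $check.DisplayName
    SecurityEnabled = $check.SecurityEnabled
    MailEnabled     = $check.MailEnabled
    MemberCount     = $count
    Owners          = ($owners.UserPrincipalName -join ', ')
}
```

Run this once per pilot group; the final object is what you want to see before moving on to the ConfigMgr side, and the owner line is the setting that most often trips people up in the console step.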

[Screenshot]

Now, back in ConfigMgr, we can go to the properties of the device collection we wish to sync, navigate to the AAD Group Sync tab and click Add.

[Screenshot]

You can now search for the name of the Azure AD group we just created, or just click Search while the box is blank and it will list the available groups. I am going to select Co-Management Pilot and click OK.

[Screenshot]

I can now click Apply and OK to save these settings.

[Screenshot]

I received this error because I had my ConfigMgr console open as a user who was not the owner of the group I created in Azure AD. If you click Yes you can then sign in as the owner of the group.

[Screenshot]

Now that we have successfully set up the sync, it will run every 5 minutes (for devices to become members in Azure AD they must be Hybrid Azure AD joined or Azure AD joined). If you wish to force a sync you can right-click the collection and choose Synchronize Membership.

[Screenshot]

After a couple of minutes the devices were visible in the Azure AD group, and I can now use this for targeting in Intune. If you have a keen eye you will notice the collection actually had 10 members while the screenshot below has 4. This is because the collection contained stale clients which are no longer in Azure AD.
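Rather than counting members by eye, you can list exactly which collection members did not land in the Azure AD group, which is how you would spot stale clients or devices that are not Hybrid Azure AD joined before using the group for Intune targeting. This is an added example, not code from the original post; it assumes a ConfigMgr console PowerShell session with the site drive loaded (so `Get-CMDevice` is available), the AzureAD module installed, and placeholder names for the collection and group.

```powershell
# Added example (not from the original post): compare the members of the synced
# ConfigMgr collection with the device members of the Azure AD group and report the
# devices that are missing from the group (stale clients, or devices that are not
# Hybrid/Azure AD joined and therefore cannot be added).
# Assumptions: run from a ConfigMgr console PowerShell session (site drive mounted),
# AzureAD module installed; collection and group names below are placeholders.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$CollectionName = 'Co-Management Pilot'   # placeholder ConfigMgr collection
$GroupName      = 'Co-Management Pilot'   # placeholder Azure AD group

# Device names ConfigMgr believes are in the collection.
$cmDevices = @(Get-CMDevice -CollectionName $CollectionName |
    Select-Object -ExpandProperty Name)

# Device display names currently in the Azure AD group (device objects only).
$group = Get-AzureADGroup -SearchString $GroupName | Select-Object -First 1
if (-not $group) { throw "Azure AD group '$GroupName' not found" }
$aadDevices = @(Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
    Where-Object ObjectType -eq 'Device' |
    Select-Object -ExpandProperty DisplayName)

# Names present in the collection but absent from the group. Compare-Object is
# case-insensitive by default, which suits computer names.
$missing = @()
if ($cmDevices.Count -gt 0) {
    $missing = @(Compare-Object -ReferenceObject $cmDevices -DifferenceObject $aadDevices |
        Where-Object SideIndicator -eq '<=' |
        Select-Object -ExpandProperty InputObject)
}

"Collection members : $($cmDevices.Count)"
"Azure AD group     : $($aadDevices.Count)"
"Not in Azure AD group (stale or not Azure AD joined):"
$missing
```

If the missing list is non-empty after a forced Synchronize Membership, the names on it are the ones to clean up in ConfigMgr (stale records) or to check for join state, since the sync can only add devices that already exist as device objects in Azure AD.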

[Screenshot]