Syncing Device Collections to Azure AD

In SCCM 1906 they released a new pre-release feature which allows you to sync the membership of a device collection to an Azure AD Group. A perfect scenario for this is when you have multiple pilot collections for Co-Management as you can now sync those collections to Azure AD Groups and use them for targeting within Intune.

The first step is to enable the pre-release feature if you hadn’t already done so.

image

In order to use this feature you must have already configured azure services for cloud management and turned on Azure AD User Discovery. I am not going to go through that process in this blog post but you can find more information here: https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/azure-services-wizard

Once Cloud Management is configured in Azure Services and you have turned on Azure AD User Discovery you can go to the properties of Cloud Management and on the Collection Synchronization tab tick the box for “Enable Azure Active Directory Group Sync”

image

The next step is to create an empty group in Azure AD with the following settings:

  1. Group Type: Security
  2. Name the Group
  3. Set A Description (Optional)
  4. Membership Type: Assigned
  5. Owner: Set this to your admin account which will create the relationship in SCCM

image

Now Back in ConfigMgr we can go to the properties of the device collection we wish to sync and navigate to the AAD Group Sync tab and click Add

image

You can now search for the name of the Azure AD Group we just created or just click search whilst the box is blank and it will list the available groups. I am going to select Co-Management Pilot and click Ok

image

I can now apply and ok these settings

image

I received this error because i had my ConfigMgr Console opened as user who was not the owner of the group I created in Azure AD. If you click yes you can then sign in as the owner of the group.

image

Now we have successfully setup the sync, this will run every 5 minutes (For them to be members in Azure AD they must be Hybrid AD Joined or Azure AD Joined). If you wish to force a sync you can right click the collection and choose Synchronize Membership

image

After a couple of minutes the devices were visible in the Azure AD group. I can now use this for targeting in Intune. If you have a very keen eye you will notice the collection actually had 10 members and the screenshot below has 4. This is just because the collection contained stale clients which are no longer in Azure AD.

image


Jake Stoker

Jake Stoker

Enteprise Mobility + Security SME