SCCM – You can now discover your Azure AD Security Groups with SCCM

The release of System Center Configuration Manager Current Branch 1906 (SCCM Current Branch) provides an updated discovery method for your Azure AD tenant.

As you may already be aware, you have been able to discover your Azure AD user objects with SCCM for quite some time now.

Well, this Azure AD discovery functionality has been updated in SCCM 1906 to also let you discover your Azure AD Security Groups.

To enable this new discovery, open your SCCM administration console, go to the Administration\Cloud Services\Azure Services workspace and edit your Cloud Management configuration.


Then go to the Discovery tab and enable Azure Active Directory Group Discovery.


When you enable this discovery method you also have to define a scope by editing the Settings; defining a scope prompts you to authenticate against your Azure AD when performing the group search.

If you don't define a scope, you will get the following SMS Provider error when running the full discovery:


ConfigMgr Error Object:
instance of SMS_ExtendedStatus
{
    Description = "Parameter DiscoveryScopeIds is null or has the wrong type";
    ErrorCode = 1078462208;
    File = "..\\sspaaddiscoverysettings.cpp";
    Line = 198;
    ObjectInfo = "DiscoveryScopeIds";
    Operation = "PutInstance";
    ParameterInfo = "";
    ProviderName = “ExtnProv”;
    StatusCode = 2147749889;
};

——————————-
Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryException
The SMS Provider reported an error.

Stack Trace:
   at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlResultObject.Put(ReportProgress progressReport)
   at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlResultObject.Put()
   at Microsoft.ConfigurationManagement.AdminConsole.CloudServicesManagement.CloudManagementAction.RunFullDiscovery(Object sender, ScopeNode scopeNode, ActionDescription action, IResultObject selectedResultObject, PropertyDataUpdated dataUpdatedDelegate, Status status)

——————————-

System.Management.ManagementException
Generic failure

Stack Trace:
   at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlResultObject.Put(ReportProgress progressReport)
   at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlResultObject.Put()
   at Microsoft.ConfigurationManagement.AdminConsole.CloudServicesManagement.CloudManagementAction.RunFullDiscovery(Object sender, ScopeNode scopeNode, ActionDescription action, IResultObject selectedResultObject, PropertyDataUpdated dataUpdatedDelegate, Status status)

——————————-


Once enabled, you should see a new agent type called Azure Active Directory Group Discovery.


You can monitor and troubleshoot the Azure Active Directory discovery methods using the SMS_AZUREAD_DISCOVERY_AGENT.log log file (shared with Azure AD User Discovery).
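Reading that log in CMTrace works, but on a busy site server it is handy to filter it from PowerShell. The following is an added example, not code from the original post or from Microsoft: it parses lines in the standard CMTrace log format (`<![LOG[...]LOG]!><time=... date=... component=... type=...>`) and keeps only the warning (type 2) and error (type 3) entries. The sample lines are constructed for illustration; their message text is not real agent output, and the log path at the end is the default ConfigMgr install location, which you may need to adjust.

```powershell
# Added example (not from the original post): parse a ConfigMgr CMTrace-format log and
# surface the warning/error entries so discovery problems stand out.
# The sample below is constructed for illustration; the messages are not real agent output.
$SampleLog = @'
<![LOG[Azure Active Directory User Group Discovery Agent started.]LOG]!><time="10:15:01.123+000" date="08-15-2019" component="SMS_AZUREAD_DISCOVERY_AGENT" context="" type="1" thread="4120" file="aaddiscovery.cpp:100">
<![LOG[Processing discovery scope with 1 group(s).]LOG]!><time="10:15:02.456+000" date="08-15-2019" component="SMS_AZUREAD_DISCOVERY_AGENT" context="" type="1" thread="4120" file="aaddiscovery.cpp:120">
<![LOG[Token request for tenant <tenant-id-placeholder> returned HTTP 401.]LOG]!><time="10:15:03.789+000" date="08-15-2019" component="SMS_AZUREAD_DISCOVERY_AGENT" context="" type="3" thread="4120" file="aaddiscovery.cpp:140">
<![LOG[Discovery cycle finished with 1 error(s).]LOG]!><time="10:15:04.000+000" date="08-15-2019" component="SMS_AZUREAD_DISCOVERY_AGENT" context="" type="2" thread="4120" file="aaddiscovery.cpp:160">
'@

# CMTrace severity codes: 1 = informational, 2 = warning, 3 = error.
$SeverityByType = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }

function Get-CMTraceEntry {
    # Turns one CMTrace log line into an object; lines that do not match are skipped.
    param(
        [Parameter(ValueFromPipeline)]
        [string]$Line
    )
    begin {
        $pattern = '<!\[LOG\[(?<Message>.*?)\]LOG\]!><time="(?<Time>[^"]+)"\s+date="(?<Date>[^"]+)"\s+component="(?<Component>[^"]*)"[^>]*?\btype="(?<Type>\d)"'
    }
    process {
        if ($Line -match $pattern) {
            $severity = $SeverityByType[$Matches['Type']]
            if (-not $severity) { $severity = 'Unknown' }
            [pscustomobject]@{
                Date      = $Matches['Date']
                Time      = $Matches['Time']
                Component = $Matches['Component']
                Severity  = $severity
                Message   = $Matches['Message']
            }
        }
    }
}

# Parse the constructed sample and keep only warnings and errors.
$entries = $SampleLog -split "`r?`n" | Get-CMTraceEntry
$entries | Where-Object { $_.Severity -ne 'Info' } |
    Format-Table Date, Time, Severity, Message -AutoSize

# Against a real site server, read the live log instead (default install path, adjust as needed):
# Get-Content 'C:\Program Files\Microsoft Configuration Manager\Logs\SMS_AZUREAD_DISCOVERY_AGENT.log' |
#     Get-CMTraceEntry | Where-Object { $_.Severity -ne 'Info' }
```

The same parser works on any ConfigMgr log in this format, including SMSProv.log on the SMS Provider server, which is where the provider side of a console error such as the "Parameter DiscoveryScopeIds is null" message above is recorded.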

Below is an example of a successful discovery in the log, and then in the Assets and Compliance\Users workspace: the Domain column is empty for Azure AD groups, and in the properties you can see the agent used (SMS_AZUREAD_USER_GROUP_DISCOVERY_AGENT) as well as the tenant ID and group ID from Azure AD.
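The same information can be pulled from the SMS Provider with a WQL query, which is useful for checking discovery results from a script rather than the console. This is an added example, not code from the original post or from Microsoft, and it rests on a few assumptions that the post does not state: the site code `PS1` and the provider host are placeholders, the discovered Azure AD groups are assumed to be `SMS_R_UserGroup` resource records, and the `AgentName` property is assumed to be what the console shows as "Agent". The property names that carry the Azure AD tenant ID and group ID are not given in the post, so the script dumps every populated property instead of guessing them.

```powershell
# Added example (not from the original post): enumerate resource records created by the
# Azure AD group discovery agent through the SMS Provider.
# Assumptions (not stated in the post): 'PS1' and the provider host are placeholders;
# discovered Azure AD groups are modelled as SMS_R_UserGroup resources; AgentName is the
# property the console displays as "Agent".
$SiteCode       = 'PS1'        # placeholder, replace with your site code
$ProviderServer = 'localhost'  # placeholder, replace with your SMS Provider host
$Namespace      = "root\SMS\site_$SiteCode"
$AgentName      = 'SMS_AZUREAD_USER_GROUP_DISCOVERY_AGENT'

function Get-AzureADDiscoveredGroup {
    param(
        [string]$ComputerName = $ProviderServer,
        [string]$Ns = $Namespace
    )
    # AgentName is an array property; the SMS Provider matches when any element equals the value.
    $cim = @{
        Namespace = $Ns
        Query     = "SELECT * FROM SMS_R_UserGroup WHERE AgentName = '$AgentName'"
    }
    # Only go over WSMan when the provider is actually remote.
    if ($ComputerName -and $ComputerName -ne 'localhost') { $cim.ComputerName = $ComputerName }
    Get-CimInstance @cim
}

$groups = @(Get-AzureADDiscoveredGroup)
"{0} group record(s) created by {1}" -f $groups.Count, $AgentName

# Summary view: WindowsNTDomain (the Domain column) is expected to be empty for Azure AD groups.
$groups | Select-Object ResourceId, Name, WindowsNTDomain, AgentTime | Format-Table -AutoSize

# Dump every populated property of the first record; the Azure AD tenant and group
# identifiers are among them, whatever their exact property names are.
if ($groups.Count -gt 0) {
    $groups[0].CimInstanceProperties |
        Where-Object { $null -ne $_.Value -and "$($_.Value)" -ne '' } |
        Select-Object Name, Value | Format-Table -AutoSize
}
```

The account running the script needs read access to the SMS Provider namespace (the same rights the console uses); if the provider is remote, WinRM must be reachable on that host.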

