Setting up a 2nd CMG VMSS, Do I need to create new Azure Services (Web&native apps) in ConfigMGR

Question

Dear Team,

We have a unique case here as below and we need your expert advice.

Scenario - In current SCCM hierarchy we have 1 CAS and 2 primary site which are running on EOL OS version. We have created a new PRI site under same hierarchy and now migrating the clients from existing to new PRI site under same hierarchy. CMG Classic is installed on CAS currently and we are planning to install new CMG VMSS on CAS again.

We faced the challenge while creating the new Azure apps(web&native) from ConfigMGR console and manual method as well. But it says, "Tenant already exists".

If we go by the below MS article it says "The user identities, device registrations, and app registrations are all in the same tenant. You can choose which subscription the CMG uses. You can deploy multiple CMG services from one site into separate subscriptions. The site has a one-to-one relationship with the tenant. You decide which subscriptions to use for various reasons such as billing or logical separation."

https://learn.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/cloud-management-gateway-faq#do-the-user-accounts-have-to-be-in-the-same-microsoft-entra-tenant-as-the-tenant-associated-with-the-subscription-that-hosts-the-cmg-cloud-service-

Query 1- Can we use same Azure Services (Web&client apps) which are currently used by CMG Classic? Will there be any impact to existing configuration?

Query2- If our new CMG VMSS gets setup with existing CMG classic at the same time, in such case the clients reporting from existing PRI site (e.g. ABC) currently served with content from CMG classic with (a CMG connection point is installed at ABC site). How the clients when migrated to new PRI site (e.g. CDE) will connect with new CMG VMSS with (a new CMG connection point will be installed at CDE site)?

Query3- In such migration situation, what should be best approach to deal with a new CMG setup?

Your recommendation will be highly appreciated.

Answer 1

Hi, @Mohd Atif Husain

Thank you for posting in Microsoft Q&A forum.

Query 1: Yes, you can use the same Azure Services (Web&client apps) which are currently used by CMG Classic. There will be no impact on the existing configuration. You can deploy multiple CMG services from one site into separate subscriptions. The site has a one-to-one relationship with the tenant. You decide which subscriptions to use for various reasons such as billing or logical separation.

Query 2: When the clients are migrated to the new PRI site (e.g. CDE), they will connect with the new CMG VMSS with a new CMG connection point that will be installed at CDE site. You can create a CMG in any available subscription in either tenant. Devices that are joined or hybrid joined to either Microsoft Entra ID could use a CMG. If the user and device identities are in one tenant, but the CMG's subscription is in another tenant, you need to attach the site to both tenants. Technically, the client app isn't needed for the second tenant that only has the CMG service. The client app only provides user and device authentication for clients that use the CMG service.

Query 3: In such a migration situation, the best approach to deal with a new CMG setup is to deploy multiple CMG services from one site into separate subscriptions. The site has a one-to-one relationship with the tenant. You decide which subscriptions to use for various reasons such as billing or logical separation. You can use the same Azure Services (Web&client apps) which are currently used by CMG Classic. There will be no impact on the existing configuration. When the clients are migrated to the new PRI site (e.g. CDE), they will connect with the new CMG VMSS with a new CMG connection point that will be installed at CDE site.

---

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Add comment".