Enable Microsoft Endpoint Manager tenant attach: Device sync and device actions

Applies to: Configuration Manager (current branch)

Microsoft Endpoint Manager is an integrated solution for managing all of your devices. Microsoft brings together Configuration Manager and Intune into a single console called Microsoft Endpoint Manager admin center. You can upload your Configuration Manager devices to the cloud service and take actions from the Devices blade in the admin center.

Enable device upload when co-management is already enabled

If you have co-management enabled currently, you'll use the co-management properties to enable device upload. When co-management isn't already enabled, use the Cloud Attach Configuration Wizard to enable device upload instead. Before you enable tenant attach, verify that the prerequisites for tenant attach have been met.

When co-management is already enabled, edit the co-management properties to enable device upload using the instructions below:

  1. In the Configuration Manager admin console, go to Administration > Overview > Cloud Services > Cloud Attach.
    • For version 2103 and earlier, select the Co-management node.
  2. In the ribbon, select Properties for your co-management production policy.
  3. In the Configure upload tab, select Upload to Microsoft Endpoint Manager admin center. Select Apply.
    • The default setting for device upload is All my devices managed by Microsoft Endpoint Configuration Manager. If needed, you can limit upload to a single device collection.
    • When a single collection is selected, its child collections are also uploaded.
  4. Check the option to Enable Endpoint analytics for devices uploaded to Microsoft Endpoint Manager if you also want to get insights for optimizing the end-user experience in Endpoint Analytics.
  5. Check the option to Enforce Role-based Access Control for the devices uploading to cloud service. By default, Configuration Manager (SCCM) RBAC is enforced along with Intune RBAC when you upload your Configuration Manager devices to the cloud service, so the checkbox is checked by default. If you want to enforce only Intune RBAC, you can uncheck the box. However, enforcement of Intune RBAC only doesn't apply at this time. The release notes and What's new in Intune will be updated when you're able to enforce Intune RBAC only.

Important

When you enable Endpoint analytics data upload, your default client settings will be automatically updated to allow managed endpoints to send relevant data to your Configuration Manager site server. If you use custom client settings, you may need to update and re-deploy them for data collection to occur. For more details on this, as well as how to configure data collection, such as to limit collection only to a specific set of devices, see the section on Configuring Endpoint analytics data collection.

Screenshot that shows how to upload devices to Microsoft Endpoint Manager admin center.

  1. Sign in with your Global Administrator account when prompted.
  2. Select Yes to accept the Create AAD Application notification. This action provisions a service principal and creates an Azure AD application registration to facilitate the sync.
  3. Choose OK to exit the co-management properties once you've done making changes.

Enable device upload when co-management isn't enabled

If you don't have co-management enabled, you'll use the Cloud Attach Configuration Wizard to enable device upload. You can upload your devices without enabling automatic enrollment for co-management or switching workloads to Intune. All devices managed by Configuration Manager that have Yes in the Client column will be uploaded. If needed, you can limit upload to a single device collection. If co-management is already enabled in your environment, edit the co-management properties to enable device upload instead. Before you enable tenant attach, verify that the prerequisites for tenant attach have been met.

When co-management isn't enabled, use the instructions below to enable device upload:

  1. In the Configuration Manager admin console, go to Administration > Overview > Cloud Services > Cloud Attach. For version 2103 and earlier, select the Co-management node.

    • Starting in Configuration Manager version 2111, the tenant attach onboarding experience changed. The cloud attach wizard makes it easier to enable tenant attach and other cloud features. You can choose a streamlined set of recommended defaults, or customize your cloud attach features. For more information on enabling tenant attach with the new wizard, see Enable cloud attach.
  2. In the ribbon, select Configure Cloud Attach to open the wizard. For version 2103 and earlier, select Configure co-management to open the wizard.

  3. On the onboarding page, select AzurePublicCloud for your environment. Azure Government Cloud and Azure China 21Vianet aren't supported.

    • Starting in version 2107, US Government customers can select AzureUSGovernmentCloud.
  4. Select Sign In. Use your Global Administrator account to sign in.

  5. Ensure the Enable Microsoft Endpoint Manager admin center option is selected on the Cloud attach page. For version 2103 and earlier, select the Upload to Microsoft Endpoint Manager admin center option on the Tenant onboarding page.

    • Make sure the option Enable automatic client enrollment for co-management isn't checked if you don't want to enable co-management now. If you do want to enable co-management, select the option.
    • If you enable co-management along with device upload, you'll be given additional pages in the wizard to complete. For more information, see Enable co-management.

    Co-management Configuration Wizard

  6. Choose Next and then Yes to accept the Create AAD Application notification. This action provisions a service principal and creates an Azure AD application registration to facilitate the sync.

  7. On the Configure upload page, select the recommended device upload setting for All my devices managed by Microsoft Endpoint Configuration Manager. If needed, you can limit upload to a single device collection.

    • When a single collection is selected, its child collections are also uploaded.
  8. Check the option to Enable Endpoint analytics for devices uploaded to Microsoft Endpoint Manager if you also want to get insights to optimize the end-user experience in Endpoint Analytics.

  9. Select Summary to review your selection, then choose Next.

  10. When the wizard is complete, select Close.

Scope tags

Tenant-attached devices receive the default scope tag from Microsoft Intune. If you remove the default scope tag from a tenant-attached device, the device won't be displayed at all in the Microsoft Endpoint Manager admin center. Currently, tenant-attached devices can't be assigned scope tags, unlike co-managed devices.

However, sometimes you don’t want certain Intune roles to see tenant-attached devices. For instance, you may not want someone with Intune's Help Desk Operator role to see tenant-attached devices because they're servers. In these cases, create or use a custom role in Intune that doesn't have Default listed for its Scope tags. When creating custom Intune roles, keep in mind that the default scope tag is automatically added to all untagged objects.

Perform device actions

  1. In a browser, navigate to endpoint.microsoft.com.

  2. Select Devices then All devices to see the uploaded devices. You'll see ConfigMgr in the Managed by column for uploaded devices.

    All devices in Microsoft Endpoint Manager admin center

  3. Select a device to load its Overview page.

  4. Choose any of the following actions:

    • Sync Machine Policy
    • Sync User Policy
    • App Evaluation Cycle

    Device overview in Microsoft Endpoint Manager admin center

Display the Configuration Manager connector status from the admin console

From the Microsoft Endpoint Manager admin center, you can review the status of your Configuration Manager connector. To display the connector status, go to Tenant administration > Connectors and tokens > Microsoft Endpoint Configuration Manager. Select a Configuration Manager hierarchy to display additional information about it.

Microsoft Endpoint Configuration Manager connector in the admin center

Offboard from tenant attach

While we know customers get enormous value by enabling tenant attach, there are rare cases where you might need to offboard a hierarchy. You can offboard from either the Configuration Manager console (recommended method) or from the Microsoft Endpoint Manager admin center.

Offboard from the Configuration Manager console

When tenant attach is already enabled, edit the co-management properties to disable device upload and offboard.

  1. In the Configuration Manager admin console, go to Administration > Overview > Cloud Services > Cloud Attach.
    • For version 2103 and earlier, select the Co-management node.
  2. In the ribbon, select Properties for your co-management production policy.
  3. In the Configure upload tab, remove the Upload to Microsoft Endpoint Manager admin center selection.
  4. Select Apply.

Offboard from the Microsoft Endpoint Manager admin center

If needed, you can offboard a Configuration Manager hierarchy from the Microsoft Endpoint Manager admin center. For example, you may need to offboard from the admin center following a disaster recovery scenario where the on-premises environment was removed. Follow the steps below to remove your Configuration Manager hierarchy from the Microsoft Endpoint Manager admin center:

  1. Sign in to the Microsoft Endpoint Manager admin center.
  2. Select Tenant administration then Connectors and tokens.
  3. Select Microsoft Endpoint Configuration Manager.
  4. Choose the name of the site you would like to offboard, then select Delete.
    • The connector may be listed as Unknown if the site information is lacking.

When you offboard a hierarchy from the admin center, it may take up to two hours to remove from the Microsoft Endpoint Manager admin center. If you offboard a Configuration Manager 2103 or later site that's online and healthy, the process may only take a few minutes.

Note

If you are using custom RBAC roles with Intune, you will need to grant the Organization > Delete permission to offboard a hierarchy.

Import a previously created Azure AD application (optional)

During a new onboarding to tenant attach, an administrator can specify a previously created application. Don't share or reuse Azure AD applications across multiple hierarchies. If you have multiple hierarchies, create a separate Azure AD application for each.

From the onboarding page in the Cloud Attach Configuration Wizard (Co-management Configuration Wizard in versions 2103 and earlier), select Optionally import a separate web app to synchronize Configuration Manager client data to Microsoft Endpoint Manager admin center. This option will prompt you to specify the following information for your Azure AD app:

  • Azure AD tenant name
  • Azure AD tenant ID
  • Application name
  • Client ID
  • Secret key
  • Secret key expiry
  • App ID URI

Important

  • The App ID URI must use one of the following formats:

    • api://{tenantId}/{string}, for example, api://5e97358c-d99c-4558-af0c-de7774091dda/ConfigMgrService
    • https://{verifiedCustomerDomain}/{string}, for example, https://contoso.onmicrosoft.com/ConfigMgrService

    For more information on creating an Azure AD app, see Configure Azure services.

  • When you use an imported Azure AD app, you aren't notified of an upcoming expiration date from console notifications.
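Two checks worth scripting before you import an app: that the App ID URI uses one of the two accepted formats for your own tenant or a domain you have verified, and how long the secret has left, since the console won't warn you about an imported app's expiry. This is an added example, not Microsoft's code; the tenant ID and domain are the page's sample values, and the expiry dates are constructed.

```python
"""Pre-import checks for an Azure AD app used with tenant attach (added example)."""
from __future__ import annotations

import re
from datetime import date, datetime, timezone

# Constructed sample values: the GUID and domain are the page's examples, not a live tenant.
SAMPLE_TENANT_ID = "5e97358c-d99c-4558-af0c-de7774091dda"
SAMPLE_VERIFIED_DOMAINS = {"contoso.onmicrosoft.com"}

_GUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
# api://{tenantId}/{string}  -- exactly one path segment after the tenant GUID
_API_FORMAT = re.compile(rf"^api://({_GUID})/([^/\s]+)$")
# https://{verifiedCustomerDomain}/{string}  -- exactly one path segment after the host
_HTTPS_FORMAT = re.compile(r"^https://([A-Za-z0-9.-]+)/([^/\s]+)$")


def app_id_uri_is_valid(uri: str, tenant_id: str, verified_domains: set[str]) -> bool:
    """True if uri is api://<our tenantId>/<string> or https://<our verified domain>/<string>.

    A URI that is well-formed but points at another tenant or an unverified
    domain is rejected, so the app can't be registered against the wrong directory.
    """
    m = _API_FORMAT.match(uri)
    if m:
        return m.group(1).lower() == tenant_id.lower()
    m = _HTTPS_FORMAT.match(uri)
    if m:
        return m.group(1).lower() in {d.lower() for d in verified_domains}
    return False


def days_until_secret_expiry(expiry_iso: str, today_iso: str | None = None) -> int:
    """Days left on the client secret (the wizard's 'Secret key expiry' value).

    Negative means it has already expired. today_iso defaults to the current UTC date.
    """
    today = date.fromisoformat(today_iso) if today_iso else datetime.now(timezone.utc).date()
    return (date.fromisoformat(expiry_iso) - today).days


def secret_needs_rotation(expiry_iso: str, warn_days: int = 30, today_iso: str | None = None) -> bool:
    """True when the secret expires within warn_days, or has already expired."""
    return days_until_secret_expiry(expiry_iso, today_iso) <= warn_days


if __name__ == "__main__":
    uri = f"api://{SAMPLE_TENANT_ID}/ConfigMgrService"
    print("App ID URI ok:", app_id_uri_is_valid(uri, SAMPLE_TENANT_ID, SAMPLE_VERIFIED_DOMAINS))
    print("Secret needs rotation:", secret_needs_rotation("2024-06-30", today_iso="2024-06-01"))
```

Run the rotation check on a schedule (for example, as a status-monitoring job) so the imported app's secret is renewed before the connector silently stops syncing.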

Azure AD application permissions and configuration

Using a previously created application during onboarding to tenant attach requires the following permissions:

Next steps