Microsoft Intune tenant attach: Prerequisites
Applies to: Configuration Manager (current branch)
The Microsoft Intune family of products is an integrated solution for managing all of your devices. Microsoft brings together Configuration Manager and Intune into a single console called Microsoft Intune admin center. You can upload your Configuration Manager devices to the cloud service and take actions from the Devices page in the admin center. Some of the features you may want to use include:
- Run PowerShell scripts
- Install applications
- Query devices with CMPivot
- Display a timeline of events from the device
Prerequisites
- An account that is a Global Administrator for signing in when applying this onboarding change. For more information, see Microsoft Entra administrator roles.
  - Onboarding creates a third-party app and a first-party service principal in your Microsoft Entra tenant.
- An Azure cloud environment.
  - The Upload to Microsoft Endpoint Manager admin center option is disabled for Microsoft Azure China 21Vianet (Azure China Cloud) and Azure US Government Cloud. Starting in version 2107, this option is available for US Government customers.
Starting in version 2107, United States Government customers can use the following tenant attach features in the US Government cloud:
- Account onboarding
- Tenant sync to Intune
- Device sync to Intune
- Device actions in the Microsoft Intune admin center
- The geographic location of the Azure tenant and the service connection point should be the same.
- At least one Intune license for you as the administrator to access the Microsoft Intune admin center.
- The administration service in Configuration Manager needs to be set up and functional.
  - If your central administration site has a remote provider, follow the instructions for the CAS has a remote provider scenario in the CMPivot article.
- This feature supports all OS versions that Configuration Manager currently supports as a client. For more information, see Supported OS versions for clients and devices.
Permissions
The user accounts performing device actions have the following prerequisites:
- The user account needs to be a synced user object in Microsoft Entra ID (hybrid identity). This means that the user is synced to Microsoft Entra ID from Active Directory.
- For Configuration Manager version 2103 and later:
  - Has been discovered with either Microsoft Entra user discovery or Active Directory user discovery.
- For Configuration Manager version 2103 and later:
  - The Initiate Configuration Manager action permission under Remote tasks in the Microsoft Intune admin center.
  - For more information about adding or verifying permissions in the admin center, see Role-based access control (RBAC) with Microsoft Intune.
Internet endpoints
- https://aka.ms/configmgrgateway
- https://*.manage.microsoft.com for Azure public cloud customers
- https://*.manage.microsoft.us for US Government cloud customers on version 2107 or later
- https://dc.services.visualstudio.com
The service connection point makes a long-standing outgoing connection to the notification service hosted on https://*.manage.microsoft.com. Verify that the proxy used for the service connection point doesn't time out outgoing connections too quickly. We recommend 3 minutes for outgoing connections to this internet endpoint.
If your environment has proxy rules to allow only specific certificate revocation lists (CRLs) or online certificate status protocol (OCSP) verification locations, also allow the following CRL and OCSP URLs:
- http://crl3.digicert.com
- http://crl4.digicert.com
- http://ocsp.digicert.com
- http://www.d-trust.net
- http://root-c3-ca2-2009.ocsp.d-trust.net
- http://crl.microsoft.com
- http://oneocsp.microsoft.com
- http://ocsp.msocsp.com
- http://www.microsoft.com/pkiops
The service connection point validates important internet endpoints for tenant attach. These checks help make sure that the cloud service is available. It also helps you troubleshoot issues by quickly determining if network connectivity is a problem. For more information, see Validate internet access.
Note
The service connection point checks the CRL. If this server doesn't have access to the URLs listed above, the CRL check fails. Consider setting a system proxy, for example with the command 'netsh winhttp set proxy'. For more information, see How the Windows Update client determines which proxy server to use to connect to the Windows Update Web site. Make sure that you include a bypass list for internal site communications. This configuration may be necessary because the proxy server settings within Configuration Manager only configure the proxy for Configuration Manager applications and not the underlying OS.
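The following script is an added example for checking the endpoints and proxy settings described above from the service connection point; it is not part of the Microsoft documentation and not a Configuration Manager tool. It reads the current WinHTTP (OS-level) proxy, then sends an HTTP HEAD request to each endpoint in the lists above, using the 3-minute timeout recommended for the outgoing connection. The $Proxy value and the proxy and bypass names in the commented netsh line are placeholders; the wildcard hosts (https://*.manage.microsoft.com, https://*.manage.microsoft.us) are represented by the bare domain, which is an assumption you may need to replace with the specific host names seen in your logs.

```powershell
# Added example, not from the Microsoft documentation page. Run in an elevated
# PowerShell session on the service connection point.

# Placeholder: set to the proxy the service connection point must use, e.g.
# 'http://proxy.example.internal:8080'. $null means Invoke-WebRequest uses the
# caller's default (WinINET) proxy settings, which can differ from the WinHTTP
# proxy that the OS-level CRL check uses.
$Proxy = $null

# Endpoints taken from the lists on this page. Wildcard hosts cannot be tested
# directly, so the bare domain stands in for them (assumption).
$Endpoints = @(
    'https://aka.ms/configmgrgateway',
    'https://manage.microsoft.com',          # stands in for https://*.manage.microsoft.com
    'https://dc.services.visualstudio.com',
    'http://crl3.digicert.com',
    'http://crl4.digicert.com',
    'http://ocsp.digicert.com',
    'http://www.d-trust.net',
    'http://root-c3-ca2-2009.ocsp.d-trust.net',
    'http://crl.microsoft.com',
    'http://oneocsp.microsoft.com',
    'http://ocsp.msocsp.com',
    'http://www.microsoft.com/pkiops'
)

# 1. Show the OS-level proxy. This is the setting the CRL check honours, and it is
#    separate from the proxy configured on the site system role in Configuration Manager.
Write-Host '--- WinHTTP (OS-level) proxy ---'
netsh winhttp show proxy

# To set it with a bypass list for internal site systems (placeholder names):
# netsh winhttp set proxy proxy-server="proxy.example.internal:8080" bypass-list="*.example.internal;<local>"

# 2. Test each endpoint. A 4xx/5xx reply still shows the connection reached the
#    endpoint through the proxy; a DNS or timeout failure has no Response object.
Write-Host '--- Endpoint reachability ---'
foreach ($url in $Endpoints) {
    $params = @{
        Uri             = $url
        Method          = 'Head'
        UseBasicParsing = $true
        TimeoutSec      = 180        # 3 minutes, matching the recommendation above
        ErrorAction     = 'Stop'
    }
    if ($Proxy) { $params.Proxy = $Proxy }

    try {
        $response = Invoke-WebRequest @params
        '{0,-48} OK        (HTTP {1})' -f $url, [int]$response.StatusCode
    }
    catch {
        if ($_.Exception.Response) {
            '{0,-48} REACHABLE (HTTP {1})' -f $url, [int]$_.Exception.Response.StatusCode
        }
        else {
            '{0,-48} FAIL      {1}' -f $url, $_.Exception.Message
        }
    }
}
```

Any endpoint reported as FAIL (name resolution failure, connection refused, or timeout) is a candidate for a missing proxy allow-list entry or a proxy idle timeout shorter than the 3 minutes recommended above; a REACHABLE result with an HTTP error code only means the proxy passed the request, which is what matters for these allow-list checks.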
Limitations
Currently, Configuration Manager devices aren't included when retrieving a device list through a PowerShell script or through Microsoft Graph API. To work around this issue, use the Export option from the All devices page in the admin center.