Aug 02, 2021
Applies to: Configuration Manager (current branch)
The cloud management gateway (CMG) provides a simple way to manage Configuration Manager clients over the internet. You deploy CMG as a cloud service in Microsoft Azure. Then without more on-premises infrastructure, you can manage clients that roam on the internet or are in branch offices across the WAN. You also don't need to expose your on-premises infrastructure to the internet.
After establishing the prerequisites, creating the CMG consists of the following three steps in the Configuration Manager console:
- Deploy the CMG cloud service to Azure.
- Add the CMG connection point role.
- Configure the site and site roles for the service.
Once deployed and configured, clients seamlessly access on-premises site roles whether they're on the intranet or internet.
This article provides the foundational knowledge to learn about the CMG and the scenarios where you can use it.
Scenarios
There are several scenarios for which a CMG is beneficial. The following scenarios are some of the more common:
Manage traditional Windows clients with Active Directory domain-joined identity. These clients include Windows 8.1 and Windows 10. This scenario uses PKI certificates to secure the communication channel. Management activities include:
- Software updates and endpoint protection
- Inventory and client status
- Compliance settings
- Software distribution to the device
- Windows 10 in-place upgrade task sequence
Manage traditional Windows 10 clients with modern identity, either hybrid or pure cloud domain-joined with Azure Active Directory (Azure AD). Clients use Azure AD to authenticate rather than PKI certificates. Using Azure AD is simpler to set up, configure and maintain than more complex PKI systems. Management activities are the same as the first scenario plus:
- Software distribution to the user
Install the Configuration Manager client on Windows 10 devices over the internet. Using Azure AD allows the device to authenticate to the CMG for client registration and assignment. You can install the client manually, or using another software distribution method, such as Microsoft Intune.
New device provisioning with co-management. When auto-enrolling existing clients, CMG isn't required for co-management. It's required for new devices involving Windows Autopilot, Azure AD, Microsoft Intune, and Configuration Manager. For more information, see Paths to co-management.
Specific use cases
Across these scenarios, the following specific device use cases may apply:
Roaming devices such as laptops
Remote/branch office devices that are less expensive and more efficient to manage over the internet than across a WAN or through a VPN.
Mergers and acquisitions, where it may be easiest to join devices to Azure AD and manage through a CMG.
Workgroup clients. These devices may require other configurations, such as certificates.
To help with management of remote workgroup clients, use Configuration Manager token-based authentication. For more information, see Token-based authentication for CMG.
Important
By default all clients receive policy for a CMG, and start using it when they become internet-based. Depending upon the scenario and use case that applies to your organization, you may need to scope usage of the CMG. For more information, see the Enable clients to use a cloud management gateway client setting.
Next steps
Develop your design and plan for implementing a CMG in your environment:
Applies to: Configuration Manager (current branch)
Use the Azure Services Wizard to simplify the process of configuring the Azure cloud services you use with Configuration Manager. This wizard provides a common configuration experience by using Azure Active Directory (Azure AD) web app registrations. These apps provide subscription and configuration details, and authenticate communications with Azure AD. The app replaces entering this same information each time you set up a new Configuration Manager component or service with Azure.
Available services
Configure the following Azure services using this wizard:
Cloud Management: This service enables the site and clients to authenticate by using Azure AD. This authentication enables other scenarios, such as:
- Support certain cloud management gateway scenarios
Tip
For more information specific to cloud management, see Configure Azure Active Directory for cloud management gateway.
Log Analytics Connector: Connect to Azure Log Analytics. Sync collection data to Log Analytics.
Important
This article refers to the Log Analytics Connector, which was formerly called the OMS Connector. This feature was deprecated in November 2020. It's removed from Configuration Manager in version 2107. For more information, see Removed and deprecated features.
Microsoft Store for Business: Connect to the Microsoft Store for Business. Get store apps for your organization that you can deploy with Configuration Manager.
Service details
The following table lists details about each of the services.
Tenants: The number of service instances you can configure. Each instance must be a distinct Azure AD tenant.
Clouds: All services support the global Azure cloud, but not all services support private clouds, such as the Azure US Government cloud.
Web app: Whether the service uses an Azure AD app of type Web app / API, also referred to as a server app in Configuration Manager.
Native app: Whether the service uses an Azure AD app of type Native, also referred to as a client app in Configuration Manager.
Actions: Whether you can import or create these apps in the Configuration Manager Azure Services Wizard.
| Service | Tenants | Clouds | Web app | Native app | Actions |
|---|---|---|---|---|---|
| Cloud management with Azure AD discovery | Multiple | Public, Private | Yes | Yes | Import, Create |
| Log Analytics Connector | One | Public, Private | Yes | No | Import |
| Microsoft Store for Business | One | Public | Yes | No | Import, Create |
About Azure AD apps
Different Azure services require distinct configurations, which you make in the Azure portal. Additionally, the apps for each service can require separate permissions to Azure resources.
You can use a single app for more than one service. There's only one object to manage in Configuration Manager and Azure AD. When the security key on the app expires, you only have to refresh one key.
When you create additional Azure services in the wizard, Configuration Manager is designed to reuse information that's common between services. This behavior helps you from needing to input the same information more than once.
For more information about the required app permissions and configurations for each service, see the relevant Configuration Manager article in Available services.
For more information about Azure apps, start with the following articles:
Before you begin
After you decide the service to which you want to connect, refer to the table in Service details. This table provides information you need to complete the Azure Services Wizard. Have a discussion in advance with your Azure AD administrator. Decide which of the following actions to take:
Manually create the apps in advance in the Azure portal. Then import the app details into Configuration Manager.
Tip
For more information specific to cloud management, see Manually register Azure Active Directory apps for the cloud management gateway.
Use Configuration Manager to directly create the apps in Azure AD. To collect the necessary data from Azure AD, review the information in the other sections of this article.
Some services require the Azure AD apps to have specific permissions. Review the information for each service to determine any required permissions. For example, before you can import a web app, an Azure administrator must first create it in the Azure portal.
When configuring the Log Analytics Connector, give your newly registered web app contributor permission on the resource group that contains the relevant workspace. This permission allows Configuration Manager to access that workspace. When assigning the permission, search for the name of the app registration in the Add users area of the Azure portal. This process is the same as when providing Configuration Manager with permissions to Log Analytics. An Azure administrator must assign these permissions before you import the app into Configuration Manager.
Start the Azure Services wizard
- In the Configuration Manager console, go to the Administration workspace, expand Cloud Services, and select the Azure Services node.
- On the Home tab of the ribbon, in the Azure Services group, select Configure Azure Services.
- On the Azure Services page of the Azure Services Wizard:
  - Specify a Name for the object in Configuration Manager.
  - Specify an optional Description to help you identify the service.
  - Select the Azure service that you want to connect with Configuration Manager.
- Select Next to continue to the Azure app properties page of the Azure Services Wizard.
Azure app properties
On the App page of the Azure Services Wizard, first select the Azure environment from the list. Refer to the table in Service details for which environment is currently available to the service.
The rest of the App page varies depending upon the specific service. Refer to the table in Service details for which type of app the service uses, and which action you can use.
If the app supports both the import and create actions, select Browse. This action opens the Server app dialog or the Client App dialog.
If the app only supports the import action, select Import. This action opens the Import Apps dialog (server) or the Import Apps dialog (client).
After you specify the apps on this page, select Next to continue to the Configuration or Discovery page of the Azure Services Wizard.
Web app
This app is the Azure AD type Web app / API, also referred to as a server app in Configuration Manager.
Server app dialog
When you select Browse for the Web app on the App page of the Azure Services Wizard, it opens the Server app dialog. It displays a list that shows the following properties of any existing web apps:
- Tenant friendly name
- App friendly name
- Service Type
There are three actions you can take from the Server app dialog:
- To reuse an existing web app, select it from the list.
- Select Import to open the Import apps dialog.
- Select Create to open the Create Server Application dialog.
After you select, import or create a web app, select OK to close the Server app dialog. This action returns to the App page of the Azure Services Wizard.
Import apps dialog (server)
When you select Import from the Server app dialog or the App page of the Azure Services Wizard, it opens the Import apps dialog. This page lets you enter information about an Azure AD web app that is already created in the Azure portal. It imports metadata about that web app into Configuration Manager. Specify the following information:
- Azure AD Tenant Name: The name of your Azure AD tenant.
- Azure AD Tenant ID: The GUID of your Azure AD tenant.
- Application Name: A friendly name for the app, the display name in the app registration.
- Client ID: The Application (client) ID value of the app registration. The format is a standard GUID.
- Secret Key: You have to copy the secret key when you register the app in Azure AD.
- Secret Key Expiry: Select a future date from the calendar.
- App ID URI: This value needs to be unique in your Azure AD tenant. It's in the access token used by the Configuration Manager client to request access to the service. The value is the Application ID URI of the app registration entry in the Azure AD portal. The format is similar to https://ConfigMgrService.
After entering the information, select Verify. Then select OK to close the Import apps dialog. This action returns to either the App page of the Azure Services Wizard, or the Server app dialog.
Important
When you use an imported Azure AD app, you aren't notified of an upcoming expiration date from console notifications.
Create Server Application dialog
When you select Create from the Server app dialog, it opens the Create Server Application dialog. This page automates the creation of a web app in Azure AD. Specify the following information:
- Application Name: A friendly name for the app.
- HomePage URL: This value isn't used by Configuration Manager, but required by Azure AD. By default this value is https://ConfigMgrService.
- App ID URI: This value needs to be unique in your Azure AD tenant. It's in the access token used by the Configuration Manager client to request access to the service. By default this value is https://ConfigMgrService.
- Secret Key validity period: choose either 1 year or 2 years from the drop-down list. One year is the default value.
Note
You may see an option for Never, but Azure AD no longer supports it. If you previously selected this option, the expiration date is now set for 99 years from the date you created it.
Select Sign in to authenticate to Azure as an administrative user. These credentials aren't saved by Configuration Manager. This persona doesn't require permissions in Configuration Manager, and doesn't need to be the same account that runs the Azure Services Wizard. After successfully authenticating to Azure, the page shows the Azure AD Tenant Name for reference.
Select OK to create the web app in Azure AD and close the Create Server Application dialog. This action returns to the Server app dialog.
Note
If you have an Azure AD Conditional Access policy defined that applies to All Cloud apps, you must exclude the created Server Application from this policy. For more information on how to exclude specific apps, see Azure AD Conditional Access Documentation.
Native Client app
This app is the Azure AD type Native, also referred to as a client app in Configuration Manager.
Client App dialog
When you select Browse for the Native Client app on the App page of the Azure Services Wizard, it opens the Client App dialog. It displays a list that shows the following properties of any existing native apps:
- Tenant friendly name
- App friendly name
- Service Type
There are three actions you can take from the Client App dialog:
- To reuse an existing native app, select it from the list.
- Select Import to open the Import apps dialog.
- Select Create to open the Create Client Application dialog.
After you select, import or create a native app, choose OK to close the Client App dialog. This action returns to the App page of the Azure Services Wizard.
Import apps dialog (client)
When you select Import from the Client App dialog, it opens the Import apps dialog. This page lets you enter information about an Azure AD native app that is already created in the Azure portal. It imports metadata about that native app into Configuration Manager. Specify the following information:
- Application Name: A friendly name for the app.
- Client ID: The Application (client) ID value of the app registration. The format is a standard GUID.
After entering the information, select Verify. Then select OK to close the Import apps dialog. This action returns to the Client App dialog.
Tip
When you register the app in Azure AD, you may need to manually specify the following Redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/<ClientID>. Specify the app's client ID GUID, for example: ms-appx-web://Microsoft.AAD.BrokerPlugin/a26a653e-17aa-43eb-ab36-0e36c7d29f49.
Create Client Application dialog
When you select Create from the Client App dialog, it opens the Create Client Application dialog. This page automates the creation of a native app in Azure AD. Specify the following information:
- Application Name: A friendly name for the app.
- Reply URL: This value isn't used by Configuration Manager, but required by Azure AD. By default this value is https://ConfigMgrService.
Select Sign in to authenticate to Azure as an administrative user. These credentials aren't saved by Configuration Manager. This persona doesn't require permissions in Configuration Manager, and doesn't need to be the same account that runs the Azure Services Wizard. After successfully authenticating to Azure, the page shows the Azure AD Tenant Name for reference.
Select OK to create the native app in Azure AD and close the Create Client Application dialog. This action returns to the Client App dialog.
Configuration or Discovery
After specifying the web and native apps on the Apps page, the Azure Services Wizard proceeds to either a Configuration or Discovery page, depending upon the service to which you're connecting. The details of this page vary from service to service. For more information, see one of the following articles:
- Cloud Management service, Discovery page: Configure Azure AD User Discovery
- Log Analytics Connector service, Configuration page: Configure the connection to Log Analytics
- Microsoft Store for Business service, Configurations page: Configure Microsoft Store for Business synchronization
Finally, complete the Azure Services Wizard through the Summary, Progress, and Completion pages. You've completed the configuration of an Azure service in Configuration Manager. Repeat this process to configure other Azure services.
Update application settings
To allow your Configuration Manager clients to request an Azure AD device token and to enable the Reading directory data permissions, you need to update the web server application settings.
Update Application Settings
- In the Configuration Manager console, go to the Administration workspace, expand Cloud Services, and select the Azure Active Directory Tenants node.
- Select the Azure AD tenant for the application you want to update.
- In the Applications section, select your Azure AD web server application, then select Update Application Settings from the ribbon.
- When prompted for confirmation, select Yes to confirm you want to update the application with the latest settings.
Renew secret key
You need to renew the Azure AD app's secret key before the end of its validity period. If you let the key expire, Configuration Manager can't authenticate with Azure AD, which will cause your connected Azure services to stop working.
Starting in version 2006, the Configuration Manager console displays notifications for the following circumstances:
- One or more Azure AD app secret keys will expire soon
- One or more Azure AD app secret keys have expired
To mitigate both cases, renew the secret key.
For more information on how to interact with these notifications, see Configuration Manager console notifications.
Renew key for created app
- In the Configuration Manager console, go to the Administration workspace, expand Cloud Services, and select the Azure Active Directory Tenants node.
- On the Details pane, select the Azure AD tenant for the app.
- In the ribbon, select Renew Secret Key. Enter the credentials of either the app owner or an Azure AD administrator.
Renew key for imported app
If you imported the Azure app in Configuration Manager, use the Azure portal to renew. Note the new secret key and expiry date. Add this information on the Renew Secret Key wizard.
Note
Save the secret key before closing the Azure application properties Key page. This information is removed when you close the page.
Disable authentication
Starting in version 2010, you can disable Azure AD authentication for tenants not associated with users and devices. When you onboard Configuration Manager to Azure AD, it allows the site and clients to use modern authentication. Currently, Azure AD device authentication is enabled for all onboarded tenants, whether or not the tenant has devices. For example, you have a separate tenant with a subscription that you use for compute resources to support a cloud management gateway. If there aren't users or devices associated with the tenant, disable Azure AD authentication.
- In the Configuration Manager console, go to the Administration workspace.
- Expand Cloud Services and select the Azure Services node.
- Select the target connection of type Cloud Management. In the ribbon, select Properties.
- Switch to the Applications tab.
- Select the option to Disable Azure Active Directory authentication for this tenant.
- Select OK to save and close the connection properties.
Tip
It can take up to 25 hours for this change to take effect on clients. For purposes of testing to speed up this change in behavior, use the following steps:
- Restart the sms_executive service on the site server.
- Restart the ccmexec service on the client.
- Trigger the client schedule to refresh the default management point. For example, use the send schedule tool:
SendSchedule {00000000-0000-0000-0000-000000000023}
View the configuration of an Azure service
View the properties of an Azure service you've configured for use. In the Configuration Manager console, go to the Administration workspace, expand Cloud Services, and select Azure Services. Select the service you want to view or edit, and then select Properties.
If you select a service and then choose Delete in the ribbon, this action deletes the connection in Configuration Manager. It doesn't remove the app in Azure AD. Ask your Azure administrator to delete the app when it's no longer needed. Or run the Azure Services Wizard to import the app.
Cloud management data flow
The following diagram is a conceptual data flow for the interaction between Configuration Manager, Azure AD, and connected cloud services. This specific example uses the Cloud Management service, which includes a Windows 10 client, and both server and client apps. The flows for other services are similar.
- The Configuration Manager administrator imports or creates the client and server apps in Azure AD.
- The Configuration Manager Azure AD user discovery method runs. The site uses the Azure AD server app token to query Microsoft Graph for user objects.
- The site stores data about the user objects. For more information, see Azure AD User Discovery.
- The Configuration Manager client requests the Azure AD user token. The client makes the claim using the application ID of the Azure AD client app, and the server app as the audience. For more information, see Claims in Azure AD Security Tokens.
- The client authenticates with the site by presenting the Azure AD token to the cloud management gateway and on-premises HTTPS-enabled management point.
For more detailed information, see Azure AD authentication workflow.
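The claim checks that the final step of this flow depends on (the server app is the audience, the client app requested the token, the token comes from the onboarded tenant), shown as an added illustration that is not part of this article or of Configuration Manager's own code. It constructs an unsigned JWT-shaped token so it runs offline; the tenant GUID and the v1 issuer format are assumptions, the client ID and App ID URI are the article's example values, and a real token's signature must be verified before any of these claims is trusted.

```python
import base64
import json
from datetime import datetime, timezone

# Constructed values standing in for the registrations the article describes.
TENANT_ID = "11111111-1111-1111-1111-111111111111"      # placeholder tenant GUID (assumption)
CLIENT_APP_ID = "a26a653e-17aa-43eb-ab36-0e36c7d29f49"   # example client ID from the article
SERVER_APP_ID_URI = "https://ConfigMgrService"            # default App ID URI from the article
# Azure AD v1 access tokens carry this issuer form; treated here as an assumption.
EXPECTED_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"
EXAMPLE_NOW = datetime(2021, 8, 2, tzinfo=timezone.utc)  # fixed clock for the sample


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with an empty signature, for this example only.
    Real Azure AD tokens are RS256-signed; verify the signature against the tenant's
    published keys before trusting any claim checked below."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def check_token_claims(token: str, now: datetime) -> tuple:
    """Return (accepted, reason) after checking the claims the site relies on:
    aud is the server app, appid is the client app, tid/iss name the onboarded
    tenant, and exp is still in the future."""
    try:
        _header, payload_b64, _signature = token.split(".")
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        return False, "malformed token"
    if not isinstance(claims, dict):
        return False, "malformed token"
    if claims.get("aud") != SERVER_APP_ID_URI:
        return False, "audience is not the server app"
    if claims.get("appid") != CLIENT_APP_ID:
        return False, "token was not requested by the client app"
    if claims.get("tid") != TENANT_ID or claims.get("iss") != EXPECTED_ISSUER:
        return False, "token was not issued by the onboarded tenant"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= int(now.timestamp()):
        return False, "token is expired or has no exp claim"
    return True, "ok"


def sample_claims(now: datetime, **overrides) -> dict:
    """Claims a valid client-app token for the server app would carry (constructed)."""
    claims = {"aud": SERVER_APP_ID_URI, "appid": CLIENT_APP_ID, "tid": TENANT_ID,
              "iss": EXPECTED_ISSUER, "exp": int(now.timestamp()) + 3600}
    claims.update(overrides)
    return claims


if __name__ == "__main__":
    print(check_token_claims(make_unsigned_token(sample_claims(EXAMPLE_NOW)), EXAMPLE_NOW))
    wrong_audience = sample_claims(EXAMPLE_NOW, aud="https://graph.microsoft.com")
    print(check_token_claims(make_unsigned_token(wrong_audience), EXAMPLE_NOW))
```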