Back in November at the MVP Summit we were all part of a Hackathon where the MVPs submitted ideas for new features in Configuration Manager. Kim Oppalfens, Kaido Järvemets and I were part of a hackathon project, based on an idea that was either mine or Kim's to start with, to make it easier to do a proof of concept of mobile device management with Intune in a hybrid setup with Configuration Manager. To use Intune in hybrid mode with Configuration Manager, the users that are allowed to enroll devices must be present in Configuration Manager and match the users in Azure AD, which is why it normally requires Azure AD synchronization with AAD Connect and matching UPNs to be in place before you can use it. Setting that up just to do a proof of concept can be a huge effort.
It also makes it really simple to set up Intune in a test environment with the Technical Preview of Configuration Manager. The result of that hackathon project is now available in Configuration Manager Technical Preview 1604 and later in the form of AzureDirectoryUserSync.exe, which is located in the Tools folder of the Configuration Manager install directory.
How does AzureDirectoryUserSync work, then? It uses the Microsoft Graph API to read the user information from Azure AD and writes it to the Configuration Manager database, so we can enroll devices in Intune/Configuration Manager for a proof of concept, or set up a test environment with the Technical Preview of Configuration Manager, without having to set up AAD Connect and deal with UPN challenges. It takes about 10 minutes to set up an Intune subscription in Configuration Manager and import the users so you can start enrolling devices.
This is great stuff!
So how do we set it up, then? To start with we need a Configuration Manager Technical Preview 1604 environment or later and an Intune trial.
- Create an Intune trial (http://aka.ms/intune)
- Log on to the office 365 portal and create a couple of test users (https://portal.office.com/AdminPortal/Home?switchtomoderndefault=true#/users)
- Log on to the O365 App Registration Tool (https://dev.office.com/app-registration)
Sign in with the account we created above for the Intune trial.
- Approve the permissions required for dev.office.com by pressing Accept
- Create an application with the following settings and permissions; this will grant the AzureDirectoryUserSync application permission to read the user information from Azure AD. Select Register App when done.
Note that the settings must match those shown below exactly.
- Copy the Client ID to the clipboard and save it in a text file for use with the AzureDirectoryUserSync tool.
- On your Configuration Manager server, open an elevated command prompt and run the following command. (Make sure that IE Enhanced Security Configuration is not enabled, otherwise it will fail.)
AzureDirectoryUserSync.exe -Tenant <tenant> -appClientId <appid> -redirecturi http://localhost:8000
In my example that is:
AzureDirectoryUserSync.exe -Tenant CCMEXECTP5.onmicrosoft.com -appClientId d089f0bc-123b-4a96-a30f-a3375f3f1ca4 -RedirectURI http://localhost:8000
You will be prompted to log in.
Then you will be prompted to accept the permissions needed for the SCCM AAD Sync application.
When the command finishes, the output looks like this, with the number of users created on the last line.
- Launch the Configuration Manager console and you will now see the imported users there.
- We can now configure our Intune subscription as we normally do and use these users to enroll devices.
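To make the "read users from Graph, write them so they match on UPN" job described above concrete, here is an added example in Python. It is not the code of AzureDirectoryUserSync.exe or of the Configuration Manager product; it is a sketch of the same job: page through the Microsoft Graph /users collection (following @odata.nextLink, which Graph returns whenever a collection does not fit in one response) and work out which UPNs still need to be created in Configuration Manager. The Graph response pages, the user objects and the list of UPNs already in ConfigMgr are all constructed sample data embedded in the script, so it runs offline; graph_fetch is the only part that touches the network and assumes you already hold a bearer access token for Graph.

```python
"""Added example (not the AzureDirectoryUserSync tool's own code): page through
Microsoft Graph /users and plan a UPN-matched import into ConfigMgr."""
import json
import urllib.request
from typing import Callable, Dict, Iterable, Iterator

# The Graph collection the tool's job maps onto. $top keeps pages small so the
# @odata.nextLink handling below is actually exercised against a real tenant.
GRAPH_USERS_URL = ("https://graph.microsoft.com/v1.0/users"
                   "?$select=id,userPrincipalName,displayName&$top=100")

# Constructed sample data: two pages in the shape Graph returns for GET /users.
# The ids, names and the skiptoken link are made up for this example.
SAMPLE_PAGES: Dict[str, dict] = {
    GRAPH_USERS_URL: {
        "value": [
            {"id": "aaaaaaaa-0000-4000-8000-000000000001",
             "userPrincipalName": "alice@CCMEXECTP5.onmicrosoft.com",
             "displayName": "Alice Test"},
            {"id": "aaaaaaaa-0000-4000-8000-000000000002",
             "userPrincipalName": "bob@CCMEXECTP5.onmicrosoft.com",
             "displayName": "Bob Test"},
        ],
        "@odata.nextLink": "https://graph.microsoft.com/v1.0/users?$skiptoken=constructed-page-2",
    },
    "https://graph.microsoft.com/v1.0/users?$skiptoken=constructed-page-2": {
        "value": [
            {"id": "aaaaaaaa-0000-4000-8000-000000000003",
             "userPrincipalName": "carol@CCMEXECTP5.onmicrosoft.com",
             "displayName": "Carol Test"},
            {"id": "aaaaaaaa-0000-4000-8000-000000000004",
             "userPrincipalName": None,   # object with no UPN: nothing to match on
             "displayName": "No UPN"},
        ],
    },
}


def graph_fetch(url: str, token: str) -> dict:
    """Live fetcher: one GET against Microsoft Graph with a bearer access token."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def sample_fetch(url: str) -> dict:
    """Offline fetcher that serves the constructed pages above."""
    return SAMPLE_PAGES[url]


def iter_graph_users(fetch: Callable[[str], dict], url: str = GRAPH_USERS_URL) -> Iterator[dict]:
    """Yield every user object, following @odata.nextLink until Graph stops sending one."""
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def plan_sync(aad_users: Iterable[dict], cm_upns: Iterable[str]) -> dict:
    """Decide what an import into ConfigMgr would have to do.

    Users can only enroll in the hybrid setup if they exist in ConfigMgr with a
    UPN that matches Azure AD, so the comparison is by UPN and case-insensitive
    (UPNs are not case-sensitive). Returns the UPNs to create, the ones already
    present, and the ids of objects that carry no UPN and cannot be matched.
    """
    existing = {u.lower() for u in cm_upns}
    plan = {"create": [], "present": [], "unmatchable": []}
    seen = set()
    for user in aad_users:
        upn = user.get("userPrincipalName")
        if not upn:
            plan["unmatchable"].append(user.get("id"))
            continue
        key = upn.lower()
        if key in seen:          # same UPN seen twice across pages: do not create twice
            continue
        seen.add(key)
        (plan["present"] if key in existing else plan["create"]).append(upn)
    return plan


if __name__ == "__main__":
    users = list(iter_graph_users(sample_fetch))
    # Pretend ConfigMgr already knows Alice, stored with different letter case.
    print(json.dumps(plan_sync(users, ["ALICE@ccmexectp5.onmicrosoft.com"]), indent=2))
```

Against a real tenant you would call iter_graph_users(lambda u: graph_fetch(u, token)) and feed plan_sync the UPNs you already have in ConfigMgr; the shape of the result is the same as for the sample pages.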
This is really cool stuff and makes it so easy to do a proof-of-concept setup of Intune in hybrid mode, and to use the Technical Preview of Configuration Manager as well!
Note that the tool is part of the Technical Preview, which means it can change before release, and it is intended for proof-of-concept and test environments.