Saturday, 12 September 2020

Tenant Attach - Resource Explorer in the admin center

 Introduction

Any admin with more than a passing interest in Microsoft Endpoint Configuration Manager, or in any of its earlier incarnations such as SCCM 2007 or SMS 2.0, will have used the humble Resource Explorer.

Traditionally the Resource Explorer is accessed by navigating to Assets and Compliance\Devices, right-clicking a device and selecting Start\Resource Explorer.  You are then presented with an MMC-style interface with four nodes:  Hardware, Hardware History, Software and Diagnostic Files.  Each node usually contains many more sub-sections, and together they give the IT administrator a great deal of information for troubleshooting any device that has reported hardware inventory.

Here is how the Resource Explorer looked in SMS 2.0


And here is how it looks in MEM CM Technical Preview 2008


Within the last week at the time of writing, Microsoft has made the Resource Explorer available in the cloud, in the Microsoft Endpoint Manager admin center.  The feature is in preview status and can be used once Tenant Attach has been configured on the on-premises Configuration Manager site server.  This is a great development from Microsoft and a clear statement of intent, if such a statement were ever needed: systems management is moving quickly in the direction of the cloud, and there will be no turning back, to be sure.

This article will contain the following sections:

1) How to use the Resource Explorer in the Microsoft Endpoint Manager Admin Center.

2) How to configure Tenant Attach to enable the Resource Explorer.

3) How to configure the permissions on your MEM CM admin account so that various common errors are avoided.

The article is not a step-by-step quick start guide and so will not contain such instructions, but it will contain screenshots to help the administrator configure his or her tenant attachment accordingly.


How to use the Resource Explorer in the Microsoft Endpoint Manager Admin Center

Providing your on-premises Microsoft Endpoint Configuration Manager site is configured correctly with Tenant Attach, there are no additional tasks required.  All you need to do is log into the MEM admin center portal with an account synchronised to the Azure tenant and holding the correct permissions (detailed below).  Then navigate to Home\Devices\All Devices and select the device for which you would like to run the online Resource Explorer.  In the left-hand pane, under the Monitor heading, you will see the preview features, one of which is the Resource Explorer.



When you click on Resource Explorer (preview) you are presented with all the familiar hardware sub-sections on the left-hand side and the inventory details on the right-hand side.  The following capture shows the Windows app class.



How to configure Tenant Attach to enable the Resource Explorer

There is a good chance that the Resource Explorer does not work in the cloud portal when you try the test described above.  The feature is in preview, so writing down specific instructions is not the best approach; they could change very quickly.  Instead I will make a few points about prerequisites and then show screenshots of my Tenant Attach configuration.

Prerequisites

1) An Azure AD tenant.

2) A UPN suffix configured in Active Directory Domains and Trusts that matches the domain name of your tenant.  My tenant domain name is endpointmgrbtinternet.onmicrosoft.com and so I have this configured as an alternate UPN suffix.

3) An SCCM admin account whose UPN uses the suffix of your cloud tenant.  It needs to have the Intune Administrator cloud role.  My account also has the Global Administrator cloud role assigned.  Note that Global Administrator is only required for the one-time consent when Tenant Attach is onboarded; on a least-privilege basis the day-to-day admin account should not keep that role.

4) The Tenant Attach cloud service needs to be created in SCCM.  Instructions can be found here:



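The UPN suffix requirement in prerequisites 2 and 3 is the one most often missed, so here is an added example (my own, not from the original post or from Microsoft) that checks it from the on-premises side.  It reads the forest's UPN suffixes and the admin account's UPN with the ActiveDirectory module and reports whether the suffix is registered and matches the tenant.  The tenant domain and the account name are placeholder assumptions.

```powershell
# Added example, not part of the original post: checks prerequisites 2 and 3 from the
# on-premises side. The tenant domain and account name below are placeholder assumptions.
param(
    [string]$TenantDomain = 'endpointmgrbtinternet.onmicrosoft.com',
    [string]$AdminAccount = 'cmadmin'
)

Import-Module ActiveDirectory

function Test-CMAdminUpnPrerequisites {
    param(
        [Parameter(Mandatory)][string]$TenantDomain,
        [Parameter(Mandatory)][string]$AdminAccount
    )

    $forest = Get-ADForest
    # Every domain DNS name is an implicit UPN suffix; UPNSuffixes holds the
    # alternate suffixes added in Active Directory Domains and Trusts.
    $validSuffixes = @($forest.Domains) + @($forest.UPNSuffixes)

    $user   = Get-ADUser -Identity $AdminAccount -Properties UserPrincipalName
    $upn    = $user.UserPrincipalName
    $suffix = if ($upn) { $upn.Substring($upn.IndexOf('@') + 1) } else { '' }

    [pscustomobject]@{
        Account                  = $user.SamAccountName
        UserPrincipalName        = $upn
        SuffixRegisteredInForest = ($validSuffixes -contains $suffix)
        SuffixMatchesTenant      = ($suffix -eq $TenantDomain)
        TenantSuffixInForest     = ($validSuffixes -contains $TenantDomain)
    }
}

$result = Test-CMAdminUpnPrerequisites -TenantDomain $TenantDomain -AdminAccount $AdminAccount
$result | Format-List

# Remediation if either check is false (uncomment to apply, then re-run the check):
# Set-ADForest -Identity (Get-ADForest) -UPNSuffixes @{Add = $TenantDomain}
# Set-ADUser -Identity $AdminAccount -UserPrincipalName "$AdminAccount@$TenantDomain"
```

All three flags should be True before the account is synchronised to the tenant; a suffix that is registered in the forest but differs from the tenant domain will still synchronise, but the cloud user then does not match the on-premises account and the admin center checks fail.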

The Tenant Attach Configuration

1) Configure Tenant Attach via the Co-management node, with upload options as follows:



2) Configure Enablement as follows:




3) You may find that the user discovery record (DDR) for your SCCM admin account has no Azure AD values; if this is the case the preview features will fail.  For instance, an SCCM User DDR like the following is incorrect: there are no values for Azure Active Directory Tenant ID or Azure Active Directory User ID.



4) To resolve this we need to create another Azure service from within SCCM.  This is a Cloud Management service, so that Azure AD discovery can be run.  The Azure service is created by running the Configure Azure Services wizard from Administration\Overview\Cloud Services\Azure Services.  You will create a standard Web app and a standard Native Client app, accepting the default settings.  I have named my service Azure Discovery because that is what this service is for.



5) Within the created Cloud Management service I configure Azure Active Directory User Discovery as follows:


6) Within the same service I configure Azure Active Directory Group Discovery, so that records for resources within a group can be created.




7) The Collection Synchronisation function is enabled.




8) With the additional Azure cloud service created you can run a full discovery, after which your SCCM admin account will carry the required Azure AD DDR information.




9) For belt and braces, ensure that the Renew Azure Secret Key and Update Application Settings actions are run; both are available on the ribbon when the Azure Active Directory Tenants node is selected.  Renewing the secret key creates a new client secret for the web app in Azure AD, so it is also the action to run if the existing secret expires or is suspected to have leaked.


10) Finally, it is a good idea to check that the SMS_SERVICE_CONNECTOR component in SCCM is functioning properly and online.  You can check this through the status messages.
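Steps 3, 8 and 10 can all be checked from a script rather than by clicking through the console.  The following is an added example of my own (not code from the original post or from Microsoft) that queries the SMS Provider for the admin account's user DDR, reads the SMS_SERVICE_CONNECTOR row from the component summarizer, and scans the two tenant attach worker logs for failures.  The site server name, site code, admin UPN and log directory are placeholder assumptions, and the account running it needs read access to the SMS Provider namespace.

```powershell
# Added example, not part of the original post: verifies steps 3, 8 and 10 against the
# SMS Provider. Site server, site code, admin UPN and log path are placeholder assumptions.
param(
    [string]$SiteServer = 'CM01',
    [string]$SiteCode   = 'PS1',
    [string]$AdminUpn   = 'cmadmin@endpointmgrbtinternet.onmicrosoft.com'
)

$Namespace = "root\SMS\site_$SiteCode"

function Get-CMUserAadIds {
    # SMS_R_User is the user discovery record (DDR). AADTenantID and AADUserID are
    # populated only by Azure AD User Discovery; the empty values seen in step 3 show up here.
    param([Parameter(Mandatory)][string]$Upn)
    $rec = Get-CimInstance -ComputerName $SiteServer -Namespace $Namespace `
        -ClassName SMS_R_User -Filter "UserPrincipalName='$Upn'" | Select-Object -First 1
    if (-not $rec) { throw "No user DDR found for $Upn. Has AD user discovery run?" }
    [pscustomobject]@{
        UniqueUserName       = $rec.UniqueUserName
        AADTenantID          = $rec.AADTenantID
        AADUserID            = $rec.AADUserID
        ReadyForTenantAttach = -not ([string]::IsNullOrEmpty($rec.AADTenantID) -or
                                     [string]::IsNullOrEmpty($rec.AADUserID))
    }
}

function Get-CMServiceConnectorStatus {
    # SMS_ComponentSummarizer backs the Component Status node in the console.
    # Status: 0 = OK, 1 = Warning, 2 = Critical. AvailabilityState: 0 = Online, 3 = Offline, 4 = Unknown.
    $comp = Get-CimInstance -ComputerName $SiteServer -Namespace $Namespace `
        -ClassName SMS_ComponentSummarizer -Filter "ComponentName='SMS_SERVICE_CONNECTOR'" |
        Select-Object -First 1
    if (-not $comp) { throw 'SMS_SERVICE_CONNECTOR not found in the component summary.' }
    [pscustomobject]@{
        ComponentName     = $comp.ComponentName
        Status            = (@{0 = 'OK'; 1 = 'Warning'; 2 = 'Critical'})[[int]$comp.Status]
        AvailabilityState = (@{0 = 'Online'; 3 = 'Offline'; 4 = 'Unknown'})[[int]$comp.AvailabilityState]
        Errors            = $comp.Errors
        Warnings          = $comp.Warnings
    }
}

function Get-CMTenantAttachLogErrors {
    # The tenant attach workers log on the site server. The default install path below is an assumption.
    param([string]$LogDir = "\\$SiteServer\C$\Program Files\Microsoft Configuration Manager\Logs")
    foreach ($log in 'CMGatewayNotificationWorker.log', 'CMGatewaySyncUploadWorker.log') {
        $path = Join-Path -Path $LogDir -ChildPath $log
        if (Test-Path -Path $path) {
            Get-Content -Path $path -Tail 200 |
                Select-String -Pattern 'ERROR|Failed|Exception' |
                ForEach-Object { "$log : $($_.Line)" }
        }
        else {
            "$log : not found at $path"
        }
    }
}

Get-CMUserAadIds -Upn $AdminUpn | Format-List
Get-CMServiceConnectorStatus | Format-List
Get-CMTenantAttachLogErrors
```

If ReadyForTenantAttach is False, re-run the Azure AD User Discovery from step 5 and check again; if the component Status is Critical or the AvailabilityState is Offline, the service connection point cannot reach the cloud and nothing in the admin center will work regardless of the account permissions.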





Add MEM CM admin account to Configuration Manager Microservice Application

It is possible that you are still not able to use the MEM CM device preview features with the above configuration in place.  If so, you may have to look at the Configuration Manager Microservice enterprise application.

1) In the Microsoft Azure portal, open Azure Active Directory.

2) Navigate to Enterprise Applications and change the Application type to All Applications.





3) In the search field type Configuration Manager Microservice.





4) Click on the application when it appears and then click on Users and Groups, and add your Configuration Manager administrator account as a user of this application.  Assign the individual admin accounts rather than a broad group so that the set of identities able to drive devices from the cloud stays small and reviewable.
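The same assignment can be scripted, which is useful when several admin accounts need adding or when the assignment has to be reproduced in another tenant.  The block below is an added example of my own (not from the original post or from Microsoft) using the AzureAD PowerShell module: it looks up the Configuration Manager Microservice service principal, skips the user if an assignment already exists, and otherwise assigns the default access role.  The admin UPN is a placeholder assumption, and it assumes the application exposes no custom app roles, which is what the portal's default assignment corresponds to.

```powershell
# Added example, not part of the original post: scripts steps 1 to 4 above with the
# AzureAD module. The admin UPN is a placeholder assumption.
param(
    [string]$AdminUpn = 'cmadmin@endpointmgrbtinternet.onmicrosoft.com'
)

Import-Module AzureAD
Connect-AzureAD | Out-Null

function Add-CMAdminToMicroservice {
    param([Parameter(Mandatory)][string]$Upn)

    # The service principal only exists once Tenant Attach onboarding has consented to it.
    $sp = Get-AzureADServicePrincipal -Filter "displayName eq 'Configuration Manager Microservice'"
    if (-not $sp) {
        throw 'Configuration Manager Microservice service principal not found; complete Tenant Attach onboarding first.'
    }

    $user = Get-AzureADUser -ObjectId $Upn

    # Idempotent: do not create a duplicate assignment for an account that already has one.
    $existing = Get-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId |
        Where-Object { $_.ResourceId -eq $sp.ObjectId }
    if ($existing) {
        Write-Verbose "$Upn is already assigned to $($sp.DisplayName)"
        return $existing
    }

    # Assumption: the app defines no app roles, so the default access role id is the empty GUID,
    # which is the same assignment the portal creates under Users and Groups.
    New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId `
        -ResourceId $sp.ObjectId -Id ([Guid]::Empty)
}

Add-CMAdminToMicroservice -Upn $AdminUpn -Verbose
```

Run it with an account that can manage enterprise application assignments; after it completes, Get-AzureADUserAppRoleAssignment for the admin user should list the microservice's ObjectId under ResourceId.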


I hope you have enjoyed reading my article on using the new Resource Explorer in the Microsoft Endpoint Manager admin center.
