title Microsoft Intune tenant attach prerequisites
description Prerequisites for Microsoft Intune tenant attach.
ms.date 07/11/2022
ms.topic article
ms.subservice core-infra
ms.collection tier3

Microsoft Intune tenant attach: Prerequisites

Applies to: Configuration Manager (current branch)

The Microsoft Intune family of products is an integrated solution for managing all of your devices. Microsoft brings together Configuration Manager and Intune into a single console called Microsoft Intune admin center. You can upload your Configuration Manager devices to the cloud service and take actions from the Devices page in the admin center. Some of the features you may want to use include:

Prerequisites

  • An account that is a Microsoft Entra Global Administrator for signing in when applying this onboarding change.

    Onboarding creates a third-party app and a first-party service principal in your Microsoft Entra tenant.

    [!IMPORTANT] [!INCLUDE global-administrator]

  • An Azure cloud environment.

    • The Upload to Microsoft Endpoint Manager admin center option is disabled for Microsoft Azure China 21Vianet (Azure China Cloud) and Azure US Government Cloud. Starting in version 2107, this option is available for US Government customers.
  • Starting in version 2107, United States Government customers can use the following tenant attach features in the US Government cloud:

    • Account onboarding
    • Tenant sync to Intune
    • Device sync to Intune
    • Device actions in the Microsoft Intune admin center
  • The geographic location of the Azure tenant and the service connection point should be the same.

  • At least one Intune license for you as the administrator to access the Microsoft Intune admin center.

  • The administration service in Configuration Manager needs to be set up and functional.

  • If your central administration site has a remote provider, then follow the instructions for the "CAS has a remote provider" scenario in the CMPivot article.

This feature supports all OS versions that Configuration Manager currently supports as a client. For more information, see Supported OS versions for clients and devices.

Permissions

The user accounts performing device actions have the following prerequisites:

Internet endpoints

[!INCLUDE Internet endpoints for tenant attach]

The service connection point validates important internet endpoints for tenant attach. These checks help make sure that the cloud service is available. They also help you troubleshoot issues by quickly determining whether network connectivity is a problem. For more information, see Validate internet access.

Note

The service connection point checks the certificate revocation list (CRL). If this server doesn't have access to the URLs listed above, the CRL check fails. Consider setting a system proxy or using the following command: 'netsh winhttp set proxy'. For more information, see How the Windows Update client determines which proxy server to use to connect to the Windows Update Web site. Make sure that you include a bypass list for internal site communications. This configuration may be necessary because the proxy server settings within Configuration Manager only configure the proxy for Configuration Manager applications, not the underlying OS.
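
The proxy change described in the note above, as an added example that is not part of the original article: it sets the machine-wide WinHTTP proxy with a bypass list and reads the setting back to confirm it. The proxy host, port and bypass entries are constructed placeholders, and the script assumes an elevated PowerShell session on the service connection point server.

```powershell
# Constructed placeholder values: replace with your own proxy and internal namespaces.
$ProxyServer = 'proxy.contoso.example:8080'
$BypassList  = '*.corp.contoso.example;<local>'   # keeps internal site communications direct

# Keep a copy of the current OS-level WinHTTP setting so the change can be reviewed later.
$backup = Join-Path $env:TEMP 'winhttp-proxy-before.txt'
netsh winhttp show proxy | Out-File -FilePath $backup -Encoding ascii

# Pass each netsh argument as its own array element so ';' and '<local>' are not reinterpreted.
$netshArgs = @(
    'winhttp', 'set', 'proxy',
    "proxy-server=$ProxyServer",
    "bypass-list=$BypassList"
)
& netsh @netshArgs
if ($LASTEXITCODE -ne 0) {
    throw "netsh winhttp set proxy failed with exit code $LASTEXITCODE (is the session elevated?)"
}

# Read the setting back. String.Contains is used instead of -like because the
# bypass list itself contains '*', which -like would treat as a wildcard.
$current = (netsh winhttp show proxy) -join "`n"
$missing = @()
if (-not $current.Contains($ProxyServer)) { $missing += 'proxy server' }
if (-not $current.Contains($BypassList))  { $missing += 'bypass list' }

if ($missing.Count -gt 0) {
    throw "WinHTTP proxy was not applied as expected; missing: $($missing -join ', ')"
}
Write-Output "WinHTTP proxy set to $ProxyServer with bypass list $BypassList"
Write-Output "Previous setting saved to $backup"

# To return to direct access later, run: netsh winhttp reset proxy
```

After the change, rerun the service connection point's internet access validation to confirm that the CRL check now succeeds.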

Limitations

Currently, Configuration Manager devices aren't included when retrieving a device list through a PowerShell script or through Microsoft Graph API. To work around this issue, use the Export option from the All devices page in the admin center.

Next steps