ta-scope-INADO-12698965

Author: mestew

memdocs/configmgr/cloud-attach/toc.yml

@@ -7,8 +7,8 @@ items:
   href: enable.md 
 - name: Tenant attach
   items:
-  - name: Tenant attach overview
-    href: ../tenant-attach/device-sync-actions.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json
+  - name: Tenant attach prerequisites
+    href: ../tenant-attach/prerequisites.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json
   - name: Enable tenant attach
     href: ../tenant-attach/device-sync-actions.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json  
   - name: Use tenant attach

memdocs/configmgr/core/get-started/2021/includes/2103/7958749.md

@@ -19,7 +19,7 @@ Microsoft Endpoint Manager is an integrated solution for managing all of your de
 
 ### Prerequisites for cloud attach during upgrade
 
-The same prerequisites apply as for tenant attach. For more information, see [Enable tenant attach](../../../../../tenant-attach/device-sync-actions.md#prerequisites).
+The same prerequisites apply as for tenant attach. For more information, see [Enable tenant attach](../../../../../tenant-attach/device-sync-actions.md).
 
 The new pages in the Updates Wizard only appear when you update the site from technical preview branch version 2102 or later.
 

memdocs/configmgr/core/plan-design/changes/whats-new-in-version-2103.md

@@ -49,7 +49,7 @@ The discovery prerequisite for user accounts accessing tenant attach features wi
 - Azure Active Directory user discovery
 - Active Directory user discovery
 
-For more information, see [Tenant attach prerequisites](../../../tenant-attach/device-sync-actions.md#prerequisites).
+For more information, see [Tenant attach prerequisites](../../../tenant-attach/prerequisites.md).
 
 ### Application details
 <!--8364465-->

memdocs/configmgr/core/understand/product-and-licensing-faq.yml

@@ -117,7 +117,7 @@ sections:
           - [Co-management prerequisites](../../comanage/overview.md#prerequisites)
           - [Windows Autopilot requirements](/windows/deployment/windows-autopilot/windows-autopilot-requirements)
           - [Desktop analytics prerequisites](../../desktop-analytics/overview.md#prerequisites)
-          - [Tenant attach prerequisites](../../tenant-attach/device-sync-actions.md#prerequisites)
+          - [Tenant attach prerequisites](../../tenant-attach/prerequisites.md)
           - [Endpoint analytics licensing prerequisites](../../../analytics/overview.md#licensing-prerequisites)
           - [Use conditional access with Intune](../../../intune/protect/conditional-access.md#ways-to-use-conditional-access-with-intune)
           - [TeamViewer prerequisites](../../../intune/remote-actions/teamviewer-support.md#prerequisites)

memdocs/configmgr/tenant-attach/device-sync-actions.md

@@ -2,7 +2,7 @@
 title: Microsoft Endpoint Manager tenant attach
 titleSuffix: Configuration Manager
 description: Upload your Configuration Manager devices to the cloud service and take actions from the admin center.
-ms.date: 12/21/2021
+ms.date: 03/21/2022
 ms.topic: conceptual
 ms.prod: configuration-manager
 ms.technology: configmgr-core
@@ -17,52 +17,7 @@ ms.collection: highpri
 <!--3555758 live 3/4/2020  Configuration Manager version 2002 min-->
 *Applies to: Configuration Manager (current branch)*
 
-Microsoft Endpoint Manager is an integrated solution for managing all of your devices. Microsoft brings together Configuration Manager and Intune into a single console called **Microsoft Endpoint Manager admin center**. You can upload your Configuration Manager devices to the cloud service and take actions from the **Devices** blade in the admin center.
-
-## Prerequisites
-
-- An account that is a *Global Administrator* for signing in when applying this change. For more information, see [Azure Active Directory (Azure AD) administrator roles](/azure/role-based-access-control/rbac-and-directory-admin-roles#azure-ad-administrator-roles).
-
-  - Onboarding creates a third-party app and a first party service principal in your Azure AD tenant.
-
-- An Azure cloud environment.
-
-  - The **Upload to Microsoft Endpoint Manager admin center** option is disabled for Microsoft Azure China 21Vianet (Azure China Cloud) and Azure US Government Cloud.<!--8815787--> Starting in version 2107, this option is available for US Government customers.
-
-- Starting in version 2107, United States Government customers can use the following tenant attach features in the US Government cloud:<!-- 8353823 -->
-
-  - Account onboarding
-  - Tenant sync to Intune
-  - Device sync to Intune
-  - Device actions in the Microsoft Endpoint Manager admin center
-
-- At least one Intune license for you as the administrator to access the Microsoft Endpoint Manager admin center. <!--10254915-->
-
-- The [administration service](../develop/adminservice/overview.md) in Configuration Manager needs to be set up and functional. <!--1104776-->
-
-- The user accounts triggering device actions have the following prerequisites:
-   - The user account needs to be a synced user object in Azure AD (hybrid identity). This means that the user is synced to Azure Active Directory from Active Directory.
-     - For Configuration Manager version 2103, and later: </br>
-   Has been discovered with either [Azure Active Directory user discovery](../core/servers/deploy/configure/about-discovery-methods.md#azureaddisc) or [Active Directory user discovery](../core/servers/deploy/configure/about-discovery-methods.md#bkmk_aboutUser). <!--9089764-->
-     - For Configuration Manager version 2010, and earlier: </br>
-   Has been discovered with both [Azure Active Directory user discovery](../core/servers/deploy/configure/about-discovery-methods.md#azureaddisc) and [Active Directory user discovery](../core/servers/deploy/configure/about-discovery-methods.md#bkmk_aboutUser).
-.
-
-   - The **Initiate Configuration Manager action** permission under **Remote tasks** in the Microsoft Endpoint Manager admin center. 
-      - For more information about adding or verifying permissions in the admin center, see [Role-based access control (RBAC) with Microsoft Intune](../../intune/fundamentals/role-based-access-control.md#roles).
-
-- If your central administration site has a [remote provider](../core/plan-design/hierarchy/plan-for-the-sms-provider.md), then follow the instructions for the [CAS has a remote provider](../core/servers/manage/cmpivot-changes.md#cas-has-a-remote-provider) scenario in the CMPivot article. <!--7796824-->
-
-This feature supports all OS versions that Configuration Manager currently supports as a client. For more information, see [Supported OS versions for clients and devices](../core/plan-design/configs/supported-operating-systems-for-clients-and-devices.md).<!-- MEMDocs#545 -->
-
-## Internet endpoints
-
-[!INCLUDE [Internet endpoints for tenant attach](../core/plan-design/network/includes/internet-endpoints-tenant-attach.md)]
-
-Starting in version 2010, the service connection point validates important internet endpoints for tenant attach. These checks help make sure that the cloud service is available. It also helps you troubleshoot issues by quickly determining if network connectivity is a problem. For more information, see [Validate internet access](../core/servers/deploy/configure/about-the-service-connection-point.md#validate-internet-access).<!--8565578-->
-
-> [!NOTE]
-> The service connection point checks the CRL. If this server doesn't have access to the URLs listed above, the CRL check fails. Consider setting a system proxy or use the following command: 'netsh winhttp set proxy'. For more information, see [How the Windows Update client determines which proxy server to use to connect to the Windows Update Web site](https://support.microsoft.com/topic/how-the-windows-update-client-determines-which-proxy-server-to-use-to-connect-to-the-windows-update-web-site-08612ae5-3722-886c-f1e1-d012516c22a1). Make sure that you include a bypass list for internal site communications. This configuration may be neccesary as the proxy server settings within Configuration Manager only configure the proxy for Configuration Manager applications and not the underlying OS.
+Microsoft Endpoint Manager is an integrated solution for managing all of your devices. Microsoft brings together Configuration Manager and Intune into a single console called **Microsoft Endpoint Manager admin center**. You can upload your Configuration Manager devices to the cloud service and take actions from the **Devices** blade in the admin center. Before you enable tenant attach, verify that the [prerequisites for tenant attach](prerequisites.md) have been met.
 
 ## <a name="bkmk_edit"></a> Enable device upload when co-management is already enabled
 
@@ -128,8 +83,6 @@ When co-management isn't enabled, use the instructions below to enable device up
    [![Device overview in Microsoft Endpoint Manager admin center](./media/3555758-device-overview-actions.png)](./media/3555758-device-overview-actions.png#lightbox)
 
 
-[!INCLUDE [Import a previously created Azure AD application](includes/import-azure-app.md)]
-
 ## Display the Configuration Manager connector status from the admin console
  <!--IN9229333, CM7138634-->
 From the Microsoft Endpoint Manager admin center, you can review the status of your Configuration Manager connector. To display the connector status, go to **Tenant administration** > **Connectors and tokens** > **Microsoft Endpoint Configuration Manager**. Select a Configuration Manager hierarchy to display additional information about it.
@@ -167,6 +120,10 @@ When you offboard a hierarchy from the admin center, it may take up to two hours
 > [!NOTE]
 > If you are using custom [RBAC roles with Intune](../../intune/fundamentals/role-based-access-control.md#roles), you will need to grant the **Organization** > **Delete** permission to offboard a hierarchy.
 
+
+[!INCLUDE [Import a previously created Azure AD application](includes/import-azure-app.md)]
+
+
 ## Next steps
 
 - [Enroll Configuration Manager devices into Endpoint analytics](../../analytics/enroll-configmgr.md#bkmk_cm_enroll)

memdocs/configmgr/tenant-attach/prerequisites.md

@@ -0,0 +1,74 @@
+---
+title: Microsoft Endpoint Manager tenant attach prerequisites
+titleSuffix: Configuration Manager
+description: Prerequisites for Microsoft Endpoint Manager tenant attach.
+ms.date: 03/21/2022
+ms.topic: conceptual
+ms.prod: configuration-manager
+ms.technology: configmgr-core
+manager: dougeby
+author: mestew
+ms.author: mstewart
+ms.localizationpriority: high
+ms.collection: highpri
+---
+
+# Microsoft Endpoint Manager tenant attach: Prerequisites
+<!--3555758 live 3/4/2020  Configuration Manager version 2002 min-->
+*Applies to: Configuration Manager (current branch)*
+
+Microsoft Endpoint Manager is an integrated solution for managing all of your devices. Microsoft brings together Configuration Manager and Intune into a single console called **Microsoft Endpoint Manager admin center**. You can upload your Configuration Manager devices to the cloud service and take actions from the **Devices** page in the admin center. Some of the features you may want to use include:
+
+- Run PowerShell [scripts](scripts.md)
+- Install [applications](applications.md)
+- Query devices with [CMPivot](../tenant-attach/cmpivot-samples-attached.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json)
+- Display a [timeline](timeline.md) of events from the device
+
+## Prerequisites
+
+- An account that is a *Global Administrator* for signing in when applying this change. For more information, see [Azure Active Directory (Azure AD) administrator roles](/azure/role-based-access-control/rbac-and-directory-admin-roles#azure-ad-administrator-roles).
+
+  - Onboarding creates a third-party app and a first party service principal in your Azure AD tenant.
+
+- An Azure cloud environment.
+
+  - The **Upload to Microsoft Endpoint Manager admin center** option is disabled for Microsoft Azure China 21Vianet (Azure China Cloud) and Azure US Government Cloud.<!--8815787--> Starting in version 2107, this option is available for US Government customers.
+
+- Starting in version 2107, United States Government customers can use the following tenant attach features in the US Government cloud:<!-- 8353823 -->
+
+  - Account onboarding
+  - Tenant sync to Intune
+  - Device sync to Intune
+  - Device actions in the Microsoft Endpoint Manager admin center
+
+- At least one Intune license for you as the administrator to access the Microsoft Endpoint Manager admin center. <!--10254915-->
+
+- The [administration service](../develop/adminservice/overview.md) in Configuration Manager needs to be set up and functional. <!--1104776-->
+
+- The user accounts triggering device actions have the following prerequisites:
+   - The user account needs to be a synced user object in Azure AD (hybrid identity). This means that the user is synced to Azure Active Directory from Active Directory.
+     - For Configuration Manager version 2103, and later: </br>
+   Has been discovered with either [Azure Active Directory user discovery](../core/servers/deploy/configure/about-discovery-methods.md#azureaddisc) or [Active Directory user discovery](../core/servers/deploy/configure/about-discovery-methods.md#bkmk_aboutUser). <!--9089764-->
+     - For Configuration Manager version 2010, and earlier: </br>
+   Has been discovered with both [Azure Active Directory user discovery](../core/servers/deploy/configure/about-discovery-methods.md#azureaddisc) and [Active Directory user discovery](../core/servers/deploy/configure/about-discovery-methods.md#bkmk_aboutUser).
+.
+
+   - The **Initiate Configuration Manager action** permission under **Remote tasks** in the Microsoft Endpoint Manager admin center. 
+      - For more information about adding or verifying permissions in the admin center, see [Role-based access control (RBAC) with Microsoft Intune](../../intune/fundamentals/role-based-access-control.md#roles).
+
+- If your central administration site has a [remote provider](../core/plan-design/hierarchy/plan-for-the-sms-provider.md), then follow the instructions for the [CAS has a remote provider](../core/servers/manage/cmpivot-changes.md#cas-has-a-remote-provider) scenario in the CMPivot article. <!--7796824-->
+
+This feature supports all OS versions that Configuration Manager currently supports as a client. For more information, see [Supported OS versions for clients and devices](../core/plan-design/configs/supported-operating-systems-for-clients-and-devices.md).<!-- MEMDocs#545 -->
+
+## Internet endpoints
+
+[!INCLUDE [Internet endpoints for tenant attach](../core/plan-design/network/includes/internet-endpoints-tenant-attach.md)]
+
+Starting in version 2010, the service connection point validates important internet endpoints for tenant attach. These checks help make sure that the cloud service is available. It also helps you troubleshoot issues by quickly determining if network connectivity is a problem. For more information, see [Validate internet access](../core/servers/deploy/configure/about-the-service-connection-point.md#validate-internet-access).<!--8565578-->
+
+> [!NOTE]
+> The service connection point checks the CRL. If this server doesn't have access to the URLs listed above, the CRL check fails. Consider setting a system proxy or use the following command: 'netsh winhttp set proxy'. For more information, see [How the Windows Update client determines which proxy server to use to connect to the Windows Update Web site](https://support.microsoft.com/topic/how-the-windows-update-client-determines-which-proxy-server-to-use-to-connect-to-the-windows-update-web-site-08612ae5-3722-886c-f1e1-d012516c22a1). Make sure that you include a bypass list for internal site communications. This configuration may be neccesary as the proxy server settings within Configuration Manager only configure the proxy for Configuration Manager applications and not the underlying OS.
+
+## Next steps
+
+- [Enable tenant attach](device-sync-actions.md)

memdocs/configmgr/tenant-attach/toc.yml

@@ -3,6 +3,8 @@ items:
   href: index.yml
 - name: Deploy and use
   items:
+  - name: Prerequisites for tenant attach
+    href: prerequisites.md  
   - name: Enable tenant attach
     href: device-sync-actions.md
   - name: Client details

memdocs/configmgr/tenant-attach/troubleshoot-client-details.md

@@ -81,7 +81,7 @@ Typically, this error is caused by an issue with the admin account. Below are th
 
 **Error message:** Error validating request. Verify that the Configuration Manager service connection point can reach the internet endpoints required for tenant attach.
 
-**Possible causes:** Typically this error is seen when URLs that are needed by tenant attach are blocked. If the service connection point can't access the needed internet endpoints, a validation error will occur. For more information, see [Internet endpoints](device-sync-actions.md#internet-endpoints).
+**Possible causes:** Typically this error is seen when URLs that are needed by tenant attach are blocked. If the service connection point can't access the needed internet endpoints, a validation error will occur. For more information, see [Internet endpoints](prerequisites.md#internet-endpoints).
 
 ## <a name="bkmk_1603"></a> Unexpected error occurred
 

memdocs/configmgr/tenant-attach/troubleshoot.md

@@ -119,7 +119,7 @@ Validating device action message content...
 Unauthorized to perform client action. TemplateID: RequestMachinePolicy TenantId: a1b2c3a1-b2c3-d4a1-b2c3-d4a1b2c3a1b2 AADUserID: 3a1e89e6-e190-4615-9d38-a208b0eb1c78
 ```  
 
-Ensure the user running the action from the Microsoft Endpoint Manager admin center has the required permissions on Configuration Manager site. For more information, see [Microsoft Endpoint Manager tenant attach prerequisites](device-sync-actions.md#prerequisites).
+Ensure the user running the action from the Microsoft Endpoint Manager admin center has the required permissions on Configuration Manager site. For more information, see [Microsoft Endpoint Manager tenant attach prerequisites](prerequisites.md).