Tenant Attach: modern device management

The use of personal devices for work, as well as the fact that employees can also work outside the office, have required changes in the way devices are managed within companies.

Microsoft has introduced the concept of Modern Management to describe the transition process from traditional device management, with an on-premise infrastructure, to a cloud-based environment where Azure AD is used for identity and access management and SaaS solutions ( Software-as-a-Service) are used for messaging, collaboration and other functionalities.

Figure 1 – Modern Management

So it is necessary to depart from the “legacy” philosophy of thinking which provides a traditional concept of IT where the approach adopted is centered on devices. A company-owned device is issued to employees and only they are authorized to join the corporate network for access to corporate applications and services.

Through Modern Management, the policies are aimed at end users and adopt a user-centered approach; BYOD (Bring Your Own Device) allows employees to use their own devices to access company resources allowing much more flexibility, efficiency and productivity than previous traditional methods.

Microsoft Endpoint Manager is the solution that takes the first step towards centralized management of all devices. Microsoft combines Configuration Manager and Intune together in a single console called Microsoft Endpoint Manager Admin Center.

Figure 2 – Microsoft Endpoint Manager

Starting with the 2002 version of Configuration Manager, it is possible to synchronize the devices registered on Configuration Manager on the Cloud service and perform actions through the Admin Center console: this feature was called Tenant Attach.


In order to proceed with the activation of Tenant Attach, you must have the following requirements:

  • An Azure Subscription;
  • Global Administrator account:
    • It will be used within the Configuration Manager console to perform onboarding;
  • An account with Full Administrator rights on the Configuration Manager infrastructure;
  • An account used to perform actions on devices with the following properties:
    • Discovered by the Azure Active Directory User discovery process (functionality to be activated from the Features section on Configuration Manager) and Active Directory User discovery; this means that the account used must be a user object synchronized in Azure AD.
    • Notify Resource rights on the Collections object class on Configuration Manager.
    • Initiate Configuration Manager action rights within the Remote tasks section on Microsoft Endpoint Manager Admin Center.

Feature Activation

Below is a quick guide to activate the Tenant Attach feature:

  • Access Configuration Manager console using the previously defined account with Full Administrator rights;
  • Select the Administration section from the ribbon at the bottom of the console;
  • Expand the Cloud Service folder and select the Co-management option;
  • From the ribbon at the top, select Configure Co-management;
  • Within the Tenant onboarding section, press the Sign In button and use the Global Admin account;
Figure 3 – Tenant onboarding wizard
  • Remove the flag from the Enable automatic client enrollment for co-management option to prevent synchronized devices from automatically proceeding with the enrollment on Microsoft Intune;
  • Press the Next button;

NOTE: a warning will be displayed indicating that a new application will be created on the Azure AD tenant to allow data synchronization on Intune; press the Yes button to continue.

  • Within the Configure upload section, define which devices to synchronize with Microsoft Endpoint Manager;
    • By selecting the option All my devices managed by Microsoft Endpoint Configuration Manager (recommended), all devices in the Configuration Manager infrastructure will be synchronized;
    • By selecting the Specific collection option it will be possible to define a subset of devices;
  • Press the Next button to complete the procedure;

To ensure the correct completion of the procedure, it is necessary to check the presence of the new application on the Azure AD tenant; to do this, follow the steps below:

  • Access Azure portal using the previously defined account with Global Administrator rights;
  • From the Home page, select the Azure Active Directory option (if not present, search for it through the appropriate search field at the top);
  • From the ribbon on the left, select the Enterprise Application item in the Manage section;
  • From the list of applications present, make sure that there is a new application called ConfigMgrSvc_ followed by an identifying GUID;
Figure 4 – Enterprise Application

As previously reported, this application will be used for data synchronization between Microsoft Endpoint Configuration Manager and Microsoft Intune.

How to perform actions on devices

Through the Microsoft Intune portal, you can force some actions on synchronized devices. Now the number of shares appears to be limited but Microsoft has repeatedly stressed that it is working to progressively add more and more actions:

  • Access Microsoft Endpoint Manager Admin Center portal using an account with administrative rights;
  • From the Home page, select the Devices option;
  • From the ribbon on the left, select the All devices item to view all the devices on the portal;
  • From the displayed list, select the affected device (all synchronized objects will have the Managed by field set to ConfigMgr);
Figure 5 – Synchronized and managed objects
  • At this point, you will be able to perform the following actions on the device:
    • Force a Machine Policy evaluation;
    • Force a User Policy evaluation;
    • Force an application evaluation cycle;
    • Force install application;
Figure 6 – Actions available from Microsoft Endpoint Manager
  • Within the Client details section (currently in preview) it will be possible to view some detailed information regarding the device and the communication status with the Configuration Manager server such as:
    • Last time a policy update request was made;
    • Last time the device communicated with the CM infrastructure;
    • Management Point;
    • Boundary Group;
  • Within the Collections section (also in this case in preview) it will be possible to view all the collections of which the device is part.


Here are some useful references to the official Microsoft documentation:


In this article has reported one of the new features available on Configuration Manager Current Branch version 2002 which gives way to an increasingly centralized management of corporate devices.

Microsoft’s vision and strategy for Modern Management is to enable employees to work how, when and where they want, while ensuring the security and protection of corporate data.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: