This article was originally posted on morethanpatches.com
This post follows on from a speaking session I did with Sam Erskine recently at Experts Live Europe in Berlin. A great event, by the way, if you ever get the chance to attend. In that session I demonstrated how to perform all the necessary pre-reqs and connect your Configuration Manager into an OMS subscription. The premise of our session was specifically working with patching via OMS, but I will cover more of that in a later post as it’s quite a hot topic for me at the moment.
I should say now that all of this can also be done via PowerShell; however, this guide will take you through the GUI steps, as I believe it helps you understand what you are doing. Obviously feel free to read this and then run the PowerShell from Tao Yang (based on CM 1606).
Well, a couple of whys here really.
Why am I writing this when this has been around for a little while now? – Because some things have changed and moved around, and a guide based on 1606 won’t be quite the same as this one based on 1706.
In earlier posts you may also notice that you had to use the Azure ASM portal (the old one!) but nowadays you can use just the ARM portal.
Why would I want to connect my OMS to my SCCM? – Because rather than being competing technologies, I believe they are complementary products, and OMS can provide some great facilities for update assessment and reporting as well as giving another option for monitoring and update deployment. Working for a managed services provider, I very often find that one solution does not meet all of our customers' environments, so it’s good to have different options available to make a solution.
What do I need?
So, to do this you will need:
- Microsoft System Center Configuration Manager Current Branch v1706 (also available 1606 onwards) with a service connection point set to ‘Online’ mode.
- Microsoft Azure Subscription (consumer or US government)
- Azure Active Directory (Basic will do)
- Microsoft Operations Management Suite workspace (free tier is adequate)
- About 20 minutes to set up the connection and then you’ll need to leave it for some hours (I will try to clarify this time) to do the initial synchronise and assessment.
In quick summary we are going to:
- Create an Azure App registration
- Set the appropriate permissions
- Gather the relevant information
- Make the connection in SCCM
- Install the OMS agent
- Tell OMS to import computers from SCCM
As per the session with Sam we used DBS (demo by screenshot), so these are those screenshots.
1. Log into your Azure portal and open your Azure Active Directory.
2. Select “App registrations”.
3. Create a new application registration.
4. Give the app registration a name. This can be anything you like, but I’d suggest something meaningful and make a note of this for later. Leave it as a Web app and finally input a sign-on URL, which can also be anything, but be sure not to clash with your existing app registrations. This will be used purely to grant permissions for SCCM into the OMS workspace. Click Create.
5. Select your app registration from the list.
6. Select “Keys”.
7. We’re now going to create a key for the app registration. Consider this as a password, as you only get one chance to note this key value when it is shown. If you miss it you will need to create a new key.
Enter a meaningful name into the Description field and choose a duration in the Expires field (the default is 1 year). Based on what you select, make a note of the expiry date i.e. current date plus 1 year.
8. Now hit the Save button and you will be presented with the key value. Remember you only get to see this once so copy this somewhere as you will need it later.
9. Now back in your Azure portal find “Log Analytics”.
10. If you don’t already have an OMS workspace, you will need to create one. It’s simple, free and takes a couple of minutes. Use this guide to get it up and running.
Once you have your OMS workspace, you will need to make a note of the resource group that it lives in. Keep this noted for later.
11. Again in your Azure portal, browse to Resource groups.
12. Find that Resource group you just noted for your OMS workspace and select it.
13. Select “Access control (IAM)”.
14. Now click “Add”.
Ensure the role is selected as “Contributor” (**very important**)
In the Select field, add the name of the App registration you created and select it; it should move to “Selected members”.
So from an Azure perspective at least, you’re done. The next job is to connect your Configuration Manager 1706 into OMS.
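For anyone who would rather script the Azure side (steps 1 to 14) than click through it, here is an added example of my own; it is not code from the original post, nor Tao Yang’s script. It assumes the Az PowerShell modules (Az.Accounts, Az.Resources 5.x or later, Az.OperationalInsights) and that Connect-AzAccount has already been run against the subscription holding the workspace; all names and URLs in it are placeholders for your own values, and the cmdlet parameter and property names are those of the Microsoft Graph based Az.Resources cmdlets, so older AzureRM equivalents differ. It creates the app registration, the client secret and the service principal, assigns Contributor on the resource group rather than on the app (the mistake step 21 warns about), checks that scope, and then returns the values the Configuration Manager wizard asks for in step 18 plus the workspace ID and primary key needed for the agent install in step 25. The Azure AD Tenant Name field is your verified domain name, which you already know, so it is not looked up here.

```powershell
# Added example, not from the original post: Azure side of steps 1-14 with the Az modules.
# Names, URLs and paths are placeholders; replace them with your own.

param(
    [string]$AppName          = 'SCCM-OMS-Connector',              # step 4: app registration name
    [string]$SignOnUrl        = 'https://sccm-oms.example.invalid', # step 4: any URL not used by another app
    [string]$ResourceGroup    = 'rg-oms-workspace',                # step 10: resource group of the workspace
    [string]$WorkspaceName    = 'oms-workspace',                   # step 10: OMS / Log Analytics workspace
    [int]   $KeyLifetimeYears = 1                                  # step 7: the portal default is 1 year
)

$ctx = Get-AzContext
if (-not $ctx) { throw 'Run Connect-AzAccount first and select the subscription that holds the workspace.' }

# Steps 3-5: the app registration. The identifier URI is what step 18 calls the App ID URI.
$app = New-AzADApplication -DisplayName $AppName -HomePage $SignOnUrl -IdentifierUris $SignOnUrl

# Steps 6-8: the client secret. SecretText is only returned by this call and cannot be read
# back later, exactly as with the portal, so it is captured here and returned once at the end.
$expiry = (Get-Date).AddYears($KeyLifetimeYears)
$cred   = New-AzADAppCredential -ApplicationId $app.AppId -EndDate $expiry

# The portal creates the service principal for you; with Az it is created explicitly, because the
# IAM assignment in steps 13-14 is made to the service principal, not to the app object.
$sp = New-AzADServicePrincipal -ApplicationId $app.AppId

# Steps 11-14: Contributor scoped to the resource group (the "very important" part). A freshly
# created service principal can take a moment to replicate, so the assignment is retried.
$attempt = 0
do {
    try {
        $null = New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Contributor' `
                    -ResourceGroupName $ResourceGroup -ErrorAction Stop
        break
    } catch {
        if (++$attempt -ge 6) { throw }
        Start-Sleep -Seconds 10
    }
} while ($true)

# The check behind step 21: the assignment must exist and be scoped to this resource group,
# not to the app registration or somewhere else.
$assignment = Get-AzRoleAssignment -ObjectId $sp.Id -ResourceGroupName $ResourceGroup |
    Where-Object { $_.RoleDefinitionName -eq 'Contributor' -and $_.Scope -like "*/resourceGroups/$ResourceGroup" }
if (-not $assignment) { throw "No Contributor assignment for $AppName scoped to resource group $ResourceGroup." }

# Workspace ID and primary key, needed for the agent install in step 25.
$ws  = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName
$key = Get-AzOperationalInsightsWorkspaceSharedKey -ResourceGroupName $ResourceGroup -Name $WorkspaceName

# Everything the Configuration Manager wizard (step 18) asks for, in its own field names.
# SecretKey and WorkspacePrimaryKey are credentials: put them in a password manager or Key Vault,
# keep them out of tickets and logs, and diarise SecretKeyExpiry so the key is renewed before the
# connector silently stops working.
[pscustomobject]@{
    AzureADTenantID     = $ctx.Tenant.Id
    ApplicationName     = $AppName
    ClientID            = $app.AppId
    SecretKey           = $cred.SecretText
    SecretKeyExpiry     = $expiry.ToString('yyyy-MM-dd')
    AppIDURI            = $SignOnUrl
    Subscription        = $ctx.Subscription.Name
    ResourceGroup       = $ResourceGroup
    WorkspaceID         = $ws.CustomerId
    WorkspacePrimaryKey = $key.PrimarySharedKey
}
```

Run it as a .ps1 from a session where Connect-AzAccount has already selected the right subscription. If the Contributor check throws, you have reproduced the empty drop-down problem from step 21 before ever opening the Configuration Manager console, which is a far quicker place to find it.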
15. In your Configuration Manager 1706 console, browse to the Administration workspace > Cloud Services > Azure Services > Configure Azure Services. This can be done either from a right click menu or from the ribbon.
16. Enter an appropriate name for your OMS Connector, give it a meaningful description and select OMS Connector from the radio buttons. Hit Next.
17. Select your appropriate Azure environment. Note that if you are using the US government cloud then there are some extra configuration steps required. These are detailed here.
I, like most, am using Azure Public Cloud. Hit Next.
18. Here you need to supply all the relevant information about your Azure AD and App registration for SCCM to make the connection. Be careful and make sure you have the correct information in the correct place. This process is different in older versions (pre-1706) of Configuration Manager.
Azure AD Tenant Name = your domain name in Azure AD
Azure AD Tenant ID = Azure portal > Azure Active Directory > Properties > Directory ID
Application Name = The App registration name
Client ID = Azure Portal > Azure Active Directory > App registrations > your OMS App reg > Application ID
Secret Key = The App registration key value you noted in step 8
Secret Key Expiry = The expiry date you calculated in step 7
App ID URI = Azure Portal > Azure Active Directory > App registrations > your OMS App reg > Properties > App ID URI (the end value is sufficient)
19. Once you’ve filled in all the info correctly, hit the verify button and you should hopefully see “Successfully verified”. Hit OK.
20. Confirm your Azure environment and Web app are correct then hit Next.
21. Ensure you have the correct Azure subscription selected along with the correct Resource group. If you see these drop-down boxes empty then there’s a good chance you have the permissions wrong in the earlier steps. I’ve seen this when the permissions have been set on the App registration as opposed to the Resource group.
22. You will need to now select a collection to synchronise with OMS. I suggest you make a separate collection(s) for this and do not use a high level collection such as All Systems. Hit Next.
23. Review the summary information and hit Next.
24. Wait for the green tick, hit close, whoop and cheer at your awesomeness. Almost there.
So with all that done there are two last things to do to get OMS to start seeing your SCCM collection.
25. We need to install the OMS agent on the Configuration Manager server at a minimum. There are other scenarios for this but I’ll cover this in a later post. The OMS agent must be installed on the Configuration Manager server that contains the Service Connection point and again this must be in the Online mode.
If by chance you already have the SCOM agent installed on this server then you can use this and add the OMS workspace ID in through the Microsoft Monitoring Agent applet in Control Panel. The SCOM and OMS agents are almost identical, see here for more info.
If you don’t already have this then you will need to install the OMS agent onto the appropriate server. I’ll spare you the screenshots as if you’re doing this then you are capable of following the short wizard. Download the 64 bit OMS agent from the OMS portal and note the workspace ID and Primary key to supply in the install.
You can find this in your OMS portal under Settings.
Now browse through Connected Sources > Windows Servers.
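To cover both cases in step 25 (no agent yet, or a SCOM agent already on the box) without the wizard, here is an added example of my own, not code from the original post or from Microsoft. It assumes you have downloaded the 64-bit agent (MMASetup-AMD64.exe) from the OMS portal to the path given, and it takes the workspace ID and primary key as parameters rather than hard-coding them. For a fresh install it drives setup.exe with the documented OPINSIGHTS_* properties; for an existing SCOM agent it adds the workspace through the agent’s AgentConfigManager.MgmtSvcCfg COM object, which is what the Microsoft Monitoring Agent applet does behind the scenes. The final check reads the attached workspaces back from the agent; the workspaceId property name used there is the one the COM object returns. Run it elevated on the server holding the Service Connection Point.

```powershell
# Added example, not from the original post: install or reconfigure the Microsoft Monitoring Agent
# on the Service Connection Point server (step 25) and verify the workspace is attached.

param(
    [Parameter(Mandatory)] [string]$WorkspaceId,            # workspace ID (a GUID), not the workspace name
    [Parameter(Mandatory)] [string]$WorkspaceKey,           # primary key from Settings > Connected Sources
    [string]$InstallerPath = 'C:\Temp\MMASetup-AMD64.exe',  # placeholder: 64-bit agent from the OMS portal
    [string]$ExtractPath   = 'C:\Temp\MMA'                  # placeholder: where the self-extractor unpacks
)

# The SCOM agent and the OMS agent are the same Microsoft Monitoring Agent, and its service is
# HealthService. If it is already present, only the workspace needs adding.
$agentInstalled = $null -ne (Get-Service -Name HealthService -ErrorAction SilentlyContinue)

if (-not $agentInstalled) {
    # Unpack the self-extractor, then run the MSI setup silently with the documented properties.
    Start-Process -FilePath $InstallerPath -ArgumentList "/c /t:`"$ExtractPath`"" -Wait -NoNewWindow
    $setupArgs = @(
        '/qn',
        'ADD_OPINSIGHTS_WORKSPACE=1',
        'OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0',          # 0 = Azure commercial, 1 = Azure US Government
        "OPINSIGHTS_WORKSPACE_ID=$WorkspaceId",
        "OPINSIGHTS_WORKSPACE_KEY=$WorkspaceKey",
        'AcceptEndUserLicenseAgreement=1'
    )
    $proc = Start-Process -FilePath (Join-Path $ExtractPath 'setup.exe') -ArgumentList $setupArgs `
                -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -ne 0) { throw "Agent setup failed with exit code $($proc.ExitCode)" }
} else {
    # Existing SCOM agent: add the OMS workspace through the agent's COM configuration object,
    # which is the same operation as the Azure Log Analytics tab of the control panel applet.
    $cfg = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
    $already = $cfg.GetCloudWorkspaces() | Where-Object { $_.workspaceId -eq $WorkspaceId }
    if (-not $already) {
        $cfg.AddCloudWorkspace($WorkspaceId, $WorkspaceKey)
        $cfg.ReloadConfiguration()
    }
}

# Verification for either path: the agent should now list the workspace.
$cfg = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
$attached = $cfg.GetCloudWorkspaces() | Where-Object { $_.workspaceId -eq $WorkspaceId }
if (-not $attached) { throw "Workspace $WorkspaceId is not attached to the agent on $env:COMPUTERNAME" }
"Agent on $env:COMPUTERNAME is configured for workspace $($attached.workspaceId)"
```

Pass the key in from a secure store rather than typing it on the command line, since the command line ends up in process-creation logs; and note that the server still needs its Service Connection Point in Online mode for any of this to matter, as the post says above.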
26. Now for the final steps. Tell OMS to Import Configuration Manager collection memberships.
In your OMS portal go to Settings.
27. Browse through Computer Groups > SCCM. Put a tick in the box to import collection memberships.
That’s it, you’re done! You will need to wait 12 hours for your OMS portal to bring in the computers before you can start to use them. I can’t put my hand on the exact timing right now but I will go find it and loop back to confirm this.
I suspect that there will become more use cases for this going forward and I hope to bring more information on that as and when these become available. Watch this space!