AAD Device Token Authentication and Cloud Management Gateway (CMG)

This post has been republished via RSS; it originally appeared at: Premier Field Engineering articles.

Hi, my name is Taj Mohammed. I am a PFE working in the US, primarily with SCCM. This is a continuation of my earlier blog, Importing Apps to set up Cloud Management Gateway for Configuration Manager. In this blog we will look at the prerequisites for AAD device token authentication, how to tell from the client and management point logs whether it is working, and how to fix the most common reason it is not.

 

Why do we need the AAD device token to work?

 

So that devices can be managed through the CMG when no user is signed in. Without a device token the client can only authenticate to the CMG with an Azure AD user token, which needs a signed-in user. With a device token a hybrid Azure AD joined device authenticates as itself (the client log shows the request being made for the SYSTEM account, S-1-5-18), so policy, inventory and deployments keep flowing while the device sits at the sign-in screen.

 

How do we know if the device token is not working?

 

Windows\CCM\Logs\ADALOperationProvider.log on the client is the place to confirm. The following is a common error pattern: the client requests a device token, cannot get one from the Web Account Manager (WAM) API and falls back to a user token. The error follows the "Getting AAD (device) token" entry, as seen below.

 

Getting AAD (device) token with: ClientId = e234afc5-70f6-44fc-9063-f42ddf30c954, ResourceUrl = https://ConfigMgrCMG, AccountId = https://login.microsoftonline.com/common/oauth2/token    ADALOperationProvider   

IWebAuthenticationCoreManagerStatics4 not available. Falling back to user token.    ADALOperationProvider    BlockOnCompletionAndGetResults(spWebAccountProviderOperation.Get(), &spProvider), HRESULT=800703f0 (..\Token.cpp,531)    ADALOperationProvider   

Failed to get AAD token..

An attempt was made to reference a token that does not exist. (Error: 800703F0; Source: Windows)    ADALOperationProvider   

CcmGetAADTokenFromWAM( sClientId.c_str(), sResourceUri.c_str(), sAccountId.c_str(), bForDevice, sToken, sAADUserId ), HRESULT=800703f0 (..\CcmToken.cpp,2293)    ADALOperationProvider   

Failed to get AAD token for 'S-1-5-18' from WAM API. Error 0x800703f0    ADALOperationProvider   

 

Following are the prerequisites for the AAD device token to work.

 

  • SCCM 1806 or higher
  • Devices must run Windows 10 version 1803 or higher and be hybrid Azure AD joined
  • The server/web app registered in Azure AD must be enabled for device token (the isDeviceOnlyAuthSupported property on the application object)

 

The first two are straightforward. How can we ensure the server/web app is enabled for device token?

 

If you let SCCM create and register the apps (server/web and client/native) automatically from the SCCM console, the server app is most likely configured correctly. If you registered the apps manually in Azure and then imported them into SCCM, you have to patch/update the app by running "Update Application Settings" on the server app in the console (Administration > Cloud Services > Azure Active Directory Tenants).

 

The update may fail with "Failed to update settings for the application. For more information, see SMSAdminUI.log" and the following error in SMSAdminUI.log if you are running a version of SCCM earlier than 1810 with hotfix rollup 2 (HFRU2).

 

Microsoft.ConfigurationManagement.ManagementProvider.SmsException
Failed to update settings for the application. For more information, see SmsAdminUI.log.
   at Microsoft.ConfigurationManagement.AdminConsole.CloudServicesManagement.AAD.AADUtilities.RefreshAppSettings(Object sender, ScopeNode scopeNode, ActionDescription action, IResultObject selectedResultObject, PropertyDataUpdated dataUpdatedDelegate, Status status)
One or more errors occurred.
System.AggregateException
One or more errors occurred.
   at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   at System.Threading.Tasks.Task`1.get_Result()
   at Microsoft.ConfigurationManagement.AdminConsole.CloudServicesManagement.AAD.AADDataHandler.AssignAndGrantPermissionOnServerApplication()
   at Microsoft.ConfigurationManagement.AdminConsole.CloudServicesManagement.AAD.AADUtilities.RefreshAppSettings(Object sender, ScopeNode scopeNode, ActionDescription action, IResultObject selectedResultObject, PropertyDataUpdated dataUpdatedDelegate, Status status)
System.ArgumentNullException
Value cannot be null.
Parameter name: type

 

The above issue is fixed in 1810 HFRU2.

 

If you are unable to upgrade to 1810 HFRU2 or later to resolve the update issue and still want to enable device token authentication, or you just want to confirm whether device token is enabled on the server/web app, you can use Graph Explorer (http://aka.ms/ge) to query the app's properties and also to modify them.

 

Go to http://aka.ms/ge and sign in with an account that is allowed to update the app registration: an owner of the server app, or a holder of the Application Administrator or Cloud Application Administrator role. A Global Admin account works too, but it is more privilege than this task needs.

 

Graph Explorer won't let you query or change app properties by default. Select "modify permissions" and grant the Directory.AccessAsUser.All permission to the signed-in user; this lets Graph Explorer query and modify app properties with the rights of your account. It is a broad delegated scope (Graph Explorer acts as you for the whole directory), so use an account that only has the rights you need for this change.

 

Grant access to Graph Explorer to access the directory as you.

 

Select "retrieve the list of applications" from the sample queries under Applications (beta); this runs GET https://graph.microsoft.com/beta/applications and returns the registered apps. You can click in the "Response Preview" area and press Ctrl+F to search for the server app you are interested in, which is handy when there are many apps. The property we care about is isDeviceOnlyAuthSupported. If it is null, as below, device token is not enabled. (The property is also exposed on the v1.0 applications endpoint; beta is simply where the sample query lives.)

 

Looking at the output more closely, there are two IDs: id and appId. id is the application's directory object id, and that is the value the update query takes in its URL. appId is the application (client) ID, the value that appears as ClientId in ADALOperationProvider.log and as the client ID in the SCCM console. Do not mix them up; a PATCH to /applications/{appId} will not find the object.

{
    "id": "dfd44c17-459a-451e-8f4a-c635a497a1ea",
    "deletedDateTime": null,
    "isFallbackPublicClient": null,
    "appId": "5df94352-894e-4ee6-9219-df787ba6e578",
    "applicationTemplateId": null,
    "identifierUris": [
        "https://CMGConfigMgrService"
    ],

Select "update application properties" from the sample queries on the left. A new query is formed, PATCH https://graph.microsoft.com/beta/applications/{id}, and you replace the {id} placeholder (curly brackets included) with the id from the previous step.

 

Under Request Body, put the property we are going to update as shown below, and make sure the method is PATCH. isDeviceOnlyAuthSupported is a Boolean property, so the value is the JSON literal true (unquoted), not the string "true".

 

{
  "isDeviceOnlyAuthSupported": true
}

 

You will see Success - Status Code 204 if the change was accepted. A PATCH returns 204 No Content, so the response body is empty; the re-query in the next step is the real confirmation.

 

 

Run retrieve application properties query again to confirm the changes.

 

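The same check and PATCH can be scripted, which is useful when the console action fails or when you have several tenants and apps to verify. The following is an added example written for this article; it is not code from the original post or from Configuration Manager. It uses the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and assumes the server app is found by its identifier URI, the value that appears as ResourceUrl in ADALOperationProvider.log; the URI in the usage lines is a placeholder for your own. It requests only Application.ReadWrite.All, which an owner of the app registration or an Application Administrator can consent to, rather than the broader Directory.AccessAsUser.All scope Graph Explorer asks for.

```powershell
# Added example (not from the original post): report, and optionally enable, the
# isDeviceOnlyAuthSupported property on the CMG server/web app via Microsoft Graph.
# Assumptions: Microsoft.Graph module installed; the app is identified by its identifier URI.

function Set-CmgServerAppDeviceAuth {
    param(
        # identifierUris entry of the CMG server/web app, e.g. https://CMGConfigMgrService
        [Parameter(Mandatory)][string]$IdentifierUri,
        # Without -Enable the function only reports the current value of isDeviceOnlyAuthSupported
        [switch]$Enable
    )

    # Application.ReadWrite.All is sufficient to read and update app registrations; an owner
    # of the app or an Application Administrator can use it. Global Admin is not required.
    Connect-MgGraph -Scopes 'Application.ReadWrite.All' | Out-Null

    # Look the app up by identifier URI; display names are not unique, identifier URIs are.
    $filter = "identifierUris/any(u:u eq '$IdentifierUri')"
    $apps = @(Get-MgApplication -Filter $filter -Property 'id,appId,displayName,isDeviceOnlyAuthSupported')
    if ($apps.Count -ne 1) {
        throw "Expected exactly one application with identifier URI '$IdentifierUri', found $($apps.Count)"
    }
    $app = $apps[0]

    # 'id' is the directory object id used in the PATCH URL; 'appId' is the ClientId that the
    # ConfigMgr client log and the console show. $null for the property means it was never set.
    $state = [pscustomobject]@{
        DisplayName               = $app.DisplayName
        Id                        = $app.Id
        AppId                     = $app.AppId
        IsDeviceOnlyAuthSupported = $app.IsDeviceOnlyAuthSupported
    }

    if ($Enable -and $app.IsDeviceOnlyAuthSupported -ne $true) {
        # Same PATCH as in Graph Explorer. The body is a hashtable so the SDK serialises a
        # JSON boolean (true), not the string "true".
        $uri = "https://graph.microsoft.com/v1.0/applications/$($app.Id)"
        Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body @{ isDeviceOnlyAuthSupported = $true }

        # Re-read instead of trusting the 204: this confirms the property actually changed.
        $after = Get-MgApplication -ApplicationId $app.Id -Property 'isDeviceOnlyAuthSupported'
        $state.IsDeviceOnlyAuthSupported = $after.IsDeviceOnlyAuthSupported
    }

    $state
}

# Report only (placeholder URI; use the ResourceUrl from your ADALOperationProvider.log):
Set-CmgServerAppDeviceAuth -IdentifierUri 'https://CMGConfigMgrService'

# Enable and confirm:
Set-CmgServerAppDeviceAuth -IdentifierUri 'https://CMGConfigMgrService' -Enable
```

Run it once without -Enable to see the current state of the property for the app, then with -Enable to patch it. The function throws if the identifier URI matches zero or more than one application, so a typo in the URI cannot silently patch the wrong app.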

 

How do we know the AAD device token is working after making the above changes?

 

Check Windows\CCM\Logs\ADALOperationProvider.log again. If the "Getting AAD (device) token" entry is no longer followed by the "Falling back to user token" / "Failed to get AAD token" errors, and the next entries are the normal user token requests as shown below, the device token is working.

 

Getting AAD (device) token with: ClientId = 387b3bc8-de92-48f2-980f-c196a9669e5e, ResourceUrl = https://CMGConfigMgrService, AccountId = https://login.microsoftonline.com/common/oauth2/token        ADALOperationProvider        

Getting AAD (user) token with: ClientId = 387b3bc8-de92-48f2-980f-c196a9669e5e, ResourceUrl = https://CMGConfigMgrService, AccountId = https://login.microsoftonline.com/common/oauth2/token        ADALOperationProvider        

Getting AAD (user) token with: ClientId = 387b3bc8-de92-48f2-980f-c196a9669e5e, ResourceUrl = https://CMGConfigMgrService, AccountId = https://login.microsoftonline.com/common/oauth2/token        ADALOperationProvider

 

Once the device token works, the client sends it through the CMG to the internal management point to obtain a CCM token. The client must get a CCM token before it can reach any internal resource. CCM_STS.log on the management point that is enabled for CMG traffic shows whether the AAD token was validated as a device token and whether a CCM token was issued.

 

ProcessRequest - Start        CCM_STS        

Validated AAD token. TokenType: Device TenantId: b02d4d89-e6d5-4b3d-b072-3457aa833ec4 UserId: 00000000-0000-0000-0000-000000000000 DeviceId: db94ed37-c03c-4d44-8d0a-97cac0187e6f OnPrem_UserSid:  OnPrem_DeviceSid:          CCM_STS        

TokenType is Device, use UDA for now        CCM_STS        

Created SCCM token        CCM_STS        

Issued SCCM token        CCM_STS        

Return token to client, token type: UDA, hierarchyId: 3a25dd9f-b871-4b26-87c0-81ab03a43375, userId: 00000000-0000-0000-0000-000000000000, deviceId: GUID:8AAE207C-880C-45C5-BC3A-16919E85F6F2        CCM_STS        

Elapsed time: 743 ms        CCM_STS        

 

If you have just updated the device token property and see a 401 in CCM_STS.log like the one below, the advice is to give it some time to catch up. "No bearer token found in request" means the client presented no AAD token at all on that request, which is what you see while it is still failing to obtain one.

 

ProcessRequest - Start        CCM_STS        

Return code: 401, Description: No bearer token found in request, No bearer token found in request        CCM_STS        

Elapsed time: 1 ms        CCM_STS
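The log checks described above (the failing pattern in ADALOperationProvider.log at the start of the post, the working pattern after the fix, and the CCM_STS.log request/issue/401 entries) can be automated rather than eyeballed. The following is an added example written for this article, not code from the original post or from Configuration Manager. The sample log lines are constructed from the excerpts quoted in the post, not a real capture; the functions accept either plain message text or CMTrace-format lines (<![LOG[...]LOG]!><time=... component=... >), which is how the files look on disk.

```powershell
# Added example (not from the original post): evaluate device-token health from
# ADALOperationProvider.log and CCM_STS.log text. Sample lines below are constructed.

function Get-CcmLogMessage {
    # Returns the message text of a ConfigMgr log line; CMTrace-wrapped lines are unwrapped,
    # plain lines pass through unchanged.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        if ($Line -match '^<!\[LOG\[(?<msg>.*?)\]LOG\]!>') { $Matches['msg'] } else { $Line }
    }
}

function Test-AadDeviceToken {
    # Applies the post's rule to ADALOperationProvider.log: a "Getting AAD (device) token" entry
    # followed by "Falling back to user token" or "Failed to get AAD token" is a failed attempt.
    param([Parameter(Mandatory)][string[]]$AdalLogLines)
    $attempts = 0; $failures = 0; $inDeviceAttempt = $false
    foreach ($m in ($AdalLogLines | Get-CcmLogMessage)) {
        if ($m -like 'Getting AAD (device) token*') { $inDeviceAttempt = $true; $attempts++; continue }
        if ($m -like 'Getting AAD (user) token*')   { $inDeviceAttempt = $false; continue }
        if ($inDeviceAttempt -and ($m -like '*Falling back to user token*' -or $m -like 'Failed to get AAD token*')) {
            $failures++; $inDeviceAttempt = $false   # count one failure per attempt
        }
    }
    [pscustomobject]@{
        DeviceTokenAttempts = $attempts
        DeviceTokenFailures = $failures
        DeviceTokenWorking  = ($attempts -gt 0 -and $failures -eq 0)
    }
}

function Test-CcmStsDeviceToken {
    # Splits CCM_STS.log into requests (ProcessRequest - Start ... Elapsed time) and records,
    # per request, the validated AAD token type and device id, whether a CCM token was issued,
    # and any HTTP return code such as the 401 "No bearer token found in request".
    param([Parameter(Mandatory)][string[]]$StsLogLines)
    $requests = @(); $current = $null
    foreach ($m in ($StsLogLines | Get-CcmLogMessage)) {
        switch -Regex ($m) {
            '^ProcessRequest - Start' {
                $current = [pscustomobject]@{ TokenType = $null; DeviceId = $null; Issued = $false; ReturnCode = $null }
            }
            '^Validated AAD token\. TokenType: (?<type>\w+).*DeviceId: (?<dev>[0-9a-fA-F-]+)' {
                if ($current) { $current.TokenType = $Matches['type']; $current.DeviceId = $Matches['dev'] }
            }
            '^Issued SCCM token'        { if ($current) { $current.Issued = $true } }
            '^Return code: (?<code>\d+)' { if ($current) { $current.ReturnCode = [int]$Matches['code'] } }
            '^Elapsed time:'            { if ($current) { $requests += $current; $current = $null } }
        }
    }
    $requests
}

# Constructed sample input modeled on the post's excerpts (not a real capture).
$adalFailing = @(
    'Getting AAD (device) token with: ClientId = e234afc5-70f6-44fc-9063-f42ddf30c954, ResourceUrl = https://ConfigMgrCMG, AccountId = https://login.microsoftonline.com/common/oauth2/token',
    'IWebAuthenticationCoreManagerStatics4 not available. Falling back to user token.',
    'Failed to get AAD token..',
    'Failed to get AAD token for ''S-1-5-18'' from WAM API. Error 0x800703f0'
)
$adalWorking = @(
    '<![LOG[Getting AAD (device) token with: ClientId = 387b3bc8-de92-48f2-980f-c196a9669e5e, ResourceUrl = https://CMGConfigMgrService, AccountId = https://login.microsoftonline.com/common/oauth2/token]LOG]!><time="08:00:00.000+000" date="01-01-2019" component="ADALOperationProvider" context="" type="1" thread="1" file="">',
    '<![LOG[Getting AAD (user) token with: ClientId = 387b3bc8-de92-48f2-980f-c196a9669e5e, ResourceUrl = https://CMGConfigMgrService, AccountId = https://login.microsoftonline.com/common/oauth2/token]LOG]!><time="08:00:01.000+000" date="01-01-2019" component="ADALOperationProvider" context="" type="1" thread="1" file="">'
)
$stsLines = @(
    'ProcessRequest - Start',
    'Validated AAD token. TokenType: Device TenantId: b02d4d89-e6d5-4b3d-b072-3457aa833ec4 UserId: 00000000-0000-0000-0000-000000000000 DeviceId: db94ed37-c03c-4d44-8d0a-97cac0187e6f OnPrem_UserSid:  OnPrem_DeviceSid: ',
    'TokenType is Device, use UDA for now',
    'Created SCCM token',
    'Issued SCCM token',
    'Elapsed time: 743 ms',
    'ProcessRequest - Start',
    'Return code: 401, Description: No bearer token found in request, No bearer token found in request',
    'Elapsed time: 1 ms'
)

Test-AadDeviceToken $adalFailing      # DeviceTokenWorking = False (1 attempt, 1 failure)
Test-AadDeviceToken $adalWorking      # DeviceTokenWorking = True
Test-CcmStsDeviceToken $stsLines | Format-Table   # one Device/Issued row, one ReturnCode 401 row
```

Against a real file, pipe it in with Get-Content, for example Test-AadDeviceToken (Get-Content 'C:\Windows\CCM\Logs\ADALOperationProvider.log'). On the management point, a run of CCM_STS requests with TokenType Device and Issued true, and no fresh 401 rows, is the "catching up" the post describes.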

 

Once CCM_STS.log shows the CCM token being issued, look at CcmMessaging.log on the client, and also add the Device Online From Internet and Device Online Management Point columns to the Devices view in the console to confirm that the device is communicating through the CMG.


Thank you,

 

Taj Mohammed

 
